[comp.sys.ibm.pc.digest] Info-IBMPC Digest V91 #127

Info-IBMPC@WSMR-SIMTEL20.ARMY.MIL ("Info-IBMPC Digest") (05/21/91)

Info-IBMPC Digest           Mon, 20 May 91       Volume 91 : Issue 127 

Today's Editor:
         Gregory Hicks - Rota Spain <GHICKS@WSMR-Simtel20.Army.Mil>

Today's Topics:
           Trojan version of VIRUSCAN version 78 (PC) (2 msgs)
                   Drive A problem; COM1 & 2 problem
                            Hanging desqview
                         PKWare ZIP -AV cracked
                         quiet hard drives ...
                               Tar files

Today's Queries:
                       AST I/O Card info request
                Search for a Numerical Methods C routine

New Uploads:
      DDUPE322.ZIP - Diskcopy any size floppy disk in only 1 pass
      MAGIC116.ZIP - Magnifies VGA/XGA/SVGA screen txt/graph. DEMO
       SST_52B.ZIP - Fast file & ARC/ZIP/LZH/ZOO/PAK/PKA searcher
                Virus checking of archives from a batch
     WILDF113.ZIP - Unix sh-style regex parser (wild cards), C src

Send Replies or notes for publication to:
<INFO-IBMPC@WSMR-SIMTEL20.ARMY.MIL>

Send requests of an administrative nature (addition to, deletion from
the distribution list, et al) to:
<INFO-IBMPC-REQUEST@WSMR-SIMTEL20.ARMY.MIL>

Archives of past issues of the Info-IBMPC Digest are available by FTP
only from WSMR-SIMTEL20.ARMY.MIL in directory PD2:<ARCHIVES.IBMPC>.

----------------------------------------------------------------------

Date:    Mon, 13 May 91 14:50:16 -0700
From:    Aryeh Goretsky <aryehg%darkside.com@apple.com>
Subject: Trojan version of VIRUSCAN version 78 (PC)

TROJAN VERSION OF VIRUSCAN VERSION 78

We have received a trojan horse version of VIRUSCAN.  The hacked SCAN
has apparently been uploaded to BBSes in Michigan, USA under the
filename SCANV78.ZIP.  Running PKZIP -V on the file reveals:

 .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 .PKUNZIP Reg. U.S. Pat. and Tm. Off.

 .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882

 . Length  Method   Size  Ratio   Date    Time   CRC-32  Attr  Name
 . ------  ------   ----- -----   ----    ----   ------  ----  ----
 .  12816  Implode   5255  59%  04-08-91  14:28  08a87ed8 --w  AGENTS.TXT
 .   9406  Stored    9406   0%  02-03-91  17:04  42cf9931 --w  REGISTER.DOC
 .  23008  Implode  12550  46%  05-06-91  18:15  f9735dd5 --w  SCAN.EXE
 .   6495  Implode   1895  71%  10-31-89  16:16  0449b09d --w  VALIDATE.COM
 .   3626  Implode   1802  51%  11-29-90  01:59  ab76470f --w  README.1ST
 .  21257  Implode   5767  73%  05-06-91  19:35  a0728a17 --w  VIRLIST.TXT
 .   2844  Implode   1406  51%  02-14-91  14:25  aa330b57 --w  VALIDATE.DOC
 .  24515  Implode   9188  63%  05-06-91  19:34  172a967f --w  SCAN78.DOC
 . ------          ------  ---                                 -------
 . 103967           47269  55%                                       8

The number listed for the Fantasia BBS is NOT a BBS number and has no
connection with the trojan horse.  I have called the phone number and
asked the party at the other end to contact me.

Running PKUNZIP on the file reveals the following:

 .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 .PKUNZIP Reg. U.S. Pat. and Tm. Off.

 .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
 .  Exploding: AGENTS.TXT    -AV
 . Extracting: REGISTER.DOC  -AV
 .  Exploding: SCAN.EXE      -AV
 .  Exploding: VALIDATE.COM  -AV
 .  Exploding: README.1ST    -AV
 .  Exploding: VIRLIST.TXT   -AV
 .  Exploding: VALIDATE.DOC  -AV
 .  Exploding: SCAN78.DOC    -AV

 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES

While the Authentic Files Verified Message appears, the Serial Number
is NOT correct.  McAfee Associates' Serial Number is NWM405.

Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT
files revealed that these are straight from VIRUSCAN Version 77--the
version number in the VIRLIST.TXT file was still V77.

The SCAN78.DOC file had been modified so that all occurrences of V77
were switched to V78.  Additionally, the following text was added for
the validation data:

 .     The validation results for Version 77 should be:

 .              FILE NAME: SCAN.EXE
 .                   SIZE: 23,008
 .                   DATE: 05-06-1991
 .    FILE AUTHENTICATION
 .         Check Method 1: 2C21
 .         Check Method 2: 022E

For the What's New section, the following text was added:

 . WHAT'S NEW
 .         Version 78 of SCAN removes a few small bugs and continues
 . to optimize the procedures SCAN uses to find viruses, as in Version 77,
 . as well as adding a few more to the list of known viruses. SCAN is now much
 . more compressed than was previously thought possible, so please enjoy the
 . shortened file size, it should still work just fine.
 .    Refer to the enclosed VIRLIST.TXT file for a schematic
 . description of the new viruses.  For a complete description, please
 . refer to Patricia Hoffman's VSUM document.

Examination of the SCAN.EXE file has shown that it contains the help
message that VIRUSCAN displays as well as the program information
message.  However, the program does not contain any of the other
messages that VIRUSCAN has in it.

The REGISTER.DOC file distributed with the trojan version of VIRUSCAN
is not a text file, but rather another .ZIP file containing a file
named TB1.COM:

 . PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 . Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 . PKUNZIP Reg. U.S. Pat. and Tm. Off.

 . Searching ZIP: REGISTER.DOC
 .  Extracting: TB1.COM       -AV

 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES

When unZIPped, the REGISTER.DOC file displays the same Authentic Files
Verified Message as the SCANV78.ZIP file did.  Examination of the
TB1.COM file revealed that it contains the Whale virus.

This is all I currently know about the SCANV78.ZIP trojan.  If you see
any copies of this file, please ask the system administrator or sysop
to remove it and ask them to contact the uploader to warn them that it
contains a virus.

Aryeh Goretsky
McAfee Associates Technical Support
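
The check made by eye in the post above (an "Authentic files Verified!" banner whose serial number does not match the publisher's), written as an added Python example that is not part of the original post. The PINNED table and the function name are assumptions of this example; the sample text is PKUNZIP output quoted in the post.

```python
import re

# Publisher name -> serial number the operator has pinned. The McAfee pair is
# the one stated in the post; keeping such a table is this example's assumption.
PINNED = {"McAFEE ASSOCIATES": "NWM405"}

MEMBER = re.compile(r"^(\w+):\s+(\S+)(?:\s+(-AV))?\s*$")
VERIFIED = re.compile(
    r"Authentic files Verified!\s+#\s*(\S+)\s+Zip Source:\s*(.+?)\s*$")

# PKUNZIP output lines as quoted in the post (leading " ." markers kept).
SAMPLE = """\
 .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
 .  Exploding: AGENTS.TXT    -AV
 . Extracting: REGISTER.DOC  -AV
 .  Exploding: SCAN.EXE      -AV
 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
"""

def check_av(output, pinned=PINNED):
    """Parse one PKUNZIP run; return (serial, source, problems)."""
    serial = source = None
    problems = []
    for raw in output.splitlines():
        line = raw.strip().lstrip(".").strip()   # drop the quoting dot
        m = MEMBER.match(line)
        if m and m.group(3) is None:
            problems.append(f"{m.group(2)}: extracted without -AV")
        v = VERIFIED.search(line)
        if v:
            serial, source = v.group(1), v.group(2)
    if serial is None:
        problems.append("no 'Authentic files Verified!' line")
    elif source not in pinned:
        problems.append(f"source {source!r} is not pinned")
    elif pinned[source] != serial:
        problems.append(
            f"serial {serial} != pinned {pinned[source]} for {source}")
    return serial, source, problems

if __name__ == "__main__":
    print(check_av(SAMPLE))
```

A clean result only means the banner matches the pinned pair; given the MAKEAV report later in this digest, treat it as a necessary check rather than proof of origin.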

------------------------------

Date: Tue, 14 May 91 14:06:54 -0500
From: mbaker@logdis1.hq.aflc.af.mil (Michael Baker;LMSC/SXSC)
Subject: Fw: Trojan version of VIRUSCAN version 78

> TROJAN VERSION OF VIRUSCAN VERSION 78

 Aryeh,

  There is also another version of McAfee's virus scan program called vscan82.
This version surfaced in the Dayton, OH area a few months back and
McAfee was notified.  He seemed really upset, which I can understand,
'cause whoever is doing this is out to ruin McAfee.  One of the
local BBS sysops here is on a first name basis with McAfee.   I think
his bbs alone has had about 10 virus infected programs uploaded to him.

     In our organization here we had 8 cpu's infected with the 4096
virus.  We think that it came from a game, but with it infecting just
about all files, it is hard to narrow it down.

     Now there is a scare out on the "STONED" virus.  Have not seen it
as yet, but the way things go, I am sure it won't be long.

     If you find any other info on the virus scare, let me know if you
would, please.  

     Later
     Michael Baker

------------------------------

Date: 14 May 91 05:46:43 GMT
From: mtraini@loki.une.oz.au (Traini Mathew)
Subject: Drive A problem; COM1 & 2 problem

I too have experienced your drive A problem.  I was using a 720K 3.5"
drive, and was swopping 720K and 360K 3.5" disks whilst copying. (Yes,
that's right, a 360K 3.5" floppy. They come with the IBM PC JX, a close
relative of the PC jr.)

Anyway, after swopping disks, the previous directory reading still
existed.  One way I found to get around the problem (In DOS V3.3
anyway) was to press ^C or break afterwards, and this solved the
problem.

Check if you were swopping 1.2MB floppies and 360K floppies; this may
be the cause of the trouble (for some unknown reason.)

------------------------------

Date: Tue, 14 May 91 12:20 EDT
From: "Ed Harris, Academic Affairs, So Ct State U"
Subject: Hanging desqview

Richard Reiner writes:

> I'll second your hunch that it is not DV's fault.  I do many complex
> things at once in DV/386 routinely (compiling while downloading while
> printing while doing my accounts while formatting floppies while...)
> and I *never* get system hangs unless I've been very bad indeed, e.g.
> if I've given two programs simultaneous access to the same COM port, or
> something similar.

I do nothing more complex than editing while downloading, yet I can't
use PC Magazine's snipper or calc tsrs or PSFF, a tsr that inserts a
form feed after a print screen, without hanging my machine.  I've tried
loading these in a dos window under desqview rather than in my autoexec
bat which loads them before desqview; I've tried loading them high
rather than low; nothing helps.  Any ideas, anyone?  Thanks in advance.

Ed <HARRIS@CTSTATEU.BITNET>
Southern Connecticut State U, New Haven, CT 06515 USA
Tel: 1 (203) 397-4322 / Fax: 1 (203) 397-4207

------------------------------

Date: Tue, 14 May 1991  20:34 MDT
From: Keith Petersen <w8sdz@WSMR-SIMTEL20.ARMY.MIL>
Subject: PKWare ZIP -AV cracked

I have received word from a reliable source that there is now a PKWare
ZIP authentication verification (-AV) cracker going around called
MAKEAV.  It will generate registration numbers so that people can
create their own serialized ZIPs.

MAKEAV was apparently used to make the bogus SCANV78.ZIP which was
warned about in a recent posting by McAfee Associates.

PKWare has been notified.

Keith
- - -
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC and CP/M archives  -  [192.88.110.20]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil    or    w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz             BITNET: w8sdz@OAKLAND

------------------------------

Date: Tue, 14 May 91  13:32 PDT
From: (Joseph A. Faracchio) SPGJAF%cmsa.Berkeley.EDU@ucbvax.Berkeley.EDU 
Subject: quiet hard drives ...

About quiet hard drives.   I can not speak for other hard drive
manufacturers but at least the Conner hard drives that are engineered
for laptops have special commands that will 'quiesce' the drive.  (In
fact there appear to be 3 stages ending in total shutoff ('til a
request comes in then it's an automatic power up.))

You may want to check to see what OEM is in a HardCard and order the
specs manual from the OEM.  Good luck! .. joe.f.

------------------------------

Date: Tue, 14 May 91 02:18:37 MEZ
From: "Gisbert W.Selke" <S00100%DBNRHRZ1.BITNET@CUNYVM.CUNY.EDU>
Subject: Tar files

Jim Wiegand <v5058u@templevm.bitnet> recently asked for tar file info
due to trouble extracting files under DOS. I have once written a very
crude utility that extracts members from a tar file, renaming files on
the fly to make them acceptable to DOS and taking care not to overwrite
anything (e.g., a tar might contain both README and readme (and
possibly ReadMe...)).  If interest warrants, I'll mail it to Jim and/or
to Simtel20 - be warned, it is *very* crude! Since it comes with
TurboPascal source, of course, anyone can hack it to suit their needs.

\Gisbert                  <s00100@dbnrhrz1.bitnet>
WIdO, Bonn, Germany         ^^ ^^ zeroes, not ohs!

------------------------------

Date: Mon, 13 May 91 16:04 EDT
From: "Roy L. Lehmann" <ROY%NKI.BITNET@CUNYVM.CUNY.EDU>
Subject: AST I/O Card info request

Can anyone e-mail me the settings for the 2 DIP switches on a
serial/parallel i/o card?  The card has the following markings:

     AST
     RAM PAGE
     AT-PAK
     RAMPAT-I/O

Can anyone send the name and address of the manufacturer?

------------------------------

Date: Tue, 14 May 91 17:23:07 +0300
From: Dov Peter Grobgeld <CFGROB@weizmann.weizmann.ac.il>
Subject: Search for a Numerical Methods C routine

I am looking for a C implementation of the Adams Moulton variable step
integrator. If someone has any clues if such code exists, I would be
most interested in it. It might be either commercial or public domain.

Dov Grobgeld
Department of Chemical Physics
The Weizmann Institute of Science
Rehovot 76100, Israel

------------------------------

Date: Sat, 11 May 91 11:13:05 -0500
From: kaplan@silver.ucs.indiana.edu
Subject: DDUPE322.ZIP - Diskcopy any size floppy disk in only 1 pass

I have uploaded to SIMTEL20:

pd1:<msdos.dskutl>
DDUPE322.ZIP    Diskcopy any size floppy disk in only 1 pass

This is a new Shareware version of Diskdupe.  This is the fastest disk
duplicator I have seen.  It copies 3.5 and 5.25 inch disks.

Preston
kaplan@silver.ucs.indiana.edu

------------------------------

Date: Wed, 8 May 91 14:43:35 EDT
From: wtm@bunker.shel.isc-br.com (Bill McGarry)
Subject: MAGIC116.ZIP - Magnifies VGA/XGA/SVGA screen txt/graph. DEMO

I have uploaded to SIMTEL20:

pd1:<msdos.handicap>
MAGIC116.ZIP    Magnifies VGA/XGA/SVGA screen txt/graph. DEMO

                                Bill McGarry
                                (203) 337-1518

UUCP:       {oliveb, philabs, decvax, yale}!bunker!wtm
INTERNET:   wtm@bunker.shel.isc-br.com
BITNET:     l-hcap@ndsuvm1.bitnet
Fidonet:    The Handicap News BBS (141/420)   1-203-337-1607
            (300/1200/2400 baud, 24 hours)
Compuserve: 73170,1064

------------------------------

Date: Sun, 12 May 1991 16:02 EDT
From: BLACKMANW@urvax.urich.edu
Subject: SST_52B.ZIP - Fast file & ARC/ZIP/LZH/ZOO/PAK/PKA searcher

I have uploaded to SIMTEL20:

pd1:<msdos.dirutl>
SST_52B.ZIP     Fast file & ARC/ZIP/LZH/ZOO/PAK/PKA searcher

SST: the Supersonic Search Tool v5.2b by Keith Ledbetter (aka
"WhereIs").  The cutting-edge in file-finder programs.  Supports all
major archive formats, greps, size ranges, date ranges, verified
deletion, duplicate searching, 4DOS description searches, command
execution on found files, and too many other features to list.  Network
aware.  Now works with the new LHARC format.  Member, ASP.  Maintenance
upgrade.

                                          --- webb ---

Webb B. Blackman, Jr. BLACKMANW @ URVAX               (Vanilla BITNET)
University of Richmond    blackmanw@urvax.urich.edu   (Bitnet or Internet)
Richmond, Virginia 23173

------------------------------

Date: 12 May 91 07:49:41 GMT
From: ts@uwasa.fi (Timo Salmi)
Subject: Virus checking of archives from a batch

I have updated my collection of useful batch files and it is now
available from SIMTEL20:

pd1:<msdos.batutl>
TSBAT25.ZIP     Collection of useful batch files by Timo Salmi

One of the constant worries of downloaders of archived packages is the
threat of viruses. (Games from shady BBSes are particularly
susceptible, but even commercial products have been known to be
infected).  Fortunately there are good virus checkers like McAfee's
scanv77.zip and Fridrik Skulason's fp-115a.zip available to check for
infections.

There are, however, two dilemmas in checking archived packages on a
routine basis. (Since the format most encountered is .zip let's speak
of zipped files).  The first problem is that there are so many
executable compressors in use currently (such as lzexe, pklite, diet,
tinyprog, etc).  This means that unless the virus checking programs can
observe all these variations, a virus can be hiding in an execompressed
form.  Therefore it is advisable to expand the executables for the
check.  A second problem is that .zip files occasionally contain
embedded .zip files (eg PC-Magazine's collections often do).  These
embedded .zip files must be unzipped for a closer examination.

The earlier versions of the tsbat collection included a batch called
scanzip.bat.  I have completely rewritten this batch to take care of
the two eventualities discussed above.  I have renamed the rewritten
batch scanz.bat.  Note that before using this new batch, you have to go
through scanz.bat and edit all the directory path references to
correspond to your own configuration.  This is, of course, an
inconvenience, but it is the best way of guaranteeing that a batch
as complicated as this stays reasonably efficient.

Prof. Timo Salmi
Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.12.37
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun
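
The second problem described above (archives embedded in archives), which is also how the REGISTER.DOC member in the SCANV78.ZIP report earlier in this digest carried TB1.COM, as an added Python example; it is not scanz.bat and not code from the original posts. The function names, limits and the in-memory sample archive are assumptions of this example, and it only flags executables for expansion and scanning rather than doing either.

```python
import io
import zipfile

MAX_DEPTH = 4               # stop runaway nesting
MAX_MEMBER = 8 * 1024**2    # do not expand members larger than 8 MiB
EXEC_EXT = (".COM", ".EXE")

def walk(data, path="", depth=0, out=None):
    """Expand a ZIP held in `data` recursively; return a list of (path, note)."""
    out = [] if out is None else out
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER:
                out.append((name, "too large, not expanded"))
                continue
            try:
                body = zf.read(info)
            except (NotImplementedError, RuntimeError, zipfile.BadZipFile) as e:
                # e.g. a compression method this library lacks, or encryption
                out.append((name, f"unreadable: {e}"))
                continue
            upper = info.filename.upper()
            if zipfile.is_zipfile(io.BytesIO(body)):   # judge by content
                if not upper.endswith(".ZIP"):
                    out.append((name, "ZIP content under a non-ZIP name"))
                if depth + 1 < MAX_DEPTH:
                    walk(body, name, depth + 1, out)
                else:
                    out.append((name, "nesting limit reached"))
            elif upper.endswith(EXEC_EXT) or body[:2] == b"MZ":
                out.append((name, "executable: expand if packed, then scan"))
    return out

def build_sample():
    """Constructed stand-in for the layout described in the SCANV78.ZIP report."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("TB1.COM", bytes(64))            # harmless placeholder bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.1ST", "plain text\n")
        z.writestr("SCAN.EXE", b"MZ" + bytes(30))   # header bytes only
        z.writestr("REGISTER.DOC", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for item in walk(build_sample()):
        print(*item, sep=": ")
```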

------------------------------

Date: Wed, 8 May 91 11:23:09 PDT
From: johnk@wrq.com
Subject: WILDF113.ZIP - Unix sh-style regex parser (wild cards), C src

I have uploaded to SIMTEL20:

pd1:<msdos.c>
WILDF113.ZIP    Unix sh-style regex parser (wild cards), C src

WildFile (wild card file expansion of *IX SH style regular expressions)
is C source which allows the specification of a regular expression for
file specifications in a program.  This will allow such file
specifications as *t., *s*.doc, *[a-efz]?y*.*o*, etc.  This greatly
enhances the program's ability to handle user file requests.  Dedicated
to the public domain and uploaded by the author J.Kercheval.

                                  jbk
johnk@wrq.com

------------------------------

End of Info-IBMPC Digest V91 #127
*********************************
-------