[comp.sys.ibm.pc.digest] Info-IBMPC Digest V7 #8

hicks@WALKER-EMH.ARPA (Gregory Hicks COMFLEACTS) (02/10/88)

Info-IBMPC Digest           Mon, 8 Feb 88       Volume 7 : Issue   8

This Week's Editor: Gregory Hicks -- Chinhae Korea <hicks@walker-emh.arpa>

Today's Topics:
                             Another PC Virus
       Virus (Trojan) protection program now available from SIMTEL20
                           Calendar calculations
                            Copyright Revisited
                Problems with FANSI-CONSOLE: try NANSI.SYS
                          Program Name in the PSP
                          Turbo C Date Conversion
Today's Queries:
                                   80486
                                Book Search
                  Floppy/Hard drive configuration for XT
                       Keyboard driver under Windows
                            Turbo C 1.5 Upgrade
                             VT-100 Emulation
               Wanted: a program to build a call graph for C
              Where to get IBM PC DOS software via FTP Hosts
               Turbo Pascal -- Terminate and Stay Resident.

Info-IBMPC Lending Library is available from:

    Bitnet via server at CCUC; and from SIMTEL20.ARPA (see file
          PD1:<msdos>files.idx for listing of source files)

    SIMTEL20.ARPA can now be accessed from BITNET via
       LISTSERV@RPICICGE.BITNET using LISTSERV Commands

      INFO-IBMPC BBS Phone Numbers: (213) 827-2635 and (213) 827-2515

----------------------------------------------------------------------

Date: Wed,  27 Jan 88 13:22:27 +0200
From: Y. Radai <RADAI1%HBUNOS.BITNET@CNUCE-VM.ARPA>
Subject: Another PC Virus

   Issue 74 of the Info-IBMPC digest contained a description of a "virus"
discovered at Lehigh University which destroys the contents of disks after
propagating itself to other disks four times.  Some of us here in Israel,
never far behind other countries in new achievements (good or bad), are
suffering from what appears to be a local strain of the virus.  Since it
may have spread to other countries (or, for all we know, may have been
imported from abroad), I thought it would be a good idea to spread the word
around.

   Our version, instead of inhabiting only COMMAND.COM, can infect any
executable file.  It works in two stages:  When you execute an infected EXE
or COM file the first time after booting, the virus captures interrupt 21h
and inserts its own code.  After this has been done, whenever any EXE file
is executed, the virus code is written to the end of that file, increasing
its size by 1808 bytes.  COM files are also affected, but the 1808 bytes
are written to the beginning of the file, another 5 bytes (the string
"MsDos") are written to the end, and this extension occurs only once.

   The disease manifests itself in at least three ways: (1) Because of this
continual increase in the size of EXE files, such programs eventually
become too large to be loaded into memory or there is insufficient room on
the disk for further extension.  (2) After a certain interval of time
(apparently 30 minutes after infection of memory), delays are inserted so
that execution of programs slows down considerably.  (The speed seems to be
reduced by a factor of 5 on ordinary PCs, but by a smaller factor on faster
models.)  (3) After memory has been infected on a Friday the 13th (the next
such date being May 13, 1988), any COM or EXE file which is executed on
that date gets deleted.  Moreover, it may be that other files are also
affected on that date; I'm still checking this out.

(If this is correct, then use of Norton's UnErase or some similar utility
to restore files which are erased on that date will not be sufficient.)

   Note that this virus infects even read-only files, that it does not
change the date and time of the files which it infects, and that while the
virus cannot infect a write-protected diskette, you get no clue that an
attempt has been made by a "Write protect error" message since the
possibility of writing is checked before an actual attempt to write is made.

   It is possible that the whole thing might not have been discovered in
time were it not for the fact that when the virus code is present, an EXE
file is increased in size *every* time it is executed.  This enlargement of
EXE files on each execution is apparently a bug; probably the intention was
that it should grow only once, as with COM files, and it is fortunate that
the continual growth of the EXE files enabled us to discover the virus much
sooner than otherwise.

   From the above it follows that you can fairly easily detect whether your
files have become infected.  Simply choose one of your EXE files
(preferably your most frequently executed one), note its length, and
execute it twice.  If it does not grow, it is not infected by this virus.
If it does, the present file is infected, and so, probably, are some of
your other files.  (Another way of detecting this virus is to look for the
string "sUMsDos" in bytes 4-10 of COM files or about 1800 bytes before the
end of EXE files; however, this method is less reliable since the string
can be altered without attenuating the virus.)

   If any of you have heard of this virus in your area, please let me know;
perhaps it is an import after all.  (Please specify dates; ours was noticed
on Dec. 24 but presumably first infected our disks much earlier.)

   Fortunately, both an "antidote" and a "vaccine" have been developed for
this virus.  The first program cures already infected files by removing the
virus code, while the second (a RAM-resident program) prevents future
infection of memory and displays a message when there is any attempt to
infect it.  One such pair of programs was written primarily by Yuval Rakavy,
a student in our Computer Science Dept.

   In their present form these two programs are specific to this particular
virus; they will not help with any other, and of course, the author of the
present virus may develop a mutant against which these two programs will be
ineffective.  On the other hand, it is to the credit of our people that
they were able to come up with the above two programs within a relatively
short time.

   My original intention was to put this software on some server so that it
could be available to all free of charge.  However, the powers that be have
decreed that it may not be distributed outside our university except under
special circumstances, for example that an epidemic of this virus actually
exists at the requesting site and that a formal request is sent to our head
of computer security by the management of the institution.

   Incidentally, long before the appearance of this virus, I had been using
a software equivalent of a write-protect tab, i.e. a program to prevent
writing onto a hard disk, especially when testing new software.  It is
called PROTECT, was written by Tom Kihlken, and appeared in the Jan. 13,
1987 issue of PC Magazine; a slightly amended version was submitted to the
Info-IBMPC library.  Though I originally had my doubts, it turned out that
it is effective against this virus, although it wouldn't be too hard to
develop a virus or Trojan horse for which this would not be true.  (By the
way, I notice in Issue 3 of the digest, which I received only this morning,
that the version of PROTECT.ASM in the Info-IBMPC library has been replaced
by another version submitted by R. Kleinrensing.  However, in one respect
the new version seems to be inferior: one should *not* write-protect all
drives above C: because that might prevent you from writing to a RAMdisk or
an auxiliary diskette drive.)

   Of course, this is only the beginning.  We can expect to see many new
viruses both here and abroad.  In fact, two others have already been
discovered here.  In both cases the target date is April 1.  One affects only
COM files, while the other affects only EXE files.  What they do on that
date is to display a "Ha ha" message and lock up, forcing you to cold boot.
Moreover (at least in the EXE version), there is also a lockup one hour
after infection of memory on any day on which you use the default date of
1-1-80.  (These viruses may actually be older than the above-described
virus, but simply weren't noticed earlier since they extend files only
once.)

   The author of the above-mentioned anti-viral software has now extended
his programs to combat these two viruses as well.  At present, he is
concentrating his efforts on developing broad-spectrum programs, i.e. programs
capable of detecting a wide variety of viruses.

   Just now (this will give you an idea of the speed at which developments
are proceeding here) I received notice of the existence of an anti-viral
program written by someone else, which "checks executable files and reports
whether they include code which performs absolute writes to disk, disk
formatting, writes to disk without updating the FAT, etc."  (I haven't yet
received the program itself.)

                                       Y. Radai
                                       Computation Center
                                       Hebrew University of Jerusalem
                                       RADAI1@HBUNOS.BITNET
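
The two checks described in the message above (the "sUMsDos" marker and growth in 1808-byte steps), as an added example that is not part of the original digest or of the Hebrew University programs.  The function names, the 1-based reading of "bytes 4-10", the "MZ" header test and the 2048-byte search span for EXE files are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VIRUS_LEN 1808L            /* growth per infection, as reported in the post */
#define SIG_LEN 7
#define SEARCH_SPAN 2048           /* assumed margin covering "about 1800 bytes" */
static const unsigned char SIG[] = "sUMsDos";   /* marker string from the post */

enum verdict { NO_MARKER = 0, COM_MARKER = 1, EXE_MARKER = 2 };

/* COM: marker in "bytes 4-10", read here as 1-based, i.e. offsets 3..9. */
static int com_has_marker(const unsigned char *buf, size_t len)
{
    return len >= 3 + SIG_LEN && memcmp(buf + 3, SIG, SIG_LEN) == 0;
}

/* EXE: the post gives no exact offset, so search the last SEARCH_SPAN bytes. */
static int exe_has_marker(const unsigned char *buf, size_t len)
{
    size_t i = len > SEARCH_SPAN ? len - SEARCH_SPAN : 0;
    for (; i + SIG_LEN <= len; i++)
        if (memcmp(buf + i, SIG, SIG_LEN) == 0)
            return 1;
    return 0;
}

/* Dispatch on content rather than extension: DOS EXE images start with "MZ".
 * NO_MARKER is not proof of a clean file, since the string can be altered. */
enum verdict scan_image(const unsigned char *buf, size_t len)
{
    if (len >= 2 && buf[0] == 'M' && buf[1] == 'Z')
        return exe_has_marker(buf, len) ? EXE_MARKER : NO_MARKER;
    return com_has_marker(buf, len) ? COM_MARKER : NO_MARKER;
}

/* Growth test from the post: compare an EXE's length before and after running
 * it.  Returns how many 1808-byte copies the growth amounts to, 0 if none. */
long copies_added(long size_before, long size_after)
{
    long grew = size_after - size_before;
    return (grew > 0 && grew % VIRUS_LEN == 0) ? grew / VIRUS_LEN : 0;
}

/* Usage: scan FILE...   Exit status is 1 if any file carries the marker. */
int main(int argc, char **argv)
{
    int i, hits = 0;
    for (i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        unsigned char *buf = NULL;
        long n = -1;
        if (!f) { perror(argv[i]); continue; }
        if (fseek(f, 0, SEEK_END) == 0 && (n = ftell(f)) >= 0) {
            rewind(f);
            buf = malloc(n > 0 ? (size_t)n : 1);
        }
        if (buf && fread(buf, 1, (size_t)n, f) == (size_t)n) {
            enum verdict v = scan_image(buf, (size_t)n);
            printf("%s: %s\n", argv[i], v != NO_MARKER
                   ? "sUMsDos marker found" : "no marker found");
            hits += (v != NO_MARKER);
        }
        free(buf);
        fclose(f);
    }
    return hits ? 1 : 0;
}
```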

------------------------------

Date: Wed, 27 Jan 1988  00:56 MST
From: Keith Petersen <W8SDZ@SIMTEL20.ARPA>
Subject: Virus (Trojan) protection program now available from SIMTEL20

Now available via standard anonymous FTP from SIMTEL20...

Filename            Type  Bytes     CRC

Directory PD1:<MSDOS.DSKUTL>
FLUSHOT2.ARC.1           BINARY      5539  AFA8H

Here are some comments from the author, Ross Greenberg:

There exists a low-level form of dirt who gets joy out of destroying
your work.  They release a program, typically called a 'Trojan Horse',
which is designed to erase or otherwise damage your disks.

The programs are released into the public domain and typically are
downloaded or distributed exactly as you may have received this file.
Once run, they would print some sort of self-congratulatory message
and proceed to erase your data.  Obviously, these types of programs are
Not A Good Thing, and should be avoided.  However, usually you'll only
know you've been bit by a trojan after the fact.

Recently, a new breed has been developed.  Called a 'virus', it
infects all disks that it sees with a copy of itself, and then each of
these copies is capable of infecting all disks that *they* see.

Eventually, at some predetermined instance (a date, a time, a certain
number of copy operations), the virus attacks and destroys whatever
disks it can.  By this time, though, the virus has spread, and a
friend's machine may also be infected, infecting the disks of their
friends and so forth.

It was to counter just such a program that the enclosed program,
called FLU_SHOT, was developed.  The current virus making the rounds
infects the command processing program called "COMMAND.COM".  Every
bootable DOS disk must have a copy of this file.  FLU_SHOT examines
each write and will not allow a write operation to the COMMAND.COM
file to take place without your permission.  Normally, there should
never be a write operation to this file, so it should be effective in
that regard.

To run FLU_SHOT, place a copy of it in your root directory on the disk
you boot your system from.  Additionally, a line to invoke FLU_SHOT
should be placed in your AUTOEXEC.BAT file.

If you find the virus attacking your disk, please try to preserve a
copy of it and to forward it to me at my BBS at (212)-889-6438.  Once
I have a copy of the virus, I should be able to develop another
program which would serve as a vaccine.

Please be aware that there is a possibility that, if FLU_SHOT
determines a write operation taking place to your COMMAND.COM, it
*may* be a legitimate one ---- check the currently running program.
FLU_SHOT may indicate that a TSR program you're running seems to be
causing a problem.  If this happens to you, and you're sure the TSR
you're running is a valid one, then merely place the FLU_SHOT
invocation line in your AUTOEXEC *after* the TSR invocation line.

Additionally, FLU_SHOT can not determine whether your current
COMMAND.COM is infected, only if a COMMAND.COM is about to be
infected.

The odds of you being hit with this virus are slim, but running
FLU_SHOT should keep this particular incarnation of the virus from
infecting your disks.

Ross M. Greenberg
(212)-889-6438 24hr BBS, 2400/1200,N,8,1

-----
Note from Keith:  This program is legitimate.  Ross is a personal
friend whose programming skills I highly respect.

--Keith Petersen
Arpa: W8SDZ@SIMTEL20.ARPA
Uucp: {decwrl,harvard,lll-crg,ucbvax,uunet,uw-beaver}!simtel20.arpa!w8sdz
GEnie: W8SDZ

------------------------------

Date: Tue, 26 Jan 1988 09:28-EST
From: firth@SEI.CMU.EDU
Subject: Calendar calculations

> I would like to know the formula for calculating the day of the week for
> any given date.

If you have a specific RANGE of dates in mind (eg any date in the 20th
century), then a lookup table is by far the fastest way.  Have one table
for the years, and one each for the months in a leap year and a normal
year.  The first records the number of days between base date and 1 Jan for
that year; the others record number of days between 1 Jan and the start of
that month.

Add up year_table[year], month_table[month], and day; you have the number
of days since base date, and hence (modulo 7) the day of the week.

If you don't have a specific range of dates, watch out for the century
years, and for the change from Julian to Gregorian reckoning.
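
The table method described in the message above, as an added example that is not part of the original digest.  It assumes the 20th century (1901-2000) as the range and 1 Jan 1901 (a Tuesday) as the base date; the function and table names other than year_table are hypothetical.

```c
#include <stdio.h>

#define BASE_YEAR 1901     /* table range: the 20th century, 1901..2000 */
#define LAST_YEAR 2000
#define BASE_WEEKDAY 2     /* 1 Jan 1901 was a Tuesday (0 = Sunday) */

/* Days between 1 Jan and the start of each month, normal and leap year. */
static const int month_table_normal[12] =
    {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
static const int month_table_leap[12] =
    {0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335};
static const int month_len[12] =
    {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
static const char *const day_names[7] =
    {"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"};

/* Days between the base date and 1 Jan of each year, filled on first use. */
static long year_table[LAST_YEAR - BASE_YEAR + 1];
static int tables_ready = 0;

/* Inside 1901..2000 every fourth year is a leap year (2000 included), so the
 * century-year exception never applies.  Outside this range it would. */
static int is_leap(int year) { return year % 4 == 0; }

static void build_year_table(void)
{
    long days = 0;
    int y;
    for (y = BASE_YEAR; y <= LAST_YEAR; y++) {
        year_table[y - BASE_YEAR] = days;
        days += is_leap(y) ? 366 : 365;
    }
    tables_ready = 1;
}

/* Returns 0..6 (0 = Sunday), or -1 for an invalid date or one outside the table. */
int day_of_week(int year, int month, int day)
{
    const int *month_table;
    int last;
    if (year < BASE_YEAR || year > LAST_YEAR || month < 1 || month > 12)
        return -1;
    last = month_len[month - 1] + (month == 2 && is_leap(year));
    if (day < 1 || day > last)
        return -1;
    if (!tables_ready)
        build_year_table();
    month_table = is_leap(year) ? month_table_leap : month_table_normal;
    /* year offset + month offset + day, modulo 7, shifted by the base weekday */
    return (int)((year_table[year - BASE_YEAR] + month_table[month - 1]
                  + (day - 1) + BASE_WEEKDAY) % 7);
}

int main(void)
{
    /* The date on this digest's header line. */
    printf("8 Feb 1988 was a %s\n", day_names[day_of_week(1988, 2, 8)]);
    return 0;
}
```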

------------------------------

Date: Tue, 26 Jan 88 10:12:11 est
From: Dave Sill <dsill@NSWC-OAS.arpa>
Subject: Copyright Revisited

>> If it does not have a proper copyright notice along the lines of
>> "Copyright (c) 198x by somebody or something" then it is in the public
>> domain.
>
>Wrong.

A basis for your statement would be helpful here.  The following
excerpt is from an article on copyrights (written by a lawyer) I
picked up from sri-nic (I can't remember which directory).

>...  The one thing you
>must do, however, is protect your copyright by including a copyright
>notice on every copy of every program you sell, give away, lend out,
>etc.  If you don't, someone who happens across your program with no
>notice on it can safely assume that it is in the public domain (unless
>he actually knows that it is not).

I'll be glad to send out copies of this copyright article upon request.

------------------------------

Date: Tue, 26 Jan 88 14:36:01 EST
From: rochester!srs!dan@rutgers.edu
Subject: Problems with FANSI-CONSOLE: try NANSI.SYS

Phillip Burton asks
>  Are there substitutes for FANSI that improve screen display, but don't
>  affect the keyboard buffer?

My driver NANSI.SYS is a substitute for ANSI.SYS which does much less
mucking around with BIOS and the keyboard than FANSI-CONSOLE.
It's available wherever fine public-domain software is sold :-)

------------------------------

Date: 26 Jan 88 18:18:59 GMT
From: Kelly Roney <kr@mrmarx.uucp>
Subject: Program Name in the PSP

C08922DB%WUVMD.BITNET@CUNYVM.CUNY.EDU (Don Branson) writes:
>  I understand that the program name is supposed to be available under
>DOS versions 3.00 and above- but it isn't in the PSP. Where is it?

According to p. 7-7 of the DOS Technical Reference for v3.1 (verified by
my own experience), the program's environment is pointed to at offset 2CH
of the PSP.  The environment strings are null-terminated, and then the
environment itself is null-terminated.  Following the two nulls is a count
of some unspecified words, which may be a long (I don't recall).  Following
that is a null-terminated string containing the fully qualified path name
of the file being executed.

Kelly Roney                   {uunet,alliant,masscomp}!mrmarx!kr
51 Spinelli Place             (617) 576-7121
Decision Software Co.
Cambridge, MA  02138

[In addition, the program PD1:<msdos.sysutl>PMAP.arc from SIMTEL20 prints
out the name of all programs that reside in memory.  gph]
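
A bounds-checked walk of the environment layout described in the message above, as an added example that is not part of the original digest.  It runs on a constructed sample block rather than on live DOS memory, assumes the count after the two nulls is a 16-bit little-endian word, and the function name is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of an environment block as the post lays it out. */
static const unsigned char SAMPLE_ENV[] =
    "COMSPEC=C:\\COMMAND.COM\0"
    "PATH=C:\\DOS;C:\\TOOLS\0"
    "\0"                      /* empty string: end of the environment */
    "\x01\x00"                /* assumed 16-bit count of strings that follow */
    "C:\\TOOLS\\PMAP.EXE";    /* the literal's implicit NUL terminates the path */

/* Returns a pointer to the fully qualified program path inside env, or NULL
 * if the block is truncated or malformed.  Never reads past env + len. */
const char *program_path_from_env(const unsigned char *env, size_t len)
{
    size_t p = 0;
    const unsigned char *nul;
    unsigned count;

    /* Skip the NAME=value strings; each must be terminated inside the block. */
    while (p < len && env[p] != 0) {
        nul = memchr(env + p, 0, len - p);
        if (nul == NULL)
            return NULL;
        p = (size_t)(nul - env) + 1;
    }
    if (p >= len)
        return NULL;                 /* terminator of the environment missing */
    p++;                             /* step over that second null */

    if (len - p < 2)
        return NULL;                 /* no room for the count word */
    count = env[p] | ((unsigned)env[p + 1] << 8);
    p += 2;
    if (count == 0)
        return NULL;                 /* nothing follows the environment */

    /* The path itself must also be terminated inside the block. */
    if (memchr(env + p, 0, len - p) == NULL)
        return NULL;
    return (const char *)(env + p);
}

int main(void)
{
    const char *path = program_path_from_env(SAMPLE_ENV, sizeof SAMPLE_ENV);
    printf("program path: %s\n", path ? path : "(not found)");
    return 0;
}
```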

------------------------------

Date: 25 Jan 88 19:39:51 GMT
From: SWARBRICK FRANCIS JOHN <swarbric@tramp.Colorado.EDU>
Subject: Turbo C Date Conversion

In article <454@picuxa.UUCP> rcr@picuxa.UUCP (Richard Court ) writes:
:I am writing a program to list directory attributes.  I am using the
:"findfirst" and "findnext" routines to extract file information for me
:and then "strcpy" data out of the "ffblk" structure to fill my arrays.
:
:What I can't figure out is how to convert the file date and time.  They
:are placed in the ffblk structure as packed integers and I'll be damned
:if I can figure out a way to get them into strings!

Get a good DOS programming book such as "Advanced MS-DOS."  I would tell
you exactly how, except I am at school and the book is at home.  It's a
very good book to have, anyway.

Frank Swarbrick (and his cat)
swarbric@tramp.UUCP               swarbric@tramp.Colorado.EDU
...!{hao|nbires}!boulder!tramp!swarbric
    "No one can hear when you're Screaming in Digital!"

------------------------------

Date: Tue, 26 Jan 88 01:24:21 +0100
From: mcvax!olnl1!inno@uunet.UU.NET
Subject: 80486

Hi there,

While the 386-wave is overwhelming computerland, the first rumours of the
Intel 80486 are popping up.  Does anybody out there in netland know
something more about this next hot item ?

                         Inno Frencken
                         Olivetti Nederland BV

------------------------------

Date: Fri, 22 Jan 88 14:28:17 MEZ
From: Erich Neuwirth <A4422DAB%AWIUNI11.BITNET@CUNYVM.CUNY.EDU>
Subject: Book Search

I remember having read about a book (already 2 volumes) describing the file
formats of many commonly used programs like LOTUS, WORD.....

I cannot find a reference to these books now.  Can anybody point me towards
these books?

Erich Neuwirth

A4422DAB  at  AWIUNI11  in BITNET

------------------------------

Date: 25 Jan 88 22:34 GMT
From: WASHBURN @ Walker-EMH.arpa
Subject: Floppy/Hard drive configuration for XT

A friend of mine and I are trying to put together an XT clone using parts
from JDR Microdevices, a mail order firm in San Jose Calif.

   The motherboard will be a standard 8 slot turbo motherboard.  Here is
the drive configuration desired.

     Drive A   1.2 Meg Floppy
     Drive B   360K    Floppy
     Drive C   30 Meg  hard disk drive RRL w/ST-238
Opt  Drive D   30 Meg  Hard disk drive RRL w/ST-238   same controller
     Drive E   720K    3 1/2  " floppy

We realize that this might require 3 controller cards. Is it possible to do
something like this with one Floppy controller (4 drives) and one hard RRL
controller?

Questions 1. Has anybody done something like this or similar?
          2. Which Floppy controller is best for the above config?
          3. How can you configure a Taiwan Floppy controller card
             to be drives E and F instead of A and B.

Washburn @ Walker-EMH.ARPA

------------------------------

Date: Fri, 22 Jan 88 14:21:26 MEZ
From: Erich Neuwirth <A4422DAB%AWIUNI11.BITNET@CUNYVM.CUNY.EDU>
Subject: Keyboard driver under Windows

I have a problem with keyboards.  Currently (under DOS 3.3) I am using a
modified keyboard driver giving a normal US layout with umlauts on some
Alt-keys.  So I can have a normal (English) keyboard and still additionally
use German special characters.  The ideas for that driver are from the book
"The IBM-PC from the Inside Out" by Murray Sargent and another author (it
is from Addison Wesley, I think).  That driver program alone was worth
buying the book, but I think it is very good otherwise also.

The driver program does not work any more under Windows.  Can anybody give
me some hints how to get a solution for my problem under Windows?

I am not content with installing a German keyboard.

Erich Neuwirth
A4422DAB  at   AWIUNI11  in  BITNET

------------------------------

Date: 24 Jan 88 15:32:09 GMT
From: John Robinson <robinson@dalcsug.uucp>
Subject: Turbo C 1.5 Upgrade

I just received my copy of Turbo C 1.5 the other day.  I've been waiting
for it since sometime in mid-November 87.  Turbo Pascal 4.0 arrived very
shortly thereafter as well, it was ordered around the same time.

   I think I know why it took so long for mine to show up at least, and I'm
rather surprised they showed up at all.  You see, I live in Halifax, Nova
Scotia, Canada.  Borland sent both packages to Halifax, New Brunswick,
Canada.  There is, to my knowledge, no city named Halifax in New Brunswick.

   Has anyone else experienced the same problem?

   I must say, I am very impressed with the product.  Normally in an
upgrade of this sort one expects the additional pages to be stapled
together or attached in some other equally clumsy fashion.  The addendum
for TurboC is nicely bound and matches my 1.0 manuals.  Installation was a
snap.

   I have only looked at the graphics functions in the manual, but they
look truly awesome.  I am impressed.

   For those of you waiting for a source code debugger, the letter I got
with my upgrade said TurboC would be the first product to benefit from
Borland's debugging technology in the first quarter of 88.  I can't wait.

------------------------------

Date: Tue 26 Jan 1988 12:36:42 EST
From: <JORDAN@LL.ARPA>
Subject: VT-100 Emulation

I am looking for a program that will do FULL VT-100 terminal emulation and
Kermit file transfer.  At the moment I use Kermit as the basic terminal
emulator and file transfer system, and I change the keypad keys to send the
VT-100 escape sequences by modifying the MSKERMIT.INI file.  By installing
the console driver ANSI.SYS I seem to get most, but not all of the
returning escape sequences correctly interpreted.  The cursor positioning
commands work, but some of the others associated with in-line inserts and
deletes do not.

  I tried using NANSI.SYS, which I FTP'ed from SIMTEL20.  This seems to do
a better job on the inserts, but fails to recognise the sequence <ESC>H
<ESC>J as a 'clear screen' command.  Does anyone know of a console driver
that will recognise ALL of the VT-100 escape commands?  Alternatively, I
could use a separate VT-100 emulation program for editing, and revert to
Kermit for file transfer, if I could get such a program.

Thanks in advance for your help.

Mike Jordan      <JORDAN at LL.ARPA>

------------------------------

Date: 22 Jan 88 16:38:46 GMT
From: Leonard Vanek <len@array.uucp>
Subject: Wanted: a program to build a call graph for C

Does anybody have a public domain or "copylefted" program or awk script
that constructs some sort of encoding (graph, nested listing, etc.) of the
calling structure of either a single C source file or, preferably, a
collection of such files.

I know that this information is included (obscured by a much higher volume
of ordinary cross reference information) in the output of "cxref", which is
included with some Unix systems.  However, our Sun seems to lack cxref even
though it has pxref!

Failing the existence of such a tool, does anybody have a yacc grammar for
C that I can use to build my own call graph constructor?

Thanks.

--------------------------------------------------------------------
Leonard Vanek                  UUCP: ... utzoo!dciem!array!len
Array Systems Computing Inc.     or  ... {utzoo,watmath}!lsuc!array!len
5000 Dufferin St. Suite 200    INTERNET: len@array.UUCP
Downsview, Ont. M3H 5T5        Phone: (416) 736-0900
Canada                         FAX:   (416) 736-4715

------------------------------

Date: Tue, 26 Jan 88 18:12:12 PST
From: Todd Booth <todd@SEAS.UCLA.EDU>
Subject: Where to get IBM PC DOS software via FTP Hosts

Hi.

I'm trying to find out what IBM PC DOS software is available on the network
via FTP.  Could someone provide me with a list of the major hosts which
have public domain or shareware software.  I'm already aware of simtel20.

--todd booth / ucla data comm

ArpaNet      booth@oac.ucla.EDU / todd@seas.ucla.EDU
BitNet       csdctgb@uclamvs.bitnet
UUCP         {ihnp4,ucbvax}!ucla-cs!todd
UCLA LAN BBS 1200 bps (213) 206-1430
Voice        +1 (213) 825-1933
USnail       Todd Booth / UCLA Data Communications / 5628 MSA
             Los Angeles, CA  90024-1557 / USA

[How about replying to Info-IBMPC@Walker-EMH.arpa in addition to replies to
Todd?  I'm sure there are others out there that would like the same
information.  I know I would.  gph]

------------------------------

Date: Wed, 27 Jan 88 09:44:15 IST
From: "Paul Nolan" <SCST2017@IRUCCIBM>
Subject: Turbo Pascal -- Terminate and Stay Resident.

Could anyone tell me if there is a way to make a Turbo Pascal program
resident in memory, and if so how. I have tried using the TSR interrupt in
MS-DOS but without success. Thanx in advance.

                Paul (Scst2017@iruccibm).

------------------------------

************************
End of Info-IBMPC Digest
-------