jpl5@cunixb.cc.columbia.edu (Jay P Lessler) (10/31/90)
After reading the message here about a possible virus in cursor.zip (The file that changes the mouse pointer, from cica) I checked my hard disk with Norton Utilities' Speed Disk. It seems that some program has been allocating blocks as unmovable. Since everything that I run is also being run on my friend's pc, except cursor.zip, I believe curse.exe contains a virus. Can anyone else who has run curse.exe check for extra unmovable blocks? If you have definitive proof that curse.exe contains a virus, please e-mail me the name of the virus so that I can kill it. Thanks --Jay Lessler
mr@ogre (Michael Regoli) (10/31/90)
In <1990Oct30.200205.1245@cunixf.cc.columbia.edu> jpl5@cunixb.cc.columbia.edu (Jay P Lessler) writes: > After reading the message here about a possible virus in cursor.zip (The file > that changes the mouse pointer, from cica) I checked my hard disk with > Norton Utilities' Speed Disk. It seems that some program has been allocating > blocks as unmovable. Since everything that I run is also being run on my > friend's pc, except cursor.zip, I believe curse.exe contains a virus. Now just hold on a minute! That "program" that is allocating blocks as unmovable could be DOS! If you are using version 5.0 of Norton's SpeedDisk program, look under the "Information/Show Static Files" menu. I'll bet what you'll find as "unmovable" are COMMAND.COM, IBMBIO.COM, IBMDOS.COM, and any other file that has one of the following attributes: hidden, read-only, or system. (Under 4.5 of SpeedDisk, there is a similar menu under "Statistics" or some such that shows unmovable files.) Let's get a little more information before jumping off the deep end. I've tested CURSE.EXE on my system when it arrived in late July. No problems whatsoever. If anyone has any evidence that pub/pc/win3/util/cursor.zip contains a virus, please contact me immediately. -- michael regoli mr@cica.indiana.edu regoli@iubacs.bitnet ...rutgers!iuvax!cica!mr
bien@venice.SEDD.TRW.COM (Frank E. Bien) (11/02/90)
In article <1990Oct30.200205.1245@cunixf.cc.columbia.edu> jpl5@cunixb.cc.columbia.edu (Jay P Lessler) writes: > >After reading the message here about a possible virus in cursor.zip (The file > that changes the mouse pointer, from cica) I checked my hard disk with > Norton Utilities' Speed Disk. It seems that some program has been allocating > blocks as unmovable. Since everything that I run is also being run on my > friend's pc, except cursor.zip, I believe curse.exe contains a virus. Can > anyone else who has run curse.exe check for extra unmovable blocks? If you > have definitive proof that curse.exe contains a virus, please e-mail me the > name of the virus so that I can kill it. > >Thanks >--Jay Lessler I also installed CURSE.EXE on my machine. I had _a lot_ of promblems with it. It does wipe out your load= WIN.INI command. I also checked my disk w/norton 5.0. . . I noticed blocks marked as unmovable which normally should not be (ZIPPER.EXE on others). I don't know if CURSE.EXE had anything to do with it, but I also had the problem. It may be premature to say CURSE is a trojan or has a virus. . . but I threw mine away anyway. Only time will tell what will happen. I haven't seen anything more on the subject in COMP.VIRUS, but I'll keep looking. Frank E. Bien TRW Computer Security Services bien@venice.sedd.trw.com
tom@mims-iris.waterloo.edu (Tom Haapanen) (11/02/90)
Frank E. Bien <bien@venice.sedd.trw.com> writes: > [disk problems possibly caused by curse.exe] Well, I have two datapoints: First, scanv67 doesn't think there is a virus in curse.exe. From this, my own experience, and the postings on the net, I would conclude that curse.exe does not contain a virus. Second, after I downloaded curse.exe (quite a while ago), I have used curse.exe on two occasions, separated by several months. About a month after I used it the first time, I found that my E: drive had piles of crosslinked files and lost clusters. I didn't make the connection here, but I eventually ran curse.exe again, and again the disk was messed up. (Not fatally but enough to be a pain.) There have also been several references on the net to it fooling around with the FAT, so I think that it *is* a malicious nasty evil program. :) Could we either remove it from cica, or at least have a warning added to the .zip file about damage possibly caused by using curse.exe? [ \tom haapanen --- university of waterloo --- tom@mims-iris.waterloo.edu ] [ "i don't even know what street canada is on" -- al capone ]
mpd@anomaly.sbs.com (Michael P. Deignan) (11/03/90)
jpl5@cunixb.cc.columbia.edu (Jay P Lessler) writes: > It seems that some program has been allocating > blocks as unmovable. Since everything that I run is also being run on my > friend's pc, except cursor.zip, This reasoning is flawed. There are many reasons why you may have immovable blocks on your hard disk, none of which even remotely is related to a "virus". Instead of posting "ifs", why not download a copy of McAfee's SCAN program from a local BBS or FTP server, and run it on your machine. It will scan your entire hard drive for known viruses, and inform you of their presence. Posting these cries of "possible virus alert" is utterly irresponsible, in light of the fact that you've taken no steps to even determine if a virus is present on your system. MD -- -- Michael P. Deignan / Introducing... -- Domain: mpd@anomaly.sbs.com / MommyCalc: A Spreadsheet so -- UUCP: ...!uunet!rayssd!anomaly!mpd / simple, even a woman can learn -- Telebit: +1 401 455 0347 / how to use it....
bien@venice.SEDD.TRW.COM (Frank E. Bien) (11/06/90)
In article <4196@anomaly.sbs.com> mpd@anomaly.sbs.com (Michael P. Deignan) writes: > > Posting these cries of "possible virus alert" is utterly irresponsible, in >light of the fact that you've taken no steps to even determine if a virus >is present on your system. Don't be so quick to condemn. . . The suggestion that CURSE was a TROJAN (Not a virus!) first came up on COMP.VIRUS. Although writing to the WIN.INI file was mentioned, the main concern was that the file may destroy the FAT table. Also the "unmovable block" problem later came up in this group. I don't know if it is a Trojan, but the possibility does exist. Simply checking it with McAffee's scan67 means nothing. If it is new, McAffee would not know to flag the problem. That's why there's always new versions of SCAN. . . each one looks for newer viruses, etc. Maybe this discussion should be moved to COMP.VIRUS. . . Frank Bien TRW Computer Security Services bien@venice.sedd.trw.com
own@castle.ed.ac.uk (O Morgan) (11/07/90)
In article <1990Nov2.130136.16906@watserv1.waterloo.edu> tom@mims-iris.waterloo.edu (Tom Haapanen) writes: >Frank E. Bien <bien@venice.sedd.trw.com> writes: >> [disk problems possibly caused by curse.exe] I too have a problem with Norton showing a whole load of unmovable blocks which I associate with Curse.exe. I didn't worry about it until recently when I have inexplicably lost some files on my hard disk. Ok I might be getting a bit tired (and paranoid?) and could well have deleted something without being aware of it, but on at least one occasion, there was no hint of the file having previously existed when I tried to recover it with Norton utilities. I don't know anything about how erased names are stored and whether they may occasionally be overwritten, but it seemed unusual. The file (a ZIP archive) certainly existed 2 or 3 days earlier. Something else that's been happening recently is that the PC has taken to hanging from time to time, particularly under Word 5. It is probably unconnected (and 3 months after I used Curse.exe) but worth mentioning in case other people are experiencing similar problems. Finally, I am having problem compiling some pretty simple code in Prolog and MS C. Ok, that will inevitably turn out to be something to do with my programming skills, but in the meantime I can't for the life of me figure out what's wrong with the code (neither can other people I've passed it to, and MS haven't replied (yet?)). The C executable works fine, but the machine hangs soon after exit from the program. The Prolog executable just doesn't find interpreted code, as it is supposed to. Ok, this is all pretty vague and probably unconnected, but I would be interested to know if it sounds at all familiar to anybody. Olly Morgan -- ---------------------------------------------------------------------------- Olly Morgan @ Scottish Agricultural College, Edinburgh EH9 2HH, Scotland Tel: (+44 31) 662 4395 E.Mail: O.Morgan@ed.ac.uk ----------------------------------------------------------------------------
bg11+@andrew.cmu.edu (Brian E. Gallew) (11/09/90)
It's funny, but now that I think of it, just after starting to use Curse MS Word 4.0 started being screwy. I can't run it in graphics mode, and the text mode screen is about 30% larger than my monitor! Even adjusting the picture height to its minimum doesn't make it small enough to fit. I have since stopped using Curse, and re-installed Word, but it still acts the same way. Any ideas? -Brian You drop the bomb -more- It goes off... -more- ------------------------------------------------------------------------- I am *NOT* as think as you dumb I am!! | This space for rent (241-6939) ------------------------------------------------------------------------- Disclaimer: Even I don't agree with myself! ------------------------------------------------------------------------- Please send me mail so I can send you mail so you can send me mail so ... -------------------------------------------------------------------------