[comp.windows.ms] Re: "Curse-virus" orig. article

LK-AP@finou.oulu.fi (11/01/90)

Hello again netreaders,

I found the orig. text about Curse (it was in comp.virus, 12 Oct 90); here it
is. Maybe some virus expert will give us a comment.

So check the text yourself ...

>Newsgroups: comp.virus

>From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
>Subject: Windows Trojan ? (MS-DOS)
>Date: 12 Oct 90 14:38:21 GMT

>        Have not had a chance to verify yet but want to pass on a
>warning: Received a file that allegedly sets the cursor in Windows.
>The file is contained in WINCURS.ZIP and is called CURSE.EXE. It is
>windows aware and will not run under plain DOS except to print a
>message.

>        According to the user, when run under Windows, it modifies the
>LOAD= command in the .INI file so that it is always executed. It is
>said that any information that was in the LOAD= section is trashed.
>
>        Once invoked, files appear to have a copy of the first FAT
>sector written randomly into them. It is said that this affects ANY
>file (executable or data). After a period of time (from the
>description) the FAT is destroyed.

>        I have a copy of the file & as soon as it can be properly
>examined, I will post a full description.
>
>                                        Padgett
-------
    |-------------------------|---------------------------------|
    | Antti Peltonen          | Internet: lk-ap at finou.oulu.fi|
    | University of Oulu      | Bitnet:   lk-ap at finou.bitnet |
    | Computer Services Centre|---------------------------------|
    | Linnanmaa               |   This space for vice taughts   |
    | SF 90570 OULU  FINLAND  |   unintentionally left blank.   |
    |-------------------------|---------------------------------|
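The behaviour Padgett relays suggests two simple defensive checks: audit what the [windows] LOAD= and RUN= lines of WIN.INI start, and look for files that carry a verbatim copy of the first FAT sector. The following Python is an added example, not code from Padgett or anyone in this thread; the WIN.INI text, the FAT sector bytes and the file contents are constructed sample data, and the allowlist is an assumed baseline.

```python
import re
from typing import Dict, List

def parse_ini_section(text: str, section: str) -> Dict[str, str]:
    """Minimal WIN.INI reader: key=value pairs of one [section], keys lower-cased."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip().lower()] = value.strip()
    return result

def unexpected_autostart(win_ini: str, allowed: List[str]) -> List[str]:
    """Programs on the [windows] LOAD= and RUN= lines that are not in the allowlist.
    Windows starts everything named here, which is why the report says CURSE rewrote LOAD=."""
    windows = parse_ini_section(win_ini, "windows")
    baseline = {a.lower() for a in allowed}
    found = []
    for key in ("load", "run"):
        for entry in re.split(r"[ ,]+", windows.get(key, "")):
            if entry and entry.lower() not in baseline:
                found.append(f"{key}={entry}")
    return found

def files_containing_sector(sector: bytes, files: Dict[str, bytes]) -> List[str]:
    """Names of files that embed a verbatim copy of the given disk sector.
    Run with the real first FAT sector to look for the damage Padgett describes."""
    return [name for name, data in files.items() if sector in data]

# Constructed sample data (not from a real disk): a WIN.INI whose LOAD= line was
# replaced, a fake 512-byte first FAT sector (FAT16 media descriptor F8 FF FF FF),
# and three files, one of which carries a copy of that sector in its middle.
SAMPLE_WIN_INI = "[windows]\nload=curse.exe\nrun=\ndevice=HPPCL,hppcl.drv\n[desktop]\nWallpaper=(None)\n"
SAMPLE_FAT_SECTOR = b"\xf8\xff\xff\xff" + (bytes(range(256)) * 2)[:508]
SAMPLE_FILES = {
    "clock.exe": b"MZ" + bytes(300),
    "notes.txt": b"quarterly notes\r\n" * 20,
    "report.doc": b"A" * 100 + SAMPLE_FAT_SECTOR + b"B" * 50,
}

if __name__ == "__main__":
    print(unexpected_autostart(SAMPLE_WIN_INI, ["clock.exe"]))
    print(files_containing_sector(SAMPLE_FAT_SECTOR, SAMPLE_FILES))
```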

mr@ogre (Michael Regoli) (11/03/90)

In <90305.084851LK-AP@finou.oulu.fi> LK-AP@finou.oulu.fi writes:

>>Newsgroups: comp.virus

>>From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
>>Subject: Windows Trojan ? (MS-DOS)
>>Date: 12 Oct 90 14:38:21 GMT
>> ...
>>  Once [CURSE is] invoked, files appear to have a copy of the
>>  first FAT sector written randomly into them. It is said that
>>  this affects ANY file (executable or data). After a period of
>>  time (from the description) the FAT is destroyed.

cursor.zip has been removed from the archives here at
cica.cica.indiana.edu. 

--
michael regoli
mr@cica.cica.indiana.edu 
regoli@iubacs.bitnet
...rutgers!iuvax!cica!mr

todd@ivucsb.sba.ca.us (Todd Day) (11/03/90)

mr@ogre (Michael Regoli) writes:
%cursor.zip has been removed from the archives here at
%cica.cica.indiana.edu. 

Has anyone proven anything about curses?  I've been using it for over
a month on three different machines with no problems...

-- 
Todd Day |   todd@ivucsb.sba.ca.us   |  ucsbcsl!ivucsb!todd

Zen koan:
		*finger = moon;		/* finger != moon */

keating@rex.cs.tulane.edu (John W. Keating) (11/04/90)

white@csvax.cs.ukans.edu (Kevin S. White) writes:

>       I'm also waiting to see if anyone can "prove" that CURSE.EXE is
>infected.

    I think that the general consensus is that if something is wrong with
the curse program, it is a trojan, and not a virus.

>       I've used it since the summer, and have never had trouble with it.

    I'm beginning to believe that it was a false alarm, myself.  The fact
that it overwrites the Load= line in win.ini probably had a large part to
do with the scare.  I have removed it from my directory, however, both
because I actually found that I preferred the arrow, and that it is better
to be safe than sorry.  (Decide for yourself what you are going to do.)

>This discussion reminds me of the (typical) Macintosh user who, when faced
>with what s/he feels is a strange event, lunges for the anti-virus software.
>I can't find a single Macintosh on campus that doesn't have some kind of
>detection software installed.  I also can't find more than 2 or 3 MSDOS users
>who have actually been hit by a virus.  Still waiting for the proof...

    I, too, have noticed that lack of actual proven viruses that have
appeared around here on PC's.  On the other hand, Macs do have a *big*
problem with them.  I don't know how many times I've scanned a disk on
one of our systems here, and found that the disk needed to be "sanitized."
Apparently, it is because of how the mac shares information or some such.
(Never did like the buggers anyway...  :^)

    John Keating
-- 
Signature, part XVII...  Coming soon, to a site near you...
    John Keating, keating@rex.cs.tulane.edu

ntaib@silver.ucs.indiana.edu (Nur Iskandar Taib) (11/06/90)

*>    I, too, have noticed that lack of actual proven viruses that have
*>appeared around here on PC's.  On the other hand, Macs do have a *big*
*>problem with them.  I don't know how many times I've scanned a disk on
*>one of our systems here, and found that the disk needed to be "sanitized."
*>Apparently, it is because of how the mac shares information or some such.
*>(Never did like the buggers anyway...  :^)

We did have a rather bad outbreak of the Jerusalem B
virus at our public clusters some time ago. But it's
true, Macs are so much more susceptible to viruses, and
I think it's more due to how the USERS behave (they are
more likely to trade software than IBM users).

-------------------------------------------------------------------------------
Iskandar Taib                        | The only thing worse than Peach ala
Internet: NTAIB@AQUA.UCS.INDIANA.EDU |    Frog is Frog ala Peach
Bitnet:   NTAIB@IUBACS               !

rzi@philpav.tds.philips.se (Roman Zielinski) (11/06/90)

There have been some discussions about curse.exe. One of them was about the
*unmovable* blocks as reported by Norton's *sd*.

I made some investigations on my 386SX (Award BIOS) and found that indeed
there were four non-movable areas on my disk.
	- io.sys		(the old boot friend)
	- msdos.sys		(one more old boot friend)
	- \windows\msdos.exe	(Why non-movable? Que?)
	- garbage from crashed win-session (could be removed by *chkdsk /f *)

Now something very *funny*:
    If I rename \windows\msdos.exe to msdos1.exe it ceases to be non movable!
    When I rename it back to msdos.exe it is non-movable again.

I compared the file with the original  on distribution  disks and did not
find any strange things. (NB You must uncompress them by *expand.exe*, 
also on win3.0 distribution disks).

    One more strange thing is that my other 386 system
    (= Philips 3345/100MB + 386SX, which has almost the same software,
    but another HW and BIOS) did not have the same behaviour (i.e. on unmovable blks).

****** can someone explain what's going on? *******

Tanks,
Roman

+-------------------------------------------+           _--~--_
| Roman M. Zielinski                        |   ----   /       \   ----
| Philips Tele & Data System AB             |  ----   (  |^^^|  )   ----
| S-115 84 Stockholm, Sweden                |   ----   \  \ /  /   ---
| tel +46 8 782 1373                        |           |=====|
+-------------------------------------------+           |=====|
| NET ADDR:  rzi@pav.tds.philips.se         |           |=====|
+-------------------------------------------+            ~~U~~

bien@venice.SEDD.TRW.COM (Frank E. Bien) (11/07/90)

In article <70038@iuvax.cs.indiana.edu> ntaib@silver.ucs.indiana.edu (Nur Iskandar Taib) writes:
>*>    I, too, have noticed that lack of actual proven viruses that have
>*>appeared around here on PC's.  On the other hand, Macs do have a *big*
>*>problem with them.  I don't know how many times I've scanned a disk on
>*>one of our systems here, and found that the disk needed to be "sanitized."
>*>Apparently, it is because of how the mac shares information or some such.
>*>(Never did like the buggers anyway...  :^)

There are over 300 variants to the 65 main MSDOS viruses documented.
There are only 30 variants to 10 main MAC viruses known.  

While it is true that the MAC viruses seem to spread faster, I wouldn't
forget about the MSDOS threat.  It seems the MAC viruses are usually
harmless. . . The MSDOS variants are far more destructive in nature.

I would prefer to have neither.

Frank Bien
TRW Computer Security Services
bien@venice.sedd.trw.com
  

risto@tuura.UUCP (Risto Lankinen) (11/07/90)

rzi@philpav.tds.philips.se (Roman Zielinski) writes:

>I made some investigations on my 386SX (Award bios) and found that indeed 
>there was four non-movable areas on my disk.
>	- io.sys		(the old boot friend)
>	- msdos.sys		(one more old boot friend)
>	- \windows\msdos.exe	(Why non-movable? Que?)
>	- garbage from crashed win-session (could be removed by *chkdsk /f *)

>Now something very *funny*:
>    If I rename \windows\msdos.exe to msdos1.exe it ceases to be non movable!
>    When I rename it back to msdos.exe it is non-movable again.

Hi!

In DOS, each 'device' has a name, which is in the beginning of its .SYS file.
Now, regarding MSDOS.SYS and IO.SYS, they are considered no different
from *real* device drivers, in the sense that their names become reserved
words in the system.  Many CONFIG.SYS-installed device drivers therefore
have names which would not collide with file names (for example, HIMEM
defines XMSXXXX0 as its 'device name').

In your system, MSDOS.SYS possibly uses simply 'MSDOS' for its 'device
name', thereby either preventing or at least modifying accesses to any
file named MSDOS.??? .  Would the problem persist if you created a file
named MSDOS.TXT?  If it did, then that was the reason.

>    but another HW and BIOS did not have the same behaviour
>    (ie on unmovable blks)

Well, the other system uses IBMDOS.COM and IBMBIO.COM for its system files?

>Tanks,
>Roman

Containers,  :->
Risto
-- 
Risto Lankinen / product specialist ***************************************
Nokia Data Systems, Technology Dept *  2                              2   *
THIS SPACE INTENTIONALLY LEFT BLANK * 2 -1 is PRIME!  Now working on 2 +1 *
replies: risto@yj.data.nokia.fi     ***************************************
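Risto's explanation rests on a real DOS rule: a file name is matched against the device-name table on its stem alone, so CON.TXT, NUL.EXE and the like resolve to the device whatever the extension. The following Python is an added example, not code from Risto or anyone in this thread; it models that lookup, and treats the 'MSDOS' device name as the assumption Risto makes about that one machine, not as established fact.

```python
from typing import FrozenSet, Optional

# Device names every DOS system reserves; a CONFIG.SYS driver adds its own
# (HIMEM's XMSXXXX0 is the example Risto gives).
STANDARD_DEVICES: FrozenSet[str] = frozenset(
    ["CON", "AUX", "PRN", "NUL", "CLOCK$"]
    + [f"COM{n}" for n in range(1, 5)] + [f"LPT{n}" for n in range(1, 4)]
)

def dos_stem(path: str) -> str:
    """The 8.3 'name' part DOS compares with device names: the last path component,
    up to the first dot, trailing blanks stripped, upper-cased, at most 8 characters."""
    component = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return component.split(".", 1)[0].rstrip(" ").upper()[:8]

def device_name_for(path: str, extra_devices: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the device a path would be redirected to, or None for an ordinary file.
    The extension is ignored entirely, which is what would make MSDOS.EXE special if a
    driver called 'MSDOS' were installed, while MSDOS1.EXE is untouched."""
    stem = dos_stem(path)
    devices = STANDARD_DEVICES | {d.upper() for d in extra_devices}
    return stem if stem in devices else None

def safe_to_create(path: str, extra_devices: FrozenSet[str] = frozenset()) -> bool:
    """Defensive check before writing a user-supplied file name on a DOS-style system."""
    return device_name_for(path, extra_devices) is None

if __name__ == "__main__":
    hypothetical = frozenset({"MSDOS"})       # Risto's assumption about Roman's system
    for name in (r"C:\windows\msdos.exe", r"C:\windows\msdos1.exe", "con.txt", "report.txt"):
        print(name, "->", device_name_for(name, hypothetical))
```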