[comp.virus] Ohio Virus found at UTMB

perry@beach.gal.utexas.edu (John Perry KG5RG) (10/11/90)

	Just a quick note to let everyone know that several IBM and
compatible PC's here at the University of Texas Medical Branch in
Galveston, Texas have been infected with the OHIO virus. I have not yet
attempted to remove the virus and I would like any suggestions on the
best way to go about it. I have the McAfee products. I will try them
first. Anybody have any thoughts or suggestions?

                              John Perry KG5RG
                              University of Texas Medical Branch
                              Galveston, Texas  77550-2772

You can send mail to me at any of the following addresses:

DECnet   : BEACH::PERRY
THEnet   : BEACH::PERRY
Internet : perry@beach.gal.utexas.edu
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::MBIAN::PERRY

FEDERMAN@CVAX.IPFW.INDIANA.EDU (ALAN N. FEDERMAN) (10/16/90)

In response to:

(Reply-To:     VIRUS-L@IBM1.CC.LEHIGH.EDU
From:         "The Moderator Kenneth R. van Wyk" <krvw@CERT.SEI.CMU.EDU>
Subject:      VIRUS-L Digest V3 #170
 VIRUS-L Digest   Monday, 15 Oct 1990    Volume 3 : Issue 170)

>Date:    11 Oct 90 16:52:24 +0000
>From:    perry@beach.gal.utexas.edu (John Perry KG5RG)
>Subject: OHIO virus found at UTMB (PC)
>
>	Just a quick note to let everyone know that several IBM and
>compatible PC's here at the University of Texas Medical Branch in
>Galveston, Texas have been infected with the OHIO virus. I have not yet
>attempted to remove the virus and I would like any suggestions on the
>best way to go about it. I have the McAfee products. I will try them
>first. Anybody have any thoughts or suggestions?
>
>                              John Perry KG5RG
>                              University of Texas Medical Branch
>                              Galveston, Texas  77550-2772

Reply:

I have run a PC lab "virus free" for the last three years. We use a
Novell network, with student PCs equipped with auto-bootup ROMs on the
network cards. The students cannot write to the server hard disk, only
access applications and data. The student PCs do not have hard disks.
No floppies are handed out by staff. Students can download shareware
and licensed software.  They cannot make a DOS diskette. We also run
the McAfee program (WE ARE LICENSED FOR IT!). A student can check a
floppy for possible infection.

We recently won a NACUBO cost reduction incentive award for this Lab.
We have stayed virus free. Other labs in this school have been
clobbered repeatedly. I don't know how you could enforce a perimeter
defense.  Do you intend to screen every floppy coming in the door?
Pretty labor intensive, as well as annoying to customers. Run memory
resident virus checking programs? Those TSRs may interfere with other
applications.

 =============================================================================
[                                                                             ]
[          Alan Federman                                                      ]
[                                                                             ]
[ Coordinator of Academic Computing                                           ]
[ Indiana University - Purdue University at Fort Wayne                        ]
[ bitnet:    FEDERMAN@IPFWCVAX                                                ]
[ internet:  FEDERMAN@CVAX.IPFW.INDIANA.EDU                                   ]
[                                                                             ]
[ "It's supposed to be automatic, but you really have to press this Button."  ]
[               - John Bruner                                                 ]
[                                                                             ]
 ==============================================================================

perry@mbian.gal.utexas.edu (John Perry KG5RG) (10/18/90)

     A few days ago, I announced that the OHIO virus has infected
several PCs here at UTMB. Well, there is a whole new twist to the
story now.

     After consulting with John McAfee and running a few tests,
it has been determined that in the proper environment, the OHIO
virus changes from a relatively benign virus into a potent disk
destroyer!

     The virus was discovered on several 5.25 inch floppy disks
on a PC connected to a VAX 8250 using DECnet DOS 2.1. Almost all
diskettes used on the PC after infection were damaged so badly
that they had to be completely re-formatted before they were
usable again. In addition, the virus was also discovered on
several 3.5 inch floppies. The virus isn't supposed to be able to
do this!

     Apparently the combination of the OHIO virus and DECnet DOS
2.1 creates a contention between the TSRs that causes havoc. I
hope someone out there in VIRUS-L land can reproduce this problem
and either confirm or refute my findings.

                              John Perry KG5RG
                              University of Texas Medical Branch
                              The Marine Biomedical Institute
                              200 University Blvd. H-43
                              Galveston, Texas  77550-2772
                              Voice : (409) 761-2124
                              FAX   : (409) 762-9382

You can send mail to me at any of the following addresses:

DECnet   : MBIAN::PERRY
THEnet   : MBIAN::PERRY
Internet : perry@mbian.gal.utexas.edu
BITNET   : PERRY@UTMBEACH
SPAN     : UTSPAN::UTADNX::MBIAN::PERRY