HAYES%urvax.urich.edu@vma.cc.cmu.edu (10/05/90)
Hello Ken.

Following is a translation of a posting in German from one of the previous virus-l digests. Not knowing if this can be inserted directly to the list, I send it to you. I hope I did not make a mistake doing so. The person who did the translation is Tom Bonfiglio, one of our German professors.

Regards,

Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                    (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu            (Bitnet or Internet)
Richmond, VA 23173       ...!psuvax1!urvax.bitnet!hayes   (UUCP)

- --- begin forwarded translation

Help against "magic cape" viruses:

The infamous 4096 - alias the Frodo virus, which resides in the main memory and makes itself invisible to all operational utilities (cf CW 33 of Aug. 17 1990 p. 10), has an Achilles heel - namely the fact that it is invisible. When copying an infected program, the copy is, under certain conditions, virus-free. Precondition: the virus resides in the main memory and the extensions or designations are not ones that are normally executable (e.g. COM, EXE, OVL, or SYS). Then the virus filters its code out of the byte flow in order to hide itself. Only the original program code arrives at the destination.

The best thing in this case is to use a compromise program like PKARC. It's not yet certain to what extent it would work with DOS programs COPY and XCOPY. Afterwards the infected program has to be erased, the system has to be booted with a definitely clean diskette, and the copies have to be "decompromised" (?) and labelled with the correct extensions.

Some virus experts issue warnings about this "therapy." Because it's not as simple as it sounds, only those who are familiar with their PC at bit-level should try it. The safest solution is a professional anti-virus program. The newer ones recognize the catalyst (irritant) right away, like, for instance, the virus scanner by Solomon (Findviru), McAfee (Scan) or Skulason (Find-mistake). The anti-virus turbo program by EPG international is capable of getting rid of it, too.

Just two tips:

1. Signature programs and virus scanners should be started only by a guaranteed clean diskette and only after the PC has been booted from a diskette that's just as clean.

2. If the virus becomes active, it won't elicit the message "Frodo Lives" because of a program error. Instead, the "counter" (computer?) disconnects.