COS99284%UFRJ.BITNET@VMA.CC.CMU.EDU (Luiz Felipe Perrone) (09/27/89)
A few weeks ago I received one VIRUS-L digest (unfortunately I do not remember which one) which had the signatures of two versions of the Datacrime virus. I happened to loose the listings and to make matters worse I found out I also had discarded the digest from my mailbox. I wonder if someone could send me this signatures as soon as possible and also show me an effective way to look for them in my hard disk. As a matter of fact it would be of great help to receive all the known virus signatures, although I guess I might be asking too much. I study at COPPE/UFRJ in Rio de Janeiro and a couple of months agoall this fuss about computer viruses was like Science Fiction for me. I had never seen any kind of it, and thought that it would take a long time before I had any trouble with them. In Brazil there are no networks like CompuServe, The Source, PCMagnet, etc. so I thought that the "problems" that affect Europe or North America couldn't reach us so fast for they would not be downloaded. But I was quite wrong. About two moths ago I have seen Bouncing-ball and JV infect the whole Lab in which I work. And worse than that : they have got to my hard disk. After running a program that kill BB and JV I have run Norton Utilities to look for the string "sUMsDos" and it found four instances of it. I still do not know if they belong to sectors in use by .EXE or .COM filesbut I must say I'm worried. There is a strong possibily that other evil creatures lurk in my system just waiting for the day to come up and make a big mess. I would be very grateful if someone could help me to make a list of methods to take this orcs out from our hard disks and develop anti-virus programs. I have appreciated the help contained in the VIRUS-L disgests but sometimes I feel I have missed a lot of the basic information. [Ed. From an earlier editorial comment (v2i195): In VIRUS-L volume 2 issue 192, Charles M. Preston <portal!cup.portal.com!cpreston@sun.com> states that a) Viruscan V36 can detect Datacrime and that b) Datacrime can be identified by the hex string EB00B40ECD21B4 (1168 version) or 00568DB43005CD21 (1280 version). Note that a hex string search can be done via the DEBUG 'S' command (e.g., "S CS:100 FFFF hex_string" at the DEBUG prompt), if my memory of MS-DOS is correct. ] Thanks a lot and greetings from Brazil Luiz Felipe Perrone COS99284@UFRJ - Bitnet