[comp.virus] VIRUS-L Digest V2 #108

LUKEN@IBM1.CC.Lehigh.EDU (The Moderator Kenneth R. van Wyk) (05/08/89)

VIRUS-L Digest              Monday, 8 May 1989         Volume 2 : Issue 108

Today's Topics:
Comments on SYS from John McAfee (PC)
Comment on SYS command (PC)
Re: thoughts on comp.virus (and admin notes)

---------------------------------------------------------------------------

Date:    Fri,  5-May-89 14:23:40 PDT
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Comments on SYS from John McAfee (PC)

	I too often assume understanding which isn't there, and it
always gets me in trouble.  At the risk of boring nearly everyone, I'd
like to expand briefly on the SYS command.  It only works if the
system is first powered down (soft re-boot will not work), then
re-booted from a clean, preferably original, system master dskette.
Otherwise, the virus will remain in control and you will accomplish
nothing with most viruses.  The Search virus (Den Zuk) has been found
with variations that specifically disable loading of the SYS program.
When a SYS command is entered, a sector read is made to the home
device (so that the access light will come on), then multiple sector
reads are done to the target device so that it looks like something is
happening, and then it displays the message - "System Transferred".
	I know you all already knew this but better safe than sorry.

John McAfee
From the HomeBase BBS  408 988 4004

------------------------------

Date:    Fri,  5-May-89 16:51:01 PDT
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Comment on SYS command (PC)

Original-From: Tim Sankary

	The comment on Virus-L about the SYS command not removing boot
infectors is disconcerting.  Not because it's true, but because it is
so misleading.  Any competent programmer knows that the SYS command
has to overwrite the boot sector.  It's used to specifically upgrade
versions of DOS.  So if you have, say, version 3.0 running (which
means a 3.0 boot sector as well - check it out with Norton if you're
skeptical), and you're upgrading to 3.3, then you have to overwrite
the boot sector, else you'll have a 3.0 boot with a 3.3 DOS - a
meaningless situation.  If anyone reading this still doubts it, then
simply run the Norton Utilities and erase or overwrite part of the
boot sector and then run SYS.  The boot will be magically restored.
	We have advised over 300 infected corporations involving over
20,000 infected computers and 100,000 infected floppies to use this
technique to remove their boot infectors.  I'm not aware of any
instance where it did not work.  To publish a statement in a virus
forum that is distributed to thousands of readers, when the statement
is patently absurd and damaging to the efforts of the CVIA and other
groups is irresponsible.  The virus situation is not a joke, a game or
a playground.  Many of us have dedicated full time efforts for over a
year to understand and deal with what's happening.  In this area I
recommend the advice of Mark Twain - It is better to remain silent
and be thought a fool, than to speak up and remove all doubts.
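
[The following is an added example, not part of either post above or of any
tool the posters mention.  Both posts turn on one practical question: did
SYS actually write a new boot sector, or did a resident boot infector (as
with the Den Zuk variant described in the first post) intercept it and print
"System Transferred" anyway?  The second post's advice to "check it out with
Norton" is the right instinct; this script does the same check over two
captures of sector 0, one taken before and one after running SYS.  All
sector images are constructed samples with a 360K-floppy BPB and OEM strings
chosen for the DOS 3.0 -> 3.3 upgrade scenario; the function names are the
author's own, not any DOS or Norton interface.]

```python
"""Verify that a DOS SYS run actually rewrote the boot sector.

Added example (not from the digest): captures of sector 0 taken before and
after running SYS are compared, and the new sector is sanity-checked as a
plausible DOS boot record. The sector images below are constructed samples.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBHHH"   # DOS 2.x/3.x BIOS Parameter Block at offset 11
BPB_NAMES = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "num_fats", "root_entries", "total_sectors", "media_descriptor",
             "sectors_per_fat", "sectors_per_track", "heads")


def make_boot_sector(oem: bytes, bpb: tuple, signature: bool = True) -> bytes:
    """Build a 512-byte boot sector image (constructed sample, not a disk dump)."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                 # short JMP over the BPB, then NOP
    sec[3:11] = oem.ljust(8, b" ")[:8]         # 8-byte OEM name/version string
    struct.pack_into(BPB_FORMAT, sec, 11, *bpb)
    if signature:
        sec[510:512] = b"\x55\xAA"             # boot signature the BIOS expects
    return bytes(sec)


def parse_boot_sector(sec: bytes) -> dict:
    """Decode the fields a defender would eyeball in a sector editor."""
    if len(sec) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    info = dict(zip(BPB_NAMES, struct.unpack_from(BPB_FORMAT, sec, 11)))
    info["oem"] = sec[3:11].decode("ascii", "replace").rstrip()
    info["jump_ok"] = sec[0] in (0xEB, 0xE9)   # real boot code starts with a JMP
    info["has_signature"] = sec[510:512] == b"\x55\xAA"
    info["sha256"] = hashlib.sha256(sec).hexdigest()
    return info


def is_plausible_dos_boot_sector(info: dict) -> bool:
    """Cheap structural sanity checks on a parsed sector."""
    return (info["jump_ok"] and info["has_signature"]
            and info["bytes_per_sector"] == 512
            and info["num_fats"] in (1, 2)
            and info["total_sectors"] > 0
            and info["media_descriptor"] >= 0xF0)


def verify_sys_transfer(before: bytes, after: bytes) -> dict:
    """Compare sector 0 captured before and after SYS.

    A 'System Transferred' message proves nothing by itself (the digest notes
    a Den Zuk variant that fakes the disk activity and prints it anyway);
    the sector bytes must actually have changed to a sane DOS boot record.
    """
    b, a = parse_boot_sector(before), parse_boot_sector(after)
    rewritten = a["sha256"] != b["sha256"]
    plausible = is_plausible_dos_boot_sector(a)
    if rewritten and plausible:
        verdict = "boot sector rewritten with a plausible DOS boot record"
    elif not rewritten:
        verdict = "boot sector unchanged: SYS had no effect or was intercepted"
    else:
        verdict = "boot sector changed but does not look like a DOS boot record"
    return {"rewritten": rewritten, "plausible": plausible,
            "old_oem": b["oem"], "new_oem": a["oem"], "verdict": verdict}


# Constructed samples: a 360K floppy BPB (512 B/sector, 2 sectors/cluster,
# 1 reserved, 2 FATs, 112 root entries, 720 sectors, media 0xFD, 2 sectors/FAT,
# 9 sectors/track, 2 heads), with OEM strings chosen for the DOS 3.0 -> 3.3
# upgrade scenario in the second post.
BPB_360K = (512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
SECTOR_DOS30 = make_boot_sector(b"IBM  3.0", BPB_360K)
SECTOR_DOS33 = make_boot_sector(b"IBM  3.3", BPB_360K)
SECTOR_GARBAGE = make_boot_sector(b"JUNK", (0,) * 10, signature=False)

if __name__ == "__main__":
    # Case 1: cold boot from a clean DOS 3.3 disk, then SYS: sector changes.
    print(verify_sys_transfer(SECTOR_DOS30, SECTOR_DOS33)["verdict"])
    # Case 2: SYS run while a resident boot infector is still in control and
    # intercepts it: same bytes afterwards despite the success message.
    print(verify_sys_transfer(SECTOR_DOS30, SECTOR_DOS30)["verdict"])
    # Case 3: sector changed, but to something that is not a boot record.
    print(verify_sys_transfer(SECTOR_DOS30, SECTOR_GARBAGE)["verdict"])
```

The point of the comparison is that an unchanged hash after SYS is the
signature of exactly the failure the first post warns about: a program that
was never allowed to write, however busy the drive light looked.  The
structural checks catch the other bad outcome, a sector that did change but
no longer carries a BIOS-bootable DOS record.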

------------------------------

Date:    Sat, 6 May 89 00:19:14 EDT
From:    msmith@topaz.rutgers.edu (Mark Robert Smith)
Subject: Re: thoughts on comp.virus (and admin notes)

Two thoughts on the comp.virus addition:

Would it be possible to have the comp.virus side of the list
distributed as individual articles, rather than a digest?  Granted,
it's harder, but it reads much easier on UseNet, where vnews does not
undigestify digests.

   [Ed. I've gotten *lots* of requests for this, and it is something that
   I plan on doing shortly (as time permits).  If anyone wants to write a
   VMS DCL script to receive a mail file, undigestify it (maintaining
   appropriate NNTP headers for each message), and then post it, I'd be
   eternally grateful, and the process will move much faster.  Otherwise,
   it'll have to wait until I can get around to tackling it.]

Also, when those of us who get comp.virus Unsubscribe from the
LISTSERV list, should we remain on VALERT-L, or will those articles
have some "get it to UseNet quick" mechanism?

   [Ed. Readers who get Usenet news will probably want to unsubscribe
   from VIRUS-L and read comp.virus.  VALERT-L is *not* currently sent to
   the newsgroup immediately, however.  Any VALERT-L (other than a SUB
   John Doe, etc...(heavy sigh!)) posting will get included in the next
   outgoing comp.virus/VIRUS-L digest.  So, if you want to read VALERT-L
   in as timely a manner as possible, don't unsubscribe from it.

   To UNSUBSCRIBE from VIRUS-L and/or VALERT-L, send MAIL to
   LISTSERV@LEHIIBM1.BITNET (not to the list) stating: SIGNOFF listname.
   (Where listname is either VIRUS-L or VALERT-L.)

   While on the subject of VALERT-L, I'd like to ask everyone to please
   *PLEASE* not reply to subscription requests, etc. there.  A note to
   the author of the request would be fine, but please do not send
   anything to the list.  The list is only to be used for urgent alerts
   when and if they arise.]

Mark
-- 
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604; P.O. Box 5063   that you do not miss what is right under your nose."
New Brunswick, NJ 08903-5063    rutgers!topaz.rutgers.edu!msmith (OK, Bob?)
msmith@topaz.rutgers.edu

------------------------------

End of VIRUS-L Digest
*********************