infotech@rupert.misemi ( infottech) (01/10/91)
A recent article found on comp.sys.ibm.pc.digest states (in part):

>Date: Tue, 1 Jan 91 10:58:09 -0500
>From: David Kirschbaum <kirsch@usasoc.soc.mil>
>Subject: Reported QEMM virus
>
>I have found what appears to be a virus on the factory supplied disk
>from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
>install.exe programs. These 2 programs contain a HEX signature of
>EAF0FF00F0 which indicates the possible presence of the 648 virus. This
>virus is supposed to infect overlay programs, which I have had MAJOR
>problems with lately.
>

I checked my copy of QEMM 5.1 and lo and behold the same Hex string was in these programs... So, what's the scoop? Is it a virus? SCANV71 didn't find anything out of the ordinary in these files. I have yet to get through to Q-deck customer support...

Anyone have any further info?
chao@oahu.cs.ucla.edu (Chia-Chi Chao) (01/11/91)
In article <5955@rupert.misemi> infotech@rupert.misemi ( infottech) writes:

>A recent article found on comp.sys.ibm.pc.digest states (in part):
>
>>Date: Tue, 1 Jan 91 10:58:09 -0500
>>From: David Kirschbaum <kirsch@usasoc.soc.mil>
>>Subject: Reported QEMM virus
>>
>>I have found what appears to be a virus on the factory supplied disk
>>from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
>>install.exe programs. These 2 programs contain a HEX signature of
>>EAF0FF00F0 which indicates the possible presence of the 648 virus. This
>>virus is supposed to infect overlay programs, which I have had MAJOR
>>problems with lately.
>>
>
>I checked my copy of QEMM 5.1 and lo and behold the same Hex string
>was in these programs... So, what's the scoop? Is it a virus? SCANV71
>didn't find anything out of the ordinary in these files. I have yet to
>get through to Q-deck customer support...
>
>Anyone have any further info?

No, it is _NOT_ a virus. I contacted the original poster, and I was told that the hex string turned out to be part of the warm boot instruction, which install.exe and optimize.com both use.

--
Chia-Chi Chao
chao@cs.ucla.edu
..!ucbvax!cs.ucla.edu!chao
tbt@polari.UUCP (Tom Talbott) (01/12/91)
----- News saved at 11 Jan 91 23:19:49 GMT

In article <5955@rupert.misemi> infotech@rupert.misemi ( infottech) writes:

>I checked my copy of QEMM 5.1 and lo and behold the same Hex string
>was in these programs... So, what's the scoop? Is it a virus? SCANV71
>didn't find anything out of the ordinary in these files. I have yet to
>get through to Q-deck customer support...
>
>Anyone have any further info?

I also have checked my copy of QEMM and have found the Hex string. Specifically I found it in OPTIMIZE.COM and QEMM386.SYS. Yet, I have found no indication of a virus on my system. I have run scanv72 and I have checked the CRC's of various EXE files with the CRC's of the originals and have found no differences. I have a feeling that Mr. Kirschbaum has jumped to an early conclusion and has not truly found his problem.
w8sdz@vela.acs.oakland.edu (Keith Petersen) (01/15/91)
In article <3135@polari.UUCP> tbt@polari.UUCP (Tom Talbott) writes:

>I also have checked my copy of QEMM and have found the Hex string.
>Specifically I found it in OPTIMIZE.COM and QEMM386.SYS. Yet, I have found
>no indication of a virus on my system. I have run scanv72 and I have checked
>the CRC's of various EXE files with the CRC's of the originals and have
>found no differences. I have a feeling that Mr. Kirschbaum has jumped to
>an early conclusion and has not truly found his problem.

Mr. Kirschbaum is very upset. He was incorrectly attributed as being the person who reported the problem. This message will explain.

--Keith

[--forwarded message--]

From kirsch@usasoc.soc.mil Mon Jan 14 19:41:09 1991
Date: Fri, 11 Jan 91 09:48:14 -0500
From: David Kirschbaum <kirsch@usasoc.soc.mil>
To: Keith Petersen <w8sdz@vela.acs.oakland.edu>
Subject: Re: David Kirschbaum becomes famous

Too famous, by far!

Notice the extract from the message below. I had forwarded an entire message (to include Fido Echo message headers, originator's name, etc.) that included that "I have found ..." quote below. But *I* didn't say it! *I* didn't find the reputed virus! Hell, *I* don't even *own* QEMM or OPTIMIZE.COM! I was only passing on what someone else was reporting.

A few days later, the same fellow came back and explained it was not a virus: all his problems were due to a faulty command line or some such. I duly forwarded *that* message the same way to everyone I'd sent the first message to (namely, Info-IBMPC).

But *somebody* trimmed away the Fido Echo headers and left *ME* as the originator of the message .. and the resultant false QEMM virus rumor!

I've gotten about a dozen messages or so, and am carefully responding to each of them, but boy, what a pain! It'll be a cold day in hell before I touch *that* area again. Better safe than sorry, sure .. but this is a pain!

I must admit people have been nice: no flames about the false alarm. Or maybe they come later.
In any case, it was all a false alarm. No virus in QEMM products, no virus from the QEMM factory disks, no virus in OPTIMIZE.COM. True, OPTIMIZE has that "HEX signature" (the code for a warm boot), but it's *supposed* to. That code is NOT necessarily indicative of a virus anyway, and makes a lousy signature. (The one virus tester using it as a signature has changed to another signature as well.)

I'll be glad when this all dies down. Sigh ....

David Kirschbaum
Toad Hall

----- Forwarded Message Start

A recent article found on comp.sys.ibm.pc.digest states (in part):

>Date: Tue, 1 Jan 91 10:58:09 -0500
>From: David Kirschbaum <kirsch@usasoc.soc.mil>
>Subject: Reported QEMM virus
>
>I have found what appears to be a virus on the factory supplied disk
>from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
>install.exe programs. These 2 programs contain a HEX signature of
>EAF0FF00F0 which indicates the possible presence of the 648 virus. This
>virus is supposed to infect overlay programs, which I have had MAJOR
>problems with lately.

---------------------

This is what I forwarded to Info-IBMPC (with a brief text header). (Sorry, I didn't make note of the date I received it.)

FROM: Richard Crain Area # 23 ( Dr. Debug )
TO: ALL MSG # 239, BUG-0-80 0:00am
SUBJECT: Virus

I have found what appears to be a virus on the factory supplied disk
from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
install.exe programs. These 2 programs contain a HEX signature of
EAF0FF00F0 which indicates the possible presence of the 648 virus. This
virus is supposed to infect overlay programs, which I have had MAJOR
problems with lately. In the last 18 hours, every program that I have
used that uses overlays has had its CRC change, or worse yet, totally
crash on invocation locking the system.

[deleted]

-------------------------------

Here's the "Sorry, False Alarm" message I duly forwarded to Info-IBMPC (and which no one appears to be reading).
FROM: Richard Crain Area # 23 ( Dr. Debug )
TO: Clay Zahrobsky 7 Jan 91
SUBJECT: Re: Virus

>CZ Who at quarterdeck did you talk to? I called today and they said
>CZ they knew nothing about it. They took down the info that you
>CZ mentioned,
>CZ please keep me informed as to what you find out. I also have a corrupted
>CZ original disk.

Since my original message, I believe the problem was due to a new version of a program I use for renumbering my message base. This version, instead of making BIOS calls, goes after the directories itself. This shows a major improvement in speed, at the expense of added danger. The command line was wrong for this new version, and upon discussing this with my node sysop, who set it up, the command lines were wrong for the old version as well. Upon correcting the command line, my problems have gone away for now.

What originally led me to believe it was Quarterdeck's fault is this: I had just used optimize the night that things started to go sour; the next morning, half of my .EXE files were corrupt. The virus scanner found a hex signature for the 648 virus in optimize on the hard disk and on the factory diskette.

The author of the program has removed this HEX signature from the sigfile and replaced it with one more unique than before. Also, he added a separate file of different hex signatures for this virus, to only be used IF the virus is confirmed. It is hard to detect as it apparently uses legitimate code found in innocent programs.

--- msged 1.99S ZTC
* Origin: DinoPoint 2 (1:104/114.2)
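The thread turns on two points: Kirschbaum's note that EAF0FF00F0 is "the code for a warm boot" and therefore "makes a lousy signature", and Talbott's use of CRC comparison against original files to rule out infection. The following is an added example (not code from the thread, from Quarterdeck, or from the scanner mentioned) that decodes those five bytes as the 8086 far jump to F000:FFF0, runs a naive byte-pattern scan over a constructed sample that contains that jump for a legitimate reason, and shows how a known-good checksum turns a bare signature hit into a recognised false positive. The sample program bytes and the `assess` policy are constructed for illustration.

```python
"""Why EA F0 FF 00 F0 is a poor malware signature, and how to corroborate a hit.

Added example. The instruction decoding is standard 8086 (opcode EA = JMP FAR
ptr16:16, little-endian offset then segment); the sample binary and the
assessment policy below are constructed for illustration only.
"""
import struct
import zlib
from typing import List, Optional

# The five-byte pattern reported in the thread, as raw bytes.
SIGNATURE = bytes.fromhex("EAF0FF00F0")

# After reset, an 8086 begins executing at physical address FFFF0h; a far jump
# to F000:FFF0 is the classic "warm boot" stub that legitimate programs use.
RESET_VECTOR_LINEAR = 0xFFFF0


def decode_far_jump(code: bytes) -> Optional[dict]:
    """Decode a 16-bit far jump (opcode EA followed by ptr16:16).

    Returns offset, segment and the 20-bit real-mode linear address the jump
    targets, or None if the bytes are not an EA far jump.
    """
    if len(code) < 5 or code[0] != 0xEA:
        return None
    offset, segment = struct.unpack("<HH", code[1:5])  # operand is offset, then segment
    linear = (segment << 4) + offset                    # real-mode segment:offset
    return {"segment": segment, "offset": offset, "linear": linear}


def is_reset_vector_jump(code: bytes) -> bool:
    """True if the bytes are a far jump to the reset vector (warm boot)."""
    decoded = decode_far_jump(code)
    return decoded is not None and decoded["linear"] == RESET_VECTOR_LINEAR


def signature_is_common_code(signature: bytes) -> bool:
    """A signature that decodes to an everyday instruction will match innocent
    programs; this flags the specific case the thread ran into."""
    return is_reset_vector_jump(signature)


def scan(blob: bytes, signature: bytes = SIGNATURE) -> List[int]:
    """Naive signature scanner: every offset at which the pattern occurs."""
    hits, start = [], 0
    while (pos := blob.find(signature, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def assess(sample: bytes, known_good: Optional[bytes] = None) -> str:
    """Turn a raw signature hit into a verdict a responder could act on.

    A hit on a signature that is itself ordinary code is weak evidence; a hit
    on a file whose CRC matches a trusted original is a false positive, which
    is the check Talbott describes in the thread.
    """
    hits = scan(sample)
    if not hits:
        return "clean: no signature match"
    if known_good is not None and zlib.crc32(sample) == zlib.crc32(known_good):
        return "false positive: signature matched but file is identical to the known-good copy"
    if signature_is_common_code(SIGNATURE):
        return "weak evidence: signature is just a warm-boot jump; corroborate before acting"
    return "signature match: investigate"


# Constructed sample: a small benign program whose last action is a warm boot.
BENIGN_REBOOT_UTILITY = (
    b"\xB4\x09"              # mov ah, 09h   (DOS print-string service)
    b"\xCD\x21"              # int 21h
    b"\xEA\xF0\xFF\x00\xF0"  # jmp far F000:FFF0  (warm boot)
)


def explain(sample: bytes = BENIGN_REBOOT_UTILITY) -> str:
    """Human-readable summary of what the signature really is and what it matched."""
    jump = decode_far_jump(SIGNATURE)
    return (
        f"signature decodes to jmp far {jump['segment']:04X}:{jump['offset']:04X} "
        f"(linear {jump['linear']:05X}); hits in sample at {scan(sample)}; "
        f"verdict: {assess(sample, known_good=sample)}"
    )


if __name__ == "__main__":
    print(explain())
```

The sample is scanned against a copy of itself as the "known-good" file, so the verdict is the same one the thread eventually reached: the pattern matches, the file is unmodified, and the match carries no information. Without a trusted copy, `assess` still downgrades the hit because the signature itself decodes to a reset-vector jump, which is the property Kirschbaum points to when he calls it a lousy signature.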