Path: utzoo!utgpu!watserv1!watmath!att!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: V & S
Message-ID: <0015.9011281444.AA08768@ubu.cert.sei.cmu.edu>
Date: 26 Nov 90 13:18:12 GMT
Sender: Virus Discussion List
Lines: 65
Approved: krvw@sei.cmu.edu

- ---------------------------------------------------

>From: s37775d@taltta.hut.fi (Pandy (A. Holmberg))
>Subject: Re: List of known viruses urgently required.

>From: JAN-LIEN@vera.stacken.kth.se
>Subject: Virus info databases

I strongly recommend Patricia Hoffman's Virus Summary List (PC) and the
Disinfectant by John Norstad (MAC) documentation (both available from any
number of electronic sources) as REQUIRED reading.

Having access to a VAX, the SEARCH command allows selective extraction and
resorting of just about anything. On the PC, Q&A (by Symantec I think) is a
good flat-file database, or a custom flat-file analysis routine is trivial
(well, an evening) to write in BASIC.

- ----------------------------------------------------------------------

>From: cjohnson@acsu.buffalo.edu (charles johnson)
>Subject: Yale/Alameda (PC)

>From: "Daud.R..Matthews"
>Subject: Removal of EDV? (PC)

These are both boot sector infectors. The Yale/Alameda originally just
infected 360k floppies and the EDV could also infect the Partition Table,
though heaven only knows what variants have been cooked up.

From floppies, just replace the boot sector using DEBUG (L100 0 0 1 with a
good floppy in A and W100 0 0 1 with an infected floppy in A); however, any
sector overwritten or marked bad by the virus will remain that way. (The bad
sectors can be recovered; overwritten data cannot.)

According to my data, the Yale stores the original boot sector at head 0
track 39 sector 8. The EDV stores it at head 1 track 39 sector 8.

Both go resident at the TOM & reduce total system memory (CHKDSK or the
three bytes again).

As to EDV surviving CLEAN, I have seen cases of Ghosting (viral code still
attached to a file or in memory but disconnected from the execution path) &
would suggest following CLEAN by:

1) COLD (power off) boot from a clean floppy. POST should wipe memory.
2) Use DEBUG to read the HD partition table & boot record.
3) If ok, boot from the HD, check for the TOM movement & run SCAN again.

If the /m finds it in memory BELOW the 640k segment & CHKDSK returns 655360
bytes (640k) total memory, one of the files in CONFIG.SYS or AUTOEXEC.BAT
used to be infected & is ghosting - try copying these files to a floppy and
back to the HD in a different place. The smaller floppy cluster size should
strip the remnant off.

NOTE: this is not a one-size-fits-all procedure: TOM is only ONE of the
"three bytes" but will work for Yale/Alameda or EDV original recipes.

p.s. I would rather have a few "false positives" than ANY "false negatives"

- ------------------------------------------------------------------------------

keithm@ashtate.A-T.COM (Keith Mund) writes:
>Speaking personally as a software author, buy software from the
>manufacturer or a legitimate dealer. The same fears you have are felt
>by them manyfold...

When the software houses start distributing their wares on notchless
floppies like IBM, Norton, Intel, and Iomega (plus a few others) do, I'll
believe it. Not perfect but a BIG step in the right direction.

Padgett

Had my Judge out yesterday & had nearly forgotten what a RA400/4spd was
like. Now if I can just get the electrics fixed...
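An added example, not from Padgett's post or from any of the quoted authors: Python code that mirrors the recovery and verification steps described in the post (comparing a suspect floppy boot sector against a known-clean copy before writing it back, the way the DEBUG L100/W100 pair does; computing which logical sector "head 1 track 39 sector 8" is on a 360k floppy; and checking whether CHKDSK's reported total memory is still the full 655360 bytes). The boot sector bytes, the "tampered" sector, the 360k geometry constants and the CHKDSK output line are all constructed samples, and every function name here is mine.

```python
import re
from typing import List, Optional, Tuple

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid DOS boot sector
CONVENTIONAL_MEMORY_BYTES = 655360    # 640k, what CHKDSK reports on a clean machine

# Constructed 360k floppy geometry (2 heads, 9 sectors per track, 40 tracks).
FLOPPY_360K_HEADS = 2
FLOPPY_360K_SPT = 9


def make_clean_boot_sector() -> bytes:
    """Constructed sample of a 360k floppy boot sector; not a dump of any real disk."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"                  # short jump over the BPB, as DOS does
    sec[3:11] = b"SAMPLE1."                     # 8-byte OEM name (constructed)
    sec[11:13] = (512).to_bytes(2, "little")    # bytes per sector
    sec[13] = 2                                 # sectors per cluster
    sec[14:16] = (1).to_bytes(2, "little")      # reserved sectors
    sec[16] = 2                                 # number of FATs
    sec[17:19] = (112).to_bytes(2, "little")    # root directory entries
    sec[19:21] = (720).to_bytes(2, "little")    # total sectors on a 360k disk
    sec[21] = 0xFD                              # media descriptor for 360k
    sec[22:24] = (2).to_bytes(2, "little")      # sectors per FAT
    sec[24:26] = (FLOPPY_360K_SPT).to_bytes(2, "little")
    sec[26:28] = (FLOPPY_360K_HEADS).to_bytes(2, "little")
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def make_tampered_boot_sector(clean: bytes) -> bytes:
    """Constructed stand-in for a modified sector: BPB and signature are kept intact
    (so the disk still mounts), only part of the code area is overwritten with 0xFF."""
    sec = bytearray(clean)
    sec[62:78] = b"\xff" * 16                   # placeholder marker, not real code
    return bytes(sec)


def sector_is_plausible(sec: bytes) -> bool:
    """Cheap sanity check before writing anything back: size, signature, jump opcode."""
    return (len(sec) == SECTOR_SIZE
            and sec[510:512] == BOOT_SIGNATURE
            and sec[0] in (0xEB, 0xE9))


def diff_sectors(good: bytes, suspect: bytes) -> List[Tuple[int, int, int]]:
    """Byte offsets where the suspect sector differs from the known-good copy."""
    return [(i, g, s) for i, (g, s) in enumerate(zip(good, suspect)) if g != s]


def restore_boot_sector(image: bytearray, clean: bytes) -> bytearray:
    """Write the clean sector over sector 0 of a disk image (the W100 0 0 1 step)."""
    if not sector_is_plausible(clean):
        raise ValueError("refusing to write a sector that does not look like a boot sector")
    image[0:SECTOR_SIZE] = clean
    return image


def chs_to_lba(cylinder: int, head: int, sector: int,
               heads: int = FLOPPY_360K_HEADS, spt: int = FLOPPY_360K_SPT) -> int:
    """Standard CHS -> logical sector conversion (sectors are 1-based in CHS)."""
    return (cylinder * heads + head) * spt + (sector - 1)


_CHKDSK_TOTAL = re.compile(r"([\d,]+) bytes total memory")


def chkdsk_total_memory(output: str) -> Optional[int]:
    """Pull the 'bytes total memory' figure out of CHKDSK output, if present."""
    m = _CHKDSK_TOTAL.search(output)
    return int(m.group(1).replace(",", "")) if m else None


def conventional_memory_intact(output: str) -> bool:
    """True when CHKDSK still sees the full 640k, i.e. nothing has moved the TOM down."""
    return chkdsk_total_memory(output) == CONVENTIONAL_MEMORY_BYTES


if __name__ == "__main__":
    clean = make_clean_boot_sector()
    suspect = make_tampered_boot_sector(clean)
    print("suspect sector passes signature check:", sector_is_plausible(suspect))
    print("bytes differing from clean copy:", len(diff_sectors(clean, suspect)))
    # Where the post says the originals are kept: head 0/1, track 39, sector 8.
    print("Yale original at logical sector", chs_to_lba(39, 0, 8))
    print("EDV  original at logical sector", chs_to_lba(39, 1, 8))
    # Constructed CHKDSK output lines (not captured from a real machine).
    print("memory intact:", conventional_memory_intact("655360 bytes total memory"))
    print("memory intact:", conventional_memory_intact("651264 bytes total memory"))
```

The point the comparison function makes is the one implicit in the post: a sector can keep its 55AA signature and a valid BPB and still not be the original, so the check that matters is a byte-for-byte diff against a copy taken from a known-good disk, not the signature. The CHKDSK parser only tells you the TOM has moved; as Padgett notes, that is one indicator among several and a full 655360 does not by itself clear the machine.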