Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Newsgroups: comp.virus
Subject: PROTEC System & Stoned Virus (PC)
Message-ID: <0003.9103131701.AA15339@ubu.cert.sei.cmu.edu>
Date: 11 Mar 91 22:20:10 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 24
Approved: krvw@sei.cmu.edu

In one of our public labs, we have a Zenith 159 with hard disk
attached to a laser printer.  We have SOPHCO's PROTEC system installed
on said Zenith and we offer 3 flavors of Word Perfect (and charge a
quarter per page for printing).

We had been experiencing problems accessing files and printing (users
have their documents on their floppy; we don't want them playing too
much with the hard disk, hence the PROTEC system).  Upon examination
we found the Stoned virus on the hard disk.  I didn't do the scanning,
but the person who did said Stoned didn't show up in memory (the scan
was done by exiting out of PROTEC by using the supervisor's password).
Said person also cleaned things up.  (The virus got on the machine by
some student trying to break in to the machine by booting off a floppy
that happened to be infected.)

I find this interesting.  Short of re-infecting the machine to
investigate further, I'm curious as to why Stoned didn't show in
memory when a boot from floppy hadn't been done.  I'm also curious
about the mechanism of transferral under PROTEC.  Does anyone have any
insight to offer?  Thanks.

Richard Travsky                        Bitnet:   RTRAVSKY @ UWYO
Division of Information Technology     Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                  (307) 766 - 3663 / 3668