Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: COS99284%UFRJ.BITNET@VMA.CC.CMU.EDU (Luiz Felipe Perrone)
Newsgroups: comp.virus
Subject: Virus signatures
Message-ID: <0016.8909281133.AA14331@ge.sei.cmu.edu>
Date: 27 Sep 89 13:26:48 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

A few weeks ago I received one VIRUS-L digest (unfortunately I do not remember which one) which had the signatures of two versions of the Datacrime virus. I happened to lose the listings and to make matters worse I found out I also had discarded the digest from my mailbox. I wonder if someone could send me these signatures as soon as possible and also show me an effective way to look for them on my hard disk. As a matter of fact it would be of great help to receive all the known virus signatures, although I guess I might be asking too much.

I study at COPPE/UFRJ in Rio de Janeiro and a couple of months ago all this fuss about computer viruses was like Science Fiction for me. I had never seen any kind of it, and thought that it would take a long time before I had any trouble with them. In Brazil there are no networks like CompuServe, The Source, PCMagnet, etc. so I thought that the "problems" that affect Europe or North America couldn't reach us so fast for they would not be downloaded. But I was quite wrong. About two months ago I saw Bouncing-ball and JV infect the whole Lab in which I work. And worse than that: they have got to my hard disk. After running a program that kills BB and JV I have run Norton Utilities to look for the string "sUMsDos" and it found four instances of it. I still do not know if they belong to sectors in use by .EXE or .COM files but I must say I'm worried. There is a strong possibility that other evil creatures lurk in my system just waiting for the day to come up and make a big mess.
I would be very grateful if someone could help me to make a list of methods to take these orcs out from our hard disks and develop anti-virus programs. I have appreciated the help contained in the VIRUS-L digests but sometimes I feel I have missed a lot of the basic information.

[Ed. From an earlier editorial comment (v2i195): In VIRUS-L volume 2 issue 192, Charles M. Preston states that a) Viruscan V36 can detect Datacrime and that b) Datacrime can be identified by the hex string EB00B40ECD21B4 (1168 version) or 00568DB43005CD21 (1280 version). Note that a hex string search can be done via the DEBUG 'S' command (e.g., "S CS:100 FFFF hex_string" at the DEBUG prompt), if my memory of MS-DOS is correct.]

Thanks a lot and greetings from Brazil

Luiz Felipe Perrone
COS99284@UFRJ - Bitnet