Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: COS99284%UFRJ.BITNET@VMA.CC.CMU.EDU (Luiz Felipe Perrone)
Newsgroups: comp.virus
Subject: Virus signatures
Message-ID: <0016.8909281133.AA14331@ge.sei.cmu.edu>
Date: 27 Sep 89 13:26:48 GMT
Sender: Virus Discussion List 
Lines: 45
Approved: krvw@sei.cmu.edu


   A few weeks ago I received one VIRUS-L digest (unfortunately I do not
remember which one) which had the signatures of two versions of the
Datacrime virus. I happened to loose the listings and to make matters worse
I found out I also had discarded the digest from my mailbox. I wonder if
someone could send me this signatures as soon as possible and also show me
an effective way to look for them in my hard disk.

As a matter of fact it would be of great help to receive all the known
virus signatures, although I guess I might be asking too much.

   I study at COPPE/UFRJ in Rio de Janeiro and a couple of months agoall
this fuss about computer viruses was like Science Fiction for me. I had never
seen any kind of it, and thought that it would take a long time before I had
any trouble with them. In Brazil there are no networks like CompuServe, The
Source, PCMagnet, etc. so I thought that the "problems" that affect Europe or
North America couldn't reach us so fast for they would not be downloaded.

   But I was quite wrong. About two moths ago I have seen Bouncing-ball and JV
infect the whole Lab in which I work. And worse than that : they have got to
my hard disk. After running a program that kill BB and JV I have run Norton
Utilities to look for the string "sUMsDos" and it found four instances of it.
I still do not know if they belong to sectors in use by .EXE or .COM filesbut
I must say I'm worried. There is a strong possibily that other evil creatures
lurk in my system just waiting for the day to come up and make a big mess.
I would be very grateful if someone could help me to make a list of methods to
take this orcs out from our hard disks and develop anti-virus programs.

I have appreciated the help contained in the VIRUS-L disgests but sometimes
I feel I have missed a lot of the basic information.

[Ed. From an earlier editorial comment (v2i195):

In VIRUS-L volume 2 issue 192, Charles M. Preston
 states that a) Viruscan V36
can detect Datacrime and that b) Datacrime can be identified by the
hex string EB00B40ECD21B4 (1168 version) or 00568DB43005CD21 (1280
version).  Note that a hex string search can be done via the DEBUG 'S'
command (e.g., "S CS:100 FFFF hex_string" at the DEBUG prompt), if my
memory of MS-DOS is correct.
]
                       Thanks a lot and greetings from Brazil

                         Luiz Felipe Perrone
                         COS99284@UFRJ   -   Bitnet