From: Zane Lewis To: Kenneth B. Mc Cleaft Subject: Virus Warning!! KM> People, I dont know if this is for real; but, I just received this KM> off of fur-net and wanted to pass it along just incase that is it KM> true. * Area : EAGLE * From : Bruce Lane 11-Oct-92 08:28:00 * To : All 12-Oct-92 14:27:16 * Subj.: Virus Warning!! Heads up, folks! We got a nasty one out there. [4/4] From : Tempest To : All Subject: **** Warning **** Date : 03 Oct 92 17:31 I just recieved this from a user on one of my nets. It pertains to everyone who runs a computer and modem. A very VERY dangerous virus seems to hav escaped, and people must be warned about it. Here is the message I recieved.... -!---------------------------------------------------------------------- This is an exact copy of a "Broadcast" letter sent to all members a affiliates of THIEVCO INC; a group located somewhere in the San Francisc Bay Area. While I do not support the general theology of Thievco Inc, I must applaud thier actions. Thier warnings about a new virus called PROTO-T, potentially save us computer users possibly thousands of dollars - and hundreds of man hours. Here is a copy of the broadcast letter, as received from a friend at Thievco ... <<*>> <<*>> <<*>> <<*>> <<*>> <<*>> <<*>> <<*>> Retrieved BLUWAV 6921 / THIEV 00621*420 - Node 1:8 Sent T-Tymnet Date : 9/24/92 11:14pm To : All Thievco Members, and affil. Re : PROTO - T Class : Confidential (go public 9-26) Dear Members, At 7:34PM (pst) our attempt to isolate and contain the PROTO - T virus failed. As we have discovered, PROTO - T has a *VERY* unique feature, to hide in the RAM of VGA cards, hard disks, and possibly, in modem buffers. Unfortunaly, we found out the hard way - after it stru At this time, there is no known defence against this virus, save formatt your hard/floppy disks - there isn't even a method of detecting it yet.. untill its too late. [ PROTO - T specs listed later ]. Unearthly Vision ( Portland, Oregon ), and Chron ( Alameda, Calif ) were working on isolating the virus when it struck. Over 900 megabytes of information was lost, of that about 214 megabytes is probably recoverable. Action : Please assist us in implementing this plan, to warn the general pub Our first priority is our fellow THIEVCO members. Please distribute this letter to all contacts inside the U.S., upon recipt of this letter. Please inform the public on 9-26-92. Start warning the elite boards firs followed by the P.D. boards. Dont bother telling known SPA locals, they aren't worth our time. What is known: Proto - T was just a rumor, untill it was confirmed a few weeks ago. Chron, being the most incredible skip-tracer, traced its origins to a college campus in California. There, it was placed into two files. The first, is a file called "TEMPLE" - which to our knowledge, has no legitimate use; it seems to be a dummy file. The other file, was placed in an unathorized version of PKZip by PKWare ( versions 3.0, and - these are not legitimate versions of PKZip! Quite possibly, these versio of PKZip were created, for the reason of distributing PROTO - T ). Proto - T is very elusive. There is no program known to detect it. From what we understand, it will only infect your system if certian conditions are met. From what we know, it will infect your system only i you run TEMPLE, or PKZip 3.x after 6:00pm. Even doing that wont nessaral cause infection - it took 6 days for Chron and Unearthly Vision to becom infected. Obviously some other criteria must be met. Upon infection, the virus is written (as un-attached file chains), O two parts of a hard disk - each capable of running independently without the other half. After infection, the virus seems to be written into the memory or me routines of a VGA or EGA monitor; or is written into the memory of the h drive, or quite possibly, into a modem - or COM port. Thus excaping most any known detection methods. PROTO - T : Proto - T when activated, corrupts data on a disk, stops VGA or EGA from being used ( Thus either defaulting to CGA, or locking up ), and prohibits memory from being used over 512K. Known to be put into two files : TEMPLE.EXE ( 14,771 Bytes ) and PKZip 3 (Varries always over 100,000 bytes when zipped). If you see these files do not get or use them. Give this letter to all Thievco members and thier contacts, followed by other boards. With luck, we can stop the damage before it *REALLY* starts. THIEVCO INC, San Francisco Bay Area. This sounds pretty bad, fellow FurNetters. Please be careful what yo up/download and unZIP. Current version of PKZip is still 1.10. Actually, it's 1.95A (Alpha, Still Buggy..) Use it occasionally, when 1. Won't unzip something.