Text File | 1995-01-03 | 9KB | 216 lines
VIRUS-L Digest Thursday, 4 May 1989 Volume 2 : Issue 104
Today's Topics:
New Jerusalem Virus (PC)
Missouri Virus (PC)
Bad sectors and viruses (PC)
Virus testing at Social Security Administration
UK conference
re: Forwarded Message From Jim Goodwin (PC, 1704, Stoned)
NAMES file (VM/CMS)
New Virus utility, "SecureInit(tm)" [Mac]
[Ed. This is the first digest that will (read: should) be going out to
comp.virus as well as the familiar VIRUS-L mailing list. Currently,
only digests are being sent to comp.virus. I hope to have
distribution of undigestified messages over comp.virus working soon.
Feedback is invited.]
---------------------------------------------------------------------------
Date: Sat, 29-Apr-89 13:32:14 PDT
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: New Jerusalem Virus (PC)
Andrew Carroll asked me to forward the following message for him:
Original-Date: 04/28/89 23:29:58
Original-From: ANDREW CARROLL
Thanks for passing on the message for me. I need some help from the
VIRUS-L users and I understand they have some information about
infections. I am a CVIA volunteer and I've been tracking the New
Jerusalem virus. It's the one that does a disk format on April 1,
1990, and has the EXE bug fix. The earliest occurrence that I can find
is October 6, 1988 in Vancouver. If anyone has verified an earlier
infection please contact me. Everything I've seen so far indicates
that the source is Vancouver. Data to the contrary is urgently
needed. Andrew Carroll - HomeBase - 408 988 4004 or C/O Alan Roberts.
------------------------------
Date: Sun, 30 Apr 89 17:40-0400
From: David.Slonosky@QueensU.CA
Subject: Missouri Virus (PC)
I have a copy of this DOS Power Tools disk. How do you detect if
there is indeed a virus lurking on this disk? I've been working with
two floppy drive systems only -- is this a problem?
                                 __________________________________
                                |                                  |
David Slonosky/QueensU/CA,"",CA |          Know thyself?           |
SLONOSKY@QUCDN                  | If I knew myself, I'd run away.  |
                                |__________________________________|
------------------------------
Date: Sun, 30 Apr 89 18:14-0400
From: David.Slonosky@QueensU.CA
Subject: Bad sectors and viruses (PC)
I think this has been discussed before, but is there a mechanism
by which a virus can hide in a bad sector? How does DOS declare
that a given sector is "bad", i.e. where on the disk does the
information reside? Can a bad sector be protected from being
reformatted if the virus author was clever enough?
                                 __________________________________
                                |                                  |
David Slonosky/QueensU/CA,"",CA |          Know thyself?           |
SLONOSKY@QUCDN                  | If I knew myself, I'd run away.  |
                                |__________________________________|
------------------------------
Date: Sun, 30-Apr-89 23:53:19 PDT
From: portal!cup.portal.com!garyt@Sun.COM
Subject: Virus testing at Social Security Administration
Lynn McLean (on the Homebase BBS) asked me to forward this to VIRUS-L:
Original-Date: 04/28/89 17:19:42
Original-From: LYNN MCLEAN
My co-worker and his colleague in the microcomputer support center at
the Social Security Administration have just finished a review of
anti-virus products. They tested against 14 viruses (which I helped
obtain from a nefarious member of the Homebase board) and collected
over 20 products to review. The viruses were a subset of Goodwin's
collection and, supposedly, the most common ones. The results of the
review were that none of the products were effective. The Tracer
program (I understand it's been renamed Sentry and placed in public
domain) was able to detect them all, but only if the system was
re-booted every day or so. Most of our network systems are never
re-booted, or booted only every few months, and many of the test
viruses activated after only a few weeks in the system. So it doesn't
do any good to detect a virus a month after it's destroyed the system.
The rest of the products could not even detect half of the viruses, at
any time. I don't know of any other review that has used any more
viruses than we did, but the results couldn't come out much different
if they included some of the same viruses that we used. I hope this
information is useful to some of the users.
Lynn McLean
------------------------------
Date: Mon, 1 May 89 09:59 N
From: ROB_NAUTA <RCSTRN@HEITUE5.BITNET>
Subject: UK conference
I read the advertisement for the virus conference which will be held in
the UK. The ad mentions a price of 235 pounds, and states that a
disk with antiviral tools will be part of the deal. I wonder, did you
write those tools yourself or are they PD utilities? I am not sure if
the authors of those tools would like this, their shareware licences
are quite clear about commercial use, and selling those tools for such
an amount of money is nothing more than a copyright violation. Again,
only if the tools on the disk ARE shareware tools like FluSHot + ...
I know, in the current virus panic there is a lot of money to be made
from worrying users, but keep it clean...
Greetings
Rob
------------------------------
Date: 1 May 1989, 09:16:50 EDT
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: Forwarded Message From Jim Goodwin (PC, 1704, Stoned)
Thanks for the forwarding, Alan! It would be nice if there were an
easy BBS<->BitNet link; I don't know of one, but You Never Can Tell...
I stand corrected on POP CS. I'm still adamant (see last issue)
about the 1704-on-vanilla-PC issue. The 1701 has a bug, but so
does the 1704! Perhaps there's yet a third variant that has
neither bug? In any case, the code you posted awhile back
does indeed *not* successfully differentiate vanilla machines
from clones.
As a friendly suggestion, I might caution you to be a little less
free with name-dropping! You and Alan have managed to insult
both the NSA and IBM in your last couple of items! *8)
(Somewhat more seriously, definite statements like "XXX was the
first company hit by the YYY virus" are always dangerous, since
you can almost never have sufficient evidence that they're true...)
On the Australian virus: the version that I've seen will infect
the master boot record of hard disks, and the SYS command will do
nothing to remove it from there (since SYS only writes to the
partition boot record, I think?). And it does display the first
half of the message ("Your PC is now stoned") on something like
one boot in eight (depending on the system clock).
Sorry to be so contrary! Monday morning, ya' know... *8)
DC
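
The distinction drawn in the message above, between the master boot record and the partition boot record, shown as a boot-sector integrity check. This is an added example, not part of the original digest; the disk image is constructed, and the 512-byte sector size and the model of SYS as rewriting only the partition boot record (as the message supposes) are assumptions.

```python
import hashlib
import struct

SECTOR = 512  # assumed sector size

def build_image():
    """Constructed 64-sector image: MBR in sector 0, active partition at sector 17."""
    img = bytearray(SECTOR * 64)
    # Partition entry: status, CHS start, type, CHS end, first sector, sector count
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x01,
                               b"\x03\x11\x00", 17, 47)
    img[510:512] = b"\x55\xaa"                     # MBR signature
    vbr = 17 * SECTOR
    img[vbr:vbr + 3] = b"\xeb\x3c\x90"             # jump at start of DOS boot sector
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    return img

def active_partition_lba(mbr):
    """Return the first sector of the active partition listed in the MBR, or None."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    for i in range(4):
        status, _, ptype, _, lba, _ = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if status == 0x80 and ptype != 0:
            return lba
    return None

def boot_hashes(img):
    """Hash the master boot record and the partition boot record separately."""
    mbr = bytes(img[:SECTOR])
    hashes = {"mbr": hashlib.sha256(mbr).hexdigest()}
    lba = active_partition_lba(mbr)
    if lba is not None:
        vbr = bytes(img[lba * SECTOR:(lba + 1) * SECTOR])
        hashes["partition_boot"] = hashlib.sha256(vbr).hexdigest()
    return hashes

def changed(baseline, current):
    """Names of boot sectors whose hash differs from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))

def demo():
    clean = build_image()
    baseline = boot_hashes(clean)
    disk = bytearray(clean)
    disk[0:4] = b"\x00\x01\x02\x03"                # constructed change to MBR code area
    lba = active_partition_lba(bytes(disk[:SECTOR]))
    # Model of SYS as described in the message: only the partition boot record is rewritten
    disk[lba * SECTOR:(lba + 1) * SECTOR] = clean[lba * SECTOR:(lba + 1) * SECTOR]
    return changed(baseline, boot_hashes(disk))

if __name__ == "__main__":
    print(demo())
```

Sector 0 still differs from the baseline after the partition boot record has been rewritten, which is why a check of the boot path has to cover both sectors.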
------------------------------
Date: Mon, 1 May 89 10:03 EST
From: "Thomas R. Blake" <TBLAKE@bingvaxb.cc.binghamton.edu>
Subject: NAMES file (VM/CMS)
>[Ed. How about renaming (or encrypting) your names file all the time,
>except when you're in MAIL or MAILBOOK? Not elegant, perhaps, but
>probably effective.]
MAIL, MAILBOOK, NAMES, LNAME, TELL, SENDFILE, CHAT, XYZZY
Think of any others?
It seems wiser to examine any strange EXEC's you may receive before running
them, no matter who they come from.
Or simply rename your NAMES file before running any new EXEC's.
Thomas R. Blake
Lead Programmer Analyst
Academic Computing
SUNY Binghamton 13901
[Ed. Good points, I neglected those other programs.]
------------------------------
Date: Mon, 01 May 89 14:48:36 EDT
From: dmg@mwunix.mitre.org
Subject: New Virus utility, "SecureInit(tm)" [Mac]
A new anti-virus package recently appeared on the Twilight Clone BBS
here in Washington called "SecureInit(tm)". It comes from someone
named "P. Guberan" in Switzerland and the docs were written by Dany
Hofmann. Hofmann makes some rather boisterous claims about the
package in the documentation, and I do not believe they can be
attributed to his "more than bad English".
I've not tried the application. If the description is accurate, this
stuff does some pretty heavy duty tinkering around. For example, the
documentation states SecureInit installs some invisible inits in my
System Folder. Why not make them visible, and let the user decide on
visibility/invisibility (there are a wide variety of utilities that let
you do this)? I may do some experimenting with this later, and report
on what I think. If anyone leaves a note on the Clone about this
package, I'll forward them up here too.
David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253