VIRUS-L Digest Thursday, 4 May 1989 Volume 2 : Issue 105
Today's Topics:
Virus - worm combinations: A future trend?
Virus Plurals
Chroma trojan horse (PC)
checksum algorithm
(c) Brain ?????????? (PC)
old question - AV software info request (PC)
Possible virus, info request (PC)
Boot viruses - forwarded from HomeBase (PC)
---------------------------------------------------------------------------
Date: Sun, 30 Apr 89 16:02:48 +0200
From: David Stodolsky <stodol@diku.dk>
Subject: Virus - worm combinations: A future trend?
Joe Sieczkowski <joes@scarecrow.csee.Lehigh.EDU> in "RE: Review of THE
COMPUTER VIRUS CRISIS," Virus-L Digest, 2(93), points out that the
definition offered distinguishing between virii and worms in "Review
of THE COMPUTER VIRUS CRISIS" (Mark Paulk <mcp@SEI.CMU.EDU> Virus-L
Digest, 2(92)) is not that accurate. Joe adds "If the [worm] program
had modified the actual sendmail and fingerd (sic) executables in such
a way that they would in turn modify other machines S&F executables,
then it could be called a virus."
The threat posed by virus - worm combinations was previously mentioned
in "Net hormones: Part 1 - Infection control assuming cooperation
among computers." The relevant paragraph reads:
"An inapparent infection could spread rapidly, with damage noted only
much later. Consider a worm that is constructed to carry a virus. The
worm infects a system, installs the virus and then infects other
nearby systems on the net. Finally, it terminates erasing evidence of
its existence on the first system. The virus is also inapparent; it
waits for the right moment, writes some bits and then terminates,
destroying evidence of its existence. Later the worm retraces its path,
reads some bits, then writes some bits and exits. The point is that an
inapparent infection could spread quite widely before it was noticed.
It also might be so hard to determine whether a system was infected or
not, that it would not be done until damage was either imminent or
apparent. This analysis suggests response to network-wide problems
would best be on a network level." (Citation: Stodolsky, D. (1989).
Net hormones: Part 1 - Infection control assuming cooperation among
computers [Machine- readable file]. van Wyk, K. R. (1989, March 30).
Several reports available via anonymous FTP. Virus-L Digest, 2(77,
Article 1). Abstract republished in van Wyk, K. R. (1989, April 24).
Virus papers (finally) available on Lehigh LISTSERV. Virus-L Digest,
2(98, Article 4). (Available via anonymous file transfer protocol from
LLL-WINKEN.LLNL.GOV: File name "~ftp/virus-l/docs/net.hormones" and
IBM1.CC.LEHIGH.EDU: File name "HORMONES NET". And by electronic mail
from LISTSERV@LEHIIBM1.BITNET: File name "HORMONES NET")).
In January I started writing a paper, "Virus infected worms in
information machines." The virus - worm combination has both negative
and positive implications. In the biological world, virii have been
very effective in controlling bacteria that cause disease in farm
animals, etc. So far, the only thing I have seen like this for
computers is the "KillVirus" init. As discussed earlier, it is a
"virus" that overwrites and thereby destroys an invading one. The key
problem seems to be how to develop a virus that has no negative
effects, except on an invading agent. Are there any wizards, virus
writers, etc. who will accept this challenge?
--------
David Stodolsky Routing: <@uunet.uu.net:stodol@diku.dk>
Department of Psychology Internet: <stodol@diku.dk>
Copenhagen Univ., Njalsg. 88 Voice + 45 1 58 48 86
DK-2300 Copenhagen S, Denmark Fax. + 45 1 54 32 11
------------------------------
Date: Tue, 02 May 89 12:15:45 EDT
From: "Gregory E. Gilbert" <C0195@UNIVSCVM.BITNET>
Subject: Virus Plurals
For all of you out there who might be confused between:
viruses
viri or
virii.
According to the Second College Edition of The American Heritage
Dictionary the correct plural form of virus (drum roll please.......)
viruses .
Please note that I will not be offended if any of the others are used,
nor should this message be conceived as snobby or condescending; I was
curious as to which is the "preferred" plural form and thought that
others out there in virusland (or is that viriland, viriiland,
virusesland ?????) might want to know also.
------------------------------
Date: Tue, 02 May 89 14:21:51 -0700
From: Steve Clancy <SLCLANCY@UCI.BITNET>
Subject: Chroma trojan horse (PC)
This is a short bulletin that I recently posted on our BBS. I want to
emphasize that I DO NOT have all the facts, and am not trying to start
a wild rumor. The user who informed me of this possible trojan horse
(as opposed to a virus) is reliable. -- Steve Clancy
Original-April, 19th, 1989. Irvine, CA.
TROJAN HORSE ALERT!
John Cook of the French Connection BBS, just informed me of a possible
Trojan Horse that has surfaced in this area. Details are sketchy.
All I have to go on is what he told me.
Evidently, someone downloaded a file called "HARDCORE.ARC" which
contained a file called either "CHROMA.EXE" or "CHROMA.COM." This
person ran the program, and it displayed something approximating the
following message on the screen:
"The worst possible thing has just happened to your hard disk!"
I don't have details on exactly what happened to this person's hard
disk, but at very least the TH seems to have erased all files.
Again, details are very sketchy at this point, but John is a reliable
source. As more info becomes available, I will update this bulletin.
Steve Clancy, Wellspring RBBS, 714-856-7996, 714-856-5087
U.C. Irvine, California, USA.
------------------------------
Date: Tue, 2 May 89 11:01:45 CDT
From: "Len Levine" <len@evax.milw.wisc.EDU>
Subject: checksum algorithm
In an earlier Virus-l dmg@mwunix.mitre.org states:
>I believe it is possible to use a checkfunction in a constructive
>manner to detect even the most advanced computer viruses, and it
>involves a technique called a "cryptographic checkfunction".
It is fairly easy to use even a simple CRC with a non-standard
polynomial to fool any arbitrary virus. There is no way that a virus
writer can determine what polynomial you are using, as the program
that does the checking need not be stored in any special place on the
system for the virus to check against. As long as you use a
polynomial for the CRC that is not published, no virus can match it.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science Office (414) 229-5170 |
| University of Wisconsin-Milwaukee Home (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
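Levine's keyed-CRC idea as a worked example that is added here and is not part of the digest: a table-driven CRC-32 whose generator polynomial the defender chooses, used to baseline a set of files and re-check them later, with the kind of in-place COMMAND.COM change reported elsewhere in this issue as the test case. The file names, contents and the SECRET_POLY value are constructed; a CRC is linear, so the secrecy of the polynomial is the only thing that stands between this check and anyone who can compute the same function.

```python
# Added example (not from the digest): a reflected, table-driven CRC-32 with a
# defender-chosen generator polynomial, used to baseline files and re-verify
# them later. File names, contents and SECRET_POLY are constructed values.
from typing import Dict, List, Optional

SECRET_POLY = 0x9A5F2C11  # constructed; a real deployment keeps this value private

def make_crc_table(poly: int) -> List[int]:
    """Build the 256-entry lookup table for a reflected CRC-32 using `poly`."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table

def crc32_custom(data: bytes, poly: int, table: Optional[List[int]] = None) -> int:
    """CRC-32 of `data` (init and final XOR 0xFFFFFFFF); poly 0xEDB88320 gives the standard CRC-32."""
    table = table or make_crc_table(poly)
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def baseline(files: Dict[str, bytes], poly: int) -> Dict[str, int]:
    """Checksum every file once; store the result where an infected program cannot rewrite it."""
    table = make_crc_table(poly)
    return {name: crc32_custom(data, poly, table) for name, data in files.items()}

def verify(files: Dict[str, bytes], sums: Dict[str, int], poly: int) -> List[str]:
    """Return the names of files whose checksum no longer matches the baseline."""
    table = make_crc_table(poly)
    return sorted(n for n, d in files.items() if crc32_custom(d, poly, table) != sums.get(n))

# Constructed stand-in for a DOS disk: a boot sector plus two programs.
SAMPLE_FILES = {
    "BOOT.SEC": b"\xEB\x34\x90IBM  3.3" + bytes(24),
    "COMMAND.COM": b"\xE9\x12\x00" + bytes(range(64)),
    "XTREE.EXE": b"MZ" + bytes(range(32)),
}

def tampered_files(poly: int = SECRET_POLY) -> List[str]:
    """Baseline the clean disk, alter COMMAND.COM in place, and report what verify() flags."""
    sums = baseline(SAMPLE_FILES, poly)
    infected = dict(SAMPLE_FILES)
    infected["COMMAND.COM"] = infected["COMMAND.COM"][:-1] + b"\xFF"
    return verify(infected, sums, poly)
```

Running `tampered_files()` returns `['COMMAND.COM']`; the same verify() call over the untouched SAMPLE_FILES returns an empty list.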
------------------------------
Date: Wed, 03 May 89 13:12:35 CDT
From: Michael K. Blackstock <ELTRUT@MSSTATE.BITNET>
Subject: (c) Brain ?????????? (PC)
I am a student at Mississippi State Univ. and some of the computer
disks around here are getting odd data on them. All of the disks that
I have seen have the label (c)Brain. Does anyone out there know what
this is, is it an anti-virus or is it a virus itself?
I looked at the disk with a program called Master Key and I found this
in sector number 0.
< J.4 Welcome to the Dungeon (c) 1986 Brain. & Amjads (pvt)
< Ltd VIRUS_SHOE RECORD v9.0 Dedicated to the dynamic
< memories of millions of virus who are no longer with us today -
< Thanks GOODNESS!! BEWARE OF THE er..VIRUS
< \this program is catching program follows after these messeges...
If anyone knows what this is infecting the disks on campus please let
me know.
Michael K. Blackstock ELTRUT@MSSTATE
P.S. Thanks...................
[Ed. Sure sounds like the Pakistani (aka Brain) virus to me. There
have been some excellent technical descriptions of the Brain published
on VIRUS-L. Does someone have one of these handy that they could send
to Mr. Blackstock (directly)?]
------------------------------
Date: Wed, 3 May 89 17:00 EST
From: "Shawn V. Hernan" <VALENTIN@pittvms.BITNET>
Subject: old question - AV software info request (PC)
Please anyone,
Where can I get virus detection/removal software from some
network? I am looking for MS-DOS stuff, I have all the Macintosh stuff
I need, and I know where to get it. But I run a library of about 500
MS-DOS packages and I need to check for/eliminate viruses. I am hoping
to get public domain or shareware stuff. Any help is appreciated. If
possible, please respond directly to me, as this is rather urgent.
Thanks....
------------
Shawn V. Hernan
--------------------------------------------------------------------------
Computing and Information Systems (Computer Center), Academic Computing
University of Pittsburgh valentin%VMS.CIS.PITTSBURGH.EDU@VB.CC.CMU.EDU
4015 O'Hara Street valentin@PITTVMS.BITNET
Pittsburgh,Pennsylvania 15260 valentin@cisunx.UUCP
(412) 624-9356 valentin@CISVM{1,2,3}.CCnet
__________________________________________________________________________
------------------------------
Date: Wed, 3 May 89 17:48:55 EDT
From: vanembur@gauss.rutgers.edu (Bill Van Emburg)
Subject: Possible virus, info request (PC)
My friend's PC-compatible seems to have a virus, and I don't have
enough experience with IBM viruses to recognize it. Does this sound
familiar to anyone??
This virus (if it really is a virus) modifies the command.com
file. The result of this the next time you boot the machine
is that all .exe files are no longer executable. The machine
boots just fine, and .bat files run, but the autoexec.bat
file dies when it tries to execute xtree.exe. The .exe files
are still there, they just can't be run. Diagnostics were
run on the hard drive, and everything checked out. When the
command.com file was re-copied from an original DOS 3.3
disk, everything started working normally again.
The BIG question: Was the virus killed when the command.com was
re-copied? How can we be sure that it isn't
residing somewhere else, waiting to try its little
game again?
The secondary question: Does anyone recognize this virus? Does anyone
have any additional info (background, how it
works, what it does, where it hides, and how
to detect it) on it?
-Bill Van Emburg
Rutgers University
------------------------------
Date: Sun, 30 Apr 89 05:36:50 EDT
From: Bruce Burrell <USERW6BL@UMICHUM.BITNET>
Subject: Boot viruses - forwarded from HomeBase (PC)
I was asked by Frank Nalls, a user on HomeBase Virus BBS, to forward
this message to VIRUS-L. I'll forward responses to him there; if you
want to send private mail to him through me, that's fine too
(BPB@um.cc.umich.edu)
-----------------------------------------------------------------------
I have just finished reading the Virus-L postings for the past year or
so and found a lot of good information in them. I'm concerned,
though, about some of the virus product attitudes that I've seen
expressed. Jim Goodwin, Mark Shaw and Tim Sankary reported on the
most common infections from over 700 corporate occurrences and
found that over 90% of PC infections were caused by one of the
following viruses:
. Pakistani Brain (Basit and Mjad Original)
. Pakistani Brain HD Version
. Alameda (Yale)
. Alameda (Version - C, Modifies FAT)
. Australian (Stoned) - Original Version
. Venezuelan (Den Zuk)
. Venezuelan-CX (No display)
. Ping Pong (Italian)
. Nichols (Original Version)
The reason I bring this up is that all 9 of these viruses are boot
sector infectors. Virus filter products (like Flu-Shot+ and C-4)
can't prevent or even detect any boot sector virus. Yet I see these
products hyped as good virus protection products. Anyone who claims
these products work either has never seen a boot sector virus or has
never tested these products against them. The only products that are
even remotely useful against these viruses are logging products like
Virus-Pro, Sentry, Magic Bullets and other detection type products.
I'm not trying to flame Mr. McAfee's C-4 or Mr. Greenberg's Flushot+,
it's just that the products don't match virus realities. I also have
to strongly disagree with Mr. David Bader's assessment of Sentry. I
suggest he try some live viruses and check the differences himself.
Frank Nalls
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253