home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.11
< prev
next >
Wrap
Text File
|
1995-01-03
|
6KB
|
147 lines
VIRUS-L Digest Wednesday, 11 Jan 1989 Volume 2 : Issue 11
Today's Topics:
Re: proprietary vs pd software
boot sequence (PC)
VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
---------------------------------------------------------------------------
[Ed. While trying to move the editing of VIRUS-L over to a different
machine today, I had a fight with the LISTSERV - it was converting my
address to uppercase, and Xenix wasn't delivering the mail to me.
It's possible that, during the scuffle, one or two messages to the
list were lost, and/or sent back to their author(s). If this happened
to you, please resubmit your message, and I apologize.]
Date: Wed, 11 Jan 89 13:51:35 EST
From: Neil Goldman <NG44SPEL@MIAMIU.BITNET>
Subject: Re: proprietary vs pd software
Stan Horwitz writes that Fred Cohen has determined that proprietary
software is a more common source of viruses than public domain (and
shareware?) software is. This seems contrary to all the discussion I
have read and participated in on this list as well as in published
reports (for whatever they are worth).
I am very interested in how Dr. Cohen has determined this.
Comment?
Neil A. Goldman NG44SPEL@MIAMIU.BITNET
Replies, Concerns, Disagreements, and Flames expected.
Mastercard, Visa, and American Express not accepted.
Acknowledge-To: <NG44SPEL@MIAMIU>
------------------------------
Date: 11 January 89, 20:00:17 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
Subject: boot sequence (PC)
> When a user presses ctl-alt-del, the keyboard code in BIOS [...]
> redirects interrupt vectors to their default values, then boots. A
> worm sitting in memory (not a _virus_) would have to duplicate all the
> machine-specific stuff for various possible machines
What if the virus (why not?), or worm, simply hooks Int 9?
Then it could fake the warm boot by resetting the interrupt vectors
in a non-standard way that allowed itself to survive in memory and then
jumping to the booting code. The machine-specific stuff would only be
the default values of the interrupt vectors (may be, even they are rather
standard, or can be derived from the memory contents -- I don't know).
Or it could infect the disk/diskette to be booted from, and then rely
on BIOS to be installed again; the machine specific stuff would be nil,
and if it was a boot-sector virus, all required subroutines would already
be part of it.
Just a thought...
O, I just remember some expert told me that the Yale virus did redefine
Ctrl-alt-Sequences. Hence I guess, my thought is not so far off from
what virus-inventors might consider. So, be prepared!
Conclusion: Never, ever, warm-boot an infected computer.
Best wishes
Otto
------------------------------
Date: Wed, 11 Jan 89 16:04:00 EST
Sender: Virus Alert List <VALERT-L@IBM1.CC.Lehigh.Edu>
From: Michael Brown <BROWN@CMR001.BITNET>
Subject: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
*Something a bit strange has appeared in one of our IBM PC labs.*
One of our AT clones has a file called C:\CBUG.COM. Running CBUG.COM
has the following effect: The first time the Y key is pressed, it
prints the message "YOUR COMPUTER IS NOW INFECTED WITH SOME WEIRD VIRUSES",
and it hangs the system. A warm boot will restore the system to normal.
I looked at the file with PCTOOLS. It is a normal .COM file with a
length of 149 bytes. The message is clearly embedded in the beginning of
the file. The rest of the file contains a block of 00h then a irregular
pattern of 00h 0Fh and FFh. The file is dated 1/01/80 (which is unusual,
because that machine has a clock, and usually get the date right) and
the machine is running PCDOS 3.3.
I checked the disk for other occurrences of the message, but it seems
to only be there once.
If I cold start the system:
- run CBUG once, and type a Y, I get the message and the system hangs
- run CBUG twice, and type a Y, I get the message and the system hangs
- either time the system will warm boot
- run CBUG three times, and type a Y, I get the message, the next time
I type a Y it displays the message again and again until the fourth time
the Y key is typed, then the system hangs and I cannot do a warm boot.
- - something similar happens if I run CBUG four times.
- - If I run CBUG five times, the number of time before the system hangs
is irregular, but it always displays the message.
Enough said.
1) Has anyone seen this before????
2) Any suggestions????
I am planning on working on it tonight, using the following procedure...
- - Installing FSP 1.4 on the machine. (I have never used FluShot+, but from
my understanding it is reliable).
- - Running all of the software packages installed on the machine to find
out if any of the programs on the hard disk call it.
- - I will ask the people that used the machine in the last few days
to use all of the software (on floppies) that they used while
the machine is running under FSP.
- - I am *not* sure this is a virus, but I don't understand how the
file got into the root directory of the disk, as most of the users
use the software on the hard disk or if they use floppies, it is to
play games. (There are only 3 files in c:\ , command.com, config.sys and
CBUG.COM and there are 4 subdirectories with utilities that we purchased)
I am assuming that this procedure will help me find out 1) if it is a virus,
and 2) the source of the virus if such a beast exists. There is always
a possiblilty of this being a prank done by someone, but I cannot see
it being one of our student or staff as none of them know enough about
the IBM PC to create such a program. (we are a small college of 600
students with a small percentage in computer related studies).
Thanx for your time,
Any help/suggestions/flames would be appreciated.
Please reply directly to me, I will summarize to the list appropriately.
CP6-Mail: Michael Brown @CMR
NET-Mail: <brownm@cmr001.bitnet>
Michael Brown Snail-Mail: Service Informatique CMR, St-Jean, Que. J0J 1R0
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253