VIRUS-L Digest Monday, 5 Jun 1989 Volume 2 : Issue 128
Today's Topics:
nVIR Origins (Mac)
.ZIP Ansi codes (PC)
Re: comp.virus usenet virus handbook
Re: nVirB infection at teesside poly, uk (Mac)
naming confusion
---------------------------------------------------------------------------
Date: Fri, 02 Jun 89 17:48:51 EDT
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: nVIR Origins (Mac)
I vaguely remember downloading some assembler code from CIS a looong
while back (pre-Scores) that purported to be source for a virus
similar to nVIR. I didn't save it, mostly because I didn't see any use
for it then. It would have been a good guide to writing an anti-viral,
I suppose.
In fact, if I remember right, the resources it used were indeed called
nVIR!
--- Joe M.
Internet: xrjdm@scfvm.gsfc.nasa.gov
Phone: (301) 286-8090
CIS: 72330,554
"I've seen yellow stripes down the middle of the road, but never quite so WIDE..." - Dorothy
------------------------------
Date: Sat, 03 Jun 89 00:34:41 CDT
From: James Ford <JFORD1@UA1VM.BITNET>
Subject: .ZIP Ansi codes (PC)
This was taken from an IBM SIG conference. This is *NOT* a
virus/trojan warning/alert; however I thought it might be of interest.
James
Original-From: Sysop Of 107/522
Original-Subject: .ZIP Utility ALERT
FILES UPLOADED TO YOUR SYSTEM THAT HAVE BEEN COMPRESSED UTILIZING PHIL
KATZ'S PKZIP/PKUNZIP UTILITY COULD CRASH YOUR SYSTEM WHEN UNZIPPED!
As most of you know it is possible to reprogram your keyboard (and
other things) using ANSI Escape sequences... .ZIP programs will allow
the use of ANSI in the comments section... I have received several such
"innocent looking" files in the last two weeks. One caused my F1 key to
display a wide DOS Directory, the other attempted to delete all files on
my hard drive!
------------------------------
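As an added illustration (not part of the forwarded alert or of anything else in this digest), here is a small Python checker that pulls the archive comment out of a .ZIP file and flags ANSI control sequences before the comment is ever echoed to an ANSI-aware console. The sample archives and comments are constructed; the ANSI.SYS keyboard-reassignment form (ESC [ ... p) is the mechanism the alert describes.

```python
import io
import re
import zipfile

# ANSI control sequences: ESC [ parameters final-byte (0x40-0x7E).  ANSI.SYS
# also accepts quoted strings in the parameters, and a final byte of 'p'
# is its keyboard-reassignment command, the mechanism the alert describes.
CSI_RE = re.compile(rb'\x1b\[((?:"[^"]*"|[0-9;])*)([\x40-\x7e])')

def classify_sequences(comment: bytes) -> list:
    """Return (kind, raw_sequence) for every ANSI sequence in a comment."""
    found = []
    for m in CSI_RE.finditer(comment):
        kind = "keyboard-reassignment" if m.group(2) == b"p" else "display-control"
        found.append((kind, m.group(0)))
    return found

def safe_display(comment: bytes) -> str:
    """Escape ESC and other control bytes so that printing the comment on an
    ANSI-aware console cannot execute the sequences it contains."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}" for b in comment)

def audit_zip(data: bytes) -> dict:
    """Read only the archive comment and report the control sequences in it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        comment = zf.comment          # bytes from the end-of-central-directory record
    seqs = classify_sequences(comment)
    return {
        "comment": safe_display(comment),
        "sequences": seqs,
        "dangerous": any(kind == "keyboard-reassignment" for kind, _ in seqs),
    }

def build_sample_zip(comment: bytes) -> bytes:
    """Constructed sample archive for the demonstration (not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "sample content")
        zf.comment = comment
    return buf.getvalue()

# Constructed comments: a harmless bold/reset pair, and an ANSI.SYS
# reassignment of F1 (scan code 0;59) to a wide directory listing,
# the same effect the alert reports.
BENIGN = b"Thanks for downloading! \x1b[1mEnjoy\x1b[0m"
HOSTILE = b'Nice file \x1b[0;59;"DIR /W";13p enjoy'

if __name__ == "__main__":
    for label, c in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, audit_zip(build_sample_zip(c)))
```

The same check can run on real archives by reading the file into `audit_zip`; anything reported as keyboard-reassignment should be treated as hostile regardless of what the rest of the comment says.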
Date: Sun, 4 Jun 89 15:18:38 BST
From: "David.J.Ferbrache" <davidf@cs.heriot-watt.ac.uk>
Subject: Re: comp.virus usenet virus handbook
The idea of a handbook associated with the newsgroup is an excellent
one, although I would caution that such a handbook can not be a
comprehensive guide to known viruses and trojan horses without a
significant (major) amount of effort on the part of the editorial
committee.
There are a number of excellent general papers available describing
the nature of computer viruses, and the countermeasures which can be
taken to prevent their spread. A general guide should probably
incorporate this information, together with a short symptomatic
description of the major common computer viruses across all systems.
It would also be worth incorporating and updating the Dirty dozen list
(by the way 8D available from Heriot-Watt University archive).
It would also be useful to incorporate a public domain anti-viral
software guide (a la Compute's computer virus book), including details
of software availability via Jim Wright's archive site initiative.
> (1) How much information should be provided in the general guide?
Hmm, I would say that the guide should be aimed at casual non-systems
programmers. The use of binary and resource editors, together with disk
recovery and reconstruction techniques, is probably best omitted from
the beginners section. It might be possible to describe the use of
norton utilities to destroy boot sector viruses on the IBM, and
resedit to identify and repair infected Mac applications. In general
however there is little or no reason to utilise Resedit directly when
such powerful repair tools as Disinfectant are available.
The guide should include:
1. A general introduction to the concept of a virus
2. Brief historical overview and perspective on the threat
3. Operational principles of viruses in brief (v101?)
4. Prevention, detection and recovery from viral infection
(i.e. backups, software policies, use of checksum and file
alteration checking techniques, disk access monitors etc.,
mentioning the categories of anti-viral software).
(maybe also include a checklist of simple anti-viral measures)
5. Known viruses (symptomatic description in brief)
a. IBM PC b. Mac c. Atari d. Amiga e. Apple II
6. Trojan horses and other replicating programs
Appendices: Glossary. Public domain software - availability and review.
References. Dirty Dozen Trojan List. Bulletin Board contacts.
> (2) How best do we handle duplicate effort?
There is quite a bit of duplication to date, in Europe Klaus' virus
directory will hopefully serve as a central focus for the viral code
analysis and disassembly. In the UK there is CoTRA (computer threat
research association) and the BCVRC (British computer virus research
centre). A number of people are producing listings of known viruses,
documentation on anti-viral techniques and software etc. The Homebase
bulletin board, CVIA, SDCNA, NCSC, MacMash etc all jump to mind as
possible organisations worth contacting.
> (3) How do we assemble the editor staff?
Tricky. Ideally you want the widest possible spread of expertise,
preferably including an Atari ST and Amiga expert (George Woodside,
Steve Tibbett ??). When the project gets off the ground I am sure you
will not be short of volunteers for the project, if you wish any
feedback on the UK virus scene then please get in touch and I will be
happy to help.
> (4) How much staff do we need? One or two for each supplement? One
> for each general chapter? Should we have a chief editor or two to
> oversee the whole effort and help to assure that project goals are
> being met? How about a temporary peer review group to evaluate each
> section as the guide is being built for the first time?
Ideally a general editor who has a wide experience of viruses across
all systems to prepare the introductory section, volunteers for each
major machine type to deal with the specific problems of that machine
(known viruses, specific disinfection software reviews etc).
If you wish to include a degree of technical detail then this might
include advanced recovery techniques (eg boot sector, partition
record, resource and binary editing), use of signature recognition to
detect viral infection, repair of infected application programs, maybe
even a catalog of viruses with algorithmic descriptions.
> (5) How about a different name for the effort?
I would suggest an ad-hoc mailing list. Such discussion is not
suitable for a newsgroup as such (unless possibly a temporary alt.
group). Easiest is to add volunteers or interested parties to the
list, with a known redistribution address at your site. I suspect that
the effort may generate a great deal of discussion which would
probably swamp most newsgroups!
Thanks for volunteering, Jim. Good luck.
-------------------------------------------------------------------------
Dave Ferbrache, Dept of computer science, Heriot-Watt University,
79 Grassmarket, Edinburgh, United Kingdom EH1 2HJ
Internet <davidf@cs.hw.ac.uk>
Janet <davidf@uk.ac.hw.cs>
UUCP ..!mcvax!hwcs!davidf
Telephone +44 31-225-6465 ext 553
Facsimile +44 31-220-4277
BIX/CIX dferbrache
-------------------------------------------------------------------------
------------------------------
Date: Sun, 04 Jun 89 00:15:26 -0700
From: Alastair Milne <milne@ICS.UCI.EDU>
Subject: Re: nVirB infection at teesside poly, uk (Mac)
Though this is probably old news, I'd recommend adding GateKeeper to
your INITs. Though it's absolutely transparent for all disc writes
you tell it to allow, it forbids completely any writes it doesn't know
to be authorised. As soon as I discovered how effective it is, I
removed Vaccine from my system: GateKeeper is much more thorough (as
it checks the writing of *any* resource, not just CODE) and much less
intrusive.
Best of luck with your disinfection.
Alastair Milne
------------------------------
Date: Mon, 5 Jun 89 11:45:50 EDT
From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk)
Subject: naming confusion
David Ferbrache helped me out in my quest for information on the
Little Black Box virus (Thanks David!). Apparently, this virus is a
strain of the Israeli virus. ...which brings me to my point.
One of the most frustrating things that I've run into is that viruses
get called different things by different people. Just look at a
couple of the more common ones - Israeli <=> PLO <=> Russian <=> Black
Hole <=> Little Black Box, Brain <=> Pakistani ... (the list goes on).
I'm not proposing any solutions here because, quite frankly, I'm not
aware of any real good solutions. Anyone have any suggestions? My
point is merely to point out the cause for confusion and hopefully
generate some discussion on it.
Ken
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253