VIRUS-L Digest Wednesday, 7 Jun 1989 Volume 2 : Issue 131
Today's Topics:
Notifications for Network Viruses
re: Possible virus? (PC)
Re: naming confusion
Are software developers releasing viruses?
virus desinfecting
---------------------------------------------------------------------------
Date: Wed, 7 Jun 89 08:55 EDT
From: Roman Olynyk - Information Services <CC011054@WVNVAXA.WVNET.EDU>
Subject: Notifications for Network Viruses
I've recently completed a virus response procedure for our site, a
statewide educational telecomputing network. This procedure
establishes an emergency action plan that we hope would reduce the
impact of a computer virus at WVNET.
One of the sections in our procedure deals with notifying authorities.
A couple of the following items took a little digging to get, and I
think that having these on hand for reference would be useful. Every
moment spent deciding what to do during an outbreak of a virus may
give the virus another chance to spread.
* VALERT-L list - if the virus is spreading outside of WVNET's
network through BITNET or the Internet, a member of the Virus
Response Team will post a warning to VALERT-L@LehiIBM1. This
list is dedicated to posting emergency warnings of detected
viruses.
* BITNIC - the BITNET Information Center in Washington, DC,
should be notified in the event of a virus which affects the
BITNET network. Telephone number 202-872-4200. Contact
persons as of June 7, 1989 are Michael Hrybyk, James Conklin
(director), and Amanda Spiegel.
* SRI-NIC - the SRI International Network Information Center is
the central information site for the Internet. Telephone
number 800-235-3155, available around the clock. There is no
designated contact person for SRI-NIC.
Besides the above three items, we also want to inform our management
team, primary contacts at the campuses of our member schools, and
(particularly where a serious incident is suspected to have originated
from within WVNET's environment) legal counsel.
[Ed. Another Internet contact point is the Computer Emergency Response
Team at Carnegie Mellon's Software Engineering Institute.]
------------------------------
Date: 7 June 1989, 09:33:25 EDT
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: Possible virus? (PC)
> If you are... booting up from a bootable diskette (not a full DOS
> disk) with no config.sys file, does it get the files and buffers
> limits from the dos disk that originally made the bootable disk?
No, when you boot from any disk without a CONFIG.SYS on it, DOS just
takes the defaults for files and buffers. The defaults have varied
with DOS version, I think. In 3.3, I believe the defaults were
FILES=8 and BUFFERS=2, 3, 5, 10 or 15 (depending on diskette drives
installed and memory size). See the DOS manual for details.
DC
------------------------------
Date: Wed, 07 Jun 89 19:30:14 +0300
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: Re: naming confusion
In #128 Ken writes:
>One of the most frustrating things that I've run into is that viruses
>get called different things by different people. Just look at a
>couple of the more common ones - Israeli <=> PLO <=> Russian <=> Black
>Hole <=> Little Black Box, Brain <=> Pakistani ... (the list goes on).
>I'm not proposing any solutions here because, quite frankly, I'm not
>aware of any real good solutions. Anyone have any suggestions? My
>point is merely to point out the cause for confusion and hopefully
>generate some discussion on it.
I don't think we can prevent multiplicity of names, but some names
are more reasonable than others. For example, if a user sees a region
of his screen scroll up and leave a black rectangle, it's understandable
that he should call it the "Little Black Box" if he's never heard
of the Israeli virus before.
On the other hand, the term "PLO" as a name for the Israeli virus is
entirely inappropriate since it suggests a political motive for the
virus, a hypothesis which, to the best of my knowledge, has never been
supported by *any evidence whatsoever*. The first person to suggest
this motive seems to have been Vin McLellan, who wrote in a New York
Times article of Jan 31, 1988 that the virus "was apparently intended
as a weapon of political protest". But his sole "evidence" was the
coincidence of dates which he discovered between the first day on
which the virus would cause damage (it does this only on Friday-the-13ths)
and the 40th anniversary of the last day Palestine was under
the British mandate (May 13, 1988)! I wrote to him, pointing out how
flimsy his evidence was. I also pointed out that whatever psychological
drive motivates most creators of viruses and Trojan Horses elsewhere
in the world, and whatever motivated the author of the April-Fools-Day
viruses (which were discovered in Israel about the same
time, yet no one claims that *they* were politically motivated), is
quite sufficient to motivate creation of our Friday-the-13th virus
also. Now I have no doubt that McLellan's intentions were good. But
as he eventually admitted to me, he "was too quick to assume too much
about this virus, its author, and its intent." Unfortunately, his
explanation was already accepted by many people, even to the point of
dubbing this virus the "PLO" virus.
The name "PLO" is therefore entirely inappropriate and I would like
to request readers of this list to refrain from using this name.
As for the other synonyms for the Israeli virus (btw, I can add 7
more to those mentioned by Ken), I can understand the reason for all
of them except "Russian". Does anyone have any idea what motivated
*that* name??
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Wed, 07 Jun 89 12:13 CDT
From: Gordon Meyer <TGRM1@NIU.BITNET>
Subject: Are software developers releasing viruses?
A virus-l writer recently asked about viruses being spread, on
purpose, by software manufacturers. While I would like to think this
isn't happening, there is evidence to the contrary.
Dave Small, developer of the Magic Sac and Spectre 128 (two products
that allow the Atari ST/Mega to emulate a Macintosh), has indicated
that some developers might be introducing viruses as a means to fight
software piracy.
It's a simple premise. The developer "releases" a beta version of his
program that is clearly labeled as being pirated. (A big "CRACKED BY
CAPTAIN CROOK" will do it.) So far these programs have not been aimed
at individual pirates per se, but rather the pirate bulletin board
systems. When run they introduce a virus that waits for a future date
(long enough to allow the program to be circulated in the pirate
community) before going into action. Usually it looks for specific
BBS files...if it finds them it starts to slowly corrupt the FAT table
on the hard drive. Small has suggested that other "revenge"
techniques are possible such as burning out the Atari color monitor by
forcing the hardware into monochrome mode. I'm sure there are other
possibilities as well.
This information is taken from an article by Small, published in
_Current Notes_. (August 1988) Any errors in the above summary should
be blamed on me, not him. -=->G<-=-
PS: Small didn't name any specific programs, but I know that a French
game, "Manhattan Dealer", was known to contain a virus in its pirated
form.
- --------------------------------------------------------------------
| Gordon R. Meyer, Northern Illinois University, Dept of Sociology |
| GEnie: GRMEYER, CIS: 72307,1502, Phone: (815) 753-0555 |
| Bitnet: Tee-Kay-Zero-Gee-Are-Em-One AT Enn-Eye-You.bitnet |
|------------------------------------------------------------------|
|------------------------------------------------------------------|
| Disclaimer? Grad students don't need 'em! |
|__________________________________________________________________|
------------------------------
Date: Wed, 7 Jun 89 20:51 N
From: ROB_NAUTA <RCSTRN@HEITUE5.BITNET>
Subject: virus desinfecting
I got nobrain.c, a program that removes a Brain virus from a diskette,
and antidote, which removes the pingpong virus from a disk. These
tools made me wonder, is there a program that recognises viruses for
the PC? Mac antiviral programmes do, because every time a new virus is
found the tools can't help and a new version comes out, extended to
recognise that one as well. Is there a program that says 'this disk
(or COM or EXE file) is infected by ......' ?? I know FluShot+ warns
if you boot from a Lehigh-infected disk. Furthermore, is there a
program that disinfects COM or EXE files that were infected by, say,
the 1701/1704, TSR virus etc ?? At the moment everybody says 'install
your software from your backups and start with a clean system' but
seeing how fast I can clear the Pingpong from a disk makes me
interested to find out if there are programs that restore program
files... If those programs don't exist, I may start writing my own
tool for it, I will need some info then how I can recognise known
viruses and how I can reconstruct the file (delete the first 1701 or
1704 bytes seems logical in that case, but is it correct, and what
about the others??) I hope someone can help me, thanks in advance
Rob J. Nauta - Fidelio Software
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253