VIRUS-L Digest Friday, 9 Jun 1989 Volume 2 : Issue 133
Today's Topics:
Re: naming confusion
Re: Your assistance please...
GateKeeper
re: possible virus (pc)
Software companies writing nasty s/w
Warning New Virus (PC)
RE: Possible virus? (PC)
more on developers releasing viruses
Upcoming Flu_Shot+ version (PC)
---------------------------------------------------------------------------
Date: Thu, 8 Jun 89 12:55:58 PDT
From: rmorey@ORION.CF.UCI.EDU
Subject: Re: naming confusion
Regarding the "PLO" virus and your suggestion that we not call it by
that name, don't you think that your desire to suppress the link
between the virus and something which obviously offends you (the name
"PLO") is a political tactic? That particular virus is known to many
people already as the "PLO virus"--now you expect them to have to
worry about changing that name in their minds because it offends
someone?
Don't forget that viruses offend everyone, most certainly everyone
who reads this net. We all have a common interest in combating
viruses and their spread but I really doubt that we are going to spend
much time worrying about their names. I apologize if this offends you
but, given both my interest in international politics and my work in
computers, I don't see how both should be meshed or affected at such a
perfunctory level.
Robert J. Morey
[Ed. In mentioning the confusion in the naming convention for viruses,
I never intended to start a political discussion/war - let's please
not turn this into one.]
------------------------------
Date: Thu, 8 Jun 89 22:21:25 +0200
From: Johan Bengtsson <d85-ben@sm.luth.se>
Subject: Re: Your assistance please...
Name of Virus: Israeli Virus (I believe)
Computers/OS: Does run on IBM compatibles with DOS operating system.
(though not when using the Novell network, interrupt conflict)
Virus activity: After infection, every program run received a copy of the
virus. One type of executables (EXE files) were infected
many times. This led to the eventual discovery of the virus.
The sick systems did have a "symptom"; about two times each
hour a small part of the screen was blanked out.
Each Friday 13th, after an initial delay of about 30 min,
*every* program run was *deleted*. This did not happen to
us, countermeasures were applied in time.
Countermeasures: A "vaccine" was developed by me, after disassembly of the
virus code. This detected and prevented further infections.
An "antidote" program was developed by the Comp. Dep. which
was able to restore most infected programs.
Later, we discovered that a "vaccine" and "antidote" had
already been developed at an Israeli University.
Place of events: University of Lulea, Sweden, October 1988
My name: Johan Bengtsson, at the time a last year student in Comp. Sc.
Good luck with the book!
--BEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Johan Bengtsson University of Lulea, SWEDEN
Forskarvagen 149B
S-951 63 LULEA Domain: d85-ben@luth.se
SWEDEN Path: mcvax!enea!luth.se!d85-ben
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------------------
Date: Thu, 8 Jun 89 16:14:25 -0500
From: chrisj@emx.utexas.edu (Chris Johnson)
Subject: GateKeeper
>Though this is probably old news, I'd recommend adding GateKeeper to
>your INITs. Though it's absolutely transparent for all disc writes
>you tell it to allow, it forbids completely any writes it doesn't know
>to be authorised. As soon as I discovered how effective it is, I
>removed Vaccine from my system: GateKeeper is much more thorough (as
>it checks the writing of *any* resource, not just CODE) and much less
>intrusive.
>
>Best of luck with your disinfection.
>
>Alastair Milne
If you liked GateKeeper 1.1, you'll really like GateKeeper 1.1.1.
It's been in testing (in various stages of completion) for several
months now and should be available in the next few weeks. One
(potentially) troublesome bug has been fixed and a good number of
enhancements have been added. More details on 1.1.1 later.
By the way, you're right that GateKeeper doesn't *just* protect CODE
resources, but it's not true that it protects *all* resources.
Protecting all resources is unnecessary (besides, you wouldn't want to
have to grant privileges to every program that modifies one of its own
'STR ' resources). What GateKeeper does do is protect every type of
resource known to contain executable code (there're about 26 of them,
running from INIT and CODE (which you might expect viruses to attack)
to others like 'snth' and 'MBDF' (which you might not)). [Anyone
interested in the exact list can check GateKeeper's 'Type' 1
resource.] Fortunately, most of these protections are unnecessary
against the current crop of viruses (and let's hope it stays that
way), but the protections are there just the same (to help make sure
it *does* stay that way).
In response to another question I noticed a few articles down,
GateKeeper is available for anonymous ftp from Sumex, Simtel,
emx.utexas.edu and rascal.ics.utexas.edu. If these won't work for
you, you can always send me (Chris Johnson) mail as
chrisj@emx.utexas.edu and I'll send you a copy.
Cheers,
----Chris (Johnson)
----Author of GateKeeper
------------------------------
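Chris Johnson's note above describes what GateKeeper actually does: it walks the resources a program writes and guards only the types known to carry executable code. The following is an added example, not GateKeeper's own code, showing the enumeration half of that job in Python: it parses a classic Mac OS resource fork (documented layout: 256-byte header area, length-prefixed resource data, then a map with a type list and per-type reference lists) and reports which resources fall into a code-bearing allowlist. CODE_TYPES is an assumption standing in for GateKeeper's real 'Type' 1 list, since the message names only INIT, CODE, snth and MBDF; the fork built in `demo()` is constructed input.

```python
"""Enumerate resource types in a classic Mac OS resource fork and flag the ones
a GateKeeper-style write monitor would treat as executable code (added example)."""
import struct

# Assumed subset of code-bearing types; GateKeeper's full list (~26 types) lives
# in its 'Type' 1 resource and is not reproduced in the message.
CODE_TYPES = {b"CODE", b"INIT", b"snth", b"MBDF"}

DATA_START = 256      # resource data conventionally follows the 256-byte header area
MAP_HEADER_LEN = 28   # 16-byte header copy + 4 + 2 reserved + 2 attrs + 2 + 2 offsets


def build_resource_fork(resources):
    """Build a minimal fork from [(type, id, data), ...]; constructed input only."""
    data_area = b""
    by_type = {}
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data_area)))
        data_area += struct.pack(">I", len(payload)) + payload   # 4-byte length + bytes
    type_entries = struct.pack(">H", len(by_type) - 1)           # count minus one
    ref_lists = b""
    ref_base = 2 + 8 * len(by_type)      # reference lists follow the 8-byte type entries
    for rtype, refs in by_type.items():
        type_entries += struct.pack(">4sHH", rtype, len(refs) - 1, ref_base + len(ref_lists))
        for rid, off in refs:
            # ID, name offset (0xFFFF = unnamed), 1 attr byte + 3-byte data offset, 4 reserved
            ref_lists += struct.pack(">hHI", rid, 0xFFFF, off & 0xFFFFFF) + b"\0" * 4
    type_list = type_entries + ref_lists
    res_map = (b"\0" * 22
               + struct.pack(">HHH", 0, MAP_HEADER_LEN, MAP_HEADER_LEN + len(type_list))
               + type_list)
    header = struct.pack(">IIII", DATA_START, DATA_START + len(data_area),
                         len(data_area), len(res_map))
    return header + b"\0" * (DATA_START - 16) + data_area + res_map


def list_resources(fork):
    """Walk the map and return [(type, id, size)] for every resource, with bounds checks."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    if data_off + data_len > len(fork) or map_off + map_len > len(fork):
        raise ValueError("truncated resource fork")
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]   # type list start
    ntypes = struct.unpack_from(">H", fork, tl)[0] + 1
    found = []
    for i in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(last + 1):
            rid, _name, attr_off = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * j)
            start = data_off + (attr_off & 0xFFFFFF)   # low 24 bits: offset into data area
            if start + 4 > data_off + data_len:
                raise ValueError("resource %r id %d points outside the data area" % (rtype, rid))
            size = struct.unpack_from(">I", fork, start)[0]
            if start + 4 + size > data_off + data_len:
                raise ValueError("resource %r id %d overruns the data area" % (rtype, rid))
            found.append((rtype, rid, size))
    return found


def code_resources(fork):
    """The subset of resources a write monitor like GateKeeper would guard."""
    return [r for r in list_resources(fork) if r[0] in CODE_TYPES]


def demo():
    fork = build_resource_fork([
        (b"CODE", 0, b"\x00" * 8),       # jump table stub (constructed bytes)
        (b"STR ", 128, b"\x05hello"),    # Pascal string: not code, no privilege needed
        (b"INIT", 1, b"\x4e\x75"),       # 68k RTS: code-bearing
    ])
    return code_resources(fork)


if __name__ == "__main__":
    for rtype, rid, size in demo():
        print("%s id=%d size=%d" % (rtype.decode("latin-1"), rid, size))
```

The bounds checks matter more than they look: a write monitor that trusts the 3-byte data offsets in a map supplied by the very program it is watching can be pointed outside the fork, so every offset is validated against the header's data length before it is dereferenced.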
Date: Thu, 08 Jun 89 16:09:40 CDT
From: "Rich Winkel UMC Math Department" <MATHRICH@UMCVMB>
Subject: re: possible virus (pc)
> Another weirdness (or maybe not). If you are (BY THE WAY, WE
>ARE TALKING ABOUT IBM CLONES) booting up from a bootable diskette (not a
>full DOS disk) with no config.sys file, does it get the files and buffers
>limits from the dos disk that originally made the bootable disk? It
>must, obviously. Where does it keep this stuff?
No, it just uses default values hardcoded in dos. The default for buffers
is 2 for a PC, 3 for an AT. The default for files is 8.
Rich
------------------------------
Date: ???, 02 Jan 80 17:06 EDT
From: Bob Stratton <BSTRATTO@NAS.BITNET>
Subject: Software companies writing nasty s/w
In VIRUS-L Digest, Thursday, 8 Jun 1989, Volume 2 : Issue 132:
odawa@well.sf.ca.us (Michael Odawa) writes:
> Let us set the record straight on this subject:
> No known software publisher has ever intentionally released a virus
> into circulation, nor is it likely that any would do so, as it would
> be contrary to their interests. Viruses threaten the entire software
> industry and expose the releasing party to an enormous legal
> liability.
While the following information pertains specifically to a trojan
horse, it is a prime example of a software company (or at the very
least - individuals at a software company) writing deleterious
software to further personal aims.
I quote from the "Dirty Dozen List, Revision 8D";
SUG.ARC - " Words can not express my feelings about this trojan.
SUG.ARC advertises that it can break SOFTGUARD copy protection,
but upon invocation, it will scramble the FATs on drive A, B,
C, and onwards to your highest drive.
----> While this is certainly a nasty trojan, it is particularly
----> repulsive because SOFTGUARD, CORP, THE CREATORS OF SOFTGUARD
----> COPY-PROTECTION, WROTE IT - perhaps in response to declining
----> business. [My emphasis - RJS III]
They claim that anyone who runs SUG is breaking an
original license agreement; therefore they may legally destroy
data.
I don't credit this, and neither does an attorney I
know, so I eagerly anticipate Softguard's day in court."
I wouldn't normally credit rumors of this sort, but this list has
generally been well-researched, and the author(s) seem(s) to put a lot
of time into verification of the reports he receives.
Cheers,
Bob
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Robert J. Stratton, III BITNET: BSTRATTO@NAS
Stratton Systems Design INTERNET: BSTRATTO%NAS.BITNET@UUNET.UU.NET
Alexandria, VA, USA USENET: uunet!NAS.BITNET!BSTRATTO
PSTNET: 1-202-334-3638
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Software is like entropy. It is difficult to grasp, weighs nothing, and
obeys the Second Law of Thermodynamics; i.e., it always increases."
-- Law XVII: "Augustine's Laws" -- Norman R. Augustine --
------------------------------
Date: THU 08 JUN 1989 18:34:00 EDT
From: IA96000 <IA96@PACE.BITNET>
Subject: Warning New Virus (PC)
Just thought you all might like to know the following:
There is a new virus floating around, which attacks WP.EXE in
particular and almost every other .EXE file it comes in contact
with. It is self-propagating and trashes files and disks.
Some of the things to look for are as follows:
1) Strange blue/green blocks appear on the screen.
2) Running a .EXE you know is on the disk and getting a
"File not found" error even though the .EXE is on the disk.
3) After 30 to 45 minutes everything seems to slow down. Doing
a DIR takes 30 or 40 seconds for each line to appear.
4) It definitely spreads between .EXE files, although it
appears .COM files are immune.
5) It will spread to all types (sizes) of floppy disk drives
and will jump to a hard drive.
More later...
------------------------------
Date: Thu, 8 Jun 89 21:40:26 -0400
From: Joe Sieczkowski <joes@scarecrow.csee.Lehigh.EDU>
Subject: RE: Possible virus? (PC)
> Another weirdness (or maybe not). If you are (BY THE WAY, WE
>ARE TALKING ABOUT IBM CLONES) booting up from a bootable diskette (not a
>full DOS disk) with no config.sys file, does it get the files and buffers
>limits from the dos disk that originally made the bootable disk?
If there is no config.sys file on a bootable disk, DOS just uses
the default buffer and file sizes which are quite small. It does
not keep them from the original DOS disk that made it bootable.
Dbase requires a minimum file and buffer size in order for it to run
properly. Every bootable Dbase disk should have a config.sys file on
it to meet these requirements. This might have been the cause of your
problem.
Joe
------------------------------
Date: Thu, 08 Jun 89 23:30 CDT
From: Gordon Meyer <TK0GRM1@NIU.BITNET>
Subject: more on developers releasing viruses
At the risk of beating a dead horse, and restating a position that
I made quite clear in my first posting, I feel I must respond
in some form to the message from Michael Odawa of the "Software
Development Council of North America".
Rather than issue political statements about the possibilities I'll
refer interested readers to the article I was speaking of. Despite
Mr. Odawa's claims, there is evidence of "unknown" developers doing
just what I outlined. I remind him, and all readers, that such
evidence does *not* constitute proof. Can we agree that it is
undesirable, but not impossible?
-=->G<-=-
"The Revenge of the Developers"
_Current Notes_ Volume 8. Number 6. August 1988
Back issues available for $2.50 from:
Current Notes, Inc.
122 N. Johnson Rd.
Sterling, VA 22170
Standard disclaimers apply.
--------------------------------------------------------------------
| Gordon R. Meyer, Northern Illinois University, Dept of Sociology |
| GEnie: GRMEYER, CIS: 72307,1502, Phone: (815) 753-0555 |
| Bitnet: Tee-Kay-Zero-Gee-Are-Em-One AT Enn-Eye-You.bitnet |
|------------------------------------------------------------------|
------------------------------
Date: Thu, 8 Jun 89 15:00:24 EDT
From: utoday!greenber@uunet.uu.net (Ross Greenberg)
Subject: Upcoming Flu_Shot+ version (PC)
Rob, a future version of FLU_SHOT+ will be available in the next few
months to a)search your hard disk (upon request) to look for strains
of a virus I know about and b)remove that virus from the infected
program if possible. Same thing goes for Boot Sector Viruses, too.
However, since I can only program in such a manner against viruses I
know of, a new virus would not be noticed or removed. Each new virus
I found would require a new version of FLU_SHOT+, and (after ten
versions!) I'm sure some people are looking at the incremental
benefits and presuming it isn't worth the expense in time to update.
I know that I'm sorta cautious not to release trivial updates, and I
presume that the majority of the other anti-virus people must have the
same attitude.
Ross M. Greenberg
Author, FLU_SHOT+
------------------------------
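Two messages in this issue describe the same gap from opposite sides: Johan Bengtsson's Lulea report, where EXE files were found to have been infected many times (each infection making the file larger) before a signature-style "vaccine" was written from the disassembly, and Ross Greenberg's point that FLU_SHOT+ can only search for strains he already knows, so a new virus would go unnoticed. The following is an added example, not FLU_SHOT+ code and not the Lulea vaccine, contrasting the two detection approaches in Python: a signature scan that matches only known byte patterns, and a size-plus-hash baseline that flags any executable that changed or grew since the last clean run, known strain or not. The signature table and the files in `demo()` are constructed for the example.

```python
"""Signature scan versus integrity baseline for DOS-era file infectors (added example)."""
import hashlib

# Constructed signature table: a byte pattern assumed unique to a known strain.
# A scanner built this way finds only strains whose pattern is in the table.
SIGNATURES = {"DEMO-1": b"\xe8\x00\x00\x5e\x81\xee\x03\x01"}

EXECUTABLE_SUFFIXES = (".EXE", ".COM")


def is_executable(name):
    return name.upper().endswith(EXECUTABLE_SUFFIXES)


def scan_signatures(files):
    """Return [(filename, strain)] for every executable carrying a known pattern."""
    hits = []
    for name, content in sorted(files.items()):
        if not is_executable(name):
            continue
        for strain, pattern in SIGNATURES.items():
            if pattern in content:
                hits.append((name, strain))
    return hits


def take_baseline(files):
    """Record size and SHA-256 of every executable while the system is known clean."""
    return {name: (len(content), hashlib.sha256(content).hexdigest())
            for name, content in files.items() if is_executable(name)}


def check_integrity(base, files):
    """Compare executables against the baseline and report anything changed or new.
    A file that has grown is the classic footprint of an appending infector, and a
    file that keeps growing between runs is the repeated infection seen at Lulea."""
    findings = []
    for name, content in sorted(files.items()):
        if not is_executable(name):
            continue
        if name not in base:
            findings.append((name, "not in baseline"))
            continue
        size, digest = base[name]
        if hashlib.sha256(content).hexdigest() == digest:
            continue
        if len(content) > size:
            findings.append((name, "grew by %d bytes" % (len(content) - size)))
        else:
            findings.append((name, "modified"))
    return findings


def demo():
    """Constructed disk: two clean executables and a data file, then two infections."""
    clean = {
        "WP.EXE": b"MZ" + b"\x90" * 60,
        "DB.EXE": b"MZ" + b"\x90" * 40,
        "README.TXT": b"not executable",
    }
    base = take_baseline(clean)
    infected = dict(clean)
    # Known strain appended to WP.EXE: its body contains the DEMO-1 pattern.
    infected["WP.EXE"] += b"\xeb\x10" + SIGNATURES["DEMO-1"] + b"\xcd\x21"
    # Unknown strain appended to DB.EXE: no pattern in the table, so only the
    # size/hash baseline can notice it.
    infected["DB.EXE"] += b"\xb8\x00\x4c\xcd\x21" * 3
    return scan_signatures(infected), check_integrity(base, infected)


if __name__ == "__main__":
    sig_hits, integrity_hits = demo()
    print("signature scan :", sig_hits)
    print("integrity check:", integrity_hits)
```

The signature scan reports only WP.EXE; the baseline check reports both files, because it needs no knowledge of the strain, only of what the clean executables looked like. The trade-off is the opposite of Ross's: the baseline never needs a new version for a new virus, but it must be taken before the infection and stored somewhere the virus cannot reach, and it says nothing about which strain it found.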
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253