VIRUS-L Digest Thursday, 29 Jun 1989 Volume 2 : Issue 144
Today's Topics:
Random comments (Mac)
Re: Virus Identification Software
VIRUS ALERT: New Virus? (PC)
The "Mistake" Virus (PC)
RE: Mac Archives - correction
RE: questions re: HomeBase
virus detection program (PC)
NEW VIRUS?? (PC?)
2 remarks
File: "VIRUS-L MAIL" being sent to you
virus bulletin newsletter
--------------------------------------------------------------------------------
Date: Wed, 28 Jun 89 11:10:30 EDT
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Random comments (Mac)
<ACSAZ@SEMASSU.BITNET> (Alex Z.) asks:
>Besides nVir and Scores, what other viruses are `out' for the Mac. I
>am interested in their frequency of appearance and how they can be
>identified and dealt with.
The current count is 9. Scores, nVIR (two strains and three clones -
MEV#, Hpat, and AIDS), INIT 29, Peace, and ANTI. Get a copy of my
virus doc stack from the LISTSERV at SCFVM; if you need help in doing
that, drop me some E-mail.
Kenneth R. van Wyk <krvw@SEI.CMU.EDU> quotes Fred Cohen:
> ... "On the very widely
>used Compuserve network, a virus was apparently planted to infect the
>initialization files of the Apple MacIntosh. This virus was designed
>to put an advertisement on the screen on a particular date and then
>delete itself. It was noticed by a programmer browsing through his
>system initialization files and was traced to a company that had added
>a program to the Compuserve library. The perpetrator was barred from
>Compuserve 'forever'. Compuserve has countered by providing a public
>domain program that constantly runs in the background checking for
>modifications to system initialization files and asks the user if
>these are desired...."
The virus portion is correct; it refers to the "Peace" virus. It was
distributed in a Trojan HyperCard stack. The anti-viral in question
is Vaccine, distributed by CE Software, *not* CompuServe. CIS did not
sponsor the development or distribution of this program; it was done
solely in a spirit of public service by Don Brown at CE Software.
--- Joe M.
------------------------------
Date: Wed, 28 Jun 89 10:44:18 PDT
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: Re: Virus Identification Software
Sounds Good.
Do they plan to make this software available to host sites on the Internet
such as SIMTEL20?
Regards, RollO Rogers, COMPUSEC SPEC, NOSC S D
------------------------------
Date: Wed, 28 Jun 89 19:31:46 MEZ
Sender: Virus Alert List <VALERT-L@ibm1.cc.lehigh.edu>
From: Christoph Fischer <RY15@DKAUNI11.BITNET>
Subject: VIRUS ALERT: New Virus? (PC)
We were called for assistance in two virus cases today. Both seem to be
caused by the same virus.
Symptoms:
COM Files grow by 50 Bytes
Upon reboot the system will keep booting over and over again (till power
off)
Both incidents were not at our location so we will have to wait until paper
mail will get them through to us for further tests.
Sites of appearance:
Rosenheim West-Germany (Bavaria)
Ettlingen West-Germany (Baden)
*****************************************************************
* Torsten Boerstler and Christoph Fischer *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
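The background check Joe McMahon attributes to Vaccine (watching system files for modification) and the 50-byte COM growth in the alert above both reduce to the same defensive routine: compare a trusted baseline of file sizes and hashes against the current disk. The following Python sketch is an added example, not code from the digest or from either poster; the filenames, byte contents and the appended dummy bytes are all constructed.

```python
import hashlib
from collections import Counter

# Constructed sample snapshots (filename -> contents) standing in for a DOS
# directory listing. The "executable" bytes are dummies, not real code.
BASELINE = {
    "COMMAND.COM":  b"\xe9\x12\x34" + b"A" * 2000,
    "FORMAT.COM":   b"\xe9\x56\x78" + b"B" * 1500,
    "EDIT.COM":     b"\xb8\x00\x4c" + b"C" * 900,
    "AUTOEXEC.BAT": b"@ECHO OFF\r\nPATH C:\\DOS\r\n",
    "README.TXT":   b"plain text, not executable",
}

# Same machine later: every .COM file is 50 bytes longer (dummy appended
# bytes), AUTOEXEC.BAT was legitimately edited, README.TXT is untouched.
CURRENT = dict(BASELINE)
for _name in ("COMMAND.COM", "FORMAT.COM", "EDIT.COM"):
    CURRENT[_name] = BASELINE[_name] + b"\x90" * 50
CURRENT["AUTOEXEC.BAT"] = b"@ECHO OFF\r\nPATH C:\\DOS;C:\\UTIL\r\n"


def snapshot(files):
    """Record size and SHA-256 of every file; keep this on write-protected media."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def compare(baseline, current):
    """Return {name: size_delta} for every baseline file whose content changed.
    The hash is compared, so a same-size modification is still reported (delta 0)."""
    changes = {}
    for name, (size, digest) in baseline.items():
        if name in current and current[name] != (size, digest):
            changes[name] = current[name][0] - size
    return changes


def uniform_growth(changes, min_files=2):
    """Return the byte count if at least min_files files grew by the same
    amount: the classic trace of an appending infector, as in the alert."""
    deltas = Counter(d for d in changes.values() if d > 0)
    if not deltas:
        return None
    delta, count = deltas.most_common(1)[0]
    return delta if count >= min_files else None


if __name__ == "__main__":
    diff = compare(snapshot(BASELINE), snapshot(CURRENT))
    print(diff)                  # {'COMMAND.COM': 50, 'FORMAT.COM': 50, 'EDIT.COM': 50, 'AUTOEXEC.BAT': 8}
    print(uniform_growth(diff))  # 50
```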
------------------------------
Date: Wed, 28 Jun 89 15:36:31 +0300
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: The "Mistake" Virus (PC)
As some of you may already have read in the press, a new PC virus,
the "Mistake" virus, has been reported in Israel. As I have already
been getting inquiries about it, I thought I might as well publish
what I know, even though I haven't yet seen it, so that what I report
here is second-hand info.
Its main symptom is that certain characters in printouts are replaced
by others. In the case of letters, the replacement is always
by another letter which is pronounced similarly, e.g. K by C. The
same thing happens with Hebrew letters (which on Israeli computers
replace the foreign letters at Ascii 128-154), making it almost
certain that the virus was authored by an Israeli. Digits are also
replaced. The virus has been reported in banks in Tel Aviv and at the
Univ. of Tel Aviv. According to a newspaper report, the virus even
caused the Hebrew equivalent of the following sentence to be printed:
"4 times 4 equals 16, more or less" (there was no indication of what
the undistorted original was). (Note: Replacements do not appear on
the screen or in files, only in printouts.)
So much for the symptoms. As to the mechanism, it's said to be a
boot-sector virus installing itself in 2K at the upper end of RAM.
It may be a mutation of the Ping-Pong (Italian) virus. In any case it
has been removed by a program designed to remove the P-P virus. As
with other boot-sector viruses, it could presumably be wiped out also
by performing SYS on the infected disk (immediately after a cold boot
from a clean DOS diskette).
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Wed, 28 Jun 89 11:30 MST
From: GORDON_A@CUBLDR.Colorado.EDU
Subject: RE: Mac Archives - correction
<wsmr-simtel20.army.mil
< Robert Thum rthum@wsmr-simtel20.army.mil
< Access is through anonymous ftp, IP number 26.0.0.74.
< Archives can be found in PD3:<MACINTOSH.VIRUS>.
< Please get the file 00README.TXT and review it offline.
<Jim Wright
<jwright@atanasoff.cs.iastate.edu
I believe the IP number should be 26.2.0.74.
Allen Gordon
------------------------------
Date: Wed, 28 Jun 89 16:02 CDT
From: "Roger Safian, VAX Systems Group" <ROGER@nuacc.acns.nwu.edu>
Subject: RE: questions re: HomeBase
> It's shareware and available on the HomeBase BBS - 408 988 4004.
This is my first time replying to the list, so be gentle with me :-)
Does the HomeBase BBS have a FidoNet node number, and if so does it
accept file requests? Also, if you are giving info on a BBS, please
include the FidoNet node number if it has one. Thanks in advance.
Roger Safian
------------------------------
Date: Wed, 28 Jun 89 23:23 N
From: "Rob J. Nauta" <RCSTRN@HEITUE5.BITNET>
Subject: virus detection program (PC)
I just read the message by Alan J. Roberts about a program that scans
a disk for the 53 known viruses. He also states that it is available
from the homebase BBS, which I unfortunately cannot call from here -
too expensive! The address he gave
(portal!cup.portal.com!Alan_J_Roberts@sun.COM) is too nonstandard for
my mailer, even gMAIL won't send my message, that's why I would like
to ask if anyone would be so kind to send me this program. It sounds
like the thing I was asking for in an issue of this digest a few weeks
back. I would be very grateful.
Also adding it to the listserv files or sending it to simtel-20 to be
added to <msdos.trojan.pro> sounds like the thing to do because I think
a lot of people would be interested in this great program.
With thanks in advance, Rob J. Nauta.
rcstrn@heitue51.bitnet
------------------------------
Date: 29 Jun 89 07:53:00 GMT-15:00
From: "DSC T. DEJANE" <motu_7a@wmms-srf-yoko.arpa>
Subject: NEW VIRUS?? (PC?)
The following was received over the IBMPC-L list.
------------------------------
Date: Tue, 13 Jun 89 17:39:41 EDT
From: ejs@goldhill.com (Eric Swenson)
Subject: Virus? Help!
My wife's office has gotten the following messages printed out on their
networked laserprinter. She doesn't know which workstation on the Novell
network originated the printouts and no banners on printed documents are
used, so it is hard to track down. In any case, the output included:
THE COPY BANDITO
SAYS YOUR SYSTEM HAS BEEN INVADED BY
STRANGE BEINGS WHO SEEK TO DISRUPT THE NORMAL LIFE ESSENSE
PURVEYING YOUR PLACE OF WORSHIP.
WHAT IS IT THAT YOU PRAY TO?
IS ANYONE SMART ENOUGH?
TIMES UP!
!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
BOW DOWN
NO ONW [sic] HAS THE BRAINS
Has anyone seen this before? Does anyone have any suggestions as to how to
track down which program contains this virus (if it is a virus)?
Thanks. -- Eric
------------------------------
Date: Wed, 28 Jun 89 20:37 EST
From: Dimitri Vulis <DLV@CUNYVMS1.BITNET>
Subject: 2 remarks
1. The English language has certain traditional ways of naming groups
of animals, e.g., a goggle of goblins, a school of fish, a pack of
wolves, etc. Since both `virus' and `Trojan horse' have some kind of
animal overtones, I wonder what other people (preferably English
majors) think is a good way to name a group of those beasts.
Definitely not `diskful'---a disk is likely to be anything but full
after a visitation. A test-tube of viruses? A can of worms? A pack of
Trojan horses? `This BBS offers a horde of Trojan Horses for
downloading.' Please reply directly to me, and I'll summarize in the
newsgroup.
2. Ross Greenberg is alleged to have written in Byte, June '89, page 275:
>In the DOS environment, viruses use JMPs or other system files
>to ply their trade.
I know that Ross knows that JMP is an instruction, not a system file.
Moral: check your proofs, or (c)Brain will infect every NOP in your system.
Dimitri Vulis
Department of Mathematics
CUNY GC
------------------------------
Date: Thu, 29 Jun 89 04:21:50 EDT
From: Revised List Processor (1.6a) <LISTSERV@IBM1.CC.Lehigh.Edu>
Subject: File: "VIRUS-L MAIL" being sent to you
Date: Thu, 29 Jun 89 09:16:26 BST
From: LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: gatekeeper/vaccine on old macs
> PS I've discovered that GateKeeper won't work on our ancient 128/512k
> Macs to stop reinfection with the dose of nVirB we have going around.
> Am I right? If I am any helpful suggestions?
You're probably right. The oldest versions of the System do not scan
the System folder for INIT (Startup), RDEV (Chooser), and cdev (Control
Panel) files; INIT resources contained in these files will not be
executed. GateKeeper and Vaccine are both cdev files.
You _might_ be able to install a hacked-up copy of Vaccine into the
System file on your startup disk(s). You'd need to configure Vaccine
on a more-modern machine... probably "protection on, expert display,
don't compile MPW INITs, don't show icon at startup". Then, use
ResEdit to copy the INIT and FKDT resources from the configured copy of
Vaccine, and paste them into the System file on your startup floppy.
You could also try configuring the copy of Vaccine to display its icon
at startup time; you'd then need to copy the ICN# resource from the
Vaccine file and add it to the System.
I haven't tried this and can't assure you that it would work... but it's
probably worth a try. Do it on _copies_ of Vaccine and of your startup
floppy, of course! Best of luck!
Dave,
Thanks for the above. I tried it and although all the copying and pasting
via ResEdit worked OK, no joy when I booted up with the new system. The
Vaccine icon didn't appear and re-infection occurred when I used an infected
disk on the machine. I have an application called "Immunity" which is supposed
to protect the System file from re-infection by inserting nVir=10 code into
the resource fork of the system file. It doesn't seem to insert it into other
files that could be infected, e.g. Finder, MacWrite, MacPaint etc. Could I use
ResEdit to copy the nVir=10 code and paste it into the other files/
applications? Rgds, Iain Noble
------------------------------
Date: Thu, 29 Jun 89 09:19:46 BST
From: LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: virus bulletin newsletter
Somebody was asking about a new monthly newsletter I mentioned called
"Virus Bulletin."
All I've got in the way of more information is a price of 195 pounds and
a UK telephone number 0844 290396.
Rgds,
Iain Noble
------------------------------
End of VIRUS-L Digest
*********************