VIRUS-L Digest Monday, 3 Jul 1989 Volume 2 : Issue 147
Today's Topics:
new network-virus group?
nVIR and Appletalk (Mac)
VACATION Virus Reported on INFO-VAX List (VAX/VMS)
Update on boot virus in Germany (PC)
Re: New Virus - Fu Manchu?
----------------------------------------------------------------------
Date: Fri, 30 Jun 89 12:55:48 -0500
From: "Jeffery K. Bacon" <BACON@MTUS5.BITNET>
Subject: new network-virus group?
A little while ago, there was some hashing about the overly
pc-oriented direction of this list or something like that. (Forgive me,
I had 4+ weeks' worth of mail to catch up on in the past 1-1/2 wks,
and it's been a while since I read the virus-l notebook - which was
sizeable. So...)
Anyway. I don't mean to hash on the pc virus gurus and the pc virus
problems - I will definitely agree, they are very serious, and need much
attention. In fact, I will say right here and now that THIS netgroup, in
my wide and varied experience, is one of THE most productive and useful
groups I have EVER seen ANYWHERE in netland. (Please note that when I say
'PC', I mean 'personal computer' in general, not IBM-PC&clones.) This of
course needs to continue.
My thought here is that the group has kind of shifted directions
towards the PC environment. But the networking environment and the issues
surrounding it are very different. There are of course no major network
virus dangers right now, but network security and finding loopholes is
always a major concern. Is there a place for another list concerning
viruses in the network and PC-NFS/LAN environment?
I remain kind of neutral on the issue, I just bring it up here for
thought. There might be some overlap with VIRUS-L as it is, or perhaps
with the SECURITY list, that might want to be considered. But I personally
know that most of what passes thru VIRUS-L nowadays is of little interest
to me because I rarely if ever work with pc's. I imagine there are others
who are like me here too.
Whaddya think? Instead of discussing it here, it might be better to
perhaps have the comments sent to me (bacon@mtus5.bitnet) and I'll
compile them. I'll leave that to Ken to decide.
[Ed. Thanks for offering to compile the "votes", Jeff - I hope you're
prepared for some more mail to wade through! :-) I've received lots
of requests for, among other things, a Mac-only and a PC-only list.
If the readers feel that it is time to split the already heavy traffic
into separate groups, then it would seem (to me) to make sense to have
a Net-only group. I also think that if such a split is desired, then
we'd have to find a moderator/digestifier for each group, since I
don't think that I'll have enough time to handle all three (or however
many) groups. So, be careful what you ask for, you just may get it.
Feedback, both positive and negative, is appreciated.]
Jeffery Bacon
Academic Computing Svcs, Michigan Technological University
bitnet: <bacon@mtus5> uucp: <backbone>!rutgers!umix!anet!bacos
------------------------------
Date: 06 (null) 89 09:06:28 +0000
From: E. C. Greer <RS0XEG@ROHVM1.BITNET>
Subject: nVIR and Appletalk (Mac)
We've found a few MAC's here with nVIR (both A and B), and we're
having some success in dealing with the infections using SAM. So far
the affected machines appear to be isolated cases, but I'm concerned
because most of our 100+ MAC's are networked with Appletalk. Can
anyone tell me whether nVIR can be spread over Appletalk? If so, under
what conditions is it spread, and what countermeasures can I take?
------------------------------
Date: Fri, 30 Jun 89 13:43:00 -0500
From: "Brian D. McMahon" <BRIAN@UC780>
Subject: VACATION Virus Reported on INFO-VAX List (VAX/VMS)
The following recently appeared on INFO-VAX; I have no further information.
Can anyone confirm/deny/elaborate?
>Date: 26 JUN 89 22:05:24.55-GMT
>From: INFOVAX@FRIPN51.BITNET
>To: INFO-VAX@KL.SRI.COM
>Subject: RE: automatic mail answering service : WARNING, MAY BE VIRUS
>
>TAKE CARE: the program VACATION (distributed on a mailing list) is a
>potential VIRUS for ALL the people registered on this list if used
>with no modifications. It will reply to the list, so to itself...and
>so on... And you will be on vacation, so you will not stop it quickly.
>Suppose just a few people of INFO-VAX use this program, and imagine
>the disaster, because it will also reply to all the mailings sent by
>all the running copies of this monstrosity.
>Surely it was not the will of the author of VACATION, but this
>program IS A VIRUS !
>
>Bernard PERROT
>Institut de Physique Nucleaire
>Orsay - France -
[Ed. It appears to me to be more a case of an infinite mail loop than
anything that could be called a virus. I frequently get messages on
VIRUS-L/comp.virus which are sent from a VACATION program (VMS or
Unix). Since VIRUS-L is moderated, however, I merely delete the
message. If the message goes out to the list, and the VACATION
program replies, you have an endless cycle. Use any VACATION program
very cautiously.]
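
An added example, not part of the digest: the checks an auto-responder can make so that it never answers list traffic, another robot, or the same sender twice. The `Precedence`, `List-Id` and `Auto-Submitted` headers are later mail conventions assumed here, and all addresses are made up.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

BULK = {"bulk", "list", "junk"}


def should_autoreply(raw, my_addr, already_told):
    """Return True only if answering cannot feed a list or another robot.

    already_told: set of senders who already received the notice.
    """
    me = my_addr.lower()
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender or sender == me:
        return False                  # never answer our own notice
    if msg.get("List-Id") or msg.get("Precedence", "").strip().lower() in BULK:
        return False                  # marked as list or bulk traffic
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False                  # written by another auto-responder
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if me not in {addr.lower() for _, addr in rcpts}:
        return False                  # reached us through a list or alias
    if sender in already_told:
        return False                  # one notice per sender is enough
    already_told.add(sender)
    return True


# Constructed messages (addresses are made up for the example).
ME = "away@site.example"
PERSONAL = "From: colleague@site.example\nTo: away@site.example\n\nLunch?\n"
LIST_MARKED = ("From: poster@site.example\nTo: info-vax@list.example\n"
               "Precedence: bulk\n\nVMS question\n")
LIST_UNMARKED = "From: poster@site.example\nTo: info-vax@list.example\n\nVMS question\n"
ROBOT = ("From: other@site.example\nTo: away@site.example\n"
         "Auto-Submitted: auto-replied\n\nI am on vacation too.\n")

if __name__ == "__main__":
    told = set()
    for name, raw in [("personal", PERSONAL), ("personal again", PERSONAL),
                      ("list, marked", LIST_MARKED), ("list, unmarked", LIST_UNMARKED),
                      ("robot", ROBOT)]:
        print(name, should_autoreply(raw, ME, told))
```

The unmarked list post is the case from the warning above: with no list headers to go by, only the "addressed to me personally" check stops the reply.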
------------------------------
Date: 30 Jun 89 00:00:00 +0000
From: Christoph Fischer <RY15@DKAUNI11.BITNET>
Subject: Update on boot virus in Germany (PC)
CONTINUOUS BOOT VIRUS UPDATE
Finally we received a copy of the virus that appeared at two places
in West-Germany.
1. Both Viruses are identical
2. It infects COM files
3. It is a direct virus (no TSR)
4. Its size is 648 bytes (like the DOS62 virus) (the first value we
announced was 50 bytes, the value phoned to us by the panicking owner
of the infected PC. We assumed part of the virus hiding out in
uninitialized DATA sections.)
5. It continuously boots over and over again
6. It overwrites the first 5 bytes with a JMP (3 Bytes) and
byte 4 with BAh and byte 5 with B8h.
7. The JMP points to the beginning of the virus which starts with
PUSH CX MOV DX,<comfilesize+648)
Maybe someone has encountered this apparently hacked version of
DOS62.
We'll present more after disassembly of the virus.
Have a nice weekend
Chris
*****************************************************************
* Torsten Boerstler and Christoph Fischer *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
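
An added example, not part of the digest or the Micro-BIT team's tooling: a scanner heuristic built only from the traits listed in the post above (3-byte JMP, BAh/B8h in bytes 4 and 5, entry code beginning PUSH CX / MOV DX, 648 bytes long). It assumes the bytes are counted from 1 and that the 648 bytes sit at the end of the file; the sample images are constructed filler.

```python
import struct

VIRUS_LEN = 648       # size reported in the post
JMP_NEAR = 0xE9       # x86 JMP rel16: opcode plus 2-byte displacement = 3 bytes
PUSH_CX = 0x51        # x86 opcode for PUSH CX
MOV_DX_IMM16 = 0xBA   # x86 opcode for MOV DX,imm16


def check_com(image):
    """Return which of the traits listed in the post a COM image shows."""
    hits = []
    if len(image) < 5:
        return hits
    # "byte 4" and "byte 5" counted from 1 are offsets 3 and 4 (assumption).
    if image[3] == 0xBA and image[4] == 0xB8:
        hits.append("bytes-4-5-are-BA-B8")
    if image[0] != JMP_NEAR:
        return hits
    hits.append("starts-with-jmp")
    # A near jump is relative to the instruction that follows it (offset 3).
    disp = struct.unpack_from("<H", image, 1)[0]
    target = (3 + disp) & 0xFFFF
    if target + 2 <= len(image):
        if image[target] == PUSH_CX and image[target + 1] == MOV_DX_IMM16:
            hits.append("entry-is-push-cx-mov-dx")
        # Assumption: the 648 bytes are appended, so the entry is len - 648.
        if target == len(image) - VIRUS_LEN:
            hits.append("jmp-lands-648-bytes-before-eof")
    return hits


def is_suspect(image):
    """All four traits together; any single one is common in clean files."""
    return len(check_com(image)) == 4


# Constructed samples. The tail is NOP filler, not virus code.
HOST = b"\x90" * 100
TAIL = bytes([PUSH_CX, MOV_DX_IMM16, 0x00, 0x00]) + b"\x90" * (VIRUS_LEN - 4)
LOOKALIKE = (bytes([JMP_NEAR]) + struct.pack("<H", 100 - 3) + b"\xBA\xB8"
             + HOST[5:] + TAIL)
CLEAN_JMP = b"\xE9\x05\x00" + b"data!" + b"\xB4\x4C\xCD\x21"
CLEAN_PLAIN = b"\xB4\x09\xBA\x0B\x01\xCD\x21\xC3hello$"

if __name__ == "__main__":
    for name, img in [("lookalike", LOOKALIKE), ("clean_jmp", CLEAN_JMP),
                      ("clean_plain", CLEAN_PLAIN)]:
        print(name, is_suspect(img), check_com(img))
```

Many clean COM files also begin with a JMP, which is why `CLEAN_JMP` matches one trait and is still not flagged.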
------------------------------
Date: Sat, 01 Jul 89 18:22:56 -0400
From: "Russell K. Davis" <rdavis@AI.MIT.EDU>
Subject: Re: New Virus - Fu Manchu?
This virus was found by Joe Hurst in the United Kingdom and he should
have finished disassembling it by now (but I have not spoken to him
for a while)
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253