VIRUS-L Digest Monday, 3 Jul 1989 Volume 2 : Issue 148
Today's Topics:
Re: Request for info on viruses (PC)
joe mcmahon - ancient macs
Re: Request for info on viruses (PC)
Trojan horse on CompuServe
ERIC NEWHOUSE where are you?
Re: CMS viruses (IBM CMS)
more on West German boot virus
----------------------------------------------------------------------
Date: 03 Jul 89 14:42:09 +0000
From: dinda@cat51.cs.wisc.edu (Peter Dinda)
Subject: Re: Request for info on viruses (PC)
(c)Brain also seems to randomly mark sectors bad - whether there is
anything in them or not. At UW-Madison's Academic Computing Center
(MACC), we've also noticed that a new version of the virus is making
its way into our labs - one that does not leave the (c)Brain warning
and thus cannot be detected by our NOBRAIN program. Has anyone seen
a detector that works by finding 'unique' code in the boot record?
Peter A. Dinda
(also dinda@WIRCS3.macc.wisc.edu)
------------------------------
Date: Mon, 03 Jul 89 15:37:38 -0000
From: LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: joe mcmahon - ancient macs
Dear Joe,
We are using System 3.2, Finder 5.3 (you see we really do have antiques!)
I think this is because of having to use version 3.1 of the laserwriter
to drive an equally ancient laserwriter. The machines have actually been
upgraded to 800k RAM and it may be that they can run on a more modern version
of the system which will handle Vaccine etc. Any help welcome.
Rgds,
Iain Noble
------------------------------
Date: Mon, 03 Jul 89 12:37:56 -0400
From: ugcantie@cs.Buffalo.EDU (Bruce Cantie)
Subject: Re: Request for info on viruses (PC)
We have had the same (c) Brain running around UB for some time now,
but have managed to kill it off. We have the source code (written in C) for
NOBRAIN, which will remove the bad sectors, and volume. We had picked up
the cure from another University, and put it in all of our micro sites.
Bruce Cantie --- ugcantie@sybil.cc.buffalo.edu
------------------------------
Date: Mon, 03 Jul 89 09:18:38 -0700
From: Steve Clancy <SLCLANCY@UCI.BITNET>
Subject: Trojan horse on CompuServe
I posted this message on the CompuServe Information Service today, and
thought I would share it with the other members of Virus-L. The text
of the message follows:
.
"I recently downloaded a file from library #2 of the SCIFI forum.
The file, called STARS3.EXE is a trojan horse. It has been
mentioned for at least a couple of years in a listing of known
trojan horses and viruses called "The Dirty Dozen." The
description (from DIRTY DOZEN VER. 8B) is included below:
*
*
STAR.EXE 3072 T Beware RBBS-PC SysOps! This file puts
some stars on the screen while copying
RBBS-PC.DEF to another name that can be
downloaded later!
*
After downloading this file, I checked it carefully using a
program called CHK4BOMB.EXE which, among other things, dumps the
program listing to the screen so that any ASCII threats, taunts,
etc. can be seen. I found the strings "RBBS-PC DEF" and
"RBBS-PC" in this program.
*
Now the security present in current versions of RBBS does not allow
any file with the extension "DEF" to be downloaded by users. In
addition, running this program DID NOT copy my RBBS-PC.EXE file
to RBBS-PC.DEF as explained above, however, there may be some
timing feature that I am not aware of.
*
In any event, I would highly suggest that you remove this file as
soon as possible! It is potentially a dangerous file that is
designed (though not very well!) to compromise the security of
anyone who runs the RBBS-PC bulletin board software.
*
Please don't hesitate to contact me if you have any further
questions.
*
Steve Clancy
714-856-7309, 71066,416"
.
.
% Steve Clancy, Biomedical Library % WELLSPRING RBBS %
% P.O. Box 19556 % 714-856-7996 300-9600 %
% University of California, Irvine % 714-856-5087 300-1200 %
% Irvine, CA 92713 % %
% SLCLANCY@UCI % "Are we having fun yet?" %
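The string check described in the post above, as an added example that is not part of the original message and is not CHK4BOMB's code: it extracts printable ASCII runs from a binary and flags references to a watched file name in both the dotted form and the space-padded 8+3 form that DOS File Control Blocks use, which is the layout the reported string "RBBS-PC DEF" is consistent with. The function names, the watchlist and the sample bytes are assumptions constructed for illustration.

```python
import re

def ascii_strings(data, min_len=4):
    """Yield (offset, text) for every run of printable ASCII >= min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")

def fcb_name(filename):
    """'RBBS-PC.DEF' -> 'RBBS-PC DEF': DOS FCB layout, 8+3, space padded, no dot."""
    base, _, ext = filename.upper().partition(".")
    return base[:8].ljust(8) + ext[:3].ljust(3)

def find_references(data, watchlist):
    """Return (file offset, watched name, matched form) for each reference found."""
    hits = []
    for offset, text in ascii_strings(data):
        upper = text.upper()
        for filename in watchlist:
            # A plain search for the dotted name misses the FCB form entirely.
            for form in (filename.upper(), fcb_name(filename)):
                pos = upper.find(form)
                if pos != -1:
                    hits.append((offset + pos, filename, form))
    return hits

# Constructed sample, not the real STARS3.EXE: a few code bytes, an embedded
# FCB-style name, and a '$'-terminated display string.
SAMPLE = (bytes.fromhex("b409ba1001cd21") + b"RBBS-PC DEF\x00"
          + b"\x00\x01" + b"* * * *$" + b"\xcd\x20")

WATCHLIST = ["RBBS-PC.DEF"]  # hypothetical watchlist; the file name is from the post

if __name__ == "__main__":
    for offset, name, form in find_references(SAMPLE, WATCHLIST):
        print(f"0x{offset:04x}: reference to {name} (stored as {form!r})")
```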
------------------------------
Date: Mon, 03 Jul 89 09:57:46 -0700
From: Steve Clancy <SLCLANCY@UCI.BITNET>
Subject: ERIC NEWHOUSE where are you?
Well, it seems that Eric Newhouse, author of the famous "Dirty Dozen"
has dropped out of sight again. I recently attempted to call his
bulletin board system, but found that it was no longer his BBS. The
Dirty Dozen is a great list of known trojan horses for the PC, and I
would like to keep getting the updates. If anyone knows what his new
number is, please let me know.
Thanks.
% Steve Clancy, Biomedical Library % WELLSPRING RBBS %
% P.O. Box 19556 % 714-856-7996 300-9600 %
% University of California, Irvine % 714-856-5087 300-1200 %
% Irvine, CA 92713 % %
% SLCLANCY@UCI % "Are we having fun yet?" %
------------------------------
Date: Mon, 03 Jul 89 13:08:54 -0400
From: Ed Nilges <EGNILGES@PUCC.BITNET>
Subject: Re: CMS viruses (IBM CMS)
>>in Communications Monitoring System (CMS) version 4 for IBM's MVS
>>operating system where a dangerous virus could be introduced by simply
>>programming 16 lines of code.
That's Conversational Monitor System (formerly Cambridge Monitor System),
and it is independent of, not "for", MVS. To my knowledge, ALL viruses
on this system require some human action (to pull files in from the
"virtual reader" user input queue). Although certain idiotic viruses
(the CHRISTMA virus being the most notable) have affected CMS, it is
not as subject to damage as is unix, where files are transmitted
directly to the user's file space, rather than an independent queue.
------------------------------
Date: 03 Jul 89 00:00:00 +0000
From: Christoph Fischer <RY15@DKAUNI11.BITNET>
Subject: more on West German boot virus
DURING THE WEEKEND WE DISASSEMBLED THE VIRUS AND SOLVED THE
MYSTERY ABOUT THE CONTINUOUS BOOTING:
AT BOTH LOCATIONS WE WERE CALLED TO, THE VIRUS HAD PATCHED
A JUMP TO THE BIOS WARMBOOT ROUTINE INTO THE COMMAND.COM
WHICH WILL YIELD AN ENDLESS BOOTING PROCESS SINCE WHEN THE SYSTEM
COMES UP THE FIRST THING IT DOES IS START COMMAND.COM.
THE VIRUS PATCHES ITSELF INTO A PROGRAM IF ANY OF THE LOW-ORDER BITS
OF SYSTEM TIME (SECONDS) ARE NONZERO. IF ALL ARE ZERO IT PATCHES THIS
FAR JUMP TO THE BIOS INTO THE PROGRAM. SO OUR CASE HAPPENS ONLY IN
ONE OUT OF EIGHT CASES. FOR TWO LOCATIONS THIS MAKES 1 IN 64 CASES. :-)
THE CODE OF THE VIRUS SEEMS TO BE IDENTICAL TO WHAT IS DESCRIBED AS
DOS62 OR VIENNA. SINCE WE DO NOT HAVE EITHER OF THE ORIGINAL VIRUSES
WE CANNOT TELL FOR SURE WHETHER IT IS AN ORIGINAL OR A MUTANT.
ANYHOW THE CODE SEEMS TO BE SOMEWHAT AWKWARD IN SOME PLACES,
WHICH COULD BE A SIGN OF A PATCHED VERSION.
BYE
CHRIS & TOBI
*****************************************************************
* Torsten Boerstler and Christoph Fischer *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
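A check for the damage described in the report above, as an added example that is not part of the original message: it flags program images that begin with a far jump resolving to the PC reset entry point. It assumes the "BIOS warmboot routine" is the entry at physical address FFFF0h and that the jump sits at the first byte of the file; the report states neither. Function names and sample images are constructed for illustration.

```python
import struct

RESET_LINEAR = 0xFFFF0  # PC reset entry; reachable as F000:FFF0 or FFFF:0000

def far_jump_target(image):
    """Return (segment, offset) if image starts with JMP FAR ptr16:16, else None."""
    if len(image) < 5 or image[0] != 0xEA:   # 0xEA = direct far jump opcode
        return None
    offset, segment = struct.unpack_from("<HH", image, 1)  # offset first, then segment
    return segment, offset

def linear_address(segment, offset):
    """Real-mode address translation with 20-bit wrap-around."""
    return ((segment << 4) + offset) & 0xFFFFF

def starts_with_reboot_jump(image):
    """True when the first instruction transfers control to the reset entry."""
    target = far_jump_target(image)
    return target is not None and linear_address(*target) == RESET_LINEAR

def scan(images):
    """Return the sorted names of all images that would reboot the machine on start."""
    return sorted(name for name, data in images.items()
                  if starts_with_reboot_jump(data))

# Constructed images (not real files): two encodings of the same reset target,
# an ordinary near jump, and a far jump to an unrelated address.
IMAGES = {
    "PATCHED1.COM": bytes.fromhex("eaf0ff00f0") + b"\x90" * 16,
    "PATCHED2.COM": bytes.fromhex("ea0000ffff") + b"\x90" * 16,
    "NORMAL.COM":   bytes.fromhex("e9fd00") + b"\x90" * 16,
    "FARJMP.COM":   bytes.fromhex("ea00013412") + b"\x90" * 16,
}

if __name__ == "__main__":
    for name in scan(IMAGES):
        print(f"{name}: first instruction jumps to the reset entry (FFFF0h)")
```

Comparing the resolved linear address rather than the raw five bytes catches every segment:offset pair that aliases the same entry point.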
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253