VIRUS-L Digest Wednesday, 12 Jul 1989 Volume 2 : Issue 149
Today's Topics:
VIRUS-L has been down, sorry
VIRUSCAN Availability (PC)
Re: nVIR and AppleTalk (Mac)
Re: ancient macs
Re: Other Mac viruses
VIRUSCAN.ARC (PC)
vaccine & ancient macs
Virus Plea #2
Re: Anyone heard of this new virus ?? (PC? No system given)
Re:nVIR and Appletalk (Mac)
Re: Request for info on viruses (PC)
viruscan placed on system for anonymous FTP access
Another strain of Lamer Exterminator on amiga.
RE: VACATION Virus Reported on INFO-VAX List (VAX/VMS)
Loren Keim and Proceedings
----------------------------------------------------------------------
Date: Wed, 12 Jul 89 14:00:00
From: krvw@SEI.CMU.EDU
Subject: VIRUS-L has been down, sorry
Sorry for the downtime, folks, but we experienced a water main
breakage here last week which knocked out our air conditioning (hence,
our computers) until today. Hopefully things will slowly return to
normal around here now.
Ken
------------------------------
Date: Mon, 03 Jul 89 18:20:06 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: VIRUSCAN Availability (PC)
Hi everyone. I posted a note last week about the availability of
VIRUSCAN on HomeBase and we have been literally swamped ever since
with requests for information and downloads. Unfortunately, HomeBase
is a small-town country-atmosphere BBS with a single data line and we
cannot support the volume of requests that we've had. Also, I am a
neophyte at using Usenet and Unix and cannot navigate well enough to
even upload or download data. If there is some kind and generous user
of Virus-L that could get a copy off of HomeBase and somehow make it
available through SIMTEL (whatever that is) or some other medium, we
would be eternally grateful. As for the rest of you, I would like to
ask that you not call HomeBase for the file, but have patience and
wait for it to be made available some other way. Thanks, and the
regular users of HomeBase (who are currently up in arms 'cause they
can't get on) thank you too. Alan Roberts
HomeBase - 408 988 4004
------------------------------
Date: Tue, 04 Jul 89 15:36:00 -0400
From: "Mark H. Anbinder" <THCY@VAX5.CCS.CORNELL.EDU>
Subject: Re: nVIR and AppleTalk (Mac)
Any Macintosh virus that spreads when an infected program is executed
can be spread over AppleTalk networks, IF you are using file sharing
or file server software such as AppleShare or TOPS. If you execute a
program on a remote computer that happens to be infected, the System
software on your local computer can be infected. From there, you will
infect any other program you use.
nVIR is particularly effective at spreading from program to program in
this way, so be sure that any shared software, or anything on a shared
file server volume, is clean.
As evidence: my hard drive was heavily infected with nVIR when someone
else on my network (I'm running TOPS) asked to try out the software on
my drive. He executed a couple dozen programs... shortly after having
played an nVIR-infected game on his own computer. The disk containing
the nVIR virus was never physically even NEAR my computer.
Mark H. Anbinder
------------------------------
Date: Tue, 04 Jul 89 15:41:00 -0400
From: "Mark H. Anbinder" <THCY@VAX5.CCS.CORNELL.EDU>
Subject: Re: ancient macs
Chances are your computers were not just upgraded to 800K RAM; there is
no such configuration for any Macintosh. The DISK DRIVES might now be
800K disk drives (allowing you to use double-sided disks) rather than
400K drives. What matters for your purposes is whether you have 512K of
RAM or 1Mb. Or, of course, 128K, if your Macs are REALLY ancient. The
way to determine this is to boot your computers with any startup disk,
then, while in the desktop, choose About the Finder from the Apple menu.
There should be a notation in the resulting window telling you how much
memory your computer has.
Vaccine is fully compatible with any System whose Control Panel desk
accessory lets you choose between multiple Control Panel Devices (cdevs)
such as "General," "Monitors," "Mouse," etc. The best way to determine
whether your computers can run such a version of the System software is
to try startup disks with various System/Finder combinations. See your
dealer for assistance.
Mark H. Anbinder
------------------------------
Date: 03 Jul 89 22:09:10 +0200
From: <macman@ethz.uucp>
Subject: Re: Other Mac viruses
>From macman Mon Jul 3 22:09:02 MET 1989 remote from ethz
>Newsgroups: comp.virus
>Organization: ETH Zuerich, Switzerland
There are quite a few other viruses on the loose: Several new strains
of nVIR (named Hpat, AIDS, etc), with mainly the same infection code.
Some are more harmful, some are less. Then, INIT 29, which is extremely
virulent (active), but doesn't destroy anything. ANTI, which cannot be
detected by ResEdit or older virus detection programs. This one is
fairly widespread in Europe, but not much in the USA (the opposite
is with Scores). Prevention methods, besides fair computer hygiene
(i.e. being careful when swapping disks with someone else) I urgently
recommend the *regular* use of a virus detector such as Disinfectant
or VirusDetective (commercial products like sam or virex do the same
job, but cost). By regular, I mean on every new disk/program you
receive, even if it was a sealed original, *plus* once a week on your
hard disk.
- -- Danny Schwendener
MASH Virus Group
+-----------------------------------------------------------------------+
| Mail : Danny Schwendener, ETH Macintosh Support |
| Swiss Federal Institute of Technology, CH-8092 Zuerich |
| Bitnet : macman@czheth5a UUCP : {cernvax,mcvax}ethz!macman |
| Internet: macman@ifi.ethz.ch Voice : yodel three times |
+-----------------------------------------------------------------------+
------------------------------
Date: Wed, 05 Jul 89 09:47:07 -0700
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: VIRUSCAN.ARC (PC)
hi, i recently downloaded the file above from SIMTEL20.
It contains a .EXE program called SCAN which i have run on
Z-248 hard disk PC several times so far.
When it completes the run it gives a message which sez the hard disk is
"clean" That none of the 19 viruses were found on the disk.
Does anyone know of a user that actually "found" any viruses when using
this SCAN.EXE program?
REgards, RollO~~
------------------------------
Date: Thu, 06 Jul 89 10:18:27 -0000
From: LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: vaccine & ancient macs
Dear Joe,
Thanks for the latest message and your patient help. I've tried System 4.1
and Finder 6.0 on the Macs but I keep getting the "bomb" and ID=12. Methinks
the upgrade wasn't as total as I imagined?
However the cutting and pasting of vaccine as suggested seems to have
worked (at least the vaccine icon appears when I boot up.) I haven't
tested it with an infected disk yet. I'll let you know what happens.
Rgds,
Iain Noble
------------------------------
Date: Wed, 05 Jul 89 22:12:00 -0400
From: "I've been sold....." <WLHADLEY@GMUVAX.BITNET>
Subject: Virus Plea #2
VIRUS-PLEA 2/4
Hello, my name is Bill Hadley. I would like to ask a favor of the
readers of VIRUS-L. I am doing research (which will hopefully become
a book) on computer viruses and computer security. What I would like
you to do, is to write me a letter if you have ever had an experience
with a virus or trojan horse program. What I would ask that you
include in your letter is:
Name of the Virus or Trojan Horse.
What computer and operating system does
this virus/trojan horse exist on.
What did the virus/trojan horse do.
How did you deal with it.
Where did this happen (ie. George Mason
University in Fairfax, Virginia...or
company name..whatever..).
What is your name (if you don't mind if I
put it in a section of names in the back
of my book).
If you would please answer these questions and send them directly to
me, WLHADLEY@GMUVAX.GMU.EDU (not VIRUS-L), I would greatly appreciate
it. This will assist me on trying to track what viruses have spread
and how. If you have had problems with more than one of these evil
programs, then answer these questions for each virus/trojan in your
letter (even the Internet Worm which struck last November). If more
than one person writes me from one node with the same information,
that is okay...it will help me in the verification of virus reports.
Please only answer this message once. I will try to post it once a
month for the next three or four months to try to catch new readers.
I realize that I will receive a lot of mail, I have already tried to
make room for that. I thank you in advance for your assistance. I
will post to the list any thing I find of urgent importance to the
readers of VIRUS-L.
Again, thank you for your time.
Bill Hadley
WLHADLEY@GMUVAX.GMU.EDU
WLHADLEY@GMUVAX2.GMU.EDU
------------------------------
Date: 06 Jul 89 14:46:17 +0000
From: wasatch.utah.edu!c-msmith%ug.utah.edu@cs.utexas.edu (Matt Smith)
Subject: Re: Anyone heard of this new virus ?? (PC? No system given)
>Yesterday and today articles about a new virus appeared in an Israeli
>paper (Maariv). It seems that the virus (some sort of a TSR maybe ?)
>is planting typos (i.e typing mistakes) when printing to the printer.
I've also heard of a virus that randomly scans the screen and looks
for 4 consecutive numbers in a row (like 1234), and then proceeds to
rearrange them in a different fashion.
That would certainly wreak havoc in a spreadsheet program.
Matt Smith
c-msmith@ug.utah.edu
------------------------------
Date: Wed, 05 Jul 89 09:41:33 -0400
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Re: nVIR and AppleTalk (Mac)
E. C. Greer <RS0XEG@ROHVM1.BITNET> asks:
>Subject: nVIR and Appletalk (Mac)
>
>We've found a few MAC's here with nVIR (both A and B), and we're
>having some success in dealing with the infections using SAM. So far
>the affected machines appear to be isolated cases, but I'm concerned
>because most of our 100+ MAC's are networked with Appletalk. Can
>anyone tell me whether nVIR can be spread over Appletalk? If so, under
>what conditions is it spread, and what countermeasures can I take?
nVIR can transmit to a new machine in two ways:
1) The user runs an infected program on the machine, which installs
the virus in the System file. After the "incubation period", the
infected System file begins to spread the virus to applications
run on the machine.
2) The user boots an infected System of his or her own and then runs
applications which reside on the machine. This can infect
applications even if the "normal" folder on the machine contains a
virus blocker like Vaccine.
If your AppleTalk network only is used for mail or access to
LaserWriters, you shouldn't have a problem. If you have AppleShare
servers, make sure the servers are protected. You may have to disinfect
the odd machine here and there, but the servers should be safe.
--- Joe M.
------------------------------
Date: 05 Jul 89 00:00:00 +0000
From: MIROWSKI@FRECP12.BITNET
Subject: Re: Request for info on viruses (PC)
Responding to a "Request for info on viruses (PC)", Reynolds Cafferata says
"be sure to write a booting sector to boot disks and non-booting to non-
booting disks".
There is no need to care about this because all boot sectors are identical
for a given DOS version. FORMAT A:/S and FORMAT A: produce the same boot
sector. So you can write the same boot sector to all disks. You should only
verify that what you write to the disk is really a DOS sector and not a
sector produced by PCFormat or other software. Depending on whether you ask
for a booting or a non-booting disk, PCFormat will copy the DOS boot sector
or a sector of its own (that only displays a message without trying to search
for DOS files further on the disk) when you format one.
It's rarely necessary to care about the distinction between 360 Ko and
1.2 Mo disks, because the information about the format is in the second
sector of the disk (the first FAT sector) and DOS will take this second
information in consideration. You will probably prefer to copy a 360 Ko
boot sector to a 360 Ko disk and a 1.2 Mo boot sector to a 1.2 disk.
The manipulation is very simple. You need only DEBUG:
You start DEBUG
    C:+> DEBUG
You put a non-infected, FORMAT formatted disk in A:, close the door and type
    -l 0 0 0 1
You replace it by the disk you want to disinfect and type
    -w 0 0 0 1
That's all! You can repeat the last line for all the disks you need.
When you replace the boot sector on a booting disk, you should do it with
a boot sector from the same DOS version. On a DOS disk you can also replace
the boot sector doing SYS on it. It doesn't work on non-bootable disks.
Adam MIROWSKI
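
The post above says to verify that the sector being copied is really a DOS boot sector before writing it. The following is an added example, not part of the original post: it runs structural checks on a 512-byte sector image and lists the bytes that differ from a known-clean reference. The checks are this example's own heuristics for a DOS 2.0-or-later FAT12 floppy boot sector, and all three sector images are constructed sample data.

```python
import struct

SECTOR = 512
BPB = struct.Struct("<HBHBHHBH")   # BIOS parameter block fields at offset 11

def make_sector(oem=b"IBM  3.3", spc=2, root=112, total=720, media=0xFD, spf=2):
    """Constructed 360K-style boot sector (sample data, not a real disk dump)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x34\x90"               # short jump over the BPB, then NOP
    s[3:11] = oem                          # 8-byte OEM name
    BPB.pack_into(s, 11, 512, spc, 1, 2, root, total, media, spf)
    s[510:512] = b"\x55\xAA"               # boot signature
    return bytes(s)

def check_boot_sector(sector):
    """Return reasons the sector does not look like a DOS boot sector ([] = plausible)."""
    if len(sector) != SECTOR:
        return ["not exactly 512 bytes"]
    problems = []
    if not (sector[0] == 0xE9 or (sector[0] == 0xEB and sector[2] == 0x90)):
        problems.append("no jump instruction at offset 0")
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 55 AA signature")
    bps, spc, reserved, fats, root, total, media, spf = BPB.unpack_from(sector, 11)
    if bps != 512:
        problems.append("bytes per sector is not 512")
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster is not a power of two")
    if fats not in (1, 2) or reserved == 0 or spf == 0:
        problems.append("implausible FAT layout")
    if media != 0xF0 and media < 0xF8:
        problems.append("invalid media descriptor")
    return problems

def changed_offsets(reference, candidate):
    """Byte offsets where candidate differs from the known-clean reference."""
    return [i for i, (a, b) in enumerate(zip(reference, candidate)) if a != b]

# Constructed inputs: a clean 360K sector, a clean 1.2M sector, and a
# message-only sector standing in for one written by a non-DOS formatter.
CLEAN_360 = make_sector()
CLEAN_12M = make_sector(spc=1, root=224, total=2400, media=0xF9, spf=7)
MESSAGE_ONLY = b"Not a system disk".ljust(510, b"\x00") + b"\x55\xAA"

if __name__ == "__main__":
    for name, img in [("360K", CLEAN_360), ("1.2M", CLEAN_12M), ("message", MESSAGE_ONLY)]:
        print(name, check_boot_sector(img) or "looks like a DOS boot sector")
    print("360K vs 1.2M differ at", changed_offsets(CLEAN_360, CLEAN_12M))
```

A sector that passes these checks is only structurally plausible; comparing it byte for byte against a sector read from a write-protected original DOS disk of the same version is the stronger test.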
------------------------------
Date: Thu, 06 Jul 89 09:14:00 -0400
From: "Gerry Santoro - CAC-PSU 814-863-4356" <GMS%PSUVM.BITNET@VMA.CC.CMU.EDU>
Subject: viruscan placed on system for anonymous FTP access
I dialed into the Homebase system and downloaded a copy of VIRUSCAN.ARC.
I then placed it on my NeXT system to make it available for anonymous FTP.
The system name is SNAFU.PSU.EDU and the file is in binary. Anyone
experiencing problems trying to get to it should send me mail at
GMS@PSUVM.PSU.EDU.
Since SNAFU is a test/development system I can't guarantee that it will
always be available. I just wanted to facilitate getting this program
out to people.
- -----------------------------------------------------------------------------
gerry santoro, ph.d. *** STANDARD DISCLAIMER ***
center for academic computing This posting is intended to
penn state university | represent my personal opinions.
gms @ psuvm.psu.edu -(*)- It is not representative of the
gms @ psuvm.bitnet | thoughts or policies of anyone
..!psuvax1!psuvm.bitnet!gms else here or of the organization.
- -----------------------------------------------------------------------------
------------------------------
Date: 10 Jul 89 07:14:24 +0000
From: rivm!ccemdd@uunet.UU.NET (Marco Dedecker)
Subject: Another strain of Lamer Exterminator on amiga.
Here is a warning to all amiga users, who completely rely on the
current available viruskillers.
The virus called 'Lamer Exterminator' has more than one strain.
At least one of the strains will be recognized by virusX 3.2, but I
came across another strain that wasn't recognized by it.
And so far I haven't found a program that noticed the virus when it
was in memory. The guardian only sees it when you execute the
bootblock within the guardian, but it can't kill the virus although
it said it did kill it.
The virus uses the KickTagPtr to stay resident and it manipulates
the exec call DoIO, to make it reactivate after you have done some kind
of IO.
Marco Dedecker.
------------------------------
Date: 07 Jul 89 13:32:48 +0000
From: ZDEE699@ELM.CC.KCL.AC.UK
Subject: RE: VACATION Virus Reported on INFO-VAX List (VAX/VMS)
In VIRUS-L Digest, Monday, 3 Jul 1989, Volume 2 : Issue 147,
Brian D. McMahon <BRIAN@UC780> writes:
>The following recently appeared on INFO-VAX; [...]
>
>>Date: 26 JUN 89 22:05:24.55-GMT
>>From: INFOVAX@FRIPN51.BITNET
>>To: INFO-VAX@KL.SRI.COM
>>Subject: RE: automatic mail answering service : WARNING, MAY BE VIRUS
>>
>>TAKE CARE: the program VACATION (distributed on a mailing list) is a
>>potential VIRUS for ALL the people registered on this list if used
>>with no modifications. It will reply to the list, so to itself...and
>>so on... And you will be on vacation, so you will not stop it quickly.
[...]
>>
>>Bernard PERROT
>>Institut de Physique Nucleaire
>>Orsay - France -
The moderator of VIRUS-L, Kenneth van Wyk answers:
>[Ed. It appears to me to be more a case of an infinite mail loop than
>anything that could be called a virus. [...]
[...]
> If the message goes out to the list, and the VACATION
>program replies, you have an endless cycle.
As Ken van Wyk said, this is a case of infinite mail loop. There is
probably nothing wrong with the VACATION program, and the remedy lies in the
list moderator/management's side.
To avoid this problem of infinite mail loop when VACATION is run, or
a gateway is shutdown, many fileservers use a different address to receive
commands and to send information. So if the data is returned to the sender
(in this case the listserver), it ends-up in a different account and is NOT
sent back again.
Examples:
send commands to: <NISTLIB@GOV.NIST.NCSL.CMR> and the server answers
with id: <NISTLIBD@GOV.NIST.NCSL.CMR>
so if the data "bounces back", it is returned to the id NISTLIBD where it is
not processed again, and dies there.
send articles to: <uk-virus-l@uk.ac.hw.cs> and the distribution is
with id: <uk-virus-l-request@uk.ac.hw.cs>
etc. etc.
The point is that for some reason (can you explain, Ken ?) bitnet
listservers use the same ID to send and receive mail. Before VIRUS-L
was moderated, messages bouncing back from gateways were redistributed
again since the return path for bounced messages was the sender:
<VIRUS-L@LEHIIBM1.BITNET> Now, I believe that most of the time, the
messages are sent by the moderator, to the postmaster of the remote
site, who sorts-out the problem with the user on the remote computer.
But few lists are moderated, and perhaps it could be time to think
about a way to stop these loops which I agree are very irritating to
other users.
Olivier Crepin-Leblond
Computer systems & Electronics, Dept. of Elec. Engineering,
King's College London, England
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond | - If no-one can do it |
|JANET : <zdee699@uk.ac.kcl.cc.elm> | then do it yourself |
|BITNET : <zdee699%elm.cc.kcl.ac.uk@ukacrl> | - If you can't do it, |
|INTERNET: <zdee699%elm.cc.kcl.ac.uk@uk.ac.nsfnet-relay>| then P A N I C ! ! |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
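
The loop described in the message above, and the separate-address remedy it proposes, can be modelled in a few lines. This is an added example, not part of the original post: the addresses are constructed, the auto-responder is a stand-in for a VACATION-style program that replies to the apparent sender, and the cap exists only to stop the simulation.

```python
from collections import deque

LIST = "list@example.org"              # constructed: address that redistributes
REQUEST = "list-request@example.org"   # constructed: outgoing ID, never processed

def simulate(sender_id, subscribers, autoresponders, cap=20):
    """Post one message to LIST; return (redistributions, dead_letters, looped).

    sender_id is the address the list puts on outgoing copies, which is
    where auto-replies and bounces come back to.
    """
    queue = deque([("alice@example.org", LIST)])    # (from, to) pairs
    redistributions = dead_letters = 0
    while queue and redistributions < cap:
        frm, to = queue.popleft()
        if to == LIST:
            # Anything arriving at the list address goes out to everyone.
            redistributions += 1
            queue.extend((sender_id, sub) for sub in subscribers)
        elif to in autoresponders:
            # The auto-reply is addressed to whoever the copy came from.
            queue.append((to, frm))
        elif to == sender_id:
            # Separate outgoing ID: the reply arrives here and dies.
            dead_letters += 1
    return redistributions, dead_letters, redistributions >= cap

SUBSCRIBERS = ["bob@example.org", "carol@example.org"]
ON_VACATION = {"bob@example.org"}

if __name__ == "__main__":
    print("same ID for send and receive:", simulate(LIST, SUBSCRIBERS, ON_VACATION))
    print("separate outgoing ID:        ", simulate(REQUEST, SUBSCRIBERS, ON_VACATION))
```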
------------------------------
Date: 07 Jul 89 00:00:00 +0000
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: Loren Keim and Proceedings
Does anyone have current contact info for Loren Keim (or does he
still follow this list)? I have one or two people here who
are waiting for copies of the Proceedings of the conference that
he put together the other year. Anyone know the status? DC
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253