VIRUS-L Digest Thursday, 20 Jul 1989 Volume 2 : Issue 155
Today's Topics:
Is this a Macintosh Virus?
VIRUSCAN program (PC)
Re: virus interviews
Re: CMS viruses (IBM CMS)
More on VIRUSCAN (PC)
VACATION & VALERT-L (was Re: VACATION Virus)
(Possibly) a new COMMAND.COM virus (PC)
Leisure Suit Larry .... (PC)
---------------------------------------------------------------------------
Date: Wed, 19 Jul 89 08:41:00 -0500
From: <DQB@ORNLSTC.BITNET>
Subject: Is this a Macintosh Virus?
Has anyone ever encountered a virus that changes the normal "watch"
cursor to a cockroach? This happened several times within ResEdit,
but disappeared after ResEdit was exited and could not be repeated.
The disk has been inspected with Disinfectant and SAM. No viruses
were found. I also checked for unknown INIT resources in the system
folder. The same system was recently infected by nVIR. Disinfectant
was used to eradicate it.
Any words of wisdom?
------------------------------
Date: Wed, 19 Jul 89 10:09:53 -0700
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: VIRUSCAN program (PC)
For those who are interested in such things:
a. The VIRUSCAN software now called SCANV26 is available for
downloading from SIMTEL20 as SCANV26.ARC.1, same directory as before.
b. I ran the scanv26 (scan 0.3V27) program on a DOS V2.11 PC and it
scanned multiple (7) diskettes on Drives A: & B: with no problems.
This program correctly identified the number of directories/sub-directories
and files contained on each separate disk.
NOTE: I understand that as of yesterday, Version29 is now available
from the HOMBASE BBS.
REgards, RollO~~
------------------------------
Date: Wed, 19 Jul 89 12:03:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: virus interviews
> A Mr. Atsushi Tanaka is visiting me today from Japan, interviewing me for
> Nikkei Computer Magazine. He will be in the San Francisco area July 11 &
> July 13, and wishes to meet with people involved in anti-virus and computer
> security activities on a wide variety of machines from Micros to Mainframes.
>
> If anyone is interested and can spend some time doing an interview, please
> send me mail at the below address, including phone number, and I'll pass
> the information on to Tanaka-san.
Unfortunately I was out of town!!!grin!! but for future reference John
McAfee locally here in Santa Clara is probably the best one to talk
to... a lot of the local antiviral people dump all their data on
him... reach him at Interpath Corp at 408-988-3832
cheers
kelly
------------------------------
Date: Wed, 19 Jul 89 12:25:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: CMS viruses (IBM CMS)
> >>in Communications Monitoring System (CMS) version 4 for IBM's MVS
> >>operating system where a dangerous virus could be introduced by simply
> >>programming 16 lines of code.
>
> That's Conversational Monitor System (formerly Cambridge Monitor System),
> and it is independent of, not "for", MVS. To my knowledge, ALL viruses
> on this system require some human action (to pull files in from the
> "virtual reader" user input queue). Although certain idiotic viruses
> (the CHRISTMA virus being the most notable) have affected CMS, it is
> not as subject to damage as is unix, where files are transmitted
> directly to the user's file space, rather than an independent queue.
sorry guys I hate to dispel your fantasies on both of you but rumours
are getting rife as of late and it's time to quench some of them:
1. CMS is also known as VM/CMS it's the equivalent of a complete OS in
its own virtual machine...
2. neither MVS nor VM could be infected by 16 bytes of code in a non-
obtrusive manner... an overwriting virus possibly...!! however these
are both large expensive mainframe SCP (system control programs) note I
didn't include CMS in this he is a user interface!! but they most
definitely can be infected!!!!!!
3. given the richness of the 2 above environments and both of them
predate any other System control programs currently used now... no
human intervention is necessary for an infection mechanism to
accomplish its designed task!!!!
4. to achieve point 3 above... one must be what is known in IBM
Parlance as a SYSPROG not just a technical support specialist... in
other words it most likely is not going to be the local 14 year old
Sunnyvale hacker!!!(that would implement this code)
cheers
kelly
------------------------------
Date: Wed, 19 Jul 89 21:51:10 -0000
From: A.SIGFUSSON@ABERDEEN.AC.UK
Subject: More on VIRUSCAN (PC)
After my first comments on VIRUSCAN I have had some replies from other
people and this program seems to work in different ways on different
machines. I have used it on a COMMODORE PC 10 II and an AMSTRAD 1640, both
using MSDOS 3.2 and in both cases when doing a multiple scan of diskettes
the program thinks it is scanning the same diskette. I have tried this
both on drive A: and B: and this makes no difference. Rollo D. Rogers
has tried this on different types of machines and had no difficulties if
the scan was done on the B: drive using DOS 3.2 (I think) but if scanned
on drive A: the scan is not done properly.
As I pointed out this can be avoided by doing something different like DIR
or as Rollo D. Rogers suggested by hitting *C before each disk. There is
a new version of VIRUSCAN out now and since I do not have a copy I don't know
if this has been fixed but I would be interested to know or if someone could
mail me a copy.
Best regards,
Arnor Sigfusson (A.SIGFUSSON@UK.AC.ABERDEEN)
------------------------------
Date: 19 Jul 89 22:14:27 +0000
From: bucsb!ckd@husc6.harvard.edu (Christopher Davis)
Subject: VACATION & VALERT-L (was Re: VACATION Virus)
In article <> VIRUS-L@IBM1.CC.Lehigh.EDU writes:
- - [Description of Vacation "virus" deleted]
- -
- - [Ed. It appears to me to be more a case of an infinite mail loop than
- - anything that could be called a virus. I frequently get messages on
- - VIRUS-L/comp.virus which are sent from a VACATION program (VMS or
- - Unix). Since VIRUS-L is moderated, however, I merely delete the
- - message. If the message goes out to the list, and the VACATION
- - program replies, you have an endless cycle. Use any VACATION program
- - very cautiously.]
All the vacation programs I've ever seen only send one reply to any
address; this is to prevent mail loops such as the one that we saw on
VALERT-L not too long ago.
[For those not on the list, what happened is that a VACATION program
sent one--count 'em, one--reply to the list (a reply to a mis-sent
subscription request, at that!). Then, some JANET site started
bouncing mail back due to a full disk at one site--but was bouncing it
to THE LIST ADDRESS. Needless to say, the resulting mail loop was
rather horrendous, especially since the messages got bigger each time. --ckd]
- --
/\ | / |\ @bu-pub.bu.edu <preferred> | Christopher K. Davis, BU SMG '90
/ |/ | \ %bu-pub.bu.edu@bu-it.bu.edu | uses standardDisclaimer;
\ |\ | / <for stupid sendmails> | BITNET: smghy6c@buacca
\/ | \ |/ @bucsb.UUCP <last resort> or ...!bu-cs!bucsb!ckd if you gotta.
--"Ignore the man behind the curtain and the address in the header." --ckd--
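
[Added example, not part of the digest or of any poster's message: a minimal Python sketch of the once-per-address rule described above, together with header checks that keep auto-replies away from lists and bounce senders. The header checks are assumptions modelled on common auto-responder practice; all addresses and messages are constructed.]

```python
import email
from email.utils import parseaddr, getaddresses

# Constructed sample messages (not taken from the digest).
DIRECT = "From: alice@example.org\nTo: ckd@example.edu\nSubject: lunch\n\nhi\n"
LISTED = ("From: bob@example.org\nTo: some-list@example.net\n"
          "Precedence: bulk\nSubject: list post\n\nbody\n")
LIST_NO_PREC = "From: carol@example.org\nTo: some-list@example.net\n\nbody\n"
BOUNCE = ("From: MAILER-DAEMON@example.ac.uk\nTo: ckd@example.edu\n"
          "Subject: Returned mail\n\ndisk full\n")


class VacationResponder:
    """Decides whether an auto-reply is safe to send (hypothetical class)."""

    def __init__(self, owner):
        self.owner = owner.lower()
        self.replied = set()  # addresses that already received one reply

    def should_reply(self, raw_message):
        msg = email.message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return False
        local = sender.split("@")[0]
        # Never answer bounce generators or list robots: their replies
        # are what turn a single auto-reply into a loop.
        if local in ("mailer-daemon", "postmaster") or local.endswith("-request"):
            return False
        if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
            return False
        # Only answer mail addressed to the owner directly, not list traffic.
        recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
        if self.owner not in {addr.lower() for _, addr in getaddresses(recipients)}:
            return False
        # The once-per-address rule: one reply, then silence.
        if sender in self.replied:
            return False
        self.replied.add(sender)
        return True


def decisions():
    r = VacationResponder("ckd@example.edu")
    return [r.should_reply(m)
            for m in (DIRECT, DIRECT, LISTED, LIST_NO_PREC, BOUNCE)]
```

The once-per-address cache alone does not cover the incident described: the looping mail there came from a bouncing site sending to the list address, which is why the sender and recipient checks come first.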
------------------------------
Date: Wed, 19 Jul 89 23:11:29 +0000
From: Fridrik Skulason <frisk@RHI.HI.IS>
Subject: (Possibly) a new COMMAND.COM virus (PC)
Yesterday I went to check out a reported virus infection in a large
company here.
The main symptom was that COMMAND.COM would grow by approx. 400 bytes,
when it was infected. The virus was a bit similar to the original
"Jerusalem" virus in one respect - it was unable to recognize existing
infections and the file would just grow and grow (which caused it to
be noticed).
When I arrived, they were very proud that they had just "wiped out" the
infection.
They did not reformat every single hard disk, as one site here that got
infected by the Ping-Pong virus just did, but they wiped out every copy
of COMMAND.COM using WIPEFILE, and then restored them from the original
floppies.
So - I was unable to obtain a sample.
Since the description does not fit any virus that I know of, I would like
to ask everybody if they have heard of this virus, which (just possibly)
arrived with a number of illegal copies of software from Hong Kong.
If I obtain a sample or more information, I will post a full description
on VIRUS-L.
------------------------------
Date: Thu, 20 Jul 89 08:33:06 -0500
From: Thomas Heil <ICH211@DJUKFA11.BITNET>
Subject: Leisure Suit Larry .... (PC)
Hello!
Could someone please summarize the "Leisure Suit Larry" trojan horse
case for me? I heard about it but didn't learn the details yet.
Please respond directly to me as I'm not on this list.
Thanks in advance,
T.H.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253