VIRUS-L Digest Monday, 24 Jul 1989 Volume 2 : Issue 158
Today's Topics:
virus sociology
Computer security report available
the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
resource fork viruses (Apple II)
Re:What kind of virus is this ? (PC)
Virus Encyclopedia (Was Re: INIT29 and data files (Mac))
Ping Pong Virus (PC)
Re: Request for boot sector information (PC)
safeware (PC)
Still on viruscan (PC)
Re: query re: VIRUSCAN program availability (PC)
Re: new network-virus group?
Re: VIRUSCAN tested (PC)
---------------------------------------------------------------------------
Date: 21 Jul 89 20:10:28 +0000
From: mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin)
Subject: virus sociology
I've been reading this newsgroup for a while now, and have come
to speculate about whether or not the situation is going to become
self-perpetuating. That is, I'm sure that the human scum who write
viri are doing so for the same reasons that any act of vandalism is
committed. The motivations of attention getting and of maliciously
hurting innocent (and often unknown) people are common to all vandals.
The question is: can we speculate that many, if not most, of this
scum reads (and perhaps participates) in this newsgroup? Isn't the
effort of cataloging all the viri egging the scum on to greater
efforts?
The next question is: how much effort should we be putting into
getting the vendors of various machines and operating systems to
design their software to be virus-proof as opposed to writing new
virus detectors/fixers? Let's face it, the current generation of
personal computers have non-existent security not only from viri but
also from user screwups.
Mark Crispin / 6158 Lariat Loop NE / Bainbridge Island, WA 98110-2020
mrc@CAC.Washington.EDU / MRC@WSMR-SIMTEL20.Army.Mil / (206) 842-2385
Atheist & Proud / 450cc Rebel pilot -- a step up from 250cc's!!!
------------------------------
Date: Fri, 21 Jul 89 16:27:04 -0400
From: Stephen Wolff <steve@note.nsf.gov>
Subject: Computer security report available
COMPUTER SECURITY: Virus Highlights Need for Improved Internet Management
(GAO/IMTEC-89-57) is the first U.S. General Accounting Office report that
has been made available on a wide-area computer network. The report is
particularly relevant to Internet users -- it examines Internet security
and vulnerability to issues and factors relating to the prosecution of
virus crimes.
**************************************************************
* This is the first GAO report to be made available over *
* the Internet. GAO wants to know how many people *
* acquire the report this way. If you do, please send *
* mail to me <swolff@nsf.gov> and I'll keep count for *
* them. Your name will not be saved or used. *
**************************************************************
The report is available by anonymous ftp from the NSF Network Service
Center on host nnsc.nsf.gov <128.89.1.178> in directory pub, from the NSF
Information Services host nis.nsf.net <35.1.1.48> in directory nsfnet, and
on host umd5.umd.edu <128.8.10.5> in directory pub. In all cases, log in
as user anonymous, with password guest. The file is about 104 kilobytes.
If you would prefer a printed copy, send me your mailing address and GAO
will post one to you directly.
------------------------------
Date: 21 Jul 89 13:46:11 -0500
From: <U27745%UICVM.BITNET@VMA.CC.CMU.EDU>
Subject: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
At the time of the CHRISTMA EXEC I was a student mainframe consultant,
and I don't recall BITNET being crippled by this program.
2 copies of the program were sent to my reader and I just ignored
them. Later when I had the time to look at them I went to my reader and
Voila, they were gone! I asked my boss what happened to the files.
He ran a program that went thru the system and removed all copies of
the program from every one's reader and minidisk. He took this a bit
further by having RSCS ( VM's communication server ) purge all files
going through our node named CHRISTMA EXEC.
I've heard that VNET was crippled by the CHRISTMA EXEC.
I've heard that IBM actually had to shut down
their RSCS servers and then purge the files from each machine.
They have since done 2 things ( that I know of) to prevent future
instances.
First off, when one receives an EXEC from their reader
the filetype is changed from EXEC to CEXE to prevent execution
of the program.
Secondly, it is now very hard to get files/mail into VNET.
I've been trying for sometime to find a route for BITNET<->VNET
and haven't been successful. (( any help with this would be greatly
appreciated!! ))
As a sidebar, the reason I think the 2 nets were affected differently
is because these nets are used differently. On BITNET most nodes are
primarily used for 'things' other than E-Mail. So when the RSCS servers
started using too much CPU time, systems people got curious and found
out what was happening. IBM on the other hand uses VNET primarily for
E-Mail and with 300,000+ people (my guess) using E-Mail one would expect
RSCS to suck a lot of the systems resources.
This made it less obvious and the longer the CHRISTMA EXEC went
unchecked the harder it was going to be to eradicate.
Include standard disclaimers here:
A) These opinions are mine; MINE, ALL MINE!!
B) I've been wrong before
Bob Johnson << u27745@uicvm.uic.edu >>
------------------------------
Date: Fri, 21 Jul 89 21:18:00 -0400
From: TMPLee@DOCKMASTER.ARPA
Subject: resource fork viruses (Apple II)
The Apple II GS OS is about to incorporate resource forks, something I
understand has been in the MAC OS forever. I also note from all the
traffic that almost all the MAC viruses seem to have something to do
with resource forks. (sounds to me like the virus writers aren't very
inventive; any bad guy worth his salt would bypass ALL the vendor's
software and play with the bare metal -- but since the IBM crowd ain't
much smarter I guess we just don't have the hackers like we used to)
Anyway, could someone summarize for me what the MAC resource forks are
used for (since I know essentially nothing about MAC-land) and how they
are or are not more vulnerable to virus/trojan horse penetration than
"conventional" file structures as found in IBM-land or the earlier
Apple II DOS and ProDos-land?
TMPLee@dockmaster.ncsc.mil
------------------------------
Date: Sat, 22 Jul 89 12:49:10 +0700
From: CCEYEOYT@NUSVM.BITNET
Subject: Re:What kind of virus is this ? (PC)
If I am not wrong, it is the Ping-pong virus (also known as the Bouncing
ball virus). I remove the virus by first copying the original boot record (it
is stored in one of the bad sectors marked by the virus) back to the boot
sector and then erasing the content in the two bad sectors.
Yeo Y.T.
Plus: I always boot up the system with a 'clean' DOS before I make any
changes. Otherwise the virus will remain active in RAM if you boot up
with an infected disk. You will not be able to remove the virus even
if you format your disk.
------------------------------
Date: 21 Jul 89 18:57:33 +0000
From: chinet!henry@att.att.com
Subject: Virus Encyclopedia (Was Re: INIT29 and data files (Mac))
In article <0010.y8907131623.AA04591@ge.sei.cmu.edu> IHLS400@INDYCMS.BITNET (Holly Lee Stowe) writes:
>Also, for anyone using Macs and trying to teach others about what things
>to be aware, may I recommend highly a Hypercard stack called the Virus
>Encyclopedia which is available on GEnie and probably other places.
>(The author's name is Henry C. Schmitt, and he's from the Northwest of
>Us, a user group in Arlington Heights, IL.) Also the informational
>screens from John Norstad's Disinfectant are very helpful.
Thanx for your praise Holly! I didn't think I'd become famous when
I wrote the stack. The latest version (dated 6/8/89 on the
disclaimer card) is available on GEnie. I haven't uploaded it to
Compuserve yet, so the latest version there is only 3/31/89. I also
upload it to The Rest of Us BBS here in Chicago (when it's up!).
Since it gets downloaded quite a lot, people put it elsewhere too.
I've seen it on HomeBase BBS in CA, someone sent me mail that they
got it off a BBS in Denver, I've even seen it on an archive list
from the U.K.!!
If you want to be sure you have the latest version: check the Date
Modified on the Disclaimer card. First Version: 1/22/89, second:
3/31/89, third and latest: 6/8/89. Of course I'm continually
working on it so I'll probably release another version soon.
Please send me any comments or suggestions. My mail addresses are:
GEnie: H.Schmitt
CompuServe: 72275,1456
UUCP: henry@chinet.chi.il.us
- --
H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely)
| GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet)
------------------------------
Date: Fri, 21 Jul 89 22:52:34 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Ping Pong Virus (PC)
Hans Varkevisser described what appears to be the Ping Pong virus and asks
if there is any way to deal with it short of a low level format. The Ping
Pong (Italian) is a boot infector and can be removed with McAfee's MDISK
programs. The CVIA is distributing these programs free of charge (with
proof of infection) to anyone infected with a boot or partition table virus.
They've been tested against all the viruses we know about and work flawlessly
against all boot and partition table viruses.
Contact the CVIA at 408 727 4559 or page SysOp on HomeBase at
408 988 4004 to get these programs.
Alan Roberts.
------------------------------
Date: Sat, 22 Jul 89 11:58:28 -0400
From: allbery@NCoast.ORG (Brandon S. Allbery)
Subject: Re: Request for boot sector information (PC)
In your article <0009.y8907171856.AA19378@ge.sei.cmu.edu> ["Request for boot sector information"], you wrote:
+---------------
| I need an answer to the following question:
|
| In the boot sector of every diskette and hard disk there is a short
| string starting at the fourth byte. This string contains information
| about the version of DOS used to format the disk/diskette.
| Typically it is something like "IBM 3.0" or "MSDOS2.0".
| What I need to know is: What other possibilities are there ?
+---------------
Out of three versions of DOS available to me, two don't follow this rule:
ITT XTra, ITT DOS 2.11: "ITT 2.0 "
Wyse PC DOS 3.2: "PC & AT^@"
Altos 500 MS-DOS 3.3: "MSDOS3.3"
++Brandon
- ---
Brandon S. Allbery, moderator of comp.sources.misc allbery@NCoast.ORG
uunet!hal.cwru.edu!ncoast!allbery ncoast!allbery@hal.cwru.edu
NCoast Public Access UN*X - (216) 781-6201, 300/1200/2400 baud, login: makeuser
(Send inquiries to rhg@NCoast.ORG, *not* to me! I'm just the resident guru.)
* "ncoast" regenerates again! The 5th "ncoast", coming August 1 (stay tuned) *
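Two of the messages above touch the same 512 bytes: Yeo Y.T. restores the original boot record that the Ping-pong virus parked in a cluster it marked bad, and Allbery's correspondent asks about the 8-byte OEM name at offset 3. The following is an added example, not code from the digest or from any of the tools it mentions. It builds a constructed 360 KB FAT12 floppy image, simulates a boot infector that behaves the way Yeo describes (original sector moved into a data cluster, that cluster flagged 0xFF7 in every FAT copy, boot code replaced while the BPB is kept), and then cleans it by walking the FAT for bad clusters and looking for a parked sector that carries the 55 AA signature and a BPB consistent with the disk. The BPB layout, the stand-in loader bytes and the choice of cluster 50 are the example's own assumptions, not details of the real virus.

```python
import struct

SECTOR = 512          # bytes per sector of the constructed 360 KB image
FAT12_BAD = 0xFF7     # FAT12 "bad cluster" marker
BPB = struct.Struct("<HBHBHHBHHHI")   # BIOS parameter block at offset 11


def make_boot_sector(oem: bytes) -> bytes:
    """Constructed FAT12 boot sector; the OEM name is at offset 3, 8 bytes."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x34\x90"                      # jump over the BPB
    bs[3:11] = oem.ljust(8, b" ")[:8]
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total
    # sectors, media byte, sectors/FAT, sectors/track, heads, hidden sectors
    BPB.pack_into(bs, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0)
    bs[62:90] = b"ORIGINAL BOOT CODE".ljust(28, b"\xcc")   # stand-in loader
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def geometry(sector: bytes) -> dict:
    """Pull what the cleaner needs out of a boot sector's BPB."""
    (bps, spc, reserved, nfats, root_entries,
     total, media, spf, _spt, _heads, _hidden) = BPB.unpack_from(sector, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return dict(oem=bytes(sector[3:11]), bps=bps, spc=spc, reserved=reserved,
                nfats=nfats, total=total, media=media, spf=spf,
                first_data=reserved + nfats * spf + root_sectors)


def fat_offset(g: dict, copy: int) -> int:
    return (g["reserved"] + copy * g["spf"]) * g["bps"]


def cluster_offset(g: dict, n: int) -> int:
    return (g["first_data"] + (n - 2) * g["spc"]) * g["bps"]


def fat12_get(img: bytearray, fat: int, n: int) -> int:
    off = fat + n + n // 2                 # 12-bit entries, 1.5 bytes each
    v = img[off] | (img[off + 1] << 8)
    return v & 0xFFF if n % 2 == 0 else v >> 4


def fat12_set(img: bytearray, fat: int, n: int, v: int) -> None:
    off = fat + n + n // 2
    if n % 2 == 0:
        img[off] = v & 0xFF
        img[off + 1] = (img[off + 1] & 0xF0) | ((v >> 8) & 0x0F)
    else:
        img[off] = (img[off] & 0x0F) | ((v & 0x0F) << 4)
        img[off + 1] = (v >> 4) & 0xFF


def build_image(oem: bytes = b"MSDOS3.3") -> bytearray:
    """Blank formatted floppy: boot sector plus FAT copies carrying the media byte."""
    bs = make_boot_sector(oem)
    g = geometry(bs)
    img = bytearray(g["total"] * g["bps"])
    img[0:SECTOR] = bs
    for copy in range(g["nfats"]):
        f = fat_offset(g, copy)
        img[f:f + 3] = bytes([g["media"], 0xFF, 0xFF])
    return img


def simulate_infection(img: bytearray, cluster: int) -> None:
    """Constructed stand-in for the infector: park the original boot sector in a
    data cluster, mark the cluster bad in every FAT, replace the boot code."""
    g = geometry(img[:SECTOR])
    dst = cluster_offset(g, cluster)
    img[dst:dst + SECTOR] = img[0:SECTOR]
    img[dst + SECTOR:dst + 2 * SECTOR] = b"VIRUS BODY".ljust(SECTOR, b"\x90")
    for copy in range(g["nfats"]):
        fat12_set(img, fat_offset(g, copy), cluster, FAT12_BAD)
    img[62:90] = b"VIRAL LOADER".ljust(28, b"\xcc")     # BPB left intact


def looks_like_boot_sector(sec: bytes, g: dict) -> bool:
    """A parked original carries 55 AA and a BPB that agrees with the disk it is
    on; a genuinely bad cluster will not, so it is left alone."""
    if sec[510:512] != b"\x55\xaa" or sec[0] not in (0xEB, 0xE9):
        return False
    h = geometry(sec)
    return ((h["bps"], h["spc"], h["total"], h["media"])
            == (g["bps"], g["spc"], g["total"], g["media"]))


def clean_boot_infector(img: bytearray) -> list:
    """Restore a parked boot sector from a bad-marked cluster to sector 0, wipe
    that cluster and free it in every FAT copy; returns the clusters cleaned."""
    g = geometry(img[:SECTOR])
    fat0 = fat_offset(g, 0)
    last_cluster = (g["total"] - g["first_data"]) // g["spc"] + 1
    csize = g["spc"] * g["bps"]
    restored = []
    for n in range(2, last_cluster + 1):
        if fat12_get(img, fat0, n) != FAT12_BAD:
            continue
        base = cluster_offset(g, n)
        for s in range(0, csize, g["bps"]):
            sec = bytes(img[base + s:base + s + g["bps"]])
            if looks_like_boot_sector(sec, g):
                img[0:g["bps"]] = sec
                img[base:base + csize] = bytes(csize)
                for copy in range(g["nfats"]):
                    fat12_set(img, fat_offset(g, copy), n, 0)
                restored.append(n)
                break
    return restored
```

The cleaner works on an image, which is the software equivalent of Yeo's "boot from a clean DOS first": a resident boot infector sits on the disk interrupt and can hand back the original sector or re-infect as soon as the real one is written, which is also why a FORMAT run from an infected system does not help. Note that `geometry()` trusts the BPB in the current sector 0; that holds only for infectors that keep the BPB, and for the OEM field the example shows why it is no version oracle: it is whatever the formatting program wrote there.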
------------------------------
Date: Sat, 22 Jul 89 13:23:00 -0400
From: IA96000 <IA96@PACE.BITNET>
Subject: safeware (PC)
perhaps you remember my mentioning safeware several weeks ago.
we have been doing some testing and thought you might like to
know the results.
we tested safeinfo and several other safeware products on what
has now been identified as the jerusalem virus and several other
viral strains.
in each case, safeware detected that some change had been made in
the file since it had been compiled and notified me.
safeware runs a proprietary selftest (tm) module as soon as the
program is loaded.
execution is immediately halted if a change is detected in file
length, crc or both.
safeinfo.arc can be downloaded from (201) 473-1991 if you would
like to check it out. also viruscan can be downloaded from
(201) 249-1898. the first number is a 10 line tbbs so there is
almost never a busy signal.
i spoke to the author of safeware and he assures me neither safeware
nor the selftest module will ever be sold or allowed to be used by
a commercial software house.
he seems to be quite proud of the fact that safeware was written
and released by a shareware author. in fact when you think about it
it is quite amazing that commercial houses have not yet released
such a product, and it took a shareware author to do it first!
he also assures me that the code can be changed and programs
recompiled in less than 5 minutes if the need arises. it seems there
are several versions of the selftest module and only one has been
released in shareware so far.
in any event, the built in protection safeware offers works, and
there are now more than 25 programs released under the safeware
label.
almost forgot, we are working on getting copies of all the safeware
products. if we can get them, does anyone know where we can post
them for requests? we do not have a listserv here, so it would
be kind of hard.
any suggestions would be appreciated.
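The self-test the message describes (halt at load time if the file's length or CRC no longer matches what was compiled in) is easy to model, and so is its limit. The following is an added example, not safeware's code or its actual format: it seals a program body with a small header holding the body length and CRC-32, checks that header at "load" time, and shows that appending, prepending or patching the image all trip the test, while an infector that knows the format can simply re-seal. The header layout and the `SELF` magic are this example's assumptions.

```python
import struct
import zlib

HEADER = struct.Struct("<4sII")   # magic, sealed body length, CRC-32 of the body
MAGIC = b"SELF"

OK = "self-test passed"
NO_HEADER = "self-test header missing or displaced"
LENGTH_CHANGED = "file length changed"
CRC_MISMATCH = "crc mismatch"


def seal(body: bytes) -> bytes:
    """Build-time step: prefix the program body with its length and CRC-32."""
    return HEADER.pack(MAGIC, len(body), zlib.crc32(body) & 0xFFFFFFFF) + body


def self_test(image: bytes) -> tuple:
    """Load-time step: recompute length and CRC from the image that actually got
    loaded and compare them with the sealed values."""
    if len(image) < HEADER.size or image[:4] != MAGIC:
        return False, NO_HEADER          # e.g. something was prepended
    _magic, length, crc = HEADER.unpack_from(image, 0)
    body = image[HEADER.size:]
    if len(body) != length:
        return False, LENGTH_CHANGED     # e.g. something was appended
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return False, CRC_MISMATCH       # same size, bytes patched in place
    return True, OK


def run(image: bytes) -> str:
    """What the loader stub does: refuse to continue on any self-test failure."""
    ok, why = self_test(image)
    return "running" if ok else "HALT: " + why


def resealed(image: bytes, payload: bytes) -> bytes:
    """The attack the scheme cannot stop: an infector that knows the header
    format appends its payload and recomputes the sealed values."""
    return seal(image[HEADER.size:] + payload)
```

CRC-32 is a checksum, not a MAC: it catches accidental or naive modification, and nothing stops a writer who targets the scheme from recomputing it. That is the case for keeping an independent baseline of lengths and checksums off the machine, rather than relying only on values stored inside the file being checked.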
------------------------------
Date: Sun, 23 Jul 89 22:33:06 -0000
From: A.SIGFUSSON@ABERDEEN.AC.UK
Subject: Still on viruscan (PC)
Mr. Alan Robertson sent me a message and pointed out to me that
the problem I had with VIRUSCAN and multiple scans was due to the
hardware and not a software problem. He thinks that about 1% of
IBM clones suffer from this and it so happened that both the machines
I have used (COMMODORE PC20 & AMSTRAD 1640) fall into that 1%. I have
now tried a copy of the new version of SCAN and find that the problem
does not occur any more.
Best regards,
Arnor Sigfusson (A.SIGFUSSON@UK.AC.ABERDEEN)
------------------------------
Date: Sun, 23 Jul 89 17:01:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: query re: VIRUSCAN program availability (PC)
In article <0005.x8906301409.AA00605@ge.sei.cmu.edu> you write:
>in VIRUS-L of Jun 28, 1989 Alan J.Roberts mentioned a program called
>VIRUSCAN for the IBM PC. I would like to get this program, but I don't know
>how. Could someone, if possible, mail me a uuencoded ARC-file ?
> Thank you,
> Rainer Kleinrensing (RAINER at DBNUAMA1 in BITNET)
I have been doing beta testing for john and at his request I am going
to be submitting the results and the virus scan program... here in just
a few hours to the mailing list... if any one knows a uucp reachable
archive site address to be a recipient of this code please email me
this address as I don't want to have to mail out continuous copies...
cheers
kelly
p.s. its even more inclusive now!!
------------------------------
Date: Sun, 23 Jul 89 17:10:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: new network-virus group?
> A little while ago, there was some hashing about the overly
> PC-oriented direction of this list or something like that. (Forgive me,
> I had 4+ week's worth of mail to catch up on in the past 1-1/2 wks,
> and it's been a while since I read the virus-l notebook - which was
> sizeable. So...)
[...]
> My thought here is that the group has kind of shifted directions
> towards the PC environment. But the networking environment and the issues
> surrounding it are very different. There are of course no major network
> virus dangers right now, but network security and finding loopholes is
> always a major concern. Is there a place for another list concerning
> viruses in the network and PC-NFS/LAN environment?
Actually, given RPCs (Remote Procedure Calls) and other holes in
present LAN systems they are as vulnerable as any non-protected system
nowadays!! My vote would have to be yes lets cover these issues also
I just hope the vendors are listening!!
cheers
kelly
------------------------------
Date: 24 Jul 89 08:04:25 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: VIRUSCAN tested (PC)
Last week someone asked for inputs about the VIRUSCAN program and
whether or not it had actually identified any viruses. The
following log is an actual log by VIRUSCAN against viruses I have
collected for taxonomy purposes. VIRUSCAN correctly identified
the Virus and strain involved. At present in the log are the
strains of EXE and com infectors I have gathered and will be
testing the boot and partition infectors sometime this week. I
would be interested in input from anyone else who might have
samples of strains that I have not yet tested.
EXE AND COM INFECTORS:
Scanning for 27 viruses.
Scanning boot sectorFECTED\1704.COM
Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\SARATOGA.EXE
Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\ICELANDI.EXE
Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\1168.COM
Found 1168 Virus
Scanning D:\VIRUS\INFECTED\1280.COM
Found 1280 Virus
Scanning D:\VIRUS\INFECTED\1701.COM
Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\1704-B.COM
Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\1704-C.COM
Found 1701/1704 Virus - Version C
Scanning D:\VIRUS\INFECTED\ATTRIB.EXE
Found Jerusalem Virus - Version B
Scanning D:\VIRUS\INFECTED\JRVIR-C.COM
Found Jerusalem Virus - Version B
Scanning D:\VIRUS\INFECTED\JRVIRUS.COM
Found Jerusalem Virus - Version A
More? ( H = Help )NFECTED\NUMOFF.COM
Found Jerusalem Virus - Version A
Scanning D:\VIRUS\INFECTED\DOS62.COM
Found Vienna (DOS 62) Virus - Version A
Scanning D:\VIRUS\INFECTED\FUMANCHU.COM
Found Fu Manchu Virus - Version A
Scanning D:\VIRUS\INFECTED\SURIV01.COM
Found April First Virus - Version C
! Scanning D:\VIRUS\INFECTED\SURIV02.EXE
Found Jerusalem Virus - Version D
Scanning D:\VIRUS\INFECTED\SURIV03.COM
Found Jerusalem Virus - Version E
Scanning D:\VIRUS\INFECTED\INFECTED\1280.COM
Found 1280 Virus
Scanning D:\VIRUS\INFECTED\I2\1168.COM
Found 1168 Virus
Scanning D:\VIRUS\INFECTED\I2\1280.COM
Found 1280 Virus
Scanning D:\VIRUS\INFECTED\I2\1701.COM
Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\1704-B.COM
Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\1704-C.COM
Found 1701/1704 Virus - Version C
More? ( H = Help )NFECTED\I2\1704.COM
Found 1701/1704 Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\1704FRMT.COM
Found 1701/1704 Virus - Version C
Scanning D:\VIRUS\INFECTED\I2\DOS62.COM
Found Vienna (DOS 62) Virus - Version A
Scanning D:\VIRUS\INFECTED\I2\FUMANCHU.COM
Found Fu Manchu Virus - Version A
Scanning D:\VIRUS\INFECTED\I2\ICELANDI.EXE
Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\I2\JRVIR-C.COM
Found Jerusalem Virus - Version B
Scanning D:\VIRUS\INFECTED\I2\JRVIRUS.COM
Found Jerusalem Virus - Version A
Scanning D:\VIRUS\INFECTED\I2\SARATOGA.EXE
Found Saratoga/Icelandic Virus
Scanning D:\VIRUS\INFECTED\I2\SURIV01.COM
Found April First Virus - Version C
Scanning D:\VIRUS\INFECTED\I2\SURIV02.EXE
Found Jerusalem Virus - Version D
Scanning D:\VIRUS\INFECTED\I2\SURIV03.COM
Found Jerusalem Virus - Version E
Scanning D:\VIRUS\INFECTED\I2\TRACEBCK.COM
Found 3066 (Traceback) Virus
More? ( H = Help )RUS.LIB\V3.COM
Found Jerusalem Virus - Version A
Disk D: contains 81 directories and 1466 files.
36 files contain viruses.
This list was edited to eliminate a lot of intermediate output...
information proprietary to my system... The test system is a NEC
PROSPEED 386 Laptop at MS-DOS Level 3.3 with Quarterdeck's
2.25/386 multitasking system. The disk size was a 32 MB
partition running on a 100 MB disk.
I will be running the series of tests for boot sector infectors
and partition table infectors later this week and will post those
results then.
cheers
kelly
p.s. I think this should settle any doubts
DISCLAIMER: The views expressed above are not those of AMDAHL
Corp. who has generously provided e-mail facilities or those of
ONSITE CONSULTING... they do represent the views of Cybernetic
Systems Specialists Inc., a CVIA Member... No warranty is
expressed, implied or granted in any fashion whatsoever...
However, the VIRUSCAN program was tested against LIVE viral
programs and it did correctly identify what I have in my archives
to this date..
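The log above is what a signature scanner produces: each file is searched for byte patterns known to belong to a given virus and strain, and the first pattern that matches names the hit. The following is an added example, not VIRUSCAN's code, and its signatures are constructed stand-ins, not the real patterns of any virus named in the log. It shows the two details that decide whether a scanner reports the right strain: patterns are kept most-specific-first (here the "C" pattern contains the "B" pattern, so the order matters), and the pattern table is stored XOR-masked so the scanner's own binary does not contain a plain copy that would trip another scanner. The sample tree it writes under a temporary directory is constructed and harmless.

```python
import os
import tempfile

_MASK = 0x5A


def _mask(pattern: bytes) -> bytes:
    """XOR-mask a pattern so the scanner never holds it in the clear."""
    return bytes(b ^ _MASK for b in pattern)


# Constructed demo signatures (name, version, masked pattern), most specific
# first: "DEMOCASCADE" is a substring of "DEMOCASCADE-C", and first match wins.
SIGNATURES = [
    ("Demo-Cascade",   "C", _mask(b"DEMOCASCADE-C")),
    ("Demo-Cascade",   "B", _mask(b"DEMOCASCADE")),
    ("Demo-Jerusalem", "B", _mask(b"DEMOJERUSALEM\x02")),
    ("Demo-Jerusalem", "A", _mask(b"DEMOJERUSALEM")),
]

SCAN_EXTS = (".com", ".exe", ".sys", ".ovl", ".bin")   # assumed scan set


def identify(data: bytes):
    """Return (name, version) for the first signature found in data, else None."""
    for name, version, masked in SIGNATURES:
        if _mask(masked) in data:
            return name, version
    return None


def scan_tree(root: str) -> dict:
    """Walk a directory tree and record hits by path relative to root."""
    report = {"dirs": 0, "files": 0, "infected": {}}
    for dirpath, _dirs, filenames in os.walk(root):
        report["dirs"] += 1
        for fn in filenames:
            report["files"] += 1
            if not fn.lower().endswith(SCAN_EXTS):
                continue          # a pattern inside a data file is not executed
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                hit = identify(f.read())
            if hit:
                report["infected"][os.path.relpath(path, root)] = hit
    return report


def format_report(report: dict) -> list:
    """Render the report in the same shape as the log above."""
    lines = [f"Scanning for {len(SIGNATURES)} signatures."]
    for path, (name, version) in sorted(report["infected"].items()):
        lines.append(f"Scanning {path}")
        lines.append(f"Found {name} Virus - Version {version}")
    lines.append(f"{report['dirs']} directories and {report['files']} files.")
    lines.append(f"{len(report['infected'])} files contain viruses.")
    return lines


def build_sample_tree() -> str:
    """Constructed test set of harmless stand-in files (no live samples)."""
    root = tempfile.mkdtemp(prefix="viruscan-demo-")
    os.makedirs(os.path.join(root, "INFECTED", "I2"))
    samples = {
        "INFECTED/1704-B.COM":     b"\xe9\x00\x01DEMOCASCADE" + b"\x90" * 32,
        "INFECTED/1704-C.COM":     b"\xe9\x00\x01DEMOCASCADE-C" + b"\x90" * 32,
        "INFECTED/I2/JRVIRUS.COM": b"\xe9\x00\x01DEMOJERUSALEM" + b"\x90" * 32,
        "INFECTED/I2/JRVIR-C.COM": b"\xe9\x00\x01DEMOJERUSALEM\x02" + b"\x90" * 32,
        "CLEAN.COM": b"\xb4\x4c\xcd\x21" * 8,      # mov ah,4Ch / int 21h
        "NOTES.TXT": b"DEMOCASCADE-C mentioned in a text file",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Skipping non-executable extensions is a choice with a cost both ways: it avoids flagging a text file such as this digest that happens to contain a signature, but it also misses an overlay or renamed executable, which is why a scanner's extension list should be a visible setting rather than a hidden constant.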
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253