home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.159
< prev
next >
Wrap
Text File
|
1995-01-03
|
9KB
|
195 lines
VIRUS-L Digest Tuesday, 25 Jul 1989 Volume 2 : Issue 159
Today's Topics:
query re: archive access
re: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
Missouri virus news? (PC)
Wanted: Beta Testers for Flu_Shot+ (PC)
RE: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
update to F-PROT.ARC (PC)
---------------------------------------------------------------------------
Date: Mon, 24 Jul 89 11:27:43 -0400
From: "M.S.Kolansky" <TERE%ERENJ.BITNET@IBM1.CC.Lehigh.Edu>
Subject: query re: archive access
Can someone tell me how to get at the LISTSERV virus archives.
[Ed. Send mail to LISTSERV@LEHIIBM1.BITNET (same as
LISTSERV@IBM1.CC.LEHIGH.EDU - for Internet users) containing one or
more of the following commands:
HELP - to get help
INDEX VIRUS-L - to get a list of available files
GET filename filetype - to retrieve a particular file (via e-mail)
]
------------------------------
Date: 24 Jul 89 00:00:00 +0000
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
While I was lucky enough to be on vacation when CHRISTMA hit
VNET, my impression is that (press to the contrary), VNET
handled it about like BITNET did: a few nodes shut down or
cold started, but most just installed and ran some filters
on RSCS and local spool. Lots of human and CPU time and net
bandwidth wasted, but not a system-wide shutdown. This is
just an unofficial impression, of course!
As far as I know, it's no harder to get a file from BITNET to
VNET now than it was before CHRISTMA; the person you want to
talk to on the VNET side has to be authorized with the gateway.
Exactly how an IBMer gets authorized for BITNET access varies
with site/division/etc. I'm authorized, for instance, and I
can be sent mail from BITNET just by sending in the normal way
to CHESS at YKTVMV (let's not all try this just to be sure it
works, of course! Hehe).
DC
IBM T. J. Watson Research Center
------------------------------
Date: Mon, 24 Jul 89 15:07:42 -0400
From: "Dennis P. Moynihan" <DMOYNIHA@WAYNEST1.BITNET>
Subject: Missouri virus news? (PC)
Way back in April the following was reported to this list:
>Date: Thu, 27-Apr-89 13:57:27 PDT
>From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
>Subject: Missouri Virus (PC)
>
>The Homebase group has logged over a dozen occurrences of this virus
>but we have never successfully sampled it. The latest occurrence was
>notable enough to pass on to Virus-L so that we might get some
>assistance. The occurance was at the National Security
>Administration. The virus came into their shop on a disk shipped with
>the book - "DOS Power Tools", published by Bantam. This was the third
>report of the virus entering an installation on this book. The virus
>completely disables writing to the hard disk, but it does allow normal
>reading of data already stored. Every site that has been hit has
>destroyed or lost the original source disk, and the target disk. The
>NSA is no exception. Robert Dimsdale of the NSA in Fort Meade
>originally reported the virus to the CVIA and he cut the floppy into 8
>sections prior to calling. He then disrarded the standard CVIA advice
>and low level formatted the hard disk. Anyone with any additional
>information about this virus is invited to share that information with
>what we already know by contacting the HomeBase board. We know that
>Missouri is a virus and not a Trojan because we have documented four
>occurances of its replication. Please do not contact Mr. Dimsdale
>directly. Serious inquiries should be addressed through Jim Corwell
>on Homebase. He will pass on your name to the NSA and they will
>reply.
> ....
This just became a bit of a hot topic here today. We noted the report
in our newsletter and have been receiving calls about it. Most have been
from users who have "Dos power tools" and want to know if their machine
will roll over any time soon. One, interestingly, was from Bantam. They
wanted to know where we got this from.
Anyway, have there been any more reports regarding this virus? I got the
impression from the above that if a copy of "Dos power tools" had the
virus people found out quick. Any other news in general on this?
- --------------------------------------
Dennis Moynihan (DMOYNIHA@WAYNEST1)
Computing and Information Technology
Wayne State University
Detroit, MI
------------------------------
Date: Mon, 24 Jul 00 19:89:34 +0000
From: utoday!greenber@uunet.uu.net
Subject: Wanted: Beta Testers for Flu_Shot+ (PC)
I'm all set to release a new version of FLU_SHOT+ and need some people
as beta testers (all my current beta testers opted to take the summer
off, those lucky dogs!).
Requirements: MS-DOS 2.x - 4.x. In particular, I'm looking for 4.x
people (there were some problems with the last release and 4.x)
Send *me* E-mail, not the list. Many thanks.
Ross M. Greenberg
Author, FLU_SHOT+
------------------------------
Date: Mon, 24 Jul 89 16:14:00 -0700
From: "Hervey Allen, U of O Comp. Ctr., (503) 686-4394" <HALLEN@oregon.bitne
t>
Subject: RE: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
I have been reading the discussions on VM/CMS as pertaining to viruses and
security with some interest. I was the Senior Consultant/Programmer at a
small college for a system running VM/CMS when the CHRISTMA EXEC program
was making its rounds.
There were two of us who had complete control over the machine we were work-
ing on (a 4341-2 w/1500 accounts) which made it extremely easy to spot and
eradicate the CHRISTMA EXEC. We routinely checked the number of Reader (mail)
files on our machine. We noticed an increase in files over the span of a few
hours that was unusual so we checked our RSCS spool to see if anything unusual
was happening and spotted the CHRISTMA EXEC file showing up repeatedly. We
then took a look at the CHRISTMA EXEC (which we had both received) and
realized what it was doing. At this point we wrote a few lines of code to
search for all occurrences of the CHRISTMA EXEC on the system (in Reader or
on disk) and to delete any that were found. We warned our users not to run
the CHRISTMA EXEC (in case we missed any) and then we periodically checked
for the EXEC over the next few days. We did not think of putting the check
directly into RSCS, which is a better idea.
The reason I bothered to write this was to make note of the possibility that
those places where people dealt directly with their machines and the operating
systems seemed to catch the CHRISTMA EXEC almost immediately, whereas on the
IBM VNET many of the machines ran systems such as PROFS that separate the
users from the operating system and most of the machines were maintained by
a larger number of people who had less direct control over their environ-
ments. I'm not advocating either system over the other, but, to us, it was
interesting how trivial a problem the CHRISTMA EXEC was to deal with. On
IBM's VNET, however, the offending program was not noticed until network
traffic had become so high, and system spool resources were becoming full
enough (I assume) that they were forced to shut the network down.
This begs the question as to whether or not systems that are designed to be
user friendly and administrations that are set up to keep access to data
restricted are more susceptible to viruses/worms/trojan horses. I don't
expect to answer this question, but it does seem to be a re-occurring theme
when dealing with viruses.
Hervey Allen <<Bitnet: HALLEN@OREGON.Bitnet>>
<<Internet: HALLEN@oregon.uoregon.edu>>
Student Programmer/Virus Consultant
University of Oregon Academic Computer Services
| Disclaimer: The opinions expressed here are my own and in no way reflect |
| the opinions of the University of Oregon. |
------------------------------
Date: Tue, 25 Jul 89 05:39:26 -0500
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: update to F-PROT.ARC (PC)
I'm sending out an update to the f-prot package. Apparently there is
some problem with one of the programs and some TSR programs. The
F-LOCK.EXE program is being replaced in this update.
Jim
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253