VIRUS-L Digest Wednesday, 26 Jul 1989 Volume 2 : Issue 160
Today's Topics:
Re: virus sociology
VNET and the CHRISTMA EXEC (IBM VM/CMS)
Computer Virus Research
Less well known viruses?
Viruscan tested.
***WARNING*** VIRUSCAN Trojan (PC)
------------------------------------------------------------
Date: 25 Jul 89 12:47:21 +0000
From: krvw@sei.cmu.edu (Kenneth van Wyk)
Subject: Re: virus sociology
In article virus sociology of 21 Jul 89 20:10:28 GMT
mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) writes:
> The question is: can we speculate that many, if not most, of this
>scum reads (and perhaps participates) in this newsgroup? Isn't the
>effort of cataloging all the viri egging the scum on to greater
>efforts?
I suppose that it's possible to find a pessimistic outlook on just
about everything... The flip side of it is that we're getting
valuable information out to people who really need it to understand
(hence cope with) the virus problem. I think that positive side
outweighs any negative side.
> The next question is: how much effort should we be putting into
>getting the vendors of various machines and operating systems to
>design their software to be virus-proof as opposed to writing new
>virus detectors/fixers? Let's face it, the current generation of
>personal computers have non-existent security not only from viri but
>also from user screwups.
Newer machines are already being equipped with features, such as
hardware memory protection, privileged i/o instructions, etc., that
can help in preventing viruses. It's still up to the operating system
software to properly use the available hardware. To that end, I
believe that it is worthwhile for customers to push vendors to supply
more secure and thoroughly tested hardware and software.
Ken
------------------------------
Date: Tue, 25 Jul 89 09:49:00 -0400
From: John McMahon <FASTEDDY@DFTBIT.BITNET>
Subject: VNET and the CHRISTMA EXEC (IBM VM/CMS)
***> From: David M. Chess <CHESS@YKTVMV.BITNET>
***> Subject: re: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
***>
***> While I was lucky enough to be on vacation when CHRISTMA hit
***> VNET, my impression is that (press to the contrary), VNET
***> handled it about like BITNET did: a few nodes shut down or
***> cold started, but most just installed and ran some filters
***> on RSCS and local spool. Lots of human and CPU time and net
***> bandwidth wasted, but not a system-wide shutdown. This is
***> just an unofficial impression, of course!
As I recall, VNET Topology is not like BITNET's. BITNET is currently
a tree structure, slowly migrating to a mesh topology backbone of
sites connected via the BITNET II software (NJE over TCP/IP). VNET,
on the other hand, is a set of trees connected by a fairly extensive
wide-area mesh backbone.
As I recall (it's been a while), this mesh backbone only consists of a
handful of nodes (Sixteen to Twenty), one at each major IBM center.
Shutting that down would effectively isolate each IBM center. As to
whether or not that is a "System-Wide" shutdown, well, you will have to
ask the media. As to whether or not that happened, you would have to
ask IBM.
+------------------------------------+----------------------------------------+
|John "Fast Eddie" McMahon | Span: SDCDCL::FASTEDDY (Node 6.9) |
|Advanced Data Flow Technology Office| Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV |
|Code 630.4 - Building 28/W255 | Bitnet: FASTEDDY@DFTBIT |
|NASA Goddard Space Flight Center |GSFCmail: JMCMAHON |
|Greenbelt, Maryland 20771 | Phone: x6-2045 |
+------------------------------------+----------------------------------------+
------------------------------
Date: Tue, 25 Jul 89 11:28:00 -0500
From: <DQB@ORNLSTC.BITNET>
Subject: Computer Virus Research
I am doing research at the University of Tennessee on the current
state of computer viruses. Most of the material that I have found
to date has been written by members of this discussion list. I
would appreciate direct correspondence from members who have
written papers, books or articles or who are currently conducting
research in this area.
If nothing else, I would like to make a reference to other research
work that is being conducted by members of the discussion list. If
any of you have other material that can be sent to me electronically,
I would appreciate it.
I will redistribute a complete list of these research references via
this discussion group.
------------------------------
Date: Tue, 25 Jul 89 19:36:47 -0000
From: David.J.Ferbrache <davidf@CS.HW.AC.UK>
Subject: Less well known viruses?
Having just finished an update on the list of known IBM and MAC viruses
I have come across a few reported viruses which no/few details seem
to be available on. These are:
IBM PC Boot sector

  Nichols virus   both are incorporated in the 0.29 viruscan test
  2730 virus      strings, but have not been reported in full

IBM PC Link viruses

  Screen          characteristic lengths and identifying signatures
  Dbase           are currently unknown for these two viruses covered
                  in Ross's article in the June edition of byte

  Agiplan         So far no-one seems to have a sample of this virus
                  available, also no signatures have been provided

  Mistake         Again no signatures available
I would also be interested in characteristic lengths and signature byte
sequences for a number of the Homebase variants described in Jim Goodwin's
list.
On a further point a remarkable similarity has been established between
the Saratoga and Icelandic (variant 1) virus code. This similarity is
reflected in the code sequences used by Viruscan 0.29. The question
raised by this observation is which came first, the Saratoga virus detected
in California or the Icelandic virus. With the recent report of a
second strain of the Icelandic virus which bypasses Interrupt table
dos call monitoring methods it seems that the virus is under active development
by a hacker in Iceland.
Finally, I will be forwarding three notes from Joe Hirst in the next
few days concerning the Ashar variant of Brain, Saratoga virus and
his views on the foundation of national research centres. I will establish
a temporary mail account <bcvrc@cs.hw.ac.uk> for his centre and will relay
any correspondence received.
------------------------------------------------------------------------------
Dave Ferbrache                     Internet   <davidf@cs.hw.ac.uk>
Dept of computer science           Janet      <davidf@uk.ac.hw.cs>
Heriot-Watt University             UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                     Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom          Facsimile  +44 31-220-4277
EH1 2HJ                            BIX/CIX    dferbrache
------------------------------------------------------------------------------
------------------------------
Date: 26 Jul 89 00:12:43 +0200
From: cth_co@tekno.chalmers.se (CHRISTER OLSSON)
Subject: Viruscan tested.
I tested VIRUSCAN, but it can't find the 1701/1704 (Cascade) virus in files
with an EXE extension. If you rename a COM file to an EXE file, the 1701
virus infected the file, but VIRUSCAN doesn't check the file because
VIRUSCAN only searches COM files for the 1701/1704 (Cascade) virus.
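
[Added example, not part of the original post and not VIRUSCAN's code: a scanner that chooses what to search by file extension misses a COM-format program renamed to .EXE, while one that classifies by header does not, because DOS itself selects the loader from the "MZ" header rather than the name. DEMO_PATTERN, the function names and the sample file are constructed for illustration.]

```python
import os
import tempfile

# Constructed placeholder bytes for the demo; NOT a real virus signature.
DEMO_PATTERN = b"\xde\xc0\xad\x0b-constructed-demo-pattern"

def image_format(data: bytes) -> str:
    """DOS picks the loader from the header: 'MZ'/'ZM' means EXE, anything else is run as COM."""
    return "EXE" if data[:2] in (b"MZ", b"ZM") else "COM"

def scan_by_extension(path: str) -> bool:
    """The gap from the post: the COM-type pattern is searched only in *.COM files."""
    if not path.upper().endswith(".COM"):
        return False
    with open(path, "rb") as fh:
        return DEMO_PATTERN in fh.read()

def scan_by_content(path: str) -> dict:
    """Classify by header, search regardless of name, and flag a name/format mismatch."""
    with open(path, "rb") as fh:
        data = fh.read()
    fmt = image_format(data)
    ext = os.path.splitext(path)[1].upper().lstrip(".")
    return {
        "format": fmt,
        "extension_mismatch": ext in ("COM", "EXE") and ext != fmt,
        "hit": DEMO_PATTERN in data,
    }

def demo() -> dict:
    """Build a constructed COM-format file named .EXE and run both scanners on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "RENAMED.EXE")
        with open(path, "wb") as fh:
            fh.write(b"\x90" * 16 + DEMO_PATTERN)  # no MZ header, so COM format
        return {"by_extension": scan_by_extension(path),
                "by_content": scan_by_content(path)}

if __name__ == "__main__":
    print(demo())
```
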
------------------------------
Date: Tue, 25 Jul 89 19:47:00 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: ***WARNING*** VIRUSCAN Trojan (PC)
Someone has taken the VIRUSCAN program and hacked it into a trojan.
Richard Levey of Shareware Enterprises in Elmont, NY, and J.J. Webb
of Lockheed have both submitted copies of a program that they
thought was identical to VIRUSCAN version 19 in the way it
operated. On analysis, the program turned out to be Viruscan V19
with a number of modifications.
No attempt was made to modify the VIRUSCAN program messages,
internal data strings or instruction sequences, with the single
exception of the copyright notice. The copyright notice was
changed to "Copyright 1989, WileySoft Corporation". The only
modification made to the documentation was the change of name and
address to:
WileySoft
11 Trafalgar Square
Nashua, NH 03063
And a request to send $24 to the above address was added.
The program was then compressed, a front end loader/decompressor
was tacked on, and the final package was infected with what appears
to be a modified version of the Jerusalem virus. The final EXE
file was named SCAN (the same as the VIRUSCAN executable module)
and was 22917 bytes long.
A check with the local Nashua phone company found no listing for
such a company, and no WileySoft Corporation was registered in the
state of New Hampshire.
VIRUSCAN users should be aware of this trojan program. Please
check that your executable module is exactly 34400 bytes long. All
versions of VIRUSCAN have been this length and all future versions
are planned to have the same length. Ensure that the McAfee
Associates copyright is displayed with the version ID and phone
number in the first display line. If there are any questions about
the validity of your program, an original copy may be downloaded
from HomeBase, 408 988 4004, from SIMTEL20 or some other reliable
source.
John McAfee ..-....
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253