VIRUS-L Digest Friday, 4 Aug 1989 Volume 2 : Issue 168
Today's Topics:
Israeli boot viruses; New UnVirus (PC)
New FTP source for anti-virals (PC) - Internet access required
IBM Australian/Stoned Virus (PC)
Re: viruses that reprogram ANSI keys
Re: Shareware? Hmm... (Mac)
---------------------------------------------------------------------------
Date: Thu, 03 Aug 89 17:07:48 +0300
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: Israeli boot viruses; New UnVirus (PC)
Israeli boot-sector viruses
---------------------------
At least two boot-sector viruses were discovered in Israel recently.
One, which hooks interrupt 17h and causes letters sent to the printer
to be replaced by similar sounding ones, was reported by Yair Gany and
by myself in VIRUS-L at the end of June. I referred to it then as the
"Mistake" virus, but I now prefer the name "Typo".
Another virus, mentioned by John McAfee a few days ago, was
described only as being a boot-sector virus discovered in Israel; he
suggested calling it the "Israeli Boot" virus since he thought that no
such viruses had been reported from Israel previously. But since the
Typo is also a boot-sector virus, John's suggestion is inappropriate.
I have not yet seen the new virus in action, but according to info
sent me by Yuval Tal, it causes letters on the screen to fall. (There
are two other viruses which fit this description: the Cascade/Autumn/
Blackjack virus and the Traceback virus, but they infect files, not
boot sectors.) I suggest we call it the Swap virus, since the words
SWAP VIRUS FAT12 appear in the modified boot sector.
New version of UNVIRUS
----------------------
A few weeks ago I offered to send the virus-eradicating program
UNVIRUS to anyone who wanted it. It has now been updated to eradicate
many more viruses. I have sent a package UNVIR6.ARC to Keith Petersen
for uploading to the SIMTEL20 archive. It consists of the following
three files:
UNVIR6.DOC              Instructions for use of the following two programs.
UNVIRUS.EXE (Vers. 6)   Eradicates Israeli (2 strains), Ping-Pong, Brain, Typo,
                        April-1-Com, April-1-Exe.
IMMUNE.EXE (Vers. 5)    Prevents infection by Israeli and April-1 viruses and
                        notifies of presence in RAM of any boot-sector virus.
The authors (Yuval Rakavy and Omri Mann) plan to extend UNVIRUS to
many more viruses in the near future, but they always give priority to
those which have appeared in Israel. The next virus on the list will
evidently be the Swap virus.
Y. Radai
Hebrew Univ. of Jerusalem
P.S. Please do not send requests for UNVIR6 to me. If it is not
yet on SIMTEL20 it soon will be.
------------------------------
Date: Thu, 03 Aug 89 12:15:52 -0500
From: kichler@ksuvax1.cis.ksu.edu (Charles Kichler)
Subject: New FTP source for anti-virals (PC) - Internet access required
The following files dealing with computer viruses are now available by
anonymous ftp (file transfer protocol) from 'hotel.cis.ksu.edu' [Ed.
IP number is 129.130.10.12] located in Computer Science Dept. at
Kansas State University, Manhattan, KS. The files have been and will
be collected in the future from reliable sources, although no warranty
is implied or stated. I will attempt to update the files as often as
possible. If anyone becomes aware of new updates or new anti-viral
programs, let me know. All files are in the /ftp/pub/Virus-L
sub-directory.
./ DETECT2.ARC.1 GREENBRG.ARC.1 VACCINE.ARC.1
../ DIRTYDZ9.ARC.1 IBMPAPER.ARC.1 VACCINEA.ARC.1
00-Index.doc DPROT102.ARC.1 IBMPROT.DOC.1 VACI13.ARC.1
ALERT13U.ARC.1 DPROTECT.ARC.1 INOCULAT.ARC.1 VCHECK11.ARC.1
BOMBCHEK.ARC.1 DPROTECT.CRC.1 MD40.ARC.1 VDETECT.ARC.1
BOMBSQAD.ARC.1 DVIR1701.EXE.1 NOVIRUS.ARC.1 VIRUS.ARC.1
CAWARE.ARC.1 EARLY.ARC.1 PROVECRC.ARC.1 VIRUSCK.ARC.1
CHECK-OS.ARC.1 EPW.ARC.1 READ.ME.FIRST VIRUSGRD.ARC.1
CHK4BOMB.ARC.1 F-PROT.ARC.1 SCANV30.ARC.1 pk36.exe
CHKLHARC.ARC.1 FILE-CRC.ARC.2 SENTRY02.ARC.1 pk361.exe
CHKSUM.ARC.1 FILECRC.ARC.2 SYSCHK1.ARC.1 uu213.arc
CHKUP36.ARC.1 FILETEST.ARC.1 TRAPDISK.ARC.1
CONDOM.ARC.1 FIND1701.ARC.1 TROJ2.ARC.1
DELOUSE1.ARC.1 FSP_16.ARC.1 UNVIR6.ARC.1
The current list only includes programs for MS/PC-DOS computers. I will
continue to expand the collection to include some worthwhile textual
documents and possible programs for other machines and operating systems.
The procedure is to first ftp to the hotel.cis.ksu.edu. [Ed. type:
ftp hotel.cis.ksu.edu (or ftp 129.130.10.12). Enter "anonymous"
(without the quotes) as a username and "your id" as a password.] Then
use 'cd pub/Virus-L'. Next get the files you would like. You will
need the 'pk361.exe' to expand the ARChived programs. Be sure to
place ftp in a binary or tenex mode [Ed. type "bin" at ftp> prompt].
Please note that the highly recommended VirusScan program
(SCANV30.ARC.1) is available.
If there are any questions, send mail to me and I will make every effort
to help you as soon as time allows.
[Ed. Sorry for all the editorial comments... And thank you for all of
your efforts, Chuck!]
Charles "chuck" E. Kichler, Into. to PC Instructor/Co-ordinator
Computer & Info. Science Kansas State Univ. * Yesterday,
Internet: kichler@ksuvax1.cis.ksu.edu | I knew the answers.
BITNET: kichler@ksuvax1.bitnet * Today,
UUCP: {rutgers,texbell}!ksuvax1!kichler | they changed the answers.
------------------------------
Date: 04 Aug 89 07:35:42 -0100
From: Jeff Raynor <raynor@rzsin.sin.ch>
Subject: IBM Australian/Stoned Virus (PC)
One of my colleagues has just become infected with the
"Stoned/Australian" virus and contacted me for help. I have
searched through my VIRUS-L archives for information.
There seem to be few specific details of what part of the hard
disk it infects, or of how to remove it. The best information was
on 8-May-89 from Alan_J_Roberts/Jim Goodwin:
>..this virus stores itself between the partition table and the
> first partition.
According to Norton Utilities, Absolute sector Side 0, Cylinder
0, Sector 1 is my partition table, while Sector 2 is the start of
my DOS partition. Where is the virus supposed to reside? At the
end of the 1st sector, or is there an error in my sector
numbering?
There is further mention that SYS fails to remove the virus (I
can confirm that), but recommends MDISK. I have downloaded the
<MSDOS.TROJAN-PRO>MD40.ARC from Simtel, but find that it is DOS
version specific, MD40 is for DOS 4.0 only. In this case, I need
MD32, but would like MD30 and MD33 as we run 3.1 and 3.3 here. I
would also like to see a DOS independent algorithm to remove the
virus manually using DEBUG low-level read/writes or a Disk
editor.
Thanks for your help
Jeff Raynor
EARN: RAYNOR@RZSIN.SIN.CH
Post: Paul Scherrer Institut, Badenerstrasse 569,
8048 Zurich, Switzerland.
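The sector-numbering question above can be checked against the partition table itself. The following is an added example, not part of the original post: it parses the partition sector, converts the first partition's start address to a zero-based absolute sector, and lists which sectors in the gap before that partition hold data. The image, the geometry (4 heads, 17 sectors per track) and the partition values are constructed for the illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"     # last two bytes of a valid partition sector

def parse_partition_table(sector):
    """Return the non-empty entries of a 512-byte partition sector."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid partition sector")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        boot, head, sec, cyl, ptype, _, _, _, rel, count = struct.unpack("<8B2I", raw)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        # Start CHS: sector is the low 6 bits, cylinder gets the top 2 bits.
        chs = (cyl | ((sec & 0xC0) << 2), head, sec & 0x3F)
        entries.append({"active": boot == 0x80, "type": ptype,
                        "start_chs": chs, "start_rel": rel, "sectors": count})
    return entries

def chs_to_abs(chs, heads, spt):
    """Zero-based absolute sector for a (cylinder, head, sector) address.
    CHS sectors count from 1, so side 0, cylinder 0, sector 1 is absolute 0."""
    c, h, s = chs
    return (c * heads + h) * spt + (s - 1)

def gap_sectors(entries):
    """Absolute sectors after the partition sector and before the first partition."""
    return list(range(1, min(e["start_rel"] for e in entries)))

def nonblank(image, sectors):
    """Sectors from the list that contain any non-zero byte."""
    return [n for n in sectors if any(image[n * SECTOR:(n + 1) * SECTOR])]

def build_sample():
    """Constructed 18-sector image: 4 heads, 17 sectors/track, one partition."""
    image = bytearray(SECTOR * 18)
    image[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<8B2I", 0x80, 1, 1, 0, 0x04, 3, 17, 100, 17, 6851)
    image[510:512] = SIGNATURE
    image[6 * SECTOR:6 * SECTOR + 4] = b"DATA"   # constructed non-blank gap sector
    return bytes(image)

if __name__ == "__main__":
    img = build_sample()
    table = parse_partition_table(img[:SECTOR])
    gap = gap_sectors(table)
    print("first partition starts at absolute sector", table[0]["start_rel"])
    print("gap sectors holding data:", nonblank(img, gap))
```

On a real disk the image would be a raw read of the first track, and the geometry passed to `chs_to_abs` must match the drive.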
------------------------------
Date: 03 Aug 89 22:18:25 +0000
From: hutto@attctc.Dallas.TX.US (Jon Hutto)
Subject: Re: viruses that reprogram ANSI keys
They don't usually harm people using communications software as much as
they do BBS's, because the sequences are set for only certain directories,
and files.
IBM's ANSI.SYS doesn't let you filter them out either. There are some
ANSI substitutes that do, such as NANSI, and PC-Mag had one in an issue
called ANSI.COM.
--
Jon Hutto PC-Tech BBS (214)271-8899 2400 baud
USENET: {ames, texbell, rutgers, portal}!attctc!hutto
INTERNET: hutto@attctc.dallas.tx.us or attctc!hutto@ames.arc.nasa.gov
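A filter of the kind discussed above, as an added example that is not part of the original post and not the code of NANSI or ANSI.COM: it removes ANSI.SYS keyboard-reassignment sequences (ESC [ ... p) from text while leaving other escape sequences such as colour changes in place. Quoted string parameters are tracked so that letters inside them are not mistaken for the end of the sequence; the sample text is constructed.

```python
ESC = 0x1B

def scan_csi(data, start):
    """Parse an ESC [ sequence beginning at `start`.
    Returns (final_char, end_index), or None if the sequence is unterminated."""
    i, quote = start + 2, None
    while i < len(data):
        b = data[i]
        if quote is not None:
            if b == quote:              # closing quote of a string parameter
                quote = None
        elif b in b"\"'":
            quote = b                   # opening quote of a string parameter
        elif not 0x30 <= b <= 0x3F:     # digits and ';' are parameter bytes
            return chr(b), i + 1        # anything else ends the sequence
        i += 1
    return None

def strip_key_reassignments(data):
    """Return (cleaned_bytes, findings); findings are (offset, sequence) pairs."""
    out, found, i = bytearray(), [], 0
    while i < len(data):
        if data[i] == ESC and data[i + 1:i + 2] == b"[":
            hit = scan_csi(data, i)
            if hit and hit[0] == "p":   # final byte 'p' = key reassignment
                found.append((i, data[i:hit[1]]))
                i = hit[1]
                continue
        out.append(data[i])
        i += 1
    return bytes(out), found

# Constructed sample: a colour sequence (kept) and a reassignment of F1 (removed).
SAMPLE = (b"Welcome\x1b[1;32m to the board"
          b"\x1b[0;59;\"type readme\";13p\r\nBye\x1b[0m")

if __name__ == "__main__":
    clean, hits = strip_key_reassignments(SAMPLE)
    for offset, seq in hits:
        print("removed key reassignment at offset", offset, repr(seq))
    print(repr(clean))
```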
------------------------------
Date: Thu, 03 Aug 89 08:21:33 -0400
From: "W. K. Bill Gorman" <34AEJ7D@CMUVM.BITNET>
Subject: Re: Shareware? Hmm... (Mac)
Yeah, I know - wrong list, but...
Wouldn't it be interesting if others, say auto dealers, took
this same position, i.e., since one has the use of a vehicle purchased from
them, kick in the difference in price between, say, the '89 and '90 models?
Yeow!!! :-)
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253