home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.173
< prev
next >
Wrap
Text File
|
1995-01-03
|
6KB
|
139 lines
VIRUS-L Digest Friday, 11 Aug 1989 Volume 2 : Issue 173
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on
accessing anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: LaserWriter (Mac)
Re: DataCrime II - tiny clarification (PC)
Re: Memory Resident ViruScan (PC)
DATACRIME-2 (PC)
---------------------------------------------------------------------------
Date: Thu, 10 Aug 89 09:13:59 -0400
From: Tom Coradeschi <tcora@PICA.ARMY.MIL>
Subject: Re: LaserWriter (Mac)
>Is there such a thing as a LaserWriter virus on an AppleTalk net? We
>printed out a directory listing from a MacII hooked to a net and on
>two of the pages got these large black lock-like looking things in the
>middle of the page. The funny thing is, they were different sizes,
>one was big, one was small.
If the lock looking things were next to files or folders, (assuming
you sorted the directory by name, type, size or date, of course) that
means that the files they were adjacent to are locked. Select those
files under the Finder and to a "Get Info..." (CMD-I), and you should
see the locked file checkbox marked. If the locks _aren't_ next to any
files... you got me swingin'.
tom c
Electromagnetic Armament Technology Branch
US Army Armament Research, Development and Engineering Center
Picatinny Arsenal, NJ 07806-5000
ARPA: tcora@pica.army.mil
UUCP: ...!{uunet,rutgers}!pica.army.mil!tcora BITNET: Tcora@DACTH01.BITNET
------------------------------
Date: 10 Aug 89 20:52:18 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: DataCrime II - tiny clarification (PC)
The comments about the cache usage on datacrime2 is somewhat
fallacious... while there is most certainly the 6 byte instruction on
board the chip and its status is relayed via signal pins to external
devices... that is not the reason why CV and debug lose control during
the jmp to loc 124(1 byte into a multibyte instruction...the actual
reason is that while tracing under cv a set of internal simulation
registers are continually utilized, the jump into the middle of an
instruction causes them to lose synchronization with the program
running...these simulation registers are what allow the debugger to
disassemble code correctly... TurboDebug's ability to merely handle
the the situation without error merely means that more robust code is
executing than codeview...(I have the latest for both and have tested
both) datacrime2 code was more unique than most viruses in this regard
but hardly very sophisticated...
cheers
kelly
p.s. before suspecting true skulduggery exmine the tool for fallacious
results!! disclaimer I do not represent Amdahl Corp...or Onsite
consulting I represent me(myself only)
------------------------------
Date: Thu, 10 Aug 89 09:14:56 -0400
From: bnr-vpa!bnr-fos!bnr-public!mlord@gpu.utcs.toronto.edu (Mark Lord)
Subject: Re: Memory Resident ViruScan (PC)
Would you consider perhaps someday posting VIRUSCAN to
comp.binaries.ibm.pc ?
I know I would love to have a copy, and there are probably thousands
of other interested onlookers as well. I know there are archive
sites, but that doesn't help those of us who lack BITNET and FTP
access.
Cheers,
- -Mark
------------------------------
Date: Thu, 10 Aug 89 22:20:31 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: DATACRIME-2 (PC)
I just caught David Chess's posting about the Datacrime-2 virus.
He's absolutely correct about the ease in bypassing the virus's
de-garbling code. Not that I had a chance to find out for myself. As
I was psyching myself up to the disassembly challenge, John McAfee
sent me two very good and well commented disassemblies, one of which,
I believe, was from David Chess himself. It's not very satisfying to
settle for someone else's disassembly, no matter how well done, but
it's even harder to do your own when at least two are in front of your
face. Which leads me to a question. Why do three or four dozen
people (at least) disassemble every new virus that pops up? I'm not
complaining in the least. Just wondering if some of us are redundant.
Should we maybe draw straws to see who gets to do the next one, and
the rest of us go see a movie or something instead? I don't know.
But back to the Datacrime-2. Even though, as I was shown, you can set
a breakpoint at 124H, it is still unnerving not to be able to single
step a virus. I like to take my time - do one instruction and
contemplate it. Savor the meaning of a single branch instruction; the
simplicity of an XOR; the power of a multiply. To be forced to submit
to the brutal pace of two to three hundred operations per millisecond
- - even for a short loop - is not my idea of a good time. And as to
Dave's comment about adding 90 seconds to his disassembly time, he can
only speak for himself. When MY debugger kicked out to DOS, I spent
at least a half hour trying to figure out which virus had infected my
debugger, and how could I have been so stupid as to let it happen. I
spent the next half hour complaining about the bug in Codeview, and
the half hour after that I watched a 1963 Andy Griffith Show on
television to try and calm down. So I'm not so sure the virus
designer was just showing off. He/she/it nearly off'd one of us.
Alan Roberts
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
