home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.185
< prev
next >
Wrap
Text File
|
1995-01-03
|
13KB
|
308 lines
VIRUS-L Digest Tuesday, 5 Sep 1989 Volume 2 : Issue 185
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Anti-Virus/Virus Listing
Re: Is this a virus? (PC)
RE: capturing viruses (Mac)
Columbus Day Virus and Lehigh (PC)
Re: Is this a virus? (PC)
Virus or no? Help please (PC)
Re: is this a virus? (PC)
Kim's question concerning FATs (PC)
removing a floppy then Retry (PC)
Columbus Day "virus" (PC)
Re: Virus Naming
Appleshare and viruses ?
---------------------------------------------------------------------------
Date: Fri, 01 Sep 89 06:28:54 -0700
From: portal!cup.portal.com!Chuck_SirVAX_Staatse@apple.com
Subject: Anti-Virus/Virus Listing
I teach a class on hard disk management. Naturaly I cover virues, but
do not have a list of virus names and what programs are currently
available to combat these viruses. Coulde someone please post a list
of this information. Could you also include some information about
the CV group who are working to combat these viruses.
Thanks, Chuck
------------------------------
Date: 01 Sep 89 00:00:00 +0000
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: Re: Is this a virus? (PC)
> ...if I answer "r" to the
> massage and puting a non-protected diskette, then the FAT and
> DIRECTORY of the protected diskette is transfered to the second non
> protected diskette(and the files that I copied to).
DOS has always done this, I think. I believe some versions of the
documentation Strongly Warn against switching diskettes during the
"Abort, Retry..." message. I realize that may not be much
consolation! But it's not a virus, at least...
DC
------------------------------
Date: Fri, 01 Sep 89 10:19:00 -0400
From: "Alex Z." <ACSAZ@SEMASSU.BITNET>
Subject: RE: capturing viruses (Mac)
Well, with a virus (take scores for example), you could identify the
infected files and then view them with a utility like Fedit+. I think
that would be a better way to view the code than Resedit.
Alex Z... . . .
------------------------------
Date: Fri, 01 Sep 89 08:11:05 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Columbus Day Virus and Lehigh (PC)
Ken van Wyk asks about the Columbus day Virus. It's the same as
the DataCrime virus versions one and two (not to be confused with the
DataCRime II). Columbus day is October 12. The Datacrime versions 1 and 2
activate on October 12. I would discourage the use of "Columbus Day Virus"
as a name, since DatCrime has been an accepted name for quite some time.
Also, the Lehigh original virus has been sporadically reported at
dozens of installations outside of the university for over a year. It is
not a particulary successful replicator -- probably because of the extremely
short activation fuse - and it is difficult to detect and report because
there are few symptoms prior to activation. Buit there should certainly be
no surprise that it's in the public domain. In John McAfee's report to the
CVIA on epidemiology he writes - "The belief that viruses can be contained
by early counter-action is belied by the Lehigh University experience. I
have spoken to a number of individuals at the University who belived that
the virus had somehow been contained because "no copies of the virus were
distributed to outside organizations". This assumed, of course, that the
original virus writer gave up after being foiled at Lehigh and did not insert
the virus at any other location, and that all copies of the virus at Lehigh
had indeed been accounted for. The first issue rests solely in the hands of
the perpetrator and is beyond any containment controls. The second issue
relies on an error-free containment process - allowing no possibility for
overlooking, losing or mistaking an infected diskette. In any case, the
Lehigh virus was by no means contained. I received a copy, as did virtually
every virus researcher, in mid-1988, and infection reports issued throughout
the year from universities, corporations and individual computer users."
I think John said it better than I could, but my sentiments exactly.
Alan
------------------------------
Date: Fri, 01 Sep 00 11:51:00 -0400
From: Bob Babcock <PEPRBV%CFAAMP.BITNET@IBM1.CC.Lehigh.Edu>
Subject: Re: Is this a virus? (PC)
>When I copy some
>files to a floppy but I misput a write protected diskette, I find the
>error massage "retry, ...". At this time, if I answer "r" to the
>massage and puting a non-protected diskette, then the FAT and
>DIRECTORY of the protected diskette is transfered to the second non
>protected diskette(and the files that I copied to). Is this a DOS's
>bug or a virus?
This is a known behavior of MS-DOS. The directory and FAT have
already been read before the write protect error is sensed, and
when you say retry, DOS doesn't know that you have changed disks,
so it doesn't reread the directory info.
------------------------------
Date: Fri, 01 Sep 89 12:31:00 -0400
From: <ACSAZ@SEMASSU.BITNET>
Subject: Virus or no? Help please (PC)
At our university a student came in and described a problem with
his AT compatible and wondered if it was a virus. The symptoms
follow:
1. lots of garbage on screen.
2. repeat of dos prompt across the screen.
3. I view all my files with .sys and found word BUG .
4 I could't do any work at the time, but following day all
seemed okay.
Any of you IBM specialists have any ideas on this one?
Alex Z... . . .
Library Mac Software Chief
SMU
------------------------------
Date: Fri, 01 Sep 89 16:55:59 -0500
From: Joe Simpson <JS05STAF@MIAMIU.BITNET>
Subject: Re: is this a virus? (PC)
In response to the question about the FAT from a locked disk being
written to another disk this is a feature of MS-DOS, not a virus.
Another chilling scenario conserns running an application such as a
word processor, opening a document, exchangeing data diskettes, and
saving a "backup" of the file. This often hoses the "backup" disk and
sometines affects the origional file.
------------------------------
Date: 01 Sep 89 15:41:00 -0400
From: "Damon Kelley; (RJE)" <damon@umbc2.umbc.edu>
Subject: Kim's question concerning FATs (PC)
In response to Kim:
I'm no expert at MS-DOS or software-stuff, but I've been poking
around in my computer's memory long enough to believe that what you
are describing may be normal with MS-DOS. Often I see that within
memory, data stays in its assigned spot until something moves or
writes over it. I notice this effect with a certain software
word-processing/graphing/spreadsheet package I have. Sometimes when I
am retreiving data with my package, I place a data disk first before
putting in the main program disk. The program needs to do something
with the disk with the main program first, so the package asks for the
main program disk. Whe the directory pops up for the main program
disk, it shows a conglomeration of the files on the curent disk PLUS
the files that were on the removed data disk and some random garbage.
Nothing grave has happened to my files with this package (It came with
my computer. It wasn't PD/Shareware, either.), so I feel that this
may be either a DOS bug (not writing over completely the FAT) or
something normal. Of course, I've never really had an opportunity to
look at the directory track on any disks, so I can't confirm that this
is absolutely true. I can find out. Has anyone out there found mixed
FATs affecting the performance of their disks?
jnet%"damon@umbc"
damon@umbc.bitnet
damon@umbc2.umbc.edu
"Would anyone dare let me represent their views? I think not!!!"
------------------------------
Date: Sat, 02 Sep 89 00:00:00 +0000
From: "Prof Arthur I. Larky" <AIL0@LEHIGH.BITNET>
Subject: removing a floppy then Retry (PC)
> I 'm a college student studying physics. Now I have discovered a
> suspicious thing about MS-DOS's behavior in my sense. When I copy some
> files to a floppy but I misput a write protected diskette, I find the
> error massage "retry, ...". At this time, if I answer "r" to the
> massage and puting a non-protected diskette, then the FAT and
> DIRECTORY of the protected diskette is transfered to the second non
> protected diskette(and the files that I copied to). Is this a DOS's
> bug or a virus?
It's a "feature" of MSDOS - when you attempt to write on a floppy,
MSDOS reads the FAT and Directory and re-writes it when you are done.
If you swap floppies, you get the old information on the new disk.
The rule is: NEVER NEVER replace a floppy with another in the middle
of a write or a write protect error. Pick the Abort option, not the
Retry option; then start the process all over.
Anyway, it's not a virus, it's just Bill Gates getting even with the
world for making him a billionaire.
Art Larky
CSEE Dept
Lehigh University
------------------------------
Date: Sat, 02 Sep 89 16:05:53 -0400
From: dmg@lid.mitre.org (David Gursky)
Subject: Columbus Day "virus" (PC)
Yes, I have heard of the "Columbus Day 'virus'". What I have heard is
a pronouncement from a certain Dr. S. that this thing exists and on
Friday, October 13th, this bugger is going to strike and start causing
problems.
IMO, this sounds suspiciously like the Jerusalem/Hebrew University
virus, *at this point*.
Emily Lonsford, a fellow MITRE-ite and contributor here, has meet Dr.
S., and was less then impressed with him and his techniques.
Of course, none of this means that this virus does not exist as a
seperate strain from existing viruses. Barring independant
confirmation of this virus, my opinion is that no extraordinary action
is needed.
[Ed. Thanks for the info - in fact, I received a number of replies
about the Columbus Day virus. Most replies indicated that it was the
DataCrime virus. Thanks to all those who replied!]
------------------------------
Date: 03 Sep 89 18:58:31 +0000
From: dav@eleazar.dartmouth.edu (William David Haas)
Subject: Re: Virus Naming
In article <0001.8909011255.AA07043@ge.sei.cmu.edu> ttidca.TTI.COM!hollombe%sdc
svax@ucsd.edu (The Polymath) writes:
<EICHTER@Venus.YCC.Yale.Edu (Jerry Leichter) writes:
<}... When the discoverer doesn't choose a name, the disease
<}often gets named after him (Wernickie's Aphasia).
<
<I think this is the way to go for simple psychological reasons.
<Naming a virus for its discoverer is a strong discouragement to the
<virus writers. Imagine the frustration of writing what you think is a
<really nifty virus, only to have someone else's name associated with
<it. Not much incentive there.
<
<There's more than one way to fight this war.
And then you will have virus writers 'discovering' their own work to
their name on it.
------------------------------
Date: 04 Sep 89 01:18:53 +0000
From: gilbertd@silver.bacs.indiana.edu (Don Gilbert)
Subject: Appleshare and viruses ?
What are the conditions under which current Mac viruses can
infect files on Appleshare volumes?
a. All ashare files are susceptible if volume is mounted
to an infected Mac.
b. Only files in write- AND read-enabled folders are
susceptible.
c. Files in write-enabled folders are susceptible (read
access doesn't matter).
d. Files in read-enabled folders are susceptible (write
access doesn't matter).
e. Gee, the students are back in town, better lock up your
file servers.
Don Gilbert biocomputing office
gilbertd@iubacs.bitnet gilbertd@gold.bacs.indiana.edu
biology dept. indiana univ. bloomington, in 47405 usa
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253