home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.194
< prev
next >
Wrap
Text File
|
1995-01-03
|
13KB
|
300 lines
VIRUS-L Digest Monday, 18 Sep 1989 Volume 2 : Issue 194
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
RE: How does one disinfect nVIR from an Appletalked net
Re: Source of virus reading material
October 12'th virus... (PC)
Where to Find a Copy of the Dirty Dozen List
Mac System File access time
Adobe Illustrator/68030 (Mac)
Re: A question on detecting viruses on bootable disks (PC)
Re: October 12th Virus (PC)
Re: Virus? or what? (PC)
New .COM virus (PC)
---------------------------------------------------------------------------
Date: Fri, 15 Sep 89 09:51:54 -0400
From: dmg@lid.mitre.org (David Gursky)
Subject: RE: How does one disinfect nVIR from an Appletalked network
To answer your question literally, one Mac at a time....
1) Get a copy of Disinfectant 1.2. This detects and removes all known
versions of nVIR. Also get a copy of Gatekeeper 1.1.1. Both of these are
available from the Info-Mac archives on SUMEX-AIM.STANFORD.EDU.
When you finally get Disinfectant, and de-Binhex it and de-Stuffit, make
sure the diskette you keep it on is write-protected!!! This is very
important; a virus cannot infect an application on a write-protected
diskette!
2) Pick any Mac on your LAN, and run Disinfectant on the disk. This will list
all the infected files. Here you have two options:
a) Throw out all the infected files and restore them from the original
master diskettes *or*
b) Use the disinfect feature of Disinfectant to remove nVIR from the
infected applications.
a is the more effective treatment, but b may be a more practical solution.
3) Once the disk is "clean", put a copy of Gatekeeper in the System Folder,
and reboot the machine. Gatekeeper is a cdev that detects attempts to
infect applications and System files. I refer you to the documentation
that accompanies Gatekeeper for instructions on how it works, in depth.
4) Repeat steps 1 through 3 for each Mac. After this, you may wish to check
floppy disks you have around for infection, but that is up to you.
As to your other questions, Disinfectant not only detects and kills
nVIR, but the various strains of it (such as MEV#, AIDS, nFLU, and so
on), as well as Scores, INIT 29, ANTI, and MacMag. In short, it
detects and kills all known Mac viruses.
As far as tracing the source, well, that can be a hard thing to do.
You can look at the time the infected files were last modified, and
this should give you some form of a "traceback", but it is not a
certainty that you will be able to garner the source of the infection
from it.
Lastly, you ask about prgrams that can continually monitor for signs
of infection. Gatekeeper is such an application. Other tools that do
this are Vaccine (also available on the SUMEX archive), and SAM (a
commercial application written by Paul Cozza and published by
Symantec, and a very good application from what I understand).
David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
------------------------------
Date: Fri, 15 Sep 89 10:47:23 -0500
From: m19940@mwvm.mitre.org (Emily H. Lonsford)
Subject: Re: Source of virus reading material
Two good books are: "Computer Viruses:a High-Tech Disease" by Ralf
Burger, Abacus Software. [contains examples!!] and "Computer Viruses"
by Ralph Roberts, COMPUTE! Publications Inc. The "real scoop" from
the first few victims can be found in the April 89 issue of Computers
& Security.
Also IBM has a free publication called "Coping with Computer Viruses
and Related Problems" which may be ordered from IBM Thomas J. Watson
Research Center, Distribution Services F-11 Stormytown, Box 218,
Yorktown Heights, NY 10598.
It's difficult to give a comprehensive list because there's a new
article or book out almost every day. Good luck and happy reading.
* Emily H. Lonsford *
MITRE - Houston W123 (713) 333-0922
[Ed. As Emily points out, Ralf Burger's book contains, for better or
for worse, source code examples of several viruses. This was a topic
of discussion here on VIRUS-L some time back - most people seemed
shocked that such a book would ever be published. Indeed, the book is
readily available at bookstores as well as from the publisher.]
------------------------------
Date: Fri, 15 Sep 89 16:34:06 -0400
From: angelo@pilot.njin.net (Michael F. Angelo)
Subject: October 12'th virus... (PC)
Okay,
I have heard lots of rumours about this virus. I would like
it if someone could PLEASE answer the following questions:
1- What is this viruses signature?
2- Is there any program out there that will locate all
the DATACRIME virus strains? ( I think there are
3 -> 5 )...
3- How wide spread is the virus? ( Can be conjecture :-> ).
Thanx much...
Michael F. Angelo
------------------------------
Date: Fri, 15 Sep 89 14:39:55 -0600
From: Chris McDonald ASQNC-TWS-RA <cmcdonal@wsmr-emh10.army.mil>
Subject: Where to Find a Copy of the Dirty Dozen List
Version 9.0, Jul 89, of the Dirty Dozen list is available on simtel20.
A compressed copy resides on pd1:<msdos.trojan-pro>dirtydz9.arc.1.
The file is available on an "anonymous" ftp.
Chris Mc Donald
White Sands Missile Range
------------------------------
Date: Fri, 15 Sep 89 16:22:00 -0400
From: Peter W. Day <OSPWD%EMUVM1.BITNET@VMA.CC.CMU.EDU>
Subject: Mac System File access time
Someone recently mentioned that they were having problems loading an
application (not enough memory), noticed that the Modified date on
their Mac System File had changed, wondered if they had a viral
infection, but could not detect any with Disinfectant. The System file
gets modified whenever the Chooser is run, so a change in the Modified
date does not in itself indicate infection. While I don't know the
cause of the suddenly inadequate memory, the user should try removing
all INITS from theSystem Folder and then see if the program will load.
------------------------------
Date: Fri, 15 Sep 89 11:07:11 -0400
From: Thomas Neudecker <tn07+@andrew.cmu.edu>
Subject: Adobe Illustrator/68030 (Mac)
The recent question regarding problems in running Adobe Illustrator '88
on a Mac SE/30 or IIcx is not a virus but rather a bug in the program.
Adobe has a bug fix version 1.8.3 that is available to registered owners.
------------------------------
Date: 16 Sep 89 14:20:04 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: A question on detecting viruses on bootable disks (PC)
A reply to "A question on detecting viruses on bootable disks (PC)" from
Damon Kelley.
> I've recently read George Woodside's file on how viruses work
> obtained from SIMTEL20.ARPA, VIRUS101.001-004). He says that a virus
> latches on a read/write interrupt to spread itself.
Most of the boot sector viruses (BSV) do, but not all. The Yale/Alameda
virus hooks into the keyboard interrupt, and will only spread when the
Ctrl-Alt-Del combination is pressed. A program virus will of course
use an entirely different method.
> Would the instructions the interrupt calls be near or located at the
> first JMP instruction in the boot sector?
No. In fact the new interrupt routine does not have to be located in the
boot sector at all. Many BSV only store a small part of their code on the
boot sector, the rest (and the original boot sector) may be located
somewhere else on the diskette.
Most, (but not all) boot sectors contain a JMP instruction at the
start. All disks formatted by the FORMAT command contain either a 3-byte
JMP (DOS 2.x) or a 2-byte JMP (DOS 3.x and 4.x). This JMP instruction
transfers control to a sequence of instructions, usually starting like this:
CLI
XOR AX,AX
MOV SS,AX
MOV SP,7C00
:
:
Most BSV replace the original boot sector with a new one. The new boot
sector may look very similar to an uninfected one, or it may be obviously
different (Not containing the "Not a system disk" message for example)
Note that the virus boot sector may contain the same instructions as listed
above.
> From reading a certain reference that concerns the programming of
> the IBM PC, I have the impression that that JMP instruction in the
> boot sector is quite consistent for the type of PC a user uses.
No, no, no. If the boot sector starts with a JMP instruction at all
(and the boot sectors of many "autoboot" games don't) it does not depend
upon the type of machine, but rather the program used to format the
disk.
> If that JMP instruction is changed, does that signal a virus present,
Yes, but it is impossible to know if it has been changed, without keeping a
copy of the original boot sector.
> or have virus writers skipped around that limitation and had the virus
> write over what code is found at that JMP destination?
No - most of them just replace the boot sector.
Fridrik Skulason University of Iceland
frisk@rhi.hi.is
Guvf yvar vagragvbanyyl yrsg oynax .................
------------------------------
Date: Sat, 16 Sep 89 15:40:02 -0400
From: Lee Sailer <UH2@PSUVM.PSU.EDU>
Subject: Re: October 12th Virus (PC)
I am new to this virus watching business. There is a bit of logic that
I don't understand. Several of you have said that since there are
only seven reported occurrances in the US, it isn't much of a threat.
But, since the virus lays low til 10/13, couldn't many people be infected
but not know? My environment is a small college with about 200 virus-
innocent faculty and staff. Our computer center has only just begun
to look for viruses. I bet none of the faculty have a virus detector,
and certainly the secretaries don't.
If one of these destructive viruses got a foothold in a place like this,
couldn't it spread quite a bit between now and 10/13?
lee
------------------------------
Date: Sat, 16 Sep 89 10:14:00 -0500
From: hutto@icarus.riacs.edu (Jon Hutto)
Subject: Re: Virus? or what? (PC)
Well, 've found the probablem, (The one thing after everything doesn't work)
I had a messed up cable. Oh well.. Life goes on.
------------------------------
Date: Sun, 17 Sep 89 13:10:03 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: New .COM virus (PC)
I though the following message on HomeBase from John McAfee might be of
interest:
We have received a new encrypting .COM infector from Dave Chess at
IBM and have updated the VIRUSCAN program to be able to identify it.
Please download SCANV37.ARC and replace your current version of SCAN.
We are trying to find out how widespread this virus may be, so if
anyone identifies this virus using SCAN, please contact us
immediately. We know little about this virus as yet, but three
volunteers are currently analyzing it. We should have a report by the
21st. The only indications so far are: It increases the size of
infected COM files by 3555 bytes; It is able to infect COMMAND.COM; it
has a 50 byte encryption routine, similar to DATACRIME II; It infects
COM files at the time that the infected program is loaded - it does
not appear to be memory resident; It sometimes cause the message -
"Error Writing to Device AUX1" to occur at the time an infected
program is executed. We have no indication of activation date or
function at this time. Again PLEASE contact the board if SCAN
displays the message - "Found 3555 virus".
Thanks. John
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253