Text File | 1995-01-03 | 9KB | 256 lines

VIRUS-L Digest   Tuesday, 19 Sep 1989    Volume 2 : Issue 196

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

 - Ken van Wyk

Today's Topics:

    Macintosh Virus
    oct 13 virus (PC)
    nbbs virus simulator (PC)
    123 protected mode virus (PC)
    F-PROT anti-virus package (PC)
    have you a name for (what might be) a virus (PC)

---------------------------------------------------------------------------
Date: Tue, 19 Sep 89 09:48:00 -0400
From: "JOHN P. BRADLEY"
Subject: Macintosh Virus
Howdy!
Well it was bound to happen - why should we be any different? We
believe we have discovered a virus in our microcomputer lab. So far, we
have only found one contaminated diskette. This is a MAC station disk
used for booting a MAC to work with Appleshare. We ran VIRUS Rx and it
confirmed a user's suspicion. The report from VIRUS Rx detected the
presence of the SCORES virus (or so it seemed to indicate).
Has anyone else had a similar experience and could offer any ideas
on how to proceed? At present, we are beginning to check all station disks
and offering to check any user's disks for a virus. The next step is
education of the users, hoping that this won't get out of hand.
Any ideas would be greatly appreciated.
==========================================================================
! John P. Bradley ! U.S. Mail : Hawkins Hall, Room 029 !
! Senior Programmer/Analyst ! SUNY !
! Computing Support Center ! Plattsburgh, NY 12901 !
! State University of New York ! (518) 564-4433 !
! College at Plattsburgh ! BitNet : BRADLEJP@SNYPLAVA !
! ! POSTMAST@SNYPLAVA !
==========================================================================
------------------------------
Date: Mon, 18 Sep 89 19:39:00 -0400
From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU>
Subject: oct 13 virus (PC)
can the october 13th virus be fooled into triggering early
by advancing the date on the system?
if so, if someone loads an intercept program like sentry2 or
another good program, will it intercept and warn you of
impending disaster?
------------------------------
Date: Mon, 18 Sep 89 19:39:00 -0400
From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU>
Subject: nbbs virus simulator (PC)
does anyone know where we can obtain the nbbs simulator?
we are doing some research here and it would be of
great value to us.
thanks.
------------------------------
Date: Mon, 18 Sep 89 18:50:00 -0400
From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU>
Subject: 123 protected mode virus (PC)
It would appear that a new virus is on the scene. it seems that
some strain attacks >only< the large (700k+) plus file supplied
with lotus 123 version 3.
basically what happens seems to be as follows:
1) The file grows in size (one time) by 3907 bytes.
2) Any spreadsheet saved after the virus has infected the file
is exactly half the size of what it should be. in other words
if you have a spreadsheet 100 x 100 cells in size, after you
save it and then retrieve again, it is exactly 50 x 50 in
size.
I call this a virus because the file does grow in size one time
and if you erase the file, restore the file from a backup and
run lotus again, the file grows again in size.
It also seems to cause files which run in protected mode/dos
mode to grow as well. makes me feel that this is a virus
geared to extended memory programs.
in any event as soon as the code is isolated i will make it
available to homebase so they can figure out a test to see if
it is present.
this has not damaged anything at the university. this is strictly
an observation based on outside experiences.
w.r.
------------------------------
Date: Tue, 19 Sep 89 15:27:34 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT anti-virus package (PC)
Some time ago I sent out several copies of my F-PROT anti-virus package.
Those copies were only beta-release, and not intended for general
distribution, although they were uploaded to SIMTEL by mistake. Now I have
fixed all the problems reported to me and added a number of new features.
F-PROT will be made available soon, but it is now in final testing at
around 20 sites here in Iceland.
I am still speculating on how to distribute it. Is the idea of shareware,
where you will automatically receive the next major update for a
contribution of $15 (or equivalent) acceptable ?
I would be very interested in knowing how much interest there is for
this set of programs. If you would like to see it distributed on SIMTEL,
comp.binaries.ibm.pc etc, please let me know. (A short reply saying just
"yes" will do). If there seems to be sufficient interest in this program,
it will be made available later this month.

F-PROT includes a number of anti-viral programs, including:

    1) A device driver that provides full protection against
       most viruses. The program will check every program run
       for infection by any of the following viruses:

            April 1. (sURIV 1.0 and sURIV 2.0)
            Cascade (1701, 1704)
            DataCrime
            DataCrime-II
            405
            Friday 13. (Miami, Munich)
            Fu Manchu
            Icelandic (incl. Saratoga)
            Jerusalem (incl. sURIV 3.0)
            Lehigh
            Traceback
            Vienna (DOS 62)

       In addition the program will also provide protection against
       the following boot sector viruses:

            Ping-Pong (Italian)
            Brain
            Stoned (New Zealand)
            Den Zuk
            Alameda/Yale
            Typo

       It is also able to stop (but not identify) new boot sector viruses.

       The viruses listed above are responsible for over 99% of
       infections.

       The best part is that this program only occupies around 1K of
       memory, and is totally invisible unless an attempt is made to run
       an infected program.

    2) A program that will look for infections and remove them. This
       program can handle all the viruses listed above, and in addition
       it will detect infections by the following viruses:

            Pentagon
            Swap
            Nichols
            Agiplan
            2730

       These viruses are very rare, but code to remove them will
       be added as soon as I obtain a copy of them.

       The following viruses have been reported, but are extremely rare
       and certainly not a serious threat (yet).

            Dbase
            Oropax
            Ohio
            RAP
            MIX1

       Code to detect and remove them will be added as soon as possible.

    3) A program that will modify any .EXE or .COM file and add code
       to it, so that the program will check itself for infection by
       ANY virus when run. This will provide full protection against
       any new program viruses. This addition to the program will not
       interfere with normal execution.

    4) A TSR program that will watch out for suspicious activity:

            Attempts to write to the FAT.
            Formatting of the hard disk.
            Making Read-Only .EXE or .COM files Read/Write.
            Writing to a .EXE and .COM file

       Other similar programs exist, but this one is also able to:

            .... stop viruses that bypass INT 21 when performing
                 DOS functions (like the Icelandic virus does).
            .... prevent all four methods used in the TRYOUT program
                 in Dr. Solomon's Anti-Virus Toolkit from working.

       As far as I know, no other similar program can do this.

    5) A number of utilities:

            Memory-mapping program
            Inoculation program
            Checksum program
            Disk locking program
            + a few more.

- --------------------------------------------------------------------
Fridrik Skulason University of Iceland
frisk@rhi.hi.is
Guvf yvar vagragvbanyyl yrsg oynax .................
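
The two preceding posts both rest on the same observable: an infected program file changes, often by growing a fixed amount (3907 bytes in the Lotus 1-2-3 report), and a checksum utility can catch that. The sketch below is an added example, not part of the digest and not F-PROT's code: it records size and SHA-256 (a modern hash chosen here as an assumption) for .EXE/.COM files and reports what changed against that baseline. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".com"}  # file types named in the posts above

def snapshot(root):
    """Map relative path -> (size, SHA-256 hex) for each executable under root."""
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXTS:
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result

def compare(baseline, current):
    """Return sorted (path, verdict, size_delta) tuples for every changed file."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if old is None:
            findings.append((path, "new", new[0]))
        elif new is None:
            findings.append((path, "missing", -old[0]))
        elif new[0] != old[0]:
            verdict = "grew" if new[0] > old[0] else "shrank"
            findings.append((path, verdict, new[0] - old[0]))
        else:
            # Size alone would miss this; only the hash shows the change.
            findings.append((path, "modified-same-size", 0))
    return findings

def demo():
    """Constructed sample: one file grows by 3907 bytes, one is changed in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "A.EXE").write_bytes(b"MZ" + b"\x90" * 998)
        (root / "B.COM").write_bytes(b"\xc3" * 64)
        (root / "NOTE.TXT").write_bytes(b"not an executable")
        baseline = snapshot(root)
        with open(root / "A.EXE", "ab") as fh:
            fh.write(b"\x00" * 3907)  # growth of the size reported above
        (root / "B.COM").write_bytes(b"\xeb" + b"\xc3" * 63)  # same size, new content
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A baseline is only trustworthy if it was taken from known-clean media and is stored where the monitored system cannot rewrite it.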
------------------------------
Date: 19 Sep 89 16:49:48 +0000
From: trw@hrc63.uucp (Trevor Wright "Marconi Baddow")
Subject: have you a name for (what might be) a virus (PC)
I've heard of a virus (possibly) whereby the screen randomly scrolls
up either over its full width, or restricted to a small window
covering 8 lines in the top left, ie, the bottom line scrolls up and
obliterates the intermediate lines. I'm told there are no harmful
effects, and it's been seen on several makes of system and MS-DOS 3.2
and 3.3, both inside applications and just in MS-DOS command mode.
Anyone got a name for this virus ??
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253