VIRUS-L Digest Wednesday, 27 Sep 1989 Volume 2 : Issue 205
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: Is this a virus? (PC)
Anti-virus virus
re: IBM Virus (from EXPERT-L list) (PC)
LAN boot disks. (PC)
ACS Demo - is it a virus? (Apple)
Information wanted about Selftest (tm)
notchless disks (PC)
Atari ST VIRUS ALERT!!
Lotus Virus
Re: IBM Virus (from EXPERT-L list) (PC)
Tiger Teams
Re: Software company distributing viruses (PC)
Tiger Teams & Viruses
Disk Killer Virus (PC)
Re: SCANV38 (PC)
---------------------------------------------------------------------------
Date: 26 Sep 89 16:13:44 +0000
From: carroll1!dnewton@uunet.UU.NET (Dave Newton)
Subject: Re: Is this a virus? (PC)
In article <0008.8909251230.AA29228@ge.sei.cmu.edu> Christoph.Fischer.RY15@DKAUNI11 writes:
>Hi,
> we just had an inquiry about 4 strange files that appeared on a
>Microsoft WORD installation. All 4 files are hidden system and readonly.
>
>The file MWA is text and contains:
>
>Copyright 1984 by Microsoft
>Word Freedom Fighters:
[names deleted]
>Charles Simonyi
^^^^^^^^^^^^^^^ I only recognize this name as being a guy who worked/works
at Microsoft; he was profiled in the Microsoft Press book _Programmers at
Work_.
Plus it's pretty unlikely that microsoft would copyright a virus.
Of course, it could just be a ruse...
David L. Newton | dnewton@carroll1.UUCP | Quote courtesy of
(414) 524-7343 (work) | dnewton@carroll1.cc.edu | Marie Niechwiadowicz,
(414) 524-6809 (home) | 100 NE Ave, Waukesha, WI 53186 | Boston College.
[Q]: How many surrealists does it take to screw in a light bulb? [A]: The fish.
------------------------------
Date: 26 Sep 89 16:40:00 +0000
From: carroll1!dnewton@uunet.UU.NET (Dave Newton)
Subject: Anti-virus virus
One of the arguments raised against AVV's is the possible escalation
of viral warfare. It seems to me that this has already happened with the
vaccine programs.
I'd be almost certain that most virus writers will try to circumvent
detection by writing (perhaps) a self-modifying virus, or a resident virus
that will attempt to detect detection.
If any comp.virus readers have read any of William Gibson's "Cyberpunk"
novels, in which software protection (ICE) is handled by AI, the concept
of AVV's will be nothing new.
From a technological standpoint, they provide an interesting challenge,
both for the virus writer and anti-virus virus writer.
David L. Newton | dnewton@carroll1.UUCP | Quote courtesy of
(414) 524-7343 (work) | dnewton@carroll1.cc.edu | Marie Niechwiadowicz,
(414) 524-6809 (home) | 100 NE Ave, Waukesha, WI 53186 | Boston College.
[Q]: How many surrealists does it take to screw in a light bulb? [A]: The fish.
------------------------------
Date: 26 Sep 89 00:00:00 +0000
From: David.M..Chess.CHESS@YKTVMV
Subject: re: IBM Virus (from EXPERT-L list) (PC)
Sounds basically like the Jerusalem Virus; in particular, the
little signature string given occurs in the JV. Not sure
why they aren't seeing files change in size when they're
infected. Perhaps the fact that a file gets infected when
it executes (rather than when the original infected file executes)
is causing confusion. The multiple infections that they're
seeing (and attributing to disk fragmentation) are also
characteristic of the JV. Or, of course, it could be some
Brand New nasty... DC
------------------------------
Date: Tue, 26 Sep 89 14:39:00 -0500
From: Reality is not an Industry Standard <PETERSON@LIUVAX.BITNET>
Subject: LAN boot disks. (PC)
If your LAN o/s and cards support the function - try auto boot roms.
We run Novell nets with various cards that all autoboot from a server.
(Novell 2.1x allows you to have multiple boot files for different pcs)
This method keeps the boot code very safe, allows for global changes,
and the students just need a blank formatted disk.
In addition, any new software gets installed from an account that does
*not* have supervisor's (operator) status - one dept. found that out
the hard way.
J. Peterson/Sys Eng
LIU-Southampton
PETERSON@LIUVAX.BITNET
------------------------------
Date: 26 Sep 89 18:22:15 +0000
From: carroll1!dtroup@uunet.UU.NET (Dave Troup)
Subject: ACS Demo - is it a virus? (Apple)
I was just looking at the disk (just unpacked) of the ACS Demo. Should
the Catalog of the disk be :
WHAT
ARE.YOU
LOOKING
FOR
END OF DATA
]
I'm just a little leery; someone wanna check on this for me?
thanks...
"We got computers, we're tapping phone lines, knowin' that ain't allowed"
_______ _______________ |David C. Troup / Surf Rat
_______)(______ | |dtroup@carroll1.cc.edu : mail
_______________________________|414-524-6809______________________________
------------------------------
Date: Tue, 26 Sep 89 14:27:35 -0400
From: wayner@svax.cs.cornell.edu (Peter Wayner)
Subject: Information wanted about Selftest (tm)
Someone recently mentioned a shareware product called "selftest." Can
anyone provide me with any information about how to find the selftest
program or perhaps something about its design?
Thank you,
Peter Wayner
(wayner@cs.cornell.edu)
------------------------------
Date: Tue, 26 Sep 89 15:15:38 -0400
From: Marcus J. Ranum <mjr@cthulhu.welch.jhu.edu>
Subject: notchless disks (PC)
Don't let notchless disks give you a sense of false
confidence! I have a drive on my system at home with the notch detect
jumpered off on one of the drives from when I used to be a student at
a place where they used exactly the protection scheme you describe.
--mjr();
------------------------------
Date: Tue, 26 Sep 89 13:23:00 -0500
From: Holly Lee Stowe <IHLS400%INDYCMS.BITNET@VMA.CC.CMU.EDU>
Subject: Atari ST VIRUS ALERT!!
At least 2 instances of the "Key" virus have been found on ORIGINAL
WordUp 2.0 disks from Neocept for the Atari ST and Mega computers.
If you have WordUp 2.0, please use Virus Killer 2.2 or some other
virus checking program to check your disks!
Holly Lee Stowe,
Faculty/Staff Consulting
.......................................................................
He has all the subtlety and wit of a speed bump.
- paraphrased from Oleg Kisilev in alt.flame
+---------------------------------------------------------------------+
| @@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ Holly Lee Stowe |
| @@@ @@@ @@@ @@@ @@@ @@@ @@@ @@@ Bitnet: IHLS400@INDYCMS |
| @@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ IUPUI Computing Services |
| @@@ @@@@@@@@ @@@ @@@@@@@@ @@@ 799 West Michigan Street |
| Indiana U. - Purdue U. at Indianapolis Indianapolis, IN 46202 |
+---------------------------------------------------------------------+
------------------------------
Date: Tue, 26 Sep 89 13:50:23 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Lotus Virus
The new Lotus 123 virus is being turned over to Lotus Corp (a CVIA
member) for analysis and disassembly. It is embedded in an 800K EXE
file and no-one other than Lotus was willing to attempt a disassembly.
The CVIA will publish results as soon as we get them.
Alan
------------------------------
Date: Tue, 26 Sep 89 16:16:10 -0400
From: Chris Haller <CJH@CORNELLA.cit.cornell.edu>
Subject: Re: IBM Virus (from EXPERT-L list) (PC)
>From: Ken Hoover <consp21@bingvaxu.cc.binghamton.edu>
>Subject: IBM Virus (from EXPERT-L list) (PC)
>
>Original-Date: Mon, 18 Sep 89 17:38:00 EDT
>Original-From: Sanjay Hiranandani <GDO@CRNLVAX5.BITNET>
>
[text omitted]
Oh well, I was considering writing to VIRUS-L about this anyway, and
this posting precipitates a response. Here is the current situation
about the virus that showed up at Sibley Hall at Cornell University.
John McAfee's VIRUSCAN v36 identified this virus as Jerusalem B, and
its appearance and behavior correspond with this identification, AS
FAR AS I KNOW. (Would some kind soul please send me a type
description of "Jerusalem B" so I can verify the identification more
completely? I think this is the version of the Israeli that attacks
both .COM and .EXE files on both floppy and hard disks, that was
modified (probably in the U.S.) to be less obtrusive, and that
WordPerfect and FoxBase catch in the act because they detect its
alteration of their file.) We are using UNVIRUS, which we retrieved
from the archive at Kansas State, to clean up.
Incidentally, we find VIRUSCAN and SCANRES very useful and intend to
ask Mr. McAfee about site licensing arrangements for Cornell
University. (That's why we haven't sent in our shareware fees yet!
Most of us on the staff here won't use software without paying for it,
except preliminarily.) However, do not let this kind of endorsement
of one person's (or group's) efforts deter those of you who are
writing other protective software. No single program, indeed no
single way of addressing the problem, will be sufficient to protect a
diverse computing community like this from the threat of viruses.
This semester we may recommend SCANRES, but we are counting on there
still being a lot of people using FLU_SHOT+ here, and next semester we
may recommend something else, or a newer version of FLU_SHOT, or a
program that checks CRC polynomials to detect altered files or disk
sectors. The idea is that in a large and diverse community like a
major university, a virus may get started locally but it won't get
very far before it sets off an alarm on someone's system. If everyone
using PC's were using the same kind of protection, a virus written to
evade that particular protection would spread farther. This is not a
new idea, it's one I learned from reading this list! Thank you all.
-Chris Haller, Research and Analysis Systems, Cornell University
BITNET: <CJH@CORNELLA> Internet: <CJH@CornellA.CIT.Cornell.edu>
Acknowledge-To: <CJH@CORNELLA>
------------------------------
Date: Tue, 26 Sep 89 18:12:26 -0400
From: Steve <XRAYSROK%SBCCVM.BITNET@VMA.CC.CMU.EDU>
Subject: Tiger Teams
Maybe I just don't understand, but I personally think the "Tiger Team"
idea put forth (by David Gursky) on this list is a little ridiculous
because:
1) Most viruses are not spread by someone sneaking in at night and
against your wishes copying something onto your computer. Rather,
they are usually spread voluntarily (but unknowingly) by the user
exposing the computer to foreign contaminated disks or programs. If I
always (almost always anyway) operate within a closed system, how is
letting someone *tamper* with my computer going to help me? I'd feel
much safer just scanning for known viruses, which brings up the next
point.
2) What corporation (or employee for that matter) is willing to
take the risk of letting someone (outsiders or corporation employees)
*tamper* with the computers which the company (and the employee)
depends upon, especially when proper operating procedures (regular
backups, etc.) will offer you very good protection?
3) Can you guarantee that the "Team" will not do damage? No, you
cannot. And if they are introducing live viruses, we already know
that no one can guarantee that the viruses will be benign in every
situation (as has been discussed many times by others on this list),
or that they will not get away.
Acknowledge-To: <XRAYSROK@SBCCVM>
------------------------------
Date: 26 Sep 89 21:43:51 +0000
From: chinet!ignatz@att.att.com
Subject: Re: Software company distributing viruses (PC)
In article <0007.8909251241.AA29279@ge.sei.cmu.edu>
bnr-di!borynec@watmath.waterloo.edu (James Borynec) writes:
>Software companies may be the largest source of virus contamination
>around. After all, they send disks everywhere and no one worries
>about 'shrink wrap' software being 'unclean'. I have only been hit by
>two viruses - both came from software companies - one of which was
>Texas Instruments. The guy in the office next door was hit by a copy
>of a virus on his (shrink wrap) copy of WordPerfect. I think it is
>shocking that people are told just to watch out for viruses when
>engaged in software 'swapping'. Everyone should regard EVERY disk
>that enters their machine with suspicion.
It's probably been mentioned before, but it can't hurt to repeat.
Some software houses--especially discount stores--have a very liberal
return policy. Unfortunately, it seems that shrinkwrap equipment is
neither very expensive nor difficult to obtain, and some stores will
accept such returned software, repackage and re-shrinkwrap it, and
return it to the store shelf. Thus, you really can't be certain that
the sealed shrink-wrap you bought *hasn't* been tampered with at some
point along the line.
It really is starting to look like either there will have to be
tamper-proof shrinkwrap (as resulted from the Tylenol disaster in the
OTC consumer market), or a general practice of scanning *any*
purchased software for contamination...
Dave Ihnat
ignatz@homebru.chi.il.us (preferred return address)
ignatz@chinet.chi.il.us
------------------------------
Date: Tue, 26 Sep 89 20:24:00 -0500
From: <CTDONATH%SUNRISE.BITNET@VMA.CC.CMU.EDU>
Subject: Tiger Teams & Viruses
Someone has suggested that "Tiger Teams" use (as one of their tests)
viruses. A "controlled" atmosphere is suggested.
Like the idea of an anti-virus virus, this usage may run out of
control and cause more damage than expected. If the tiger team fails
to exterminate ALL copies of the virus (which is very likely in the
chaotic user environment), there is the possibility of virus paranoia
(i.e. lawsuits), files that grow in size for no good reason (very
dangerous when a disk is full or nearly so [programs abend or refuse
to run]), and the possibility of lost data through virus malfunctions.
Another problem is the nature of a tiger team using a virus: the virus
would be released in a (probably) unsuspecting work area. The presence
of strangers insisting on checking every disk that leaves the area
(and don't forget the problem of LANs and file transfers) would cause
chaos.
Remember, a "good" virus used for a "good" purpose would have to be
working perfectly. And we all know how programs work perfectly under
all conditions all the time :-)
------------------------------
Date: Tue, 26 Sep 89 18:50:40 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Disk Killer Virus (PC)
The CVIA has isolated the "Disk Killer" virus after 6 months of work
and over three dozen reports. The virus activates after a random time
period which varies from a few days to a few months, and when it
activates, it performs a low level format of the hard disk - thereby
destroying itself along with everything else. As it formats, it
displays the message - "Disk Killer -- Version 1.00 by COMPUTER OGRE.
Don't turn off the power or remove the diskettes while Disk Killer is
processing. I wish you luck." The first organization to report this
virus was Birchwood systems in San Jose in early Summer. Additional
reports were received from Washington, Oklahoma, Minnesota and
Arizona. We finally isolated it at Wedge Systems in Milpitas
California and discovered that it is a boot sector infector that
infects hard disks and floppies. The internal messages do not appear
in sector zero, but are stored in sector 152 on floppy disks and an as
yet undetermined location on hard disks. This had always added to the
confusion over the virus because message remnants were sometimes
discovered in the middle of executable files, and it was assumed that
the virus was a COM or EXE infector. The virus appears to be very
widespread and everyone should watch out for it. If your boot sector
does not contain the standard DOS error messages, then immediately
power down and clean out the boot.
(Infected boot sectors begin with FAEB). This is a nasty virus and
should be treated cautiously. ViruScan V39 identifies the virus, but
it will not be posted till the 29th due to major revisions in SCAN's
architecture for version 39.
Alan
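The checks Alan describes, as an added Python example that is not part of the digest or of ViruScan: it flags a boot sector that starts with FA EB or lacks the usual DOS boot text, and scans a disk image for the message fragments, which on floppies sit in sector 152 rather than sector zero. The DOS message strings are assumed typical MS-DOS boot-sector text, and all sector and image data are constructed.

```python
SECTOR_SIZE = 512
SUSPECT_PREFIX = b"\xfa\xeb"  # digest: infected boot sectors begin with FA EB
# Assumed typical MS-DOS boot-sector text (not quoted from the digest).
DOS_MESSAGES = (b"Non-System disk or disk error",
                b"Replace and press any key when ready")
KILLER_MARKERS = (b"Disk Killer", b"COMPUTER OGRE")  # quoted in the digest

def inspect_boot_sector(sector: bytes) -> dict:
    """Flag the two signs named in the digest for one 512-byte boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    findings = {
        "starts_with_faeb": sector.startswith(SUSPECT_PREFIX),
        "dos_messages_present": any(m in sector for m in DOS_MESSAGES),
        "boot_signature_ok": sector[-2:] == b"\x55\xaa",
    }
    findings["suspicious"] = (findings["starts_with_faeb"]
                              or not findings["dos_messages_present"])
    return findings

def find_marker_sectors(image: bytes) -> list:
    """Sector numbers (512-byte units) holding a Disk Killer message fragment."""
    hits = set()
    for marker in KILLER_MARKERS:
        pos = image.find(marker)
        while pos != -1:
            hits.add(pos // SECTOR_SIZE)
            pos = image.find(marker, pos + 1)
    return sorted(hits)

def make_sector(prefix: bytes, body: bytes) -> bytes:
    """Constructed boot sector: code prefix, body, zero fill, 55 AA trailer."""
    return (prefix + body).ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xaa"

# Constructed samples: a normal-looking sector and one matching the description.
CLEAN = make_sector(b"\xeb\x3c\x90", b"OEMNAME " + b"\x00" * 51
                    + DOS_MESSAGES[0] + b"\r\n" + DOS_MESSAGES[1] + b"\r\n")
SUSPECT = make_sector(b"\xfa\xeb\x10", b"\x00" * 64)

# Constructed 160-sector floppy image: infected boot sector, message text at
# sector 152 (where the digest says it sits on floppies), nothing in sector 0.
SAMPLE_IMAGE = bytearray(SECTOR_SIZE * 160)
SAMPLE_IMAGE[0:SECTOR_SIZE] = SUSPECT
MESSAGE = b"Disk Killer -- Version 1.00 by COMPUTER OGRE."
SAMPLE_IMAGE[152 * SECTOR_SIZE:152 * SECTOR_SIZE + len(MESSAGE)] = MESSAGE

if __name__ == "__main__":
    print("clean:", inspect_boot_sector(CLEAN))
    print("suspect:", inspect_boot_sector(SUSPECT))
    print("message in sectors:", find_marker_sectors(bytes(SAMPLE_IMAGE)))
```

A sector that starts with FA EB is only a heuristic, so treat the result as a prompt to examine the boot code, not as proof of infection.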
------------------------------
Date: 26 Sep 89 15:30:08 +0000
From: bnr-fos!bmers58!mlord@watmath.waterloo.edu (Mark Lord)
Subject: Re: SCANV38 (PC)
In article <0012.8909251241.AA29279@ge.sei.cmu.edu> portal!cup.portal.com!Alan_J_Roberts@Sun.COM writes:
>ViruScan V38 is out and has been sent to Compuserve and the
>comp.binary sites. This version identifies the MIX1, the New Ping
ViruScan V37 was recently uploaded to SIMTEL20, and a question about
its authenticity has been posted to one of the .ibm.pc newsgroups.
Apparently the length of the SCAN program is 34 bytes longer than the
constant (??) length that the author said would be preserved for all
versions.
Is this a valid copy, or might it have a little parasite attached ?
-Mark
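A baseline check of the kind Chris Haller mentions earlier in this issue (file length plus a CRC polynomial over each file), which also answers the kind of question Mark raises about SCAN's length: an added Python example, not code from the digest or from any product named in it. The file contents are constructed, and CRC-32 is the polynomial chosen here.

```python
import zlib

def fingerprint(data: bytes) -> tuple:
    """(length, CRC-32) of one file's contents."""
    return len(data), zlib.crc32(data) & 0xFFFFFFFF

def build_baseline(files: dict) -> dict:
    """Record length and CRC for every file while the system is known clean."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_against_baseline(files: dict, baseline: dict) -> dict:
    """Compare current files to the baseline; size is checked first, then CRC."""
    report = {}
    for name, (base_len, base_crc) in baseline.items():
        if name not in files:
            report[name] = "missing"
            continue
        cur_len, cur_crc = fingerprint(files[name])
        if cur_len != base_len:
            report[name] = f"size-changed ({cur_len - base_len:+d} bytes)"
        elif cur_crc != base_crc:
            report[name] = "content-changed (same size)"
        else:
            report[name] = "ok"
    for name in files.keys() - baseline.keys():
        report[name] = "new"
    return report

# Constructed stand-ins for program files (not real binaries).
ORIGINAL = {
    "SCAN.EXE": b"MZ" + b"\x00" * 2046,
    "EDIT.COM": bytes(range(256)) * 4,
    "WP.EXE": b"MZ" + b"\x01" * 998,
}
BASELINE = build_baseline(ORIGINAL)

# A later snapshot: SCAN.EXE has grown by 34 bytes (the discrepancy Mark asks
# about), EDIT.COM has the same length but different bytes, WP.EXE is untouched.
LATER = dict(ORIGINAL)
LATER["SCAN.EXE"] = ORIGINAL["SCAN.EXE"] + b"\x90" * 34
LATER["EDIT.COM"] = b"\xeb\x10" + ORIGINAL["EDIT.COM"][2:]

if __name__ == "__main__":
    for name, status in check_against_baseline(LATER, BASELINE).items():
        print(f"{name:10s} {status}")
```

The same-size case is why a length check alone is not enough: a change that keeps the file size, like the one David Chess wonders about, is caught only by the CRC.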
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253