home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.214
< prev
next >
Wrap
Text File
|
1995-01-03
|
8KB
|
172 lines
VIRUS-L Digest Thursday, 5 Oct 1989 Volume 2 : Issue 214
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: paper comparing biological and computer viruses
CNN coverage of Columbus Day Virus and Friday 13th Virus
The DataCrime viruses (PC)
Two new PC viruses
That's the news...
---------------------------------------------------------------------------
Date: 05 Oct 89 06:07:51 +0000
From: munnari!gara.une.oz.au!pmorriso@uunet.UU.NET (Perry Morrison MATH)
Subject: Re: paper comparing biological and computer viruses
SOFPJF@UOGUELPH.BITNET (Peter Jaspers-Fayer) writes:
> This is an outline for a semi-serious paper on the similarities
> between biological and computer viruses, and the efforts to understand
> and combat them. I present it here in the hopes that others may wish
> to contribute a paragraph or so (sorry no money, but I'll give credit
> for any material I receive).
I wrote a short paper published in the Futurist which introduces the
analogy of software and organic viruses. For historical adequacy of
your paper, I'd appreciate it if you included it in your bibliography:
Morrison, P.R. "Computer Parasites May Cripple Our Computers",
The Futurist, 1986, 20(2), 36-38.
_ _______________________W_(Not Drowning...Waving!)______________________
Perry Morrison Ph.D, V.D (and scar).
SNAIL: Maths, Stats and Computing Science, UNE, Armidale, 2351, Australia.
perrym@neumann.une.oz or pmorriso@gara.une.oz Ph:067 73 2302
------------------------------
Date: Thu, 05 Oct 89 08:51:37 -0500
From: Jim Ennis <JIM@UCF1VM.BITNET>
Subject: CNN coverage of Columbus Day Virus and Friday 13th Virus
Hello,
Viruses were covered on the CNN 'AT&T Information and Technology'
segment of the CNN Daybreak show Weds, 10/4/89. There was a good
non-techie description of what a virus is, how it spreads and some
safe computing (safe sex) practices. They did not mention how to
detect the virus and remove, or who you could contact for more
information.
They had short pieces with Winn Schwartau 'American Computer
Security', Richard Carr 'NASA', and Ross Greenberg 'Software Author'.
The show seems to be lumping all computer security problems as
'viruses', it did not attempt to differentiate (sp?) the different
types of problems facing computers. Also, they said that the virus
will not affect many people, they did not give any estimates on the
number of possible infections (which from following this list is
pretty small).
The segment might run on Sunday during the 'Science & Technology' half
hour show (usually in the early afternoon). It was only about 3-4
minutes long.
Jim Ennis
UCF Computer Services
------------------------------
Date: Thu, 05 Oct 89 17:13:10 +0200
From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU>
Subject: The DataCrime viruses (PC)
In August, Alan Roberts, David Chess, and Kelly Goen discussed the
DataCrime II virus on VIRUS-L, but only from one point of view: that
it's encrypted and that the decryption code includes a routine which
prevents looking at the code with a single-step utility. Unless I
missed something, none of them thought of telling us anything else
concerning how DC-2 differs from the original DC. Much later,
however, we did learn several additional differences, for example:
(1) DC-2 infects EXE as well as COM files.
(2) It increases file size by 1514 bytes.
(3) Whereas DC avoids infecting COM files whose 7th letter is "D"
(thus avoiding infection of COMMAND.COM), DC-2 avoids infecting COM
files whose 2nd letter is "B" (presumably so as not to infect
IBMBIO.COM and IBMDOS.COM).
So far, so good. But I have since discovered that there was one
very important difference which (again, assuming that I haven't missed
anything) was not mentioned by anyone on the List: Whereas DC per-
forms its damage (low-level format of cylinder 0 of the hard disk) on
any day between Oct 13 and Dec 31 of any year, DC-2 does it on any day
between Jan 1 and Oct 12, except on Sundays!
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Thu, 05 Oct 89 14:33:43 +0200
From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU>
Subject: Two new PC viruses
Two new viruses have been discovered in Israel. One of them is
called the Alabama virus. It infects EXE files and increases their
size by 1560 bytes. Unlike many other resident viruses, it does not
use Int 21h function 31h to stay resident. It loads itself 30K under
the highest memory location reported by DOS, but (unlike MIX1) it does
not lower the amount of memory reported by BIOS or DOS.
It hooks Int 9 and checks for Ctrl-Alt-Del. (It uses IN and OUT
commands to confuse anti-virus people.) When it identifies this com-
bination it causes an apparent boot but remains in RAM.
After 1 hour of operation (the virus checks the time on each Int 9
or Int 21 call), the following flashing boxed message appears:
SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
Box 1055 Tuscambia ALABAMA USA.
This virus does not necessarily infect the file which is currently
being executed. First it looks for an uninfected file in the cur-
rent directory, and if it finds one it infects it. Only if it does
not find one does it infect the executed file.
But sometimes, when it finds an uninfected file, instead of infect-
ing it, it will *exchange* it with the currently executed file without
renaming it, so that the user will think that he is executing one pro-
gram while he is actually executing another one!
I have less information about the other virus (not even a name for
it). It adds 4096 to all infected files (both EXE amd COM, incl.
COMMAND.COM). But when you perform DIR you don't see the increase in
file size since the virus shows you the *original* (uninfected) sizes.
Like the Alabama and MIX1, it does not use the usual TSR function. It
also uses INs and OUTs to confuse single-step utilities.
My thanks to Eli Shapira for this info.
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Thu, 05 Oct 89 16:00:00 EDT
From: "Kenneth R. van Wyk" <krvw@SEI.CMU.EDU>
Subject: That's the news...
To quote Saturday Night Live's Dennis Miller, That's the news and I am
out of here!
VIRUS-L/comp.virus will be back on-line when I return from Maui/Kaui
on Oct. 23. Until then, use VALERT-L for *VIRUS ALERTS* only. Please
do not use VALERT-L for anything other than virus alerts.
Aloha, :-)
Ken van Wyk
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253