VIRUS-L Digest Wednesday, 8 Nov 1989 Volume 2 : Issue 236
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Introduction to the anti-viral archives
UNIX anti-viral archive sites
Apple II anti-viral archive sites
Atari ST anti-viral archive sites
Amiga anti-viral archive sites
IBMPC anti-viral archive sites
Documentation anti-viral archive sites
Macintosh anti-viral archive sites
New anti-virus files uploaded to SIMTEL20 (PC)
Re: Where are the Sophisticated Viruses? (PC)
---------------------------------------------------------------------------
Date: 08 Nov 89 05:19:49 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Introduction to the anti-viral archives
# Introduction to the Anti-viral archives...
# Listing of 07 November 1989
This posting is the introduction to the "official" anti-viral archives
of virus-l/comp.virus. With the generous cooperation of many sites
throughout the world, we are attempting to make available to all
the most recent news and programs for dealing with the virus problem.
Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh
and Unix computers, as well as sites carrying research papers and
reports of general interest.
If you have general questions regarding the archives, you can send
them to this list or to me. I'll do my best to help. If you have a
submission for the archives, you can send it to me or to one of the
persons in charge of the relevant sites.
If you have any corrections to the lists, please let me know.
Jim
==== cruft for the lawyers ====
The files contained on the participating archive sites are provided freely
on an as-is basis.
To the best of our knowledge, all files contained in the archives are either
Public Domain, Freely Redistributable, or Shareware. If you know of one
that is not, please drop us a line and let us know.
PLEASE NOTE
The Managers of these systems, and the Maintainers of the archives, CAN NOT
and DO NOT guarantee any of these applications for any purpose. All possible
precautions have been taken to assure you of a safe repository of useful
tools. Unfortunately, in this day and age nothing is certain. It is awful
that these people have to worry about legalities when they are only trying
to provide a free and useful service. But facts are facts. Your use of
the archives relieves the sites from any liability.
Sigh.
------------------------------
Date: 08 Nov 89 05:20:49 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: UNIX anti-viral archive sites
# Anti-viral and security archive sites for Unix
# Listing last changed 30 September 1989
attctc
Charles Boykin <sysop@attctc.Dallas.TX.US>
Accessible through UUCP.
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
sauna.hut.fi
Jyrki Kuoppala <jkp@cs.hut.fi>
Accessible through anonymous ftp, IP number 128.214.3.119.
(Note that this IP number is likely to change.)
ucf1vm
Lois Buwalda <lois@ucf1vm.bitnet>
Accessible through...
wuarchive.wustl.edu
Chris Myers <chris@wugate.wustl.edu>
Accessible through anonymous ftp, IP number 128.252.135.4.
A number of directories can be found in ~ftp/usenet/comp.virus/*.
------------------------------
Date: 08 Nov 89 05:18:15 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Apple II anti-viral archive sites
# Anti-viral archive sites for the Apple II
# Listing last changed 30 September 1989
brownvm.bitnet
Chris Chung <chris@brownvm.bitnet>
Access is through LISTSERV, using SEND, TELL and MAIL commands.
Files are stored as
apple2-l xx-xxxxx
where the x's are the file number.
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The Apple II index for the virus archives can be retrieved as
request: apple
topic: index
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
uk.ac.lancs.pdsoft
Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft>
Service for UK only; no access from BITNET/Internet/UUCP
Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
Pull the file "help/basics" for starter info, "micros/index" for index.
Anti-Viral stuff is held as part of larger micro software collection
and is not collected into a distinct area.
------------------------------
Date: 08 Nov 89 05:18:37 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Atari ST anti-viral archive sites
# Anti-viral archive sites for the Atari ST
# Listing last changed 30 September 1989
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The Atari ST index for the virus archives can be retrieved as
request: atari
topic: index
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>.
panarthea.ebay
Steve Grimm <koreth%panarthea.ebay@sun.com>
Access to the archives is through mail server.
For instructions on the archiver server, send
help
to <archive-server%panarthea.ebay@sun.com>.
uk.ac.lancs.pdsoft
Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft>
Service for UK only; no access from BITNET/Internet/UUCP
Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
Pull the file "help/basics" for starter info, "micros/index" for index.
Anti-Viral stuff is held as part of larger micro software collection
and is not collected into a distinct area.
------------------------------
Date: 08 Nov 89 05:17:51 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Amiga anti-viral archive sites
# Anti-viral archive sites for the Amiga
# Listing last changed 30 September 1989
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The Amiga index for the virus archives can be retrieved as
request: amiga
topic: index
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
ms.uky.edu
Sean Casey <sean@ms.uky.edu>
Access is through anonymous ftp.
The Amiga anti-viral archives can be found in /pub/amiga/Antivirus.
The IP address is 128.163.128.6.
uk.ac.lancs.pdsoft
Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft>
Service for UK only; no access from BITNET/Internet/UUCP
Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
Pull the file "help/basics" for starter info, "micros/index" for index.
Anti-Viral stuff is held as part of larger micro software collection
and is not collected into a distinct area.
uxe.cso.uiuc.edu
Mark Zinzow <markz@vmd.cso.uiuc.edu>
Lionel Hummel <hummel@cs.uiuc.edu>
The archives are in /amiga/virus.
There is also a lot of stuff to be found in the Fish collection.
The IP address is 128.174.5.54.
Another possible source is uihub.cs.uiuc.edu at 128.174.252.27.
Check there in /pub/amiga/virus.
------------------------------
Date: 08 Nov 89 05:19:26 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: IBMPC anti-viral archive sites
# Anti-viral archive for the IBMPC
# Listing last changed 30 September 1989
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The IBMPC index for the virus archives can be retrieved as
request: ibmpc
topic: index
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
ms.uky.edu
Daniel Chaney <chaney@ms.uky.edu>
This site can be reached through anonymous ftp.
The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus.
The IP address is 128.163.128.6.
uk.ac.lancs.pdsoft
Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft>
Service for UK only; no access from BITNET/Internet/UUCP
Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
Pull the file "help/basics" for starter info, "micros/index" for index.
Anti-Viral stuff is held as part of larger micro software collection
and is not collected into a distinct area.
uxe.cso.uiuc.edu
Mark Zinzow <markz@vmd.cso.uiuc.edu>
This site can be reached through anonymous ftp.
The IBMPC anti-viral archives are in /pc/virus.
The IP address is 128.174.5.54.
vega.hut.fi
Timo Kiravuo <kiravuo@hut.fi>
This site (in Finland) can be reached through anonymous ftp.
The IBMPC anti-viral archives are in /pub/pc/virus.
The IP address is 128.214.3.82.
wsmr-simtel20.army.mil
Keith Petersen <w8sdz@wsmr-simtel20.army.mil>
Direct access is through anonymous ftp, IP 26.2.0.74.
The anti-viral archives are in PD1:<MSDOS.TROJAN-PRO>.
Simtel is a TOPS-20 machine, and as such you should use
"tenex" mode and not "binary" mode to retrieve archives.
Please get the file 00-INDEX.TXT using "ascii" mode and
review it offline.
NOTE:
There are also a number of servers which provide access
to the archives at simtel.
WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands
from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe
from EARN TRICKLE servers. Send commands to TRICKLE@<host-name>
(for example: TRICKLE@AWIWUW11). The following TRICKLE servers
are presently available: AWIWUW11 (Austria), BANUFS11 (Belgium),
DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy),
EB0UB011 (Spain) and TREARN (Turkey).
------------------------------
Date: 08 Nov 89 05:18:59 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Documentation anti-viral archive sites
# Anti-viral archive sites for documentation
# Listing last changed 30 September 1989
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The index for the **GENERAL** virus archives can be retrieved as
request: general
topic: index
The index for the **MISC.** virus archives can be retrieved as
request: misc
topic: index
**VIRUS-L** entries are stored in monthly and weekly digest form from
May 1988 to December 1988. These are accessed as log.8804 where
the topic substring is comprised of the year, month and a week
letter. The topics are:
8804, 8805, 8806 - monthly digests up to June 1988
8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
The following daily digest format started on Wed 9 Nov 1988. Digests
are stored by volume number, e.g.
request: virus
topic: v1.2
would retrieve issue 2 of volume 1, in addition v1.index, v2.index and
v1.contents, v2.contents will retrieve an index of available digests
and an extracted list of the contents of each volume respectively.
**COMP.RISKS** archives from v7.96 are available on line as:
request: comp.risks
topic: v7.96
where topic is the issue number, as above v7.index, v8.index and
v7.contents and v8.contents will retrieve indexes and contents lists.
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
lehiibm1.bitnet
Ken van Wyk <LUKEN@LEHIIBM1.BITNET> new: <krvw@sei.cmu.edu>
This site has archives of VIRUS-L, and many papers of
general interest.
Access is through ftp, IP address 128.180.2.1.
The directories of interest are VIRUS-L and VIRUS-P.
uk.ac.lancs.pdsoft
Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft>
Service for UK only; no access from BITNET/Internet/UUCP
Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
Pull the file "help/basics" for starter info, "micros/index" for index.
Anti-Viral stuff is held as part of larger micro software collection
and is not collected into a distinct area.
unma.unm.edu
Dave Grisham <dave@unma.unm.edu>
This site has a collection of ethics documents.
Included are legislation from several states and policies
from many institutions.
Access is through ftp, IP address 129.24.8.1.
Look in the directory /ethics.
------------------------------
Date: 08 Nov 89 05:20:23 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Macintosh anti-viral archive sites
# Anti-viral archive sites for the Macintosh
# Listing last changed 07 November 1989
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The Mac index for the virus archives can be retrieved as
request: mac
topic: index
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
ifi.ethz.ch
Danny Schwendener <macman@ethz.uucp>
Interactive access through DECnet (SPAN/HEPnet):
$SET HOST 57434 or $SET HOST AEOLUS
Username: MAC
Interactive access through X.25 (022847911065) or Modem 2400 bps
(+41-1-251-6271):
# CALL B050 <cr><cr>
Username: MAC
Files may also be copied via DECnet (SPAN/HEPnet) from
57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]
rascal.ics.utexas.edu
Werner Uhrig <werner@rascal.ics.utexas.edu>
Access is through anonymous ftp, IP number is 128.83.144.1.
Archives can be found in the directory mac/virus-tools.
Please retrieve the file 00.INDEX and review it offline.
Due to the size of the archive, online browsing is discouraged.
scfvm.bitnet
Joe McMahon <xrjdm@scfvm.bitnet>
Access is via LISTSERV.
SCFVM offers an "automatic update" service. Send the message
AFD ADD VIRUSREM PACKAGE
and you will receive updates as the archive is updated.
You can also subscribe to automatic file update information with
FUI ADD VIRUSREM PACKAGE
sumex-aim.stanford.edu
Bill Lipa <info-mac-request@sumex-aim.stanford.edu>
Access is through anonymous ftp, IP number is 36.44.0.6.
Archives can be found in /info-mac/virus.
Administrative queries to <info-mac-request@sumex-aim.stanford.edu>.
Submissions to <info-mac@sumex-aim.stanford.edu>.
There are a number of sites which maintain shadow archives of
the info-mac archives at sumex:
* MACSERV@PUCC services the Bitnet community
* LISTSERV@RICE for e-mail users
* FILESERV@IRLEARN for folks in Europe
uk.ac.lancs.pdsoft
Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft>
Service for UK only; no access from BITNET/Internet/UUCP
Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
Pull the file "help/basics" for starter info, "micros/index" for index.
Anti-Viral stuff is held as part of larger micro software collection
and is not collected into a distinct area.
wsmr-simtel20.army.mil
Robert Thum <rthum@wsmr-simtel20.army.mil>
Access is through anonymous ftp, IP number 26.2.0.74.
Archives can be found in PD3:<MACINTOSH.VIRUS>.
Please get the file 00README.TXT and review it offline.
------------------------------
Date: Wed, 08 Nov 89 01:15:00 -0700
From: Keith Petersen <w8sdz@WSMR-SIMTEL20.ARMY.MIL>
Subject: New anti-virus files uploaded to SIMTEL20 (PC)
I have uploaded the following files to SIMTEL20:
pd1:<msdos.trojan-pro>
SCANRS48.ARC Resident program to scan for many viruses
SCANV48.ARC VirusScan, scans disk files for 48 viruses
SCANRS48 and SCANV48 were downloaded from the Homebase BBS.
--Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.arpa BITNET: w8sdz@NDSUVM1
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz
------------------------------
Date: 08 Nov 89 11:23:12 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Where are the Sophisticated Viruses? (PC)
jim frost writes:
>Limiting Propagation Rates.
Some viruses do this. SysLock, Icelandic and Typo-COM will only infect some
of the programs they have a chance to infect. They use different methods,
like "only every other day" or "only every tenth program run".
>Limiting Re-Infections. Most simple viruses don't detect systems
>which have already been infected and will re-infect them.
Actually very few viruses infect the same "victim" over and over. Some boot
sector viruses do, but the only program virus which does so is the original
version of the Israeli (Jerusalem) virus.
>
>Detecting and Avoiding "Virus-Protected" Hosts. I have yet to see a
>virus which looked at the state of a system to detect virus detection
>mechanisms to nullify them and/or avoid infecting them.
One virus - the "Icelandic" virus - makes an attempt at this. It will not
infect a system if it determines that any program has hooked INT 13. Since
all virus monitoring programs do that, it will not be detected by them.
(In practice this does not work too well, because of a bug in the code..)
>Staying Within Normal System Activity Boundaries.
Most resident viruses do this.
>Hiding From Standard System Utilities.
This is the difficult part. Very few existing viruses are able to do this
properly. Most boot sector viruses will decrease the amount of memory
available - for example turning a 640K machine into a 639K one. Program
viruses can in many cases be detected by using an ordinary memory mapping
utility. Still, quite a few manage to hide even from that, but there is room
for much improvement in this area :-(
>Modifying Hosts To Make Them More Susceptible To Re-Infection.
This brings up the topic of "virus types we have not seen yet". I have
written a document describing a few types of viruses that could theoretically
be written, but are currently unknown. Description of one of the types
follows.
7) The "AIDS" type. This type of virus is very dangerous. Not because
it destroys programs or data, but because it attacks the protection
mechanism in the computer. These viruses can be divided in two
subgroups.
Specific: These viruses will search for known anti-virus programs
and disable or destroy them. They might do that by
patching the code in memory and then overwriting parts
of the protection programs on the disk.
General: These viruses must be much more complicated, but they
could for example try to determine what programs had
hooked a specific interrupt. Then they might modify
a few memory locations in order to bypass those programs.
A virus of this type might not do any further damage, but it would
leave the system vulnerable to attacks by other viruses, which might
then have a devastating effect.
>By now you should get the idea that almost every virus we've seen is
>primitive, although several showed some of the survival traits which I
>outline above. Given the limited resources of PC environments, it's
>unlikely that you'll get a very sophisticated virus.
I must disagree. In the PC environment it is not a question of limited
resources, but rather the fact that any user process has full access to
ALL resources and can even directly manipulate the hardware if required.
So, my opinion is that it is even easier to write a sophisticated virus on
the PC than in most other environments.
Finally, I want to add one "feature" to the description of a sophisticated
virus:
"Bypass protection programs and jump directly to the hardware, DOS or
BIOS routines."
There are quite a few "filter" programs available that will monitor every
INT 13, INT 21, INT 40.... call and alert the user if an attempt is made
to do an illegal operation. They are, however, almost useless against
viruses that can access the system directly in the way described above.
Only two or three viruses do this now, but I am certain that more virus
writers will figure out how to do this in the future. :-(
-frisk
Fridrik Skulason University of Iceland
frisk@rhi.hi.is Computing Services
Guvf yvar vagragvbanyyl yrsg oynax .................
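The memory-mapping check mentioned in the message above (a 640K machine reporting 639K), combined with a look at where the INT 13, INT 21 and INT 40 vectors point, as an added example that is not part of the original digest or any poster's code. It assumes the standard PC real-mode layout (4-byte interrupt vectors starting at address 0, conventional memory size in KB in the word at 0040:0013); the function names and both low-memory snapshots are constructed for illustration.

```python
import struct

BDA_BASE_MEM_KB = 0x413   # word at 0040:0013: conventional memory size in KB
ROM_START = 0xC0000       # adapter and system ROM begin here on a PC


def vector(mem, int_no):
    """Return (segment, offset) stored in the interrupt vector table."""
    off, seg = struct.unpack_from("<HH", mem, int_no * 4)
    return seg, off


def audit(mem, installed_kb, watched=(0x13, 0x21, 0x40)):
    """Compare reported with installed memory and locate each watched handler."""
    reported_kb = struct.unpack_from("<H", mem, BDA_BASE_MEM_KB)[0]
    top_reported = reported_kb * 1024
    top_installed = installed_kb * 1024
    handlers = {}
    for n in watched:
        seg, off = vector(mem, n)
        addr = ((seg << 4) + off) & 0xFFFFF      # 20-bit real-mode address
        if addr >= ROM_START:
            region = "rom"
        elif top_reported <= addr < top_installed:
            region = "hidden"                    # RAM that is present but unreported
        elif addr >= top_installed:
            region = "other"                     # e.g. video memory
        else:
            region = "ram"
        handlers[n] = (f"{seg:04X}:{off:04X}", region)
    return {
        "reported_kb": reported_kb,
        "missing_kb": installed_kb - reported_kb,
        "handlers": handlers,
        "suspicious": sorted(n for n, (_, r) in handlers.items() if r == "hidden"),
    }


def make_snapshot(reported_kb, vectors):
    """Build a constructed image of the first 0x500 bytes of real-mode memory."""
    mem = bytearray(0x500)
    struct.pack_into("<H", mem, BDA_BASE_MEM_KB, reported_kb)
    for n, (seg, off) in vectors.items():
        struct.pack_into("<HH", mem, n * 4, off, seg)
    return bytes(mem)


# Constructed sample data: a normal machine, and one whose top kilobyte has
# been taken out of the reported total while INT 13 points into that kilobyte.
CLEAN = make_snapshot(640, {0x13: (0x0070, 0x0774),
                            0x21: (0x0274, 0x1460),
                            0x40: (0xF000, 0xEC59)})
SHRUNK = make_snapshot(639, {0x13: (0x9FC0, 0x0000),
                             0x21: (0x0274, 0x1460),
                             0x40: (0xF000, 0xEC59)})

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("shrunk", SHRUNK)):
        result = audit(snap, installed_kb=640)
        print(name, result["missing_kb"], "KB missing;",
              "vectors into hidden RAM:", [hex(n) for n in result["suspicious"]])
```

A reduced memory figure alone is not conclusive, since some BIOSes reserve the top kilobyte for an extended BIOS data area; a disk vector pointing into the unreported region is the stronger signal.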
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253