home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.245
< prev
next >
Wrap
Text File
|
1995-01-03
|
10KB
|
252 lines
VIRUS-L Digest Tuesday, 21 Nov 1989 Volume 2 : Issue 245
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
re: Known PC Virus List (PC)
RE: Internet Worm Statistics...
Re: Ping Pong virus (PC) at UIUC
Eagle Virus Detection Utility and Final Report (PC)
No Virus Found (Mac)
Most common virus (PC)
More on VACSINA (PC)
---------------------------------------------------------------------------
Date: 20 Nov 89 00:00:00 +0000
From: "David.M..Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Known PC Virus List (PC)
Quite welcome for the format, and thanks for the acknowledgement!
A few small notes/questions:
- I notice the "Missouri" and "Nichols" viruses aren't
listed. Did they turn out not to really exist, or
to be viruses that are known under some other name?
- For completeness, you might want to include the 1704-C,
as well as the 1701, 1704, 1704-B and 1704-format?
(The 1704-C has the same in-clear section as the
1704-format, but doesn't have the disk-formatting
code.) I know you have a sample! *8)
- Suspect you didn't mean to mark "Self-Encryption" for
the 1168 and 1280 viruses? They don't do it in the same
sense that the DataCrime II, the Syslock, or the 17xx
series do; the only thing that's "encrypted" in the
1168/1280 is the logo string, and that's just stored
XORed with hex 55. That's not the -interesting- kind of
self-garbling: the kind that makes the invariant part of
the virus smaller.
Nice list!
DC
------------------------------
Date: Mon, 20 Nov 89 11:54:35 -0500
From: dmg@lid.mitre.org (David Gursky)
Subject: RE: Internet Worm Statistics...
As some of you may recall, Cliff Stoll (author of "Stalking the Wily
Hacker" CACM May '88 and _The Cuckoo's Egg_ Doubleday 1989) asked
people to submit tales, horror stories, and so on about the Morris
Internet Worm. Cliff then performed some statistical analysis on the
resulting data, and published the results as part of his paper "An
Epidemology of Viruses & Network Worms". presented at the 12th
National Computer Security Conference last month in Baltimore (see
pages 371 -> 373 of the proceedings for the section of Cliff's article
on the Morris Work).
------------------------------
Date: Mon, 20 Nov 89 16:40:30 -0500
From: Melinda Varian <MAINT@PUCC.BITNET>
Subject: Re: Ping Pong virus (PC) at UIUC
Although I recognize that this is not the appropriate forum
for discussion of the BITFTP server, since BITFTP has been being
discussed here, I would like to correct some misapprehensions:
BITFTP does handle binary files; indeed, it distributes hundreds
of them everyday.
BITFTP is currently designed to be used only within the BITNET/
EARN/NetNorth network; it distributes all files (both binary and
text) in NETDATA format, which means it cannot send files through
mail-only gateways into other networks.
I have addressed the original complaint about BITFTP that was
broadcast to this list, i.e., that it was not accepting FTP requests
for the UXE.CSO node. Requests to that node had regularly been
resulting in hung FTP sessions, but I believe that I have now
circumvented that problem, so I am again accepting requests to access
it.
Anyone wanting further information on BITFTP should send mail or an
interactive message to BITFTP@PUCC.
Melinda Varian
[Ed. Thanks for the clarification!]
------------------------------
Date: Mon, 20 Nov 89 19:13:00 -0500
From: IA96000 <IA96@PACE.BITNET>
Subject: Eagle Virus Detection Utility and Final Report (PC)
Final report on virus contained in file EAGLE.EXE:
1) It DOES contain a form of Jerusalem B. It WILL spread to other
files once EAGLE.EXE has been loaded into memory.
2) If the system being run has a '286 or higher processor and if
COMMAND.COM is found in the root directory, the program will
DESTROY the boot and FAT tables on the disk. No question about
this folks! It overwrites the sectors with the ASCII 246
character.
3) When EAGLE.EXE is loaded, ONLY the Jerusalem B virus is spread
to other files. The trojan part of the program is part of
EAGLE.EXE, not part of the virus itself.
4) Viruscan (SCAN.EXE) WILL NOT detect any viruses in the EAGLE.EXE
file. This appears to be because EAGLE.EXE has been compressed
and a DOS loader has been added to the head of the file and is
not the fault of Viruscan.
5) Once EAGLE.EXE has been run,SCAN will detect the Jerusalem B
virus in memory when SCAN's "M" command line switch is used.
6) A write protect tab WILL stop the destruction of the Boot and FAT
on a floppy. Numerous methods have been tried to stop the destruction
of the Boot and FAT on a hard disk and none appear to be effective.
7) After considerable study it has been determined that the EAGLE.EXE
program was written in (take a guess) a version of compiled Basic.
8) We have no way to know that author intended for the program to
contain the Jerusalem virus. It is quite possible this IS the case
since the specific compression program used would not allow the
program to load, if the virus had infected the file AFTER it had
been compressed.
To recap:
The program name is EAGLE.EXE and contains the Jerusalem virus.
It was uploaded to a BBS with a description line saying it would
produce a VGA animation of an EAGLE in flight. If COMMAND.COM
is present in the root directory of the default drive and if
the processor is a '286 or higher (including a '486) EAGLE.EXE
will write over the Boot and both FAT areas with the ASCII 246
character.
Detection:
The good people at SWE have written a small program named
EAGLSCAN.EXE which will probe any file with an extension of .EXE
to determine if it is the EAGLE.EXE program renamed. I do not know
the particulars of the program but I have tested it, and it is very
fast! It will if you desire scan one .EXE file or all .EXE files
on your disk. If a file is found be EAGLE.EXE renamed or has the
exact same identification strings, it will be flagged and you will
be notified.
If you would like a copy of EAGLSCAN.EXE please send a formatted
5.25 inch, 360k disk to the following address with return postage,
(stamps are fine) and you will receive the program along with a
commented dis-assembly of the EAGLE.EXE file. Please enclose a
return address label for the disk mailer.
SWE
132 Heathcote Road
Elmont, New York 11003
EAGLSCAN IS NOT Shareware, nor is it in the public domain. The
authors have consented to supply anyone who reads Virus-L with
a copy free of charge (except for postage which you must supply).
That is about it for now. As far as I am concerned we have found
everything we need to know. EAGLE.EXE contains both a virus and
a very nasty trojan horse if the conditions are right!
For whatever it is worth, my opinion is that you should send for
a copy of EAGLSCAN. It does not cost you anything except for postage
and it might come in handy!
------------------------------
Date: 20 Nov 89 15:09:00 -0800
From: harvard!applelink.apple.com!D1660%GARP.MIT.EDU@vma.cc.cmu.edu
Subject: No Virus Found (Mac)
To put everyone's mind at ease:
In Virus-L Digest #242 Tom Southall of American University asks help
with an apparent virus problem. I was able to go down to American
University today and take a look at the Macs there. I could find no
evidence of any viral activity. What I did find was some things put
onto the systems by students and set to be invisible. These definitely
accounted for the changing system file size, and perhaps for the other
problems experienced there.
Paul Cozza
------------------------------
Date: 21 Nov 89 14:16:38 -0400
From: <pangkm@ievmis.ie.ac.sg>
Subject: Most common virus (PC)
Can we know which type of VIRUS is most common on the Personal Computer ?
Thank in advance
------------------------------
Date: Tue, 21 Nov 89 06:02:39 -0500
From: <ry15@dkauni11.bitnet>
Subject: More on VACSINA (PC)
Hi,
we just completed our virus catalog entry for the VACSINA virus and
checked with some friends. One of them: David M. Chess pointed out
that we overlooked a fact. Well it is a very important fact: VACSINA
contains an update facility. The last 4 bytes of an infected file
contain F4 7A 05 00. The F4 7A is the VACSINA id and 05 00 is the
version number ( lo byte first ) so we have version 0005 of VACSINA.
If the virus finds anything less than 0005 it will reconstruct the
original file and then it will infect with the new version of VACSINA.
Now we understand why the author left so much space in the head of the
virus. Also the 3 byte used for the 'VACSINA-TSR is in memory' flag
contain a 05 so future versions of VACSINA will know if an older
version of VACSINA installed its TSR.
If anybody has virus infected files that show F4 7A 06 00 or higher
please post a note.
Thanks to David again!
Chris
*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253