home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.246
< prev
next >
Wrap
Text File
|
1995-01-03
|
24KB
|
484 lines
VIRUS-L Digest Tuesday, 21 Nov 1989 Volume 2 : Issue 246
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: Known PC virus list
Where did they come from ? (PC)
A new LISTSERV group
Re: 80386 and viruses (PC & UNIX)
Re: 80386 and viruses (PC & UNIX)
CVIA clarifications
followup on mind viruses
Virus Disinfectors (Mac)
Potential Virus? (Mac)
Computer Virus Catalog Index:November'89
---------------------------------------------------------------------------
Date: Tue, 21 Nov 89 16:25:22 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Known PC virus list
A few comments:
- since the boot part of the ghost virus does not spread,
it can not properly be called a virus, so I do not think it should be
included.
- The Pentagon virus does not work. Why include it ?
- Why not include Agiplan, Oropax, Missouri, Macho and Nichols ?
- Do-nothing Remains resident
- 1168/1280 do not use self-encryption.
Apart from this it's a good list.
- -frisk
------------------------------
Date: Tue, 21 Nov 89 16:26:30 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Where did they come from ? (PC)
I am trying to compile a list showing where the various viruses seem
to have originated. Here is what I have got so far, but I am sure the
list contains several errors, and I would be very grateful for any
comments and corrections.
Boot Sector Viruses:
Alameda USA
Brain Pakistan ?
Den Zuk/Ohio Venezuela ? Indonesia ?
Disk Killer USA ?
Stoned New-Zealand/Australia
Missouri USA ?
Nichols USA ?
Pentagon UK ?
Ping-Pong Italy (Torino ?)
Typo Israel
Swap Israel
Program Viruses
Aids USA
Agiplan W. Germany
Alabama Israel ?
April 1st Israel
Cascade USA ?
Dark Avenger ?
DataCrime W. Germany ? The Netherlands ?
DataCrime-2 ?
dBase USA
Do-Nothing Israel
405 UK ?
Fumble USA
Fu Manchu UK ?
Ghost Iceland
Icelandic/Saratoga Iceland/USA
Jerusalem/variants/Sunday Israel/USA
Lehigh USA
Mix1 Israel
Oropax W. Germany
Screen USA
South African South Africa
SysLock/Macho/Advent W. Germany
Traceback ?
Vacsina W. Germany ?
Vienna/Lisbon Austria/Portugal
Yankee ?
Zero Bug ?
- -frisk
------------------------------
Date: 21 Nov 89 00:00:00 +0000
From: BAUMARD.Philippe.42.64.31.89.BAUMARD@FRAIX11 (33)
Subject: A new LISTSERV group
Dear Virus-L networkers,
a new list has been created. Its name is APOGEES (LISTSERV at FRMOP11.BITNET).
APOGEES is open to any networker with practical experience in the
fields of strategic and critical information management. We are by
now working on supervisory systems for strategic technological
information.
Applicants are welcome. Please send a note to BAUMARD at FRAIX11.
Virtually,
APOGEES Management.
------------------------------
Date: 21 Nov 89 17:49:52 +0000
From: williams@cs.umass.edu
Subject: Re: 80386 and viruses (PC & UNIX)
peter%ficc@uunet.UU.NET (Peter da Silva) writes...
>> The isolation hardware in the I386 makes it possible to construct a
>> contained execution environment... Such an environment would be a
>> useful place to test untrusted programs.
>
>> Has anyone constructed such an environment?
>
>Yes.
>
>It's called "Merge 386" or "Vp/IX".
>
>[Ed. These products, by the way, are DOS emulation boxes for i386
>based UNIX and XENIX products.]
Would someone elaborate on this? Surely a program (virus or otherwise)
running under the emulator could do the same things, including deleting all
the files it can find, as on DOS. What protection is provided? Perhaps
not allowing access to the FAT, boot sector, etc.?
------------------------------
Date: Tue, 21 Nov 89 13:46:23 -0500
From: Kenneth R. van Wyk <krvw@SEI.CMU.EDU>
Subject: Re: 80386 and viruses (PC & UNIX)
>> Would someone elaborate on this? Surely a program (virus or otherwise)
>> running under the emulator could do the same things, including deleting all
>> the files it can find, as on DOS. What protection is provided? Perhaps
>> not allowing access to the FAT, boot sector, etc.?
At least in the case of VP/ix (which I used on a Zenith 386 SCO Xenix
system when I worked at Lehigh), all DOS calls are subject to
"approval" by Xenix - or UNIX for that matter, on a 386 UNIX system.
All interrupts, etc., are handled by Xenix in the end. The DOS
session(s) runs as a virtual 8086 on the 386, and is given an image
file which appears to be a physical hard disk to the DOS session. The
"boot sector" per se is just part of a file on the Xenix file system
(or on a floppy if the VP/ix system is rebooted from floppy). I would
imagine that this logical physical (?!) drive would be subject to boot
sector infections, but the actual Xenix disk is treated as a network
disk. If a VP/ix process tries to delete or alter any of the Xenix
files, it would be subject to standard Xenix file protection
mechanisms. I never did try to perform any direct (via hardware) read
or writes on the hard disk, but I suspect that they would be stopped.
Can anyone confirm this?
One interesting side-effect of the way VP/ix works is that a
(ctrl-alt-del) reboot really works - and can, in fact, be used to
reboot from floppy. The VP/ix session boot DOS, while leaving the
Xenix system quite in-tact. Very disconcerting the first time it's
done.
Running a DOS emulator under UNIX (or Xenix), in my opinion, would be
a very expensive anti-virus tool. To me, there are plenty of other
good reasons to run UNIX on a 386 or 486.
Ken
------------------------------
Date: Mon, 20 Nov 89 23:04:16 -0800
From: portal!cup.portal.com!Gary_F_Tom%Sun.COM@vma.cc.cmu.edu
Subject: CVIA clarifications
Original-Date: 11-20-89 18:10:56
Original-From: John McAfee
I regret that Ross Greenberg and three of my other competitors
mentioned in his statement persist in an attitude of hostility toward
myself and my endeavors. I have no answer to Ross's allegations that
could possibly suffice, other than that my own recollections of the
events he described differ radically from his descriptions. I must
set the record straight on two points however: First, Ross states that
the CVIA sells anti-viral software and that SCAN is one of its
products. The CVIA does not sell any product, SCAN or otherwise, and
has never sold any product. It is a non-profit corporation funded
solely by the membership and its only other source of income is
through the distribution of a public information packet (price -
$4.00; cost to produce - $4.70).
Second, Ross states that the CVIA is an organization of antiviral
product vendors. This is entirely incorrect. The majority of members
are computer manufacturers or software houses with no existing or
planned antivirus products as part of their product lines. It is true
that the beginning membership was composed of antiviral product
vendors, but the understanding from the beginning was that the
organization must have (and indeed now has) a broad industry
participation.
John McAfee
------------------------------
Date: Tue, 21 Nov 89 10:10:03 -0700
From: Peter Zukoski <Zukoski1@hypermail.apple.com>
Subject: followup on mind viruses
Dear virus-folk:
thanks for all the responses to Richard Dawkins questions. Here's some
further thoughts from Richard on the topic of mind viruses...He and I
would be interested in your opinions, especially on evolving/mutating
virus technology. Has anyone seen viri which evolve, or mutate in
response to the environment which it is in? Or viri which recognize
and "use" other viri which might be present?
OK Richard, you may begin...
- ----------------------------
There is something important about the distinction between what I call
Anarchic Replicators and Socialized Replicators. In the world of DNA,
anarchic replicators are things like viruses, or smaller units with
names like viroids or plasmids, which parasitically exploit the
large-scale transcribing and copying machinery in cells, machinery
which has been put together by cooperating teams of socialized
replicators. Socialized replicators are the ordinary mainline genes
that travel from generation to generation in sperms or eggs and
cooperate to build big survival-machines like our bodies. In a sense,
our 'own' genes are parasitic on each aother's efforts, just as virus
genes are parasitic on the efforts of other genes.
In the world of mind viruses, the reason large religions like Islam or
Roman Catholicism fascinate (as well as repel) me is that they are
large aggregations of mutually socialized viruses, which work to
sustain other members of the cluster and work to destroy alternative
replicators. e.g. Islam has a rule that apostates must be punished by
death. The rule of priestly celibacy in Catholicism at first sight
doesn't seem like a self-preserving replicator. But it frees the
priest's time for more active proselytizing, and it enjoys a good
mutualistic relationship with another rule of contraception among
non-priests.
In the world of computer viruses, I find it harder to find an analogy
for socialized replicators. I gather that anti-virus programmers have
already used the 'biological control' self-replication technique -
sending in a tame,'good' virus to catch the bad one. This reminds us
of the possibility of a kind of ecology of computer viruses building.
We are reminded of this, again, in another of the papers which states
that viruses that were originally intended to be benign can turn
unintentionally malignant when the user upgrades to a new Operating
System. A given OS serves as an environment in which a virus may
flourish or not, may behave benignly or malignantly. Couldn't we
envisage a time when the whole computer environment facing a new virus
is put together, not just by one monolithic OS, but by the OS plus a
motley collection of aleady-infiltrated viruses, some benign, some
malignant, s ome medicinal. New viruses will be written to flourish,
not just in known OSs, like System 6, System 7 and so on, but in a
background containing an unknown but statistically guessable
collection of already existing viruses. Already, the environment that
even a legitimate programmer has to cope with is more than just the
operating system - think of the motley collection of co-resident INITs
and Desk Accessories that you have to worry about when writing a
program for public consumption. A virus ecology will just complicate
the picture, in the same 'biological' direction. The language I am
now using is not too far from the language that I use (e.g. in The
Selfish Gene and The Extended Phenotype) to describe the co-evolution
of genes in genomes.
So far, as far as I know computer viruses don't evolve. Even with
viruses manufactured by conscious human programmers, something like a
mutually co-evolved cluster of viruses could come to constitute the
environment to which any future virus has to accommodate itself. If
truly evolving (self-modifying in adaptive directions) viruses start
to arise, the trend will go even further. Software Companies may have
to write their products to be compatible, not just with numbered
versions of 'The System', but with the changing statistical ensemble
of fellow-travellers both good and bad.
I'd be interested in hearing whether any of this makes sense.
Richard
- -----------------------
"Do what you want -- you will anyway."
PeterZ
------------------------------
Date: 21 Nov 89 14:06:19 -0500
From: Pat Ralston <IPBR400@INDYCMS.BITNET>
Subject: Virus Disinfectors (Mac)
Thanks to Alan for his contribution on Fri. Nov. 17th. Listing many
or all of the Virus Disinfectors and the viruses associated with
them was a big help and a time saver. Hunting through the back
issues of this list for specific information is becoming an unruly
task for me.
Now will some one do the same kind of list for the Mac? Thank you
in advance.
Pat Ralston
------------------------------
Date: Tue, 21 Nov 89 14:53:48 -0500
From: joel_glickman@MTS.RPI.EDU
Subject: Potential Virus? (Mac)
I have just recently noticed a problem on my Mac. After using Cricket
Graph I checked the last modified date and the program had just been
modified. After noting this, I began checking other programs and
found that my copy of Versaterm Pro was also being modified every time
I ran it. It was at that point that I checked these programs on other
people's Macs in the office and saw that these programs were not being
modified on some, while they were being modified on others.. I am
running Gatekeeper and Vaccine and have checked these programs with
Disinfectant and they report no trouble.
My question is: Should these programs modify themselves when I just
run them. All I do is run them and quit immediately and they are
modified??? Do you think I have a virus problem???
Joel Glickman
Rensselaer Polytechnic Institute.
------------------------------
Date: 21 Nov 89 17:42:00 +0100
From: Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
Subject: Computer Virus Catalog Index:November'89
The Computer Virus Catalog now classifies 45 viruses
(AMIGA:24;MSDOS:15; Atari:6). Activities are undertaken to make the
documents available via servers in different regions of the world; we
hope that we can announce such servers in the next weeks. If you wish
to receive the documents (see Index appended, with length of the
documents given) sooner, please send a short request to the author.
Klaus Brunnstein
========================================================================
== Computer Virus Catalog Index ==
========================================================================
== Status: November 15, 1989 (Format 1.2) ==
== Classified: 15 MSDOS-Viruses (MSDOSVIR.A89) ==
== 24 AMIGA-Viruses (AMIGAVIR.A89) ==
== 6 Atari-Viruses (ATARIVIR.A89) ==
== Updates since last edition (July 31, 1989) marked: U (column 70)=U=
== Additions since last edition (July 31, 1989) marked: + (column 70)=+=
========================================================================
== Document MSDOSVIR.A89 contains the classifications of the ==
== following viruses (1.138 Lines, 6.271 Words, 62 kBytes): ==
== ==
== 1) Autumn Leaves=Herbst="1704"=Cascade A Virus ==
== 2) "1701" = Cascade B = Autumn Leaves B = Herbst B Virus ==
== 3) Bouncing Ball = Italian = Ping Pong= Turin Virus =U=
== 4) "Friday 13th" = South African Virus =+=
== 5) GhostBalls Virus =+=
== 6) Icelandic#1 = Disk Crunching = One-in-Ten Virus =U=
== 7) Icelandic#2 Virus =+=
== 8) Israeli = Jerusalem A Virus =U=
== 9) MachoSoft Virus =+=
== 10) Merritt = Alameda A = Yale Virus ==
== 11) Oropax = Music Virus ==
== 12) Saratoga Virus =+=
== 13) SHOE-B v9.0 Virus ==
== 14) VACSINA Virus =+=
== 15) Vienna = Austrian = "648" Virus =U=
== ==
== Remark: The following 13 MS-DOS-Viruses are presently being classi-==
== fied and will be published in the next edition (December 31,1989): ==
== .) Brain A = Pakistani A-Virus (Pakistani Virus Strain) ==
== .) Datacrime I = 1168 Virus (Datacrime Virus Strain) ==
== .) Datacrime II = 1280 Virus (Datacrime Virus Strain) ==
== .) Den Zuk Virus (Venezuela/Search Virus Strain) ==
== .) Lehigh Virus ==
== .) FuManchu Virus (Israeli Virus Strain) ==
== .) NewZeeland= Marijuana= Stoned Virus (NewZealand Virus Strain) ==
== .) Pentagon Virus ==
== .) SURIV 1.01,2.01,3.00 Viruses (Israeli Virus Strain) ==
== .) Traceback Virus ==
== .) 405 Virus ==
========================================================================
== Document AMIGAVIR.A89 contains the classifications of the ==
== following 24 viruses (2.272 Lines, 9.421 Words, 106 kBytes): ==
== ==
== 1) AEK-Virus = Micro-Master Virus (SCA Virus Strain) =U=
== 2) BGS 9-Virus =+=
== 3) Byte Bandit Virus =U=
== 4) Byte Bandit Plus Virus (Byte Bandit Virus Strain) =+=
== 5) Byte Warrior#1 Virus = DASA-Virus (Byte Warrior Strain) =U=
== 6) Disk Doctors Virus =U=
== 7) Gaddafi-Virus =U=
== 8) Gyros Virus =U=
== 9) IRQ-Virus =U=
== 10) LAMER (Exterminator) Virus =U=
== 11) LSD Virus (SCA Virus Strain) =+=
== 12) NORTH STAR I Antivirus-Virus (NORTH STAR Virus Strain) =U=
== 13) NORTH STAR II Antivirus-Virus (NORTH STAR Virus Strain) =U=
== 14) Obelisk Virus =U=
== 15) Paramount Virus = Byte Warrior#2 Virus (Byte Warrior Strain) =U=
== 16) Pentagon Antivirus-Virus =+=
== 17) Revenge 1.2G Virus =+=
== 18) SCA-Virus =U=
== 19) System Z 3.0 Antivirus-Virus (System Z Virus Strain) =U=
== 20) System Z 4.0 Antivirus-Virus (System Z Virus Strain) =U=
== 21) System Z 5.0 Antivirus-Virus (System Z Virus Strain) =+=
== 22) Timebomb 1.0 Virus =+=
== 23) VKill 1.0 Virus = Camouflage Virus =U=
== 24) WAFT-Virus =+=
== ==
== Remark: the following 8 AMIGA-viruses are presently analysed, clas-=
== sified and will be published in the next edition (12/31/1989): ==
== .) BUTONIC 1.1 Virus ==
== .) JOSHUA Virus ==
== .) LAMER EXTERMINATOR Virus 1.0, 2.0, 3.0 ==
== .) SYSTEM Z 5.1, 5.3 Virus ==
== .) WARHAWK Virus ==
========================================================================
== Document ATARIVIR.A89 contains the classifications of the ==
== following 6 viruses (375 Lines, 2.045 Words, 21 kBytes): ==
== ==
== 1) ANTHRAX = Milzbrand Virus =+=
== 2) c't Virus ==
== 3) Emil 1A Virus = "Virus 1A" ==
== 4) Emil 2A Virus = "Virus 2A" = mad Virus ==
== 5) Mouse (Inverter) Virus =U=
== 6) Zimmermann-Virus ==
== ==
== Since last edition, ANTHRAX V. has been added. We have problems to ==
== get viruses, as many users wish to exchange their viruses (like ==
== stamps) against our's, which we generally refuse: the Virus Test ==
== Center's ethical standard says, that we do not spread viruses! ==
== Please send infected programs without preconditions. ==
========================================================================
== For essential updates (marked "U="), we wish to thank D.Ferbrache,==
== Y.Radai and F.Skulason for their continued help and support. ==
== Critical and constructive comments as well as additions are ==
== appreciated. Especially, descriptions of recently detected viruses =
== will be of general interest. To receive the Virus Catalog Format, ==
== containing entry descriptions, please contact the above address. ==
========================================================================
========================================================================
== The Computer Virus Catalog may be copied free of charges provided ==
== that the source is properly mentioned at any time and location ==
== of reference. ==
========================================================================
== Editor: Virus Test Center, Faculty for Informatics ==
== University of Hamburg ==
== Schlueterstr. 70, D2000 Hamburg 13, FR Germany ==
== Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner ==
== Tel: (040) 4123-4158 (KB), -4715 (SFH), -4162(Secr.) ==
== Email (EAN/BITNET): Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de ==
========================================================================
== This document: 117 Lines, 701 Words, 9 kBytes ==
========================================================================
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253