home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.257
< prev
next >
Wrap
Text File
|
1995-01-03
|
31KB
|
654 lines
VIRUS-L Digest Monday, 11 Dec 1989 Volume 2 : Issue 257
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Ping Pong B (PC)
Re: Network Virus Protection (Mac)
Seagate drives (PC)
Wiping out Jerusalem's virus (PC)
WDEF (Mac)
Jerusalem B virus found (long story)
Re: WDEF Virus (Mac)
re: DIR EXEC remedies (VM/CMS)
Disinfectant 1.4 (Mac)
Protecting Users form Letter Bombs
Use of Digital Signatures
JUST WHAT IS *LSD? (Mac)
SCANV51 (PC)
---------------------------------------------------------------------------
Date: Fri, 08 Dec 89 15:23:22 -0500
From: Peter Jones <MAINT@UQAM.BITNET>
Subject: Ping Pong B (PC)
We have a PC virus in our labs, which is detected as Ping Pong B by
SCANV49, and as the Ping Pong Virus by IBM's virus scanner. Unlike the
Ping Pong described in file MSDOSVIR.A89, it does not have the bytes
1357 at offset 1FCO.
The virus appears to be a boot-sector virus; it has not been detected
by SCAN in the .COMs or .EXEs. As with Ping Pong, a strange character
(not a lower-case 'o') bounces around the screen. Sometimes the "ball"
bounces off a non-blank character. Sometimes characters fall down.
The virus appears to be triggered, like Ping Pong, when a disk access
occurs near a quarter-hour. CHKDSK issued about 5 seconds before such
a time usually does it.
Occaisonally, we have observed two independent "balls" on the screen.
We have been unable to cause this behaviour deliberately on our test
PC.
The virus can be spread by an infected boot sector on non-system data
diskettes, if the user accidentally leaves such a diskette in drive A
and tries to boot from it, then presses any key to continue booting
after the "non-system disk" message from DOS.
Questions for you readers:
1) Is there a complete description of the virus available?
2) What damage does it do?
3) What prevention and disinfection procedures can be used
a) in computer labs with many users per machine
b) in professor's office (few people using a machine)
(I've read about the idea of scanning the diskettes used by students
in labs before giving the diskette to another student.)
4) Is there a version of SCANVRS that will detect boot-sector viruses on data
disks? Aside from disk utilities such as Norton's absolute sector editor,
is there a simple way to disinfect a data disk? SYS A: after a clean boot
doesn't work because there isn't space for a system on A:.
Peter Jones MAINT@UQAM (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)
------------------------------
Date: 08 Dec 89 22:53:47 +0000
From: emx.utexas.edu!ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Re: Network Virus Protection (Mac)
C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) writes:
>Is there any freeware that will provide virus protection when using a
>network such as AppleShare or TOPS? I know SAM will work fine. Will
>Gatekeeper or Vaccine provide adequate protection? Will Disinfectant
>provide adequate diagnosing capabilities?
Gatekeeper will work fine - just install it on all your machines.
'Makes no difference what sort of file server (if any) that you use.
If Gatekeeper sees an attack taking place, it stops it - no matter
what sort of volume the attacker is stored on. This is equally true
of SAM and Vaccine, but I wouldn't recommend Vaccine.
Vaccine requires (1) that your machine is only used by highly skilled
users/ programmers, i.e. people who always know how to respond to the
Granted/Denied queries and (2) that the viruses be very simple -
Vaccine's protections are minimal compared to Gatekeeper (and I'm
currently working on further extending Gatekeeper's protections.)
I hope this helps,
- ----Chris (Johnson)
- ----Author of Gatekeeper
- ----chrisj@emx.utexas.edu
------------------------------
Date: Fri, 08 Dec 89 14:29:34 -0600
From: James Ford <JFORD1@UA1VM.BITNET>
Subject: Seagate drives (PC)
Question 1: (PC)
Some (all?) Seagate drives come with a program called DM. This
program lets you set the partitions to whatever size, etc. It also
includes an option to allow you to set a partition to "read-only".
Would this be effective against any/some/all boot infectors, IBMBIOS,
IBMDOS and COMMAND.COM infectors? How hard would it be to get around
this program (DM)?
Question 2: (all)
Could the PC, MAC, or TI99/4A wizards post some of their methods of
protecting their files/machines from infection(s)? Right now, I just
use SCANRES, but have been thinking about spending the time to install
some other (PC) programs (FluShot, Sentry, etc) on my machine. What
would be the best combination?
For those of you who are keeping records of various infections, the
Jerusalem Virus version "B" was detected yesterday by SCAN V50. The
machine infected was a PS/2 Model 50, located in the graduate students
office. It was noticed when a grad student kept getting strange
results when running Turbo Pascal (machine slowdown). The disks that
have been in contact have been re-formatted (micros, that is) and the
search is on for the disk that origionally brought it to the machine.
James Ford - JFORD1@UA1VM.BITNET "Gee, a one-line tag..............."
------------------------------
Date: 09 Dec 89 13:50:43 +0000
From: inesc!ajr@relay.EU.net (Julio Raposo)
Subject: Wiping out Jerusalem's virus (PC)
1:
This is the C source of a program I made to clean the JERUSALEM's virus
from the EXE and COM files, restoring those files to their original state.
Just cut between the start -- end lines and compile.
2:
I have no access to FTP sites, so can anyone (preferably from EUROPE, it is
cheaper) mail me virus scan programs for the IBM PC - DOS ?
==============================<start of C source>===========================
[Ed. Due to its length, I'm forwarding the C program to the archive sites.]
==============================<end of C source>=============================
Antonio Julio Raposo (ajr@inesc, LISBOA, PORTUGAL)
------------------------------
Date: Sat, 09 Dec 89 10:15:08 -0500
From: "Frank Steele" <fsteele@uga.bitnet>
Subject: WDEF (Mac)
The new WDEF virus for the Mac has infected some of the Mac labs at
the University of Georgia. I've had a chance to see its effects, here
are a few: If your machine is infected, WDEF slows down window
updates. You may hang in the middle of trying to open or close a
window. Generally, the arrows in your monitor's upper left-hand corner
(denoting network connection) will show during the entire process
(they usually blink) and, if you're closing a window, you may see the
radial lines within the close box even long after (15-30 sec) you've
clicked in it. From my understanding of the proper role of the
W(indow) Def(inition) resource, this makes sense. The spooler window
on an AppleShare window can take a similarly long time to update. I
can't tell yet whether the virus can spread to/from AppleShare servers
over the network (or only by disk contact) or whether the special
desktop files, Desktop DB and DF, associated with AppleShare servers
can be infected (None I've seen so far have been). Further input from
others on these possibilities would be appreciated. Also, I don't
think infection is automatic. I checked a floppy disk belonging to a
user who had been using an infected hard drive for an hour, and the
floppy was clean.
Virus Detective, version 3.1, will search for the resource and will
remove it. In fact WDEF is the only virus I'm aware of that Virus
Detective can safely remove. Others?) Don't be intimidated by the
rather lengthy dialog box telling you that removing a single resource
won't necessarily remove a virus. In this case, it will. One problem
I've seen is that, if you're running Symantec Anti- virals for the
Mac, telling Virus Detective to remove the resource brings up an alert
box disallowing you (in about five different ways) from changing any
resources, then bombs the machine. Therefore, if you're using SAM,
disable it until you've removed WDEF, then re-enable it.
This is one of the more innocuous viruses to hit the Mac, but the
unusual propagation method is going to make it extremely difficult to
completely clean up, especially in an unattended environment, as many
campus Mac labs are.
I'll be happy to help anyone with questions as much as I can through
BITNET... I'd appreciate hearing from others with additional
information (Has anyone this apart and discovered whether it has a
purpose beyond propagation?)... My address is FSTEELE@UGA.BITNET.
Frank Steele
------------------------------
Date: Sat, 09 Dec 89 13:27:57 -0500
From: HJW2@PSUVM.PSU.EDU
Subject: Jerusalem B virus found (long story)
FOR THOSE WHO RESPONDED TO MY PREVIOUS VIRUS POSTING, I HAVE THIS STORY
FOR YOU:
How I got Jerusalem virus in my computer
A user's nightmare came true
(88 lines long, anything longer than that would be VIRUS...)
To make a short story long, let me go back to some day in late
September....
I was playing with my computer, as usual, and my wife was doing
her works in the kitchen, as usual. I was using PC Tools to copy some
of my files from hard disk to floppy and when I went back to root
directory in C:, I saw an empty file that was new and weird to me. It
looked like this in PC Tools:
Filename File length Attribute Date
gEgEgEgE.gEg 0 .SR. 11/07/14
Since I have deleted countless files using PC Tools, I tried the same
way to select that file and delete it. To my surprise, PC Tools
responded "File not Found". So I said to my self:"It must be the
problem of zero length." and tried to write something on it so I can
delete it, and you know, it didn't work that way. And the strange
thing was that whenever I changed its attribute by using Edit/View
function, it didn't work as it supposed to be.
So I kept that file and forgot it until someone on campus(or Wall
Street Journal) brought up the issue of October 13th and computer
virus attack. I went to 12 Willard to get a scanv4 disk and used it
to scan my hard disk for at least 13 times and did not spot a virus.
I was still nervous about the virus attack, so I got another virus
protection program (Flushot, in case it matters) and checked the hard
disk again and again and again until my wife reminded me to do
homework. I survived the virus hit in October.
Before the first snow in November about three weeks ago, I booted
up the machine as usual and press the turbo switch when I noticed the
slow speed of computer checking my Intel Aboveboard memory. The
computer suddenly went nuts for the first time since I bought it a
year ago. There was nothing on the screen, the keyboard didn't
respond, and the speaker beeped. I powered off and on again and the
computer prompted me "8237 Error" and refused to work. I was nervous
but not afraid. Since I have played around with computers for a
while, I tore down my machine to check what might be the source of
error. I didn't find anything suspicious but BIOS and DMA. I went to
a local computer store and had my BIOS replaced and the computer
worked again. So I gave them $35 for the Phoenix BIOS that worked
wonder on my computer.
But honeymoon soon was over. One day when I was using my
primitive word processor PFS:Professional Write, the computer hung me
without any warning. I lost all my editing file and had to reboot it
again using reset button not ctrl+alt+del. And after that, it hung
from time to time whenever I changed from editing document to print or
to spell check. After few days, I found out I cannot use turbo mode
anymore, I had to stay with normal mode. When I press the turbo
button to boost speed, I got hung.
Since I just replaced BIOS, I suspected the problem is in DMA.
So I brought my computer back to that local store after Thanksgiving
and they said that I need a new motherboard because they cannot fix
the motherboard problem. Because they were asking ONLY $200 for a new
12MHz 286 motherboard, I decided to get it replaced. Everything
worked fine with the new board until I tried to run Harvard Graphics,
it hung again. Same thing happened to Minitab and the new
PFS:Professional Write v2.0. I questioned the store about the
compatibility of that kind of motherboard and got pissed off. They
claimed that their motherboard has been running thousands of software
and has never encountered non compatible problem. So I tested
everything I could, changing faster memories, changing different BIOS,
changing video board, and even swapping hard disks. I could not find
out the problem until someday I used MAPMEM to see memory usage and
saw an unknown program occupying about 1732k memory above
configuration and dos command and I realized that something weird was
going on.
I immediately (well, next day) got the virus detection disk from
office and started checking my hard disk. Boy, was I astonished! I
saw a warning line as soon as I issued SCAN command: SCAN file has
been damaged.... In the next few minutes, I saw 50 of my command
files were infected by Jerusalem B virus. I used pctools to erase all
infected files and got a map of my hard disk to see if everything is
ok. But I saw some secctors marked "unremovable" where they should be
"usable" space. And I realized that the only way to get rid of the
virus would be reformatting my entire hard disk. So I did. I am glad
I have a back up for every program I have in the hard disk.
Now all the viruses are gone except one that I keep in a floppy
as a memory or for future research use, I start thinking where I got
this little virus. There are only two places: PCLIB at Penn State or
that computer store. I cannot think of any other sources except these
two. The weired file with 0 byte and unremovable is from some file in
PCLIB, but I have checked every file before October 13 and found no
virus. After that date, I have not downloaded anything. On the other
hand, every weired thing started after I replaced BIOS and used
testing software from the computer store. It's also possible that the
virus is attached to some file that store has. I will keep tracking
down the suspicious source of this virus and if anything comes out
interesting, I will summarize and post it.
GOOD BYE !
_____ ___
H. WU HJW2@PSUVM.BITNET _|_ |___|
DEPARTMENT OF BUSINESS LOGISTICS |_|_| |___|
THE PENNSYLVANIA STATE UNIVERSITY _|_|_|_ |___|
| | _/ |__|
------------------------------
Date: Sat, 09 Dec 89 18:07:23 +0000
From: yale!slb-sdr!sdr.slb!shulman@uunet.UU.NET (Jeff Shulman)
Subject: Re: WDEF Virus (Mac)
C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) writes:
>Recently there was a posting on VALERT-L about a new virues, WDEF. In the
>alert it is mentioned that:
>(stuff deleted)
>"Jeff Shulman, the author of Virus Detective 3.1, recommends adding the
>following search string to detect the virus:
>CREATOR=ERIK & Resource WDEF & Any
>Virus Detective can also be used to remove the virus ......"
>Where or to what do we add the "following search string". Please
>pardon my ignorance.
>Greg
These instructions only apply to VirusDetective 3.x
1. Select VirusDetective from the DA menu.
2. Click the Modify Search Strings button.
3. Type
Creator=ERIK & Resource WDEF & Any ; For finding WDEF, etc.
4. Click the Add button.
5. Click the Save button.
6. That's it!
Specific instructions can be found both in the VD doc file, online
docs and is going to be mailed out to registered users early this
week. I will also be posting a file full of the latest search strings
that you can read in by clicking Read from File instead of steps 3 &
4, and I will be posting VD 3.1a that has this string already built in
(NO code modifications were made).
If you are a registered user and you still need more assistance don't
hesitate to contact me either electronically or by phone.
Jeff Shulman
VirusDetective Author
As usual, this is *me* speaking and no other organization.
uucp: ...rutgers!yale!slb-sdr!shulman
CSNet: SHULMAN@SDR.SLB.COM
Delphi: JEFFS
GEnie: KILROY
CIS: 76136,667
AppleLink: KILROY
------------------------------
Date: Sat, 09 Dec 89 19:10:00 -0500
From: "Gerry Santoro - CAC/PSU 814-863-4356" <GMS@PSUVM.BITNET>
Subject: re: DIR EXEC remedies (VM/CMS)
Marty Zimmerman <POSTMAST@IDUI1.BITNET> writes:
>What are other VM/CMS installations doing to slow down the spread of
>the DIR EXEC? I seem to remember that the CHRISTMA EXEC prompted
>someone to write a program to scan/clean the SPOOL queue, and I was
>wondering if anything similar is available for DIR.
At Penn State we are taking a broader approach. The systems folks
here may be scanning spool files for a file named DIR EXEC (don't
really know if they are), but we've also placed a logon warning
message talling users not to receive and execute *ANY* EXEC unless
they know exactly what it does.
Although DIR EXEC and CHRISTMA EXEC (also distributed as XMAS EXEC)
cause well-known havok, it is rather easy for a mischevious student to
send a custom EXEC to an unwary faculty/staff/student who then tries
it out to see what it does.
I did a poll of some of my students (i teach computing for humanities
here) and was horrified at how many of them were given 'neat' EXECS by
perfect strangers, which they then proceeded to use and distribute to
others. Not a single one of them reads REXX and they had no suspicion
that any of these EXECS could be doing something behind their backs.
Another common problem here is that eager students will 'customize'
the environment of faculty who are novices to VM/CMS by linking them
to their (the students) disks, which have lots of custom EXECs on
them. At the very least, when the student graduates and their account
disappears we get questions about the faculty regarding why "the
computer dosen't work anymore".
gerry santoro, ph.d. *** STANDARD DISCLAIMER ***
center for academic computing This posting is intended to
penn state university | represent my personal opinions.
gms @ psuvm.psu.edu -(*)- It is not representative of the
gms @ psuvm.bitnet | thoughts or policies of anyone
...!psuvax1!psuvm.bitnet!gms else here or of the organization.
(814) 863-4356 ---- "I yam what I yam!" ----
------------------------------
Date: Sun, 10 Dec 89 00:10:16 -0500
From: jln@acns.nwu.edu
Subject: Disinfectant 1.4 (Mac)
Disinfectant 1.4 is a new release of our free Macintosh virus
detection and repair utility.
Version 1.4 detects and repairs infections by the new WDEF virus (see
below).
In version 1.4 we no longer refer to the various clones of the nVIR B
virus by name. We refer to them simply as generic "clones of nVIR B."
All references to the individual clone names have been removed from
both the document and the reports generated by the program.
We feel that the creators of these clones do not deserve the publicity
they receive when they see the names they have chosen in print,
especially since some of the names are offensive.
Disinfectant 1.4 is available now via anonymous FTP from site
acns.nwu.edu [129.105.49.1]. It has also been posted to
comp.binaries.mac, info-mac, and CompuServe, and should be available
from those sources soon.
The following text is extracted from the new section on WDEF in
Disinfectant's online document. It describes what we know to date
about this new virus.
The WDEF virus was first discovered in December, 1989 in Belgium and
in one of our labs at Northwestern University. It has also been
reported at several other major US universities, so we fear that it
may be widespread. We also have reason to believe that the virus has
been in existence since at least mid-October of 1989.
WDEF only infects the invisible Desktop files used by the Finder. With
a few exceptions, every Macintosh disk (hard drives and floppies)
contains one of these files. WDEF does not infect applications,
document files, or other system files. Unlike the other viruses, it is
not spread through the sharing of applications, but rather through the
sharing and distribution of disks, usually floppy disks.
WDEF spreads from disk to disk very rapidly. It is not necessary to
run a program for the virus to spread.
Although the virus does not intentionally try to do any damage, WDEF
contains bugs which can cause very serious problems. In particular,
one bug in the virus causes the Mac IIci to crash. We have also
noticed unusually frequent crashes on infected Mac IIcxs, and severe
performance problems with infected AppleShare servers. Several people
have also reported frequent crashes when trying to save files, and we
have two reports that the virus can damage disks.
When using Disinfectant to repair WDEF infections, you must use Finder
instead of MultiFinder. Under MultiFinder the Desktop files are always
busy, and Disinfectant is not able to repair them. If you try to
repair using MultiFinder, you will get an error message.
Unfortunately, none of the current versions of the most popular virus
prevention tools are effective against the WDEF virus. This includes
Vaccine 1.0.1, GateKeeper 1.1.1, Symantecs SAM Intercept 1.10, and
HJCs Virex INIT 1.12. However, by the time you read this, it is very
likely that new versions of these tools will have been released.
Symantec and HJC are preparing new releases of their products, and we
expect that a free prevention tool or tools will also be available
soon.
This version of Disinfectant is being released only a few days after
the discovery of the WDEF virus. We do not yet understand it as
thoroughly as we do the other older viruses. We have disassembled it
completely, and we understand the basic replication mechanism. We know
that it can cause serious problems, and we know why it causes some of
the problems. Research into the behavior and adverse effects of this
virus will continue for some time.
You should keep in touch with your local Mac user group or bulletin
board for more information about this new virus as it becomes
available. Commercial online services like CompuServe and Genie and
the Macintosh trade press publications like MacWeek are also good
sources of information.
John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208
Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink: A0173
------------------------------
Date: Sun, 10 Dec 89 10:17:00 -0500
From: WHMurray@DOCKMASTER.ARPA
Subject: Protecting Users form Letter Bombs
>On this subject: how far should system administrators go to protect
>users from this type of "letter bomb". It seems a bit heavy-handed to
>purge ANY file from the queue with a filetype of EXEC, XEDIT, or MODULE.
>Is it best to let the users fend for themselves, or overprotect them?
A reasonable compromise is to protect them from surprise by arbitrarily
renaming and re-typing the object so that they will not execute it by
accident.
William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: Sun, 10 Dec 89 10:51:00 -0500
From: WHMurray@DOCKMASTER.ARPA
Subject: Use of Digital Signatures
I suspect that Y. Radai misses the point of Bob Bosen's posting.
The point is, why re-invent the wheel thinking up new authentication
schemes when standard ones of known strength already exist. He was not
making knew claims about how effectively such schemes can be implemented.
However, there is a more subtle point. In the most general, non-trivial
(read PC), case, a virus designer cann always get his program executed
by duping users. The law of large numbers suggests that, as Abraham
Lincoln said, you can always fool some of the people some of the time.
If the population is sufficiently large, that will be enough to insure
the life of the virus.
Again, in the most general non-PC case, an effective way to get a
program executed is to make it appear to come from a known and trusted
source. The Christmas cards are a good example. When the copies are
distributed they are distributed under the source ID of the last victim.
Since the names of the targets are taken from the address book (NAMES
file) of the source, this ID is likely known by many of the victims.
Another example is the re-shrink-wrapped software of a reputable vendor on
the shelf of a naive or irresponsible distributor. Many of us are
likely to be duped into executing such software. How can we know that
the software is what the vendor shipped? How can the vendor
demonstrate, even to his own satisfaction, that he did not ship it?
Digital signatures (which are not simply CRCs) provide at least a
partial answer to these questions. They provide compelling evidence
that a data object originated in a particular place and that they have
not been contaminated since leaving that point.
They do not and cannot protect us against all lies and all malice. They
may not protect us at all if we refuse to apply them or reconcile them.
However, they make it possible to protect the innocent. If we refuse to
accept data objects that are not signed by the source, then they will
help to fix accountability for malice. In the presence of such
accountability the quantity of malice can be expected to be less than it
would be the absence of such signatures.
Finally, the ability of a virus to spread in a population, as opposed to
its ability to detect and bypass the controls in a member of the
population, depends upon there being exploitable similarities among the
members of the population. The insistence of Mr. Radai et. al. that,
since it is possible to detect and bypass any control, that all is
futile does not stand up. By subtle changes to my machine and its use,
I can make it sufficiently different from the population at large, to
make it effectively immune from practical attacks. If we were all doing
that, viruses would be far less successful. That I cannot make it
theoretically resistant to hypothetical attacks, may be of little
interest.
It is time to stop condemning the useful out of hand. Those who insist
upon doing so are contributing to the problem rather than the solution.
William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: Sun, 10 Dec 89 18:10:00 -0500
From: someone please stop the bunny <ACSAZ@SEMASSU.BITNET>
Subject: JUST WHAT IS *LSD? (Mac)
The recent notification of the WDEF virus residing in the Desktop
got me thinking so I poked through our fileserver's desktop with
resedit. I found a resource that began with a diamond and followed up
with LSD sort or *LSD but with a diamond instead of a star. Does
anybody know what this is?
- Zav
________________________________________________________ `!'
| - Southeastern Massachusetts University U S of A - |
| Live From the 'REAL' SMU... iiiiiiit's Alex! | _-----_
| alias Alex Zavatone, RoadHazard (I've earned that one)| / _ _ \
| Discmaimer?!: You must be kidding | | O o |
|-------------------------------------------------------- | v |
| Bitnet -> ACSAZ@SEMASSU | ACS - It's not just a job | \ '___` /
| Hepnet -> ALEX@SMUHEP | It's an Adventure! | | \_/ |
|_________________________|___________________________| \___/
------------------------------
Date: Sun, 10 Dec 89 15:53:12 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: SCANV51 (PC)
SCANV51 is now available on HomeBase. It checks for the
Datacrime II-B, the Payday and the Amstrad viruses as new additions to
the list. The Datacrime II-B and Payday viruses were submitted by Jan
Terpstra of IBM in the Netherlands and the Amstrad was submitted by
Jean Luz of the University of Lisbon in Portugal. All three are
described in the VIRLIST.TXT file included with SCAN.
Five new viruses (at least new to McAfee and the HomeBase
group) have been submitted by Andrzej Kadlof, an editor of KOMPUTER
Magazine in Warsaw, Poland. These viruses have been reported in the
public domain within Poland and many other Eastern block countries,
according to Kadlof, but we are not aware of any reports from Western
Europe or the U.S. David Chess at IBM has been given copies as has
Joe Hirst in London to determine whether these are indeed new viruses.
In any case, they are new to SCAN and will be included in the next
release. Two are EXE and COM infectors and three are just COM
infectors. Hopefully I can report details of how they work within a
few days.
Alan
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
