home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.39
< prev
next >
Wrap
Text File
|
1995-01-03
|
12KB
|
262 lines
VIRUS-L Digest Wednesday, 8 Feb 1989 Volume 2 : Issue 39
Today's Topics:
On COMMAND.COM viruses... (PC)
Re: Master Virus Listing info request
Virus Manual/Computer Phreak's Cookbook/Bit Jammer's Bible
(c) Brain (PC)
Re: Anarchist Cookbook for Computers
How To Book, 2
New Macintosh Virus (from Newsgroups: comp.sys.mac)
Latent Mac viruses??
---------------------------------------------------------------------------
Date: Tue, 7 Feb 89 10:36:40 est
From: ubu!luken@lehi3b15.csee.lehigh.edu
Subject: On COMMAND.COM viruses... (PC)
This latest occurrence of the Lehigh Virus made me realize (again) how
blatantly hole ridden the COMMAND.COM file is. The last couple
hundred bytes in every version of COMMAND.COM (that I've seen) contain
all 00s (for stack space while the program is executing). Also, the
*very first* instruction in the file is a JMP. What's worse, almost
all PCs have a COMMAND.COM file in their root directory. It doesn't
take a rocket scientist to figure out how to exploit these
similarities.
The best thing that a person can do (imho) to protect themselves from
a "garden variety COMMAND.COM virus" is to remove their computer(s)
from this homogeneous environment by placing a statement like:
SHELL=C:\BIN\DOS\COMMAND.COM /P
in each CONFIG.SYS file, thus booting from a COMMAND.COM in a
different directory, would help. Also, put a:
SET COMSPEC=C:\BIN\DOS\COMMAND.COM
in each AUTOEXEC.BAT file. This will allow normal functioning in
MS-DOS without leaving a COMMAND.COM file wide open to viruses. Once
exception to this (at least in the case of Zenith MS-DOS) is with the
FORMAT command; it requires a COMMAND.COM file in the root directory
to format a bootable disk. That is, the authors of FORMAT (Microsoft?
Zenith?) didn't adhere to the standard way of pointing to the
COMMAND.COM (heavy sigh)...
I realize that this has all been discussed before on VIRUS-L, and that
it certainly isn't going to stop all viruses (!). It will, however,
at least hide a major Achilles Tendon in MS-DOS. Of course, if
*everyone* did the above, then the environment would once again become
homogeneous, so each person should find a different "hiding place" for
their COMMAND.COM file.
Also, the best solution would be for Microsoft to change some of their
programming practices. Static memory allocation is asking for
problems. It's also surprising how many programs place a JMP
statement as their very first instruction.
For what it's worth,
Ken
------------------------------
Date: 7 Feb 89
From: J. D. Abolins <OJA@NCCIBM1.BITNET>
Subject: Re: Master Virus Listing info request
For Paul Bienevue's question about a master virus listing, I don't
of a comprehensive existing one yet. There are several of us who
are attempting to get a list going.
The DIRTY DOZEN listing by Eric Newhouse has a virus section. It is
the only widely available attempted virus listing I know of. But the
listing is woefully out of date (although for other malicious programs
it is excellent.) In communicating with Eric again on the Crest BBS,
he told that he plans one more Dirty Dozen listing- version 9.0. After
that, he might be "retiring" from makingmore such listings. In any
case, we (the people working on a virus listing) aim to continue the
virus listing past the Dirty Dozen if it should cease.
A general question: What are some of the taxonomical conventions for
virus cases? Ie; naming schemes for the cases.Some have been discussed
here lately. Of course, there is the approach of naming the case after
it first major reported site (eg; Lehigh virus, Jerusalem virus, etc.)
But such conventions can create problems, including giving the im-
pression that the case is localized and by causing adverse publicity
for the site named.I would like to have the choices of conventions
so that a "neutral" scheme could be used for virus listing. The
other names could given as "aliases, AKA's)
Thank you.
J.D. Abolins / 301 N. Harrison Str. #197 / Princeton, NJ 08540 USA
(609) 292-7023
------------------------------
Date: Tue, 07 Feb 89 11:37:08 EDT
From: 34AEJ7D@CMUVM.BITNET
Subject: Virus Manual/Computer Phreak's Cookbook/Bit Jammer's Bible
We would like very much to capture a copy of this publication.
(Please, no flaming diatribes about the evils of reading such
material.) We now have fairly good evidence that it is already in
circulation at at least one institution with which we have close ties
and with whom we share a certain common body of studetns. The
potential result of that is not hard to assess. Additionally, this
list itself has already offered an awareness of such a publication to
the student community.
We need to be aware of what we could be up against.
Please reply to me privately, for obvious reasons.
............................................................................
|W. K. "Bill" Gorman "Do Foust Hall # 5 |
|PROFS System Administrator SOMETHING, Computer Services |
|Central Michigan University even if it's Mt. Pleasant, MI 48858|
|34AEJ7D@CMUVM.BITNET wrong!" (517) 774-3183 |
|Disclaimer: These opinions are guaranteed against defects in materials and|
|workmanship for a period not to exceed transmission time. |
|..........................................................................|
------------------------------
Date: Tue, 7 Feb 1989 09:41 PAC
From: Marty Zimmerman <MARTYZ@IDUI1.BITNET>
Subject: (c) Brain (PC)
I'm looking for any information or advice on the "(c) Brain" virus.
Has anyone documented the means by which this thing breeds? Thanks in
advance for your help.
P.S. - please reply directly to me, unless you think your comments
would be of interest to everyone.
Marty Zimmerman
University of Idaho
Computer Services
<MARTYZ@IDUI1.BITNET>
[Ed. Take a look at J.D. Abolins's message in this digest.]
------------------------------
Date: Tue, 7 Feb 1989 12:38 EST
From: Bruce Ide <xd2w@PURCCVM.BITNET>
Subject: Re: Anarchist Cookbook for Computers
If they tell you how to write 'em, the are also telling you what
to look out for and how to destroy them. I'd buy the book.
-Grey Fox
------------------------------
Date: Tue, 07 Feb 89 19:12:53 MEZ
From: Konrad Neuwirth <A4422DAE@AWIUNI11.BITNET>
Subject: How To Book, 2
I just wanted my $0.02 to the discussion about a HOW TO book. I don't
think it is a bad idea to publish a virus. If someone types in the
virus from the book I cited earlier, almost nothing happens. and if he
just changes the routines which do something to the system (the writer
uses a "SHELL") it should be easier to write a antidote. I know it is
not easy to find about how the code was originally written, but it
should be easier to scan a program or anything infectable for a
certain bit of code, which can come from the book.
- -konrad
p.s.: the book doesn't give a listing of an antidote. maybe that would
be an idea worth thinking about...
------------------------------
Date: 7 Feb 89 15:29:46 GMT
From: hammen@csd4.milw.wisc.edu (Robert J. Hammen)
Subject: New Macintosh Virus (from Newsgroups: comp.sys.mac)
This is some info on a new Mac virus. This article was originally
posted on CompuServe, and reposted on Delphi by Robert Wiggins:
Reposted message at the request of the author, Thierry DeLettre: Until
now, all known Macintosh viruses could be easily detected by the
additional resources they created. Now, it's over... There is at least
one virus that creates no additionnal resource. This virus is called
ANTI, and infects only applications (and other files, ID=1 resource.
It inserts a JSR at the beginning of the resource and all the virus
code at the end. It seems to be very recent, but we have already found
infected Macintoshes in Paris and Marseilles, and it is probably
making its way fast across all Europe. This virus is _not_ detected by
VirusDetective or other utilities. It installs itself even when
Vaccine is on. Vaccine beeps only if the 'Always compile MPW Inits' is
_not_ checked. Virus Rx does not detect ANTI's presence in other
files, but, when infected itself, changes its name to 'Throw me in the
trash'. It doesn't seem to infect all applications, but only some (the
ones with a CODE 1 resource called 'Main'). We haven't found how it
works yet. It doesn't seem to change the System file, which doesn't
contain a CODE resource. The contagion seems to be spread by the
Finder. To see if an application is infected, you have to open its
CODE ID=1 resource with ResEdit and search for the ASCII string
'ANTI'. You can also use the advanced features (resource fork search)
of GOfer. We haven't yet found the way to remove it, but only a way to
deactivate it by changing the first words of the virus code to a RTS.
There is a strange story about this virus. Two years ago, Apple
France's developper's support manager, Alain Andrieux, wrote a utility
for his own use called 'Stamp', with which he marked the programs he
gave to developpers. If a confidential program was given out, he could
easily know where it came from. His program added a CODE resource to
the marked files, but did _not_ change anything in the CODE 1
resource. In January 89, a 'new' version of this program (Stamp 1.0b5)
began to spread in the French Mac community. When run, this program
installs the 'ANTI' virus into the marked or checked applications
and/or into the Finder. These infected applications and Finders then
become contagious themselves. It seems the virus author stole the
source code of this program, changed it into a virus installer, then
gave it away. Obviously, inserting a virus installer in an Apple
program was done to damage Apple France's reputation...
Thierry D,
Chief Mac Sysop,
Calvacom .
P.S. A copy of the virus has been sent to Jeffrey Shulman and Robert
Woodhead, so that they can update their anti-viruses consequently. .
P.P.S. I don't have access to other major American on-line services,
so please upload the above information where you can. Thierry can be
reached via CompuServe at 76670,2260.
///////////////////////////////////////////////////////////////////////////
/ Robert Hammen | hammen@csd4.milw.wisc.edu | uwmcsd1!uwmcsd4!hammen /
/ Delphi: HAMMEN | GEnie: R.Hammen | CI$: 70701,2104 | MacNet: HAMMEN /
/ Bulfin Printers | 1887 N. Water | Milwaukee WI 53202 | (414) 271-1887 /
/ 3839 N. Humboldt #204 | Milwaukee WI 53212 | (414) 961-0715 (h) /
///////////////////////////////////////////////////////////////////////////
------------------------------
Date: Tue, 7 Feb 89 17:04:31 -0500 (EST)
From: Mark Thormann <mt19+@andrew.cmu.edu>
Subject: Latent Mac viruses??
Hi. I was wondering if anyone had heard of any latent versions of
nVir, Scores, etc. which waited until a certain number of copies had
been made or a certain date passed before appearing. Would one of the
current virus detectors spot one of these things before it activated?
Any specific experiences anyone has had like this? If you reply to
this mailing list, please carbon copy to me.
Thanks,
Mark Thormann
Carnegie Mellon U.
ARPANET: mt19@andrew.cmu.edu
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253