home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.62
< prev
next >
Wrap
Text File
|
1995-01-03
|
6KB
|
165 lines
VIRUS-L Digest Friday, 10 Mar 1989 Volume 2 : Issue 62
Today's Topics:
Bouncing ball (PC)
Alameda virus? (PC)
Possible Virus protection
Flu_Shot+ queries answered (PC)
Brain virus infection (PC)
bouncing ball virus (PC)
---------------------------------------------------------------------------
Date: 9 March 89, 13:12:01 MEX
From: Mario Camou Riveroll <EM302723@VMTECMEX.BITNET>
Subject: Bouncing ball (PC)
Here at the Monterrey Tech (Mexico City campus) we had an epidemic of
the bouncing ball virus. This strain lodged itself in a couple of
"bad" sectors (it marked them as bad in the FAT). There seem to be at
least 2 strains, one that doesn't seem to have any adverse effects and
another one that scrambles up the FAT and root directory. That's as
much as I know about it. We call it the Italian Virus (don't know if
this helps).
Mario Camou
EM302723@VMTECMEX
"Those who can, do.
Those who can't, teach.
Those who can't teach, manage."
------------------------------
Date: 9 March 1989, 16:01:10 EST
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: Alameda virus? (PC)
John McAfee's article in the Feb 15 issue of Datamation, "The Virus
Cure" (good article, poor title) lists a boot-sector virus that he
calls the "Alameda Virus". I've never heard that name before, and it
isn't on Dave Ferbrache's February list. It does sound sort of like
the "Yale" boot virus (which McAfee doesn't list under that name);
does anyone know if the two are in fact the same? If not, does anyone
know any more about the "Alameda"?
DC
Watson Research
------------------------------
Date: Thu, 09 Mar 89 22:18:14 -0900
From: Reed Rector <SXWRR@ALASKA.BITNET>
Subject: Possible Virus protection
It seems to me that global methods of virus checking are limited
by their scope. If there is an accepted way for the system to check
for viruses, then people WILL find ways to get around it. On the other
hand, if all programmers are encouraged to include routines that look
for infection in every program they write, then the spread of viruses
can be greatly slowed.
If each program were to keep itself free of infection though
methods developed seperatly by each programmer, then there would be no
"standard" way for viruses to invade the software. These checks could
be relativly simple checksum methods, but if each program has
different code (even if they do the same basic thing) to do these
checksums, then viruses could only carry patches for a few products.
This method of individual program protection could be forced on the
whole industry by only a few programmers. Once programs become
available that have a "virus resistant" seal of approvial, they have a
great advantage over competing products that don't. I'd be willing to
bet that the cost of these routines would more than pay for
themselves, while making the virus illiterate public safer.
Thanks for your time,
Reed Rector - Systems Programming, Univ of Alaska
SXWRR@ALASKA (BITNET)
SXWRR@acad3.fai.alaska.edu (Internet)
* Disclaimer: All of the above views are mine (assuming you believe in
free will), and in no way reflect the views of anyone else.
------------------------------
Date: Thu Mar 9 13:30:39 1989
From: utoday!greenber@uunet.UU.NET
Subject: Flu_Shot+ queries answered (PC)
(Sorry for the delay in responding...some hardware problems kept me
offline for close to three weeks!)
Paul: The checksum values shipped with the distribution copy of
FLU_SHOT+ are dummy values. Although the next release will have an
easier installation package, you simply must run the code, copy down
the expected checksums, then edit them into the FLU_SHOT.DAT file. I
didn't want to have the checksum routines in two places initially as
an additional security precaution.
Jelle: I'm in the process of invetigating what PCTools does which
permits it to get around FSP1.51 - stay tuned for the next release,
which will [hopefully] solve the problem.
Ross
Ross M. Greenberg
UNIX TODAY! 594 Third Avenue New York New York 10016
Review Editor Voice:(212)-889-6431 BBS:(212)-889-6438
uunet!utoday!greenber BIX: greenber MCI: greenber PCMagNet: 72241,36
------------------------------
Date: Thu Mar 9 13:41:19 1989
From: utoday!greenber@uunet.UU.NET
Subject: Brain virus infection (PC)
Rob: you were hit with what seems to be the so-called "Brain" Virus.
There does not appear to be a seeder program of any sort. In general,
this virus takes over the BIOS interrupt for INT13, and takes a look
at the boot track on any disk it will [maybe] infect. If it finds the
key of 1234 (as a number) stored starting at offset location 4 in the
boot track, it assumes that the disk is already infected and leaves it
alone.
Ross M. Greenberg
UNIX TODAY! 594 Third Avenue New York New York 10016
Review Editor Voice:(212)-889-6431 BBS:(212)-889-6438
uunet!utoday!greenber BIX: greenber MCI: greenber PCMagNet: 72241,36
------------------------------
Date: Fri, 10 Mar 89 14:03 N
From: ROB_NAUTA <RCSTRN@HEITUE5.BITNET>
Subject: bouncing ball virus (PC)
Thanks everybody for the replies. I can answer some questions. First
of all it's not the face.com joke program, it's a real bootsector
virus. It is indeed like someone described a virus that marks one
sector bad, not three like the brain virus i read about in the
magazine Computers & Security. Defeating it is easy but I'm glad there
is no additional counter or timer. I found the following in the code
of the bootsector..
XOR AH,AH
INT 1A
TEST DH,7F
JNZ 0203
TEST DL,F0
JNZ 0203
PUSH DX
CALL 03B3
INT 1A with AH=00 gets the time of day. This explains the assumed
irrational behaviour: the virus appeared on IBM PC's but not on some
others (i mean the ball part). I could never get it to bounce at home,
probably because of the differences in cold boot time (the ibm takes
forever)... and why it would appear after a cold boot but not after
some warm boots..
Rob J. Nauta
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253