VIRUS-L Digest Tuesday, 28 Mar 1989 Volume 2 : Issue 73
Today's Topics:
KillVirus Init (Mac)
Transposing Virus (PC)
Re: anti-virus recommendations
UK Computer threat research association
---------------------------------------------------------------------------
Date: Sun, 26 Mar 89 00:38:49 +0100
From: David Stodolsky <stodol@diku.dk>
Subject: KillVirus Init (Mac)
KillVirus Init for Mac
"KillVirus", a startup document for the Mac, was found to be
infected with "nVIR" by Interferon 3.1. The infection was
confirmed by Virus Rx. The information box indicated its size
to be "979 bytes used, 1K on disk". The creation date was
"Tue, Sep 10, 1985, 10:08 AM", Modified "Tue, Mar 22, 1988,
9:14 AM". Version indicated "not available". The icon was a
generic document.
The document was never used, just placed in my "Anti-virus"
folder. I have deleted the document from my hard disk and
taken no further action. I ran the checks after an attempt to
start a shareware program "Concentration", which I thought
was a game, caused a screen disruption, a buzz from speaker,
and a system restart (Mac SE, System 6.0.2, Multi-finder
6.0.1. I had Vaccine version 1.0, without expert mode on.)
When I tried to copy "Concentration" to a folder on
the hard disk, I got an error, but my copy of the original (a
whole disk copy) to another floppy disk had worked. An
attempt to recopy the original back to the same floppy after
deleting the game (and emptying the trash) gave an error
indicating a failure on the target disk! Checking this disk
with "Disk First Aid" found it to be OK. This made me think
that a virus check of the disk was in order, but no virus was
found on it. Later I tried another whole disk copy to the same
target disk that failed with an "unknown error" message.
After reinitializing the target disk a whole disk copy worked,
and it was possible to move the Concentration application to
a folder on the hard disk. An attempt to execute it again led to
the system hanging, and I had to do a restart manually (by
pressing the programmer's key). I had rebuilt the desktop after
the initial crash, so that might explain the different behavior.
Or maybe it was because the Concentration application was run
before any other application the last time I tried it.
Is this really an infection, or is "KillVirus" an init that
happens to trigger both of these anti-virus programs?
****************** Interferon Report *****************
Interferon 3.1 - Version of 16 May 88 - 1988 Robert
Woodhead, Inc. - All Rights Reserved
- ------------ lines deleted----------------
(002) 04/07/88 "nVIR" Virus
- --------------lines deleted-------------------
Checking for viral infections on volume "HD0"
INFECTION: Type 002 virus detected in file:
HD0:
applications:
Anti-viral:
KillVirus
ALERT! Volume "HD0" may be infected!
Consult listing to determine the details.
Interferon run completed!
2197 files were scanned, of which 207 had resource forks.
******************** Virus Rx report **********************
Volume: HD0
Thursday, March 23, 1989 8:30 PM
User:
Virus Rx - v1.4a1
These files are infected with a known virus
Remove these files from your disk
INIT ???? KillVirus :applications:Anti-viral:
Last modified Tuesday, March 22, 1988 9:14 AM
SUMMARY:
***** FATAL infected files: 1
!!!!! You appear to have a virus !!!!
!!!!! Clean this volume !!!!
!!!!! See Virus Rx README !!!!
******************************************************
David Stodolsky diku.dk!stodol@uunet.UU.NET
Department of Psychology Voice + 45 1 58 48 86
Copenhagen Univ., Njalsg. 88 Fax. + 45 1 54 32 11
DK-2300 Copenhagen S, Denmark stodol@DIKU.DK
------------------------------
Date: Sun, 26 Mar 1989 00:52:18 EST
From: Steve <XRAYSROK@SBCCVM.BITNET>
Subject: Transposing Virus (PC)
Ross M. Greenberg wrote about a virus that randomly transposed
characters but kept track of all the transpositions in a hidden file
called BUG.DAT:
> .
> .
> .
>The virus, after spreading to all .COM and .EXE files in the current
>directory, would look for an open operation on a .DBF file. All
>writes to the file would have two bytes transposed at random. These
>bytes' offsets were stored in a file called "BUG.DAT" (a hidden file)
>in the .DBF's directory. Subsequent reads of this data would cause
>the transposition of the same data, and everything would look nifty.
>After this code had run for 90 days (after the BUG.DAT file was 90
>days old), it would trash the disk (eat the FAT and root directory).
>
>Getting rid of the virus wasn't difficult: just copy in new
>executables from your backup. However! If you did this, your data is
>history - nothing to transpose it back into "real" form.
Just some comments:
So the virus must keep all the .DBF file names and all their
transposed characters in the file called BUG.DAT? It seems to me that
if you made the mistake of getting rid of the infected *.EXE file it
wouldn't be a disaster because you'd probably still have the hidden
file BUG.DAT somewhere and could always recreate the infected file
(provided you had or could import another file infected with the
virus).
All this brings up a good point: If one day I found that my
computer was infected with a virus, *before doing anything*, I'd first
make a backup of all the files on my disk (hidden files too!). Then
I'd try to verify that all my data files (anything that wasn't an .exe
or .com file) on the backup were identical to the originals on the
main disk and hopefully intact. Then I'd go to work trying to
eliminate the infection. If something went wrong, then I'd still have
my backup. This is reasonably safe unless one encounters a virus like
the one Ross describes, only which hides the transposed-character
information in a file in a sector marked bad (even though it isn't
bad), and then (for example) you reformat the original disk (a
disaster because you'd lose BUG.DAT). So, though it's more trouble,
it's always safer to "uninfect" a copy of your infected disk if
possible.
Finally, if you're really unlucky and the virus contains a bomb, it
could still blow up before you get all your files "un-transposed".
Steven C. Woronick | Disclaimer: Always check it out for yourself...
Physics Dept. |
SUNY at |
Stony Brook, NY 11794 |
Acknowledge-To: <XRAYSROK@SBCCVM>
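The backup check described in the post above, as an added example that is not part of the original message: it compares every data file (anything that is not .exe or .com, hidden files included) on the original disk against the backup before any cleanup starts. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

SKIPPED_EXTS = {".exe", ".com"}  # executables are restored from clean media, not compared

def digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def data_files(root):
    """Relative paths of all non-executable files; os.walk also returns hidden files."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SKIPPED_EXTS:
                yield os.path.relpath(os.path.join(dirpath, name), root)

def verify_backup(original_root, backup_root):
    """Return (missing, mismatched): data files absent from or different in the backup."""
    missing, mismatched = [], []
    for rel in sorted(data_files(original_root)):
        copy = os.path.join(backup_root, rel)
        if not os.path.isfile(copy):
            missing.append(rel)
        elif digest(os.path.join(original_root, rel)) != digest(copy):
            mismatched.append(rel)
    return missing, mismatched

def demo():
    """Constructed sample tree: the backup lacks BUG.DAT and has an altered .DBF."""
    with tempfile.TemporaryDirectory() as tmp:
        disk, backup = os.path.join(tmp, "disk"), os.path.join(tmp, "backup")
        original = {"BUG.DAT": b"offsets", "LEDGER.DBF": b"records", "APP.EXE": b"MZ"}
        copied = {"LEDGER.DBF": b"recorsd", "APP.EXE": b"changed"}
        for root, tree in ((disk, original), (backup, copied)):
            os.makedirs(root)
            for name, body in tree.items():
                with open(os.path.join(root, name), "wb") as f:
                    f.write(body)
        return verify_backup(disk, backup)

if __name__ == "__main__":
    print(demo())
```

A non-empty result in either list means the backup is not yet a safe fallback and cleanup should wait.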
------------------------------
Date: Mon, 27 Mar 89 14:17:59 EST
From: Neil Goldman <NG44SPEL@MIAMIU.BITNET>
Subject: Re: anti-virus recommendations
Roman Olynyk provides us with the anti-virus recommendations from
Computer World. There is one with which I disagree (to an extent).
In regard to shareware and PD software, I do believe that users should
be cautioned that they are the primary (though not exclusive) source
of viruses due to their widespread availability. As you are all aware,
users will obtain a copy from a friend, business associate, or even a
bulletin board. Since in the first two, and periodically in the
third, no controls exist to prevent the corruption of the product from
its original form (which for the sake of argument I assume did not
have any malicious intent).
However, I do not believe that an end to PD and shareware is called
for. In the vast majority of cases, they are excellent products,
often rivaling their industry-marketed counterparts.
As an alternative to the Computer World suggestion, I recommend that
IF users want to take advantage of this software, they should contact
the ORIGINAL AUTHOR for a copy. Presumably, his product is
*uncorrupted*. Then, if a virus does then become introduced into your
system and you have documented the source of all data and programs
existing on your system, the source of the virus is determinable. Or
rather, no virus *should* infect the system to begin with.
***************************************************************
*Neil A. Goldman NG44SPEL@MIAMIU.BITNET*
* *
* Replies, Concerns, Disagreements, and Flames expected *
* Mastercard, Visa, and American Express not accepted *
***************************************************************
Acknowledge-To: <NG44SPEL@MIAMIU>
------------------------------
Date: Tue, 28 Mar 89 10:33:16 BST
From: David.J.Ferbrache <davidf@CS.HW.AC.UK>
Subject: UK Computer threat research association
For those of you interested, an umbrella organisation has been
established in the UK to co-ordinate information on, and research into
all aspects of computer security. In the first instance one of the
organisation's primary concerns will be combatting the threat posed by
computer viruses by acting as a clearing house for virus information
and control software.
Below is a copy of an initial letter mailed to prospective members:
The Computer Threat Research Association
The computer threat research association, CoTra is a non-profit making
organisation that exists to research, analyse, publicise and find
solutions for threats to the integrity and reliability of computer
systems.
The issue that caused the formation of CoTra was the rise of the
computer virus. This problem has since become surrounded by fear,
uncertainty and doubt. To the average user the computer virus and its
implications are a worry of an unknown scale. To a few unfortunates
whose systems have become a critical issue.
The key advantage of CoTra membership will be access to advice and
information. Advice will be provided through publications, an
electronic conference (a closed conference for CoTra's members has
been created on the Compulink CIX system) as well as other channels
such as general postings direct to members when a new virus is
discovered.
CoTra membership will be available on a student, full or corporate
member basis. All software that is held by CoTra that enhances system
reliability, such as virus detection and removal software, will be
available to all members. It is intended to establish discounts with
suppliers of reliability tools and services. A library of virus
sources and executables and other dangerous research material will be
made available to members who have a demonstrable need.
A register of consultants who have specific skills in the systems
reliability field will be published by CoTra and reviews of
reliability enhancing software will be produced.
Your support of CoTra will ensure that you have the earliest and most
accurate information about potential threats to your computer systems.
CoTra, The computer threat research association,
c/o 144 Sheerstock, Haddenham, Bucks. HP17 8EX
- ----------------------------------------------------------------------------
Part of the organisation's aims is to establish reciprocal links with
other similar organisations worldwide to facilitate the sharing of
experience and rapid flow of information on new threats.
To this end if you are involved in, or have contacts with, a similar
organisation in your country, please write to CoTra (or by email to
me, and I will forward your correspondence) outlining your
organisation and its aims.
Yours sincerely
- -------------------------------------------------------------------------
Dave Ferbrache Personal mail to:
Dept of computer science Internet <davidf@cs.hw.ac.uk>
Heriot-Watt University Janet <davidf@uk.ac.hw.cs>
79 Grassmarket UUCP ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ Tel (UK) 031-225-6465 ext 553
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253