VIRUS-L Digest Tuesday, 28 Mar 1989 Volume 2 : Issue 74
Today's Topics:
RE: virus in PD software
Disinfect 1.0 (Mac)
The KillVirus Alarm (Mac)
(from UseNet rec.ham-radio) virus in PKZIP? (PC)
Re: Israeli viruses; Alameda virus (PC)
RE: Zip virus (PC)
---------------------------------------------------------------------------
Date: Tue, 28 Mar 89 09:41 EST
From: Roman Olynyk - Information Services <CC011054@WVNVAXA.WVNET.EDU>
Subject: RE: virus in PD software
Neil Goldman's comments about viruses lurking in PD/Shareware are good.
However, I'd like to add yet another way of obtaining "sanitized"
copies of public domain goods: CD-ROM. We (WVNET) distribute software
from PC-SIG directly off of a laser disk. Although not 100%
guaranteed, you can be sure that nothing can corrupt the software once
it has been burned onto a CD-ROM disk -- at least not yet! ;-)
------------------------------
Date: Tue, 28 Mar 89 09:48:42 EST
From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk)
Subject: Disinfect 1.0 (Mac)
A colleague just showed me a program, called Disinfect (version 1.0)
that was announced in INFO-MAC. It claims to do quite a bit,
including detect most major Mac viruses (Scores, ANTI, AIDS, Init 29,
MacMag, etc.), and it is even supposed to be able to remove most
(all?) of the above. The claims are quite impressive. I'm not a Mac
user, however, so don't take my word for it.
Any Mac people out there have any more info on this?
Ken
------------------------------
Date: Tue, 28 Mar 89 11:41 EST
From: <JEB107@PSUVM.BITNET>
Subject: The KillVirus Alarm (Mac)
(This is in response to the recent report of an infection to the
program resource KillVirus, for the Macintosh....)
If memory serves me correctly (and I am sure that I will be corrected
if I am wrong) KillVirus is not a program per se. The resource is
meant to be the culture where viruses can infect a 'resource' and then
the program can be edited to determine the exact workings of the
virus. If you are waging war against a new virus this can be an
extremely good thing, as you do not have to root around in the source
code to find what you are looking for.
If this is true (as I said before) then remove this copy of KillVirus
and replace it with a clean copy. But be forewarned : you most
certainly have a system infection on your hands, so before you go
using your system, I recommend a dose of Interferon (to find
infections) and Vaccination (to remove them). Also - replace the
system. This is the safest way of making sure you have a clean one to
work with.
I am open for comments or questions....after all, trying to keep our
labs free of contamination keeps me open for help....
Thanks
Jonathan Baker JEB107 @ PSUVM
Penn State University.
------------------------------
Date: Tue, 28 Mar 89 11:49:25 EST
Sender: Virus Alert List <VALERT-L@IBM1.CC.Lehigh.Edu>
From: msmith@TOPAZ.RUTGERS.EDU
Subject: (from UseNet rec.ham-radio) virus in PKZIP? (PC)
Original-Date: 25 Mar 89 03:56:53 UTC (Sat)
Original-From: wa2sqq@kd6th.nj.usa.hamradio (BOB )
PKZIP/PKUNZIP .92
AM40/AM41
Recent developments in the software world have required the famous
PKARC software to be replaced by a new version called PKZIP/PKUNZIP.
While several versions have been seen, the latest appears to be
version .92 . Usually listed on landline BBS's is a program which
will provide a menu driven screen for PKZIP, usually listed as AM-40
or AM-41.
After running these one time, the embedded virus allocated 13 meg of
memory to "never never land". It appears that this "strain" looks to
see how much memory is occupied on the HD and then proceeds to gobble
up an equal amount of unused memory. The results are devastating if
you have more than 50% of the drive's capacity in use. With the
assistance of Gary WA2BAU I was able to retrieve the lost memory by
using CHKDSK /f. For those of you who are not familiar with this DOS
command, drop me a line @KD6TH and I'll elaborate. My sincere thanks
goes out to Gary WA2BAU for saving me lots of disk handling ! Please
pass this on to your local BBS and be sure to include the remedy.
Best 73 de WA2SQQ
Bob Kozlarek
@KD6TH in Wycoff,
NJ
[Ed. Can anyone verify that this is actually a virus and not just a
bug in the program, or a Trojan Horse?]
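The "lost memory" Bob describes, and what CHKDSK /F hands back as FILEnnnn.CHK files, are clusters marked in use in the FAT that no directory entry's chain reaches. The toy model below, an added example that is not part of the digest, walks a constructed FAT12-style table to find such orphaned chains; the table, the directory start clusters and the cluster size are all made up for illustration.

```python
# Added example (not from the digest): a toy model of the lost-cluster check
# that CHKDSK /F performs. Clusters marked used in the FAT but reachable from
# no directory entry are "lost"; each such chain becomes a FILEnnnn.CHK file.

EOC = 0xFFF   # end-of-chain marker (FAT12 style, constructed)
FREE = 0x000  # free cluster

# Constructed 16-entry FAT. Entries 0 and 1 are reserved; data starts at 2.
# Chains: 2->3->4->EOC, 6->7->EOC, 9->10->11->EOC, 13->14->EOC.
SAMPLE_FAT = [0xFF8, EOC, 3, 4, EOC, FREE, 7, EOC,
              FREE, 10, 11, EOC, FREE, 14, EOC, FREE]
# Constructed directory: only two files, starting at clusters 2 and 6.
SAMPLE_DIRS = [2, 6]
CLUSTER_SIZE = 2048  # bytes per cluster, constructed

def walk_chain(fat, start):
    """Follow a cluster chain from `start`; stop at end marker, free
    cluster, out-of-range value or loop (defends against cross-links)."""
    seen = []
    cur = start
    while cur != EOC and cur not in seen and 0 < cur < len(fat):
        seen.append(cur)
        cur = fat[cur]
    return seen

def find_lost_clusters(fat, dir_entries):
    """Return allocated clusters that no directory entry's chain reaches."""
    reachable = set()
    for start in dir_entries:
        reachable.update(walk_chain(fat, start))
    allocated = {i for i in range(2, len(fat)) if fat[i] != FREE}
    return sorted(allocated - reachable)

def lost_chains(fat, lost):
    """Group lost clusters into chains, one per would-be FILEnnnn.CHK.
    A chain head is a lost cluster that no other lost cluster points to."""
    pointed_to = {fat[c] for c in lost}
    heads = [c for c in lost if c not in pointed_to]
    return [walk_chain(fat, h) for h in heads]

if __name__ == "__main__":
    lost = find_lost_clusters(SAMPLE_FAT, SAMPLE_DIRS)
    print("lost clusters:", lost)
    print("lost space:", len(lost) * CLUSTER_SIZE, "bytes")
    for n, chain in enumerate(lost_chains(SAMPLE_FAT, lost)):
        print(f"FILE{n:04d}.CHK would contain clusters {chain}")
```

Whether the orphaned chains came from a virus, a crash or a buggy front-end cannot be told from the FAT alone, which is exactly the editor's question above.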
------------------------------
Date: Tue, 28 Mar 89 18:30:58 +0200
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: Re: Israeli viruses; Alameda virus (PC)
To begin with, I thought it appropriate to warn readers that Fri13
(the Israeli Friday-the-13th virus) has apparently been "improved"
(i.e. made less noticeable) by someone in the U.S. so that it
increases the size of EXE files only once, does not cause a slowdown
after 30 minutes, and does not scroll the screen. Of course, it still
causes deletion of files executed on any Friday the 13th.
In #71, David Ferbrache mentioned the two April 1 viruses which were
discovered in Israel [at the beginning of 1988]. I too would like to
hear of reports of the April 1 viruses elsewhere, not only recent
outbreaks but also at any time in the past so that we can know whether
these viruses really originated in Israel.
Dave asked me for further details on these viruses. In principle,
I'd be glad to oblige, but that requires research, which requires
time, and since neither of these viruses seems to cause any real
damage and both have apparently been eradicated locally, such research
necessarily gets low priority. However, I will take this opportunity
to make a few small clarifications and corrections to Dave's description:
(1) The variant of Fri13 ("sURIV 3.00") is not only "less
dangerous", but not dangerous at all due to a bug; (2) the names
"sURIV x.xx" which Dave has given them are based on strings which
appear in the viral code (but they could probably be altered without
disabling the viruses); (3) I wouldn't describe the April 1 viruses as
"variants of the Friday 13th virus".
In any case, I've promised to supply Dave with anti-viral programs
and various text files for his server (sorry for not doing it yet,
Dave), and will do so as soon as I find the time. At that time I'll
also post a notice to the List.
In #62 David Chess mentioned the Alameda Virus which was described
by John McAfee in the Feb 15 issue of Datamation. Now I had seen
another article of McAfee's in the Feb 13 issue of Computerworld which
contained the same table of "the 6 most common computer viruses", and
like David, I also conjectured that Alameda = Yale. Actually, from
the few details which McAfee gives, about the only similarities are
that both are PC boot sector viruses which do *not* mark as bad the
sector on which they store the original boot code. However, the fact
that none of the values of the generation counter found at Yale last
August were less than 12h could be explained if Yale were a
continuation of some other virus, such as Alameda.
However, there was one point which bothered me: McAfee describes
the Alameda virus as follows: "Stores original boot sector on first
free sector." Now this is *not* true of the Yale virus, which always
stores it in the ninth sector of Track 40. I decided that the
description by Chris Bracy and Loren Keim of the Yale virus was far more
dependable than McAfee's meager description of the Alameda, and that
there was a good chance that the two viruses are the same, after all.
But what I don't understand now is what basis *McAfee* has for
stating categorically that the two viruses are the same.
And there's another peculiarity: In his original article, McAfee
wrote that the origin of the virus was "Merritt College ... spring
1988". However, in his response of Mar 14 which was reprinted in
VIRUS-L #71, he says "It was first discovered at Merritt ... in April
of 1977". I originally thought: well, he obviously means April of
1988. But later he writes that the virus reached Alameda in Feb 1988.
So now I'm thoroughly confused!
So Gary, since you obviously are able to contact McAfee, would you
mind asking him (1) to clarify the inconsistency in the dates, (2) to
give us all available details on the Alameda-Merritt virus, and (3) to
provide all the evidence he has for concluding that Alameda = Yale.
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Tue, 28 Mar 89 14:48 EDT
From: Paul Coen <PCOEN@DRUNIVAC.BITNET>
Subject: RE: Zip virus (PC)
>While several versions have been seen, the latest appears to be
>version .92 . Usually listed on landline BBS's is a program which will
>provide a menu driven screen for PKZIP, usually listed as AM-40 or
>AM-41.
>
>After running these one time, the embedded virus allocated 13 meg of
>memory to "never never land". It appears that this "strain" looks to
>see how much memory is occupied on the HD and then proceeds to
Is the virus in PKZIP or in AM-40? From the sound of it this is in
AM-40. Also, I've been running PKZIP 0.92 for a couple of weeks (on
my HD) without a problem. I would advise anyone looking to get Zip to
either get it from someone reliable, or, from the PKWARE BBS in
Wisconsin. Also, any front-end menu programs should be downloaded
from there. I don't have the number handy, but if anyone wants it I
can get it. I'm not very surprised at this, since ARC/ZIP type
programs have been a favorite of program writers for a couple of years
now. Thanks for the warning.....
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253