VIRUS-L Digest Thursday, 30 Mar 1989 Volume 2 : Issue 76
Today's Topics:
Disinfectant for Mac
RE: Star Trek virus
PKWare virus? (PC)
Not really an nVIR (Mac)
Disinfectant (Mac)
New England J. of Med. letter
KillVirus Init not malevolent (Mac)
Re: KillVirus Init (Mac)
---------------------------------------------------------------------------
From: David.J.Ferbrache <davidf@CS.HW.AC.UK>
Date: Wed, 29 Mar 89 10:03:02 BST
Subject: Disinfectant for Mac
Ken,
you asked about disinfectant. In my opinion this is probably the most
comprehensive virus control program available for the Mac system. The
program is designed to detect all non-hypertext Mac viruses (including
the recent AIDS resource edited nVIR strain). Most importantly this
program can detect the new Anti virus (see recent posting by Danny
Schwendener) which a number of older tools fail to detect [No
characteristic resource additions].
If run together with an INIT to detect modification of code file
resources (hmm, vaccine, gatekeeper, watcher etc one of this group),
it should provide excellent protection.
Availability:
Disinfectant 1.0 was posted to comp.sys.mac recently, and is available
from a number of backbone archive sites, including the info-mac
archives, and Heriot-Watt's anti-virus software archive.
I suspect Werner Uhrig's archives on RASCAL.ICS.UTEXAS.EDU should
also have a copy in the virus-tools directory (although I haven't
confirmed this).
European sites can pull a copy by sending mail to
<info-server@cs.hw.ac.uk> with the body:
request: virus
topic: mac.disinfect
Bugs:
One serious problem due to contention while accessing files from
remote servers, involving missed directories. John's looking into the
problem at the moment.
Features:
- Detects and repairs files infected by Scores, nVIR A, nVIR B, Hpat,
  AIDS, INIT 29, ANTI, and MacMag. These are all of the currently known
  Macintosh viruses.
- Scans volumes (entire disks) in either virus check mode or virus
  repair mode.
- Option to scan a single folder or a single file.
- Option to "automatically" scan a sequence of floppies.
- Option to scan all mounted volumes.
- Can scan both MFS and HFS volumes.
- Dynamic display of the current folder name, file name, and a thermometer
  indicating the progress of a scan.
- All scans can be cancelled at any time.
- Scans produce detailed reports in a scrolling field. Reports can be
  saved as text files and printed with an editor or word processor.
- Carefully designed human interface that closely follows Apple's
  guidelines. All operations are initiated and controlled by 8 simple
  standard push buttons.
- Uses an advanced detection and repair algorithm that can handle partial
  infections, multiple infections, and other anomalies.
- Careful error checking. E.g., properly detects and reports damaged and
  busy files, out of memory conditions, disk full conditions on attempts
  to save files, insufficient privileges on server volumes, and so on.
- Works on any Mac with at least 512K of memory running System 3.2
  or later.
- Can be used on single floppy drive Macs with no floppy shuffling.
- 8500 word online document describing Disinfectant, viruses in general,
  the Mac viruses in particular, recommendations for "safe" computing,
  Vaccine, and other virus fighting tools. The document can be saved as
  a text file and printed with an editor or word processor. We tried to
  include everything in the document that the average Mac user needs to
  know about viruses.
John Norstad wrote Disinfectant with the help of an international group
of Mac virus experts, programmers and enthusiasts: Wade Blomgren,
Chris Borton, Bob Hablutzel, Tim Krauskopf, Joel Levin, Robert Lentz,
Bill Lipa, Albert Lunde, James Macak, Lance Nakata, Leonard Rosenthol,
Art Schumer, Dan Schwendener, Stephan Somogyi, David Spector, and
Werner Uhrig.
--------------------------------------------------------------------------
Dave Ferbrache Personal mail to:
Dept of computer science Internet <davidf@cs.hw.ac.uk>
Heriot-Watt University Janet <davidf@uk.ac.hw.cs>
79 Grassmarket UUCP ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ Tel (UK) 031-225-6465 ext 553
------------------------------
Date: Wed, 29 Mar 89 13:39 EST
From: "Mark H. Anbinder" <THCY@VAX5.CCS.CORNELL.EDU>
Subject: RE: Star Trek virus
There WAS one problem with the Star Trek: The Next Generation episode
"Contagion" as far as the treatment of computer viruses was concerned.
How did this alien code get executed? If the Enterprise downloaded
the other ship's log as data, no code buried within it should have
been executed.
My speculation was that ship's logs include code (perhaps security
systems) that must be executed in order to access the data, so the
virus code could have been executed that way.
Mark H. Anbinder
------------------------------
Date: Wed, 29 Mar 89 13:53:20 EST
Sender: Virus Alert List <VALERT-L@IBM1.CC.Lehigh.Edu>
From: msmith%TOPAZ.RUTGERS.EDU@IBM1.CC.Lehigh.Edu
Subject: PKWare virus? (PC)
Original-Date: Wed, 29 Mar 1989 10:50 MST
Original-From: Keith Petersen <w8sdz@wsmr-simtel20.army.mil>
Mark, I hope whoever posted messages on this will retract them
immediately. There is NO virus and PKWare is NOT involved.
Here is the REAL story:
2/25/89 - ARCMASTER SOFTWARE DANGER
-----------------------------------
The ArcMaster compression program shell/menu system has been a very
popular download on our BBS. In the past week I have received
numerous reports of messed up hard disks after running ArcMaster
version 4.0 and 4.01. I don't know if there were bugs in those
versions, or if some hacker has decided to target ArcMaster for
trojans.
I suggest all users of ArcMaster 4.0 and 4.01 stop using those
versions and wait until you can get a clean, new version from a
reliable source.
My apologies to John Newlin, since he has written some great software,
but the reports of trashed hard disks have been consistent enough to
warrant some caution with the 4.x versions of ArcMaster.
Bob Mahoney Exec-PC Multi-user BBS 414-964-5160
------------------------------
Date: Wed, 29 Mar 89 16:52:00 EST
From: Joe McMahon <XRJDM@SCFVM.BITNET>
Subject: Not really an nVIR (Mac)
The KillVirus INIT installs what I've called a "killed" virus - an
nVIR 10 resource that some (but not all) versions of nVIR check for.
If nVIR finds this resource in the system file, it "goes dormant" and
doesn't infect that copy of the System.
Generally, NOT RECOMMENDED. It triggers the detectors (as you've seen)
and interferes with Vaccine. You should remove the nVIR 10 resource
from any System whose system folder you've installed KillVirus and
make sure that KillVirus is out of there too.
Vaccine is safer and works as well.
--- Joe M.
------------------------------
Date: Wed, 29 Mar 89 16:59:52 EST
From: Joe McMahon <XRJDM@SCFVM.BITNET>
Subject: Disinfectant (Mac)
Disinfectant comes from John Norstad, someone whose work I would very
much trust. If John says it cleans up all that stuff, it does.
The only other thing I'd like to mention is that as viruses get more
complex, the less I trust disinfectants. I'm all for using them to
clean up far enough to finish what you're doing and THEN clean up by
replacing, but I wouldn't bet the farm on them.
--- Joe M.
------------------------------
Date: Wed 29 Mar 89 13:22:09-PST
From: Ted Shapin <BEC.SHAPIN%ECLA@ECLA.USC.EDU>
Subject: New England J. of Med. letter
New England Journal of Medicine, March 23, 1989, Vol. 320, No. 12,
page 811-12. _COMPUTER-VIRUS INFECTION OF A MEDICAL DIAGNOSTIC
COMPUTER_
To the Editor:
Computers used in diagnostic imaging, intensive care monitoring, and
other such functions have been relatively immune to computer
vandalism, because they have been special purpose units that are not
easily programmed by amateurs. A detailed MEDLINE search has revealed
no previous reports of "infection," or sabotage, of medical diagnostic
data with a computer "virus."
Recently, our Department of Nuclear Medicine acquired new
image-display stations for cardiac studies, consisting of powerful
personal computers (PCs) (Macintosh II) that provide high-quality
images for diagnosis. After successfully using the system for several
weeks, we noted occasional random malfunctions. Often the computer had
to be shut down and then restarted before it would respond to any
commands. Occasionally, nonexistent patients and garbled names appeared
on the patient directory. We found that approximately 70 percent of
the programs on the PC data disk had been altered by the insertion of
an exogenous code into the standard computer instructions. In
addition, many new files were found scattered among the legitimate
programs. We found that our system harbored two separate computer
viruses. An investigation revealed that these viruses had spread from
a computer company to both our facilities (located 20 miles apart) and
a nearby university medical center PC network.
The computer virus has many similarities to biologic viruses. It is a
small program designed to splice copies of itself into other programs.
When these programs are run, the viral code directs the computer to
make additional copies of the virus and splice them into other
"uninfected" programs. The original program then continues after a
barely noticeable delay. As with biologic viruses, host facilities are
subverted into producing endless copies of the foreign intruder. At
random intervals, these hidden programs may produce delays, noises,
scrambling, or actual deletion of data from computer storage. The
viral infection may spread from computer to computer by the simple
insertion of a floppy disk into an infected machine and later into
another, similar computer. This is the likely mechanism of spread of
the viruses we encountered. Floppy disks used by members of our staff
for word processing were found to contain copies of at least one of
these viruses. After several weeks of meticulous work, all copies of
the virus were eliminated from our systems.
Mass production of PCs has generated a large pool of amateur
programmers, a few of whom attempt computer sabotage either as an
intellectual challenge or as vandalism. The capability of the PC to
perform literature searches, word processing, and other tasks tempts
users of hospital PCs to insert a variety of "foreign" disks, thus
spreading infections. We now examine all software before use in our
systems and have alerted our personnel to the need to practice "safe
computing". As multipurpose PCs replace their safer single-purpose
predecessors in patient care, the need for expanded vigilance is
clear.
Jack E. Juni, M.D.
Richard Ponto
William Beaumont Hospitals
Royal Oak, MI 48072-2793
-------
------------------------------
Date: Wed, 29 Mar 1989 13:34:11 EST
From: Clare Shawcross <CLARES@BROWNVM.BITNET>
Subject: KillVirus Init not malevolent
A couple of postings have been made recently about KillVirus Init, one
(from Jonathan Baker) wondering if it was a virus or virally infected,
and the other (from David Stodolsky) suggesting that it is some sort
of breeding ground for viruses.
In fact, KillVirus Init is intended to *protect* your files from nVIR
by "vaccinating" your disk. KillVirus contains a dummy nVIR and
installs one in your System file. Interferon and VirusRX can't tell
the difference between this and a real virus. But your Macintosh can.
And so can you. One way of checking is to run a smarter program like
Disinfectant which will not flag the dummy virus. The commercially
available program Virex will go so far as to flag such a virus as a
fake one.
The more adventurous may want to use ResEdit to look at the nVIR
resource on a file. If it is called "InstallTrap (ID=1)" or "nVIR
Inhibitor (ID=10)" then you are dealing with a dummy virus rather than
the real thing.
Clare Shawcross
Consulting Support Specialist
Brown University
------------------------------
From: Andrew Dawson <andrew@UXM.SM.UCL.AC.UK>
Date: Thu, 30 Mar 89 10:31:54 BST
Subject: Re: KillVirus Init (Mac)
The KillVirus Init is *NOT* infected with the nVIR virus - it just
appears that way to a lot of virus search utilities. A feature of nVIR
is that it will effectively disable itself if it finds an nVIR
resource with ID=10 in the system file. If you place killvirus in your
system folder and reboot, it will install an nVIR 10 resource in the
system to prevent infection, at the same time removing any other nVIR
resources. In order to do this effectively, killvirus itself has an
nVIR 10 resource, which is simply copied. There is no code in this
resource. Most virus checking utilities check for resources of a
certain type - and the presence of any nVIR resource will cause
warnings from Interferon, Virus RX or Virus Detective (and probably
others).
While I'm not actually very keen on anything that modifies the system
file, KillVirus has proved very effective in keeping our machines
clean - it will automatically disinfect any nVIR infected application
that a user attempts to launch.
Andrew Dawson
School of Medicine Computer Unit
University College London
------------------------------
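An added illustration (not part of the digest, and not code from KillVirus, Disinfectant or any other tool named above) of the distinction drawn in the two KillVirus posts: a type-only check warns on any nVIR resource, while a check that also compares the ID and name against the dummy resources Clare Shawcross lists can separate an inoculated System from one that needs review. The resource listings, the `Resource` tuple and the function names are constructed for this example; a name and ID are only labels, so a match says what the resource claims to be, not what it contains.

```python
from typing import NamedTuple

class Resource(NamedTuple):
    rtype: str   # four-character resource type as shown in ResEdit
    rid: int     # resource ID
    name: str    # resource name (may be empty)

# ID/name pairs the digest gives for the dummy (inoculation) resources.
DUMMY_MARKERS = {(1, "InstallTrap"), (10, "nVIR Inhibitor")}

def naive_scan(resources):
    """Type-only check: the presence of any nVIR resource raises a warning."""
    return any(r.rtype == "nVIR" for r in resources)

def triage(resources):
    """Split nVIR resources into known dummy markers and unexplained ones.

    Verdicts: 'clean' (no nVIR resources), 'inoculated' (only dummy
    markers), 'review' (at least one nVIR resource that is not a marker).
    """
    nvir = [r for r in resources if r.rtype == "nVIR"]
    markers = [r for r in nvir if (r.rid, r.name) in DUMMY_MARKERS]
    unexplained = [r for r in nvir if (r.rid, r.name) not in DUMMY_MARKERS]
    if not nvir:
        verdict = "clean"
    elif unexplained:
        verdict = "review"
    else:
        verdict = "inoculated"
    return {"verdict": verdict, "markers": markers, "unexplained": unexplained}

# Constructed sample listings (types other than nVIR are arbitrary filler).
CLEAN_SYSTEM = [Resource("FONT", 12, "Geneva"), Resource("DRVR", 2, ".Print")]
INOCULATED_SYSTEM = CLEAN_SYSTEM + [Resource("nVIR", 10, "nVIR Inhibitor")]
UNEXPLAINED_SYSTEM = INOCULATED_SYSTEM + [Resource("nVIR", 2, "")]

if __name__ == "__main__":
    for label, listing in [("clean", CLEAN_SYSTEM),
                           ("inoculated", INOCULATED_SYSTEM),
                           ("unexplained", UNEXPLAINED_SYSTEM)]:
        result = triage(listing)
        print(f"{label:12} naive_warning={naive_scan(listing)!s:5} "
              f"verdict={result['verdict']}")
```
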
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253