home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.82
< prev
next >
Wrap
Text File
|
1995-01-03
|
7KB
|
175 lines
VIRUS-L Digest Thursday, 6 Apr 1989 Volume 2 : Issue 82
Today's Topics:
A New Virus Perhaps (PC)
Bad, Bad, Bad Boot Blocks (Mac)
Mac Boot Sector Virus -scary thought
WARNING: ORGASM EXEC (VM/CMS)
ORGASM EXEC siting in Florida (VM/CMS)
Cornell RTM Worm Report
---------------------------------------------------------------------------
Date: Thu, 06 Apr 89 13:36:26 MEZ
From: Ghost <UZR50F@DBNRHRZ1.BITNET>
Subject: A New Virus Perhaps (PC)
We have possibly found a new virus. It's characteristic is a
string named "Packed file is corrupt". It can be found in PCTOOLS and
other programs. New buyed program discs are infected, but till now he
didn't do anything. It is about 900 Byte long and ends with the upper
string. Does anyone heard of him or does anyone has it in his
software??
Thomas Friedrich, RHRZ Bonn, Germany
------------------------------
Date: Thu, 06 Apr 89 08:58:31 EDT
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Bad, Bad, Bad Boot Blocks (Mac)
Well, from looking in general at the history of Mac viruses so far,
they've followed Apple's implementation guidelines remarkably well :-).
The viruses all used standard Mac facilities in a slightly nonstandard
way to reproduce and spread; the ANTI virus (the most recent one) is
the first to do anything different, and that one *still* doesn't
really do anything exceptional.
The boot blocks are a different matter. As I recall, part of the
"bootstrap" code is in the ROM (the blinking-question-mark disk) and
part on the disk itself. I also don't believe that there are calls
like MessWithBootBlocks(); you'd have to get down there at the device
level and mess with it. Not that this couldn't be done, it's just much
harder that diddling another virus with ResEdit and releasing it.
--- Joe M.
------------------------------
Date: Thu, 6 Apr 89 13:03:20 CDT
From: "David Richardson, UT-Arlington" <B645ZAX@utarlg.arl.utexas.edu>
Subject: Mac Boot Sector Virus -scary thought
David M Gursky (dmg@mwunix.mitre.org) writes:
>My question is this: Why can't the bootstrap code on tracks 0 and 1 of
>a Mac disk be infected? Would Vaccine prevent such an infection?
Good question, scary. I am forwarding his original msg to
info-mac@sumex-aim-stanford.edu.
As configured, Vaccine would definately *NOT* stop it, and there is no
current detection for this type of infection (other than by hand with
FEdit or the like).
- -David Richardson, The University of Texas at Arlington
Bitnet: b645zax@utarlg Internet: b645zax@utarlg.arl.utexas.edu
UUCP: ...!{ames,sun,texbell, <backbone>}!utarlg.arl.utexas.edu!b645zax
SPAN: ...::UTSPAN::UTADNX::UTARLG::b645ZAX US Mail: PO Box 192053
PhoNet: +1 817 273 3656 (FREE from Dallas, TX) Arlington, TX 76019-2053
------------------------------
Date: Thu, 6 Apr 89 15:28 EDT
From: <JEB107@PSUVM.BITNET>
Subject: WARNING: ORGASM EXEC (VM/CMS)
*** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
An exec file known as ORGASM was released about two days ago on the
PSUVM system. This file was obviously written up here, and was
detected by Computer center personnel soon after it was released. It
sends null messages to all users linked to a particular disk and then
sends the file to all users listed in the names file it finds.
Up to this point I believed that we had a local outbreak....the file
was written with Penn State in mind...probably by a student. However,
I just got done talking with another person down at University of
Central Florida, and she reports that a copy was found at her
location. Therefore, I am now assuming that this program has spread
across BITNET.
I just felt that everyone on this list should be warned of the
possible problems in letting this program spread.
Jonathan Baker JEB107 at PSUVM.BITNET
The Pennsylvania State University.
DISCLAMER : I am just a student...not an employee. I am doing this only
to keep the community infomed about possible problems.
[Ed. Jonathan later sent me the following message that was posted by
the Penn State computing center warning its users of the EXEC. Thanks
to all for the prompt reports!]
Date: Tue, 04-Apr-89, 16:07:30 EDT
From: "Al Williams" <ALW@PSUVM.BITNET>
Subject: IMPROPER PROGRAMS BEING DISTRIBUTED ON PSUVM
A program called ORGASM EXEC is being distributed, and might be found
in your reader (RDRLIST) or on mindisks you link and access. DO NOT
RUN THIS PROGRAM. DISCARD it from your reader, or ERASE it from your
disk.
It may do some things without warning you, and does at least two
things programs should not do: it sends a null message via RSCS
(resulting in "...") to all or most logged-on users, and it mails a
copy of itself to all users listed in your NAMES file. The message is
annoying to recipients and should be embarrassing to you. Mailing out
copies should also be embarrassing, but more importantly wastes
resources and has the potential of "clogging" our system and others we
are connected to.
Distributing or providing access to any program that acts in a
surreptitious manner is considered an invalid use of your computer
account and in violation of University policies. While you may not
realize what a program does, you are responsible if you execute it.
If you are not sure a program behaves properly, DISCARD IT!
ALW
------------------------------
Date: Thu, 06 Apr 89 16:24:48 EST
From: Lois Buwalda <LOIS@UCF1VM.BITNET>
Subject: ORGASM EXEC siting in Florida (VM/CMS)
Hello,
I've run across another one of those lovely viruses which goes by the
name of ORGASM EXEC. It is disguised as a message server type utility
(approximately 1400+ lines long), with the virus itself relatively
cleverly hidden (the size of the file itself makes it difficult to
detect). The virus is effective in only 2 instances: 1) If the user
has a disk defined as virtual addr 319. It queries all users connected
to this disk and propogates itself to them. 2) If the site uses RXNAMES,
a Penn State University tool. The EXEC then sends itself to all people
in the user's NAMES file. It appears to be "safe" if these two conditions
are not met.
The virus originated at PSUVM, although at the time of this posting the
writer has not yet been caught.
Lois Buwalda
Systems Support
University of Central Florida
------------------------------
Date: Thu, 6 Apr 89 13:45:04 PST
From: PJS%naif.JPL.NASA.GOV@Hamlet.Bitnet
Subject: Cornell RTM Worm Report
Just read in the April 3 _Unix Today_ that Cornell is releasing a report
today on the Internet Worm. Does anyone know where I can get a copy?
Peter Scott (pjs@naif.jpl.nasa.gov)
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253