home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.83
< prev
next >
Wrap
Text File
|
1995-01-03
|
6KB
|
142 lines
VIRUS-L Digest Friday, 7 Apr 1989 Volume 2 : Issue 83
Today's Topics:
More thoughts on potential nasy Mac Boot Block virus (Mac)
Error in Thinking (PC)
re: A New Virus Perhaps (PC)
Zip "virus" isn't a virus (PC)
---------------------------------------------------------------------------
Date: Thu, 06 Apr 89 19:20:23 EST
From: dmg@mwunix.mitre.org
Subject: More thoughts on potential nasy Mac Boot Block virus (Mac)
In Virus-L, Joe McMahon (XRJDM@SCFVM.GSFC.NASA.GOV) wrote...
>Well, from looking in general at the history of Mac viruses so far
>they've followed Apple's implementation guidelines remarkably well :-).
When in Cupertino, do like Steve Jobs does... <Big Grin>
>The viruses all used standard Mac facilities in a slightly nonstandard
>way to reproduce and spread; the ANTI virus (the most recent one) is
>the first to do anything different, and that one *still* doesn't
>really do anything exceptional.
>The boot blocks are a different matter. As I recall, part of the
>"bootstrap" code is in the ROM (the blinking-question-mark disk) and
>part on the disk itself. I also don't believe that there are calls
>level and mess with it. Not that this couldn't be done, it's just much
>harder that diddling another virus with ResEdit and releasing it.
No question about it. A Mac Boot Block virus (henceforth I'm going to
call this thing "the Sad Mac virus") would be sophisticated IMHO, but
I'm not 100% certain. Correct me if I'm wrong, but does not the Mac
boot blocks contain the name of the file the ROM bootstrap should load
into RAM? If this is the case, the Sad Mac virus would only need to
change this name to some other file, and voila', its infiltrated the
machine. Yes, I'm grossly simplyfing things, but I've long since
retired from hacking.
On a related subject, suppose I went to the U.S. Copyright office, and
copyrighted the idea for the Sad Mac virus. Does this mean that if
someone actually went and implemented it, they are prosecutable not
only under the Computer Infiltration Act (or whatever it is called),
but the Copyright Act? Have I come up with a concept that can be
copyrighted? I doubt it is patentable.
Disclaimer: Good evening. I'm David Gursky, and you're not.
David M. Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
------------------------------
Date: Fri, 07 Apr 89 11:24:53 MEZ
From: Thomas Friedrich (Ghost) <UZR50F@DBNRHRZ1.BITNET>
Subject: Error in Thinking (PC)
Hi, there
i told of a new possible virus, but it was a mistake by me and other
people who haven't enough knowledge to check up. A system programmer
here told us today, that the string "Packed file is corrupt" is a
regular error code by the DOS program EXEPACK. It optimizes the memory
holding by a program and builds checksums. If starting such packed
program the machine loader unpacks this code and checks the sum, if
not correct this message will be returned.
In addition to that, sorry for my mistake using my pseudonym here. My
MAIL EXEC did it automaticly, and i thought it wasn't so bad, but i
know now, that this wasn't a joke. Sorry!
Thomas Friedrich
University Bonn
Germany
------------------------------
Date: 7 April 1989, 14:20:07 EDT
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: A New Virus Perhaps (PC)
That's probably just the Microsoft EXEPACK utility. It makes smaller
versions of EXE files by compressing them, and sticking on a small
decompresser program. The decompresser contains the message that you
give, in case something has damaged the compressed version of the
original file. It comes with many Microsoft compilers, and is not a
virus.
Of course, someone COULD have written a virus with that message in
it, just to lull us into trusting it...
DC
[Ed. Interesting utility - kind of reminds me of Fred Cohen's example
of a Compression Virus.]
------------------------------
Date: Fri, 7 Apr 89 13:54:15 EDT
From: Fred Hartmann <mhartma@APG-EMH5.APG.ARMY.MIL>
Subject: Zip "virus" isn't a virus (PC)
I checked with Jerry Shenk, SYSOP of Lancaster Area Bulletin Board
(LABB) regarding the possible PKZIP virus and here are his comments:
"We have version .92 of PKZIP on-line here and we have version 4.2 of
AM. The problem was not a virus. PKZIP has a feature that will allow
it to pass a files attribute to the ZIP and when the file is unZIPped
it will keep that attribute.
This has had some rather surprising consequences none of which are
really a virus although they would hog up their share of disk space.
The problem was that a file could contain a hidden file (attribute set
to hidden - nearly everyone has at least two of these such files on
their system...placed there by DOS). If these files are added to a
ZIP file and that ZIP gets unZIPped to a C:\DUMP and if that is the
directory that is normally used for ZIP unZIP operations the hidden
file(s) will be added to every ZIP that's made from that directory.
It would also be quite easy to pass those hidden files all over the
disk (ie. every place a file was unZIPped.
The primary perpetrators of this have been SYSOPs who are converting
files from ARC to ZIP and/or reZIPping for better compression. I
happen to use a utility for disk management that displays all files
(hidden or not) so I would have spotted it if it had been happening on
LABB.
As I understand, Phil is working on a flag that will disable the
'hidden' flag so that ALL files would be visible if a user wanted it
done that way."
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253