Hacker 2

home *** CD-ROM | disk | FTP | other *** search

/ Hacker 2 / HACKER2.mdf / virus / virusl2 / virusl2.83 < prev next >

Wrap

Text File | 1995-01-03 | 6KB | 142 lines

VIRUS-L Digest Friday, 7 Apr 1989 Volume 2 : Issue 83 Today's Topics: More thoughts on potential nasy Mac Boot Block virus (Mac) Error in Thinking (PC) re: A New Virus Perhaps (PC) Zip "virus" isn't a virus (PC) --------------------------------------------------------------------------- Date: Thu, 06 Apr 89 19:20:23 EST From: dmg@mwunix.mitre.org Subject: More thoughts on potential nasy Mac Boot Block virus (Mac) In Virus-L, Joe McMahon (XRJDM@SCFVM.GSFC.NASA.GOV) wrote... >Well, from looking in general at the history of Mac viruses so far >they've followed Apple's implementation guidelines remarkably well :-). When in Cupertino, do like Steve Jobs does... <Big Grin> >The viruses all used standard Mac facilities in a slightly nonstandard >way to reproduce and spread; the ANTI virus (the most recent one) is >the first to do anything different, and that one *still* doesn't >really do anything exceptional. >The boot blocks are a different matter. As I recall, part of the >"bootstrap" code is in the ROM (the blinking-question-mark disk) and >part on the disk itself. I also don't believe that there are calls >level and mess with it. Not that this couldn't be done, it's just much >harder that diddling another virus with ResEdit and releasing it. No question about it. A Mac Boot Block virus (henceforth I'm going to call this thing "the Sad Mac virus") would be sophisticated IMHO, but I'm not 100% certain. Correct me if I'm wrong, but does not the Mac boot blocks contain the name of the file the ROM bootstrap should load into RAM? If this is the case, the Sad Mac virus would only need to change this name to some other file, and voila', its infiltrated the machine. Yes, I'm grossly simplyfing things, but I've long since retired from hacking. On a related subject, suppose I went to the U.S. Copyright office, and copyrighted the idea for the Sad Mac virus. Does this mean that if someone actually went and implemented it, they are prosecutable not only under the Computer Infiltration Act (or whatever it is called), but the Copyright Act? Have I come up with a concept that can be copyrighted? I doubt it is patentable. Disclaimer: Good evening. I'm David Gursky, and you're not. David M. Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Fri, 07 Apr 89 11:24:53 MEZ From: Thomas Friedrich (Ghost) <UZR50F@DBNRHRZ1.BITNET> Subject: Error in Thinking (PC) Hi, there i told of a new possible virus, but it was a mistake by me and other people who haven't enough knowledge to check up. A system programmer here told us today, that the string "Packed file is corrupt" is a regular error code by the DOS program EXEPACK. It optimizes the memory holding by a program and builds checksums. If starting such packed program the machine loader unpacks this code and checks the sum, if not correct this message will be returned. In addition to that, sorry for my mistake using my pseudonym here. My MAIL EXEC did it automaticly, and i thought it wasn't so bad, but i know now, that this wasn't a joke. Sorry! Thomas Friedrich University Bonn Germany ------------------------------ Date: 7 April 1989, 14:20:07 EDT From: David M. Chess <CHESS@YKTVMV.BITNET> Subject: re: A New Virus Perhaps (PC) That's probably just the Microsoft EXEPACK utility. It makes smaller versions of EXE files by compressing them, and sticking on a small decompresser program. The decompresser contains the message that you give, in case something has damaged the compressed version of the original file. It comes with many Microsoft compilers, and is not a virus. Of course, someone COULD have written a virus with that message in it, just to lull us into trusting it... DC [Ed. Interesting utility - kind of reminds me of Fred Cohen's example of a Compression Virus.] ------------------------------ Date: Fri, 7 Apr 89 13:54:15 EDT From: Fred Hartmann <mhartma@APG-EMH5.APG.ARMY.MIL> Subject: Zip "virus" isn't a virus (PC) I checked with Jerry Shenk, SYSOP of Lancaster Area Bulletin Board (LABB) regarding the possible PKZIP virus and here are his comments: "We have version .92 of PKZIP on-line here and we have version 4.2 of AM. The problem was not a virus. PKZIP has a feature that will allow it to pass a files attribute to the ZIP and when the file is unZIPped it will keep that attribute. This has had some rather surprising consequences none of which are really a virus although they would hog up their share of disk space. The problem was that a file could contain a hidden file (attribute set to hidden - nearly everyone has at least two of these such files on their system...placed there by DOS). If these files are added to a ZIP file and that ZIP gets unZIPped to a C:\DUMP and if that is the directory that is normally used for ZIP unZIP operations the hidden file(s) will be added to every ZIP that's made from that directory. It would also be quite easy to pass those hidden files all over the disk (ie. every place a file was unZIPped. The primary perpetrators of this have been SYSOPs who are converting files from ARC to ZIP and/or reZIPping for better compression. I happen to use a utility for disk management that displays all files (hidden or not) so I would have spotted it if it had been happening on LABB. As I understand, Phil is working on a flag that will disable the 'hidden' flag so that ALL files would be visible if a user wanted it done that way." ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253