VIRUS-L Digest Thursday, 13 Apr 1989 Volume 2 : Issue 88
Today's Topics:
General question....
Re: hard disk write protection
antiviral archives (Mac)
Re: nVIR Removal (Mac)
Mac software repository
Availability of FLU_SHOT+ on Simtel20.Army.Mil (PC)
Hard disk write protection
More on the Alameda Virus (PC)
---------------------------------------------------------------------------
Date: Wed, 12 Apr 1989 19:57 EST
From: Bruce Ide <xd2w@PURCCVM.BITNET>
Subject: General question....
If the virus needs to access the disk to spread why not have the
computer manufacturers modify their HARDWARE slightly so that any disk
writes are questioned? It would get irritating to users, true, but if
you don't specify save and a write occurs, I expect it would be
questioned and perhaps the user would even have enough sense to deny
access... This idea as I have it now is very rough... With some
polishing, it might be ok, but you've probably had ones like it
before, and I could probably read all about it if I felt like digging
through several years worth of archives :)
------------------------------
Date: Wed, 12 Apr 89 23:06:56 EDT
From: vanembur@gauss.rutgers.edu (Bill Van Emburg)
Subject: Re: hard disk write protection
> If you do figure out how to do this, you could probably set up a
> toggle switch or key thing to allow you to write to your disk
> when it's switched one way and keep write protection on when it's
> switched the other. If you want to keep users out, set it up with the
> key. If it's to keep viri out, set it up with the switch. It'll take
The problem with this idea is that many programs need to write
temporary files to disk. Often, the user is completely unaware that
this is happening. If you set a hardware write protect, you may find
that your favorite utility doesn't work. While this *could* serve a
useful purpose in some settings, I don't feel that it could be a
widespread solution.
-Bill Van Emburg
(vanembur@aramis.rutgers.edu)
{...}!rutgers!aramis.rutgers.edu!vanembur
------------------------------
Date: Wed, 12 Apr 89 23:13:28 CDT
From: "David Richardson, UT-Arlington" <B645ZAX@utarlg.arl.utexas.edu>
Subject: antiviral archives (Mac)
In response to the question about antiviral archives,
SUMEX-AIM.STANFORD.EDU has a HUGE Mac archive, which is anonymously
ftp-able. It has all the anti-viral software, including
disinfectant.
-David Richardson, The University of Texas at Arlington
Bitnet: b645zax@utarlg Internet: b645zax@utarlg.arl.utexas.edu
UUCP: ...!{ames,sun,texbell, <backbone>}!utarlg.arl.utexas.edu!b645zax
SPAN: ...::UTSPAN::UTADNX::UTARLG::b645ZAX US Mail: PO Box 192053
PhoNet: +1 817 273 3656 (FREE from Dallas, TX) Arlington, TX 76019-2053
------------------------------
Date: Thu, 13 Apr 89 02:10 EDT
From: "Mark H. Anbinder" <THCY@VAX5.CCS.CORNELL.EDU>
Subject: Re: nVIR Removal (Mac)
The nVIR virus (all currently-known strains, including those with
different names) can be removed with the Disinfectant program, written
by John Norstad and assisted by a group of programmers who
collaborated via the Internet. Disinfectant 1.0 is available from
various servers, or I could e-mail you a copy. Disinfectant 1.1,
which includes mostly bug fixes, is expected to be released on Monday
17 April. If you wish to use it over a TOPS network, wait for 1.1.
Mark H. Anbinder
Department of Media Services
Cornell University
------------------------------
Date: Thu, 13 Apr 89 08:37:07 EST
From: Joe Simpson <JS05STAF@MIAMIU.BITNET>
Subject: Mac software repository
Joe McMahan maintains a superior repository of Mac software on
LISTSERV at SCFVM.
The repository includes:
A Hypercard documentation stack
VACCINE a very nice protection cDev
GATEKEEPER another very nice protection cDev for programmers
VirusRX Apple's diagnostic
Interferon another very nice diagnostic.
------------------------------
Date: Thu, 13 Apr 89 07:53:08 MDT
From: Chris McDonald ASQNC-TWS-R 678-4176 <cmcdonal@wsmr-emh10.army.mil>
Subject: Availability of FLU_SHOT+ on Simtel20.Army.Mil (PC)
FLU_SHOT+, Version 1.5, has been available on simtel20.army.mil for
over one month. It can be found in the directory
pd1:<msdos.trojan-pro>. The copy posted was obtained directly from
the author, Ross Greenberg.
[Ed. Thanks for the speedy work!]
------------------------------
Date: Thu, 13 Apr 89 10:24:51 CDT
From: dennis@savant.BITNET
Subject: Hard disk write protection
>Could some hardware hacker upload instructions on disabling the write
>capability of an XT or AT style hard disk?
>[Ed. The problem with that is that the entire hard disk would be
>read-only (which could be useful for some applications).
>It'll take a bit of soldering, and a few thirty nine cent switches
>from radio shack.
Communications is obviously more difficult than just being able to send
messages! I have developed a hardware write-protect switch as mentioned.
I received a patent on it almost a year ago.
Let me make a few points.
1. It is 100% effective against modification of protected files.
2. You DO NOT have to protect the entire hard disk.
3. It requires more than a $.39 switch, unless you don't mind cooking
your disk electronics.
4. It has been available for over two years.
5. It CAN NOT be disabled by ANY software!
Dennis Director, dennis@math.nwu.edu
------------------------------
Date: Thu, 13-Apr-89 11:01:35 PDT
From: portal!cup.portal.com!Gary_F_Tom@Sun.COM
Subject: More on the Alameda Virus (PC)
In digest 2.74, Y. Radai brought up some inconsistencies he had found
between descriptions of the Yale virus and John McAfee's description
of the Alameda virus. He asks:
> So Gary, since you obviously are able to contact McAfee, would you
> mind asking him (1) to clarify the inconsistency in the dates, (2) to
> give us all available details on the Alameda-Merritt virus, and (3) to
> provide all the evidence he has for concluding that Alameda = Yale.
Here is John's response:
> 04/04/89 00:25:26
> From: JOHN MCAFEE
>
> Gary, thanks again for serving as courier for these messages. In response
> to the questions: The Alameda was first discovered in Spring 1987 at
> Merritt College. It popped up again at Alameda College, where it received
> large publicity, in February, 1988. It is identical to a virus given to
> me by Loren Keim in October of 1988, and Loren called the virus the Yale
> virus - hence my certainty. To remove any doubts, however, I am placing
> my disassembly of the Alameda virus in the MS-DOS SIG for you to forward
> along with my message. If I have been incorrect in my analysis, then I
> apologize to the august body of East coast researchers. I think, however,
> that the disassembly should match the Yale perfectly. Thank you for your
> time. (The disassembly is called - ALAMEDA.ASM).
The complete virus disassembly has been sent to Y. Radai via e-mail. Here
is the comment block from the front of John's disassembly:
; This virus is of the "FLOPPY ONLY" variety.
; It replicates to the boot sector of a floppy disk and when it gains control
; it will move itself to upper memory. It redirects the keyboard
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time
; it will attempt to infect any floppy it finds in drive A:.
; It keeps the real boot sector at track 39, sector 8, head 0
; It does not map this sector bad in the FAT (unlike the Pakistani Brain)
; and should that area be used by a file, the virus
; will die. It also contains no anti detection mechanisms as does the
; BRAIN virus. It apparently uses head 0, sector 8 and not head 1
; sector 9 because this is common to all floppy formats both single
; sided and double sided. It does not contain any malevolent TROJAN
; HORSE code. It does appear to contain a count of how many times it
; has infected other diskettes although this is harmless and the count
; is never accessed.
;
; Things to note about this virus:
; It can not only live through an ALT-CTRL-DEL reboot command, but this
; is its primary (only for that matter) means of reproduction to other
; floppy diskettes. The only way to remove it from an infected system
; is to turn the machine off and reboot an uninfected copy of DOS.
; It is even resident when no floppy is booted but BASIC is loaded
; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC,
; it activates and infects the floppy from which the user is
; attempting to boot.
;
; Also note that because of the POP CS command to pass control to
; itself in upper memory, this virus does not work on 80286
; machines (because this is not a valid 80286 instruction).
;
; The Norton utilities can be used to identify infected diskettes by
; looking at the boot sector and the DOS SYS utility can be used to
; remove it (unlike the Brain).
Gary Tom
Tandem Computers, Inc.
Cupertino, CA
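A defender's heuristic for the stashed-boot-sector behaviour the comment block describes, added here as an example (it is not part of the digest or of McAfee's ALAMEDA.ASM): it converts the documented track/head/sector to a byte offset in a raw floppy image, checks whether a DOS boot sector is parked there and differs from sector 0, and reads the FAT12 entry for that cluster to see whether it is marked bad (as Brain does) or already taken by a file. It assumes a 360 KB double-sided image with the standard DOS layout for that format; the sample image is constructed inline.

```python
# Added example, not from the digest or McAfee's disassembly. Assumes a raw
# 360 KB image (40 tracks, 2 heads, 9 sectors/track, 512-byte sectors) with
# the standard DOS FAT12 layout for that format; the sample image is constructed.
import struct

SECTOR, HEADS, SPT = 512, 2, 9
STASH_CHS = (39, 0, 8)    # track 39, head 0, sector 8: where the real boot sector is parked
FAT_START, DATA_START, SPC = 1, 12, 2   # 1 reserved + 2x2 FAT + 7 root-dir sectors; 2 sectors/cluster

def chs_to_lba(cyl, head, sector, heads=HEADS, spt=SPT):
    """Standard CHS -> LBA conversion; sector numbers start at 1."""
    return (cyl * heads + head) * spt + (sector - 1)

def looks_like_boot_sector(sec):
    """DOS boot sector: opens with a JMP (EB xx or E9 xx xx) and ends 55 AA."""
    return len(sec) == SECTOR and sec[0] in (0xEB, 0xE9) and sec[-2:] == b"\x55\xAA"

def fat12_entry(img, cluster):
    """12-bit entry for `cluster` from the first FAT copy (0xFF7 marks a bad cluster)."""
    val = struct.unpack_from("<H", img, FAT_START * SECTOR + cluster + cluster // 2)[0]
    return val >> 4 if cluster & 1 else val & 0xFFF

def scan_image(img):
    """Is a second boot sector parked at the stash location, and what does the FAT say about it?"""
    lba = chs_to_lba(*STASH_CHS)
    stash = img[lba * SECTOR:(lba + 1) * SECTOR]
    cluster = (lba - DATA_START) // SPC + 2
    entry = fat12_entry(img, cluster)
    r = {"stash_lba": lba, "stash_cluster": cluster,
         "stash_holds_boot_sector": looks_like_boot_sector(stash),
         "sector0_differs": img[:SECTOR] != stash,
         "stash_marked_bad": entry == 0xFF7,             # Brain does this; Alameda does not
         "stash_in_use": entry not in (0x000, 0xFF7)}    # a file here overwrites the saved copy
    r["suspicious"] = r["stash_holds_boot_sector"] and r["sector0_differs"]
    return r

def build_sample_image(infected=True):   # constructed 360 KB image, not real malware
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11], boot[510:] = b"\xEB\x3C\x90", b"SAMPLE  ", b"\x55\xAA"
    img = bytearray(40 * HEADS * SPT * SECTOR)
    img[:SECTOR] = boot
    img[FAT_START * SECTOR:FAT_START * SECTOR + 3] = b"\xFD\xFF\xFF"   # FAT12 media/EOC bytes
    if infected:   # real boot sector moved to the stash, sector 0 replaced by a stand-in loader
        lba = chs_to_lba(*STASH_CHS)
        img[lba * SECTOR:(lba + 1) * SECTOR] = boot
        fake = bytearray(SECTOR)
        fake[0:2], fake[510:] = b"\xEB\x1C", b"\x55\xAA"
        img[:SECTOR] = fake
    return bytes(img)
```

Run `scan_image` over a real image with the same geometry and treat `suspicious` as a reason to compare the two sectors by hand; `stash_in_use` explains the "virus will die" remark, since DOS reusing that cluster destroys the saved copy.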
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253