VIRUS-L Digest Wednesday, 21 Mar 1990 Volume 3 : Issue 61
Today's Topics:
Low level format (PC)
Utilities?
bogus Amiga program: 'VirusX 4.4'
Re: Getting files from "anonymous FTP"
probably not malicious [was Re: possible new trojan on Genie (Mac)]
Re: Stoned disinfection information (PC)
another trojan called "Virus Info" (Mac)
VirusX Trojan (Amiga)
VirusX Trojan (Amiga) More Info!
Vaxservers and Mac viruses
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: Mon, 19 Mar 90 16:06:06 -0000
From: LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: Low level format (PC)
Many of the articles I read on recovering from a virus infection
recommend a "low level format" of the hard disk as part of the
process. What is a "low level format" and how does it differ from just
using the DOS FORMAT command?
Thanks in advance for any information.
Rgds,
Iain Noble
- -----------------------------------------------------------------------------
Iain Noble |
LBA002@pa.tp.ac.uk | Post: Main Site Library,
JANET: LBA002@uk.ac.tp.pa | Teesside Polytechnic,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL | Middlesbrough,
INTERNET: LBA002%pa.tp.ac.uk@cunyvm.cuny.edu | Cleveland, UK, TS1 3BA
UUCP: LBA002%tp-pa.ac.uk@ukc.uucp | Phone: +44 642 218121 x 4371
- -----------------------------------------------------------------------------
------------------------------
Date: 19 Mar 90 22:54:52 +0000
From: william@eniac.seas.upenn.edu (Bill King)
Subject: Utilities?
Can someone tell me where the best place to get the utilities necessary
for de-arcing and unzipping the programs would be? For example, I now
have v59 of scan and clean, but don't have the unzip program. Can someone
help me out here as to an ftp address where I could get the necessary
programs? Thanks.
Bill
[Ed. The PKZIP and ARC programs are available, among many other
places, on SIMTEL20.ARMY.MIL by anonymous FTP.]
------------------------------
Date: Tue, 20 Mar 90 00:02:36 -0500
From: Jim Shaffer Jr <72750.2335%COMPUSERVE.COM@IBM1.CC.Lehigh.Edu>
Subject: bogus Amiga program: 'VirusX 4.4'
A notice has just been posted on CompuServe, by one of the sysops of the
Amiga Technical Forum, that a program purporting to be "VirusX 4.4" is
in circulation. This is a bogus program! The current version of VirusX,
as verified by its author, is 4.0.
No details of what "4.4" might do were mentioned.
------------------------------
Date: 20 Mar 90 10:31:50 +0000
From: Sam Wilson <ercm20@castle.ed.ac.uk>
Subject: Re: Getting files from "anonymous FTP"
In article 1914 of comp.virus XPUM04@prime-a.central-services.umist.ac.uk
(Anthony Appleyard) writes:
>
> Information from "Kenneth R. van Wyk" <krvw@edu.cmu.sei.cert>, with thanks.
> Some Virus-L messages say that the rest of the message can be got (say) "by
> anonymous ftp from the/quick/brown/fox/jumps.over.the.lazy.dog". For the
> information of those not very conversant with FTP, this can be done thus:-
>
> Type your computer's command "ftp cert.sei.cmu.edu". "cert.sei.cmu.edu" is
> a USA email address. It should be "edu.cmu.sei.cert@uk.ac.nsfnet-relay" if
> typed in UK (I think).
Nope! There is no direct Internet FTP access for most people in the UK.
We have our own file transfer protocol known as NIFTP (or just FTP to
its friends) or 'Blue Book'. It does not interwork with the Internet
and you can't use odd mail addresses like that given above.
If you need to access Internet FTP from the UK the NSFnet-Relay provides
a service of sorts but I don't know if it's public (yet?). Mail
Postmaster@uk.ac.NSFnet-Relay (...@NSFnet-Relay.ac.uk for folks outside
the UK and some folks inside) for details.
Most anti-viral s/w is available in the UK - see the monthly sites
postings.
Sam Wilson
Network Planning, Edinburgh University Computing Service
------------------------------
Date: 20 Mar 90 14:02:12 +0000
From: werner@cs.utexas.edu (Werner Uhrig)
Subject: probably not malicious [was Re: possible new trojan on Genie (Mac)]
I wrote:
> a rumour has reached me that a program called "Totally Safe Sex"
> on Genie may be a new trojan.
first disassembly and review makes it look like a harmless
prank, but I'd still recommend that you do not run the program
at this time unless you are absolutely certain you know how
to prevent any potential dangers to your files ...
apologies if you feel that this was an unnecessary alarm,
but it seemed the lesser evil to pass on a false warning than
waiting for 5 days to confirm it.
Cheers (or grumble?!?), ---Werner
------------------------------
Date: Tue, 20 Mar 90 22:51:07 +0000
From: gm@cunixb.cc.columbia.edu (Gary Mathews)
Subject: Re: Stoned disinfection information (PC)
DEVMTG12@SAKFU00.BITNET (MUSTAFA T. ALGHAZAL) writes:
>To all virus experts,
> One of our systems here at SAKFU00 was infected by the STONED virus.
> I remember that I read a note about how to remove this virus from a
> hard disk, but the writer was referring to some issues of COMPUTER
> & SECURITY which we were not able to get.
> If any of you knows step by step instructions to remove that virus, he
> (or she) will be thankful to send it to me directly or to the list.
>
> Mustafa ALGhazal ( DEVMTG12@SAKFU00.BITNET)
> Academic Services Manager
> King Faisal Univ.
> Saudi Arabia
You could remove the stoned virus with McAfee's clean program or more
simply, by booting off a clean dos disk and use the sys command to
transfer a new copy of the MS-DOS system onto the hard disk.
1) boot system on a clean disk
2) sys c:
3) "Stoned" virus is gone !
That's all.
- ------------------------------------------------------------------------------
Gary Jason Mathews | gm@cunixd.cc.columbia.edu
Columbia University | Death is life's way of telling you you've been fired.
- ------------------------+ CPU time flies when you have a lot of bugs
------------------------------
Date: 21 Mar 90 02:58:02 +0000
From: milano!werner@cs.utexas.edu (Werner Uhrig)
Subject: another trojan called "Virus Info" (Mac)
shortly after the first 2 trojans showed up on "that Canadian BBS"
a third (but technically different) one showed up - and I do not
believe anyone reported it publicly yet (and I had hopes to
snarf the "evil ones" with it. alas ....)
This trojan claims to also be from the "DeathTrack" group as were
the first two.
it will *IMMEDIATELY* destroy your disk(s) - and I assume if anyone
had run into it, we would have heard about it by now ...:-()
well, if anyone sees it show up ANYWHERE (or any other program which
you suspect after running it and finding your hard disk unusable
immediately afterwards, for that matter) please let me know.
(you do keep copies of all new software you download on more
than one place, don't you?!! else, if you execute it and it
destroys the disk it was on .... right. you can't send me a
copy for analysis!)
Cheers (what for?! right!), ---Werner
- --------------------------> please send REPLIES to <------------------------
INTERNET: werner@cs.utexas.edu
or: werner@rascal.ics.utexas.edu (Internet # 128.83.144.1)
UUCP: ...<well-connected-site>!cs.utexas.edu!werner
------------------------------
Date: 21 Mar 90 04:42:17 +0000
From: consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler)
Subject: VirusX Trojan (Amiga)
A friend of mine here at SUNY-Binghamton just informed me of a message
that was posted to CompuServe recently. I've no idea as to how valid
it is, but it's better to be safe than sorry, even VIA 3rd-hand news.
It seems that somebody has released something called "VirusX 4.4" into
the public domain. THIS IS A BOGUS PROGRAM, and may be a trojan.
According to Steve Tibbett (sp?), the author of VirusX, the most
recent version of the disinfectant is 4.0.
Just thought you might like to know.
+------///-+------------------| BRETT KESSLER |------------------+-\\\------+
| /// | consp11@bingvaxu.cc.binghamton.edu | \\\ |
| \\\/// | consp11@bingvaxa.BITNET | \\\/// |
| \XX/ | (PeopleLink) B.KESSLER | \XX/ |
+----------+-----------------------------------------------------+----------+
------------------------------
Date: 21 Mar 90 07:17:17 +0000
From: consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler)
Subject: VirusX Trojan (Amiga) More Info!
With regards to my earlier posting about the bogus version of VirusX
(version 4.4), here is the original text. It originally appeared in
comp.sys.amiga and comp.sys.amiga.tech. I thought that my posting was
a little sketchy, so here's a (slightly) better one.
- -----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----
There is a file going around now that supposedly has a new version of
VIRUSX. The archive says the file has version VIRUSX 4.4 and that it was
released on March 10th.
I've done some analysis on the files in the archive, and the archive
appears to have the same executables as VirusX 4.0. The doc files and
the C code in the archive talk about two viruses that are supposedly
"harmless". It appears the messages were put there to lull people into
a false sense of security.
I've contacted Steve Tibbett, and he has confirmed that this archive was NOT
released by him. He's working on a new version of VIRUSX, but this is
NOT IT.
WATCH OUT FOR THIS BAD ARCHIVE, AND LET PEOPLE KNOW ABOUT IT!
Official VIRUSX releases are posted to ALL the national networks by Steve
Tibbett, or by an official agent.
- ------------------
SR Pietrowicz UUCP: ...!uunet!modcomp!srp CIS: 73047,2313
73047.2313@compuserve.com
- -----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----
No more "hard info," but at least it's a confirmation that the darned
thing exists, and that it is probably trouble.
+------///-+------------------| BRETT KESSLER |------------------+-\\\------+
| /// | consp11@bingvaxu.cc.binghamton.edu | \\\ |
| \\\/// | consp11@bingvaxa.BITNET | \\\/// |
| \XX/ | (PeopleLink) B.KESSLER | \XX/ |
+----------+-----------------------------------------------------+----------+
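The quoted analysis above rests on comparing the files in the suspect archive against a known release. As an added example (not part of the original posts), this sketch hashes two already-unpacked directory trees and reports which files are byte-identical, modified, renamed, added or missing. The file names and contents are constructed placeholders, and identical executables do not by themselves make a repackaged archive trustworthy.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_releases(known_good: Path, suspect: Path) -> dict[str, list[str]]:
    """Classify every file in the suspect tree against the known-good tree."""
    good, sus = digest_tree(known_good), digest_tree(suspect)
    good_hashes = set(good.values())
    report = {"identical": [], "modified": [], "renamed": [], "added": []}
    for name, h in sus.items():
        if good.get(name) == h:
            report["identical"].append(name)   # same path, same bytes
        elif name in good:
            report["modified"].append(name)    # same path, different bytes
        elif h in good_hashes:
            report["renamed"].append(name)     # known bytes under a new name
        else:
            report["added"].append(name)       # content never seen in the release
    report["missing"] = sorted(set(good) - set(sus))
    return report


def demo() -> dict[str, list[str]]:
    # Constructed sample trees standing in for two unpacked archives.
    with tempfile.TemporaryDirectory() as tmp:
        good, sus = Path(tmp, "release_4.0"), Path(tmp, "claimed_4.4")
        for d in (good, sus):
            (d / "docs").mkdir(parents=True)
        (good / "VirusX").write_bytes(b"\x00\x00\x03\xf3 constructed executable")
        (good / "docs/VirusX.doc").write_text("Version 4.0 notes (constructed)")
        (sus / "VirusX").write_bytes(b"\x00\x00\x03\xf3 constructed executable")
        (sus / "docs/VirusX.doc").write_text("Version 4.4 notes (constructed)")
        (sus / "extra.c").write_text("/* constructed extra source */")
        return compare_releases(good, sus)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9} {names}")
```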
------------------------------
Date: Tue, 20 Mar 90 14:22:00 -0600
From: POST@ADMIN.ripon.edu
Subject: Vaxservers and Mac viruses
Hi all!
I think I already know the answer to this one, but could anyone
comment on Mac viruses infecting VAXen file servers. It would seem to
me that this is impossible, but we'd like a more practical view.
Thanks.
Mike Post
Ripon College
POST@ADMIN.RIPON.EDU
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253