VIRUS-L Digest Monday, 26 Mar 1990 Volume 3 : Issue 63
Today's Topics:
Viruses and Copyrights (Part 4 - Final)
Virus-L index of V3 #1 to #60
FAX Address for Tacoma Software.
re: Ping Pong Virus Question (PC)
re: Virus Replication Rates
Re: viri using Hamming
Re: New Mac Virus?
False Alarm (was Re: New Mac Virus?)
VirusX 4.4 (Amiga)
False version of antivirus program
Re: Possible virus alert (PC)
VIRUS SCANNING UTILITIES (pc)
Virus Alert - NEW VIRUS IN GERMANY (PC)
Prosecute Virus Authors?
viruses or viri, a philological question
VirusX 4.4
Mac file infected with Scores and nVIR -- Usable? (Mac)
F-PROT.ZIP update (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 22 Mar 90 15:07:00 -0500
From: davidbrierley@lynx.northeastern.edu
Subject: Viruses and Copyrights (Part 4 - Final)
Although no longer required by law, it is important to include an
appropriate copyright notice in a work to insure full legal protection in
the event of an infringement suit.
The _ONLY_ internationally recognized copyright symbol, as of the
publication of my source, is the 'c' in a circle. A 'c' in parentheses
(c) is _NOT_ an internationally recognized symbol (but this could change).
In the United States "copyright" and "copr." are valid substitutes, but they
may not hold up in other countries. For computer use the author (M.J. Salone)
recommends these possible notices for various situations:
(these are for use if the circled c is not available.)
Copyright 1990 John Doe
Copr. 1990 John Doe
(C) Copyright 1990 John Doe
(C) Copr. 1990 John Doe
Copyright John Doe (This work is unpublished)
Copr. John Doe (This work is unpublished)
(C) Copyright John Doe (This work is unpublished)
(C) Copr. John Doe (This work is unpublished)
Copyright John Doe (Work in Progress)
Copr. John Doe (Work in Progress)
(C) Copyright John Doe (Work in Progress)
(C) Copr. John Doe (Work in Progress)
The phrase "All rights reserved." is required under some international
treaties.
I've used a lot of software in my time and I have noticed that a lot of
publishers use "defective" copyright notices in their programs, like:
(C) 1990 John Doe
DISCLAIMER: I am not a lawyer. This information was taken from _How to
Copyright Software_ by attorney M.J. Salone (3rd edition).
------------------------------
Date: Wed, 21 Mar 90 09:43:32 +0000
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
Subject: Virus-L index of V3 #1 to #60
SUBJECT ISSUE
<Mac: Virus Alerts>
after trying JCremote & MacII Diagnostic Sound,got damaged resource fork 11
Grammatik may contain WDEF A 19
New NVIR-like virus, VIREX can detect, can't identify or fix;
Disinfectant can't find [New virus?] 23
[Trojan Alert (MAC)]Mosaic and Fontfinder, they damage disks 30
New Trojan Warning! (Mac) 52
Prog "Totally Safe Sex" on Genie is [possible new trojan on Genie (Mac)] 60
<Mac: AIDS virus>
This is not the trojan [There is more than 1 virus called AIDS!] 21
AIDS Virus (Mac) and AIDS Trojan (Non-Mac) 34
<Mac: Anti-Virals>
How to get Mac Anti-viral programs 4
Another place to get them [RE: Anti-virus programs] 4
Is this Anti-viral site available to Usenet as well as Bitnet? 6
Is there alternate virus protection besides Vaccine & Gatekeeper? 6
answer to alt. virus prot: try RWATCHER [RE: Alt. virus prot.] 7
1st Aid Software, Publisher of Anti-virus Kit,
will do no further updates to software [An unfortunate victim] 11
[Ed. Remainder of index package (for Mac, PC, and miscellaneous) is
available by anonymous FTP on cert.sei.cmu.edu (IP number
128.237.253.5). Filenames are:
pub/virus-l/archives/index.v3i1-60.appleyard.pc
pub/virus-l/archives/index.v3i1-60.appleyard.mac
pub/virus-l/archives/index.v3i1-60.appleyard.misc
]
------------------------------
Date: Fri, 23 Mar 90 12:54:57 +0000
From: Dave Tillett <CPI001@IBM.SOUTHAMPTON.AC.UK>
Subject: FAX Address for Tacoma Software.
Does anyone have the fax address of Tacoma Software Systems, the
suppliers of VIRSTOP. I have just had a fax from them which does not
give their number and I need to send a reply.
Thanks
Dave
Dave Tillett CPI001@UK.AC.SOUTHMAPTON.IBM
Southampton University Computing Services phone 0703 592161
fax 0703 593939
------------------------------
Date: 23 Mar 90 00:00:00 -0500
From: "David.M..Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Ping Pong Virus Question (PC)
ag541@cleveland.Freenet.Edu (John Zola):
> It is also known as the Bouncing Ball, the Bouncing Dot, the
> Italian, the Vera Cruz, the Falling Letters, and the Boot Virus.
"Falling Letters" is a different virus. "Boot Virus" isn't really
the name of any particular virus...
> The original Ping Pong Virus is a boot sector virus first
> reported in March 1988. The original virus could only infect
> floppy diskettes.
Although people are constantly saying this, I've never encountered
anyone who had a copy of the floppy-only version. The Bouncing Ball
(or whatever) virus that's out there actively spreading in the world
infects both floppies and hard disks.
> would like to find out whether this so-called bad sector is a
> duplicate of the virus or possible a data segment that the virus
> uses.
The virus is too large to fit into the small boot sector; the place on
the disk(ette) that it reserves for itself is used to store the rest
of the virus, and of course the original valid DOS boot sector that it
has overlaid.
DC
------------------------------
Date: 23 Mar 90 00:00:00 -0500
From: "David.M..Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Virus Replication Rates
Fascinating stuff! What sort of data does he base his rate estimates
on? I would be (pleasantly) surprised if anyone had managed to gather
reliable enough data to make a credible estimate. Will the paper
appear in some journal at some point? Do you know if preprints are
available? DC
------------------------------
Date: 23 Mar 90 13:17:03 +0000
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: viri using Hamming
jg3o+@andrew.cmu.edu (Jason Ari Goldstein) writes:
> Excuse me for my apparent cluelessness but could someone please tell me what
> people mean by Hamming? From context I think I know what ever one is talking
It is an error correcting scheme that lets you detect and correct
errors. It is used in various serial transmission schemes and in file
integrity verification. Apparently some viruses (please not viri)
have Hamming error correcting code included that attempts to correct
errors or changes made to the virus.
Cheers
woody
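As an added illustration of the error-correcting scheme Woody describes (this is example code written for this edition, not anything from the thread), here is a Hamming(7,4) encoder and decoder. Each 4-bit data nibble gets three parity bits; on decode, the three parity checks form a syndrome that equals the position of a single flipped bit, which is then flipped back. The `demo` function, using a constructed input string, flips one random bit in every codeword and recovers the original bytes. The same property that makes the code useful for file integrity is also its limit: two flipped bits in one codeword produce a syndrome that points at the wrong position and the data is silently miscorrected, which is why integrity checking should not rely on the code alone.

```python
import random

# Hamming(7,4): codeword positions 1..7, parity bits at the powers of two
# (1, 2, 4) and data bits d1..d4 at positions 3, 5, 6, 7.


def hamming_encode(nibble):
    """Encode four data bits [d1, d2, d3, d4] into a 7-bit codeword list."""
    d1, d2, d3, d4 = nibble
    p1 = d1 ^ d2 ^ d4   # check over positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4   # check over positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4   # check over positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(codeword):
    """Return ([d1, d2, d3, d4], corrected_position).

    The syndrome (s1, s2, s3) is the 1-based position of a single flipped
    bit, or 0 when all three checks pass. Two flipped bits also give a
    non-zero syndrome, but it points at a third bit, so the result is
    wrong without any indication: Hamming(7,4) corrects one error only.
    """
    c = list(codeword)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 | (s2 << 1) | (s3 << 2)
    if pos:
        c[pos - 1] ^= 1
    return [c[2], c[4], c[5], c[6]], pos


def _nibble_to_bits(n):
    return [(n >> s) & 1 for s in (3, 2, 1, 0)]


def _bits_to_nibble(bits):
    return sum(b << s for b, s in zip(bits, (3, 2, 1, 0)))


def encode_bytes(data):
    """Each byte becomes two codewords, high nibble first."""
    return [hamming_encode(_nibble_to_bits(n))
            for b in data for n in (b >> 4, b & 0xF)]


def decode_bytes(codewords):
    """Reassemble bytes and count how many codewords needed a correction."""
    out = bytearray()
    corrected = 0
    for i in range(0, len(codewords), 2):
        hi, p_hi = hamming_decode(codewords[i])
        lo, p_lo = hamming_decode(codewords[i + 1])
        corrected += (p_hi != 0) + (p_lo != 0)
        out.append((_bits_to_nibble(hi) << 4) | _bits_to_nibble(lo))
    return bytes(out), corrected


def demo():
    """Constructed input: encode a short string, flip exactly one bit in
    every codeword at a seeded random position, and recover the original."""
    rng = random.Random(1990)
    words = encode_bytes(b"VIRUS-L")          # 7 bytes -> 14 codewords
    for cw in words:
        cw[rng.randrange(7)] ^= 1
    return decode_bytes(words)                # (b"VIRUS-L", 14)


if __name__ == "__main__":
    print(demo())
```

The position-as-syndrome trick only works because the parity bits sit at positions 1, 2 and 4: every other position is covered by exactly the checks whose index bits are set in its binary representation.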
------------------------------
Date: Fri, 23 Mar 90 15:07:02 -0500
From: "Norman William Franke, III" <nf0i+@andrew.cmu.edu>
Subject: Re: New Mac Virus?
Make sure you are using the most current version of TeachText, which is
1.2 I believe. TeachText isn't really meant to be used as a word
processor, hence the name; it's meant to read readme files, and the like.
You can also check the modification dates on TeachText to determine if
it has been modified lately.
Viruses are generally the last thing I look for. This may not be a good
idea, but I usually find on the Mac it's something else. For example,
have you added any new INITs or CDEVs? Try removing them all. Next you
could try to replace your System and Finder. I've had my System get
corrupted a few times, while under MultiFinder usually.
However, the easiest thing to do would be to use one of the virus checkers
publicly available. One of the better non-commercial ones is
Disinfectant 1.6, which you can get from most clusters on campus,
appleshare servers, or via FTP from sumex. (36.44.0.6,
/info-mac/virus/disinfectant-16.hqx). To be super-safe you can do this
on a friend's system. Put Disinfectant and a system/finder on a disk,
lock it, and boot from this disk on your machine. Then run Disinfectant
from that disk. If you have a known virus, it should be able to remove
it.
Norman Franke
nf0i+@andrew.cmu.edu
------------------------------
Date: Fri, 23 Mar 90 16:18:10 -0500
From: Yary Richard Phillip Hluchan <yh0a+@andrew.cmu.edu>
Subject: False Alarm (was Re: New Mac Virus?)
OK, sorry for crying wolf!
First, there were some things I forgot to mention in my original post:
I run a known clean copy of Disinfectant 1.6 on my entire hard drive
every two days, in addition to running SAM Intercept and Virex in the
background. Hence the title "new mac virus?" Also, I have not changed
any inits in my System folder since I reformatted my hard drive a couple
months ago.
The occasional MacMail bomb could be anything, as it is still in its
test version.
The TeachText bomb is most probably from my inadvertently copying over
my version 1.2 with an older 1.1.
As for the sys err #10 when I boot up, who knows? I booted up my
machine, and other than the old version of TeachText everything seems
fine. If anything odd happens again, I'll let everyone know.
I would like to thank everyone who promptly sent mail pointing me in the
right direction. Now I can enjoy my vacation!
-Yary
------------------------------
Date: 23 Mar 90 21:09:55 +0000
From: consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler)
Subject: VirusX 4.4 (Amiga)
This article was originally posted to American People/Link's AmigaZone
club by Steve Tibbett, the author of VirusX. As long as this article
is kept in its entirety, it can be re-posted anywhere. (I copied it
from comp.sys.amiga.)
-----
Club : AMIGA ZONE Sec: 2
Date : 3/22/90 19:59 Num: 63,234
Theme: VIRUSX 4.4
To : ALL By : STEVEX
Title: WHAT IT IS
-----
A bogus version of VirusX has appeared recently, and has begun circulating
under the name "VirusX 4.4".
VirusX 4.4 is not by me, but it's not something to worry about if you
have run it. VirusX 4.4 is a VirusX 4.0 archive that has been slightly
modified by somebody who obviously doesn't know anything about C, nor
programming the Amiga (based on some of the things he says).
The 4.4 archive contains a VirusX.Docs that has a new "Virus"
appended to the docs, has a longer description of this virus appended
to the source file, had some punctuation moved around in the source
file, and had the 4.00 version number patched to 4.40.
That's it. If you have it, don't use it because you'll just confuse
yourself. Please don't pass it on.
The only places that I normally personally upload VirusX to are
my own BBS (OMX, at 613-731-3419), and People/Link.
I will have a new version of VirusX with a few new features, and knowledge
of a number of new viruses, to release within the next few days.
On another VirusX-related topic, some people have noticed that XOPER
reports that VirusX uses an incredible amount of CPU time (between 40% and
60% of the available CPU time) for a program that's supposed to run in the
background. Well, VirusX is pretty nice to the Amiga system, so I checked it
out with Commodore's PerfMon (PM) from the 1.3 Extras disk, and it reports
that VirusX takes almost no processor time. I trust PM.
...Steve
Brett Kessler
consp11@bingvaxu.cc.binghamton.edu
consp11@bingvaxa.BITNET
(PeopleLink) B.KESSLER
------------------------------
Date: Fri, 23 Mar 90 17:30:00 -0500
From: <WOLVERIN@JHUVMS.BITNET>
Subject: False version of antivirus program
I think an interesting question is raised by the (intentional) rumor of a
new version. Presuming that an evildoer wants people to accept the phony
version, with whatever virus it might contain, how can we trust what is
said anywhere about shareware? I have a friend who knows something about
computers, and he told me it's relatively easy to send messages under false
names. How can we tell whether a person whose opinion we trust is really
"speaking"?
Andre Teschner
------------------------------
Date: Fri, 23 Mar 90 16:21:23 -0600
From: Gary Heston <psuvax1!unix.cis.pitt.edu!usc.edu!sci34hub.sci.COM!gary@dsinc>
Subject: Re: Possible virus alert (PC)
Sounds more like your hard drive or power supply is about to go bad.
There is no hardware whatsoever that can alter the speed of a hard
disc in a PC or AT style system. Failure of either the power supply's
+12V output or the drive's motor control circuitry is indicated,
unless the power connection into the drive is loose.
The increasing number of bad sectors points to the drive.
Keep those backups safe.....
---
Gary Heston { uunet!sci34hub!gary } System Mismanager
SCI Technology, Inc. OEM Products Department (i.e., computers)
"I think, therefore, !PANIC! illegal protected mode access attempt
Memory fault: core dumped
------------------------------
Date: Fri, 23 Mar 90 18:36:00 -0800
From: jmolini@nasamail.nasa.gov (JAMES E. MOLINI)
Subject: VIRUS SCANNING UTILITIES (pc)
Arthur Gutowski <AGUTOWS@WAYNEST1.BITNET> writes:
> In Virus-L, v3.i59, Jim Molini gives an alternative to having to register
> many copies of shareware programs for virus detection. He suggests using
> a PD CRC checker (eg, FILETEST by Len Levine) to monitor program changes,
> and use your one registered copy of a scanner/disinfector if any changes
> are detected.
>...
> We (at Wayne State) have a similar problem to the one he's addressing.
> We are starting an IBM token-ring LAN, with Ethernet, and will be running
> Novell. There will be several workstations hooked up to a server. Some
> will be used for a special program involving teaching kids (high school
> age) how to use PCs and word processors, database programs, spreadsheets,
> etc. Development on these machines will not be an issue. However, our
> Engineering department also intends to use some of the workstations as
> well, and they may very well do a fair amount of program development.
>
> Jim, would you suggest the same approach for a network where there may be
> heavy programming? I'd like to see some more discussion of this topic.
Arthur, you have identified the primary problem associated with CRC type
virus detectors. They work against a baseline that always tends to change
when working with program development. Nevertheless, this is not an
insurmountable problem, because you can usually isolate your program
development environment into a separate directory, or partition. What I
would recommend is for you to continue with something like FILETEST after
you have relocated the destination directory for your program development
environment into another area (preferably onto another partition of your
disk). In this way, you are once again ensuring that your primary
partition is stable enough to use a CRC type program.
It is kind of like the problem of locating smoke detectors in a commercial
kitchen. Most people don't. They usually have fire extinguishers in
hazardous areas and locate smoke detectors outside the kitchen area because
smoke naturally occurs in a kitchen area and would then generate too many
false alarms. In certain cases they will use sprinklers, which are not
activated by smoke (only heat) and figure that if the smoke is bad enough
to activate a detector outside the kitchen, it must be bad enough at that
point to generate an alarm.
In your environment, if you located program development code in a
non-bootable partition under C: (like D:, or E:) and scanned C:, you should
have a very good chance of detecting viruses before they became a problem,
as long as you are not running your network software from a drive that is
not being scanned. Then, if you are really worried about your production
software (and you should be if you anticipate exporting it from your
machines) then you can use one of the other scanners for detecting viruses
on those files.
Now that I've stuck my foot in it, let me hedge by saying that the existing
CRC detectors you described will not detect the more advanced viruses, like
4096, without extensive modifications. But that is an issue for a future
edition of Virus-L.
Jim Molini.
------------------------------
Date: Sat, 24 Mar 90 10:22:54 -0500
From: Christoph Fischer <RY15@DKAUNI11.BITNET>
Subject: Virus Alert - NEW VIRUS IN GERMANY (PC)
We received a sample of a new virus. This is very URGENT since this virus
will activate part of its payload on ** APRIL 1st **
Overview:
It will only infect .COM files since it searches for *.COM during the
infection process. (much like the Vienna, 648, UNESCO family but it does
multiple infections upon execution of an infected .COM file).
It does *NOT* create a TSR.
It is a prepending virus, thus it will overwrite the first part of an
uninfected file, saving the data being overwritten behind the host code.
The file will grow 1539 bytes. The infection process is not very
sophisticated and will cause noticeable delays and harddisk action upon
each invocation of an infected file.
The virus is self-encrypting. (very simple mechanism) The decryption mechanism
is slightly modified on each infection. With another simple trick it prevents
the debugger from tracing correctly. (just takes seconds for an experienced
user to circumvent).
The virus carries *TWO* payloads:
1. From 24th of December till the end of each year it will write an X-mas tree
and the following German message on the screen:
Und er lebt doch noch : Der Tannenbaum !
Frohe Weihnachten ...
Translation:
And still it is alive : The Christmas Tree !
Merry Christmas ...
Note: The tree is done with '*' and IBM PC special characters. It might be
an allusion to the famous BITNET worm CHRISTMA EXEC !
No further damage is done.
2. On April 1st it will drop a sabotage code into the partition table of
harddisk 0 (note this is on the physical level) and into the bootsector
of floppydrives 0 and 1. (using INT 13, so some protection sw will
prohibit this action)
This code will write the following string : 'April, April ...' and a beep
to the screen and hang the system upon next boot up.
(Translation: April fool)
The virus will identify itself by looking for the following 7 bytes in the
very beginning of each .COM file EB 07 56 0A 03 59 00
We got our first sample from a small town in northern Germany named Altena.
A highschool student found it while he was trying out a program that plays
a Christmas tune on Dec. 24th (he set his clock and got the tree on his screen
while running several other programs).
I am not fully done with the disassembly since I had a virus myself,
bad case of FLU :-)
I think we will name it the XA1 virus for X-mas and April 1st.
Sincerely
Christoph Fischer
*****************************************************************
* Christoph Fischer and Torsten Boerstler and Rainer Stober *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
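Jim Molini's message above describes a two-stage procedure (a PD CRC checker such as FILETEST watching a stable production partition, with the development area kept out of the baseline, and a real scanner applied only when the CRC stage reports a change), and Christoph Fischer's alert gives a concrete identifier a scanner can use: the 7 bytes EB 07 56 0A 03 59 00 at the start of an infected .COM file, plus the 1539-byte growth. The following Python, written for this edition as an added example and not code from either poster or from FILETEST, puts the two together. It builds a CRC-32 baseline of a directory tree while skipping a named development directory, reports changed, added and removed files, and then checks only the flagged .COM files against the XA1 identifier. The sample disk layout in `demo` is constructed on the fly in a temporary directory; the "infected" file is a test fixture that merely begins with the published identifier and is padded to the published growth, not a real sample.

```python
import os
import tempfile
import zlib

# Identifier and file growth as given in the XA1 alert in this digest.
XA1_SIGNATURE = bytes.fromhex("EB07560A035900")
XA1_GROWTH = 1539


def file_crc32(path):
    """CRC-32 of a file read in chunks (the job FILETEST does in the thread)."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def build_baseline(root, exclude_dirs=()):
    """Map relative path -> (size, crc32) for every file under root, skipping
    the named top-level directories (the program-development area)."""
    root = os.path.abspath(root)
    excluded = {os.path.join(root, d) for d in exclude_dirs}
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in excluded]
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = (os.path.getsize(full),
                                                    file_crc32(full))
    return baseline


def compare(before, after):
    """Changed, added and removed files between two baselines."""
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def looks_like_xa1(head):
    """True if the file's first bytes are the 7-byte XA1 identifier."""
    return head[:len(XA1_SIGNATURE)] == XA1_SIGNATURE


def second_stage(root, report, before):
    """Run the signature check only on .COM files the CRC stage flagged.
    Returns [(relative path, growth in bytes or None for new files)]."""
    suspects = []
    for rel in report["changed"] + report["added"]:
        if not rel.upper().endswith(".COM"):
            continue
        full = os.path.join(root, rel)
        with open(full, "rb") as f:
            head = f.read(len(XA1_SIGNATURE))
        if looks_like_xa1(head):
            grew = os.path.getsize(full) - before[rel][0] if rel in before else None
            suspects.append((rel, grew))
    return suspects


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample layout; returns (crc report, signature suspects)."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "COMMAND.COM"), b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 60)
        _write(os.path.join(root, "UTIL", "FILETEST.EXE"), b"MZ" + b"\x00" * 100)
        _write(os.path.join(root, "DEV", "PROJECT.COM"), b"\xC3" + b"\x00" * 10)
        before = build_baseline(root, exclude_dirs=["DEV"])

        # Developer rebuilds PROJECT.COM: DEV is outside the baseline, no alarm.
        _write(os.path.join(root, "DEV", "PROJECT.COM"), b"\xC3" + b"\x00" * 20)
        # Test fixture for the scanner: identifier in front, padded to the
        # growth the alert reports, original content behind it (constructed).
        with open(os.path.join(root, "COMMAND.COM"), "rb") as f:
            original = f.read()
        padding = b"\x00" * (XA1_GROWTH - len(XA1_SIGNATURE))
        _write(os.path.join(root, "COMMAND.COM"), XA1_SIGNATURE + padding + original)
        # An unrelated new .COM: reported as added, but no signature match.
        _write(os.path.join(root, "NEW.COM"), b"\xC3")

        after = build_baseline(root, exclude_dirs=["DEV"])
        report = compare(before, after)
        return report, second_stage(root, report, before)


if __name__ == "__main__":
    print(demo())
```

Two caveats that follow from the thread itself: a CRC-32 is a checksum, not a cryptographic hash, so a baseline only tells you that something changed, not what; and, as Molini notes, a checker that trusts what DOS returns when it reads a file will not see changes a virus like 4096 hides from it, which is why the baseline should be taken and re-checked after booting from known-clean media.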
------------------------------
Date: 23 Mar 90 19:03:49 +0000
From: garth!dbarnes@unix.sri.com (Dave Barnes)
Subject: Prosecute Virus Authors?
I was wondering...I read a comment somewhere that said
"[such-and-such] virus was written by [so-and-so]"
Do we know who any of the authors of virii are, and if so, can anybody
prosecute them? I know you can for single incidents like the big
network virus that was written by the student back east, but what
about PC viruses?
----------------------------------------------------------
David Barnes
UUCP: {pyramid,sri-unix,ingr}!apd!dbarnes 415/852-2365
USPS: Intergraph APD, 2400 Geng Road, Palo Alto, CA 94303
----------------------------------------------------------
------------------------------
Date: Sat, 24 Mar 90 12:06:00 -0500
From: Christoph Fischer <RY15@DKAUNI11.BITNET>
Subject: viruses or viri, a philological question
Virus, originally meaning slime or poison, is of Latin origin. It was a
collective noun of neuter gender such as vulgus, meaning common people,
and occurred in the singular only.
The plural form viri belongs to the Latin noun vir, meaning man, and has
nothing to do with virus.
So viruses is the only acceptable plural form of virus and moreover
a good example of British pragmatism in using loan words.
Sincerely
Christoph Fischer
*****************************************************************
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET *
*****************************************************************
------------------------------
Date: Sun, 25 Mar 90 13:03:00 -0500
From: High on Bick's <SLONOSKY@QUCDN.BITNET>
Subject: VirusX 4.4
Has anyone figured out what this program does yet? I realize it's only been a
short time since its release, but was just curious.
Dave
------------------------------
Date: Mon, 26 Mar 90 06:42:07 +0000
From: drz@po.cwru.edu (David Zinkin)
Subject: Mac file infected with Scores and nVIR -- Usable? (Mac)
(Sorry if I'm doing something wrong. I've never posted here before.)
My copy of SideKick for the Mac has been infected with TWO viruses at the
same time -- Scores and nVIR A. Is it possible to make SideKick usable
again? The only tool I've tried using is SAM 1.5, which will only let me
delete the file, not repair it. I don't want to try anything else until I
know the file won't be damaged.
Thanks in advance for helping.
- -- Dave Zinkin --
Disclaimer: The opinions and ideas expressed here are solely my own.
------------------------------------------
I see, and I forget.
I hear, and I remember.
I do, and I understand.
(Ancient Chinese Fortune Cookie)
------------------------------------------
Dave Zinkin - drz@po.cwru.edu
------------------------------
Date: Fri, 23 Mar 90 13:54:03 -0600
From: James Ford <JFORD1@UA1VM.BITNET>
Subject: F-PROT.ZIP update (PC)
Fridrik (Frisk) Skulason's F-PROT.ARC program has been placed on the
server at MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) for anonymous FTP in
the directory pub/ibm-antivirus. Thanks to Leonard Levine for uploading
it (it was you, wasn't it?). (The file was converted from ARC to ZIP.)
F-PROT.ZIP had been uploaded incorrectly earlier (thanks to Carol Conti-Entin
for spotting this). This has been corrected. If you note any other errors,
please drop me a line so I can correct it.
For virus-trackers: Jerusalem Virus-B was found in our IE student lab.
----------
Discover all unpredictable errors before they occur.
----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa)
------------------------------
End of VIRUS-L Digest
*********************