VIRUS-L Digest Tuesday, 3 Apr 1990 Volume 3 : Issue 67
Today's Topics:
re: Updated signature files for IBM VIRSCAN (PC)
Confirmed virus infection (PC)
More viruses from Taiwan (PC)
Disinfectant 1.7/New ZUC Virus (Mac)
Small-pox
=VIR? (Mac)
SCAN60 Trojan Reports (PC)
Re: New ZUC virus (Mac)
Re: Death of a Virus
New viruses from South Africa (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: 02 Apr 90 00:00:00 -0500
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Updated signature files for IBM VIRSCAN (PC)
Version 1.1 of the program (including new & larger signature files)
was recently released. Should be available through your IBM
Marketing Representative, and perhaps some dealers. Not sure if
there's an 800 number this time... DC
------------------------------
Date: Tue, 27 Mar 90 14:37:34 -0000
From: Bob Kilgore <bobkil@ibmpcug.co.uk>
Subject: Confirmed virus infection (PC)
FOR INFORMATION ONLY:
An outbreak of Jerusalem virus, (1813) was detected here at
Oceonics FDS on 26 Mar. 1990. There were 26 .COM and .EXE
files infected. The infection probably occurred on the week
of 19 Mar. It was detected quickly because the operator was
keeping track of file size on backup listings and 2 very
large programs were infected.
The system is a CAD system and is running a popular CAD
program. There is very little else in the system other than
DOS, the CAD system, and the obligatory Norton Utilities.
The files infected were DOS files, mouse.co, xt.exe, chkdsk,
diskcopy, etc. There were a number of the Norton programs
contaminated; he thought he had a disk problem. Four very
large CAD programs, 204K to 387K load modules were infected
and did not perform correctly.
The CAD system is under a maintenance contract with the
vendor and within the last two weeks has undergone some major
updates. This involved the installation of new software
modules supplied by the vendor. This task was begun on the
week of 12 Mar. and the software became 'flaky'. The vendor
told us they had found a bug in the new release disks and
sent us another set that would correct the problem.
The second set was installed the week of 19 Mar. We have
reached the conclusion that the virus was probably attached
to the second set of disks. We could not check all of the
new disks since four were forwarded to our Gloucester
facility to upgrade their system. It is a bit unfortunate
that the Gloucester people rang us up during my evaluation
of the problem to inform me that they had a suspected virus.
I have no hard evidence that the disk came from the vendor,
you won't find their name here, but it seems highly likely.
I want to thank Dr. Solomon for the virus tool-kit. It did
a superb job of identification and made life easy in the
recovery of the system. There was never any 'real' danger
since the operator is a very firm believer in regular
backups, and the retention of the backup documentation.
BOB
Forgot to mention the original update disks came from the
U.S. of A.
------------------------------
Date: Mon, 02 Apr 90 18:49:51 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: More viruses from Taiwan (PC)
A few days ago I reported a number of computers arriving infected from
Taiwan. This does not seem to be limited to one manufacturer (Northern
International).
A computer from a company named "Jafuco" arrived infected with not
one, not two, but three different viruses: "Stoned", "Brain" and
"Jerusalem".
This is the first reported occurrence of "Stoned" here in Iceland, and
both "Brain" and "Jerusalem" have been very rare here.
Is there a major virus epidemic in Taiwan or what ?
- --
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 |
------------------------------
Date: Mon, 02 Apr 90 20:24:52 -0400
From: jln@acns.nwu.edu
Subject: Disinfectant 1.7/New ZUC Virus (Mac)
Disinfectant 1.7
================
April 2, 1990
Disinfectant 1.7 is a new release of our free Macintosh virus
detection and repair utility.
Version 1.7 recognizes the new ZUC virus. Thanks to Don Zucchini and
Francesco Giagnorio for discovering and reporting this new virus.
The ZUC Virus
=============
The ZUC virus was first discovered in Italy in March, 1990. It is named
after the discoverer, Don Zucchini.
ZUC only infects applications. It does not infect system files or data
files. Applications do not have to be run to become infected.
ZUC was timed to activate on March 2, 1990. Before that date it only
spread from application to application. After that date, approximately
90 seconds after an infected application is run, the cursor begins to
behave unusually whenever the mouse button is held down. The cursor
moves diagonally across the screen, changing direction and bouncing
like a billiard ball whenever it reaches any of the four sides of the
screen. The cursor stops moving when the mouse button is released.
The behavior of the ZUC virus is similar to that of a desk accessory
named Bouncy. The virus and the desk accessory are different, and
they should not be confused. The desk accessory does not spread, and
it is not a virus. ZUC does spread, and it is a virus.
ZUC has two noticeable side effects. On some Macintoshes it causes the
desktop pattern to change. It also often causes long delays and an
unusually large amount of disk activity when infected applications are
opened.
ZUC can spread over a network from individual Macintoshes to servers
and from servers to individual Macintoshes.
Except for the unusual cursor behavior, ZUC does not attempt to do any
damage.
Vaccine is not effective against ZUC. GateKeeper 1.1.1, however, is
effective against ZUC.
ZUC does not change the last modification date when it infects a file,
so you cannot use the last modification dates in the Disinfectant
report to trace the source of a ZUC infection.
Other Changes in Version 1.7
============================
Some people have used ResEdit to add a copy of the standard system WDEF
0 resource to Desktop files in an attempt to inoculate their disks
against the WDEF virus, even though we do not recommend this practice.
Version 1.6 incorrectly reported that such Desktop files were infected
by an unknown strain of WDEF. This problem has been fixed in version
1.7.
Some of the nVIR clones have offensive names. These names appeared in
plain text in various resources in Disinfectant version 1.6, and caused
concern for some people who discovered them using ResEdit or a file
editor. Version 1.7 encodes the resources so that the names do not
appear in plain text.
Version 1.6 contained an error which could cause crashes, hangs,
unexpected error messages, or other unusual behavior in some
circumstances. The error is corrected in version 1.7.
How to Get a Copy of Version 1.7
================================
Disinfectant 1.7 is available now via anonymous FTP from site
acns.nwu.edu [129.105.49.1]. It will also be available soon on
sumex-aim, rascal, comp.binaries.mac, CompuServe, Genie, Delphi, BIX,
MacNet, America Online, Calvacom, AppleLink, and other popular sources
for free and shareware software.
Macintosh users who do not have access to bulletin boards,
networks, user groups, or online services may obtain a copy of
Disinfectant by sending a self-addressed stamped envelope and an
800K floppy disk to the author at the address below.
John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208
Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink: A0173
------------------------------
Date: Mon, 02 Apr 90 13:25:00 -0400
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Small-pox
WHM:
>To return to the biological analogy, it clearly demonstrates that YOU CANNOT
>STOP THE SPREAD BY TREATING THE SYMPTOMS OF THE INFECTED.
Then H. Treftz:
> I think when a discussion of a virus and how to deal with a virus
>is talked about it is a good idea to take a look at the first disease
>that man has been able to eliminate totally. That is the Small Pox
>virus. How small pox was eliminated is fairly simple. First the
>conditions that led to small pox were eliminated, the individual cases
>were dealt with and treated so they could not spread.
While I am sure that neither the author nor the editor intended it,
this appears to be a rebuttal. The description of the elimination of
small-pox is so incomplete as to suggest that hygiene, treatment, and
quarantine alone, or in combination, might have been effective. This
is certainly not true in the case of small-pox and appears to be untrue
in the case of computer viruses.
While it is true that residual cases and instances of small-pox were
tracked down, one at a time, and while it is true that quarantine was
useful, the major weapon in the elimination of Small Pox was an
effective, specific, low-risk, low-cost vaccine massively and
pervasively applied.
I encourage the use of prophylaxis. It is extremely effective against
infection by computer viruses. If you are interested in protecting
your system, you may rely upon it.
However, while it can protect specific systems, it cannot be applied
consistently and broadly enough to contain the growth and spread.
William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: 02 Apr 90 10:45:59 +0000
From: paul@tenset.UUCP (Paul Andrews)
Subject: =VIR? (Mac)
Whilst trying to sort out a corrupted desktop file recently I noticed a
resource of the type '=VIR' (or maybe it was 'not equals'VIR). Anybody know
what this is? I'm running gatekeeper and use disinfectant and neither seem
bothered by its presence...
- ------------------------------------------------------------------
| Paul Andrews | Post: Tenset Technologies Limited, |
| paul@tenset.uucp | Norfolk House, |
| Phone: +44 223 328886 | 301 Histon Road, |
| Fax: +44 223 460929 | Cambridge CB4 3NF, UK. |
- ------------------------------------------------------------------
------------------------------
Date: Sun, 01 Apr 90 11:58:12 -0700
From: Alan_J_Roberts@cup.portal.com
Subject: SCAN60 Trojan Reports (PC)
This is a forward from John McAfee:
==========================================================================
A number of reports of a trojan in SCANV60 have been floating
around for the past two weeks, but so far I have not talked to anyone
who has a copy of this allegedly hacked version. SCAN60 has indeed
been released and the original ZIP file size is 44482. However, if
your ZIP file size is different from this, it does not mean that the
file has been hacked. Many people pass on the programs in a re-Zipped
file that has been archived using a different version of ZIP, or some
people forget to pass the registration document (or other element that
they deem unessential to the utility of the package) along with the
newly Zipped file. The critical elements are the executable files.
These files have all been validated prior to distribution and the
validation information (and VALIDATE program) are included in the
distribution file. If the validation information is suspect, or you
believe it may also have been tampered with, you may call HomeBase 24
hours a day to access the on-line validation data base. This data
base cannot be tampered with so the information is secure. The same
validation program has been shipped with each version of SCAN since
version 46, so if you have a version that you trust, then you need not
replace it when new versions of SCAN are released. If you are still
unsure, then download the validate program directly from HomeBase -
408 988 3832. The validation information for Version 60 should be:
SCAN.EXE program size - 43,277; Creation Date - 03-18-90; Validation
method 1 - A8F6; Validation Method 2 - 1C09.
Remember that creation dates for the ZIP file will change each
time the ZIP file is downloaded to a system. The EXE dates inside the
ZIP file should not change.
If anyone does have what they believe is a bogus copy of
SCANV60 then please call us at 408 988 3832.
Thank you.
John McAfee
------------------------------
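The check McAfee describes above, verifying the executables inside a distribution rather than the ZIP container, as an added example that is not from the digest and is not McAfee's VALIDATE program: the two 16-bit validation methods quoted above are replaced here with CRC-32 and SHA-256, the SCAN.EXE bytes and the expected values are constructed for the sample, and in real use the reference values must come from an out-of-band source (the digest's phone-in database), never from inside the archive being checked.

```python
"""Added example: verify the executable inside a redistributed archive against
reference values obtained out of band. This is not McAfee's VALIDATE program;
it uses CRC-32 and SHA-256 in place of the two 16-bit methods quoted above."""
import hashlib
import io
import zipfile
import zlib


def reference_values(data: bytes) -> dict:
    """Size plus two independent checksums of a file's raw bytes."""
    return {
        "size": len(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_archive(zip_bytes: bytes, expected: dict) -> dict:
    """Return {member: "ok" | "mismatch" | "missing"} for each expected member.

    Only member contents are compared. The archive's own size, compression
    method and timestamps are ignored, because re-zipping (or dropping the
    registration document) changes them without touching the executable.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_upper = {name.upper(): name for name in zf.namelist()}
        for member, ref in expected.items():
            stored_name = by_upper.get(member.upper())
            if stored_name is None:
                results[member] = "missing"
                continue
            actual = reference_values(zf.read(stored_name))
            results[member] = "ok" if actual == ref else "mismatch"
    return results


def make_zip(files: dict, method=zipfile.ZIP_DEFLATED,
             date=(1990, 3, 18, 0, 0, 0)) -> bytes:
    """Build an archive in memory with a fixed member timestamp (sample helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=date)
            info.compress_type = method
            zf.writestr(info, data)
    return buf.getvalue()


def demo() -> dict:
    """Constructed scenario: the expected values stand in for the vendor's published ones."""
    scan_exe = b"MZ" + bytes(range(256)) * 40            # constructed stand-in, not SCAN.EXE
    register_doc = b"Registration information (constructed).\r\n"
    expected = {"SCAN.EXE": reference_values(scan_exe)}  # obtained out of band in real use

    original = make_zip({"SCAN.EXE": scan_exe, "REGISTER.DOC": register_doc})
    # A re-zipped copy: different compression, the document dropped, a later date.
    rezipped = make_zip({"SCAN.EXE": scan_exe}, zipfile.ZIP_STORED, (1990, 4, 1, 12, 0, 0))
    # A tampered copy: one byte patched in the executable, length and dates unchanged.
    patched = bytearray(scan_exe)
    patched[0x100] ^= 0x01
    tampered = make_zip({"SCAN.EXE": bytes(patched), "REGISTER.DOC": register_doc})

    return {
        "container_sizes_differ": len(original) != len(rezipped),
        "original": verify_archive(original, expected),
        "rezipped": verify_archive(rezipped, expected),
        "tampered": verify_archive(tampered, expected),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The re-zipped archive has a different container size and date but verifies cleanly, while the tampered one keeps the original size and date and still fails, which is why size and date alone are not a validation method.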
Date: 03 Apr 90 06:25:50 +0000
From: rcoahk@koel.co.rmit.OZ.AU (Alvaro Hui Kau)
Subject: Re: New ZUC virus (Mac)
AUBXG@ASUACAD.BITNET (Ben Goren):
> Does anyone know if Gatekeeper/Gatekeeper Aid will block this? It
> sounds like it will, but has anyone checked?
How about SAM or Virex?
------------------------------
Date: Tue, 03 Apr 90 06:15:13 +0000
From: Dave Ihnat <ignatz@chinet.chi.il.us>
Subject: Re: Death of a Virus
a10hat8@cs.niu.edu (Henry Treftz) writes:
> I think when a discusion of a virus and how to deal with a virus
>is talked about it is a good iead (sic) to take a look at the first disease
>that man has been able to eliminate totaly. That is the Small Pox
>virus. How small pox was eliminated is fairly simple. Frist (sic) the
>conditions that led to small pox were eliminated then individual cases
>were delt with and treated so they could not spread.
> So I think a simular method should be used in dealing with a
>computer virus. I would recomend a issue of National Geographic that
>talked about Small Pox. I belive the issue is from 1978 some time
>but. . . .
Nice idea. The problem here is that the root cause of the virus
explosion is the underlying hardware itself; unlike with humankind,
elimination of the conditions that lead to viruses basically means
redesigning the computers that are attacked to eliminate the
simplistic hardware model that allows full access to the single user.
In many instances, this is happening in a rather interesting way; as
such DOS emulators as Simultask and VP/IX mature, we're seeing people
run DOS applications on these virtual machines. But the elimination
of the susceptibility--while, I assure you, necessary and almost a
certainty in the long run--is a significant economic undertaking that
will probably not be deemed necessary (risk vs. cost) for some time by
most vendors or corporations.
------------------------------
Date: Tue, 03 Apr 90 09:53:55 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: New viruses from South Africa (PC)
The following viruses have recently been reported in South Africa.
Pretoria (alias June 16th)
Infects .COM files only, enlarging them by 879 bytes. When an infected file
is run, all .COM files on the current drive will be infected. This makes
the virus rather easily detectable - the time it takes to start a program
may grow enormously, as the virus does a recursive scan on the directory tree.
On June 16th, all entries in the root directory are changed to 'ZAPPED'.
The virus is reported to be encrypted.
Durban (alias Saturday the 14th)
This virus infects both .COM and .EXE files, adding 669-684 bytes to their
length. It is resident, and will activate on Saturday the 14th, overwriting
the first 100 sectors on drive C: (followed by B: and A:).
I do not have any more information available, as I have not yet received a
copy of the viruses.
- --
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 |
------------------------------
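Three of the reports above share one practical point: Kilgore's outbreak was caught because an operator tracked file sizes on backup listings, Norstad warns that ZUC leaves modification dates untouched so they cannot be used to trace an infection, and Skulason gives per-file growth figures for Pretoria and Durban. The following is an added example, not code from the digest or from any of its contributors, of a listing comparison that uses content hashes as the criterion, reports the modification time only as evidence, and matches growth against the figures quoted here (1813 for Jerusalem, 879 for Pretoria on .COM only, 669 to 684 for Durban). The file contents, the name BIGCAD.EXE and the timestamps are constructed; SHA-256 is a modern choice, not anything the 1990 tools used.

```python
"""Added example: compare a saved file listing with the current state to catch
appending file infectors, the way the backup listings in Kilgore's report did,
and match each file's growth against the sizes quoted in this digest."""
import hashlib
from dataclasses import dataclass

# Growth per infected file as reported in this digest; ranges are inclusive.
# Jerusalem: 1813 bytes (Kilgore); Pretoria: 879 bytes, .COM only, and
# Durban: 669 to 684 bytes, .COM and .EXE (Skulason). Nothing else is implied.
KNOWN_APPENDERS = [
    ("Jerusalem (1813)", 1813, 1813, {".com", ".exe"}),
    ("Pretoria (June 16th)", 879, 879, {".com"}),
    ("Durban (Saturday the 14th)", 669, 684, {".com", ".exe"}),
]


@dataclass(frozen=True)
class Entry:
    name: str
    size: int
    mtime: int       # seconds; recorded only to show it cannot be relied on
    sha256: str


def record(name: str, data: bytes, mtime: int) -> Entry:
    return Entry(name, len(data), mtime, hashlib.sha256(data).hexdigest())


def extension(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def match_growth(name: str, delta: int) -> list:
    """Names of known appenders whose growth and target type fit this file."""
    return [label for label, low, high, exts in KNOWN_APPENDERS
            if low <= delta <= high and extension(name) in exts]


def compare(baseline: dict, current: dict) -> list:
    """Diff two {name: Entry} listings. Content hashes decide what changed;
    the modification time is reported but never used as the criterion."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append({"file": name, "status": "missing"})
        elif new.sha256 != old.sha256:
            delta = new.size - old.size
            findings.append({
                "file": name,
                "status": "changed",
                "size_delta": delta,
                "mtime_changed": new.mtime != old.mtime,
                "suspects": match_growth(name, delta) if delta > 0 else [],
            })
    for name in current.keys() - baseline.keys():
        findings.append({"file": name, "status": "new"})
    return sorted(findings, key=lambda f: f["file"])


def build_sample():
    """Constructed listings, not real programs: a clean baseline and an 'after'
    state in which two files grew by 1813 bytes, one with its mtime preserved."""
    clean = {
        "CHKDSK.COM": b"\xe9\x10\x00" + b"A" * 1000,
        "DISKCOPY.COM": b"\xe9\x20\x00" + b"B" * 2000,
        "BIGCAD.EXE": b"MZ" + b"C" * 5000,
        "NOTES.TXT": b"plain text, not a program",
    }
    t0 = 637_000_000
    baseline = {n: record(n, d, t0) for n, d in clean.items()}

    after = dict(clean)
    after["CHKDSK.COM"] = clean["CHKDSK.COM"] + b"\x90" * 1813   # grown, mtime untouched
    after["BIGCAD.EXE"] = clean["BIGCAD.EXE"] + b"\x90" * 1813   # grown, mtime bumped
    after["NEW.COM"] = b"\xe9\x00\x00" + b"D" * 100               # not in the baseline
    current = {n: record(n, d, t0 + (86400 if n == "BIGCAD.EXE" else 0))
               for n, d in after.items()}
    return baseline, current


def demo() -> list:
    baseline, current = build_sample()
    return compare(baseline, current)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

CHKDSK.COM is flagged with an unchanged mtime, which is the ZUC situation Norstad describes: a listing keyed on dates would have missed it, while the hash and the 1813-byte growth point straight at it. The size match is only a lead for the analyst, since a file can legitimately grow by the same amount; the scanner, not the table, makes the identification.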
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253