From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #3
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Tuesday, 7 Jan 1992 Volume 5 : Issue 3
Today's Topics:
Re: Novell distributes Stoned-3 (PC)
F-PROT 2.x and Cascade (PC)
Question re Stoned (PC)
Latest version of F-Prot? (PC)
List of Viruses (PC)
DOS 5.0 FDISK & older O/Ses (PC)
New strain of Murphy? Amilia (PC)
Help with virus (PC)
Re: Macs Running Soft PC (Mac) (PC)
General questions about viruses
theoretical literature on viruses?
Re: Virus capable of infecting Mainframes and PCs
Re: Hardware damage
Re: General questions about viruses
WSCAN85.ZIP - Windows 3.0 version of VIRUSCAN V85 (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 06 Jan 92 11:55:00 +1300
From: "Nick FitzGerald" <CCTR132@csc.canterbury.ac.nz>
Subject: Re: Novell distributes Stoned-3 (PC)
Further to postings from Karyn Pichnarczyk (karyn@cheetah.llnl.gov) and
James Ford <JFORD@UA1VM.BITNET> in VL 5 #1 on Novell's distribution of
the Stoned-3 virus, the following article was posted (way off-charter)
in Usenet newsgroup comp.binaries.ibm.pc.archives.
Note the interesting number of misconceptions and/or poorly described
pieces of "information". The article only describes how file infecting
viruses work, implying that they are the only kind (and getting it
mostly wrong!), yet the incident it reports involved a boot sector
virus. Finding the other gaffes is left as an exercise to the reader.
:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337
::::::::::::::::::::: Begin included message :::::::::::::::::::::
From: markoff@nyt.com (John Markoff)
Date: 31 Dec 91 20:03:40 GMT
By JOHN MARKOFF (from the New York Times, 20 Dec 1991)
The nation's largest supplier of office-network software for
personal computers has sent a letter to approximately 3,800 customers
warning that it inadvertently allowed a software virus to invade
copies of a disk shipped earlier this month.
The letter, sent on Wednesday to customers of Novell Inc., a Provo,
Utah, software publisher, said the diskette, which was mailed on Dec.
11, had been accidentally infected with a virus known by computer
experts as "Stoned III."
A company official said yesterday that Novell had received a number
of reports from customers that the virus had invaded their systems,
although there had been no reports of damage.
But a California-based computer virus expert said that the potential
for damage was significant and that the virus on the Novell diskette
frequently disabled computers that it infected.
'Massive Potential Liabilities'
"If this was to get into an organization and spread to 1,500 to
2,000 machines, you are looking at millions of dollars of cleanup
costs," said John McAfee, president of McAfee & Associates, a Santa
Clara, Calif. antivirus consulting firm. "It doesn't matter that only
a few are infected," he said. "You can't tell. You have to take the
network down and there are massive potential liabilities."
Mr. McAfee said he had received several dozen calls from Novell
users, some of whom were outraged.
The Novell incident is the second such case this month. On Dec. 6,
Konami Inc., a software game manufacturer based in Buffalo Grove, Ill.
wrote customers that disks of its Spacewrecked game had also become
infected with an earlier version of the Stoned virus. The company said
in the letter that it had identified the virus before a large volume
of disks had been shipped to dealers.
Source of Virus Unknown
Novell officials said that after the company began getting calls
earlier this week, they traced the source of the infection to a
particular part of their manufacturing process. But the officials said
they had not been able to determine how the virus had infected their
software initially.
Novell's customers include some of nation's largest corporations.
The software, called Netware, controls office networks ranging from
just two or three machines to a thousand systems.
"Viruses are a challenge for the marketplace," said John Edwards,
director of marketing for Netware systems at Novell. "But we'll keep
up our vigilance. He said the virus had attacked a disk that contained
a help encyclopedia that the company had distributed to its customers.
Servers Said to Be Unaffected
Computer viruses are small programs that are passed from computer to
computer by secretly attaching themselves to data files that are then
copied either by diskette or via a computer network. The programs can
be written to perform malicious tasks after infecting a new computer,
or do no more than copy themselves from machine to machine.
In its letter to customers the company said that the Stoned III
virus would not spread over computer networks to infect the file
servers that are the foundation of networks. File servers are special
computers with large disks that store and distribute data to a network
of desktop computers.
The Stoned III virus works by attaching itself to a special area on
a floppy diskette and then copying itself into the computer's memory
to infect other diskettes.
But Mr. McAfee said the program also copied itself to the hard disk
of a computer where it could occasionally disable a system. In this
case it is possible to lose data if the virus writes information over
the area where a special directory is stored.
Mr. McAfee said that the Stoned III virus had first been reported in
Europe just three months ago. The new virus is representative of a
class of programs known as "stealth" viruses, because they mask their
location and are difficult to identify. Mr. McAfee speculated that
this was why the program had escaped detection by the company.
Steps Toward Detection
Novell has been moving toward adding new technology to its software
to make it more difficult for viruses to invade it, Mr. Edwards said.
Recently, the company licensed special digital-signature software that
makes it difficult for viruses to spread undetected. Novell plans to
add this new technology to the next major release of its software, due
out at the end of 1992.
In the past, courts have generally not held companies liable for
damages in cases where a third party is responsible, said Susan Nycum, a
Palo Alto, Calif., lawyer who is an expert on computer issues. "If they
have been prudent it wouldn't be fair to hold them liable," she said.
"But ultimately it may be a question for a jury."
------------------------------
Date: Mon, 16 Dec 91 11:29:03 +0000
From: "Vaughan.Bell" <vaughan@computing-department.poly-south-west.ac.uk>
Subject: F-PROT 2.x and Cascade (PC)
I have been testing F-PROT 2.01 with various virus samples and I have
found that it didn't detect Cascade in memory (identified as Cascade
1701-A) although it does detect the infection in a .COM file. Pre 2.x
versions did detect the virus in memory and as a .COM infection.
Various other anti-virus programs do detect it in memory including
McAfee SCAN, Dr Solomon's AVTK, VISCAN and IBM's Virscan.
Also is it possible to get the virus info supplied with F-PROT 2.01 as
an ASCII text file (like FILVIR-1.TXT etc) ???
Thanks in advance . . .
***************************************************************************
* Vaughan Bell - Polytechnic South West - U.K. - vaughan@cd.psw.ac.uk *
***************************************************************************
* You can take a horse to water, but if you can make it float on its *
* back you've got something ! *
***************************************************************************
------------------------------
Date: Thu, 02 Jan 92 20:45:00 -0500
From: HAYES@urvax.urich.edu
Subject: Question re Stoned (PC)
Hello.
As a co-sysop of the virus discussion board I received the following
message. I thought it was interesting enough, and asked more details
which will show in the second forwarded message (in fact, long
excerpts of both messages).
I myself came with no good reason why the system (details in msg #2)
does not get infected. Any guru out there with some explanation(s)?
Best, Claude.
- ----- begin forwarded messages --
Message #1
More of a curiosity than an emergency here: Our academic PC lab had a
protracted battle with the Stoned virus last Summer and Fall, which we
dealt with fairly aggressively and with good success. [...]
At any rate, "Stoned" seems to be history in our lab, if only because
it does not seem to infect 3.5" diskettes (which we've recently
switched to).
My question is this. For the benefit of many users who only have
5.25" drives at home and want to use one of our 3.5" PC's, we set up a
3-floppy PC with menu-driven software for file copying and diskette
formatting. A: & B: drives are 360K and 1.2M (respectively); C: is
1.44M. D: is the hard drive. If ever a PC would be susceptible to
"Stoned" it would be this one, considering the amount and nature of
its use--or so it would seem! Periodic checks for the virus on the
hard drive have always been negative over four months of heavy use.
(Like I say--I know "Stoned" is still around here.) Is there
something about the four-disk controller setup (or the drive name
"D:") that creates an immunity to "Stoned"? Or have we been
incredibly lucky?
- -----
Message #2
[...]
The format-copy box I referred to was an old IBM-PC (8088) outfitted
with 2 5.25 floppy drives (one for ea. density) and 1 3.5" high
density drive (A,B & C). The hard drive is a 40 meg. (brand or type
unknown--I'm not that familiar with the types), and as I said, it was
designated D: as per the requirements of the JDR (or is it JRD?)
Microdevices 4-floppy controller card I used. I wrote a snazzy
menu-driven batch program (with BATMAN and ANSWER enhancements)
walking users through any of the 4 floppy formats and permitting
copying of files ("All" or selected) between any two of the floppy
drives. The "selected" copying option would list the directory of the
source floppy before copying (prime infection activity!) No virus
protection installed. (I'd check it periodically by running Clean-Up
on the D: drive.
As I mentioned, Clean-Up never found Stoned when I ran it on this
drive, and I haven't been getting the kind of complaints I would get
if users were getting re-infected at home. (So I think Clean-Up is
checking properly.) I might add that this hard drive in this computer
had picked up Stoned more than once when it was an office machine with
just a 5.25" A: drive (and the hard drive was C:). So there's nothing
inherently immune about the drive. Oh, DOS is 3.30, and the hard
drive is not segmented.
Because this box is the only one we have that does this job in a busy
lab and a lot of our users on 5.25-only PC's, it gets a lot of use.
So I would have considered frequent infection a near certainty, it
only takes one careless user or one old neglected floppy. (Don't ask
me why I didn't install protection on this one. I guess I was
concerned about the slowness of the 8088 processor.)
At any rate, I hope this is enough information. (Watch! As soon as I
report this, the PC will turn up "stoned"!) Any clues?
- ---- end forwarded messages --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: Thu, 02 Jan 92 19:38:10
From: hoisve@Public.Access.CC.UTAH.EDU (David Hoisve)
Subject: Latest version of F-Prot? (PC)
Where can I find the latest version of F-Prot?
The version on beach.gal.utexas.edu now displays something like "This
version is rather old. You should get a new one.".
I also noticed that this version does not include license information.
Is the F-Prot "site license" still available? (The terms were
something like $0.75 per machine for non-profit orgs. Very
reasonable!)
Thanks!
- -- Dave.
Dave Hoisve, HOISVE@XANADU.CC.UTAH.EDU
------------------------------
Date: Fri, 03 Jan 92 14:09:42 -0600
From: THE GAR <GLWARNER@SAMFORD.BITNET>
Subject: List of Viruses (PC)
Someone faxed me a list of viruses, that I believe he got from Center
Point, with codes for him to enter to update his virus information for
the package. He sent it to me to show how many viruses Center Point
protected him from that McAfee fails to protect me from.
My question (McAfee rep?) is whether these are actually detected by
McAfee but called something else.
Also, can anyone identify any of the following that are especially
prevalent? Or are these mostly "laboratory" viruses?
In case anyone out there cares, the only viruses I have SEEN in
Birmingham AL are Stoned, Ping-Pong, Ping-Pong B, Dark Avenger,
and Jerusalem, with Stoned and Ping being the only ones that really
seem to have staying power.
1590
740
805
Amoeba 2
Anarkia
Anthrax PT
April 15
Beast C
Beast D
Cascade YAP
Dark Lord
Decide
Den-Zuk 2
Diamond
Doctor
Drug
Faggot
France
Golden Gate 1
Golden Gate 2
HIV
Horse II
Justice
Kylie
Lunch
Omicron PT
PC Bandit
Phoenix
Stoned III
Suomi
Tequila
Twelve Tricks
Vienna 656
Virdem 792
Vriest
Zapper
/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
! Later + Systems Programmer !
! Gary Warner + Samford University Computer Services !
! + II TIMOTHY 2:15 !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/
------------------------------
Date: Fri, 03 Jan 92 15:12:42 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: DOS 5.0 FDISK & older O/Ses (PC)
Y. Radai <RADAI@HUJIVMS.BITNET> writes:
>.., and those who
>do seem to be unaware that it can also be used on machines running
>DOS *prior to Ver. 5*. All that is necessary is to find a (clean) DOS
>5 system diskette, to copy FDISK.EXE from DOS 5 onto that diskette, to
>cold boot the infected machine from the diskette, and then to perform
>FDISK /MBR . Works beautifully.
One caveat: Certain older Zenith DOS versions (think 3.0 3.1 & 3.2) &
possibly some others have boot records that seem to expect some
registers to be passed intact from the MBR to the BR code. After using
a "generic" MBR replacement I have occasionally encountered an
"Unformatted Partition" message & lockup from the BR on these machines
when booting from the fixed disk. In this case booting from a floppy
executes ok & the C: drive is then accessible.
Should this occur you will need to either SYS the fixed disk, patch in
a new "generic" Boot Record (not that difficult - five minutes with a
bootable floppy & debug), FDISK the fixed disk with the original O/S
(lose all data, do not pass Go), replace the MBR with the original (if
you have a back-up), or upgrade to a different O/S version.
Or you could use FixMBR.
Warmly,
Padgett
<padgett%tccslr.dnet@mmc.com>
Isn't diversity wonderful ?
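The discussion above turns on the distinction between the Master Boot Record (the code area that FDISK /MBR rewrites), the partition table that sits in the same sector, and the per-partition Boot Record that the MBR code jumps to. The following Python is an added example, not code from the digest or from any of its contributors: it parses a 512-byte MBR using the standard layout (446 bytes of code, four 16-byte partition entries at offset 0x1BE, the 55 AA signature at the end), compares the code area against a saved backup, and rewrites only the code area while preserving the partition table, which is my understanding of what FDISK /MBR does. The sector contents are constructed placeholders, not real boot code, and the function and constant names are my own.

```python
import struct

SECTOR_SIZE = 512
CODE_AREA_LEN = 446        # bytes 0..445: boot loader code (the part a generic MBR replacement rewrites)
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"    # bytes 510..511 of a valid MBR


def pad_code(code: bytes) -> bytes:
    """Pad (or truncate) code bytes to exactly the 446-byte code area."""
    return code[:CODE_AREA_LEN].ljust(CODE_AREA_LEN, b"\x00")


def build_partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count.
    CHS fields are left zero here (constructed LBA-only sample)."""
    status = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a sector from code area, up to four entries and the signature."""
    table = b"".join(entries).ljust(4 * 16, b"\x00")
    sector = pad_code(code) + table + SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def has_valid_signature(sector: bytes) -> bool:
    """A sector without 55 AA at the end is not a usable MBR at all."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == SIGNATURE


def parse_partitions(sector: bytes) -> list:
    """Decode the four partition entries into dicts (empty entries decode to type 0)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def code_area_changed(sector: bytes, backup: bytes) -> bool:
    """True when the boot code differs from a known-good copy; the partition table is ignored,
    since it legitimately changes when partitions are edited."""
    return sector[:CODE_AREA_LEN] != backup[:CODE_AREA_LEN]


def replace_code_area(sector: bytes, clean_code: bytes) -> bytes:
    """Rewrite only the code area, keeping partition table and signature untouched."""
    return pad_code(clean_code) + sector[CODE_AREA_LEN:]


# Constructed sample data: placeholder byte strings standing in for boot code.
CLEAN_CODE = b"PLACEHOLDER-CLEAN-BOOT-CODE"
ALTERED_CODE = b"PLACEHOLDER-ALTERED-BOOT-CODE"
PARTITIONS = [build_partition_entry(True, 0x06, 63, 81_900)]   # one bootable FAT16 partition
BACKUP_MBR = build_mbr(CLEAN_CODE, PARTITIONS)                 # the "back-up" the post mentions
CURRENT_MBR = build_mbr(ALTERED_CODE, PARTITIONS)              # same table, different code

if __name__ == "__main__":
    print("signature ok:", has_valid_signature(CURRENT_MBR))
    print("partitions:", parse_partitions(CURRENT_MBR))
    print("code area differs from backup:", code_area_changed(CURRENT_MBR, BACKUP_MBR))
    repaired = replace_code_area(CURRENT_MBR, CLEAN_CODE)
    print("repaired sector equals backup:", repaired == BACKUP_MBR)
```

Because the rewrite leaves the partition table alone, the drive stays readable after a floppy boot even if, as the post warns, the new code does not hand the registers that some older Boot Records expect; the code-area comparison is the check to run before and after any such repair.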
------------------------------
Date: Fri, 03 Jan 92 20:28:41 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: New strain of Murphy? Amilia (PC)
I have received a new virus, originally reported to Delta Base
Enterprises here. I have not been able to examine it in detail, but
telephone reports indicate it is unidentified by any scanners except
FPROT 2.01, which identifies it as Murphy HIV.
Delta Base has already done fairly extensive testing of the virus. It
appears to be a "fast file infector", infecting every file that is
opened. (A sweep of the system with a commercial antivirus product was
apparently responsible for the infection of all 361 program files.) It
appears to infect both .COM and .EXE files. To this point, no bounds
have been found on the size of programs infected.
The text string "AmiLia I Viri - [NukE] i99i" appears at the beginning
of the infection. The text section also refers to "Released Dec91
Montreal". This indicates that the virus has spread extensively since
its release. In Vancouver, it appears to have been obtained, in one
instance, from a BBS known as Abyss. Notification to the sysop revealed
that he had had trouble with the infected file and subsequently deleted
it. However, there are other indications that the infection may have
come from several sources in Vancouver.
=============
Vancouver p1@arkham.wimsey.bc.ca | "Remember, by the
Institute for Robert_Slade@mtsg.sfu.ca | rules of the game, I
Research into CyberStore | *must* lie. *Now* do
User (Datapac 3020 8530 1030)| you believe me?"
Security Canada V7K 2G6 | Margaret Atwood
------------------------------
Date: 05 Jan 92 08:03:13 -0700
From: "Taisir.Jawberah" <CCA3607@SAKAAU03.BITNET>
Subject: Help with virus (PC)
I found a new virus called "Amobiaii". I formatted my hard disk but it
is still there. I tried with scan&clean84 but it didn't clean it. How
can I remove this virus? Please, more information about this virus.
Any help appreciated
Taisir Jawberah
king abdul aziz unversity
jeddah
------------------------------
Date: Tue, 07 Jan 92 00:57:00 +0000
From: lev@amarna.gsfc.nasa.gov (Brian S. Lev)
Subject: Re: Macs Running Soft PC (Mac) (PC)
fprice@itsmail1.hamilton.edu (Frank Price) writes...
>SoftPC does such a good job of emulating an MS-DOS machine that many
>(most? virtually all?) viruses WILL infect it. SoftPC uses a (big)
>data file for the contents of the simulated PC's hard drive. I believe
>Mac antiviral programs consider this to be a data file and do not
>check it. Even if they did, they would not know how to recognize
>MS-DOS viral code.
Ummm... I'm not 100% positive, but I seem to remember the more recent
versions of the Mac's "Big 4" (Disinfectant, Virex, SAM, SUM) all _do_
look at data files if you tell 'em to scan your disk...
- -- Brian Lev
+----------------------------------------------------------------------------+
| Brian Lev/Hughes STX Task Leader 301-286-9514 |
| NASA Goddard Space Flight Center DECnet: SDCDCL::LEV |
| Advanced Data Flow Technology Office TCP/IP: lev@dftnic.gsfc.nasa.gov |
| Code 930.4 BITNET: LEV@DFTBIT |
| Greenbelt, MD 20771 TELENET: [BLEV/GSFCMAIL] |
| X.400 Address: (C:USA,ADMD:TELEMAIL,PRMD:GSFC,O:GSFCMAIL,UN:BLEV) |
+----------------------------------------------------------------------------+
------------------------------
Date: Fri, 03 Jan 92 20:06:15 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: General questions about viruses
nkjle@locus.com (John Elghani) writes:
> Can someone help me with the following questions:
Perhaps, but you seem to be confusing the types of operations that go
on in a microcomputer, and those which are more common in "linked
mainframes".
> 1- A virus obviously is a program that is CPU bound, io bound, ..etc.
> i.e. it occupies system's resources. Some could probably delete
> all files on a system? right?
Once a virus has been invoked on a system, it can do anything that is
possible through software. It is possible to delete all the files on
a system through software, therefore it is possible for a virus to do
it.
> 2- How does it transfer across networks. How does it know a phone number
> (modem #) of a remote node.
In a PC situation, a virus is transferred by some (usually unknowing)
person. This can be through a file transfer, email, or simple disk
swapping. Mainframe networks, such as Usenet or the Internet, have
procedures whereby programs can be automatically transferred from one
machine to another, and started on the remote machines. Network viri
(sometimes referred to more specifically as worms) use these
functions. Some, such as the CHRISTMA EXEC, rely on advanced email
functions and high level language interpreters. These use the
"directory files" to "find" other machines.
> 3- How does it get tracked down. By program name? if so, then what if
> this virus changes its name? are we in trouble?
Viri get tracked down in a number of ways. Program names have little
to do with it, since viri "attach" to existing programs.
> 4- When it makes it to disk, how does it tell the Kernel that it wants
> to run the system. Is it something like a daemon that sleeps and
> wakes up?
How it wakes up depends upon what type of system it is in and how it
got there.
These answers were done quickly, and are simplistic to the point of
inaccuracy. They are only meant as a starting point. (Ken, are the
CVP files available yet?)
=============
Vancouver p1@arkham.wimsey.bc.ca | "Remember, by the
Institute for Robert_Slade@mtsg.sfu.ca | rules of the game, I
Research into CyberStore | *must* lie. *Now* do
User (Datapac 3020 8530 1030)| you believe me?"
Security Canada V7K 2G6 | Margaret Atwood
------------------------------
Date: Mon, 06 Jan 92 15:50:17 +0000
From: ctika01@mailserv.zdv.uni-tuebingen.de (George Kampis)
Subject: theoretical literature on viruses?
Is there any work out there on a *theoretical* treatment of
computer viruses?
Such as, for instance, description of virus computation, what kind of
viruses are possible etc, how to test them, is there a virus that
escapes every test, or, is there a test that catches every virus, and
so on...
I suspect the latter will lead to halting-problem-like questions -
would be interested to see if anybody did work on that (pls don't mix
it with self-reproducing automata a la von Neumann etc)
Thanks, George Kampis Tubingen FRG
------------------------------
Date: 06 Jan 92 17:14:47 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus capable of infecting Mainframes and PCs
AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) writes:
> > Question for all: Is there a virus that can infect BOTH PCs and
> >Mainframes? The place where I am working is networking and I am trying
> >to find out what possible threats can arise from this.
> Not yet. And I don't think there could be. Not with the major differences
Sorry to disagree. Such viruses are relatively easy to write and
they'll appear sooner or later.
> between program execution, and for that matter, operation codes on these
> different platforms. For example, X'D20750006000' in MVS translates to
> MVC 0(8,R5),0(,R6) which moves 8 bytes from a location pointed to by
> register 6 into a location pointed to by R5. This hex string, even if
> it could be downloaded to a PC in its original form without getting translated
> by whatever protocol you happen to be using, is *probably* (I'm not a PC
The example you gave might be meaningless indeed, but it is possible
to write a program which runs on two different processors. Anybody who
has installed a CP/M card in an Apple ][ computer probably knows this.
(If not, just think - there are -two- processors present, 6502 and
8080, but only the first is active on boot-up. So, the boot sector of
a CP/M diskette for such computers -must- contain code which executes
on 6502. Obviously, it has at some time to activate the 8080 and transfer
control to it. When the 8080 gets activated, the code which begins to
get interpreted -must- be valid for it. So...) Even the well-known
Internet worm contained code for two different kinds of computers -
SUNs and VAXes... So, it -IS- possible. And, since it is possible, it
- -WILL- be done - sooner or later.
> assembler guru) meaningless once it gets there. The effort expended in
> trying to get something on a mainframe downloaded to a PC and executed there
> would be wasted.
Right, but the opposite is not true, and that's what we'll probably
see in the near future. It is possible to design a virus, which
spreads on PCs, and, as soon as it detects that the PC is used as a
terminal to connect to mainframe, releases a virus (or worm) to the
mainframe. It can be done. It will be.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 20 Dec 91 10:04:40 -0400
From: wood@covax.commerce.uq.oz.au (Malcolm Wood)
Subject: Re: Hardware damage
> There is also a story, likely apocryphal, that one computer
> company set up a "portable" computer, including banks of disk
> drives, in a semi-trailer for demos. The first time the truck
> took a turn with all the drives running, it flipped over due to
> the enormous stored angular momentum of the spinning platters.)
Can I stop this myth before it gets around? The banks of disk drives
you refer to would be of the old 'washing-machine' cabinet style, with
vertical axes. There would be no strange torque effects while
cornering because the truck's turn would also be about a vertical
axis.
Also, even with the old-style drives, the spinning mass is not
'enormous', they were always thin aluminium platters whose mass is
negligible compared to, eg, the flywheel of the truck.
The most likely problem would be vibration-induced head crashes.
"The world's biggest portable computer" is an interesting thought,
though ... power supply? Cooling system? Operator's console? A trailer
full of TTY's for the users?
- -------------------------------------------------------------------------
Malcolm Wood, Faculty of Commerce and Economics, University of Queensland
WOOD@COMMERCE.UQ.OZ.AU
- -------------------------------------------------------------------------
------------------------------
Date: 06 Jan 92 22:42:13 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Re: General questions about viruses
nkjle@locus.com (John Elghani) writes:
1- A virus obviously is a program that is CPU bound, io bound, ..etc.
i.e. it occupies system's resources. Some could probably delete
all files on a system? right?
right. anything that any other program can do can possibly be done by
a virus.
2- How does it transfer across networks. How does it know a phone number
(modem #) of a remote node.
a virus, as opposed to other computer nasties like worms, attaches
itself to other programs. People transferring programs either by
diskette or modem or networks are the transmission vector for viruses.
3- How does it get tracked down. By program name? if so, then what if
this virus changes its name? are we in trouble?
Virus scanners typically work by looking for particular "signature"
strings in programs and memory of known viruses. Some viruses could
try to "mutate" themselves to thwart this and new viruses are not
detected by these kinds of detection programs. Then there are
"stealth" viruses that attempt to hide their existence by trapping
system calls.
To answer specifically: new viruses get "tracked down" when their
symptoms are detected by carefully disassembling the code on infected
files and disks. Once identified, their signature strings can be
added to the virus scanners. Since most viruses exist in the system
boot sectors or in executable programs tracking by a particular
program name is not useful.
4- When it makes it to disk, how does it tell the Kernel that it wants
to run the system. Is it something like a daemon that sleeps and
wakes up?
viruses get their execution thread when their "host" program is
executed. they can then install themselves in memory or just do their
work before passing control on to the "host" program.
if the virus installs itself in memory it may get executed based on a
timer but more frequently by trapping operating system calls (BIOS and
DOS calls on a PC).
hope this helps...
jv
"Always Mount a Scratch Monkey"
_____
| | Johnathan Vail vail@tegra.com (508) 663-7435
|Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet)
----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)
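The answer above describes the signature approach: a scanner searches programs and memory for byte strings known to belong to particular viruses, and once a new virus has been disassembled its string is added to the database. The following Python is an added example, not code from the digest or from any scanner named on it. It runs a signature search over a constructed set of files and a constructed memory image; the database contains the "AmiLia I Viri - [NukE] i99i" text string quoted in Rob Slade's report earlier in this digest plus a placeholder pattern, and the file contents, file names and function names are my own construction.

```python
# Signature database: name -> byte pattern. The AmiLia entry is the text string
# quoted in Rob Slade's report in this digest; the other is a constructed placeholder.
SIGNATURES = {
    "AmiLia (text marker)": b"AmiLia I Viri - [NukE] i99i",
    "PLACEHOLDER-SAMPLE-A": b"\xde\xad\xbe\xef\x13\x37",
}


def find_signatures(data: bytes, signatures: dict) -> list:
    """Return every (offset, name) at which a known pattern occurs in data, sorted by offset.
    Works the same whether data is a file image or a dump of memory."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            hits.append((pos, name))
            start = pos + 1          # keep searching past this hit for repeats
    return sorted(hits)


def scan_files(files: dict, signatures: dict) -> dict:
    """Scan a mapping of file name -> contents; return only the files that matched,
    with the names of the signatures found in each."""
    report = {}
    for fname, data in files.items():
        names = sorted({name for _offset, name in find_signatures(data, signatures)})
        if names:
            report[fname] = names
    return report


# Constructed sample "disk": a marker string embedded in an EXE-shaped blob,
# a COM file that is only a DOS exit stub (mov ax,4C00h / int 21h), and a text file.
SAMPLE_FILES = {
    "GAME.EXE": b"MZ" + b"\x00" * 30 + b"AmiLia I Viri - [NukE] i99i" + b"\x00" * 40,
    "EDIT.COM": b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 60,
    "README.TXT": b"Plain text, nothing to see here.\r\n",
}

# Constructed sample memory image with the placeholder pattern resident at offset 100.
MEMORY_IMAGE = b"\x00" * 100 + b"\xde\xad\xbe\xef\x13\x37" + b"\x00" * 50

if __name__ == "__main__":
    for fname, names in scan_files(SAMPLE_FILES, SIGNATURES).items():
        print(f"{fname}: {', '.join(names)}")
    for offset, name in find_signatures(MEMORY_IMAGE, SIGNATURES):
        print(f"memory offset {offset}: {name}")
```

As the answer notes, this only finds what is already in the database: a virus whose string is not listed produces no hit, which is why disassembling new samples and publishing their signatures remains the first step.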
------------------------------
Date: Fri, 03 Jan 92 16:20:59 -0800
From: mcafee@netcom.com (McAfee Associates)
Subject: WSCAN85.ZIP - Windows 3.0 version of VIRUSCAN V85 (PC)
I have uploaded to SIMTEL20:
pd1:<m