- VIRUS-L Digest Friday, 18 Aug 1989 Volume 2 : Issue 177
-
- VIRUS-L is a moderated, digested mail forum for discussing computer
- virus issues; comp.virus is a non-digested Usenet counterpart.
- Discussions are not limited to any one hardware/software platform -
- diversity is welcomed. Contributions should be relevant, concise,
- polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
- LEHIIBM1.BITNET for BITNET folks). Information on accessing
- anti-virus, document, and back-issue archives is distributed
- periodically on the list. Administrative mail (comments, suggestions,
- and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- - Ken van Wyk
-
- Today's Topics:
-
- Re: Response to query from A.Berman, Yale,8-14-89 (PC)
- 1701/4 Disinfector
- Need info on Datacrime virus (PC)
- Correction to the Swap Virus report (PC)
-
- ---------------------------------------------------------------------------
-
- Date: 16 Aug 89 21:43:49 +0000
- From: berman-andrew@CS.YALE.EDU (Andrew P. Berman)
- Subject: Re: Response to query from A.Berman, Yale,8-14-89 (PC)
-
- I want to thank everyone who mailed/posted responses to my
- posting about the virus which infected my friend's disks. She thinks
- she's cleaned it out by copying only the source codes to new disks,
- zapping the hard drives, and recompiling everything on the clean hard
- disks.
- BTW, there is an article in this month's Popular Science on
- computer viruses.
- Once again, Thanks
- Andrew Berman
-
- ------------------------------
-
- Date: Wed, 16 Aug 89 08:36:09 -0700
- From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
- Subject: 1701/4 Disinfector
-
-
- Forward from John McAfee
- =============================================================================
-
- Hi folks. I've had a large number of panicky calls, and Ken van
- Wyk has had at least one 'emergency' message about a possible 1701
- virus in the M-1704.EXE disinfector program. What's happening is
- VIRUSCAN is identifying the 1701 virus code within the disinfector
- product. The 1701/4 disinfector is the only one of our disinfectors
- that causes this problem, and because of the very small de-garbling
- code within the 1701/4 virus, there is no practical way around it.
- Our choices are: 1. Remove the 1701/4 disinfector from circulation and
- let people disinfect manually; 2. Change VIRUSCAN to ignore the
- program (it's the only non-virus program we know of that looks like a
- virus to VIRUSCAN); or 3. Continue as is. I definitely do not want to
- change VIRUSCAN to start an 'exclusion' list. This defeats the
- purpose of the scan program and reduces its reliability. I also
- believe that the value of the disinfector outweighs the confusion
- factor. I have stated up front in the documentation for M-1704 that
- the user should contact us BEFORE trying to use the program so that we
- can verify over the phone whether there is a possibility that the
- program really is infected (a slim probability if downloaded from
- SIMTEL or other reputable source).
- A second point I'd like to bring up is that people do not need to
- stockpile disinfector programs. Many of these programs are dangerous
- if used on uninfected systems and even in infected systems, certain
- disinfectors can have unpleasant side effects if used improperly. A
- disinfector should be used AFTER an infection has been verified. It
- appears that many people are collecting disinfectors and trying them
- out so that they are prepared for an infection if one occurs. I don't
- think this is a good idea. My final recommendation is: Read the
- documentation and follow the instructions. If you're using the M-1704
- program, then call before you do anything with it.
-
- John McAfee
-
- ------------------------------
-
- Date: Thu, 17 Aug 89 10:20:54 -0600
- From: <watmath!ctycal!ingoldsb@uunet.UU.NET>
- Subject: Need info on Datacrime virus (PC)
-
- Sorry if you get this message twice, I'm not sure if the first attempt
- will get to you (it's been one of those days :^)
-
- I'm sure this has been discussed, but I just got back from
- vacation and missed the info (we're low on disk and things get
- purged quickly).
-
- Can anyone tell me how to detect if a machine has been infected
- with the Datacrime virus, what it does (I've heard that it is
- supposed to erase files on a particular date), and how to get
- rid of it.
-
- I'd appreciate a response to this. It will give me a good
- opportunity to demonstrate to our security gurus that Usenet
- can be beneficial to security (instead of the open door that is
- usually portrayed by the media).
-
- Terry Ingoldsby ctycal!ingoldsb@calgary.UUCP
- Land Information Systems or
- The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb
-
-
- ------------------------------
-
- Date: Fri, 18 Aug 89 17:14:11 +0300
- From: "Yuval Tal (972)-8-474592" <NYYUVAL@WEIZMANN>
- Subject: Correction to the Swap Virus report (PC)
-
- Hello all!
-
- I don't know how many of you had noticed the few small mistakes in the
- report about the "Swap Virus" but anyway, I am correcting it now.
-
- The only mistake I found was in the INFECTION part section C.
-
- 1) Instead of bytes 2B4-2E4 correct it to bytes 00B7-00E4 (A sector has
- only $200 bytes on it).
-
- 2) The correct message at the end of the virus is:
-
- "The Swapping-Virus. (C) June, 1989 by the CIA"
-
-
- I hope there are no more mistakes!
-
- - --Yuval
-
- ------------------------------
-
- End of VIRUS-L Digest
- *********************
-
- Downloaded From P-80 International Information Systems 304-744-2253
-