home *** CD-ROM | disk | FTP | other *** search
- VIRUS-L Digest Thursday, 20 Apr 1989 Volume 2 : Issue 94
-
- Today's Topics:
- Viruses, Networks, and NFS: Questions
- AppleShare volumes (Mac)
- Forwarded: DenZuk Virus (PC)
- Hiding Viruses by Intercepting Output
-
- ---------------------------------------------------------------------------
-
- Date: Thu, 20 Apr 89 07:58:06 PLT
- From: Joshua Yeidel <YEIDEL@WSUVM1.BITNET>
- Subject: Viruses, Networks, and NFS: Questions
-
- Joe Sieczkowski's recent remarks about the possibility of NFS-borne
- viruses lead me to the following questions:
-
- I understand that EXECUTING an infected program stored on an NFS
- server could infect the client system. I'm wondering if NFS has
- loopholes such that a client can be infected by a server WITHOUT the
- client requesting execution of a server-based program (for example,
- via a worm process, a bogus remote procedure call, or ???) Anyone who
- knows NFS well is hereby invited to speculate.
-
- We are a few weeks away from getting our first NFS machines, so I'm
- not very familiar with the ins and outs (I don't have documentation
- yet, either). This is not a burning issue, just a question which our
- security task force is bound to ask sooner or later.
-
- ------------------------------
-
- Date: Thu, 20 Apr 89 11:14 EST
- From: Roberta Russell <PRUSSELL@OBERLIN.BITNET>
- Subject: AppleShare volumes (Mac)
-
- I have a question about virus infections on an AppleShare file server.
-
- If I partition the server into two "volumes", and if one of these
- volumes becomes infected, will that infection spread to the other
- volume? I'm not talking here about users infecting the other volume,
- but about the infection spreading across the server from one volume to
- another (users would have access to only one volume). Since both
- volumes share the same operating system, I'm assuming this would be
- true, but would appreciate more informed opinions. Thanks,
-
- Robin Russell
- Oberlin College Computing Center
- prussell@oberlin (bitnet)
- prussell@ocvaxa.oberlin.edu (internet)
-
- ------------------------------
-
- Date: Thu, 20 Apr 89 09:44:35 PDT
- From: rogers@marlin.nosc.mil (Rollo D. Rogers)
- Subject: Forwarded: DenZuk Virus (PC)
-
- Here are more details as a follow-up to the message i forwarded to you
- yesterday on this suspected new virus. This person is seeking
- assistance to find a way to eradicate the infection and perhaps
- disassemble a copy of it too..
- -------
- Forwarded mail follows:
- Original-Date: Thu, 20 Apr 89 10:12:40 EST
- Original-From: iuvax!bsu-cs.bsu.edu!atariman@ucsd.edu (Jeff Scott)
-
- Here is some general information about the 'DENZUK' virus. No
- specific information is available as to it's origin, what it actually
- does, or how long it takes to do it.
-
- The 'DENZUK' virus.
-
- The DENZUK virus first started showing up here at Ball State
- University, Muncie, Indiana around the 16th of April. It was first
- noticed because everytime that the computer is re-booted, a graphic
- display will show up and the letters DEN ZUK * will slide in from the
- sides of the screen. (The * is a graphics symbol resembling the AT+T
- logo) then the system will roboot. The display only lasts for about 3
- seconds and will only be seen on a graphics screen (CGA is the only
- one that has been checked). If the disk is not write protected, the
- virus (I call it that, but techincally it might be a worm, we really
- don't know) will write a counter to the disk. After about 5 times of
- rebooting, the disk will become useless. The information is still
- there, but the disk is un-usable. (It might overwrite the directory
- blocks or something simular).
-
- The 'DENZUK' virus can be transfered to either other bootable
- disks or DATA DISKS (unbootable disks). It was thought for a while
- that the virus could possibly be transfered to disks with a write
- protect tab in (as it is possible to do that on IBM PC's), but this
- can only be done in certain instances. This instance would be if the
- write-protect tab was squeezed or torn a bit. The virus is transfered
- to another disk whenever another disk is accessed (either read or
- write) and that disk will then have the virus.
-
- The only way known of checking for that virus is to reboot the
- computer with the disk you want to check in the A: drive. This will
- work with system or data disks to check for the virus. This is not to
- say that this is a sure- fire way of checking for DENZUK. It may well
- keep a counter to count up the number of times re-booted and not start
- showing the display until a certain number. That would give it time
- to propagate even more.
-
- It has also been found out that the virus writes to the first
- track. This may be where the actual program is, or it could be where
- the counters are kept, or both...
-
- At this point, we do not know what, if anything, this virus will
- do to a hard drive.
-
- That is all that we know right now, if we learn any more I will
- try to keep you informed.
-
- Jeff Scott
- Computer Competency
- Ball State University
-
- ------------------------------
-
- Date: Thu, 20 Apr 89 16:06 EST
- From: <JWW7917@RITVAX.BITNET>
- Subject: Hiding Viruses by Intercepting Output
-
- Some time ago, a person brought up the idea of a virus that
- would intercept the sector reads. If the sector that was read was the
- one in which the virus lived, then the virus would return bogus data.
- Someone else responded with a reason why this would not be an easy
- task to do. Could anyone tell me how this method of hiding a virus
- would fail? Consider the virus using this technique to be a boot
- sector virus.
-
- John Wagner
- RITRC
- jww7917@ritvaxa
-
- ------------------------------
-
- End of VIRUS-L Digest
- *********************
-
- Downloaded From P-80 International Information Systems 304-744-2253
-
