home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 1
/
HACKER1.ISO
/
misc
/
v05i001.txt
< prev
next >
Wrap
Internet Message Format
|
1992-09-27
|
20KB
From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #1
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Friday, 3 Jan 1992 Volume 5 : Issue 1
Today's Topics:
Novell Inadvertantly distributes virus with update (PC)
Re: password program (PC)
Central-Point Anti-Virus Question (PC)
Re: DOS 5.0 FDISK, UNFORMAT and the wily MBR (PC)
Re: PC problem - possible virus? (PC)
Re: virus outbreak in central Virginia (PC)
TBScan v3.1 (PC)
Unknown Mac virus? (Mac)
General questions about viruses
Virus capable of infecting Mainframes and PCs
New files on Risc (PC)
VIRx v1.9 Is Released ! (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Fri, 20 Dec 91 12:02:34 -0800
From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: Novell Inadvertantly distributes virus with update (PC)
The following is an excerpt from CIAC bulletin C-11. The infected
distribution occurred ONLY on 5 1/4 inch diskettes.
Karyn Pichnarczyk
- ---------------------
CIAC has learned that Novell, Inc. has inadvertently sent diskettes
infected with the Stoned-3 virus to Novell Netware customers. These
diskettes are labelled "Network Support Encyclopedia - Standard Volume
Update." The Novell part number for these disks is 883-001495-004.
Infected diskettes were distributed from December 9 - 16, 1991.
The Stoned-3 virus is a minor variation of the Stoned virus. This
virus infects the boot sector of a hard disk or diskette and will
sometimes display the message:
"Your PC is now Stoned!.....LEGALISE MARIJUANA!"
This virus becomes memory resident and will infect any other disks
accessed by the PC while the virus is memory resident. For additional
information, please see CIAC bulletins A-28 for more information on
the Stoned virus family, and B-16 for a summary of known viruses.
If you discover that the Stoned virus has infected your PC, it may be
removed using the VIRHUNT package. CIAC also recommends that you
follow a policy of scanning all new software before using or
installing it on your PC. This policy should be followed for all
vendor-supplied shrink-wrapped software as well as bulletin board or
shareware software, since a few other vendors have inadvertently
distributed viruses with packaged software in the past. CIAC
recommends that if you are from a DOE site and are not already using
an effective anti-viral scanner, you should contact your site's
computer security department to obtain one. In addition, since new
viruses are constantly being discovered, we recommend that you ensure
that your anti-viral scanner has been updated to the most recent
version.
For additional information or assistance, please contact CIAC:
Karen Pichnarczyk Tom Longstaff
(510)422-1779** or (FTS) 532-1779 (510)423-4416** or (FTS) 543-4416
karyn@cheetah.llnl.gov longstaf@llnl.gov
(FAX) (510) 423-8002** or (FTS) 543-8002
Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS)532-8193.
**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.
PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
------------------------------
Date: 19 Dec 91 17:54:38 +0000
From: bdrake@oxy.edu (Barry T. Drake)
Subject: Re: password program (PC)
Another way to reset the CMOS is to disconnect the battery.
If it's a soldered-in NiCad, try draining it completely with a light bulb
or other load (unless you *really* want to unsolder it).
- --Barry (bdrake@oxy.edu)
------------------------------
Date: Thu, 19 Dec 91 22:17:54 -0700
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Central-Point Anti-Virus Question (PC)
I gather that CPAV includes a "self-integrity check" routine that can
be appended to files. My question: is the size of this appendix
constant, or does it vary? I suspect it varies, in the range of 700 -
1000 bytes. Can someone who knows the product please confirm or
refute this?
Tim.
-------------------------------------------------------------
Tim Martin *
Soil Science * These opinions are my own:
University of Alberta * My employer has none!
martin@cs.ualberta.ca *
-------------------------------------------------------------
------------------------------
Date: Fri, 20 Dec 91 18:34:00 +0200
From: Y. Radai <RADAI@HUJIVMS.BITNET>
Subject: Re: DOS 5.0 FDISK, UNFORMAT and the wily MBR (PC)
Padgett Peterson writes:
>The new FDISK is not so well known but is just as effective for the
>MBR if the cunningly named /MBR switch is used however you will not
>find mention of this by typing FDISK /? or HELP FDISK. Nor could I
>find it in the hologram-equipped manual that came with the software
>from EggHead but it does seem to work in replacing the MBR code
>section while maintaining the Partition-Table.
The /MBR parameter of FDISK is an undocumented feature of DOS 5 (both
PC-DOS and MS-DOS) which replaces the code in the Master Boot Record
with a clean copy, but leaves the Partition Table as is. It is there-
fore effective in removing MBR infections (provided that the virus has
not modified the Partition Table). Although this feature was mentioned
by Bill Arnold in Virus-L/comp.virus half a year ago and in the Virus
Bulletin in its November issue, my experience is that very few people,
even experienced virus fighters, know of its existence, and those who
do seem to be unaware that it can also be used on machines running
DOS *prior to Ver. 5*. All that is necessary is to find a (clean) DOS
5 system diskette, to copy FDISK.EXE from DOS 5 onto that diskette, to
cold boot the infected machine from the diskette, and then to perform
FDISK /MBR . Works beautifully.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
------------------------------
Date: Sat, 21 Dec 91 23:10:50 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Re: PC problem - possible virus? (PC)
cci632!sjfc!od9425@ccicpg.irv.icl.com (Ogden Dumas) writes:
> Question for all: Is there a virus that can infect BOTH PCs and
> Mainframes? The place where I am working is networking and I am trying to
> find out what possible threats can arise from this. Thanx.
The answer to your question is: yes and no.
No, there is no current PC virus which would "infect" mainframes in the
sense of being active in them.
However, in a networking situation, viral infections can spread "through"
the medium of a mainframe being used as a server.
Mainframe and network viri or worms may be able to infect PC's in the
net. This is due to the more complex nature of mainframe viri, and the
use of "interpreters" in network machines. One example is the
Morris/Internet?UNIX worm which contained "source" code in the most basic
form which would be interepretted by a number of different machines, as
well as "object" code for different machines it expected to encounter.
The CHRISTMA EXEC of a few years back relied strictly upon a common
interpretted language, REXX. A PC version of REXX is available, and is
used in IBM based networks in order to assist in automating
communications between machines.
However, at present this type of situation is relatively rare. For the
moment, infections crossing OS lines are extremely unlikely.
=============
Vancouver p1@arkham.wimsey.bc.ca | "Remember, by the
Institute for Robert_Slade@mtsg.sfu.ca | rules of the game, I
Research into CyberStore | *must* lie. *Now* do
User (Datapac 3020 8530 1030)| you believe me?"
Security Canada V7K 2G6 | Margaret Atwood
------------------------------
Date: 23 Dec 91 09:48:39 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus outbreak in central Virginia (PC)
HAYES@urvax.urich.edu writes:
> Msg #: 3005 MAIN
> From: TOM HUFFMAN Sent: 12-18-91 22:23
> To: ALL Rcvd: 12-19-91 05:23
> Re: DIR-2 WARNING!!!
> We have had a "slight" attack of the DIR-2 virus in the School of
> Business at VCU. We found the virus on almost 10-15 computers... two
Sigh... :-(( It began to happen... With the source of this incredibly
infectious virus published world-wide, what else do you expect?...
> We have McAfee's VSHIELD v84 on all the machines, but they never
> detected the infections! The virus was however found with version 85.
Hmm, strange... The original, as posted, was for a quite weird and
unpopular assembler... (No, -not- A86.) If assembled with MASM/TASM,
it will generate a variant of the virus (perfectly working, though).
Maybe somebody already did this?
> This virus has already trashed several hard disks, which need to be
> formatted because they're beyond help!! Since this virus is
He must be kidding! No reformatting is necessary! Just reboot from a
non-infected diskette; delete all executable files; and run CHKDSK/F
on the infected machine. This way you'll lose only the executables,
which you can restore from a clean backup...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Thu, 01 Jan 70 00:00:00 +0000
From: djonge@isis.cs.du.edu (Denny de Jonge)
Subject: TBScan v3.1 (PC)
I'm using Thunderbyte's TBScan v3.1, with virussignatures dated
14-nov-1991. If someone is interested I can post it here.
Denny
------------------------------
Date: Sun, 22 Dec 91 19:12:00 -0500
From: "dholland@husc10.harvard.edu"@HUSC3.HARVARD.EDU
Subject: Unknown Mac virus? (Mac)
A friend of mine was cleaning up his sister's Mac Classic today,
and discovered and removed the CDEF virus using Disinfectant (2.5.1).
He also installed Gatekeeper. Now, later on, we discovered that
starting Microsoft Word generated a Gatekeeper alert; plus, the menus
were printed in the wrong font. Furthermore, the System file was over
1 megabyte, with no DAs or fonts or anything else installed except for
the standard ones that come with every Mac. Worst of all, the Grouch
was deleted without warning from the System Folder while we were
looking around.
Disinfectant still reported the system clean.
I haven't been reading this group very regularly of late; is there a new
Mac virus around? (The Mac in question has been at Brown lately.)
Unfortunately, I don't have a sample: the computer is needed, so we did
a low-level format and reinstalled everything from clean copies.
- --
- David A. Holland dholland@husc.harvard.edu
Just say NO to vi.
------------------------------
Date: Sun, 22 Dec 91 02:56:48 +0000
From: nkjle@locus.com (John Elghani)
Subject: General questions about viruses
Can someone help me with the following questions:
1- A virus obviously is a program that is CPU bound, io bound, ..etc.
i.e. it occupies system's resources. Some could probably delete
all files on a system? right?
2- How does it transfer across networks. How does it know a phone number
(modem #) of a remote node.
3- How does it get tracked down. By program name? if so, then what if
this virus changes its name? are we in trouble?
4- When it makes it to disk, how does it tell the Kernel that it wants
to run the system. It it something like a daemon tht sleeps and
wakes up?
Thanks in advance
jle
- --
-----------------------------------------------------------------------------
The above is my own posting and has nothing to do with the opinion of
Locus Computing Corporation.
------------------------------
Date: Fri, 20 Dec 91 16:46:37 -0500
From: Arthur Gutowski <AGUTOWS@WAYNEST1.BITNET>
Subject: Virus capable of infecting Mainframes and PCs
>Date: Wed, 18 Dec 91 16:44:47 -0500
>From: cci632!sjfc!od9425@ccicpg.irv.icl.com (Ogden Dumas)
> Question for all: Is there a virus that can infect BOTH PCs and
>Mainframes? The place where I am working is networking and I am trying
>to find out what possible threats can arise from this.
Not yet. And I don't think there could be. Not with the major differences
between program execution, and for that matter, operation codes on these
different platforms. For example, X'D20750006000' in MVS translates to
MVC 0(8,R5),0(,R6) which moves 8 bytes from a location pointed to by
register 6 into a location pointed to by R5. This hex string, even if
it could be downloaded to a PC in its origional form without get translated
by whatever protocol you happen to be using, is *probably* (I'm not a PC
assembler guru) meaningless once it gets there. The effort expended in
trying to get something on a mainframe downloaded to a PC and executed there
would be wasted.
Disclaimer: Then again, I may have no idea what I'm talking about.
Arthur J. Gutowski
MVS System Programmer and Virus Research Dabbler
Wayne State University
- ----------------------
"We come into the world and take our chances
Fate is just the way of circumstances
That's the way that Lady Luck dances...
Roll the Bones..." -Neil Peart
------------------------------
Date: Fri, 20 Dec 91 09:37:07 -0600
From: James Ford <JFORD@UA1VM.BITNET>
Subject: New files on Risc (PC)
The following files have been placed on risc.ua.edu (130.160.4.7) in the
directory pub/ibm-antivirus:
bootid.zip - Identify a diskette's boot sector type ("hashcode")
checkout.zip - Display or check a diskette or Hashcode
tbresc15.zip - Thunderbyte Anti-Virus Resque Boot Sector v1.5
tbscan30.zip - Thunderbyte Virus Scan v3.0, need VSyymmdd.ZIP
vs911114.zip - Virus signatures for HTSCAN/TBSCAN date 911114.
Apparently, Novell has sent out diskettes infected with Stoned 3. The
origional text follows.......
- ----------
User: "The mainframe is broke. I can't get to my account!!"
Helpdesk: "What exactly does your computer screen show now?"
User: "Wait a sec...hey, bring the candle over so I can read the screen."
- ----------
James Ford - Consultant II, Seebeck Computer Center
jford@ua1vm.ua.edu, jford@risc.ua.edu
The University of Alabama in Tuscaloosa
------------------------------
Date: Fri, 20 Dec 91 23:37:55 +0000
From: trent@rock.concert.net (C. Glenn Jordan -- Microcom)
Subject: VIRx v1.9 Is Released ! (PC)
p1@arkham.wimsey.bc.ca (Rob Slade) writes:
> ...VIRx 1.8 (by the way, Ross, where/when is 1.9?)...
OK, ok, Rob Slade ! Here it is ! :-)
VIRx version 1.9
----------------
(Good things come to those who wait !) :-)
Available on many FTP sites, Compuserve, FIDO-Net
and the Virex Support BBS at (919) 419-1602 (V.32bis, MNP-10)
>From the original $TOC file:
Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- ------ ---- ----
804 Implode 493 39% 12-17-91 00:00 2c496185 --w $TOC
7129 Implode 2626 64% 12-17-91 00:00 505730b1 --w VIREX.TXT
13184 Implode 5536 59% 12-17-91 00:00 f79005aa --w README.VRX
99242 Implode 57351 43% 12-17-91 00:00 9d38dd54 --w VIRX.EXE
13184 Implode 5135 62% 12-17-91 00:00 3065505b --w WHATSNEW.19
------ ------ --- -------
133543 71141 47% 5
What's New In VIRx Version 1.9
==============================
Date: 12/17/91
1. The licensing agreement for your usage of VIRx has been changed.
Individual and educational users need not concern themselves with the
change. For corporate and business users: VIRx may only be used within
your institution for a 30 day evaluation period. If you wish to use
VIRx after that period, please contact Microcom, Inc. at (919)-490-1277
for information on a site license. VIRx may not be bundled with other
products without a written agreement: contact Microcom for details.
2. VIRx 1.9 now detects 85 newly discovered viruses, bringing the total
count to 649, plus innumerable variants.
3. There is a known problem with occasional V2P6 false positives. If
you encounter a file that VIRx indicates contains the V2P6 virus, please
leave a message on Microcom's BBS at the number listed below with details
immediately. If possible, please upload a copy of the file that is
generating the V2P6 alert.
4. Our BBS is thriving and awaits your visit! It runs at up to V.32BIS
speeds. Please upload suspect files to the BBS, where we'll examine them
and let you know whether the file contains a virus. The latest copy of
VIRx is always available on the BBS, and we welcome your suggestions and
comments regarding our products. You can reach the BBS at (919)-419-1602
5. Finally, we are documenting our external signature file. This allows
new viruses to be detected without having to wait for a new release of
VIRx. You should be careful: if you use the external signature file and
add a virus signature that we are already using within our internal virus
signature database, VIRx will inform you that it has found a virus in
Downloaded From P-80 International Information Systems 304-744-2253