VIRUS-L Digest             Wednesday, 7 Jun 1989        Volume 2 : Issue 131

Today's Topics:

Notifications for Network Viruses
re: Possible virus? (PC)
Re: naming confusion
Are software developers releasing viruses?
virus disinfecting

---------------------------------------------------------------------------

Date: Wed, 7 Jun 89 08:55 EDT
From: Roman Olynyk - Information Services
Subject: Notifications for Network Viruses

I've recently completed a virus response procedure for our site, a
statewide educational telecomputing network.  This procedure
establishes an emergency action plan that we hope would reduce the
impact of a computer virus at WVNET.

One of the sections in our procedure deals with notifying authorities.
A couple of the following items took a little digging to get, and I
think that having these on hand for reference would be useful.  Every
moment spent deciding what to do during an outbreak of a virus may
give the virus another chance to spread.

* VALERT-L list - if the virus is spreading outside of WVNET's network
  through BITNET or the Internet, a member of the Virus Response Team
  will post a warning to VALERT-L@LehiIBM1.  This list is dedicated to
  posting emergency warnings of detected viruses.

* BITNIC - the BITNET Information Center in Washington, DC, should be
  notified in the event of a virus which affects the BITNET network.
  Telephone number 202-872-4200.  Contact persons as of June 7, 1989
  are Michael Hrybyk, James Conklin (director), and Amanda Spiegel.

* SRI-NIC - the SRI International Network Information Center is the
  central information site for the Internet.  Telephone number
  800-235-3155, available around the clock.  There is no designated
  contact person for SRI-NIC.

Besides the above three items, we also want to inform our management
team, primary contacts at the campuses of our member schools, and
(particularly where a serious incident is suspected to have originated
from within WVNET's environment) legal counsel.

[Ed.
Another Internet contact point is the Computer Emergency Response Team
at Carnegie Mellon's Software Engineering Institute.]

------------------------------

Date: 7 June 1989, 09:33:25 EDT
From: David M. Chess
Subject: re: Possible virus? (PC)

> If you are... booting up from a bootable diskette (not a full DOS
> disk) with no config.sys file, does it get the files and buffers
> limits from the dos disk that originally made the bootable disk?

No, when you boot from any disk without a CONFIG.SYS on it, DOS just
takes the defaults for files and buffers.  The defaults have varied
with DOS version, I think.  In 3.3, I believe the defaults were
FILES=8 and BUFFERS=2, 3, 5, 10 or 15 (depending on diskette drives
installed and memory size).  See the DOS manual for details.

DC

------------------------------

Date: Wed, 07 Jun 89 19:30:14 +0300
From: Y. Radai
Subject: Re: naming confusion

In #128 Ken writes:
>One of the most frustrating things that I've run into is that viruses
>get called different things by different people.  Just look at a
>couple of the more common ones - Israeli <=> PLO <=> Russian <=> Black
>Hole <=> Little Black Box, Brain <=> Pakistani ... (the list goes on).
>I'm not proposing any solutions here because, quite frankly, I'm not
>aware of any real good solutions.  Anyone have any suggestions?  My
>point is merely to point out the cause for confusion and hopefully
>generate some discussion on it.

I don't think we can prevent multiplicity of names, but some names are
more reasonable than others.  For example, if a user sees a region of
his screen scroll up and leave a black rectangle, it's understandable
that he should call it the "Little Black Box" if he's never heard of
the Israeli virus before.  On the other hand, the term "PLO" as a name
for the Israeli virus is entirely inappropriate since it suggests a
political motive for the virus, a hypothesis which, to the best of my
knowledge, has never been supported by *any evidence whatsoever*.
The first person to suggest this motive seems to have been Vin
McLellan, who wrote in a New York Times article of Jan 31, 1988 that
the virus "was apparently intended as a weapon of political protest".
But his sole "evidence" was the coincidence of dates which he
discovered between the first day on which the virus would cause damage
(it does this only on Friday-the-13ths) and the 40th anniversary of
the last day Palestine was under the British mandate (May 13, 1988)!
I wrote to him, pointing out how flimsy his evidence was.  I also
pointed out that whatever psychological drive motivates most creators
of viruses and Trojan Horses elsewhere in the world, and whatever
motivated the author of the April-Fools-Day viruses (which were
discovered in Israel about the same time, yet no one claims that
*they* were politically motivated), is quite sufficient to motivate
creation of our Friday-the-13th virus also.

Now I have no doubt that McLellan's intentions were good.  But as he
eventually admitted to me, he "was too quick to assume too much about
this virus, its author, and its intent."  Unfortunately, his
explanation was already accepted by many people, even to the point of
dubbing this virus the "PLO" virus.  The name "PLO" is therefore
entirely inappropriate and I would like to request readers of this
list to refrain from using this name.

As for the other synonyms for the Israeli virus (btw, I can add 7 more
to those mentioned by Ken), I can understand the reason for all of
them except "Russian".  Does anyone have any idea what motivated
*that* name??

                                        Y. Radai
                                        Hebrew Univ. of Jerusalem

------------------------------

Date: Wed, 07 Jun 89 12:13 CDT
From: Gordon Meyer
Subject: Are software developers releasing viruses?

A virus-l writer recently asked about viruses being spread, on
purpose, by software manufacturers.  While I would like to think this
isn't happening, there is evidence to the contrary.
Dave Small, developer of the Magic Sac and Spectre 128 (two products
that allow the Atari ST/Mega to emulate a Macintosh), has indicated
that some developers might be introducing viruses as a means to fight
software piracy.

It's a simple premise.  The developer "releases" a beta version of his
program that is clearly labeled as being pirated.  (A big "CRACKED BY
CAPTAIN CROOK" will do it.)  So far these programs have not been aimed
at individual pirates per se, but rather the pirate bulletin board
systems.  When run they introduce a virus that waits for a future date
(long enough to allow the program to be circulated in the pirate
community) before going into action.  Usually it looks for specific
BBS files...if it finds them it starts to slowly corrupt the FAT table
on the hard drive.

Small has suggested that other "revenge" techniques are possible such
as burning out the Atari color monitor by forcing the hardware into
monochrome mode.  I'm sure there are other possibilities as well.

This information is taken from an article by Small, published in
_Current Notes_ (August 1988).  Any errors in the above summary should
be blamed on me, not him.

-=->G<-=-

PS: Small didn't name any specific programs, but I know that a French
game, "Manhattan Dealer", was known to contain a virus in its pirated
form.

- --------------------------------------------------------------------
| Gordon R. Meyer, Northern Illinois University, Dept of Sociology |
| GEnie: GRMEYER, CIS: 72307,1502, Phone: (815) 753-0555           |
| Bitnet: Tee-Kay-Zero-Gee-Are-Em-One AT Enn-Eye-You.bitnet        |
|------------------------------------------------------------------|
|------------------------------------------------------------------|
| Disclaimer? Grad students don't need 'em!                        |
|__________________________________________________________________|

------------------------------

Date: Wed, 7 Jun 89 20:51 N
From: ROB_NAUTA
Subject: virus disinfecting

I got nobrain.c, a program that removes a Brain virus from a diskette,
and antidote, which removes the pingpong virus from a disk.  These
tools made me wonder, is there a program that recognises viruses for
the PC?  Mac antiviral programmes do, because every time a new virus
is found the tools can't help and a new version comes out, extended to
recognise that one as well.  Is there a program that says 'this disk
(or COM or EXE file) is infected by ......'??  I know FluShot+ warns
if you boot from a Lehigh-infected disk.

Furthermore, is there a program that disinfects COM or EXE files that
were infected by, say, the 1701/1704, TSR virus etc??  At the moment
everybody says 'install your software from your backups and start with
a clean system' but seeing how fast I can clear the Pingpong from a
disk makes me interested to find out if there are programs that
restore program files...

If those programs don't exist, I may start writing my own tool for it.
I will need some info then how I can recognise known viruses and how I
can reconstruct the file (delete the first 1701 or 1704 bytes seems
logical in that case, but is it correct, and what about the others??)

I hope someone can help me, thanks in advance

Rob J. Nauta - Fidelio Software

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
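The last message in the digest asks how a home-grown tool could recognise a known file infector and reconstruct the host .COM file, and whether simply deleting the first N bytes is the right reconstruction. The following is an added example, written for this page and not code from the digest or from any of its contributors. The two infector layouts (a "prepender" that puts its body in front of the host, and an "appender" that puts its body at the end and patches the host's entry point with a JMP) and the byte signatures are constructed for illustration only; they make no claim about the layout of the 1701/1704 virus or any other real one, whose exact layout has to come from a disassembled sample. What the example shows is that stripping a fixed number of leading bytes only recovers a host that was infected by a prepender, that an appender needs the saved original bytes put back instead, and that a signature hit should be cross-checked against the layout it implies before anything is cut.

```python
"""Toy signature scanner and disinfector for DOS-style .COM images.

Added illustration only.  The infector layouts and signatures below are
constructed for this example and describe no real virus.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes     # bytes searched for in the image
    kind: str          # "prepend" or "append"
    body_len: int      # size of the viral body in bytes
    pat_off: int       # offset of `pattern` inside the viral body
    save_off: int = 0  # appenders only: where the body keeps the host's original 3 bytes


# --- constructed toy infectors (hypothetical, NOT real viruses) -------------
# Prepender: short jump over its own body (EB 1E lands at offset 0x20), then
# filler; the untouched host follows at offset 32.
PRE_BODY = b"\xEB\x1E" + b"TOY-PREPENDER" + b"\x90" * 17      # 32 bytes

# Appender: body goes at the end of the file; the host's first 3 bytes are
# replaced by JMP rel16 (E9 xx xx) to the body, and the originals are saved
# inside the body at APP_SAVE_OFF so the virus can run the host afterwards.
APP_TAG = b"TOY-APPENDER"                                      # 12 bytes
APP_SAVE_OFF = len(APP_TAG)
APP_LEN = 24

SIGNATURES = [
    Signature("Toy-Prepender", b"TOY-PREPENDER", "prepend", len(PRE_BODY), pat_off=2),
    Signature("Toy-Appender", APP_TAG, "append", APP_LEN, pat_off=0, save_off=APP_SAVE_OFF),
]


def infect_prepend(host: bytes) -> bytes:
    return PRE_BODY + host


def infect_append(host: bytes) -> bytes:
    body_start = len(host)
    rel = body_start - 3        # rel16 is measured from the byte after the 3-byte JMP
    patched = b"\xE9" + rel.to_bytes(2, "little") + host[3:]
    body = APP_TAG + host[:3] + b"\x90" * (APP_LEN - APP_SAVE_OFF - 3)
    return patched + body


def _occurrences(image: bytes, pattern: bytes) -> Iterator[int]:
    pos = image.find(pattern)
    while pos >= 0:
        yield pos
        pos = image.find(pattern, pos + 1)


def scan(image: bytes) -> Optional[Tuple[Signature, int]]:
    """Return (signature, body_start) for a recognised infection, else None.

    A byte match alone is not enough: the layout the signature implies must
    also hold, otherwise a clean file that merely contains the pattern as
    data would be "disinfected" into garbage.
    """
    for sig in SIGNATURES:
        for pos in _occurrences(image, sig.pattern):
            body_start = pos - sig.pat_off
            if body_start < 0 or body_start + sig.body_len > len(image):
                continue
            if sig.kind == "prepend" and body_start != 0:
                continue
            if sig.kind == "append":
                # body must sit at the very end and the entry JMP must target it
                if body_start + sig.body_len != len(image) or image[0] != 0xE9:
                    continue
                if int.from_bytes(image[1:3], "little") != body_start - 3:
                    continue
            return sig, body_start
    return None


def disinfect(image: bytes) -> bytes:
    """Reconstruct the host program, or refuse if no known layout fits."""
    hit = scan(image)
    if hit is None:
        raise ValueError("no known infector recognised; leave the file alone")
    sig, body_start = hit
    if sig.kind == "prepend":
        # Only here is "delete the first N bytes" the right reconstruction.
        return image[body_start + sig.body_len:]
    # Appender: put back the 3 bytes the JMP overwrote, then cut the body off.
    saved = image[body_start + sig.save_off: body_start + sig.save_off + 3]
    return saved + image[3:body_start]


# Constructed sample host (mov ah,9 / mov dx,0110h / int 21h / ret, then the
# string it prints); not a program from the digest.
HOST = bytes.fromhex("b4 09 ba 10 01 cd 21 c3") + b"Hello$"
```

Run it with `disinfect(infect_prepend(HOST)) == HOST` and `disinfect(infect_append(HOST)) == HOST`; both hold, while `infect_append(HOST)[APP_LEN:]` is not the host, which is the answer to the "delete the first N bytes" question for an appender. The layout checks in `scan` are the part worth keeping in a real tool: when a signature matches but the implied layout does not, the file is not one the tool understands, and the digest's standing advice (reinstall from clean backups) applies.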