VIRUS-L Digest   Friday, 9 Jun 1989    Volume 2 : Issue 133

Today's Topics:

Re: naming confusion
Re: Your assistance please...
GateKeeper
re: possible virus (pc)
Software companies writing nasty s/w
Warning New Virus (PC)
RE: Possible virus? (PC)
more on developers releasing viruses
Upcoming Flu_Shot+ version (PC)

---------------------------------------------------------------------------

Date: Thu, 8 Jun 89 12:55:58 PDT
From: rmorey@ORION.CF.UCI.EDU
Subject: Re: naming confusion

Regarding the "PLO" virus and your suggestion that we not call it by that name, don't you think that your desire to suppress the link between the virus and something which obviously offends you (the name "PLO") is a political tactic? That particular virus is known to many people already as the "PLO virus"--now you expect them to have to worry about changing that name in their minds because it offends someone? Don't forget that viruses offend everyone, most certainly everyone who reads this net. We all have a common interest in combating viruses and their spread, but I really doubt that we are going to spend much time worrying about their names.

I apologize if this offends you but, given both my interest in international politics and my work in computers, I don't see how both should be meshed or affected at such a perfunctory level.

Robert J. Morey

[Ed. In mentioning the confusion in the naming convention for viruses, I never intended to start a political discussion/war - let's please not turn this into one.]

------------------------------

Date: Thu, 8 Jun 89 22:21:25 +0200
From: Johan Bengtsson
Subject: Re: Your assistance please...

Name of Virus:   Israeli Virus (I believe)

Computers/OS:    Does run on IBM compatibles with DOS operating system.
                 (though not when using the Novell network, interrupt conflict)

Virus activity:  After infection, every program run received a copy of the virus. One type of executables (EXE files) were infected many times. This led to the eventual discovery of the virus.

The sick systems did have a "symptom"; about two times each hour a small part of the screen was blanked out. Each Friday 13th, after an initial delay of about 30 min, *every* program run was *deleted*. This did not happen to us; countermeasures were applied in time.

Countermeasures: A "vaccine" was developed by me, after disassembly of the virus code. This detected and prevented further infections. An "antidote" program was developed by the Comp. Dep. which was able to restore most infected programs. Later, we discovered that a "vaccine" and "antidote" had already been developed at an Israeli University.

Place of events: University of Lulea, Sweden, October 1988

My name: Johan Bengtsson, at the time a last year student in Comp. Sc.

Good luck with the book!

- --BEN

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Johan Bengtsson           University of Lulea, SWEDEN
Forskarvagen 149B
S-951 63 LULEA            Domain: d85-ben@luth.se
SWEDEN                    Path: mcvax!enea!luth.se!d85-ben
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -

------------------------------

Date: Thu, 8 Jun 89 16:14:25 -0500
From: chrisj@emx.utexas.edu (Chris Johnson)
Subject: GateKeeper

>Though this is probably old news, I'd recommend adding GateKeeper to
>your INITs. Though it's absolutely transparent for all disc writes
>you tell it to allow, it forbids completely any writes it doesn't know
>to be authorised. As soon as I discovered how effective it is, I
>removed Vaccine from my system: GateKeeper is much more thorough (as
>it checks the writing of *any* resource, not just CODE) and much less
>intrusive.
>
>Best of luck with your disinfection.
>
>Alastair Milne

If you liked GateKeeper 1.1, you'll really like GateKeeper 1.1.1. It's been in testing (in various stages of completion) for several months now and should be available in the next few weeks. One (potentially) troublesome bug has been fixed and a good number of enhancements have been added. More details on 1.1.1 later.

By the way, you're right that GateKeeper doesn't *just* protect CODE resources, but it's not true that it protects *all* resources. Protecting all resources is unnecessary (besides, you wouldn't want to have to grant privileges to every program that modifies one of its own 'STR ' resources). What GateKeeper does do is protect every type of resource known to contain executable code (there're about 26 of them, running from INIT and CODE (which you might expect viruses to attack) to others like 'snth' and 'MBDF' (which you might not)). [Anyone interested in the exact list can check GateKeeper's 'Type' 1 resource.] Fortunately, most of these protections are unnecessary against the current crop of viruses (and let's hope it stays that way), but the protections are there just the same (to help make sure it *does* stay that way).

In response to another question I noticed a few articles down, GateKeeper is available for anonymous ftp from Sumex, Simtel, emx.utexas.edu and rascal.ics.utexas.edu. If these won't work for you, you can always send me (Chris Johnson) mail as chrisj@emx.utexas.edu and I'll send you a copy.

Cheers,
- ----Chris (Johnson)
- ----Author of GateKeeper

------------------------------

Date: Thu, 08 Jun 89 16:09:40 CDT
From: "Rich Winkel UMC Math Department"
Subject: re: possible virus (pc)

>      Another weirdness (or maybe not).  If you are (BY THE WAY, WE
>ARE TALKING ABOUT IBM CLONES) booting up from a bootable diskette (not a
>full DOS disk) with no config.sys file, does it get the files and buffers
>limits from the dos disk that originally made the bootable disk?  It
>must, obviously.  Where does it keep this stuff?

No, it just uses default values hardcoded in dos. The default for buffers is 2 for a PC, 3 for an AT. The default for files is 8.

Rich

------------------------------

Date: ???, 02 Jan 80 17:06 EDT
From: Bob Stratton
Subject: Software companies writing nasty s/w

In VIRUS-L Digest, Thursday, 8 Jun 1989, Volume 2 : Issue 132, odawa@well.sf.ca.us (Michael Odawa) writes:

> Let us set the record straight on this subject:
> No known software publisher has ever intentionally released a virus
> into circulation, nor is it likely that any would do so, as it would
> be contrary to their interests. Viruses threaten the entire software
> industry and expose the releasing party to an enormous legal
> liability.

While the following information pertains specifically to a trojan horse, it is a prime example of a software company (or at the very least - individuals at a software company) writing deleterious software to further personal aims. I quote from the "Dirty Dozen List, Revision 8D":

SUG.ARC - "Words can not express my feelings about this trojan. SUG.ARC advertises that it can break SOFTGUARD copy protection, but upon invocation, it will scramble the FATs on drive A, B, C, and onwards to your highest drive.
- ----> While this is certainly a nasty trojan, it is particularly
- ----> repulsive because SOFTGUARD, CORP, THE CREATORS OF SOFTGUARD
- ----> COPY-PROTECTION, WROTE IT - perhaps in response to declining
- ----> business. [My emphasis - RJS III]
They claim that anyone who runs SUG is breaking an original license agreement; therefore they may legally destroy data. I don't credit this, and neither does an attorney I know, so I eagerly anticipate Softguard's day in court."

I wouldn't normally credit rumors of this sort, but this list has generally been well-researched, and the author(s) seem(s) to put a lot of time into verification of the reports he receives.

Cheers,
Bob

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Robert J. Stratton, III        BITNET:   BSTRATTO@NAS
Stratton Systems Design        INTERNET: BSTRATTO%NAS.BITNET@UUNET.UU.NET
Alexandria, VA, USA            USENET:   uunet!NAS.BITNET!BSTRATTO
                               PSTNET:   1-202-334-3638
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Software is like entropy. It is difficult to grasp, weighs nothing, and obeys the Second Law of Thermodynamics; i.e., it always increases." -- Law XVII: "Augustine's Laws" -- Norman R. Augustine --

------------------------------

Date: THU 08 JUN 1989 18:34:00 EDT
From: IA96000
Subject: Warning New Virus (PC)

Just thought you all might like to know the following:

There is a new virus floating around, which attacks WP.EXE in particular and almost every other .EXE file it comes in contact with. It is self propagating and trashes files and disks. Some of the things to look for are as follows:

1) Strange blue/green blocks appear on the screen.

2) Running a .EXE you know is on the disk and getting a "File not found" error even though the .EXE is on the disk.

3) After 30 to 45 minutes everything seems to slow down. Doing a DIR takes 30 or 40 seconds for each line to appear.

4) It definitely spreads between .EXE files, although it appears .COM files are immune.

5) It will spread to all types (sizes) of floppy disk drives and will jump to a hard drive.

More later...

------------------------------

Date: Thu, 8 Jun 89 21:40:26 -0400
From: Joe Sieczkowski
Subject: RE: Possible virus? (PC)

>      Another weirdness (or maybe not).  If you are (BY THE WAY, WE
>ARE TALKING ABOUT IBM CLONES) booting up from a bootable diskette (not a
>full DOS disk) with no config.sys file, does it get the files and buffers
>limits from the dos disk that originally made the bootable disk?

If there is no config.sys file on a bootable disk, DOS just uses the default buffer and file sizes, which are quite small. It does not keep them from the original DOS disk that made it bootable.

Dbase requires a minimum file and buffer size in order for it to run properly. Every bootable Dbase disk should have a config.sys file on it to meet these requirements. This might have been the cause of your problem.

Joe

------------------------------

Date: Thu, 08 Jun 89 23:30 CDT
From: Gordon Meyer
Subject: more on developers releasing viruses

At the risk of beating a dead horse, and restating a position that I made quite clear in my first posting, I feel I must respond in some form to the message from Michael Odawa of the "Software Development Council of North America". Rather than issue political statements about the possibilities, I'll refer interested readers to the article I was speaking of. Despite Mr. Odawa's claims, there is evidence of "unknown" developers doing just what I outlined. I remind him, and all readers, that such evidence does *not* constitute proof. Can we agree that it is undesirable, but not impossible?

- -=->G<-=-

"The Revenge of the Developers" _Current Notes_ Volume 8. Number 6. August 1988
Back issues available for $2.50 from:
Current Notes, Inc.
122 N. Johnson Rd.
Sterling, VA 22170

Standard disclaimers apply.

- --------------------------------------------------------------------
| Gordon R. Meyer, Northern Illinois University, Dept of Sociology |
| GEnie: GRMEYER, CIS: 72307,1502, Phone: (815) 753-0555           |
| Bitnet: Tee-Kay-Zero-Gee-Are-Em-One AT Enn-Eye-You.bitnet        |
|------------------------------------------------------------------|

------------------------------

Date: Thu, 8 Jun 89 15:00:24 EDT
From: utoday!greenber@uunet.uu.net (Ross Greenberg)
Subject: Upcoming Flu_Shot+ version (PC)

Rob, a future version of FLU_SHOT+ will be available in the next few months to a) search your hard disk (upon request) to look for strains of a virus I know about and b) remove that virus from the infected program if possible. Same thing goes for Boot Sector Viruses, too.

However, since I can only program in such a manner against viruses I know of, a new virus would not be noticed or removed. Each new virus I found would require a new version of FLU_SHOT+, and (after ten versions!) I'm sure some people are looking at the incremental benefits and presuming it isn't worth the expense in time to update. I know that I'm sorta cautious not to release trivial updates, and I presume that the majority of the other anti-virus people must have the same attitude.

Ross M. Greenberg
Author, FLU_SHOT+

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
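Added illustration, not part of the digest and not code from FLU_SHOT+ or from Johan Bengtsson's "vaccine": it contrasts the two detection approaches the messages above describe, a signature scanner that (as Ross Greenberg notes) can only find strains it already knows, and an integrity check of the kind that catches any change to a program, including infections by strains nobody has a signature for. All file contents, names and signatures are constructed for the example.

```python
"""Signature scanning versus integrity checking (constructed example)."""
import hashlib

# Constructed signature database: strain name -> byte pattern the scanner
# looks for. A real scanner ships such patterns for each strain it knows.
KNOWN_SIGNATURES = {
    "demo-strain-A": b"\xde\xad\xbe\xef\x13",
}


def signature_scan(data: bytes, signatures=KNOWN_SIGNATURES):
    """Return the names of all known signatures found in the file data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def make_baseline(files: dict) -> dict:
    """Record size and SHA-256 digest of every clean file (the baseline)."""
    return {name: (len(d), hashlib.sha256(d).hexdigest()) for name, d in files.items()}


def integrity_check(files: dict, baseline: dict):
    """Return the names of files whose size or digest no longer match the baseline."""
    changed = []
    for name, data in files.items():
        expected = baseline.get(name)
        if (len(data), hashlib.sha256(data).hexdigest()) != expected:
            changed.append(name)
    return changed


# Constructed samples: a clean program, a copy carrying the known strain's
# pattern, and a copy carrying a one-byte variant the database has never seen.
CLEAN = b"MZ" + b"\x90" * 40
INFECTED_KNOWN = CLEAN + KNOWN_SIGNATURES["demo-strain-A"]
INFECTED_VARIANT = CLEAN + b"\xde\xad\xbe\xef\x14"


def demo():
    """Baseline two clean files, then inspect their modified copies both ways."""
    baseline = make_baseline({"PROG1.EXE": CLEAN, "PROG2.EXE": CLEAN})
    after = {"PROG1.EXE": INFECTED_KNOWN, "PROG2.EXE": INFECTED_VARIANT}
    return {
        "signature_hits": {n: signature_scan(d) for n, d in after.items()},
        "integrity_changed": integrity_check(after, baseline),
    }


if __name__ == "__main__":
    print(demo())
```

The signature scanner flags only PROG1.EXE, while the integrity check flags both, which is why a scanner needs a new release for every new strain and an integrity baseline does not.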