VIRUS-L Digest             Thursday, 10 Aug 1989        Volume 2 : Issue 172

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU.  Information on
accessing anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Unix archive site
DataCrime II - tiny clarification (PC)
Virus in Gould logic analyzer distribution (MAC)
Macintosh virus sites
Macintosh anti-viral archive sites
LaserWriter (Mac)

---------------------------------------------------------------------------

Date:    09 Aug 89 13:57:52 +0000
From:    krvw@sei.cmu.edu (Kenneth Van Wyk)
Subject: Unix archive site

It looks like we have an archive site for Unix anti-virus software
(wuarchive.wustl.edu (IP#=128.252.135.4)).  Now all we need is some
software for the archive.  It would seem logical to start by putting
all of the documents on the Internet Worm there (which is already
done), but I'd also like to see some software tools.  For example, a
tool for automating checksums (and/or CRCs) on specified, or all,
binary files would be a good starting point.

The files on wuarchive.wustl.edu are in "~ftp/usenet/comp.virus".  The
current document files there are in the "doc" directory (of the above
directory) and any programs, as they're made available, will be in the
"src" directory.

Contributions of both software and documentation are encouraged, as
are ideas, suggestions, comments, etc.

And thanks to Chris Myers for supplying the archive directory!

Thanks,

Ken

------------------------------

Date:    09 Aug 89 00:00:00 +0000
From:    David M. Chess
Subject: DataCrime II - tiny clarification (PC)

Alan Roberts is basically right about the oddness of the "DataCrime
II"s self-degarbling code.  One small point (just so we don't get too
impressed with these virus-writers): while the trick that Alan refers
to does prevent the virus from degarbling itself if you single-step
through it, it's still trivial to disassemble; just set a breakpoint
right after the degarbling loop (there's even one clear byte there to
make it easy!), and let it run until then.  The virus writer was
probably trying to show off, and no doubt thinks him/her/itself very
clever, but in fact the trick added about 90 seconds to the time
required to analyze the virus, and was hardly worth the effort...

DC

------------------------------

Date:    Wed, 09 Aug 89 09:41:57 -0600
From:    dce@Solbourne.COM (David Elliott)
Subject: Virus in Gould logic analyzer distribution (MAC)

Yesterday, one of the people here discovered that the Mac II's we
are using as part of a Gould logic analyzer setup came from Gould
infected with nVIR.

The disk is marked as

        CLAS 4000 Software Version A12

Gould knows of this problem, and I assume they are taking appropriate
steps.

David Elliott
dce@Solbourne.COM
...!{uunet,boulder,nbires,sun}!stan!dce

------------------------------

Date:    Wed, 09 Aug 89 13:23:53 -0400
From:    Sari Khoury <3XMQGAA@CMUVM.BITNET>
Subject: Macintosh virus sites

Are there any virus archives for the Macintosh besides MACSERVE@PUCC
AND LISTSERV@RICE?

Acknowledge-To: <3XMQGAA@CMUVM>

[Ed. See next message...]

------------------------------

Date:    09 Aug 89 17:36:03 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Macintosh anti-viral archive sites

Apparently I missed the posting of the Mac archive sites.  Sorry folks.
I'm trying to automate things a bit, and must have lost it in the
confusion.

# Anti-viral archive sites for the Macintosh
# Listing of 08 August 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Mac index for the virus archives can be retrieved as
                request: mac
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ifi.ethz.ch
        Danny Schwendener
        Interactive access through SPAN/HEPnet:
                $SET HOST 20766 or $SET HOST AEOLUS
                Username: MAC
        Interactive access through X.25 (022847911065) or Modem 2400 bps
        (+41-1-251-6271):
                # CALL B050
                Username: MAC
        Files may also be copied via SPAN/HEPnet from
                20766::DISK8:[MAC.TOP.LIBRARY.VIRUS]

pd-software.lancaster.ac.uk
        Steve Jenkins
        No access details yet.

rascal.ics.utexas.edu
        Werner Uhrig
        Access is through anonymous ftp, IP number is 128.83.144.1.
        Archives can be found in the directory mac/virus-tools.
        Please retrieve the file 00.INDEX and review it offline.
        Due to the size of the archive, online browsing is discouraged.

scfvm.bitnet
        Joe McMahon
        Access is via LISTSERV.
        SCFVM offers an "automatic update" service.  Send the message
                AFD ADD VIRUSREM PACKAGE
        to listserv@scfvm.bitnet and you will receive regular updates
        as the archive is updated.
        You can also subscribe to automatic file update information with
                FUI ADD VIRUSREM PACKAGE

sumex.stanford.edu
        Bill Lipa
        Access is through anonymous ftp, IP number is 36.44.0.6.
        Archives can be found in /info-mac/virus.
        Administrative queries to .
        Submissions to .
        There are a number of sites which maintain shadow archives of
        the info-mac archives at sumex:
        * MACSERV@PUCC          services the Bitnet community
        * LISTSERV@RICE         for e-mail users
        * FILESERV@IRLEARN      for folks in Europe

wsmr-simtel20.army.mil
        Robert Thum
        Access is through anonymous ftp, IP number 26.2.0.74.
        Archives can be found in PD3:.
        Please get the file 00README.TXT and review it offline.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    10 Aug 89 02:43:26 +0000
From:    carroll1!dnewton@uunet.UU.NET (Dave Newton)
Subject: LaserWriter (Mac)

Is there such a thing as a LaserWriter virus on an AppleTalk net?  We
printed out a directory listing from a MacII hooked to a net and on two
of the pages got these large black lock-like looking things in the
middle of the page.

The funny thing is, they were different sizes, one was big, one was
small.

I didn't read about those in any Apple book 8-)

- --
"Life is just a popularity contest, and I didn't get my entry in on time."
                                                       -David L. Newton
David L. Newton            (414) 524-7253   dnewton@carroll1.cc.edu
=8-) (smiley w/ a mohawk)  (414) 524-7343   uunet!marque!carroll1!dnewton

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253