VIRUS-L Digest Wednesday, 13 Sep 1989 Volume 2 : Issue 191 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: October 12/13-CORRECTION (PC) Iceland/Saratoga viruses (PC) Virus frequency (PC) Suggestions on subject lines in comp.virus nVIR A Found on Book's Disk (Mac) RE: October 12th 13th Virus (pc) --------------------------------------------------------------------------- Date: Tue, 12 Sep 89 13:55:21 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: October 12/13-CORRECTION (PC) I apologize for any confusion I may have caused, but it seems that the Datacrime viruses (1168 and 1280) do in fact not activate on Oct. 12. The correct activation date is Oct. 13. So: No viruses vill activate on Oct. 12, but quite a few will attack on Friday Oct. 13. Datacrime vill attack the first time an infected program is run, on (or after) Oct. 13. (Thanks to D. Chess for the correction) ------------------------------ Date: 12 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: Iceland/Saratoga viruses (PC) There seem to be three different viruses in this general family: - One is a resident EXE-file infector that infects every tenth EXE file executed, and sometimes will mark a free cluster on a hard disk as bad (the "damage" routine). I've seen this one called the "Saratoga 1". - The second (not that the order I'm listing them in necessarily means anything) is just like the first, except that it checks the segment of the INT13 vector, and if it's not 0070 or F000, it doesn't do anything. I've seen this called the "Saratoga 2", and also the "Icelandic Disk-Crunching virus" (that name is from Fridrik Skulason). - The third differs from the first in that it bypasses INT21 (by means that I suppose I shouldn't mention in public), and doesn't have the "mark a cluster bad" code. It doesn't have the INT13 check that the second version does. Fridrik Skulason calls this, quite reasonably, the "Icelandic Virus, version 2". Does this check correctly with everyone? The Saratoga/Icelandic nomenclature is a bit confusing, and I want to make sure that there's general agreement about the facts, if not the names... DC ------------------------------ Date: Tue, 12 Sep 89 20:58:52 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Virus frequency (PC) It was interesting to see the numbers by John McAfee, regarding the frequency of various PC viruses in the US. Just to illustrate how different things are elsewhere, here is an estimate of the situation here in Iceland. 1701/1704 60 % Ping-Pong 30 % Icelandic 5 % Brain 5 % No other virus has so far been detected here in Iceland, which quite surprising, since some viruses that are very common elsewhere, Jerusalem and Stoned in particular, should have arrived here by now. The major reason the 1701/1704 number is so high is that some large companies have been infected. They include the University of Iceland, the Post & Telephone company and two major computer companies here. In one case there was a company-wide infection, and a good reason for that. It seems that somebody in management had decided that only a handful of men should have permission to install new software. This was done for a number of reasons, one of them to minimize the likelihood of virus infections. What happened was that one person in this group got infected, and within two weeks he had spread the infection all over the company - You see, they were upgrading from DOS 3.2 to 3.3, and he was resposible for distributing the master copies to every department. On every disk was a copy of the Icelandic keyboard program - a program that was executed in AUTOEXEC.BAT. And - this program was infected with 1704. The past week the entire PC support department there has been working overtime cleaning up their mess and running disinfection programs. ------------------------------ Date: 12 Sep 89 09:58:57 +0000 From: d88-sli@nada.kth.se (Stefan Lindmark) Subject: Suggestions on subject lines in comp.virus As a reader of comp.virus and *many* other newsgroups there is one thing that I really appreciate: Intelligent subject lines. Lots of time can be saved if subject lines contain proper information so that uninterested readers may do effective kills. What has this got do to with comp.virus? I am (personally) interested only in articles regarding Macintosh virus strains. Thus I have put in my kill file PC, Amiga etc, so that I don't have to read them. Now this is my idea: Everybody should compose subject lines that show which computer system the article considers. Examples: Subject: New mega-nasty virus strain (Mac) Subject: Disk-destructive virus (Amiga) ... Comments? Suggestions? [Ed. A good point, and I've been promoting good subject lines on VIRUS-L/comp.virus for some time now. And, I do try to put a (PC), (Mac), etc. at the end of subject lines where applicable, if the author has not already.] Stefan Lindmark Email: d88-sli@nada.kth.se Snail-mail: Don't even bother... If everybody helped one newuser today, the world would look a bit happier. ------------------------------ Date: 12 Sep 89 09:04:13 +0000 From: chinet!henry@att.att.com Subject: nVIR A Found on Book's Disk (Mac) I just received the book "Applied HyperTalk" which contains a disk with HyperCard 1.2.2 on it. This disk is infected with nVIR A! The Book: Applied HyperTalk by Jerry Daniels and Mary Jane Mara Brady Utility, Prentice Hall Trade, Simon & Schuster ISBN: 0-13-040882-4 The Disk: Brady HyperCard 1.2.2 infected with nVIR A Also Several stacks and a text file which are not infected. I will be contacting the publisher, the Small Computer Book Club (where I got the book), and Apple about this. If you have a copy of this, PLEASE check it for viruses!!! Henry C. Schmitt Author of Virus Encyclopedia - -- H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: Wed, 13 Sep 89 11:50:00 -0500 From: Bradley James Bouwkamp Subject: RE: October 12th 13th Virus (pc) Everybody (the press ) is talking about the virus and as one person stated "The Mania is started". Well to add to the panic I just heard about it over the RADIO in Grand Rapids Mi. I Didn't here all of it, but mainly it said watch out for it and some "group of people" have a anti-virus for it and to give them a call if you wanted a copy. Brad Bouwkamp ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253