VIRUS-L Digest              Friday, 20 Jan 1989         Volume 2 : Issue 20

Today's Topics:
Friday the 13th virus
re: PC Viruses
RE: Any connection between ping-pong virus and Word Perfect? (PC)
re: PDP Virus
UK virus information server

---------------------------------------------------------------------------

Date: Fri, 20 Jan 89 08:28:50 EST
From: "John P. McNeely"
Subject: Friday the 13th virus

I read this on the RISKS discussion list concerning the rumors of the
Friday 13th virus.

- ---------------------------Original message----------------------------
Date: Wed, 18 Jan 1989 22:28:34 PST
From: Peter Neumann
Subject: Friday the 13th Again

There were various reports of Friday-the-13th virus deletions in Britain,
attacking MS-DOS systems. The so-called virus "has been frisky and hundreds
of people, including a large firm with over 400 computers, have telephoned
with their problems," according to Alan Solomon, director of S and S
Enterprises, a data recovery center in Chesham. The virus reportedly bore
similarities to the Friday the 13th Israeli virus (13 May 1988, the previous
Friday the 13th). [Source: SF Chronicle, 14 Jan 1989, p. B1]

------------------------------

Date: 20 January 89, 15:01:30 +0100 (MEZ)
From: Otto Stolz
Subject: re: PC Viruses

First Main Proposition of Virus Hunting:
   Every program designed to catch viruses can be circumvented by
   virus-writers who know its principles of operation.

Second Main Proposition of Virus Hunting:
   Every virus can be caught and prevented from further propagating,
   if its principles of operation are known.

> Does anyone know where we can get a program which either runs resident
> on a PC and prevents viruses from attacking the hard disk

According to the above 1st Proposition, there is no such thing!

However, you may obtain programs to prevent particular virus strains from
propagating to your hard disk, e.g. IMMUNE for 4 Israeli strains.
To prevent Boot-Sector-Viruses from propagating, you can buy SafeGuard
cards for your PCs, to prevent booting from floppy disks altogether.
Proceed thus: boot from a clean, original DOS diskette, format your hard
disk, re-install software on it, and then install the SafeGuard card (do
not allow for further booting until you've completed these steps).

> or non-resident programs which detect the presence of a virus?

Again, there is no such thing!

The best option you have: To detect COM- and EXE-viruses, write your own
program to compute some signature value from all bytes in a file and
compare it with a value obtained earlier in the same way. Lock away the
source of your program and every hint on its algorithm in a safe place,
and apply it regularly to every program file you use (including itself).

I hope that helps
               Otto Stolz

[Ed. Fred Cohen has an interesting way of phrasing your two
propositions - "There ain't a horse that can't be rode or a man that
can't be throwed."]

------------------------------

Date: Fri, 20 Jan 89 16:12:59 MET
From: (Dirk Bode)
Subject: RE: Any connection between ping-pong virus and Word Perfect? (PC)

Eldad's Word Perfect problem sounds much like the problem we had at our
Computer Center. It is produced by a little memory resident virus which
infects every COM or EXE file without damage, except WP 4.2!!

Now, how can you detect this virus??

First look at your memory residents (with MAPMEM or such tools). After the
virus is installed there is a new program (nearly 1700 bytes). Every time
you execute a program the virus copies itself to the beginning of this
file. If you execute an infected file the virus checks first if it's
already installed, then executes the normal program. So, if you got this
virus you may never recognise it until you use a copy of Word Perfect 4.2:
after infection you can't work from a HD.

If somebody is interested in a program to check if a file is already
infected send me a note!
Dirk Bode
Regionales Rechenzentrum Erlangen
unrzc6@derrze0.bitnet

------------------------------

Date: Fri, 20 Jan 89 10:55 EST
From:
Subject: re: PDP Virus

Thomas,

Oh, the memories that brings back.

You neglected to mention that the "PDP" was a "PDP-10". There are lots of
other PDPs in the world: PDP-11s and PDP-8s are still widely used. PDP-10s
have mostly gone the way of all good things. CompuServe is still using a
lot of them, but they don't run TOPS-10.

The program may have mutated since the last time I saw it (about 10 years
ago), but here is what I remember.

The program you describe was neither a "virus" nor a "worm" in the current
senses of those terms. Probably the closest term would be "trojan horse".

The "cookie" program was a privileged program running under TOPS-10. It was
usually run by one "friend" to annoy another. It used a privileged "ttcall"
(TOPS-10 terminal I/O call) to allocate the victim's terminal and would
pester him or her mercilessly until either the victim "fed" it a "cookie"
or the perpetrator exited the program. The computer's "system manager" had
to be involved, since the program needed to be "installed" (the Tops-10
terms were somewhat different), so the program wasn't entirely
uncontrollable.

Ah, those were the good old days: when 0.25 MIPS mainframes took up an
entire room, large disk drives were 20 MegaBytes, and you couldn't afford
more than 256KBytes of core memory.

Thanks for the nostalgia.

Selden E. Ball, Jr.
(Wilson Lab's network and system manager)

Cornell University                 Voice: +1-607-255-0688
Laboratory of Nuclear Studies      FAX: +1-607-255-8062
Wilson Synchrotron Lab             BITNET: SYSTEM@CRNLNS
Judd Falls & Dryden Road           Internet: SYSTEM@LNS61.TN.CORNELL.EDU
Ithaca, NY, USA 14853              HEPnet/SPAN: LNS61::SYSTEM = 44283::SYSTEM

------------------------------

Date: Thu, 19 Jan 89 14:28:52 GMT
From: The Heriot-Watt Info-Server
Subject: UK virus information server

UK redistribution list and archive server

For the information of other UK and European members of the virus-l list,
there is now a UK redistribution of the valert-l and virus-l lists from
Heriot-Watt University, Edinburgh.

The virus-l redistribution currently has 42 members, 14 of which are
academic site or company central redistribution points.

There is also an information server located at Heriot-Watt which currently
holds:

1. All back issues of the virus-l list (in digest form from November, in
   monthly or weekly log form from April)
2. Copies of the Trojan-PRO software from the RPICICGE archives
3. Copies of the LEHIIBM1 listserver software archives
4. Copies of the SCFVM listserver MAC software archives
5. Risks digests from November onwards
6. Various documentation on viruses, worms etc. E.g. Gene Spafford's
   report on the internet worm.

The information server is similar to the UK distributed information servers
and takes requests in the form of a mail message to the server mail address

For help on the use of the server send a mail message with the request
help, e.g.

        request: help

For an index of the topics available send,

        request: index
        topic: index

For a list of all virus information available, send

        request: virus
        topic: index

If anyone has any reports or software which they would like to appear on
this server please feel free to send them to . Updates on new items will be
posted to the UK redistribution list. Any European subscribers who wish to
be kept informed of software availability please drop me a note.
Finally, if anyone has a binhex 4.0 conversion utility running under unix I
would dearly like a copy.

Yours sincerely,

Dave Ferbrache,              [Janet]
Dept of computer science     [Internet]
79 Grassmarket               (UK) 031-225-6465 ext 553
Edinburgh. EH1 2HJ

[Ed. Thanks for all your time and effort, Dave! It is much appreciated.]

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
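
Otto Stolz's advice in this issue (compute a signature value from all bytes of each program file, compare it with a value obtained earlier, and include the checker itself) can be sketched as follows. This is an added example, not part of the original digest or any contributor's program; it substitutes a keyed HMAC-SHA256 for the "locked away" algorithm, and the file names, key and byte contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def file_signature(path, key):
    """Keyed signature (HMAC-SHA256) computed over every byte of the file."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_baseline(root, key, exts=(".com", ".exe")):
    """Map relative path -> signature for every program file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_signature(full, key)
    return baseline

def compare(baseline, current):
    """Report files whose signature changed, plus new and missing files."""
    modified = sorted(p for p in baseline if p in current
                      and not hmac.compare_digest(baseline[p], current[p]))
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "new": added, "missing": missing}

def demo():
    """Constructed sample: stand-in program files, then three kinds of change."""
    key = b"constructed-demo-key"  # assumption: the real key is stored off the machine
    files = {"EDIT.COM": b"\x90" * 64, "WP.EXE": b"MZ" + b"\0" * 98}  # constructed
    with tempfile.TemporaryDirectory() as root:
        def put(name, body):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        for name, body in files.items():
            put(name, body)
        before = build_baseline(root, key)
        put("WP.EXE", b"\xcc" * 1700 + files["WP.EXE"])  # 1700 filler bytes prepended
        put("NEW.COM", b"\x90")
        os.remove(os.path.join(root, "EDIT.COM"))
        return compare(before, build_baseline(root, key))

if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep it and the key on write-protected media, and run the check after booting from a clean diskette so that resident code cannot interfere with the reads.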