VIRUS-L Digest   Monday, 4 Dec 1989    Volume 2 : Issue 252

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

 - Ken van Wyk

Today's Topics:

Jerusalem-B in demo progs. (PC)
Jerusalem B virus infection (PC)
A virus story
Trojan Horse Alert - Norton followup (PC)
Is there a SCANV51? (PC)
Re: Info on Jerusalem Virus (PC)
Scanv49/Scanrs49 woes (PC)
Re: JUDE Virus (?????) Mac
Viruses and Anti-Semitism...

---------------------------------------------------------------------------

Date:    Fri, 01 Dec 89 12:11:02 -0500
From:    Laurence Bates
Subject: Jerusalem-B in demo progs. (PC)

We have recently located the Jerusalem-B virus on a bunch of VGA demo
programs including Rolex, Raisins, Fuse etc. I don't suppose these were
the original carriers but it might be worth double checking VGA demo
programs that get passed around. Fortunately we caught the programs
before any harm was done. They did infect our SCANV program however.

MANY MANY thanks to the creators of SCANV40. I'll be in touch with
McAfee Associates but for future reference - which source has the most
recent version of this program?

Acknowledge-To:

------------------------------

Date:    Fri, 01 Dec 89 14:32:42 -0500
From:    bill@eedsp.gatech.edu (Bill Berbenich)
Subject: Jerusalem B virus infection (PC)

On Tuesday, Nov. 28, we had an infection of the Jerusalem B virus here
in at least two campus DOS student clusters (56+ machines).
As a result of regular backups being made of the server in at least one
of the clusters, a verified uninfected restoral was successfully made
and all cluster disks were again checked for infection. It would appear
that the majority of the damage has been repaired, but it is likely
that there are some infected floppies floating around now. Users are
being advised of this and appropriate software has been installed to
help prevent a reoccurrence of the infection.

More specific information can be obtained by sending e-mail to me
directly.

Bill Berbenich
bill@eedsp.gatech.edu
Ga. Inst. of Technology
School of Electrical Engineering

------------------------------

Date:    Fri, 01 Dec 89 21:16:03 -0500
From:    seborg@umbc3.umbc.edu (Mr. Brian Seborg)
Subject: A virus story

[Ed. In addition to this story, Mr. Seborg submitted a detailed
description of the Brain virus and his University's encounter with it.
Due to the article's length, I'm sending it out to the
VIRUS-L/comp.virus documentation archive sites rather than including it
here in a digest. Thanks for the articles Brian.]

Inside a Virus Fighter's Head
copyright 1989 Brian H. Seborg

Now is the winter of my discontent. It has been cold all day, and a
looming specter of destruction dampened my spirits. Would it strike
again? No one knew whether we were safe in our sheltered system, or
whether we would be wrenched from our tranquility into the gut-wrenching
realization that we had to fight, had to protect ourselves against the
menace that had destroyed so many others who were caught unprepared.

I looked intently at my screen making sure to note every nuance of my
environment. The flicker of a drive light sent me into a protective
mode of questioning, "should that have happened?", "was that
legitimate?", "has that happened before?" The whirring of drives
spinning quietly in place made my body tense, expecting the worst,
hoping that it wouldn't happen, at least not today, not now.
I hadn't had a chance to back-up many of the bytes which could be
forever lost if today happened to be the day.

God, how I hated those vermin who had let loose these horrors that
destroyed at random the hopes and thoughts of the innocent. But they
had not gotten to me. No, for I was not innocent. Though I had jumped
into the breach, I had been ready. I am ready.

Though I despise them, I am also indebted to them. Not for the
destruction they have caused, but for the skill I have been forced to
master in order to fight them. Not because they were skilled, but
because I am more so. They will not wound me easily, and I will not be
easily dispatched. I have been victorious in countless battles which
are now but ghosts in my memory. Only once have I been close to defeat,
but, in the end I prevailed. My mind saved me when my defenses had
failed.

Not so the Taiwanese. He had not been so lucky. He had appeared with
his work maimed and crippled. Most of it beyond recognition. But he was
brave, and we fought together. Fought until we had rooted out and
killed the disease which had caused his loss. Or so we had thought.

One had survived, and lived on in our systems. Somehow it had gotten
through our defenses, though we thought them impenetrable. But it was
not as smart as I. Not quite. I found it. Found it minutes before it
would have destroyed my system leaving my disk to thrash in agony as my
dreams and thoughts evaporated in front of my eyes. But it was not to
be. Not on this particular day. It reared its ugly head, and I chopped
it off at the neck.

I have preserved its offspring in captivity so that I may learn from
them. But they no longer hold any power over me. Still, I must watch.
Watch and wait for the next time, for there will be a next time. So I
stare at my screen spellbound, and listen intently to the whirring of
the drives, their flickering lights pulsing in the half-light of my
office. I am ready.
To the vermin and their creations I mentally extend the challenge:

Go for it!

------------------------------

Date:    Thu, 30 Nov 89 09:55:44 -0500
From:    "Anthony W. Pieper"
Subject: Trojan Horse Alert - Norton followup (PC)

[Ed. From the VALERT-L mailing list.]

TROJAN HORSE ALERT ( extracted from Info-IBMPC )

There is a file going around called either NORTSTOP.ZIP or NORTSHOT.ZIP
which, by its (sparse) documentation and the copyright inside the EXE
file, claims to be from Norton Computing. Because of the sparse and
unprofessionally presented docs, I looked within the EXE file and found:

   The Norton Public Domain Virus Utility, PD Edition 5.50, (C)1989
   Peter Norton

   Your System has been infected with a Christmas virus! Selected files
   were just eliminated! Without these files, you might as well use your
   computer as a damn, boat anchor! If you do NOT own a boat, you may
   want to replace the files which were just erased. Try to determine
   which files they were. HARDY HA! HA! HA! HOW DO YOU FEEL NOW; YOU
   IDIOT? MERRY CHRISTMAS AND HAPPY NEW YEAR!

===================

PKUNZIP reports:

   1065  Implode    650  39%  10-04-89  12:26  9778978d  --w  READ-ME.NOW
  38907  Implode  30156  23%  10-02-89  11:57  c333dec0  --w  NORTSHOT.EXE
  -----          ------  ---                                  -------
  39972           30806  23%                                        2

I spoke with Craig and Tony from Norton Computing and it sure ain't
theirs. I DID run McAfee's SCANV on it, and it came up empty, so either
SCANV simply can't recognize it, or it's a prank, but either way, it
has no business being in circulation. Be on the lookout!

To:   ALL
From: TONY MCNAMARA
Subj: Trojan Horse

We at Peter Norton Computing would like to bring to your attention an
unauthorized trojan horse named NortStop.ZIP or NortShot.ZIP (these
files are the same). This file was NOT produced with the knowledge or
permission of PNCI.

This file is not a virus (it does not infect files). Instead, it is a
trojan horse (it must be run explicitly to cause any damage).
When run, it lists the directory and claims the system is virus-free.
Between December 24th and December 31st, however, it will erase files
in several directories based on their extensions.

These files can be recognized by their sizes (NortStop.ZIP is 31744
bytes, NortStop.EXE is 38907 bytes), or by doing a text search for the
strings "NORTSHOT.EXE" in the ZIP, "Norton Public" in the EXE.

If you find or hear of these files, please contact us immediately
through Tony McNamara, 213/319-2076 (voice), TMCNAMARA 381-9188 (MCI),
or CompuServe (72477,2504). Again, these files are in no way associated
with PNCI. Please help us track down and eliminate these files.

Thank you,
Peter Norton

**************  From the Desk of Mr. James M. Vavrina  **************
*  Comm 703-355-0010/0011   AV 345-0010-0011                        *
*  DDN SDSV@MELPAR-EMH1.ARMY.MIL                                    *
*******************************************************************

------------------------------

Date:    03 Dec 89 04:44:52 +0000
From:    chaim@eniac.seas.upenn.edu (Chaim Dworkin)
Subject: Is there a SCANV51? (PC)

Is there a SCANV51 in existence? The Sunday after Thanksgiving I called
a couple of BBSs in the Boston area and found a file called SCANV51.ZIP
posted on one or two of them. I looked on Simtel20 and on
vxc.cso.uiuc.edu and could find only SCANV49.

Chaim

------------------------------

Date:    04 Dec 89 07:03:33 +0000
From:    inesc!ajr@relay.EU.net (Julio Raposo)
Subject: Re: Info on Jerusalem Virus (PC)

I have dealt with a strike of Jerusalem's virus on a friend's PC and
succeeded in producing a program to wipe out all viruses from the disk.
Since I claim no copyright over the code I will post it in a few days.

Antonio Julio Raposo (ajr@inesc, LISBOA, PORTUGAL)

[Ed. The code, when posted, will be forwarded to the VIRUS-L/comp.virus
PC archive sites.]
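The Norton alert earlier in this digest gives two ways to recognize the NORTSTOP/NORTSHOT trojan: the file sizes, and the strings "NORTSHOT.EXE" in the ZIP and "Norton Public" in the EXE. The following is an added example, not code from the list, from PNCI or from any poster, that applies exactly those indicators to a directory tree; the sample files it creates are constructed, so only the string indicators fire on them.

```python
import os
import tempfile
import zipfile

# Indicators from the Norton alert: file sizes, the ZIP's member name, a string in the EXE.
ZIP_SIZE, EXE_SIZE = 31744, 38907
ZIP_MEMBER = "NORTSHOT.EXE"
EXE_MARKER = b"Norton Public"


def check_file(path):
    """Return the indicators one file matches (empty list means none matched)."""
    hits = []
    size = os.path.getsize(path)
    if zipfile.is_zipfile(path):
        if size == ZIP_SIZE:
            hits.append("zip size matches")
        with zipfile.ZipFile(path) as zf:
            if any(name.upper() == ZIP_MEMBER for name in zf.namelist()):
                hits.append("zip contains " + ZIP_MEMBER)
    else:
        with open(path, "rb") as fh:
            data = fh.read()
        if size == EXE_SIZE:
            hits.append("exe size matches")
        if EXE_MARKER in data:
            hits.append("exe contains " + EXE_MARKER.decode())
    return hits


def scan_dir(root):
    """Walk a directory tree and map each matching file (relative path) to its hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = check_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Constructed sample: a clean file, a fake EXE with the marker string, a ZIP with a trojan-named member."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "CLEAN.TXT"), "wb") as fh:
            fh.write(b"nothing to see here")
        with open(os.path.join(tmp, "SUSPECT.EXE"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64 + b"The Norton Public Domain Virus Utility")
        with zipfile.ZipFile(os.path.join(tmp, "NORTSTOP.ZIP"), "w") as zf:
            zf.writestr("NORTSHOT.EXE", b"MZ placeholder")
        return scan_dir(tmp)
```

A size match alone is weak evidence (any file can be 38907 bytes), so treat the string hits as the decisive indicator and the size as corroboration.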
------------------------------

Date:    04 Dec 89 13:10:06 +0000
From:    anigbogu@loria.crin.fr (Julian ANIGBOGU)
Subject: Scanv49/Scanrs49 woes (PC)

I just downloaded and uudecoded Scanv49.arc and Scanrs49.arc from
Simtel. The trouble is that when I try to execute either of them the PC
I'm using hangs! I've used both DOS 3.1 and 3.2 with the same result.
Can some virus guru out there please tell me what I'm doing wrong? I'm
supposed to be looking out for viruses, not to hang the machine!

I know I have a virus stalking around here and somehow attached to all
labelled disks, which makes me believe it infected Label.com. Not only
that, I recently bought both PC Tools 5.1 and Turbo C 2 & Assembler and
on simply executing Dir to check the contents of the diskettes they all
reported one hidden file with size 0 bytes! They couldn't have left
Central Point and Borland already infected! I've just found out to my
discomfort that practically all PCs here are infected. Please HELP
before I send all this stuff flying through the window!

Thanks in advance.

e-mail: anigbogu@loria.crin.fr
 ----------------------------------------
| Maybe I'm wrong but I have the weird   |
| feeling I've been out there before.    |
 ----------------------------------------

------------------------------

Date:    Sat, 02 Dec 89 17:01:09 -0500
From:    dmg@lid.mitre.org (David Gursky)
Subject: Re: JUDE Virus (?????) Mac

There's not much to say about it so far. It is apparently sufficiently
different from other nVIR clones so that older versions of Disinfectant
will not catch it (there is allegedly a Disinfectant 1.3 that will catch
it though) but not so different that Virus Detective will not catch it.
Of course, Virus Detective has the advantage that it will allow the user
to add new search strings for new viruses as they are found.

------------------------------

Date:    Sat, 02 Dec 89 17:06:25 -0500
From:    dmg@lid.mitre.org (David Gursky)
Subject: Viruses and Anti-Semitism...
I could not help but notice that the latest version of nVIR adds new
resources called "JUDE". Furthermore, the virus was reported by the
folks over in Switzerland, where German is widely spoken. Jude is
German for "Jew". Call me paranoid, but could there be some connection?
My personal suspicion is that this clone was created by some
anti-semitic group in Germany (which is unfortunately seeing a rise in
anti-semitic acts, as is this country), and that the virus simply made
its way into Switzerland.

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253