VIRUS-L Digest Thursday, 6 Apr 1989 Volume 2 : Issue 82 Today's Topics: A New Virus Perhaps (PC) Bad, Bad, Bad Boot Blocks (Mac) Mac Boot Sector Virus -scary thought WARNING: ORGASM EXEC (VM/CMS) ORGASM EXEC siting in Florida (VM/CMS) Cornell RTM Worm Report --------------------------------------------------------------------------- Date: Thu, 06 Apr 89 13:36:26 MEZ From: Ghost Subject: A New Virus Perhaps (PC) We have possibly found a new virus. It's characteristic is a string named "Packed file is corrupt". It can be found in PCTOOLS and other programs. New buyed program discs are infected, but till now he didn't do anything. It is about 900 Byte long and ends with the upper string. Does anyone heard of him or does anyone has it in his software?? Thomas Friedrich, RHRZ Bonn, Germany ------------------------------ Date: Thu, 06 Apr 89 08:58:31 EDT From: Joe McMahon Subject: Bad, Bad, Bad Boot Blocks (Mac) Well, from looking in general at the history of Mac viruses so far, they've followed Apple's implementation guidelines remarkably well :-). The viruses all used standard Mac facilities in a slightly nonstandard way to reproduce and spread; the ANTI virus (the most recent one) is the first to do anything different, and that one *still* doesn't really do anything exceptional. The boot blocks are a different matter. As I recall, part of the "bootstrap" code is in the ROM (the blinking-question-mark disk) and part on the disk itself. I also don't believe that there are calls like MessWithBootBlocks(); you'd have to get down there at the device level and mess with it. Not that this couldn't be done, it's just much harder that diddling another virus with ResEdit and releasing it. --- Joe M. ------------------------------ Date: Thu, 6 Apr 89 13:03:20 CDT From: "David Richardson, UT-Arlington" Subject: Mac Boot Sector Virus -scary thought David M Gursky (dmg@mwunix.mitre.org) writes: >My question is this: Why can't the bootstrap code on tracks 0 and 1 of >a Mac disk be infected? Would Vaccine prevent such an infection? Good question, scary. I am forwarding his original msg to info-mac@sumex-aim-stanford.edu. As configured, Vaccine would definately *NOT* stop it, and there is no current detection for this type of infection (other than by hand with FEdit or the like). - -David Richardson, The University of Texas at Arlington Bitnet: b645zax@utarlg Internet: b645zax@utarlg.arl.utexas.edu UUCP: ...!{ames,sun,texbell, }!utarlg.arl.utexas.edu!b645zax SPAN: ...::UTSPAN::UTADNX::UTARLG::b645ZAX US Mail: PO Box 192053 PhoNet: +1 817 273 3656 (FREE from Dallas, TX) Arlington, TX 76019-2053 ------------------------------ Date: Thu, 6 Apr 89 15:28 EDT From: Subject: WARNING: ORGASM EXEC (VM/CMS) *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** An exec file known as ORGASM was released about two days ago on the PSUVM system. This file was obviously written up here, and was detected by Computer center personnel soon after it was released. It sends null messages to all users linked to a particular disk and then sends the file to all users listed in the names file it finds. Up to this point I believed that we had a local outbreak....the file was written with Penn State in mind...probably by a student. However, I just got done talking with another person down at University of Central Florida, and she reports that a copy was found at her location. Therefore, I am now assuming that this program has spread across BITNET. I just felt that everyone on this list should be warned of the possible problems in letting this program spread. Jonathan Baker JEB107 at PSUVM.BITNET The Pennsylvania State University. DISCLAMER : I am just a student...not an employee. I am doing this only to keep the community infomed about possible problems. [Ed. Jonathan later sent me the following message that was posted by the Penn State computing center warning its users of the EXEC. Thanks to all for the prompt reports!] Date: Tue, 04-Apr-89, 16:07:30 EDT From: "Al Williams" Subject: IMPROPER PROGRAMS BEING DISTRIBUTED ON PSUVM A program called ORGASM EXEC is being distributed, and might be found in your reader (RDRLIST) or on mindisks you link and access. DO NOT RUN THIS PROGRAM. DISCARD it from your reader, or ERASE it from your disk. It may do some things without warning you, and does at least two things programs should not do: it sends a null message via RSCS (resulting in "...") to all or most logged-on users, and it mails a copy of itself to all users listed in your NAMES file. The message is annoying to recipients and should be embarrassing to you. Mailing out copies should also be embarrassing, but more importantly wastes resources and has the potential of "clogging" our system and others we are connected to. Distributing or providing access to any program that acts in a surreptitious manner is considered an invalid use of your computer account and in violation of University policies. While you may not realize what a program does, you are responsible if you execute it. If you are not sure a program behaves properly, DISCARD IT! ALW ------------------------------ Date: Thu, 06 Apr 89 16:24:48 EST From: Lois Buwalda Subject: ORGASM EXEC siting in Florida (VM/CMS) Hello, I've run across another one of those lovely viruses which goes by the name of ORGASM EXEC. It is disguised as a message server type utility (approximately 1400+ lines long), with the virus itself relatively cleverly hidden (the size of the file itself makes it difficult to detect). The virus is effective in only 2 instances: 1) If the user has a disk defined as virtual addr 319. It queries all users connected to this disk and propogates itself to them. 2) If the site uses RXNAMES, a Penn State University tool. The EXEC then sends itself to all people in the user's NAMES file. It appears to be "safe" if these two conditions are not met. The virus originated at PSUVM, although at the time of this posting the writer has not yet been caught. Lois Buwalda Systems Support University of Central Florida ------------------------------ Date: Thu, 6 Apr 89 13:45:04 PST From: PJS%naif.JPL.NASA.GOV@Hamlet.Bitnet Subject: Cornell RTM Worm Report Just read in the April 3 _Unix Today_ that Cornell is releasing a report today on the Internet Worm. Does anyone know where I can get a copy? Peter Scott (pjs@naif.jpl.nasa.gov) ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253