VIRUS-L Digest Tuesday, 2 Jan 1990 Volume 3 : Issue 2 Today's Topics: Network server infections (PC) December 24. virus (PC) December 24th virus (PC) Bug in Virus Buster 1.10 (PC) Viruses Rhyme And Reason DIRTYD9C.ARC - The Dirty Dozen List #9C (Trojan/Virus/Pirate) Yankee Doddle (no system given) Re: Stoned Virus Killer (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 27 Dec 89 12:13:37 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Network server infections (PC) I received a note in the mail recently asking about viruses infecting network file servers. Since the reply might be of general interest, I am also posting it here. Boot sector viruses will not spread via the network, but most program viruses are able to do so, under certain circumstances. Assume we have two users, A and B connected to the network. 'A' runs by accident an infected program. The virus (assuming it is not of the Direct Action type) will stay resident and monitor the execution of other programs. Now, if 'A' runs a (non-infected) program located on the network server, the virus will try to infect it as it is executed. If the network software is able to make the files read-only or execute-only and the user can not change that with an ATTRIB -R command, the virus will not be able to infect the programs on the server. However, if 'A' is the supervisor or somebody else with write access, the virus will be able to infect the programs on the server. Later, when 'B' runs an infected program from the server, his machine will be infected and also the programs located there. - -frisk ------------------------------ Date: Wed, 27 Dec 89 12:31:36 +0000 From: Fridrik Skulason Subject: December 24. virus (PC) On December 24. several PCs here in Iceland refused to run any programs, displaying the message "Gledileg Jol" instead. On Dec. 25th everything was back to normal. This seems to be a new .EXE infecting virus of Icelandic origin, possibly a variant of the Icelandic-1 virus. A full description will be posted as soon as I receive a sample. - -frisk ------------------------------ Date: Thu, 28 Dec 89 01:34:33 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: December 24th virus (PC) I just received a sample of the "December 24th" virus I reported on VALERT-L earlier today. As I suspected, the virus is just a new variant of the Icelandic virus, or rather a variant of Icelandic-2. The major changes I have seen are: The virus length is now 848-863 bytes If an infected program is run on December 24th, any attempt to run another program later that day will just produce the message "Gledileg Jol" (Icelandic for "Merry Christmas"). The creation date of infected files is not changed. A few NOP instructions have been added. Apart from this, the virus seems very similar to Icelandic-2. (Infects only .EXE files, only 1 out of 10, bypasses INT 21 etc.) More details later, when I have had the time to disassemble the entire virus. - -frisk ------------------------------ Date: Thu, 28 Dec 89 13:20:24 +0200 From: "Yuval Tal (972)-8-474592" Subject: Bug in Virus Buster 1.10 (PC) I would like to report about a bug that was found in Virus Buster 1.10. Virus Buster will not remove some EXE viruses from the file. Instead, it would make them unavailable. The new version of Virus Buster will be released soon with those bugs fixed. Truly sorry, Yuval Tal Author of Virus Buster +--------------------------------------------------------------------------+ | BitNet: NYYUVL@WEIZMANN Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL | | InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU | +----------------------+---------------------------------------------------+ | Yuval Tal | Voice: +972-8-474592 (In Israel: 08-474592) | | P.O Box 1462 | BBS: +972-8-421842 * 20:00-7:00 * 2400 * N81 | | Rehovot, Israel | FidoNet: 2:403/136 (CoSysop) | +----------------------+---------------------------------------------------+ | "Always look on the bright side of life" *whistle* - Monty Phython | +--------------------------------------------------------------------------+ ------------------------------ Date: 28 Dec 89 05:07:36 GMT From: Bill.Weston@f12.n376.z1.FIDONET.ORG (Bill Weston) Subject: Viruses Rhyme And Reason I'm not sure that writing viruses will ever stop. Ross Greenberg wrote perhaps the best psychological profile of the "virus programmer" that I have ever read. (It's in the docs of FLUSHOT, you've all read it...) The virus writer likes causing damange. He thinks it's funny and makes him feel powerful. You can bet that most of them are reading what is written here. Just look at the worldwide scope of the current AIDS virus scam. To this day, tha STONED virus still infects thousands of systems all over the world. (Poorly written as it is..) The target of many virus writers are the millions of PC users who don't know much about computers. The novice user, or perhaps the user who knows how to run programs but does not know much about DOS, is the primary mark. A friend of mine was just such a person. Less than 20 days after buying his PC he was hit by the STONED virus. He did not know how to protect himself. Lots of grins for the programmer. There will always be socially retarded morons to write virus programs. There is only one way to stop them - cold. Forums such as this. It is possible that this very ECHO stopped and cured the AIDS virus... I wonder how many thousands of PC users did not install that "program" thanks to what they read here. ---- REMEMBER ---- There is *NO* better protection than FULL AND ADEQUATE BACKUPS!!!!! Bill Weston == ...!usceast!uscacm!12!Bill.Weston ------------------------------ Date: Fri, 29 Dec 89 15:04:00 -0700 From: Keith Petersen Subject: DIRTYD9C.ARC - The Dirty Dozen List #9C (Trojan/Virus/Pirate) I have uploaded the latest version of Eric Newhous' "Dirty Dozen List" to SIMTEL20: pd1: DIRTYD9C.ARC The Dirty Dozen List #9C (Trojan/Virus/Pirate) - --Keith Petersen Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives [IP address 26.2.0.74] Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.arpa BITNET: w8sdz@NDSUVM1 Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz ------------------------------ Date: Sun, 31 Dec 89 18:18:15 +0000 From: ousama%compsci.bristol.ac.uk@NSFnet-Relay.AC.UK Subject: Yankee Doddle (no system given) Hi, Could somebody send me information about the YANKEE DODDLE virus, and a disinfector, Thanx in advance M.O. FADEL ousama@uk.ac.bristol.compsci Bristol University Comp Sci Dept. (UK) ------------------------------ Date: 31 Dec 89 01:12:00 +0000 From: munnari!softway.sw.oz.au!mgarrett%peg.UUCP@uunet.UU.NET Subject: Re: Stoned Virus Killer (PC) Well for floppy disks there is a program to rewrite boot sectors and its called sys.com try reading you dos manuals. If the disk does not have room for a system use debug L 0 0 0 1 to read a clean boot sector from disk in drive A W 0 1 0 1 to write over the infected disk in drive B note the disk can be a non bootable disk ie no system and still have the virus on it. ie even if you boot it and it reports no system on disk please insert dos disk , it has loaded the virus in memandy and infected your harddisk (if you have one). If you have an infected harddisk get either norton disk doctor or McFee's virus software. mark ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253