VIRUS-L Digest   Tuesday, 9 Jan 1990    Volume 3 : Issue 7

Today's Topics:

public trust vs. viruses
Partial VIRUSREM PACKAGE (Mac)
Implied Loader Viruses (Mac)
F-PROT anti-virus program (PC)
Re: Questioning ethics at computing sites
Virus Scare & Backups
Jerusalem B Virus Remover (PC)
Re: Alternative Virus Protection (Mac)
Re: Virus Trends (and FAXes on PCs)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 08 Jan 90 09:46:00 -0500
From: WHMurray@DOCKMASTER.ARPA
Subject: public trust vs. viruses

>As Mr. Murray correctly pointed out, much more users damage their own
>data than are damaged by 'nasty' software. The Oct 13 scare made our
>users, who number in the tens of thousands, FINALLY listen to our
>pleadings to make backup copies of their software and data.

That a lie happens to result in some behavior that you favor does not make it any less a lie. While it may be true that the publicity did result in a temporary increase in backup behavior, the benefit of such behavior may not be in proportion to the damage to public trust.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center, Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Mon, 08 Jan 90 09:24:04 -0500
From: Joe McMahon
Subject: Partial VIRUSREM PACKAGE (Mac)

It seems that some nodes are refusing parts of the virus removal package because of file size constraints (100K max). We are looking into the problem. Anyone currently signed up for the package will receive the rest of the files as soon as we have determined the best way to redistribute them. Thanks for your patience.

--- Joe M.

------------------------------

Date: Mon, 08 Jan 90 10:46:04 -0500
From: Joe McMahon
Subject: Implied Loader Viruses (Mac)

Any resource which appears to be of an executable type which is found in a "non-application" file will be flagged as an "implied loader". You may have an invisible file called "PIC". Try looking at your disk with ResEdit or DiskTop.

--- Joe M.

------------------------------

Date: Mon, 08 Jan 90 15:47:00 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT anti-virus program (PC)

As some of you already know, I have been working on an anti-virus package for the last five months or so. The English version of this package, F-PROT, is now (finally) ready for distribution.

It can handle the following PC viruses:

Agiplan, Alabama, Alameda (Yale), Amstrad, April 1., Brain, Cascade, Dark Avenger, DataCrime, DataCrime II, dBase, December 24th, Den Zuk/Ohio, Disk Killer (Ogre), Do-Nothing, 405, 4096, Fumble, Fu Manchu, Ghost, Icelandic/Icelandic II/Saratoga, Jerusalem/New Jerusalem/Sunday, Lehigh, MIX1, New-Zealand (Stoned), Oropax, Perfume, Ping-Pong/Typo, South African "Friday 13.", Sylvia, SysLock/Macho, Swap (Fallboot), Traceback/2930, Vacsina, Vcomm, Vienna/Lisbon, Virus-90, W13, Yankee Doodle and Zero Bug (Palette)

Included in the package are programs for...

... scanning diskettes or files for infection (similar to SCAN and VIRSCAN)
... removing any viruses found without destroying the original programs (a complete set of disinfection tools)
... preventing infected programs from being executed (similar to SCANRES)
... adding "self-testing" to other programs
... providing protection against Trojans

and much, much more...

The programs included are even able to prevent the use of Dr Solomon's "fourth method". When new viruses appear, only a single line, containing an encrypted signature string, has to be added to one of the text files.

The package will be distributed as shareware (suggested contribution $15 US). The .ARC file is rather large (237K), but I will arrange for it to be uploaded to SIMTEL and the various anti-virus archives. I intended to have the program distributed on comp.sys.ibm.pc, but the resignation of the moderator there will probably delay that.

I will also E-mail copies to those I have already promised a copy, but I simply cannot send copies to everyone interested. However, if you are willing to upload the package to a BBS or make it available to a number of other people, let me know and I'll E-mail you a copy. I will send the package as an XXencoded PKarc file. If you do not have xxdecode, I can include the source to it (in C).

- -frisk

------------------------------

Date: Mon, 08 Jan 90 10:08:25 -0600
From: "McMahon,Brian D"
Subject: Re: Questioning ethics at computing sites

Jeff_Spitulnik@um.cc.umich.edu tells us of inaction at his institution upon discovery of a widespread WDEF infestation, and asks:

> What should be done to rid UM of the WDEF virus or of any virus for
>that matter? How does the bureaucracy at your institution handle it?
>I question the ethicality of a laissez-faire attitude on viruses at
>any institution.

While I am unfamiliar with the bureaucracy at U. Mich., it certainly appears to me that Jeff has made a reasonable, good-faith effort to gain attention through the usual channels, and has been stonewalled. Rather than speculating as to why, the first priority should be to protect users from further damage.

You need a campaign of public education, and you need it yesterday. I would suggest starting with the student consultants you mentioned as online_help receivers. Give them the tools to detect, remove, and prevent WDEF (Disinfectant 1.5 with either GateKeeper Aid 1.0.1 or Eradicat'Em 1.0) and have them put the word out. If there is another staffer who is responsible for the students, it may be advisable to go through him first. Logon messages, signs in public Mac labs, and newsletter articles are other possible channels. Be sure to emphasize that there's no immediate cause for panic, only prudence.

As for the ethical question ... In my personal opinion, KNOWINGLY allowing unsuspecting users to contract infections is EXTREMELY irresponsible. The question is, is the threat really "known" to the bureaucracy, or is this a case of "not my department?" If you have a co-ordinator of micro labs (or some such position), I might suggest a review of anti-viral procedures ...

Brian McMahon
Programmer
Grinnell College
Grinnell, Iowa 50112
(515) 269-4901

My own opinions, of course . . .

------------------------------

Date: Mon, 08 Jan 90 14:27:00 -0400
From: Norman
Subject: Virus Scare & Backups

> However, I really think that there was a major benefit to all of this [media
> hype over virus scare]
> ...
>The Oct 13 scare made our users [...] FINALLY listen to our pleadings
>to make backup copies of their software and data.

Interesting... where I work (NOT York U, by the way), we had just the opposite happen. Since there was no apparent danger from the virus, there's obviously no need for backups. This belief is somehow supported by the fact that all 300+ computers in our building and remote offices survived the scare. (I won't mention the belief by some that the virus affected IBM-labelled computers ONLY.) And no amount of pleas or lecturing will get them to change. The only thing that seems to have an effect is when somebody drops a PC and trashes a hard disk in the process (and believe me, it's happened more than once).

Norman
cs117341@yusol.Bitnet
cs117341@sol.YorkU.CA
cs117341%yusol@mivma.mit.edu

Not connected to York U (I'm just a student). Standard disclaimers apply.

------------------------------

Date: Tue, 09 Jan 90 09:18:53 +0000
From: MCGDRKG@CMS.MANCHESTER-COMPUTING-CENTRE.AC.UK
Subject: Jerusalem B Virus Remover (PC)

In reply to Andreas Pikoulas; Virus-l vol3 no.6:

I have recently downloaded a program that heals/removes this virus. It is available from:

WSMR-SIMTEL20.ARMY.MIL
directory: PD1:
file: M-JRUSLM.ARC

Use anonymous FTP to gain access to the server.

Bob Gowans
- -----------------------------------------------------------------------------
Dept Civil Eng, U.M.I.S.T, Sackville Street, Manchester M60 1QD.
JANET: R.Gowans@uk.ac.MCC
Internet: R.Gowans%MCC.ac.uk@cunyvm.cuny.edu
EARN/BITNET: R.Gowans%MCC.ac.uk@UKACRL
UUCP: ...!ukc!umist!R.Gowans
FAX: [044 61 | 061] 200-4016

------------------------------

Date: 09 Jan 90 16:31:43 +0000
From: munnari!insted.unimelb.edu.au!LGEORGE@uunet.UU.NET (Lord Vader)
Subject: Re: Alternative Virus Protection (Mac)

3XMQGAA@CMUVM.BITNET (Chris Khoury (Sari's Son)) writes:

> Is there any alternative virus protection, detection init/cdev
> besides vaccine and gatekeeper? I need to save space on my disk, so
> gatekeeper is too large, but vaccine does not protect my disk from
> the other viruses besides Scores and nVir. Any suggestions? I would
> prefer that the program is shareware/PD.
>
> Chris Khoury
> Acknowledge-To: <3XMQGAA@CMUVM>

Have you considered RWatcher? It is configurable. It can be found with all the other virus stuff at your friendly neighbourhood ftp outlet that stocks mac stuff, or just go straight to SUMEX and don't pass go :)

- --
George Stamatopoulos
La Trobe University
Lincoln School of Health Sciences
Computing Unit
Melbourne, Victoria, Australia

------------------------------

Date: Tue, 09 Jan 90 01:13:07 +0000
From: geof@aurora.com (Geoffrey H. Cooper)
Subject: Re: Virus Trends (and FAXes on PCs)

ras@rayssdb.ssd.ray.com (Ralph A. Shaw) writes:

>Nagle@cup.portal.com says:
>
>> - A FAX message is a bitstream interpreted by an interpreter at
>> the receiving end. Could it be induced to do something interesting
>> through the use of illegal bit patterns?

One annoying thing you can do is to spew out paper from the remote fax. The protocol allows the paper length to be anything up to (I think) 65K lines or so, so you could spew out 25' of paper at a time, finishing the receiver's roll of paper and so rendering it useless. Note that it doesn't take much time to transmit this image, if it is totally white or black.

- - Geof

- --
geof@aurora.com / aurora!geof@decwrl.dec.com / geof%aurora.com@decwrl.dec.com

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253