VIRUS-L Digest             Friday, 16 Dec 1988        Volume 1 : Issue 50

Today's Topics:
Report of Scores Author
Is there someplace that all the information is kept??
Common sense re: software suppliers
Brain Virus at Yale (PC)
Re: Brain virus at Yale (PC)
What does the Brain virus do? (PC)
Brain at U of Vermont (PC) -- forwarded msg from LIAISON list
VIRUS WARNING: Brain virus at Univ. of Vermont (PC)

---------------------------------------------------------------------------

Date: Fri, 16 Dec 88 09:17:50 EST
From: Don Alvarez
Subject: Report of Scores Author

The Rumor Manager in the latest issue of MacUser claims that Apple has known the author of the Scores Virus for "several months" now, and that the matter is in the hands of their lawyers.

....And on the 8th day, the Lord created civil suits....

- Don

+ ----------------------------------------------------------- +
| Don Alvarez               MIT Center For Space Research     |
| boomer@SPACE.MIT.EDU      77 Massachusetts Ave  37-618      |
| (617) 253-7457            Cambridge, MA 02139               |
+ ----------------------------------------------------------- +

------------------------------

Date: Fri, 16 Dec 88 09:42 EST
From:
Subject: Is there someplace that all the information is kept??

It occurred to me today that I have heard many requests for essentially the same thing: "What is such and such virus, how does it work, what does it infect, and how can I protect against it?" It would seem to me that these requests become repetitive, and that the people with the answers must be getting sick of sending replies in time after time.

A letter posted a few days ago comes to mind: someone asking if there was a master file with descriptions of all known viruses for the IBM PC and the Mac. My question is, is there? Such a file would prevent a lot of hassles, and perhaps at the beginning of each week the digest could print the location of such files and any recent updates that have been added.

Now I realize this is asking a lot of the list owner.
As if he doesn't have enough to do already. But perhaps it is time someone else jumped into the fray, and compiled such a list. I am sure that there are many 'experts' who would be willing to write information for such a file; it would just be a matter of editing it together. Or perhaps this has already been done, and I don't know about it. And that is just as bad - if it exists everyone should know where to get it, even me.

Jon Baker
JEB107 at PSUVM.Bitnet
Psuvm.Psu.Edu

Disclaimer: I would do it myself, but I am not the most knowledgeable person in terms of viruses. I would most certainly make a mess of it....

[Ed. The closest existing thing (that I know of) to what you propose is the Dirty Dozen list. I don't know how up to date that is, though, as I don't have a recent copy. Any volunteers to send me that and/or other such lists so that I can post them on the LISTSERV?]

------------------------------

Date: 16 December 88, 16:46:22 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
Subject: Common sense re: software suppliers

> CHRISTMA EXEC *did* come from a trustworthy supplier!

I did not say "don't run programs you haven't got from a trustworthy supplier", I rather said "programs you have *ordered* from a trustworthy supplier". As CHRISTMA EXEC has shown, extreme care is appropriate for programs you are supplied with for no obvious reason.

> Even shrink-wrapped software from a multi-million dollar corporation
> cannot be considered as coming from a trustworthy supplier

You are right insofar that even they are not infallible. However, you can be sure that they will undertake every possible attempt to minimize impact on their customers (they will suffer great losses if they won't succeed). At least you know whom to sue for lost property :-)

> If you mean not to run any program you can't read and understand *even*
> if from a trustworthy supplier, then you've just killed the n many cases.
That's the reason computer users & media are so upset about viruses & other malicious software (I mean software doing real harm, e.g. annihilating programs or valuable data -- not just spreading and saying "You've got a Virus" every April Fool's Day): this kind of malice shakes our society to its very foundations; it resembles offering toxic or rotten food in a restaurant, or loosening bolts at the steering assembly of other people's cars.

However, a certain amount of caution can be expected from the customer's side: you probably would not go out to a dirty restaurant, and you would ask everybody (even your friends) what they were doing under your car, if you caught them working there and hadn't asked them for help. My recent note meant to establish this sort of common sense for receiving and running programs, now that we all have heard of possible virus carriers.

> Sometimes even the people writing the software do not understand all of
> it.

Then, t have to live with incompetence in every trade :-)

Nevertheless, best wishes to everybody

Otto

------------------------------

Date: Fri, 16 Dec 88 10:50 EST
From: Don Kazem
Subject: Brain Virus at Yale (PC)

In reference to the message from Naama Zahavi-Ely about the Brain Virus, it seems that this is a different version of the Brain virus than the one I have seen. Since last summer we have been studying the virus issue and trying to come up with countermeasures to protect our environment. A few months ago I did obtain a disk that had been contaminated with the Brain Virus, and used Norton Utilities to look at the whole disk, sector by sector. The message that was embedded in that disk was similar to the one that Naama had mentioned, but not exactly the same. I found that same machine and performed a warm boot, the new disk also became infected. Nothing short of turning the machine off and then back on was safe enough.
Don Kazem-Zadeh
National Academy of Sciences
DKAZEM@NAS.BITNET

------------------------------

Date: Fri, 16 Dec 88 11:44:14 EST
From: Naama Zahavi-Ely
Subject: Re: Brain virus at Yale (PC)

Hello Virus-l folk,

The following is a note I sent to user support personnel at Yale following the discovery of a few diskettes infected with the Brain virus, all belonging to one user. I would appreciate any comment, and especially any correction! Feel free to plagiarize, anybody who has the need -- just make sure you check for corrections in the next few issues of VIRUS-L. I do not claim any extensive knowledge of viruses!

Thanks,
Naama

- -------

Hello everybody!

Three days ago we discovered at Yale several diskettes infoes not infect network drives.

How can you tell that a diskette is infected:

1) Boot the computer from a clean DOS diskette or from a hard disk (this is important!).

2) Use the Norton Utilities, or some other software that lets you look at disk sectors (like DWALK from PCSOFT), and look at the boot sector. If the disk is infected, you'll see the following text:

    Welcome to the Dungeon
    (c) 1986 Brain & Amjads (pvt) Ltd
    VIRUS_SHOE RECORD v9.0
    Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thank GOODNESS!!
    BEWARE OF THE er VIRUS : \this program is catching program follows after these messeges

Note: if you boot from an infected diskette and thus have an infected system, any attempt to read the boot sector seems to be diverted to display the correct boot sector (which is kept elsewhere on the diskette in a sector marked as bad), and you would not be able to see the above text! So make sure you boot from a clean systte, with 0 bytes, and each of the infected diskettes has 3072 bytes in "bad" sectors.

For all we know, the user may have had infected diskettes for a long time - we discovered the infection while trying to solve an unrelated WordPerfect problem. Luckily all our public diskettes are write-protected.
How to get rid of the virus:

1) Cold-boot the computer from a clean DOS disk with a write-protect tab.

2) Format a new diskette.

3) Copy the files from the infected diskette to the new diskette. Do NOT use the DISKCOPY command -- use COPY *.* (this virus is a boot sector virus and will not get copied).

4) Cold-boot the computer again from the clean DOS disk.

5) Re-format the infected diskette. It should now be safe for use.

This virus is a boot-sector virus -- meaning that it infects a computer's memory (for the session) only if the computer is booted from an infected diskette. Otherwise, even if the diskettes are infected, the computer is not and the viruy booting from an infected diskette), then ANY disk activity with a 5.25" diskette will infect the diskette -- even a simple DIR command. If your DIR commands suddenly start taking longer than usual, check your system. Of course, the virus cannot write past a write-protect tab, so if you use them you are safe even on other people's systems.

I do NOT think this warrants VIRUS ALARM notices all over the place -- students have other things to worry about this time of the year! The worst that can happen is that some diskettes will get infected, and this would mean only that 6 sectors on the diskette would get overwritten and marked as bad. Even this can easily be avoided with minimal safe computing habits: always boot from your own write-protected diskette, and do not share diskettes promiscuously. If you lend a diskette to somebody else (to copy a file, etc), put a write-protect tab on it. This is all there is to it!

Please let me know of any sightings, and I'll be

CK@UCI.BITNET>
Subject: What does the Brain virus do? (PC)

A student recently brought in a disk contaminated with the Brain virus. I confiscated the disk, and gave her a clean one in exchange. I'm hoping that this was an isolated incident, but just in case it wasn't, I'd like to know what the Brain virus does.

Thanks in advance.
====================================================================
Bob Hudack
Microcomputer Services Group
Computing Facility
University of California, Irvine
RJHUDACK@UCI.BITNET

------------------------------

Resent-From: Naama Zahavi-Ely
Subject: Brain at U of Vermont (PC) -- forwarded msg from LIAISON list
Date: Fri, 16 Dec 88 11:33:44 EST
From: Anne Chetham-Strode

Forwarded from the LISTSERV group, Network Sites Liaison (LIAISON@MARIST):

We have discovered the Pakistani BRAIN virus on 5 1/4" disks in our public microcomputer labs. The most recent versions ofhis particular strain. We would like to disassemble the virus and write our own software to sanitize disks. I would appreciate suggestions from readers about which disassembler to use and where to get it. Also, I would appreciate hearing from readers who have experience disassembling viruses. Please respond to me directly, ACS at UVMVM on BITNET.

Thank you,

Anne Chetham-Strode
Microcomputer Systems Analyst
University Computing Services
University of Vermont
Burlington, VT 05405

------------------------------

Date: Fri, 16 Dec 88 13:37:52 EST
Sender: Virus Alert List
From: Ken van Wyk
Subject: VIRUS WARNING: Brain virus at Univ. of Vermont (PC)

I just got another report of the Brain virus - this time at the University of Vermont. Will this thing never die?! Here are the details:

Date: Fri, 16 Dec 88 11:35:15 EST
From: Steve Cavrak

....
\----------------------------------------------------------------------/

At this point, we've replaced all boot disks in the labs, trained our consultant staff as well as other lab managers on disinfection procedures, written a disinfection brochure, and are preparing a mailing for all PC owners on campus. We're currently reverse engineering the virus to get a better handle on its behavior so that when students return in January we can handle the onslaught. (By the way, do you have a good disassembler that you can recommend.)
A check of a batch of diskettes with the DEBRAIN program shows that although the first 3 sectors of BRAIN match expectations, other sections may be different. Some of our users have MS-DOS 3.2 and have found that DEBRAIN doesn't correctly recognize the newer DOS messages.

NOTE: Just as I post this, we've come across one disk with the BRAIN message reading "Welcome to the fungeon." Now wasn't that clever of the little beast.

------------------------------

End of VIRUS-L Digest
*********************
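The two indicators Naama lists for an infected diskette (the "Welcome to the Dungeon" text in the boot sector, and 3072 bytes of sectors marked bad) can also be checked offline against a raw image of the diskette, which is safer than inspecting it on a machine that may itself be booted from an infected disk. This is an added example, not code from the digest or from DEBRAIN; it assumes a standard 5.25" 360K FAT12 layout (hardcoded rather than read from the boot sector, since an infected boot sector's BPB is not to be trusted), and the disk images it checks are constructed inline.

```python
"""Offline check of a FAT12 floppy image for the two Brain indicators the
digest describes: the boot-sector text and 3072 bytes of "bad" clusters.
Added example; layout and sample images are constructed here, not real disks."""
from collections import namedtuple

SECTOR = 512
BAD_CLUSTER = 0xFF7  # FAT12 value for a cluster DOS will never allocate
MARKERS = (b"Welcome to the Dungeon", b"(c) 1986 Brain")  # text quoted in the digest
Geometry = namedtuple("Geometry", "sectors_per_cluster reserved fat_count "
                      "sectors_per_fat root_entries total_sectors")
GEOM_360K = Geometry(2, 1, 2, 2, 112, 720)  # fixed on purpose: do not trust the BPB

def fat12_get(fat, cl):
    off = cl + cl // 2  # each 12-bit entry spans one and a half bytes
    pair = fat[off] | (fat[off + 1] << 8)
    return (pair >> 4) if cl & 1 else (pair & 0xFFF)

def fat12_set(fat, cl, value):
    off = cl + cl // 2
    if cl & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)

def scan(image, geom=GEOM_360K):
    """Return (boot sector carries Brain text, bytes marked bad in FAT #1)."""
    sig = any(m in image[:SECTOR] for m in MARKERS)
    fat = image[geom.reserved * SECTOR:(geom.reserved + geom.sectors_per_fat) * SECTOR]
    root_sectors = (geom.root_entries * 32 + SECTOR - 1) // SECTOR
    data_sectors = (geom.total_sectors - geom.reserved
                    - geom.fat_count * geom.sectors_per_fat - root_sectors)
    clusters = data_sectors // geom.sectors_per_cluster
    bad = sum(1 for cl in range(2, clusters + 2) if fat12_get(fat, cl) == BAD_CLUSTER)
    return sig, bad * geom.sectors_per_cluster * SECTOR

def build_sample_image(infected, geom=GEOM_360K):
    """Constructed 360K image: clean, or carrying both Brain indicators."""
    img = bytearray(geom.total_sectors * SECTOR)
    fat = bytearray(geom.sectors_per_fat * SECTOR)
    fat[0:3] = b"\xfd\xff\xff"  # media descriptor entries for a 360K diskette
    if infected:
        img[0x10:0x10 + len(MARKERS[0])] = MARKERS[0]
        for cl in (2, 3, 4):  # 3 clusters x 2 sectors x 512 bytes = 3072 bytes
            fat12_set(fat, cl, BAD_CLUSTER)
    for i in range(geom.fat_count):  # write both FAT copies
        start = (geom.reserved + i * geom.sectors_per_fat) * SECTOR
        img[start:start + len(fat)] = fat
    return bytes(img)
```

A real image read from a drive is passed to scan() the same way; a match on either indicator is a reason to follow the cold-boot and COPY *.* procedure rather than DISKCOPY.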