VIRUS-L Digest             Thursday, 4 May 1989        Volume 2 : Issue 104

Today's Topics:
New Jerusalem Virus (PC)
Missouri Virus (PC)
Bad sectors and viruses (PC)
Virus testing at Social Security Administration
UK conference
re: Forwarded Message From Jim Goodwin (PC, 1704, Stoned)
NAMES file (VM/CMS)
New Virus utility, "SecureInit(tm)" [Mac]

[Ed. This is the first digest that will (read: should) be going out to
comp.virus as well as the familiar VIRUS-L mailing list.  Currently, only
digests are being sent to comp.virus.  I hope to have distribution of
undigestified messages over comp.virus working soon.  Feedback is
invited.]

---------------------------------------------------------------------------

Date:    Sat, 29-Apr-89 13:32:14 PDT
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: New Jerusalem Virus (PC)

Andrew Carroll asked me to forward the following message for him:

Original-Date: 04/28/89 23:29:58
Original-From: ANDREW CARROLL

Thanks for passing on the message for me.  I need some help from the
VIRUS-L users and I understand they have some information about
infections.  I am a CVIA volunteer and I've been tracking the New
Jerusalem virus.  It's the one that does a disk format on April 1, 1990,
and has the EXE bug fix.  The earliest occurrence that I can find is
October 6, 1988 in Vancouver.  If anyone has verified an earlier
infection please contact me.  Everything I've seen so far indicates that
the source is Vancouver.  Data to the contrary is urgently needed.

Andrew Carroll - HomeBase - 408 988 4004 or C/O Alan Roberts.

------------------------------

Date:    Sun, 30 Apr 89 17:40-0400
From:    David.Slonosky@QueensU.CA
Subject: Missouri Virus (PC)

I have a copy of this DOS Power Tools disk.  How do you detect if there
is indeed a virus lurking on this disk?  I've been working with two
floppy drive systems only -- is this a problem?

 __________________________________
|                                  |
| David Slonosky/QueensU/CA,"",CA  | Know thyself?
| SLONOSKY@QUCDN                   | If I knew myself, I'd run away.
|                                  |
|__________________________________|

------------------------------

Date:    Sun, 30 Apr 89 18:14-0400
From:    David.Slonosky@QueensU.CA
Subject: Bad sectors and viruses (PC)

I think this has been discussed before, but is there a mechanism by
which a virus can hide in a bad sector?  How does DOS declare that a
given sector is "bad", i.e. where on the disk does the information
reside?  Can a bad sector be protected from being reformatted if the
virus author was clever enough?

 __________________________________
|                                  |
| David Slonosky/QueensU/CA,"",CA  | Know thyself?
| SLONOSKY@QUCDN                   | If I knew myself, I'd run away.
|                                  |
|__________________________________|

------------------------------

Date:    Sun, 30-Apr-89 23:53:19 PDT
From:    portal!cup.portal.com!garyt@Sun.COM
Subject: Virus testing at Social Security Administration

Lynn McLean (on the Homebase BBS) asked me to forward this to VIRUS-L:

Original-Date: 04/28/89 17:19:42
Original-From: LYNN MCLEAN

My co-worker and his colleague in the microcomputer support center at
the Social Security Administration have just finished a review of
anti-virus products.  They tested against 14 viruses (which I helped
obtain from a nefarious member of the Homebase board) and collected over
20 products to review.  The viruses were a subset of Goodwin's
collection and, supposedly, the most common ones.

The results of the review were that none of the products were
effective.  The Tracer program (I understand it's been renamed Sentry
and placed in public domain) was able to detect them all, but only if
the system was re-booted every day or so.  Most of our network systems
are never re-booted, or booted only every few months, and many of the
test viruses activated after only a few weeks in the system.  So it
doesn't do any good to detect a virus a month after it's destroyed the
system.  The rest of the products could not even detect half of the
viruses, at any time.

I don't know of any other review that has used any more viruses than we
did, but the results couldn't come out much different if they included
some of the same viruses that we used.  I hope this information is
useful to some of the users.

Lynn McLean

------------------------------

Date:    Mon, 1 May 89 09:59 N
From:    ROB_NAUTA
Subject: UK conference

I read the advertisement for the virus conference which will be held in
the UK.  The ad mentions a price of 235 pounds, and states that a disk
with antiviral tools will be part of the deal.  I wonder, did you write
those tools yourself or are they PD utilities?  I am not sure if the
authors of those tools would like this; their shareware licences are
quite clear about commercial use, and selling those tools for such an
amount of money is nothing more than a copyright violation.  Again, only
if the tools on the disk ARE shareware tools like FluSHot + ...

I know, in the current virus panic there is a lot of money to be made
from worrying users, but keep it clean...

Greetings
Rob

------------------------------

Date:    1 May 1989, 09:16:50 EDT
From:    David M. Chess
Subject: re: Forwarded Message From Jim Goodwin (PC, 1704, Stoned)

Thanks for the forwarding, Alan!  It would be nice if there were an easy
BBS<->BitNet link; I don't know of one, but You Never Can Tell...

I stand corrected on POP CS.

I'm still adamant (see last issue) about the 1704-on-vanilla-PC issue.
The 1701 has a bug, but so does the 1704!  Perhaps there's yet a third
variant that has neither bug?  In any case, the code you posted a while
back does indeed *not* successfully differentiate vanilla machines from
clones.

As a friendly suggestion, I might caution you to be a little less free
with name-dropping!  You and Alan have managed to insult both the NSA
and IBM in your last couple of items!  *8)  (Somewhat more seriously,
definite statements like "XXX was the first company hit by the YYY
virus" are always dangerous, since you can almost never have sufficient
evidence that they're true...)

On the Australian virus: the version that I've seen will infect the
master boot record of hard disks, and the SYS command will do nothing
to remove it from there (since SYS only writes to the partition boot
record, I think?).  And it does display the first half of the message
("Your PC is now stoned") on something like one boot in eight
(depending on the system clock).

Sorry to be so contrary!  Monday morning, ya' know...  *8)

DC

------------------------------

Date:    Mon, 1 May 89 10:03 EST
From:    "Thomas R. Blake"
Subject: NAMES file (VM/CMS)

>[Ed. How about renaming (or encrypting) your names file all the time,
>except when you're in MAIL or MAILBOOK?  Not elegant, perhaps, but
>probably effective.]

MAIL, MAILBOOK, NAMES, LNAME, TELL, SENDFILE, CHAT, XYZZY

Think of any others?

It seems wiser to examine any strange EXEC's you may receive before
running them, no matter who they come from.  Or simply rename your
NAMES file before running any new EXEC's.

Thomas R. Blake
Lead Programmer Analyst
Academic Computing
SUNY Binghamton 13901

[Ed. Good points, I neglected those other programs.]

------------------------------

Date:    Mon, 01 May 89 14:48:36 EDT
From:    dmg@mwunix.mitre.org
Subject: New Virus utility, "SecureInit(tm)" [Mac]

A new anti-virus package recently appeared on the Twilight Clone BBS
here in Washington called "SecureInit(tm)".  It comes from someone named
"P. Guberan" in Switzerland and the docs were written by Dany Hofmann.
Hofmann makes some rather boisterous claims about the package in the
documentation, and I do not believe they can be attributed to his "more
than bad English".

I've not tried the application.  If the description is accurate, this
stuff does some pretty heavy duty tinkering around.  For example, the
documentation states SecureInit installs some invisible inits in my
System Folder.  Why not make them visible, and let the user decide on
visibility/invisibility (there are a wide variety of utilities that let
you do this)?

I may do some experimenting with this later, and report on what I
think.  If anyone leaves a note on the Clone about this package, I'll
forward them up here too.

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
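David Chess's point in the Stoned discussion above, that SYS rewrites only the partition boot record and so leaves whatever sits in the master boot record alone, is illustrated by this added Python example; it is not code from the digest or from any of its contributors. It assumes the standard MBR partition table at offset 0x1BE, builds a constructed disk image whose boot-code bytes are placeholders, keeps a SHA-256 baseline of both boot sectors (a technique the digest does not mention), and shows that a simulated SYS changes only the partition boot record.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE = 0x1BE        # offset of the four 16-byte partition entries in the MBR
SIGNATURE = b"\x55\xAA"   # boot-sector signature at bytes 510-511
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def build_disk_image(pbr_payload: bytes, start_lba: int = 63, sectors: int = 2048) -> bytearray:
    """Constructed sample disk: MBR at LBA 0, one active partition at start_lba; boot bytes are placeholders."""
    image = bytearray(SECTOR * (start_lba + sectors))
    image[0:16] = b"MBR-BOOT-CODE---"
    image[PART_TABLE:PART_TABLE + 16] = struct.pack(
        ENTRY_FMT, 0x80, bytes(3), 0x06, bytes(3), start_lba, sectors)
    image[SECTOR - 2:SECTOR] = SIGNATURE
    pbr = start_lba * SECTOR
    image[pbr:pbr + len(pbr_payload)] = pbr_payload
    image[pbr + SECTOR - 2:pbr + SECTOR] = SIGNATURE
    return image

def active_partition_lba(image: bytes) -> int:
    """Walk the MBR partition table and return the LBA of the bootable partition."""
    if bytes(image[SECTOR - 2:SECTOR]) != SIGNATURE:
        raise ValueError("missing MBR signature")
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, _, ptype, _, lba, _ = struct.unpack(ENTRY_FMT, image[off:off + 16])
        if status == 0x80 and ptype != 0:
            return lba
    raise ValueError("no active partition")

def boot_sector_baseline(image: bytes) -> dict:
    """SHA-256 of both places a boot-sector infector can sit: MBR and partition boot record."""
    pbr = active_partition_lba(image) * SECTOR
    return {"mbr": hashlib.sha256(image[:SECTOR]).hexdigest(),
            "pbr": hashlib.sha256(image[pbr:pbr + SECTOR]).hexdigest()}

def simulate_sys(image: bytes, fresh_pbr: bytes) -> bytearray:
    """Model SYS: rewrite only the partition boot record; LBA 0 is never touched."""
    out = bytearray(image)
    pbr = active_partition_lba(out) * SECTOR
    out[pbr:pbr + SECTOR] = fresh_pbr[:SECTOR - 2].ljust(SECTOR - 2, b"\x00") + SIGNATURE
    return out

def changed_sectors(baseline: dict, image: bytes) -> list:
    """Names of boot sectors whose hash no longer matches the stored baseline."""
    now = boot_sector_baseline(image)
    return [name for name in baseline if now[name] != baseline[name]]
```

Against a constructed image whose sector 0 has been altered, changed_sectors reports only the MBR, and after simulate_sys it reports both sectors: the partition boot record is fresh, but the altered MBR is still there. Hashing a real drive's first sector and its active partition boot record at install time and comparing on each boot is the check this models.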