VIRUS-L Digest    Monday, 5 Jun 1989    Volume 2 : Issue 128

Today's Topics:

nVIR Origins (Mac)
.ZIP Ansi codes (PC)
Re: comp.virus usenet virus handbook
Re: nVirB infection at teesside poly, uk (Mac)
naming confusion

---------------------------------------------------------------------------

Date: Fri, 02 Jun 89 17:48:51 EDT
From: Joe McMahon
Subject: nVIR Origins (Mac)

I vaguely remember downloading some assembler code from CIS a looong while
back (pre-Scores) that purported to be source for a virus similar to nVIR.
I didn't save it, mostly because I didn't see any use for it then. It would
have been a good guide to writing an anti-viral, I suppose. In fact, if I
remember right, the resources it used were indeed called nVIR!

--- Joe M.

Internet: xrjdm@scfvm.gsfc.nasa.gov | "I've seen yellow stripes down the
Phone:    (301) 286-8090            |  middle of the road, but never
CIS:      72330,554                 |  quite so WIDE..." - Dorothy

------------------------------

Date: Sat, 03 Jun 89 00:34:41 CDT
From: James Ford
Subject: .ZIP Ansi codes (PC)

This was taken from an IBM SIG conference. This is *NOT* a virus/trojan
warning/alert; however I thought it might be of interest.

James

Original-From: Sysop Of 107/522
Original-Subject: .ZIP Utility ALERT

FILES UPLOADED TO YOUR SYSTEM THAT HAVE BEEN COMPRESSED UTILIZING PHIL
KATZ'S PKZIP/PKUNZIP UTILITY COULD CRASH YOUR SYSTEM WHEN UNZIPPED!

As most of you know it is possible to reprogram your keyboard (and other
things) using ANSI Escape sequences... .ZIP programs will allow the use of
ANSI in the comments section... I have received several such "innocent
looking" files in the last two weeks. One caused my F1 key to display a wide
DOS Directory, the other attempted to delete all files on my hard drive!
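A defender-side check for the ANSI-in-ZIP-comment problem James describes, added here as an example and not code from the digest: it reads the archive comment and every member comment with Python's zipfile module and flags ANSI.SYS keyboard-reassignment sequences (ESC [ code ; "text" p). The sample archive and its comment are constructed for the example, and the F1 key code 0;59 assumes the ANSI.SYS driver.

```python
import io
import re
import zipfile

# ANSI.SYS keyboard reassignment is a CSI sequence whose final byte is 'p':
#   ESC [ <key-code> ; "<replacement text>" p
# Parameters are digits, ';' and quoted strings, so this pattern matches a
# full reassignment while leaving ordinary cursor/colour codes alone.
KEY_REDEF = re.compile(rb'\x1b\[(?:[0-9;]|"[^"]*"|\'[^\']*\')+p')

def scan_comment(comment: bytes) -> dict:
    """Report key reassignments found in one comment, plus the raw ESC count."""
    return {
        "key_remaps": KEY_REDEF.findall(comment),
        "escape_count": comment.count(b"\x1b"),
    }

def scan_zip(data: bytes) -> dict:
    """Scan the archive comment and each member comment of an in-memory ZIP;
    comments carrying an ESC byte are keyed by member name."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = scan_comment(zf.comment)
        if hits["escape_count"]:
            findings["<archive comment>"] = hits
        for info in zf.infolist():
            hits = scan_comment(info.comment)
            if hits["escape_count"]:
                findings[info.filename] = hits
    return findings

def is_unsafe(data: bytes) -> bool:
    """True when any comment in the archive would remap a key under ANSI.SYS."""
    return any(h["key_remaps"] for h in scan_zip(data).values())

def build_sample(comment: bytes) -> bytes:
    """Constructed test archive (not from the digest): one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.TXT", "nothing to see here")
        zf.comment = comment
    return buf.getvalue()

# Constructed comment mirroring the digest's report: ANSI.SYS extended code
# 0;59 is F1, so this would remap F1 to a wide DOS directory listing.
REMAP_F1 = b'Thanks for downloading!\x1b[0;59;"dir /w"p'
CLEAN = b"Just a plain comment"

if __name__ == "__main__":
    for label, comment in (("remap", REMAP_F1), ("clean", CLEAN)):
        print(label, scan_zip(build_sample(comment)))
```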
------------------------------

Date: Sun, 4 Jun 89 15:18:38 BST
From: "David.J.Ferbrache"
Subject: Re: comp.virus usenet virus handbook

The idea of a handbook associated with the newsgroup is an excellent one,
although I would caution that such a handbook cannot be a comprehensive
guide to known viruses and trojan horses without a significant (major)
amount of effort on the part of the editorial committee.

There are a number of excellent general papers available describing the
nature of computer viruses, and the countermeasures which can be taken to
prevent their spread. A general guide should probably incorporate this
information, together with a short symptomatic description of the major
common computer viruses across all systems. It would also be worth
incorporating and updating the Dirty dozen list (by the way 8D available
from Heriot-Watt University archive). It would also be useful to
incorporate a public domain anti-viral software guide (a la Compute's
computer virus book), including details of software availability via Jim
Wright's archive site initiative.

> (1) How much information should be provided in the general guide?

Hmm, I would say that the guide should be aimed at casual non-systems
programmers. The use of binary and resource editors together with disk
recovery and reconstruction techniques are probably best omitted from the
beginners section. It might be possible to describe the use of Norton
utilities to destroy boot sector viruses on the IBM, and ResEdit to
identify and repair infected Mac applications. In general however there is
little or no reason to utilise ResEdit directly when such powerful repair
tools as Disinfectant are available.

The guide should include:

1. A general introduction to the concept of a virus
2. Brief historical overview and perspective on the threat
3. Operational principles of viruses in brief (v101?)
4. Prevention, detection and recovery from viral infection (i.e. backups,
   software policies, use of checksum and file alteration checking
   techniques, disk access monitors etc., mentioning the categories of
   anti-viral software). (maybe also include a checklist of simple
   anti-viral measures)
5. Known viruses (symptomatic description in brief)
   a. IBM PC
   b. MAC
   c. Atari
   d. Amiga
   e. Apple II
6. Trojan horses and other replicating programs

Appendices:
   Glossary.
   Public domain software - availability and review.
   References.
   Dirty Dozen Trojan List.
   Bulletin Board contacts.

> (2) How best do we handle duplicate effort?

There is quite a bit of duplication to date; in Europe Klaus' virus
directory will hopefully serve as a central focus for the viral code
analysis and disassembly. In the UK there is CoTRA (computer threat
research association) and the BCVRC (British computer virus research
centre). A number of people are producing listings of known viruses,
documentation on anti-viral techniques and software etc. The Homebase
bulletin board, CVIA, SDCNA, NCSC, MacMash etc. all jump to mind as
possible organisations worth contacting.

> (3) How do we assemble the editor staff?

Tricky. Ideally you want the widest possible spread of expertise,
preferably including an Atari ST and Amiga expert (George Woodside, Steve
Tibbett ??). When the project gets off the ground I am sure you will not be
short of volunteers for the project; if you wish any feedback on the UK
virus scene then please get in touch and I will be happy to help.

> (4) How much staff do we need? One or two for each supplement? One
> for each general chapter? Should we have a chief editor or two to
> oversee the whole effort and help to assure that project goals are
> being met? How about a temporary peer review group to evaluate each
> section as the guide is being built for the first time?
Ideally a general editor who has a wide experience of viruses across all
systems to prepare the introductory section, volunteers for each major
machine type to deal with the specific problems of that machine (known
viruses, specific disinfection software reviews etc). If you wish to
include a degree of technical detail then this might include advanced
recovery techniques (e.g. boot sector, partition record, resource and binary
editing), use of signature recognition to detect viral infection, repair of
infected application programs, maybe even a catalog of viruses with
algorithmic descriptions.

> (5) How about a different name for the effort?

I would suggest an ad-hoc mailing list. Such discussion is not suitable for
a newsgroup as such (unless possibly a temporary alt. group). Easiest is to
add volunteers or interested parties to the list, with a known
redistribution address at your site. I suspect that the effort may generate
a great deal of discussion which would probably swamp most newsgroups!

Thanks for volunteering Jim, Good luck.

- -------------------------------------------------------------------------
Dave Ferbrache                          Internet
Dept of computer science                Janet
Heriot-Watt University                  UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                          Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom               Facsimile  +44 31-220-4277
EH1 2HJ                                 BIX/CIX    dferbrache
- -------------------------------------------------------------------------

------------------------------

Date: Sun, 04 Jun 89 00:15:26 -0700
From: Alastair Milne
Subject: Re: nVirB infection at teesside poly, uk (Mac)

Though this is probably old news, I'd recommend adding GateKeeper to your
INITs. Though it's absolutely transparent for all disc writes you tell it
to allow, it forbids completely any writes it doesn't know to be
authorised. As soon as I discovered how effective it is, I removed Vaccine
from my system: GateKeeper is much more thorough (as it checks the writing
of *any* resource, not just CODE) and much less intrusive.
Best of luck with your disinfection.

Alastair Milne

------------------------------

Date: Mon, 5 Jun 89 11:45:50 EDT
From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk)
Subject: naming confusion

David Ferbrache helped me out in my quest for information on the Little
Black Box virus (Thanks David!). Apparently, this virus is a strain of the
Israeli virus.

...which brings me to my point. One of the most frustrating things that
I've run into is that viruses get called different things by different
people. Just look at a couple of the more common ones - Israeli <=> PLO <=>
Russian <=> Black Hole <=> Little Black Box, Brain <=> Pakistani ... (the
list goes on). I'm not proposing any solutions here because, quite
frankly, I'm not aware of any real good solutions. Anyone have any
suggestions? My point is merely to point out the cause for confusion and
hopefully generate some discussion on it.

Ken

------------------------------

End of VIRUS-L Digest
*********************