VIRUS-L Digest             Wednesday, 7 Jun 1989        Volume 2 : Issue 130

Today's Topics:

Protection Software (PC)
Possible virus? (PC)
LapLink II (PC)
Re: IEEE Article on LapLink
SEARCH FOR A PERSON
Dirty dozen viruses

---------------------------------------------------------------------------

Date: Sun, 4 Jun 89 14:18:20 GMT
From: mcvax!rhi.hi.is!frisk@uunet.UU.NET (Fridrik Skulason)
Subject: Protection Software (PC)

Recently I wrote a message, asking for volunteers to test a new TSR virus protection program. By now they probably have received the source code and are testing the program. This program is a part of a protection package, which will be sent to the anti-viral archives when finished. (By the way, who are the managers of the various archives?)

Now I have a question: Does anyone out there know of a package for testing protection software? If not, would anybody be interested in creating such a package? It would consist of a number of programs, intended to test various methods of attack. I have written two such programs, one for attacking the boot sector (in 4 basically different ways), and the other for attacking .EXE files (using a wide variety of methods).

I also have a request: Included in my package is an inoculation program. It is designed to fight specific BSV, by writing a few bytes to the boot sector, making the diskette look as if it has already been infected. Currently the program inoculates against Brain, Ping-Pong and Marijuana. I do not have the other known BSV (Yale, Den Zuk and Nichols) in my collection, and I would be very grateful if somebody could E-Mail me some information on how those viruses check if the diskette is already infected.

Fridrik Skulason
University of Iceland
Computing Services
frisk@rhi.hi.is

------------------------------

Date: Tue, 6 Jun 89 10:07 EDT
From: "L. ANNE COLE"
Subject: Possible virus? (PC)

Hello Everybody:

At the end of last semester I ran into a recurring "degradation" in my students' software (dbase iii+) diskettes (maybe 5 of 40). Things were so hectic (my first year here), that I just had them go get new copies (boo). So I didn't get a copy of the problem disks. As I started to recover after finals, I got to thinking...

Here is what we saw. Whenever they tried to get a print screen while in dbiii+, the printer went crazy, started spewing out garbage, and had to be reset (powered down and back) before the next job could be run. We were doing joins - might have something to do with that (but that wouldn't explain the other 35 or so).

Another weirdness (or maybe not). If you are (BY THE WAY, WE ARE TALKING ABOUT IBM CLONES) booting up from a bootable diskette (not a full DOS disk) with no config.sys file, does it get the files and buffers limits from the dos disk that originally made the bootable disk? It must, obviously. Where does it keep this stuff? (I'm digging into dos and masm this summer, I hope this is not too stupid a question.) I think this is unrelated to the above problem - maybe not.

Finally, I just heard a rumor, myth, . . . Supposedly, someone read this somewhere. Is it possible that the software packagers are spreading viruses to their competition (for obvious reasons). "Hi, I'm a virus, are you a database? Are you my database? CRUNCH." Sounds rather strange, but...

Thanks people,

L. Anne Cole
Asst.Prof. Computer Science Dept.
SUNY Plattsburgh
Plattsburgh, NY

------------------------------

Date: Tue, 6 Jun 89 16:10 EDT
From: WHMurray@DOCKMASTER.ARPA
Subject: LapLink II (PC)

>By requiring that the receiving machine be notified of the transfer,
>LapLinks' designers have reduced the chance of malice.

Nonsense. To use LapLink one must have control over both the Laptop and the desktop machine. Indeed, what LapLink is designed to do is to permit the transfer of data between COOPERATING PCs. It contains no risk that a PC can transfer data to a non-cooperating PC.

LapLink does contain the capability to be bootstrapped from, for example, a laptop with 3.5" drives, to a desktop with only 5.25" drives. This capability permits the laptop owner to use a 5.25"-only machine in a distant city even if he forgets to carry a copy of LapLink on 5.25" with him. However, he must be physically connected by cable to the target machine. If yours is the target machine and the source machine is not connected with your permission, then this capability is the least of your worries.

This bootstrap capability is more analogous to a LOAD than to a virus or worm. The comparison of this capability to a virus originated with an overzealous reporter. It was not news when he wrote it; it is not news now. The analogy has destroyed any hope that the authors of the program might ever have had for their press release. It has interfered with their legitimate right to publicize their capability.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Wed, 7 Jun 89 00:04:31 +0300
From: makela@jyu.fi (Otto J. Makela)
Subject: Re: IEEE Article on LapLink

Oh no! Not another case of a "virus" invented by the media! It was bad enough when they decided to call the November Worm a virus... This prog sounds just like a worm to me. At least from the description.

But this is nothing new. The PCU (PC to Unix) software sold by Unisys for quite a time now has a feature where it automatically sends the C code for a simple file transfer program to the receiving Unix system, and then compiles it... nothing new here... (what was the hooha about doing MODE ? Didn't make very much sense...)

Otto J. Makela (with poetic license to kill), University of Jyvaskyla
InterNet: makela@tukki.jyu.fi, BitNet: MAKELA_OTTO_@FINJYU.BITNET
BBS: +358 41 211 562 (V.22bis/V.22/V.21, 24h/d), Phone: +358 41 613 847
Mail: Kauppakatu 1 B 18, SF-40100 Jyvaskyla, Finland, EUROPE

------------------------------

Date: Wed, 07 Jun 89 11:47:29 MEZ
From: Ghost
Subject: SEARCH FOR A PERSON

Woe to me, HELP HELP!!

Hi there,

I have got a problem. Last month I got the corewars package from someone out there, but I forgot his address. If he hears my scream for help, may I ask him to send me his address. If anyone else out there knows his location and computer-address, please send it to me. Above is my nickname only. My real name is Thomas Friedrich. The corewars package is written by Maz Spork, the DaneBrain from Denmark.

Thanks to all, who understand my interest,

Thomas Friedrich, UZR50F at DBNRHRZ1

Ghost PCSERV-L@RPICICGE 6/07/89 Search for a Person

------------------------------

From: David.J.Ferbrache
Date: Wed, 7 Jun 89 13:07:28 BST
Subject: Dirty dozen viruses

Jim Wright sent me a copy of version 9B of the Dirty Dozen list (thanks Jim), in this list of IBM PC Trojans there are two entries flagged as viruses, these are:

ARC533.EXE    This is a new virus program designed to emulate Sea's ARC program. It infects the Command.com.

PK35B35.ARC   This was supposed to be an update to PKARC file compress utility which when used eats your FATS and is or at least Rumored to infect other files so it can spread - possible VIRUS?

Question - has anyone succeeded in verifying that these two Trojan horses do in fact contain (and initiate) viral code, and if so can someone arrange to isolate the contained viruses and provide an analysis for the group.

On a side note version 9B is now available from Heriot-Watt info-server to sites in Europe (not uucp domain), send a message of the form

    request: virus
    topic: ibmpc.dirty

the file is 51K long.

[Ed. Jim sent me a copy of the same file - I'll have it available here shortly.]

- -------------------------------------------------------------------------
Dave Ferbrache                  Internet
Dept of computer science        Janet
Heriot-Watt University          UUCP ..!mcvax!hwcs!davidf
79 Grassmarket                  Telephone +44 31-225-6465 ext 553
Edinburgh, United Kingdom       Facsimile +44 31-220-4277
EH1 2HJ                         BIX/CIX dferbrache
- -------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest
*********************