VIRUS-L Digest Thursday, 8 Jun 1989 Volume 2 : Issue 132 Today's Topics: No Publishers' Viruses Re: FluShot+ version, the final word re: virus desinfecting The new Assembly PC List....!!! (The power) RE: Emergency contacts and vendors writing viruses --------------------------------------------------------------------------- Date: Wed, 7 Jun 89 17:49:13 pdt From: odawa@well.sf.ca.us (Michael Odawa) Subject: No Publishers' Viruses In virus-l 2:130, L. Anne Cole asked, > Is it possible that the software packagers are spreading viruses to their > competition (for obvious reasons). "Hi, I'm a virus, are you a database? > Are you my database? CRUNCH." Sounds rather strange, but... while in virus-l 2:131 Gordon Meyer responded, > While I would like to think this isn't happening, there is evidence to the > contrary. Let us set the record straight on this subject: No known software publisher has ever intentionally released a virus into circulation, nor is it likely that any would do so, as it would be contrary to their interests. Viruses threaten the entire software industry and expose the releasing party to an enormous legal liability. As "evidence to the contrary" Mr. Myer cites an article he read which in turn vaguely suggested that some (unnamed and unnameable) developers "might be introducing viruses as a means to fight software piracy." Software developers and publishers are as disturbed as anyone about the spread of viruses. We do not see their propagation to be in anyone's interest. As producers of software, we are offended by the way viruses assault our customers and deface the product of our labors. As heavy users of computer programs, we become as inconvenienced as anyone when we fall victim to a viral outbreak. The idea of releasing viruses to protect intellectual property rights sounds as bizarre to us as would be the idea of bombing libraries to protect authors' copyrights. The Software Development Council has an active Virus Task Force which exchanges viral identification information, and promotes the incorporation of antiviral measures into mainstream software products. If anyone would like information on what software developers are doing to fight viruses, please send me your snail mail address. Michael Odawa Software Development Council of North America odawa@well.uucp ------------------------------ From: hack@ztivax.siemens.com (Gerald Hackenberg) Date: Thu, 8 Jun 89 12:09:50 -0200 Subject: Re: FluShot+ version, the final word Could you please post it to comp.binaries.ibm? I have only access to the news groups. Thanx in advance P.S. If not possible could you send me a copy via email? [Ed. Not a bad idea - Ross?] ------------------------------ Date: Wed, 7 Jun 89 20:51 N From: Otto Stolz Subject: re: virus desinfecting Rob J. Nauta asked: > Furthermore, is there a program that desinfects COM or EXE files [...] > I may start writing my own tool for it [...] delete the first 1701 or > 1704 bytes seems logical in that case This procedure would certainly destroy your program. In fact, the term "relocating" link-virus is only a metaphor (as is virus, at all) for various techniques to achieve the following behaviour of the infected (another metaphor) program: 1. run viral code (a whole transient virus, or at least the installa- tion part in case of a resident virus); 2. resume normal operations of original program. With fully relocatable programs (I'm not quite sure whether all MS-DOS COM files qualify as such), this could indeed be achieved by inserting the viral code at the beginning of the file, but the 1704 (and other virus strains) use a different approach. 1704 overwrites the 1st 3 bytes of the COM file with a Jump instruction to the end of the file, where the main part of the viral code is appended; the original contents of the 3 bytes being overwritten are saved somwhere in the viral code (i.e. every file gets its own, suitably adapted, version of the virus appended). When the program is invoked, the virus restores the original content of its 1st 3 bytes before transferring controll there. Hence, if you want to remove a 1704 from a COM file, you have to: 1. Retrieve the original 1st 3 bytes from the viral code (which is not trivial, but I won't go into details, here); 2. Replace the 1st 3 bytes of the files with their original content; 3. optionally, remove the last 1704 bytes from the file. See below for a warning on the usefulness of this scheme. EXE files have an elaborated structure, complicating desinfecting (and btw. infecting) even more. > At the moment everybody says 'install your software from your backups > and start with a clean system' I'd rather say: start with a clean system and install your software from original distribution disks. - - In any case, you have to start with a clean system (i.e. switch off your computer, and boot it from a clean floppy disk), before you attempt anti-viral measures (be it diagnose, or repair). - - Usually, you don't know how long you have hosted the virus, so you do not know which of your backups to trust. So, rather use original (hopefully clean) distribution disks. - - If you devise a des-infectant program as outlined above, you can use it only for a particular virus strain. But the next day, you will run across a variant of the virus (which saves the 3 bytes at some other place or in some other way), and your des-infectant will destroy your program instead of repairing it. Better safe than sorry--hence, I do not use des-infectand programs, even if they are available. Otto Stolz ------------------------------ Date: Tue, 06 Jun 89 22:00:00 From: Luis Valdivia P. Subject: The new Assembly PC List....!!! (The power) ASSMPC-L THE MISSION Hi !!! Networkers and Hackers... This is an invitation to contribute to a new mailing list, ASSMPC-L. This list is located on USACHVM1 (in BITNET) and deals with issues related to the PC assembly languages (Intel 8086/88/286/386/...). There is an initial programming goal that the managers of this list wish to accomplish: We are inviting all users to assist in the coding of projects. For instance, our first task will be a Resident Program Manager. We will use Turbo Assembler or MacroAssembler to develop our applications. An second project will be an AV package to viruses, we have already a programs for Jerusalem and Brain, these could be help for it. (Thanks Ken). The users of this new surprising list will receive mail with code contributions and discussions, and eventually the program source listing finished with the help of the participants. Then, the list will propose a new project to work on. Any and all code contributions, ideas, and anything else that will help in achieving this opening goal will be appreciated, discussed, reported and acknowledged for the list. Virtually... ASSMPC-L Come !!! The power is with us... We hope for you... - Warning: The link to Chile is connect at 18:00 hrs, EDT. Before it time, you can not send an interactive command. - Subscriptions: Bitnet Users: - "Tell listserv at usachvm1 sub assmpc-l Your_full_name" (IBM Users) - "Note to listserv at usachvm1" (IBM users), with the following line: "sub assmpc-l Your_full_name" - Other's system users, please send mail to listserv@usachvm1, with the following line: "sub assmpc-l Your_full_name" Internet Users: - Please send mail to listserv@usachvm1.bitnet, with the following line: "sub assmpc-l Your_full_name" - Contributions: Bitnet Users: - "Note to assmpc-l at usachvm1" (IBM users). - Other's system users, please send mail to assmpc-l@usachvm1. Internet Users: - Please send mail to assmpc-l@usachvm1.bitnet. - Comments, Questions, Ideas and any other thing: Bitnet Users: - Please send mail to the Owner's list: Luis Valdivia P., lvaldivi@usachvm1 Pedro Sepulveda J., psepulve@usachvm1 Internet Users: - Please send mail to the Owner's list: Luis Valdivia P., lvaldivi@usachvm1.bitnet Pedro Sepulveda J., psepulve@usachvm1.bitnet Good Luck!!! ------------------------------ Date: Thu, 8 Jun 89 14:10 EDT From: Roman Olynyk - Information Services Subject: RE: Emergency contacts and vendors writing viruses In mentioning the "Computer Emergency Response Team" at Carnegie-Mellon as an Internet contact point for virus notification, you neglected to provide any lead. Is there an electronic mail address or telephone number for the CERT? [Ed. Sorry, the phone number for CERT is (412) 268-7090, and the e-mail address is CERT@SEI.CMU.EDU.] Also, in the subject of "Are software developers releasing viruses," I can add Microsoft Word... we have version 1.0 of Word at our site (if you can imagine that!). If you use a good disk editor and search for the string "evil" you will find the text: "The tree of evil bears evil fruit. Crime does not pay. Trashing program disk..." I can't say that this may actually happen, since I haven't tempted fate by making unauthorized copies. However, it is a bit disconcerting to see such a message imbedded in a commercial product. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253