VIRUS-L Digest Monday, 26 Jun 1989 Volume 2 : Issue 141 Today's Topics: Re: The strange story of the WordPerfect virus (PC) Re: Request for info on viruses (PC) Re: Virus policy Apple II anti-viral archives IBMPC anti-viral archives Atari ST anti-viral archives Amiga anti-viral archives Introduction to the anti-viral archives [Ed. I'm back... As I said before, my new email address is krvw@sei.cmu.edu] --------------------------------------------------------------------------- Date: Tue, 20 Jun 89 14:34:59 -0400 From: greg@phoenix.Princeton.EDU (greg Nowak) Subject: Re: The strange story of the WordPerfect virus (PC) Thanks for all your good work in studying the WordPerfect virus. I haven't yett been infected by it, but since I am a WordPerfect 4.2 user, I suspect that I might be someday. Could you please send me a uuencoded copy of the virus-eradication program you mentioned? many thanks! ...!rutgers!phoenix.princeton.edu!greg Greg Nowak/Phoenix Gang/Princeton NJ 08540 ------------------------------ Date: Tue, 20 Jun 89 17:25:58 PDT From: rtc@bally.Bally.COM (Reynolds Cafferata) Subject: Re: Request for info on viruses (PC) (C)Brain infected many disks at the George Washington University. It is a product of some guy in Pakistan. The only saving grace to this virus is that it changes the volume name, as you must have noticed when it infects a disk. The virus replaces command.com with a new version that is stored in some bad sectors on the disk. THe new command.com has two nasty functions. First, when ever the disk is accessed, it checks to see if the disk being accessed is infected. If it isn't then it infects that disk. Second, it will periodically add more bad sectors to disks. The virus can only be loaded by booting the computer with an infected disk. It becomes a big problem in environments were people sit down and use already booted machines. A printer pc was the main distributor of the virus at GWU. The version we faced did not seem to affect hard disks. The simplest cure we found was to boot a system with a disk that we were positive was not infected, and then read the first sector off of that disk with a block & track editor. Finally, write the good 1st sector onto the infected disk. Be sure to write a booting sector to boot disks and non-booting to non-booting disks. As for the bad sectors containing the command.com substitute, they are harmless without the companion boot sector and are best just left alone. This virus cost many of my friends a lot of data--we would love to meet the guy who wrote it in some dark alley. In any event, I hope this posting is helpful. Reyonlds Cafferata ------------------------------ Date: Wed, 21 Jun 89 18:19 PDT From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: Virus policy Hi margie, having dealt with this problem as a consultant at a couple of silicon valley corps I have just one issue to raise from your article. In most cases the person who is the human causative agent in the spread of an infection is in most cases totally unaware that some of the disk that he/she/it is using are infected... thus it is kind of hard to discipline that person... what could be done instead is to set up a test cpu that the software can be run on first to attempt to detect evidence of infectious agents(of course if the virus in question has a sufficiently long pre-trigger level even that may not be sufficient) (n.b. a pre-trigger is used in this context to describe an interval that the virus will not manifest its infectious capability) kelly goen CSS Inc. ------------------------------ Date: 22 Jun 89 12:23:53 GMT From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Apple II anti-viral archives # Anti-viral archive sites for the Apple II types... # Listing of 22 June 1989 brownvm.bitnet Chris Chung Access is through LISTSERV, using SEND, TELL and MAIL commands. Files are stored as apple2-l xx-xxxxx where the x's are the file number. cs.hw.ac.uk Dave Ferbrache NIFTP from JANET sites, login as "guest". Electronic mail to . Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Apple II index for the virus archives can be retrieved as request: apple topic: index For further details send a message with the text help The administrative address is pd-software.lancaster.ac.uk Steve Jenkins I'm not sure of access, but you Brits ought to know by now. :-) - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: 22 Jun 89 12:25:23 GMT From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: IBMPC anti-viral archives # Anti-viral archive sites catering to the IBMPC crowd... # Listing of 22 June 1989 cs.hw.ac.uk Dave Ferbrache NIFTP from JANET sites, login as "guest". Electronic mail to . Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The IBMPC index for the virus archives can be retrieved as request: ibmpc topic: index For further details send a message with the text help The administrative address is ms.uky.edu Daniel Chaney This site can be reached through anonymous ftp. The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus. The IP address is 128.163.128.6. pd-software.lancaster.ac.uk Steve Jenkins I'm not sure of access, but you Brits ought to know by now. :-) - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: 22 Jun 89 12:24:35 GMT From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Atari ST anti-viral archives # Anti-viral archive sites for the Atarians... # Listing of 22 June 1989 cs.hw.ac.uk Dave Ferbrache NIFTP from JANET sites, login as "guest". Electronic mail to . Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Atari ST index for the virus archives can be retrieved as request: atari topic: index For further details send a message with the text help The administrative address is . pd-software.lancaster.ac.uk Steve Jenkins I'm not sure of access, but you Brits ought to know by now. :-) ssyx.ucsc.edu Steve Grimm Access to the archives is through FTP or mail server. With ftp, look in the directory /pub/virus. The IP address is 128.114.133.1. For instructions on the mail-based archiver server, send help to . - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: 22 Jun 89 12:23:16 GMT From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Amiga anti-viral archives # Anti-viral archive sites for the Amigoids... # Listing of 22 June 1989 cs.hw.ac.uk Dave Ferbrache NIFTP from JANET sites, login as "guest". Electronic mail to . Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Amiga index for the virus archives can be retrieved as request: amiga topic: index For further details send a message with the text help The administrative address is ms.uky.edu Sean Casey Access is through anonymous ftp. The Amiga anti-viral archives can be found in /pub/amiga/Antivirus. The IP address is 128.163.128.6. pd-software.lancaster.ac.uk Steve Jenkins I'm not sure of access, but you Brits ought to know by now. :-) uxe.cso.uiuc.edu Lionel Hummel Currently, the anti-viral archives don't have a home of their own. There is a lot of stuff to be found throughout the Fish collection. The IP address is 128.174.5.54. - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: 22 Jun 89 12:22:14 GMT From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Introduction to the anti-viral archives # Introduction to the Anti-viral archives... # Listing of 22 June 1989 This posting is the introduction to the "official" anti-viral archives of virus-l/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC and Macintosh microcomputers, as well as sites carrying research papers and reports of general interest. We don't yet have a site dedicated to the "big boys", but are on the look. There have been nibbles. If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have an archive site and would like to volunteer your site (and are in a position to do so! :-), send me a message. Also, if you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites. With this update I'd like to welcome two new sites. Mac folks probably are already familiar with sumex. Now it has been granted "official" status. :-) Another new site is unm, which provides ethics related papers (university policies, state laws, etc.). Give it a look! If you have any corrections to the lists, please let me know. - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253