VIRUS-L Digest   Wednesday, 28 Jun 1989   Volume 2 : Issue 143

Today's Topics:

Other Mac viruses
Virus Identification Software
Re: Request for info on viruses (PC)
Re: Mac anti-viral archives (correction)
Vaccine/GateKeeper and old Macs
Anyone heard of this new virus ?? (PC? No system given)
Virus attacking WP 5.0 (PC)
Mac anti-viral archives (update)
Re: virus distributed on Compuserve (Mac)

--------------------------------------------------------------------------------

Date: Mon, 26 Jun 89 13:42 EDT
From:
Subject: Other Mac viruses

ACSAZ@SEMASSU, 26-JUN-1989

Hello,

Besides nVir and Scores, what other viruses are `out' for the Mac? I am interested in their frequency of appearance and how they can be identified and dealt with.

Muchos Gracias,
Alex Z... . . .

------------------------------

From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Virus Identification Software
Date: Sun, 25-Jun-89 22:27:13 PDT

David Loveless and other Virus-L users have asked about virus identification software for PC viruses. The people at HomeBase have put together a program called VIRUSCAN that is able to find and identify the 53 viruses classified by Jim Goodwin in May of this year. The program scans entire systems or individual diskettes and runs pretty fast (1 minute for each 200 executable files). It's shareware and available on the HomeBase BBS - 408 988 4004. Disinfectors for each virus are also available.

------------------------------

Date: 26 June 1989, 16:47:06 EDT
From: David M. Chess
Subject: Re: Request for info on viruses (PC)

> The virus replaces command.com with a new version that
> is stored in some bad sectors on the disk.

Hm. The "Brain" virus that I've seen changes the boot sectors of floppy disks, not COMMAND.COM. Are you sure about that?
DC

------------------------------

Date: Mon, 26 Jun 1989 19:03:02 CDT
From: Werner Uhrig
Subject: Re: Mac anti-viral archives (correction)

I see that the entry for RASCAL needs to be improved a little; please use the following:

rascal.ics.utexas.edu
        Werner Uhrig
        Access is through anonymous ftp, IP number is ??.??.??.??.
        Archives can be found in /mac/virus-tools.
        Please retrieve the file 00.INDEX and review it offline.
        Due to the size of the archive, online browsing is discouraged.

------------------------------

Date: Tue, 27 Jun 89 10:45:18 PDT
From: dplatt@coherent.com (Dave Platt)
Subject: Vaccine/GateKeeper and old Macs

> PS I've discovered that GateKeeper won't work on our ancient 128/512k
> Macs to stop reinfection with the dose of nVirB we have going around.
> Am I right? If I am any helpful suggestions?

You're probably right. The oldest versions of the System do not scan the System folder for INIT (Startup), RDEV (Chooser), and cdev (Control Panel) files; INIT resources contained in these files will not be executed. GateKeeper and Vaccine are both cdev files.

You _might_ be able to install a hacked-up copy of Vaccine into the System file on your startup disk(s). You'd need to configure Vaccine on a more-modern machine... probably "protection on, expert display, don't compile MPW INITs, don't show icon at startup". Then, use ResEdit to copy the INIT and FKDT resources from the configured copy of Vaccine, and paste them into the System file on your startup floppy.

You could also try configuring the copy of Vaccine to display its icon at startup time; you'd then need to copy the ICN# resource from the Vaccine file and add it to the System.

I haven't tried this and can't assure you that it would work... but it's probably worth a try. Do it on _copies_ of Vaccine and of your startup floppy, of course!

Best of luck!
Dave Platt    FIDONET:  Dave Platt on 1:204/444    VOICE: (415) 493-8805
  UUCP: ...!{ames,sun,uunet}!coherent!dplatt     DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303

------------------------------

From: gany%TAURUS.BITNET@CUNYVM.CUNY.EDU
Date: Tue, 27 Jun 89 22:57:37 +0300
Subject: Anyone heard of this new virus ?? (PC? No system given)

Yesterday and today articles about a new virus appeared in an Israeli paper (Maariv). It seems that the virus (some sort of a TSR maybe ?) is planting typos (i.e. typing mistakes) when printing to the printer. It does not affect the screen or the data on disk itself. It was even claimed that it is a mutant of the "bouncing ball" virus.

Anyone heard of such a virus? Has anyone been hit by that beast - or is it just the cucumber season again ??

Yair Gany
School of Math. & Computer Science      gany@Math.Tau.Ac.il
Tel Aviv University                     gany@TAURUS.Bitnet

------------------------------

Date: Tue, 27 Jun 89 15:45 EDT
From: Don Kazem
Subject: Virus attacking WP 5.0 (PC)

We have a problem here with Wordperfect 5.0 and I am not sure if it is a virus infection. It does look quite suspicious, however.

The problem is that when WP 5.0 is loaded and users try to retrieve a file that was created by the same program, an error message appears stating that there is not enough storage. This is despite the fact that there is 5 Megs of space left.

This does not happen with every file, but the ones that this happens to are trashed beyond repair.

Although the size of the WP.EXE has not changed, the checksum is radically different from the copy of WP.EXE on the master disk.

Has anyone encountered anything like this before? Do you think this could be a virus?
DKAZEM@NAS

------------------------------

Date: 27 Jun 89 20:30:32 GMT
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Mac anti-viral archives (update)

< This is an update to the listing of anti-viral archive sites for >
< the Mac. In the previous posting, the IP number for Sumex was wrong. >
< The other change has been the addition of SCFVM to the list. >
< Jim >

# Anti-viral archive sites for the Macindroids...
# Listing of 27 June 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Mac index for the virus archives can be retrieved as
                request: mac
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ifi.ethz.ch
        Danny Schwendener
        Access is through SPAN/HEAPNET, but can also be reached using X.25
        and modem ports (no direct dialins, though).
        Archives are in process of moving to a new machine.

pd-software.lancaster.ac.uk
        Steve Jenkins
        I'm not sure of access, but you Brits ought to know by now. :-)

rascal.ics.utexas.edu
        Werner Uhrig
        Access is through anonymous ftp, IP number is ??.??.??.??.
        Archives can be found in /mac/virus-tools.
        Please retrieve the file 00.INDEX and review it offline.
        Due to the size of the archive, online browsing is discouraged.

scfvm.bitnet
        Joe McMahon
        Access is via LISTSERV.
        SCFVM offers an "automatic update" service. Send the message
                AFD ADD VIRUSREM PACKAGE
        and you will receive updates as the archive is updated.
        You can also subscribe to automatic file update information with
                FUI ADD VIRUSREM PACKAGE

sumex.stanford.edu
        Bill Lipa
        Access is through anonymous ftp, IP number is 36.44.0.6.
        Archives can be found in /info-mac/virus.
        Administrative queries to .
        Submissions to .
        There are a number of sites which maintain shadow archives of
        the info-mac archives at sumex:
        * MACSERV@PUCC services the Bitnet community
        * LISTSERV@RICE for e-mail users
        * FILESERV@IRLEARN for folks in Europe

wsmr-simtel20.army.mil
        Robert Thum
        Access is through anonymous ftp, IP number 26.0.0.74.
        Archives can be found in PD3:.
        Please get the file 00README.TXT and review it offline.

Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date: Wed, 28 Jun 89 08:55:56 EDT
From: Kenneth R. van Wyk
Subject: Re: virus distributed on Compuserve (Mac)

Regarding my recent query as to whether a Mac virus may have been distributed via Compuserve at some time, I quote Dr. Fred Cohen ("On the Implications of Computer Viruses and Methods of Defense", Computers and Security, Vol. 7, No. 2, Pg. 169):

"On the very widely used Compuserve network, a virus was apparently planted to infect the initialization files of the Apple MacIntosh. This virus was designed to put an advertisement on the screen on a particular date and then delete itself. It was noticed by a programmer browsing through his system initialization files and was traced to a company that had added a program to the Compuserve library. The perpetrator was barred from Compuserve 'forever'. Compuserve has countered by providing a public domain program that constantly runs in the background checking for modifications to system initialization files and asks the user if these are desired."

Thanks for all who added their input.

Ken

Kenneth R. van Wyk
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
Internet:

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
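
Added example, not part of the digest: Don Kazem's message above notes that WP.EXE kept its size while its checksum no longer matched the master disk. The Python below compares an installed tree against a master copy and reports that case separately from a size change; the SHA-256 digest, the function names and the constructed WP.EXE stand-in bytes are assumptions of this example, not anything the posters used.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size, SHA-256 hex digest) of one file."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()

def build_baseline(root):
    """Map relative path -> (size, digest) for every file under root (the master copy)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def compare(baseline, root):
    """Classify each file in the installed tree against the baseline."""
    current = build_baseline(root)
    report = {}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel][1] == digest:
            report[rel] = "unchanged"
        elif current[rel][0] == size:
            report[rel] = "modified, same size"   # a size-only check would miss this
        else:
            report[rel] = "modified, size changed"
    for rel in current.keys() - baseline.keys():
        report[rel] = "not in baseline"
    return report

def demo():
    """Constructed sample: a master tree and an installed tree with one byte-patched file."""
    with tempfile.TemporaryDirectory() as master, tempfile.TemporaryDirectory() as installed:
        for root in (master, installed):
            with open(os.path.join(root, "WP.EXE"), "wb") as f:
                f.write(b"MZ" + b"\x90" * 510)          # constructed stand-in bytes
        with open(os.path.join(installed, "WP.EXE"), "r+b") as f:
            f.seek(100)
            f.write(b"\xcc\xcc\xcc\xcc")                # overwrite in place, length unchanged
        return compare(build_baseline(master), installed)

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is built from write-protected master media and stored off the machine being checked.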