VIRUS-L Digest             Thursday, 29 Jun 1989        Volume 2 : Issue 144

Today's Topics:

Random comments (Mac)
Re: Virus Identification Software
VIRUS ALERT: New Virus? (PC)
The "Mistake" Virus (PC)
RE: Mac Archives - correction
RE: questions re: HomeBase
virus detection program (PC)
NEW VIRUS?? (PC?)
2 remarks
File: "VIRUS-L MAIL" being sent to you
virus bulletin newsletter

--------------------------------------------------------------------------------

Date: Wed, 28 Jun 89 11:10:30 EDT
From: Joe McMahon
Subject: Random comments (Mac)

(Alex Z.) asks:
>Besides nVir and Scores, what other viruses are `out' for the Mac. I
>am interested in their frequency of appearance and how they can be
>identified and dealt with.

The current count is 9. Scores, nVIR (two strains and three clones - MEV#,
Hpat, and AIDS), INIT 29, Peace, and ANTI. Get a copy of my virus doc stack
from the LISTSERV at SCFVM; if you need help in doing that, drop me some
E-mail.

Kenneth R. van Wyk quotes Fred Cohen:
> ... "On the very widely
>used Compuserve network, a virus was apparently planted to infect the
>initialization files of the Apple MacIntosh. This virus was designed
>to put an advertisement on the screen on a particular date and then
>delete itself. It was noticed by a programmer browsing through his
>system initialization files and was traced to a company that had added
>a program to the Compuserve library. The perpetrator was barred from
>Compuserve 'forever'. Compuserve has countered by providing a public
>domain program that constantly runs in the background checking for
>modifications to system initialization files and asks the user if
>these are desired...."

The virus portion is correct; it refers to the "Peace" virus. It was
distributed in a Trojan HyperCard stack. The anti-viral in question is
Vaccine, distributed by CE Software, *not* CompuServe. CIS did not sponsor
the development or distribution of this program; it was done solely in a
spirit of public service by Don Brown at CE Software.

 --- Joe M.

------------------------------

Date: Wed, 28 Jun 89 10:44:18 PDT
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: Re: Virus Identification Software

Sounds good. Do they plan to make this software available to host sites on
the Internet such as SIMTEL20?

Regards, Rollo Rogers, COMPUSEC SPEC, NOSC S D

------------------------------

Date: Wed, 28 Jun 89 19:31:46 MEZ
Sender: Virus Alert List
From: Christoph Fischer
Subject: VIRUS ALERT: New Virus? (PC)

We were called for assistance in two virus cases today. Both seem to be
caused by the same virus.

Symptoms:
  COM files grow by 50 bytes
  Upon reboot the system will keep booting over and over again (till
  power off)

Both incidents were not at our location, so we will have to wait until
paper mail gets them through to us for further tests.

Sites of appearance:
  Rosenheim, West-Germany (Bavaria)
  Ettlingen, West-Germany (Baden)

*****************************************************************
* Torsten Boerstler and Christoph Fischer                       *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************

------------------------------

Date: Wed, 28 Jun 89 15:36:31 +0300
From: Y. Radai
Subject: The "Mistake" Virus (PC)

As some of you may already have read in the press, a new PC virus, the
"Mistake" virus, has been reported in Israel. As I have already been getting
inquiries about it, I thought I might as well publish what I know, even
though I haven't yet seen it, so that what I report here is second-hand
info.

Its main symptom is that certain characters in printouts are replaced by
others. In the case of letters, the replacement is always by another letter
which is pronounced similarly, e.g. K by C. The same thing happens with
Hebrew letters (which on Israeli computers replace the foreign letters at
ASCII 128-154), making it almost certain that the virus was authored by an
Israeli. Digits are also replaced. The virus has been reported in banks in
Tel Aviv and at the Univ. of Tel Aviv. According to a newspaper report, the
virus even caused the Hebrew equivalent of the following sentence to be
printed: "4 times 4 equals 16, more or less" (there was no indication of
what the undistorted original was). (Note: Replacements do not appear on
the screen or in files, only in printouts.)

So much for the symptoms. As to the mechanism, it's said to be a boot-sector
virus installing itself in 2K at the upper end of RAM. It may be a mutation
of the Ping-Pong (Italian) virus. In any case it has been removed by a
program designed to remove the P-P virus. As with other boot-sector viruses,
it could presumably be wiped out also by performing SYS on the infected disk
(immediately after a cold boot from a clean DOS diskette).

                                        Y. Radai
                                        Hebrew Univ. of Jerusalem

------------------------------

Date: Wed, 28 Jun 89 11:30 MST
From: GORDON_A@CUBLDR.Colorado.EDU
Subject: RE: Mac Archives - correction

< Please get the file 00README.TXT and review it offline.

------------------------------

Subject: RE: questions re: HomeBase

> It's shareware and available on the HomeBase BBS - 408 988 4004.

This is my first time replying to the list, so be gentle with me :-)

Does the HomeBase BBS have a FidoNet node number, and if so does it accept
file requests? Also, if you are giving info on a BBS, please include the
FidoNet node number if it has one. Thanks in advance.

Roger Safian

------------------------------

Date: Wed, 28 Jun 89 23:23 N
From: "Rob J. Nauta"
Subject: virus detection program (PC)

I just read the message by Alan J. Roberts about a program that scans a disk
for the 53 known viruses. He also states that it is available from the
HomeBase BBS, which I unfortunately cannot call from here - too expensive!
The address he gave (portal!cup.portal.com!Alan_J_Roberts@sun.COM) is too
nonstandard for my mailer; even gMAIL won't send my message. That's why I
would like to ask if anyone would be so kind as to send me this program. It
sounds like the thing I was asking for in an issue of this digest a few
weeks back. I would be very grateful. Also, adding it to the LISTSERV files
or sending it to SIMTEL20 to be added there sounds like the thing to do,
because I think a lot of people would be interested in this great program.

With thanks in advance,

Rob J. Nauta
rcstrn@heitue51.bitnet

------------------------------

Date: 29 Jun 89 07:53:00 GMT-15:00
From: "DSC T. DEJANE"
Subject: NEW VIRUS?? (PC?)

The following was received over the IBMPC-L list.

------------------------------

Date: Tue, 13 Jun 89 17:39:41 EDT
From: ejs@goldhill.com (Eric Swenson)
Subject: Virus? Help!

My wife's office has gotten the following messages printed out on their
networked laser printer. She doesn't know which workstation on the Novell
network originated the printouts, and no banners on printed documents are
used, so it is hard to track down. In any case, the output included:

    THE COPY BANDITO SAYS
    YOUR SYSTEM HAS BEEN INVADED BY STRANGE BEINGS WHO
    SEEK TO DISRUPT THE NORMAL LIFE ESSENSE PURVEYING YOUR
    PLACE OF WORSHIP.
    WHAT IS IT THAT YOU PRAY TO?
    IS ANYONE SMART ENOUGH?
    TIMES UP!
    !!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!
    BOW DOWN
    NO ONW [sic] HAS THE BRAINS

Has anyone seen this before? Does anyone have any suggestions as to how to
track down which program contains this virus (if it is a virus)?

Thanks.

-- Eric

------------------------------

Date: Wed, 28 Jun 89 20:37 EST
From: Dimitri Vulis
Subject: 2 remarks

1. The English language has certain traditional ways of naming groups of
animals, e.g., a gaggle of goblins, a school of fish, a pack of wolves, etc.
Since both `virus' and `Trojan horse' have some kind of animal overtones, I
wonder what other people (preferably English majors) think is a good way to
name a group of those beasts. Definitely not `diskful'---a disk is likely to
be anything but full after a visitation. A test-tube of viruses? A can of
worms? A pack of Trojan horses? `This BBS offers a horde of Trojan Horses
for downloading.' Please reply directly to me, and I'll summarize in the
newsgroup.

2. Ross Greenberg is alleged to have written in Byte, June '89, page 275:
>In the DOS environment, viruses use JMPs or other system files
>to ply their trade.
I know that Ross knows that JMP is an instruction, not a system file.
Moral: check your proofs, or (c)Brain will infect every NOP in your system.

Dimitri Vulis
Department of Mathematics
CUNY GC

------------------------------

Date: Thu, 29 Jun 89 04:21:50 EDT
From: Revised List Processor (1.6a)
Subject: File: "VIRUS-L MAIL" being sent to you
To: VIRUS-L@spot.CC.Lehigh.EDU

Date: Thu, 29 Jun 89 09:16:26 BST
From: LBA002@PRIME-A.TEES-POLY.AC.UK
To: virus-l@LEHIIBM1
Subject: gatekeeper/vaccine on old macs

> PS I've discovered that GateKeeper won't work on our ancient 128/512k
> Macs to stop reinfection with the dose of nVirB we have going around.
> Am I right? If I am, any helpful suggestions?

You're probably right. The oldest versions of the System do not scan the
System folder for INIT (Startup), RDEV (Chooser), and cdev (Control Panel)
files; INIT resources contained in these files will not be executed.
GateKeeper and Vaccine are both cdev files.

You _might_ be able to install a hacked-up copy of Vaccine into the System
file on your startup disk(s). You'd need to configure Vaccine on a
more-modern machine... probably "protection on, expert display, don't
compile MPW INITs, don't show icon at startup". Then, use ResEdit to copy
the INIT and FKDT resources from the configured copy of Vaccine, and paste
them into the System file on your startup floppy. You could also try
configuring the copy of Vaccine to display its icon at startup time; you'd
then need to copy the ICN# resource from the Vaccine file and add it to the
System.

I haven't tried this and can't assure you that it would work... but it's
probably worth a try. Do it on _copies_ of Vaccine and of your startup
floppy, of course!

Best of luck!

Dave,

Thanks for the above. I tried it and although all the copying and pasting
via ResEdit worked OK, no joy when I booted up with the new system. The
Vaccine icon didn't appear and re-infection occurred when I used an infected
disk on the machine.

I have an application called "Immunity" which is supposed to protect the
System file from re-infection by inserting nVir=10 code into the resource
fork of the System file. It doesn't seem to insert it into other files that
could be infected, e.g. Finder, MacWrite, MacPaint etc. Could I use ResEdit
to copy the nVir=10 code and paste it into the other files/applications?

Rgds,
Iain Noble

------------------------------

Date: Thu, 29 Jun 89 09:19:46 BST
From: LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: virus bulletin newsletter

Somebody was asking about a new monthly newsletter I mentioned called "Virus
Bulletin." All I've got in the way of more information is a price, 195
pounds, and a UK telephone number, 0844 290396.

Rgds,
Iain Noble

------------------------------

End of VIRUS-L Digest
*********************
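Two of the reports in this issue describe the same defensive idea from opposite ends: the Karlsruhe alert identifies an infection by a fixed growth ("COM files grow by 50 bytes"), and the Cohen quotation describes Vaccine as a resident program that watches system files for modification. Both reduce to a baseline-and-compare integrity check. The script below is an added example written for this digest, not code from any of its contributors or from Vaccine or HomeBase; it records the size and SHA-256 of every executable-like file under a directory, diffs a later scan against that baseline, and reports whether all modified files grew by the same constant, which is the signature of an appending infector. The directory layout, file names and file contents it creates are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for executable files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions a DOS-era file infector would typically target (assumption for the example).
WATCHED_SUFFIXES = {".com", ".exe", ".sys"}


def fingerprint(path: Path) -> dict:
    """Size plus a cryptographic hash: size catches appenders, the hash catches in-place patches."""
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(root: Path) -> dict:
    """Map each watched file (relative to root) to its fingerprint."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    # In real use the baseline belongs on write-protected media, so an infector
    # cannot rewrite it along with the files it modifies.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(root: Path, baseline: dict) -> list:
    """Return (name, kind, size_delta) for every file that changed, vanished or appeared."""
    findings = []
    current = build_baseline(root)
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "missing", None))
        elif new != old:
            findings.append((name, "modified", new["size"] - old["size"]))
    for name in current:
        if name not in baseline:
            findings.append((name, "new", None))
    return findings


def uniform_growth(findings: list):
    """If every modified file grew by one and the same number of bytes, return that
    number; a constant delta across many files is what the alert's '50 bytes' symptom
    looks like in a report. Otherwise return None."""
    deltas = {delta for _, kind, delta in findings if kind == "modified"}
    return deltas.pop() if len(deltas) == 1 else None


def demo() -> tuple:
    """Run the whole cycle in a scratch directory and return (findings, growth)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins for DOS executables: a JMP opcode followed by padding.
        (root / "COMMAND.COM").write_bytes(b"\xe9" + b"\x90" * 200)
        (root / "FORMAT.COM").write_bytes(b"\xe9" + b"\x90" * 120)
        (root / "README.TXT").write_text("not a watched type")
        store = root / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulate the reported symptom: every COM file gains 50 trailing bytes.
        for com in root.glob("*.COM"):
            with com.open("ab") as f:
                f.write(b"\xcc" * 50)

        findings = compare(root, load_baseline(store))
        return findings, uniform_growth(findings)


if __name__ == "__main__":
    found, growth = demo()
    for name, kind, delta in found:
        print(f"{kind:9s} {name}" + (f"  ({delta:+d} bytes)" if delta is not None else ""))
    if growth is not None:
        print(f"all modified files grew by exactly {growth} bytes")
```

The JSON baseline is kept beside the files only for the demonstration; the check is only as trustworthy as the baseline, so in practice it is stored on media the scanned system cannot write to, and the comparison is run after a cold boot from a known-clean diskette, the same precaution Radai gives for removing a boot-sector virus with SYS.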