VIRUS-L Digest             Monday, 3 Jul 1989        Volume 2 : Issue 147

Today's Topics:

new network-virus group?
nVIR and Appletalk (Mac)
VACATION Virus Reported on INFO-VAX List (VAX/VMS)
Update on boot virus in Germany (PC)
Re: New Virus - Fu Manchu?

----------------------------------------------------------------------

Date:    Fri, 30 Jun 89 12:55:48 -0500
From:    "Jeffery K. Bacon"
Subject: new network-virus group?

A little while ago, there was some hashing about the overly pc-oriented
direction of this list or something like that. (Forgive me, I had 4+
weeks' worth of mail to catch up on in the past 1-1/2 wks, and it's been
a while since I read the virus-l notebook - which was sizeable. So...)

Anyway. I don't mean to hash on the pc virus gurus and the pc virus
problems - I will definitely agree, they are very serious, and need much
attention. In fact, I will say right here and now that THIS netgroup, in
my wide and varied experience, is one of THE most productive and useful
groups I have EVER seen ANYWHERE in netland. (Please note that when I say
'PC', I mean 'personal computer' in general, not IBM-PC&clones.) This of
course needs to continue.

My thought here is that the group has kind of shifted directions towards
the PC environment. But the networking environment and the issues
surrounding it are very different. There are of course no major network
virus dangers right now, but network security and finding loopholes is
always a major concern.

Is there a place for another list concerning viruses in the network and
PC-NFS/LAN environment? I remain kind of neutral on the issue, I just
bring it up here for thought. There might be some overlap with VIRUS-L as
it is, or perhaps with the SECURITY list, that might want to be
considered. But I personally know that most of what passes thru VIRUS-L
nowadays is of little interest to me because I rarely if ever work with
pc's. I imagine there are others who are like me here too.

Whaddya think?

Instead of discussing it here, it might be better to perhaps have the
comments sent to me (bacon@mtus5.bitnet) and I'll compile them. I'll
leave that to Ken to decide.

[Ed. Thanks for offering to compile the "votes", Jeff - I hope you're
prepared for some more mail to wade through! :-) I've received lots of
requests for, among other things, a Mac-only and a PC-only list. If the
readers feel that it is time to split the already heavy traffic into
separate groups, then it would seem (to me) to make sense to have a
Net-only group. I also think that if such a split is desired, then we'd
have to find a moderator/digestifier for each group, since I don't think
that I'll have enough time to handle all three (or however many) groups.
So, be careful what you ask for, you just may get it. Feedback, both
positive and negative, is appreciated.]

Jeffery Bacon
Academic Computing Svcs, Michigan Technological University
bitnet: uucp: !rutgers!umix!anet!bacos

------------------------------

Date:    06 (null) 89 09:06:28 +0000
From:    E. C. Greer
Subject: nVIR and Appletalk (Mac)

We've found a few MAC's here with nVIR (both A and B), and we're having
some success in dealing with the infections using SAM. So far the
affected machines appear to be isolated cases, but I'm concerned because
most of our 100+ MAC's are networked with Appletalk.

Can anyone tell me whether nVIR can be spread over Appletalk? If so,
under what conditions is it spread, and what countermeasures can I take?

------------------------------

Date:    Fri, 30 Jun 89 13:43:00 -0500
From:    "Brian D. McMahon"
Subject: VACATION Virus Reported on INFO-VAX List (VAX/VMS)

The following recently appeared on INFO-VAX; I have no further
information. Can anyone confirm/deny/elaborate?

>Date: 26 JUN 89 22:05:24.55-GMT
>From: INFOVAX@FRIPN51.BITNET
>To: INFO-VAX@KL.SRI.COM
>Subject: RE: automatic mail answering service : WARNING, MAY BE VIRUS
>
>TAKE CARE: the program VACATION (distributed on a mailing list) is a
>potential VIRUS for ALL the people registered on this list if used
>with no modifications. It will reply to the list, so to itself...and
>so on... And you will be on vacation, so you will not stop it quickly.
>Suppose just a few people of INFO-VAX use this program, and imagine
>the disaster, because it will also reply to all the mailings sent by
>all the running copies of this monstrosity.
>Surely it was not the will of the author of VACATION, but this
>program IS A VIRUS !
>
>Bernard PERROT
>Institut de Physique Nucleaire
>Orsay - France

[Ed. It appears to me to be more a case of an infinite mail loop than
anything that could be called a virus. I frequently get messages on
VIRUS-L/comp.virus which are sent from a VACATION program (VMS or Unix).
Since VIRUS-L is moderated, however, I merely delete the message. If the
message goes out to the list, and the VACATION program replies, you have
an endless cycle. Use any VACATION program very cautiously.]

------------------------------

Date:    30 Jun 89 00:00:00 +0000
From:    Christoph Fischer
Subject: Update on boot virus in Germany (PC)

CONTINUOUS BOOT VIRUS UPDATE

Finally we received a copy of the virus that appeared at two places in
West-Germany.

1. Both Viruses are identical
2. It infects COM files
3. It is a direct virus (no TSR)
4. Its size is 648 bytes (like the DOS62 virus)
   (the first value we announced was 50 bytes, the value phoned to us by
   the panicking owner of the infected PC. We assumed part of the virus
   hiding out in uninitialized DATA sections.)
5. It continuously boots over and over again
6. It overwrites the first 5 bytes with a JMP (3 Bytes) and byte 4 with
   BAh and byte 5 with B8h.
7. The JMP points to the beginning of the virus which starts with
   PUSH CX MOV DX,

Subject: Re: New Virus - Fu Manchu?

This virus was found by Joe Hurst in the United Kingdom and he should
have finished disassembling it by now (but I have not spoken to him for a
while)

------------------------------

End of VIRUS-L Digest
*********************
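
The mail loop described in the VACATION item above comes from an auto-responder answering list traffic and other automatic mail. The following is an added example, not code from the digest or from any VACATION program: a sketch of the guards an auto-responder can apply before replying. The function name, the one-week interval and all addresses are assumptions made for the illustration.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import getaddresses, parseaddr

REPLY_INTERVAL = timedelta(days=7)      # assumed policy: one notice per sender per week
BULK = {"bulk", "list", "junk"}
ROLES = ("mailer-daemon", "postmaster", "listserv", "owner-")

def should_auto_reply(raw, me, replied, now):
    """Return (send?, reason). `replied` maps address -> time of last notice."""
    msg = message_from_string(raw)
    # The address a reply would actually go to.
    target = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1].lower()
    local = target.split("@")[0]
    rcpts = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not target or target == me:
        return False, "no usable reply address"
    if msg.get("Precedence", "").strip().lower() in BULK:
        return False, "bulk or list precedence"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "automatic message"
    if "List-Id" in msg or local.startswith(ROLES) or local.endswith("-request"):
        return False, "list or role sender"
    if me not in rcpts:                 # list mail is addressed to the list, not to me
        return False, "not addressed to me directly"
    if target in replied and now - replied[target] < REPLY_INTERVAL:
        return False, "already notified recently"
    replied[target] = now
    return True, "reply"

# Constructed sample messages (all addresses are placeholders).
ME = "me@site-b.example"
LIST_POST = ("From: poster@site-a.example\nReply-To: info-vax@list.example\n"
             "To: info-vax@list.example\nSubject: RE: automatic mail answering\n\nbody\n")
DIRECT = ("From: colleague@site-a.example\nTo: me@site-b.example\n"
          "Subject: meeting\n\nbody\n")
OTHER_VACATION = ("From: other@site-c.example\nTo: me@site-b.example\n"
                  "Precedence: bulk\nSubject: away\n\nbody\n")

def demo():
    replied, t0 = {}, datetime(1989, 7, 3, 9, 0)
    runs = [(LIST_POST, t0), (DIRECT, t0), (DIRECT, t0 + timedelta(days=1)),
            (OTHER_VACATION, t0), (DIRECT, t0 + timedelta(days=8))]
    return [should_auto_reply(raw, ME, replied, now) for raw, now in runs]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The list posting is refused because the recipient's own address is not in To or Cc, which is the case the moderator's note describes; the per-sender interval bounds the damage if two responders still end up answering each other.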
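
The header pattern listed in the boot virus update above (a 3-byte JMP, then BAh and B8h as bytes 4 and 5) can be turned into a simple file check. This is an added example, not a tool from the digest or its contributors; it assumes the JMP is the E9 rel16 encoding and, for the size cross-check only, that the 648-byte body sits at the end of the file, neither of which the report states.

```python
import struct

VIRUS_LEN = 648                  # size given in the report
MARKER = bytes([0xBA, 0xB8])     # file bytes 4 and 5 (offsets 3 and 4) per the report
JMP_NEAR = 0xE9                  # assumption: the 3-byte JMP is the E9 rel16 form

def check_com_image(data):
    """Check one COM file image for the reported 5-byte header pattern."""
    finding = {"suspect": False, "jmp_target": None, "tail_is_648": False}
    if len(data) < 5 or data[0] != JMP_NEAR or data[3:5] != MARKER:
        return finding
    rel16 = struct.unpack_from("<H", data, 1)[0]
    target = (3 + rel16) & 0xFFFF        # file offset the JMP lands on
    if target >= len(data):              # jump leaves the file: not this pattern
        return finding
    finding["suspect"] = True
    finding["jmp_target"] = target
    # Assumption: the body sits at the end of the file, so the distance
    # from the jump target to end-of-file equals the reported size.
    finding["tail_is_648"] = (len(data) - target == VIRUS_LEN)
    return finding

def constructed_samples():
    """Inert byte strings built for this example; they contain no virus code."""
    host_len = 100
    header = bytes([JMP_NEAR]) + struct.pack("<H", host_len - 3) + MARKER
    pattern = header + b"\x90" * (host_len - 5) + b"\x00" * VIRUS_LEN
    clean_jmp = bytes([JMP_NEAR]) + struct.pack("<H", 0x10) + b"\x90" * 40
    clean_plain = b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3" + b"\x00" * 16
    return {"pattern": pattern, "clean_jmp": clean_jmp, "clean_plain": clean_plain}

if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(name, check_com_image(image))
```

A match on the header alone is a reason to inspect the file, not a diagnosis, since many legitimate COM programs also begin with a JMP.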