VIRUS-L Digest Monday, 3 Jul 1989 Volume 2 : Issue 148 Today's Topics: Re: Request for info on viruses (PC) joe mcmahon - ancient macs Re: Request for info on viruses (PC) Trojan horse on CompuServe ERIC NEWHOUSE where are you? Re: CMS viruses (IBM CMS) more on West German boot virus ---------------------------------------------------------------------- Date: 03 Jul 89 14:42:09 +0000 From: dinda@cat51.cs.wisc.edu (Peter Dinda) Subject: Re: Request for info on viruses (PC) (c)Brain also seems to randomly mark sectors bad - whether there is anything in them or not. At UW-Madison's Academic Computing Center (MACC), we've also noticed that a new version of the virus is making its way into our labs - one that does not leave the (c)Brain warning and thus, can not be detected by our NOBRAIN program. Has anyone seen a detector that works by finding 'unique' code in the boot record? Peter A. Dinda (also dinda@WIRCS3.macc.wisc.edu) ------------------------------ Date: Mon, 03 Jul 89 15:37:38 -0000 From: LBA002@PRIME-A.TEES-POLY.AC.UK Subject: joe mcmahon - ancient macs Dear Joe, We are using System 3.2, Finder 5.3 (you see we really do have antiques!) I think this is because of having to use version 3.1 of the laserwriter to drive an equally ancient laserwriter. The machines have actually been upgraded to 800k RAM and it maybe that they can run on a more modern version of the system which will handle Vaccine etc. Any help welcome. Rgds, Iain Noble ------------------------------ Date: Mon, 03 Jul 89 12:37:56 -0400 From: ugcantie@cs.Buffalo.EDU (Bruce Cantie) Subject: Re: Request for info on viruses (PC) We have had the same (c) Brain running around UB for some time now, but have managed to kill it off. We Have the source code (written in C) for NOBRAIN, which will remove the bad sectors, and volume. We had picked up the cure from another University, and put it in all of our micro sites. Bruce Cantie --- ugcantie@sybil.cc.buffalo.edu ------------------------------ Date: Mon, 03 Jul 89 09:18:38 -0700 From: Steve Clancy Subject: Trojan horse on CompuServe I posted this message on the CompuServe Information Service today, and thought I would share it with the other members of Virus-L. The text of the message follows: . "I recently downloaded a file from library #2 of the SCIFI forum. The file, called STARS3.EXE is a trojan horse. It has been mentioned for at least a couple of years in a listing of known trojan horses and viruses called "The Dirty Dozen." The description (from DIRTY DOZEN VER. 8B) is included below: * * STAR.EXE 3072 T Beware RBBS-PC SysOps! This file puts some stars on the screen while copying RBBS-PC.DEF to another name that can be downloaded later! * After downloading this file, I checked it carefully using a program called CHK4BOMB.EXE which, among other things, dumps the program listing to the screen so that any ASCII threats, taunts, etc. can be seen. I found the strings "RBBS-PC DEF" and "RBBS-PC" in this program. * Now the security present in current versions of RBBS does not allow any file with the extension "DEF" to be downloaded by users. In addition, running this program DID NOT copy my RBBS-PC.EXE file to RBBS-PC.DEF as explained above, however, there may be some timing feature that I am not aware of. * In any event, I would highly suggest that you remove this file as soon as possible! It is potentially a dangerous file that is designed (though not very well!) to compromise the security of anyone who runs the RBBS-PC bulletin board software. * Please don't hesitate to contact me if you have any further questions. * Steve Clancy 714-856-7309, 71066,416" . . % Steve Clancy, Biomedical Library % WELLSPRING RBBS % % P.O. Box 19556 % 714-856-7996 300-9600 % % University of California, Irvine % 714-856-5087 300-1200 % % Irvine, CA 92713 % % % SLCLANCY@UCI % "Are we having fun yet?" % ------------------------------ Date: Mon, 03 Jul 89 09:57:46 -0700 From: Steve Clancy Subject: ERIC NEWHOUSE where are you? Well, it seems that Eric Newhouse, author of the famous "Dirty Dozen" has dropped out of sight again. I recently attempted to call his bulletin board system, but found that it was no longer his BBS. The Dirty Dozen is a great list of known trojan horse for the PC, and I would like to keep getting the updates. If anyone knows what his new number is, please let me know. Thanks. % Steve Clancy, Biomedical Library % WELLSPRING RBBS % % P.O. Box 19556 % 714-856-7996 300-9600 % % University of California, Irvine % 714-856-5087 300-1200 % % Irvine, CA 92713 % % % SLCLANCY@UCI % "Are we having fun yet?" % ------------------------------ Date: Mon, 03 Jul 89 13:08:54 -0400 From: Ed Nilges Subject: Re: CMS viruses (IBM CMS) >>in Communications Monitoring System (CMS) version 4 for IBM's MVS >>operating system where a dangerous virus could be introduced by simply >>programming 16 lines of code. That's Conversational Monitor System (formerly Cambridge Monitor System), and it is independent of, not "for", MVS. To my knowledge, ALL viruses on this system require some human action (to pull files in from the "virtual reader" user input queue). Although certain idiotic viruses (the CHRISTMA virus being the most notable) have affected CMS, it is not as subject to damage as is unix, where files are transmitted directly to the user's file space, rather than an independent queue. ------------------------------ Date: 03 Jul 89 00:00:00 +0000 From: Christoph Fischer Subject: more on West German boot virus DURING THE WEEKEND WE DISASSEMBLED THE VIRUS AND SOLVED THE MYSTERY ABOUT THE CONTINOUS BOOTING: AT BOTH LOCATIONS WE WERE CALLED TO, THE VIRUS HAD PATCHED A JUMP TO THE BIOS WARMBOOT ROUTINE IN TO THE COMMAND.COM WHICH WILL YIELD AN ENDLES BOOTING PROCESS SINCE WHEN THE SYSTEM COMES UP THE FIRST THING IT DOES IS STARTING COMMAND.COM. THE VIRUS PATCHES ITSELF INTO A PROGRAM IF ANY OF THE LOWORDER BITS OF SYSTEM TIME (SECONDS) ARE NON ZERO. IF ALL ARE ZERO IT PATCHES THIS FAR JUMP TO THE BIOS INTO THE PROGRAM. SO OUR CASE HAPPENS ONLY IN ONE OUT OF EIGHT CASES. FOR TWO LOCATIONS THIS MAKES 1 IN 64 CASES. :-) THE CODE OF THE VIRUS SEEMS TO BE IDENTICAL TO WHAT IS DESCRIBED AS DOS62 OR VIENNA SINCE WE DO NOT HAVE EITHER OF THE ORIGINAL VIRUSES WE CANNOT TELL FOR SURE WHETHER IT IS AN ORIGINAL OR A MUTANT. ANYHOW THE CODE SEEMS TO BE SOMEWHAT ARKWARD IN SOME PLACES, WHICH COULD BE A SIGN FOR A PATCHED VERSION. BYE CHRIS & TOBI ***************************************************************** * Torsten Boerstler and Christoph Fiscier * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253