VIRUS-L Digest   Wednesday, 12 Jul 1989   Volume 2 : Issue 149

Today's Topics:

VIRUS-L has been down, sorry
VIRUSCAN Availability (PC)
Re: nVIR and AppleTalk (Mac)
Re: ancient macs
Re: Other Mac viruses
VIRUSCAN.ARC (PC)
vaccine & ancient macs
Virus Plea #2
Re: Anyone heard of this new virus ?? (PC? No system given)
Re:nVIR and Appletalk (Mac)
Re: Request for info on viruses (PC)
viruscan placed on system for anonymous FTP access
Another strain of Lamer Exterminator on amiga.
RE: VACATION Virus Reported on INFO-VAX List (VAX/VMS)
Loren Keim and Proceedings

----------------------------------------------------------------------

Date: Wed, 12 Jul 89 14:00:00
From: krvw@SEI.CMU.EDU
Subject: VIRUS-L has been down, sorry

Sorry for the downtime, folks, but we experienced a water main breakage here last week which knocked out our air conditioning (hence, our computers) until today. Hopefully things will slowly return to normal around here now.

Ken

------------------------------

Date: Mon, 03 Jul 89 18:20:06 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: VIRUSCAN Availability (PC)

Hi everyone. I posted a note last week about the availability of VIRUSCAN on HomeBase and we have been literally swamped ever since with requests for information and downloads. Unfortunately, HomeBase is a small-town country-atmosphere BBS with a single data line and we cannot support the volume of requests that we've had. Also, I am a neophyte at using Usenet and Unix and cannot navigate well enough to even upload or download data. If there is some kind and generous user of Virus-L that could get a copy off of HomeBase and somehow make it available through SIMTEL (whatever that is) or some other medium, we would be eternally grateful. As for the rest of you, I would like to ask that you not call HomeBase for the file, but have patience and wait for it to be made available some other way.
Thanks, and the regular users of HomeBase (who are currently up in arms 'cause they can't get on) thank you too.

Alan Roberts
HomeBase - 408 988 4004

------------------------------

Date: Tue, 04 Jul 89 15:36:00 -0400
From: "Mark H. Anbinder"
Subject: Re: nVIR and AppleTalk (Mac)

Any Macintosh virus that spreads when an infected program is executed can be spread over AppleTalk networks, IF you are using file sharing or file server software such as AppleShare or TOPS. If you execute a program on a remote computer that happens to be infected, the System software on your local computer can be infected. From there, you will infect any other program you use. nVIR is particularly effective at spreading from program to program in this way, so be sure that any shared software, or anything on a shared file server volume, is clean.

As evidence: my hard drive was heavily infected with nVIR when someone else on my network (I'm running TOPS) asked to try out the software on my drive. He executed a couple dozen programs... shortly after having played an nVIR-infected game on his own computer. The disk containing the nVIR virus was never physically even NEAR my computer.

Mark H. Anbinder

------------------------------

Date: Tue, 04 Jul 89 15:41:00 -0400
From: "Mark H. Anbinder"
Subject: Re: ancient macs

Chances are your computers were not just upgraded to 800K RAM; there is no such configuration for any Macintosh. The DISK DRIVES might now be 800K disk drives (allowing you to use double-sided disks) rather than 400K drives.

What matters for your purposes is whether you have 512K of RAM or 1Mb. Or, of course, 128K, if your Macs are REALLY ancient. The way to determine this is to boot your computers with any startup disk, then, while in the desktop, choose About the Finder from the Apple menu. There should be a notation in the resulting window telling you how much memory your computer has.
Vaccine is fully compatible with any System whose Control Panel desk accessory lets you choose between multiple Control Panel Devices (cdevs) such as "General," "Monitors," "Mouse," etc. The best way to determine whether your computers can run such a version of the System software is to try startup disks with various System/Finder combinations. See your dealer for assistance.

Mark H. Anbinder

------------------------------

Date: 03 Jul 89 22:09:10 +0200
From:
Subject: Re: Other Mac viruses

>From macman Mon Jul 3 22:09:02 MET 1989 remote from ethz
>Newsgroups: comp.virus
>Organization: ETH Zuerich, Switzerland

There are quite a few other viruses on the loose: Several new strains of nVIR (named Hpat, AIDS, etc), with mainly the same infection code. Some are more harmful, some are less. Then, INIT 29, which is extremely virulent (active), but doesn't destroy anything. ANTI, which cannot be detected by ResEdit or older virus detection programs. This one is fairly widespread in Europe, but not much in the USA (the opposite is with Scores).

Prevention methods, besides fair computer hygiene (i.e. being careful when swapping disks with someone else) I urgently recommend the *regular* use of a virus detector such as Disinfectant or VirusDetective (commercial products like sam or virex do the same job, but cost). By regular, I mean on every new disk/program you receive, even if it was a sealed original, *plus* once a week on your hard disk.

- -- Danny Schwendener
MASH Virus Group
+-----------------------------------------------------------------------+
| Mail    : Danny Schwendener, ETH Macintosh Support                    |
|           Swiss Federal Institute of Technology, CH-8092 Zuerich      |
| Bitnet  : macman@czheth5a    UUCP  : {cernvax,mcvax}ethz!macman       |
| Internet: macman@ifi.ethz.ch Voice : yodel three times                |
+-----------------------------------------------------------------------+

------------------------------

Date: Wed, 05 Jul 89 09:47:07 -0700
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: VIRUSCAN.ARC (PC)

hi, i recently downloaded the file above from SIMTEL20. It contains a .EXE program called SCAN which i have run on Z-248 hard disk PC several times so far. When it completes the run it gives a message which sez the hard disk is "clean" That none of the 19 viruses were found on the disk.

Does anyone know of a user that actually "found" any viruses when using this SCAN.EXE program?

REgards, RollO~~

------------------------------

Date: Thu, 06 Jul 89 10:18:27 -0000
From: LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: vaccine & ancient macs

Dear Joe,

Thanks for the latest message and your patient help. I've tried System 4.1 and Finder 6.0 on the Macs but I keep getting the "bomb" and ID=12. Methinks the upgrade wasn't as total as I imagined? However the cutting and pasting of vaccine as suggested seems to have worked (at least the vaccine icon appears when I boot up.) I haven't tested it with an infected disk yet. I'll let you know what happens.

Rgds,
Iain Noble

------------------------------

Date: Wed, 05 Jul 89 22:12:00 -0400
From: "I've been sold....."
Subject: Virus Plea #2

VIRUS-PLEA 2/4

Hello, my name is Bill Hadley. I would like to ask a favor of the readers of VIRUS-L. I am doing research (which will hopefully become a book) on computer viruses and computer security. What I would like you to do, is to write me a letter if you have ever had an experience with a virus or trojan horse program. What I would ask that you include in your letter is:

    Name of the Virus or Trojan Horse.
    What computer and operating system does this virus/trojan horse exist on.
    What did the virus/trojan horse do.
    How did you deal with it.
    Where did this happen (ie. George Mason University in Fairfax, Virginia...or company name..whatever..).
    What is your name (if you don't mind if I put it in a section of names in the back of my book).
If you would please answer these questions and send them directly to me, WLHADLEY@GMUVAX.GMU.EDU (not VIRUS-L), I would greatly appreciate it. This will assist me on trying to track what viruses have spread and how. If you have had problems with more than one of these evil programs, then answer these questions for each virus/trojan in your letter (even the Internet Worm which struck last November). If more than one person writes me from one node with the same information, that is okay...it will help me in the verification of virus reports.

Please only answer this message once. I will try to post it once a month for the next three or four months to try to catch new readers. I realize that I will receive a lot of mail, I have already tried to make room for that. I thank you in advance for your assistance. I will post to the list anything I find of urgent importance to the readers of VIRUS-L. Again, thank you for your time.

Bill Hadley
WLHADLEY@GMUVAX.GMU.EDU
WLHADLEY@GMUVAX2.GMU.EDU

------------------------------

Date: 06 Jul 89 14:46:17 +0000
From: wasatch.utah.edu!c-msmith%ug.utah.edu@cs.utexas.edu (Matt Smith)
Subject: Re: Anyone heard of this new virus ?? (PC? No system given)

>Yesterday and today articles about a new virus appeared in an Israeli
>paper (Maariv). It seems that the virus (some sort of a TSR maybe ?)
>is planting typos (i.e typing mistakes) when printing to the printer.

I've also heard of a virus that randomly scans the screen and looks for 4 consecutive numbers in a row (like 1234), and then proceeds to rearrange them in a different fashion. That would certainly wreak havoc in a spreadsheet program.

Matt Smith
c-msmith@ug.utah.edu

------------------------------

Date: Wed, 05 Jul 89 09:41:33 -0400
From: Joe McMahon
Subject: Re: nVIR and AppleTalk (Mac)

E. C. Greer asks:

>Subject: nVIR and Appletalk (Mac)
>
>We've found a few MAC's here with nVIR (both A and B), and we're
>having some success in dealing with the infections using SAM. So far
>the affected machines appear to be isolated cases, but I'm concerned
>because most of our 100+ MAC's are networked with Appletalk. Can
>anyone tell me whether nVIR can be spread over Appletalk? If so, under
>what conditions is it spread, and what countermeasures can I take?

nVIR can transmit to a new machine in two ways:

1) The user runs an infected program on the machine, which installs the virus in the System file. After the "incubation period", the infected System file begins to spread the virus to applications run on the machine.

2) The user boots an infected System of his or her own and then runs applications which reside on the machine. This can infect applications even if the "normal" folder on the machine contains a virus blocker like Vaccine.

If your AppleTalk network only is used for mail or access to LaserWriters, you shouldn't have a problem. If you have AppleShare servers, make sure the servers are protected. You may have to disinfect the odd machine here and there, but the servers should be safe.

--- Joe M.

------------------------------

Date: 05 Jul 89 00:00:00 +0000
From: MIROWSKI@FRECP12.BITNET
Subject: Re: Request for info on viruses (PC)

Responding to a "Request for info on viruses (PC)", Reynolds Cafferata says "be sure to write a booting sector to boot disks and non-booting to non-booting disks".

There is no need to care about this because all boot sectors are identical for a given DOS version. FORMAT A:/S and FORMAT A: produce the same boot sector. So you can write the same boot sector to all disks.

You should only verify that what you write to the disk is really a DOS sector and not a sector produced by PCFormat or other software. Depending on whether you ask for a booting or a non-booting disk, PCFormat will copy the DOS boot sector or a sector of its own (that only displays a message without trying to search for DOS files further on the disk) when you format one.
It's rarely necessary to care about the distinction between 360 Ko and 1.2 Mo disks, because the information about the format is in the second sector of the disk (the first FAT sector) and DOS will take this second information in consideration. You will probably prefer to copy a 360 Ko boot sector to a 360 Ko disk and a 1.2 Mo boot sector to a 1.2 disk.

The manipulation is very simple. You need only DEBUG:

You start DEBUG

    C:\> DEBUG

You put a non-infected, FORMAT formatted disk in A:, close the door and type

    -l 0 0 0 1

You replace it by the disk you want to disinfect and type

    -w 0 0 0 1

That's all! You can repeat the last line for all the disks you need.

When you replace the boot sector on a booting disk, you should do it with a boot sector from the same DOS version. On a DOS disk you can also replace the boot sector doing SYS on it. It doesn't work on non-bootable disks.

Adam MIROWSKI

------------------------------

Date: Thu, 06 Jul 89 09:14:00 -0400
From: "Gerry Santoro - CAC-PSU 814-863-4356"
Subject: viruscan placed on system for anonymous FTP access

I dialed into the Homebase system and downloaded a copy of VIRUSCAN.ARC. I then placed it on my NeXT system to make it available for anonymous FTP. The system name is SNAFU.PSU.EDU and the file is in binary. Anyone experiencing problems trying to get to it should send me mail at GMS@PSUVM.PSU.EDU.

Since SNAFU is a test/development system I can't guarantee that it will always be available. I just wanted to facilitate getting this program out to people.

- -----------------------------------------------------------------------------
gerry santoro, ph.d.                  *** STANDARD DISCLAIMER ***
center for academic computing         This posting is intended to
penn state university          |      represent my personal opinions.
gms @ psuvm.psu.edu          -(*)-    It is not representative of the
gms @ psuvm.bitnet             |      thoughts or policies of anyone
..!psuvax1!psuvm.bitnet!gms           else here or of the organization.
- -----------------------------------------------------------------------------

------------------------------

Date: 10 Jul 89 07:14:24 +0000
From: rivm!ccemdd@uunet.UU.NET (Marco Dedecker)
Subject: Another strain of Lamer Exterminator on amiga.

Here is a warning to all amiga users, who completely rely on the current available viruskillers. The virus called 'Lamer Exterminator' has more than one strain. At least one of the strains will be recognized by virusX 3.2, but I came across another strain that wasn't recognized by it. And so far I haven't found a program that noticed the virus when it was in memory. The guardian only sees it when you execute the bootblock within the guardian, but it can't kill the virus although it said it did kill it.

The virus uses the KickTagPtr to stay resident and it manipulates the exec call DoIO, to make it reactivate after you have done some kind of IO.

Marco Dedecker.

------------------------------

Date: 07 Jul 89 13:32:48 +0000
From: ZDEE699@ELM.CC.KCL.AC.UK
Subject: RE: VACATION Virus Reported on INFO-VAX List (VAX/VMS)

In VIRUS-L Digest, Monday, 3 Jul 1989, Volume 2 : Issue 147, Brian D. McMahon writes:

>The following recently appeared on INFO-VAX; [...]
>
>>Date: 26 JUN 89 22:05:24.55-GMT
>>From: INFOVAX@FRIPN51.BITNET
>>To: INFO-VAX@KL.SRI.COM
>>Subject: RE: automatic mail answering service : WARNING, MAY BE VIRUS
>>
>>TAKE CARE: the program VACATION (distributed on a mailing list) is a
>>potential VIRUS for ALL the people registered on this list if used
>>with no modifications. It will reply to the list, so to itself...and
>>so on... And you will be on vacation, so you will not stop it quickly.
[...]
>>
>>Bernard PERROT
>>Institut de Physique Nucleaire
>>Orsay - France -

The moderator of VIRUS-L, Kenneth van Wyk answers:

>[Ed. It appears to me to be more a case of an infinite mail loop than
>anything that could be called a virus. [...]
[...]
> If the message goes out to the list, and the VACATION
>program replies, you have an endless cycle.

As Ken van Wyk said, this is a case of infinite mail loop. There is probably nothing wrong with the VACATION program, and the remedy lies in the list moderator/management's side.

To avoid this problem of infinite mail loop when VACATION is run, or a gateway is shutdown, many fileservers use a different address to receive commands and to send information. So if the data is returned to the sender (in this case the listserver), it ends-up in a different account and is NOT sent back again.

Examples:

    send commands to:
    and the server answers with id:

so if the data "bounces back", it is returned to the id NISTLIBD where it is not processed again, and dies there.

    send articles to:
    and the distribution is with id:

etc. etc.

The point is that for some reason (can you explain, Ken ?) bitnet listservers use the same ID to send and receive mail. Before VIRUS-L was moderated, messages bouncing back from gateways were redistributed again since the return path for bounced messages was the sender:

Now, I believe that most of the time, the messages are sent by the moderator, to the postmaster of the remote site, who sorts-out the problem with the user on the remote computer. But few lists are moderated, and perhaps it could be time to think about a way to stop these loops which I agree are very irritating to other users.

Olivier Crepin-Leblond
Computer systems & Electronics,
Dept. of Elec. Engineering, King's College London, England

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond          | - If no-one can do it                 |
|JANET   :                            |   then do it yourself                 |
|BITNET  :                            | - If you can't do it,                 |
|INTERNET:                            |   then P A N I C ! !                  |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date: 07 Jul 89 00:00:00 +0000
From: David M. Chess
Subject: Loren Keim and Proceedings

Does anyone have current contact info for Loren Keim (or does he still follow this list)? I have one or two people here who are waiting for copies of the Proceedings of the conference that he put together the other year. Anyone know the status?

DC

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
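
Added example, not part of Adam Mirowski's message or of the digest: a Python check for the step his post asks for before running `w 0 0 0 1`, confirming that the sector used as the clean reference looks like a DOS boot sector and then comparing a disk's sector 0 against it byte for byte, on his premise that boot sectors are identical for a given DOS version. The layout tests (jump at offset 0, 55 AA at offset 510, bytes-per-sector at offset 11), the function names and the sample sectors are assumptions constructed for illustration.

```python
import struct

SECTOR_SIZE = 512

def looks_like_dos_boot_sector(sector):
    """Return the reasons a sector does NOT look like a DOS boot sector."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    problems = []
    # A DOS boot sector starts with a jump over the BIOS parameter block.
    if not (sector[0] == 0xE9 or (sector[0] == 0xEB and sector[2] == 0x90)):
        problems.append("no JMP at offset 0")
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA signature")
    (bytes_per_sector,) = struct.unpack_from("<H", sector, 11)
    if bytes_per_sector != SECTOR_SIZE:
        problems.append("BPB bytes-per-sector is %d" % bytes_per_sector)
    return problems

def diff_against_reference(candidate, reference):
    """Offsets at which the candidate sector differs from the reference."""
    return [i for i, (a, b) in enumerate(zip(candidate, reference)) if a != b]

def check_disk(candidate, reference):
    """Verdict for one disk's sector 0 against a trusted reference sector."""
    ref_problems = looks_like_dos_boot_sector(reference)
    if ref_problems:
        # Never use a reference that is not itself a plausible DOS sector.
        return "reference rejected: " + "; ".join(ref_problems)
    changed = diff_against_reference(candidate, reference)
    if not changed:
        return "match"
    return "differs at %d byte(s), first offset 0x%03x" % (len(changed), changed[0])

def make_sample_sector(oem=b"SAMPLE33"):
    """Constructed 512-byte sector with a DOS-style layout (not real DOS code)."""
    s = bytearray([0x90]) * SECTOR_SIZE       # filler standing in for boot code
    s[0:3] = b"\xeb\x3c\x90"                  # short jump + NOP
    s[3:11] = oem                             # 8-byte OEM name field
    struct.pack_into("<H", s, 11, SECTOR_SIZE)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    clean = make_sample_sector()
    altered = bytearray(clean)
    altered[0x40:0x42] = b"\xcc\xcc"          # constructed two-byte change
    message_only = bytes(SECTOR_SIZE)         # stands in for a non-DOS sector
    print(check_disk(clean, clean))
    print(check_disk(bytes(altered), clean))
    print(check_disk(clean, message_only))
```

Real input would be the first 512 bytes of each disk or disk image, read in binary mode.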