VIRUS-L Digest   Thursday, 20 Jul 1989   Volume 2 : Issue 155

Today's Topics:

Is this a Macintosh Virus?
VIRUSCAN program (PC)
Re: virus interviews
Re: CMS viruses (IBM CMS)
More on VIRUSCAN (PC)
VACATION & VALERT-L (was Re: VACATION Virus)
(Possibly) a new COMMAND.COM virus (PC)
Leisure Suit Larry .... (PC)

---------------------------------------------------------------------------

Date: Wed, 19 Jul 89 08:41:00 -0500
From:
Subject: Is this a Macintosh Virus?

Has anyone ever encountered a virus that changes the normal "watch"
cursor to a cockroach? This happened several times within ResEdit, but
disappeared after ResEdit was exited and could not be repeated. The disk
has been inspected with Disinfectant and SAM. No viruses were found. I
also checked for unknown INIT resources in the system folder. The same
system was recently infected by nVIR. Disinfectant was used to eradicate
it. Any words of wisdom?

------------------------------

Date: Wed, 19 Jul 89 10:09:53 -0700
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: VIRUSCAN program (PC)

For those who are interested in such things:

a. The VIRUSCAN software now called SCANV26 is available for downloading
   from SIMTEL20 as SCANV26.ARC.1, same directory as before.

b. I ran the scanv26 (scan 0.3V27) program on a DOS V2.11 PC and it
   scanned multiple (7) diskettes on Drives A: & B: with no problems.
   This program correctly identified the number of
   directories/sub-directories and files contained on each separate disk.

NOTE: I understand that as of yesterday, Version29 is now available from
the HOMBASE BBS.

REgards, RollO~~

------------------------------

Date: Wed, 19 Jul 89 12:03:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: virus interviews

> A Mr. Atsushi Tanaka is visiting me today from Japan, interviewing me for
> Nikkei Computer Magazine.
> He will be in the San Francisco area July 11 &
> July 13, and wishes to meet with people involved in anti-virus and computer
> security activities on a wide variety of machines from Micros to Mainframes.
>
> If anyone is interested and can spend some time doing an interview, please
> send me mail at the below address, including phone number, and I'll pass
> the information on to Tanaka-san.

Unfortunately I was out of town!!!grin!! but for future reference John
McAfee locally here in Santa Clara is probably the best one to talk to...
a lot of the local antiviral people dump all their data on him... reach
him at Interpath Corp at 408-988-3832

cheers
kelly

------------------------------

Date: Wed, 19 Jul 89 12:25:00 -0700
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: CMS viruses (IBM CMS)

> >>in Communications Monitoring System (CMS) version 4 for IBM's MVS
> >>operating system where a dangerous virus could be introduced by simply
> >>programming 16 lines of code.
>
> That's Conversational Monitor System (formerly Cambridge Monitor System),
> and it is independent of, not "for", MVS. To my knowledge, ALL viruses
> on this system require some human action (to pull files in from the
> "virtual reader" user input queue). Although certain idiotic viruses
> (the CHRISTMA virus being the most notable) have affected CMS, it is
> not as subject to damage as is unix, where files are transmitted
> directly to the user's file space, rather than an independent queue.

sorry guys I hate to dispel your fantasies on both of you but rumours are
getting rife as of late and it's time to quench some of them:

1. CMS is also known as VM/CMS it's the equivalent of a complete OS in its
   own virtual machine...

2. neither MVS nor VM could be infected by 16 bytes of code in a
   non-obtrusive manner... an overwriting virus possibly...!! however
   these are both large expensive mainframe SCP(system control programs)
   note I didn't include CMS in this he is a user interface!!
   but they most definitely can be infected!!!!!!

3. given the richness of the 2 above environments and both of them predate
   any other System control programs currently used now... no human
   intervention is necessary for an infection mechanism to accomplish its
   designed task!!!!

4. to achieve point 3 above... one must be what is known in IBM Parlance
   as a SYSPROG not just a technical support specialist... in other words
   it most likely is not going to be the local 14 year old sunnyvale
   hacker!!!(that would implement this code)

cheers
kelly

------------------------------

Date: Wed, 19 Jul 89 21:51:10 -0000
From: A.SIGFUSSON@ABERDEEN.AC.UK
Subject: More on VIRUSCAN (PC)

After my first comments on VIRUSCAN I have had some replies from other
people and this program seems to work in different ways on different
machines. I have used it on a COMMODORE PC 10 II and an AMSTRAD 1640, both
using MSDOS 3.2 and in both cases when doing a multiple scan of diskettes
the program thinks it is scanning the same diskette. I have tried this
both on drive A: and B: and this makes no difference.

Rollo D. Rogers has tried this on different types of machines and had no
difficulties if the scan was done on the B: drive using DOS 3.2 (I think)
but if scanned on drive A: the scan is not done properly. As I pointed out
this can be avoided by doing something different like DIR or as Rollo D.
Rogers suggested by hitting *C before each disk.

There is a new version of VIRUSCAN out now and since I do not have a copy
I don't know if this has been fixed but I would be interested to know or
if someone could mail me a copy.

Best regards,
Arnor Sigfusson (A.SIGFUSSON@UK.AC.ABERDEEN)

------------------------------

Date: 19 Jul 89 22:14:27 +0000
From: bucsb!ckd@husc6.harvard.edu (Christopher Davis)
Subject: VACATION & VALERT-L (was Re: VACATION Virus)

In article <> VIRUS-L@IBM1.CC.Lehigh.EDU writes:
- - [Description of Vacation "virus" deleted]
- -
- - [Ed.
- - It appears to me to be more a case of an infinite mail loop than
- - anything that could be called a virus. I frequently get messages on
- - VIRUS-L/comp.virus which are sent from a VACATION program (VMS or
- - Unix). Since VIRUS-L is moderated, however, I merely delete the
- - message. If the message goes out to the list, and the VACATION
- - program replies, you have an endless cycle. Use any VACATION program
- - very cautiously.]

All the vacation programs I've ever seen only send one reply to any
address; this is to prevent mail loops such as the one that we saw on
VALERT-L not too long ago.

[For those not on the list, what happened is that a VACATION program sent
one--count 'em, one--reply to the list (a reply to a mis-sent subscription
request, at that!). Then, some JANET site started bouncing mail back due
to a full disk at one site--but was bouncing it to THE LIST ADDRESS.
Needless to say, the resulting mail loop was rather horrendous, especially
since the messages got bigger each time. --ckd]

- --
/\ | / |\ @bu-pub.bu.edu | Christopher K. Davis, BU SMG '90
/ |/ | \ %bu-pub.bu.edu@bu-it.bu.edu | uses standardDisclaimer;
\ |\ | / | BITNET: smghy6c@buacca
\/ | \ |/ @bucsb.UUCP or ...!bu-cs!bucsb!ckd if you gotta.
--"Ignore the man behind the curtain and the address in the header." --ckd--

------------------------------

Date: Wed, 19 Jul 89 23:11:29 +0000
From: Fridrik Skulason
Subject: (Possibly) a new COMMAND.COM virus (PC)

Yesterday I went to check out a reported virus infection in a large
company here. The main symptom was that COMMAND.COM would grow by approx.
400 bytes, when it was infected. The virus was a bit similar to the
original "Jerusalem" virus in one respect - it was unable to recognize
existing infections and the file would just grow and grow (which caused it
to be noticed).

When I arrived, they were very proud that they had just "wiped out" the
infection.
They did not reformat every single hard disk, as one site here that got
infected by the Ping-Pong virus just did, but they wiped out every copy of
COMMAND.COM using WIPEFILE, and then restored them from the original
floppies.

So - I was unable to obtain a sample.

Since the description does not fit any virus that I know of, I would like
to ask everybody if they have heard of this virus, which (just possibly)
arrived with a number of illegal copies of software from Hong-Kong.

If I obtain a sample or more information, I will post a full description
on VIRUS-L.

------------------------------

Date: Thu, 20 Jul 89 08:33:06 -0500
From: Thomas Heil
Subject: Leisure Suit Larry .... (PC)

Hello!

Could someone please summarize the "Leisure Suit Larry" trojan horse case
for me? I heard about it but didn't learn the details yet. Please respond
directly to me as I'm not on this list.

Thanks in advance,
T.H.

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
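
Added example, not part of the digest and not any poster's code: the decision a vacation auto-responder makes before replying, relating to the VACATION & VALERT-L message above. The one-reply-per-address rule is the one stated in that message; the checks for bulk/list precedence, daemon senders and mail not addressed to the user go beyond it and are assumptions, as are the class name, the helper names and every address used.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

BULK_PRECEDENCE = {"bulk", "list", "junk"}
DAEMON_LOCALPARTS = {"mailer-daemon", "postmaster", "listserv"}  # assumed set

class VacationResponder:
    """Decides whether an auto-reply is safe to send (hypothetical class)."""

    def __init__(self, own_address):
        self.own = own_address.lower()
        self.already_replied = set()  # senders that have had their one reply

    def should_reply(self, raw_message):
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender or sender == self.own:
            return False, "no usable sender"
        # Bounces and list servers must never trigger a reply.
        if sender.split("@")[0] in DAEMON_LOCALPARTS:
            return False, "daemon sender"
        if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
            return False, "bulk/list precedence"
        # List traffic is addressed to the list, not to us personally.
        rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if self.own not in {addr.lower() for _, addr in rcpts}:
            return False, "not addressed to us"
        # The rule from the message above: one reply per address.
        if sender in self.already_replied:
            return False, "already replied"
        self.already_replied.add(sender)
        return True, "reply sent"

def make_msg(frm, to, precedence=None):
    """Build a constructed sample message (all addresses are made up)."""
    headers = [f"From: {frm}", f"To: {to}", "Subject: test"]
    if precedence:
        headers.append(f"Precedence: {precedence}")
    return "\n".join(headers) + "\n\nbody\n"

def demo():
    me = "user@example.edu"
    r = VacationResponder(me)
    samples = [
        make_msg("alice@example.org", me),                   # first contact
        make_msg("alice@example.org", me),                   # same sender again
        make_msg("LIST-L@example.edu", "LIST-L@example.edu", "bulk"),
        make_msg("bob@example.org", "LIST-L@example.edu"),   # list traffic
        make_msg("MAILER-DAEMON@example.ac.uk", me),         # bounce
    ]
    return [r.should_reply(s) for s in samples]
```

The replied-to set is held in memory here; a responder that runs once per delivered message needs it stored on disk to keep the one-reply rule across runs.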