VIRUS-L Digest Tuesday, 25 Jul 1989 Volume 2 : Issue 159 Today's Topics: query re: archive access re: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS) Missouri virus news? (PC) Wanted: Beta Testers for Flu_Shot+ (PC) RE: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS) update to F-PROT.ARC (PC) --------------------------------------------------------------------------- Date: Mon, 24 Jul 89 11:27:43 -0400 From: "M.S.Kolansky" Subject: query re: archive access Can someone tell me how to get at the LISTSERV virus archives. [Ed. Send mail to LISTSERV@LEHIIBM1.BITNET (same as LISTSERV@IBM1.CC.LEHIGH.EDU - for Internet users) containing one or more of the following commands: HELP - to get help INDEX VIRUS-L - to get a list of available files GET filename filetype - to retrieve a particular file (via e-mail) ] ------------------------------ Date: 24 Jul 89 00:00:00 +0000 From: David M. Chess Subject: re: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS) While I was lucky enough to be on vacation when CHRISTMA hit VNET, my impression is that (press to the contrary), VNET handled it about like BITNET did: a few nodes shut down or cold started, but most just installed and ran some filters on RSCS and local spool. Lots of human and CPU time and net bandwidth wasted, but not a system-wide shutdown. This is just an unofficial impression, of course! As far as I know, it's no harder to get a file from BITNET to VNET now than it was before CHRISTMA; the person you want to talk to on the VNET side has to be authorized with the gateway. Exactly how an IBMer gets authorized for BITNET access varies with site/division/etc. I'm authorized, for instance, and I can be sent mail from BITNET just by sending in the normal way to CHESS at YKTVMV (let's not all try this just to be sure it works, of course! Hehe). DC IBM T. J. Watson Research Center ------------------------------ Date: Mon, 24 Jul 89 15:07:42 -0400 From: "Dennis P. Moynihan" Subject: Missouri virus news? (PC) Way back in April the following was reported to this list: >Date: Thu, 27-Apr-89 13:57:27 PDT >From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM >Subject: Missouri Virus (PC) > >The Homebase group has logged over a dozen occurrences of this virus >but we have never successfully sampled it. The latest occurrence was >notable enough to pass on to Virus-L so that we might get some >assistance. The occurance was at the National Security >Administration. The virus came into their shop on a disk shipped with >the book - "DOS Power Tools", published by Bantam. This was the third >report of the virus entering an installation on this book. The virus >completely disables writing to the hard disk, but it does allow normal >reading of data already stored. Every site that has been hit has >destroyed or lost the original source disk, and the target disk. The >NSA is no exception. Robert Dimsdale of the NSA in Fort Meade >originally reported the virus to the CVIA and he cut the floppy into 8 >sections prior to calling. He then disrarded the standard CVIA advice >and low level formatted the hard disk. Anyone with any additional >information about this virus is invited to share that information with >what we already know by contacting the HomeBase board. We know that >Missouri is a virus and not a Trojan because we have documented four >occurances of its replication. Please do not contact Mr. Dimsdale >directly. Serious inquiries should be addressed through Jim Corwell >on Homebase. He will pass on your name to the NSA and they will >reply. > .... This just became a bit of a hot topic here today. We noted the report in our newsletter and have been receiving calls about it. Most have been from users who have "Dos power tools" and want to know if their machine will roll over any time soon. One, interestingly, was from Bantam. They wanted to know where we got this from. Anyway, have there been any more reports regarding this virus? I got the impression from the above that if a copy of "Dos power tools" had the virus people found out quick. Any other news in general on this? - -------------------------------------- Dennis Moynihan (DMOYNIHA@WAYNEST1) Computing and Information Technology Wayne State University Detroit, MI ------------------------------ Date: Mon, 24 Jul 00 19:89:34 +0000 From: utoday!greenber@uunet.uu.net Subject: Wanted: Beta Testers for Flu_Shot+ (PC) I'm all set to release a new version of FLU_SHOT+ and need some people as beta testers (all my current beta testers opted to take the summer off, those lucky dogs!). Requirements: MS-DOS 2.x - 4.x. In particular, I'm looking for 4.x people (there were some problems with the last release and 4.x) Send *me* E-mail, not the list. Many thanks. Ross M. Greenberg Author, FLU_SHOT+ ------------------------------ Date: Mon, 24 Jul 89 16:14:00 -0700 From: "Hervey Allen, U of O Comp. Ctr., (503) 686-4394" Subject: RE: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS) I have been reading the discussions on VM/CMS as pertaining to viruses and security with some interest. I was the Senior Consultant/Programmer at a small college for a system running VM/CMS when the CHRISTMA EXEC program was making its rounds. There were two of us who had complete control over the machine we were work- ing on (a 4341-2 w/1500 accounts) which made it extremely easy to spot and eradicate the CHRISTMA EXEC. We routinely checked the number of Reader (mail) files on our machine. We noticed an increase in files over the span of a few hours that was unusual so we checked our RSCS spool to see if anything unusual was happening and spotted the CHRISTMA EXEC file showing up repeatedly. We then took a look at the CHRISTMA EXEC (which we had both received) and realized what it was doing. At this point we wrote a few lines of code to search for all occurrences of the CHRISTMA EXEC on the system (in Reader or on disk) and to delete any that were found. We warned our users not to run the CHRISTMA EXEC (in case we missed any) and then we periodically checked for the EXEC over the next few days. We did not think of putting the check directly into RSCS, which is a better idea. The reason I bothered to write this was to make note of the possibility that those places where people dealt directly with their machines and the operating systems seemed to catch the CHRISTMA EXEC almost immediately, whereas on the IBM VNET many of the machines ran systems such as PROFS that separate the users from the operating system and most of the machines were maintained by a larger number of people who had less direct control over their environ- ments. I'm not advocating either system over the other, but, to us, it was interesting how trivial a problem the CHRISTMA EXEC was to deal with. On IBM's VNET, however, the offending program was not noticed until network traffic had become so high, and system spool resources were becoming full enough (I assume) that they were forced to shut the network down. This begs the question as to whether or not systems that are designed to be user friendly and administrations that are set up to keep access to data restricted are more susceptible to viruses/worms/trojan horses. I don't expect to answer this question, but it does seem to be a re-occurring theme when dealing with viruses. Hervey Allen <> <> Student Programmer/Virus Consultant University of Oregon Academic Computer Services | Disclaimer: The opinions expressed here are my own and in no way reflect | | the opinions of the University of Oregon. | ------------------------------ Date: Tue, 25 Jul 89 05:39:26 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: update to F-PROT.ARC (PC) I'm sending out an update to the f-prot package. Apparently there is some problem with one of the programs and some TSR programs. The F-LOCK.EXE program is being replaced in this update. Jim ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253