VIRUS-L Digest   Wednesday, 26 Jul 1989    Volume 2 : Issue 160

Today's Topics:

Re: virus sociology
VNET and the CHRISMA EXEC (IBM VM/CMS)
Computer Virus Research
Less well known viruses?
Viruscan tested.
***WARNING*** VIRUSCAN Trojan (PC)

------------------------------------------------------------

Date:    25 Jul 89 12:47:21 +0000
From:    krvw@sei.cmu.edu (Kenneth van Wyk)
Subject: Re: virus sociology

In article virus sociology of 21 Jul 89 20:10:28 GMT
mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) writes:

>     The question is: can we speculate that many, if not most, of this
>scum reads (and perhaps participates) in this newsgroup?  Isn't the
>effort of cataloging all the viri egging the scum on to greater
>efforts?

I suppose that it's possible to find a pessimistic outlook on just
about everything...  The flip side of it is that we're getting
valuable information out to people who really need it to understand
(hence cope with) the virus problem.  I think that positive side
outweighs any negative side.

>     The next question is: how much effort should we be putting into
>getting the vendors of various machines and operating systems to
>design their software to be virus-proof as opposed to writing new
>virus detectors/fixers?  Let's face it, the current generation of
>personal computers have non-existent security not only from viri but
>also from user screwups.

Newer machines are already being equipped with features, such as
hardware memory protection, privileged i/o instructions, etc., that
can help in preventing viruses.  It's still up to the operating system
software to properly use the available hardware.  To that end, I
believe that it is worthwhile for customers to push vendors to supply
more secure and thoroughly tested hardware and software.

Ken

------------------------------

Date:    Tue, 25 Jul 89 09:49:00 -0400
From:    John McMahon
Subject: VNET and the CHRISMA EXEC (IBM VM/CMS)

***> From: David M. Chess
***> Subject: re: the CHRISTMA EXEC on BITNET and VNET (IBM VM/CMS)
***>
***> While I was lucky enough to be on vacation when CHRISTMA hit
***> VNET, my impression is that (press to the contrary), VNET
***> handled it about like BITNET did: a few nodes shut down or
***> cold started, but most just installed and ran some filters
***> on RSCS and local spool.  Lots of human and CPU time and net
***> bandwidth wasted, but not a system-wide shutdown.  This is
***> just an unofficial impression, of course!

As I recall, VNET Topology is not like BITNET's.  BITNET is currently
a tree structure, slowly migrating to a mesh topology backbone of
sites connected via the BITNET II software (NJE over TCP/IP).

VNET, on the other hand, is a set of trees connected by a fairly
extensive wide-area mesh backbone.  As I recall (it's been a while),
this mesh backbone only consists of a handful of nodes (Sixteen to
Twenty), one at each major IBM center.  Shutting that down would
effectively isolate each IBM center.

As to whether or not that is a "System-Wide" shutdown, well you will
have to ask the media.  As to whether or not that happened, you would
have to ask IBM.

+------------------------------------+----------------------------------------+
|John "Fast Eddie" McMahon           |    Span: SDCDCL::FASTEDDY (Node 6.9)   |
|Advanced Data Flow Technology Office|    Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV |
|Code 630.4 - Building 28/W255       |  Bitnet: FASTEDDY@DFTBIT               |
|NASA Goddard Space Flight Center    |GSFCmail: JMCMAHON                      |
|Greenbelt, Maryland 20771           |   Phone: x6-2045                       |
+------------------------------------+----------------------------------------+

------------------------------

Date:    Tue, 25 Jul 89 11:28:00 -0500
From:
Subject: Computer Virus Research

I am doing research at the University of Tennessee on the current
state of computer viruses.  Most of the material that I have found to
date has been written by members of this discussion list.  I would
appreciate direct correspondence from members who have written papers,
books or articles or who are currently conducting research in this
area.  If nothing else, I would like to make a reference to other
research work that is being conducted by members of the discussion
list.  If any of you have other material that can be sent to me
electronically, I would appreciate it.  I will redistribute a complete
list of these research references via this discussion group.

------------------------------

Date:    Tue, 25 Jul 89 19:36:47 -0000
From:    David.J.Ferbrache
Subject: Less well known viruses?

Having just finished an update on the list of known IBM and MAC
viruses I have come across a few reported viruses which no/few details
seem to be available on.  These are:

IBM PC Boot sector

  Nichols virus    both are incorporated in the 0.29 viruscan test
  2730 virus       strings, but have not been reported in full

IBM PC Link viruses

  Screen           characteristic lengths and identifying signatures
  Dbase            are currently unknown for these two viruses covered
                   in Ross's article in the June edition of byte

  Agiplan          So far no-one seems to have a sample of this virus
                   available, also no signatures have been provided

  Mistake          Again no signatures available

I would also be interested in characteristic lengths and signature
byte sequences for a number of the Homebase variants described in Jim
Goodwin's list.

On a further point a remarkable similarity has been established
between the Saratoga and Icelandic (variant 1) virus code.  This
similarity is reflected in the code sequences used by Viruscan 0.29.
The question raised by this observation is which came first, the
Saratoga virus detected in California or the Icelandic virus.  With
the recent report of a second strain of the Icelandic virus which
bypasses Interrupt table dos call monitoring methods it seems that the
virus is under active development by a hacker in Iceland.

Finally, I will be forwarding three notes from Joe Hirst in the next
few days concerning the Ashar variant of Brain, Saratoga virus and his
views on the foundation of national research centres.  I will
establish a temporary mail account for his centre and will relay any
correspondence received.

- ------------------------------------------------------------------------------
Dave Ferbrache                      Internet
Dept of computer science            Janet
Heriot-Watt University              UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                      Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom           Facsimile  +44 31-220-4277
EH1 2HJ                             BIX/CIX    dferbrache
- ------------------------------------------------------------------------------

------------------------------

Date:    26 Jul 89 00:12:43 +0200
From:    cth_co@tekno.chalmers.se (CHRISTER OLSSON)
Subject: Viruscan tested.

I tested VIRUSCAN but it can't find the 1701/1704 (Cascade) virus in
files with EXE-extension.  If you rename a COM-file to an EXE-file,
the 1701 virus infects the file but VIRUSCAN doesn't check the file
because VIRUSCAN only searches COM-files for the 1701/1704 (Cascade)
virus.

------------------------------

Date:    Tue, 25 Jul 89 19:47:00 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: ***WARNING*** VIRUSCAN Trojan (PC)

Someone has taken the VIRUSCAN program and hacked it into a trojan.
Richard Levey of Shareware Enterprises in Elmont, NY, and J.J. Webb of
Lockheed have both submitted copies of a program that they thought was
identical to VIRUSCAN version 19 in the way it operated.  On analysis,
the program turned out to be Viruscan V19 with a number of
modifications.  No attempt was made to modify the VIRUSCAN program
messages, internal data strings or instruction sequences, with the
single exception of the copyright notice.  The copyright notice was
changed to "Copyright 1989, WileySoft Corporation".  The only
modification made to the documentation was the change of name and
address to:

     WileySoft
     11 Trafalgar Square
     Nashua, NH 03063

And a request to send $24 to the above address was added.  The program
was then compressed, a front end loader/decompressor was tacked on,
and the final package was infected with what appears to be a modified
version of the Jerusalem virus.  The final EXE file was named SCAN
(the same as the VIRUSCAN executable module) and was 22917 bytes long.

A check with the local Nashua phone company found no listing for such
a company, and no WileySoft Corporation was registered in the state of
New Hampshire.

VIRUSCAN users should be aware of this trojan program.  Please check
that your executable module is exactly 34400 bytes long.  All versions
of VIRUSCAN have been this length and all future versions are planned
to have the same length.  Ensure that the McAfee Associates copyright
is displayed with the version ID and phone number in the first display
line.  If there are any questions about the validity of your program,
an original copy may be downloaded from HomeBase, 408 988 4004, from
SIMTEL20 or some other reliable source.

John McAfee

------------------------------

End of VIRUS-L Digest
*********************
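
Added example, not part of the digest and not VIRUSCAN's code: Christer
Olsson's report above describes a scanner that picks its signature set
from the file extension, so a COM image named .EXE is never checked for
a COM-infecting virus.  The sketch contrasts that with picking the set
from the file's content (an EXE image starts with "MZ"); the signature
bytes, file names and function names are all constructed.

```python
from pathlib import PurePath

# Constructed placeholder signatures, keyed by the image format they apply to.
# These are NOT real virus signatures and not taken from VIRUSCAN.
SIGNATURES = {
    "com": {"com-infector-placeholder": b"\xde\xad\xbe\xef\x17\x01"},
    "exe": {"exe-infector-placeholder": b"\xca\xfe\x00\x34"},
}

def kind_by_extension(name):
    """Format as a name-driven scanner sees it: trust the extension."""
    ext = PurePath(name).suffix.lower().lstrip(".")
    return ext if ext in SIGNATURES else None

def kind_by_content(data):
    """Format taken from the bytes: EXE images begin with MZ (or ZM);
    anything else is treated as a flat COM image."""
    return "exe" if data[:2] in (b"MZ", b"ZM") else "com"

def scan(data, kind):
    """Names of the signatures for `kind` that occur in `data`."""
    if kind is None:
        return []
    return sorted(n for n, sig in SIGNATURES[kind].items() if sig in data)

def scan_by_extension(name, data):
    # The behaviour described in the report: signature set chosen by name.
    return scan(data, kind_by_extension(name))

def scan_by_content(name, data):
    # Hardened variant: the name is ignored, the header decides.
    return scan(data, kind_by_content(data))

def mismatch(name, data):
    """True when the extension claims a format the content does not have;
    worth logging on its own, whatever the signature scan returns."""
    ext = kind_by_extension(name)
    return ext is not None and ext != kind_by_content(data)

# Constructed sample: a flat COM-style image carrying the placeholder bytes.
INFECTED_COM = b"\xe9\x10\x00" + b"\x90" * 16 + b"\xde\xad\xbe\xef\x17\x01"
CLEAN_EXE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for name in ("GAME.COM", "GAME.EXE"):
        print(name, scan_by_extension(name, INFECTED_COM),
              scan_by_content(name, INFECTED_COM), mismatch(name, INFECTED_COM))
```
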