VIRUS-L Digest   Friday, 28 Jul 1989    Volume 2 : Issue 163

Today's Topics:

Vendor distribution of Jerusalem virus (PC)
Beta Testing for Flu_Shot+ (PC)
Virus Guard problems (PC)
VIRUSCAN and the 1701 virus (PC)
Re: resource fork viruses (Apple II)
do I need a doctor?
Re: Less well known viruses?
The British Computer Virus Research Centre
more on intentional viruses by software manuft.
Re: Viruscan tested.

---------------------------------------------------------------------------

Date: Thu, 27 Jul 89 09:06:27 -0500
From: "Mark S. Zinzow"
Subject: Vendor distribution of Jerusalem virus (PC)

MetraByte Corp. shipped an ASYSTANT GPIB demo. disk with an MBC-488 card
containing the Jerusalem virus to a department on campus. We found the
program VIRUSCAN to be very useful in detecting this virus on the four
systems in that dept. it had spread to. At this time we have no indication
of the virus spreading anywhere else on campus, but recommend the use of
VIRUSCAN as a precaution.

According to a letter from MetraByte dated July 11, 1989, ASYSTANT GPIB demo
disks shipped after May 17, 1989 may contain the virus. In another letter
they note a possible symptom of the virus, "...a black spot may appear on
the display periodically on the upper left hand side of the screen. The
virus blanks out a portion of the display of about 4 rows and 10 columns
while in DOS or in some other application..."

We found the description of the Jerusalem virus in the file allvirus.txt
obtained from ms.uky.edu helpful in understanding the behavior of this
virus.

Does anyone know if there is a PD program that will restore exe and com
files to their original state removing the infection?

- -------Electronic Mail----------------------------U.S. Mail--------------------
ARPA: markz@vmd.cso.uiuc.edu                Mark S. Zinzow, Research Programmer
BITNET: MARKZ@UIUCVMD.BITNET                University of Illinois at Urbana-Champaign
CSNET: markz%uiucvmd@uiuc.csnet             Computing Services Office
"Oh drat these computers, they are          150 Digital Computer Laboratory
so naughty and complex I could              1304 West Springfield Ave.
just pinch them!" Marvin Martian            Urbana, IL 61801-2987
USENET/uucp: {uunet,convex,att}!uiucuxc!uiucuxe!zinzow
Phone: (217) 244-1289   Office: CSOB 110   \markz%uiucvmd

------------------------------

Date: Thu, 27 Jul 89 08:24:28 -0400
From: "Gregory E. Gilbert"
Subject: Beta Testing for Flu_Shot+ (PC)

Recently, Mr. Greenberg posted a notice he wanted beta testers for his
FluShot+. I tried to contact him at:

UTODAY!GREENBER@UUNET.UU.NET .

The mail was returned with an unknown user: GREENBER . Does anyone have a
current address for Ross Greenberg? (I am a user at a BITNET node)

Thanks for the help and I apologize for the public posting of private
concerns.

Gregory E. Gilbert

[Ed. Ross is on a UNIX machine, try "greenber", not "GREENBER".]

------------------------------

Date: Thu, 27 Jul 89 09:28:00 -0700
From: GORDON_A%CUBLDR.Colorado.EDU@IBM1.CC.Lehigh.Edu
Subject: Virus Guard problems (PC)

A friend recently installed the memory resident program Virus Guard in his
AT clone. He then started having problems formatting his floppy drives.
After Virus Guard was removed, the problems disappeared. Any comments about
this?

Allen Gordon

------------------------------

Date: Thu, 27 Jul 89 09:24:51 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: VIRUSCAN and the 1701 virus (PC)

This is a forwarded message from John McAfee:
============================================================================

Christer Olsson noted that VIRUSCAN will not detect the 1701/1704 virus in
EXE files. I originally designed the program not to check EXE files for the
1701/1704 because the virus will not and cannot infect true EXE programs.
If, however, you rename your COM files to EXE files, as Christer Olsson has
stated, the virus will infect. I did not anticipate this eventuality, and
for timing purposes, scanned only COM files. On the assumption that there
will be others who rename COM files to EXE files, version V31 of VIRUSCAN,
which checks EXE files for 1701/1704, is now available. It also has been
modified to detect the new version of the Icelandic.

John McAfee
VIRUSCAN available on HomeBase - 408 988 4004

------------------------------

Date: Thu, 27 Jul 89 16:22:44 -0400
From: davewt@NCoast.ORG (David Wright)
Subject: Re: resource fork viruses (Apple II)

Maybe it's not that there aren't any good programmers any more, maybe it's
that they moved off IBM and Apple Machines. Take Cap'n Crunch... Now a big
Amiga hacker... All the Amiga virus programs "get down to the metal", and
use direct patches to the CPU vectors to protect themselves. In fact, the
Amiga virus showed up long before the Mac and PC viruses (that have been in
the news recently), yet got almost no publicity...

------------------------------

Date: 27 Jul 89 21:30:41 +0000
From: Eileen M Garland
Subject: do I need a doctor?

I have a PS/2 Model 30. Recently, some diskettes have become suddenly
unreadable. In addition, executing WP5.0 became so slow that I erased the
exe file and copied the original back onto the hard disk. Does this sound
like some virus? If so, what do I do next? Please explain in detailed,
non-technical terms, if possible.

(If this news group is the wrong place for this type of question, I
apologize; I notice that the articles seem quite technical and fairly
general, but I could sure use some help.)

------------------------------

Date: 27 Jul 89 23:07:43 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Less well known viruses?

I am passing the following message on for John McAfee of the HomeBase BBS

There has been some confusion about the Bantam Book's "DOS Power Tools"
diskettes, and the recent Wayne State newsletter advising purchasers of the
book not to use the diskettes has obviously concerned the editors at Bantam
- and the warning is unwarranted.

I was originally contacted by Robert Dimsdale of the NSA in April of this
year, reporting an unusual virus. He reported that he 'believed' the
infection came into the shop through the Bantam book. Subsequent reports
from two separate organizations also indicated the 'possibility' of
infection from the book. The reports were placed on the HomeBase board as
routine notes for the HomeBase researchers tracing down the Missouri virus.
I contacted Bantam Books to report the possible occurrences, and their
research at that time indicated that the reported infections were caused by
agents other than the book. I concurred. The original Dimsdale diskette was
destroyed before it could be analyzed, and the hard disk was low level
reformatted. Both other reports yielded no analyzable sample.

I have spoken twice with Steve Guty of Bantam today, and he tells me that
Bantam has sold over 200,000 copies of the book and accompanying diskette.
With this number of copies in circulation, it is entirely reasonable to
expect multiple occurrences of pre-existing infection in a system which
activate on or about the time that the Power Tools diskette is installed.
The user might then equate the virus activation with installation of the
diskette, even though the virus may have been in the system for weeks or
months prior to the installation of the Power Tools diskette. This happens
hundreds of times each month with other software packages. Rarely, in these
cases, has the virus involved actually been introduced with the diskette
that was suspected by the system user.

Given the wide circulation of the Bantam book, it is highly unlikely that
it could contain a virus without overwhelming numbers of infection
occurrences being reported. Also, sample copies of the book purchased
around the country by researchers have shown no indication of infection.
The Wayne State newsletter recommendation, in my opinion, should be
ignored. The Bantam Book software appears as safe as any vendor supplied
software.

Disclaimer: Neither Amdahl Corp, Onsite Consulting nor CSS Inc. have any
comment on the above data, nor is any claim or warranty made, given,
expressed or implied as to the accuracy or content of the above data. The
e-mail was passed as a courtesy to Interpath and as a Public Service
Message to clear misconceptions the net may have had about the above
subject matter.

------------------------------

Date: Thu, 27 Jul 89 19:31:00 -0400
From: WHMurray@DOCKMASTER.ARPA
Subject: The British Computer Virus Research Centre

I am not yet ready to institutionalize viruses. The rush to do so strikes
me as unseemly opportunism. I recognize the need to do research and the
value of the work done to date. However, that work demonstrates that it can
be done in existing institutions with broad and noble missions. Narrow,
specialized institutions are not required. Their creation runs the risk of
establishing the very behavior that they rightfully resist.

____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
Ernst & Young                           ARPA: WHMurray @ DOCKMASTER
2000 National City Center               MCI-Mail: 315-8580
Cleveland, Ohio 44114                   TELEX: 6503158580
                                        FAX: 203-966-8612
21 Locust Avenue, Suite 2D              Compu-Serve: 75126,1722
New Canaan, Connecticut 06840           TELEMAIL: WH.MURRAY/EWINET.USA

------------------------------

Date: Thu, 27 Jul 89 18:10:00 -0500
From: Gordon Meyer
Subject: more on intentional viruses by software manuft.

A number of weeks ago somebody posed a question about software companies
releasing viruses, on purpose, in order to protect their rights. At that
time I responded with a reference to an article where a software author
reportedly did know of several (or at least some) companies that were doing
so. Obviously the sources for such information were not disclosed. I
received a few flames for mentioning the article, but mostly from industry
mouthpieces that wanted to emphatically deny such a thing was happening.

Well...yet another "industry insider" has hinted that such things are
happening: Home-Office Computing. August 1988. Page 80. In a games preview
column the author states that some companies have developed "virus
protection" for their programs.... this "virus protection" is designed to
discourage crackers from re-engineering the program code to remove copy
protection.

That's all it says....very vague and could very well be another case of
"virus" being used in the wrong context. But, the blurb does indicate that
companies are doing so "secretly" and don't want folks to know about it.

Again, turn off the flame throwers. I'm not saying such things *are* going
on....just that there are indications that it *may* be. Screaming "no way"
is ignoring the potential and fails to account for these rumours.

- -=->G<-=-

------------------------------

Date: 27 Jul 89 23:59:32 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Viruscan tested.

In article <0005.8907261137.AA08543@ge.sei.cmu.edu>,
cth_co@tekno.chalmers.se ( CHRISTER OLSSON) writes:
> I tested VIRUSCAN but it can't find 1701/1704 (Cascade) virus in files
> with EXE-extension. If you rename a COM-file to an EXE-file, the 1701
> virus infected the file but VIRUSCAN doesn't check the file because
> VIRUSCAN only searches COM-files for the 1701/1704 (Cascade) -virus.

According to John McAfee at HomeBase and my own research the 1701 and 1704
viruses are COM infectors only at this point... not exe!!!

hope this clears up any misconceptions

cheers
kelly

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
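The VIRUSCAN/1701 exchange above (McAfee's note and Olsson's report) turns on a scanner scoping its work by file extension while the virus only cares about the file's real format. The following is an added illustration, not code from VIRUSCAN or from any poster: it classifies DOS executables by the MZ header rather than the extension, using constructed sample files, and shows that a COM image renamed to .EXE is skipped by an extension-based scope but picked up by a content-based one.

```python
# Added example: scope a DOS file scan by content, not by extension.
# Cascade (1701/1704) infects COM-format images only. A COM image renamed
# to .EXE is still a COM image, so a scanner that only looks at *.COM
# never examines it. DOS itself loads a file as an EXE only if it carries
# the "MZ" header ("ZM" is also accepted); anything else is run as a COM
# image, whatever its name.

EXE_SIGNATURES = (b"MZ", b"ZM")


def is_true_exe(data: bytes) -> bool:
    """True if the file image carries the DOS EXE header."""
    return len(data) >= 2 and data[:2] in EXE_SIGNATURES


def com_candidates_by_extension(files: dict) -> set:
    """Extension-only scope: just names ending in .COM are checked."""
    return {name for name in files if name.lower().endswith(".com")}


def com_candidates_by_content(files: dict) -> set:
    """Content scope: every non-MZ image is a COM image to the loader,
    so it is a candidate for a COM infector regardless of its name."""
    return {name for name, data in files.items() if not is_true_exe(data)}


def missed_by_extension(files: dict) -> set:
    """COM images an extension-only scope would never look at."""
    return com_candidates_by_content(files) - com_candidates_by_extension(files)


# Constructed sample "directory" (name -> file bytes); nothing here is a
# real infected file. A COM image has no header and starts with code
# (here: mov ax,4C00h / int 21h, a program that simply exits).
COM_IMAGE = b"\xb8\x00\x4c\xcd\x21"
# A true EXE starts with the MZ header; 62 zero bytes stand in for the
# remaining header fields, which this check does not need.
EXE_IMAGE = b"MZ" + b"\x00" * 62

SAMPLE_FILES = {
    "HELLO.COM": COM_IMAGE,     # ordinary COM program
    "EDITOR.EXE": EXE_IMAGE,    # true EXE: not a COM-infector target
    "RENAMED.EXE": COM_IMAGE,   # COM image renamed to .EXE (Olsson's case)
}

if __name__ == "__main__":
    print("by extension:", sorted(com_candidates_by_extension(SAMPLE_FILES)))
    print("by content:  ", sorted(com_candidates_by_content(SAMPLE_FILES)))
    print("missed:      ", sorted(missed_by_extension(SAMPLE_FILES)))
```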