VIRUS-L Digest   Monday, 31 Jul 1989   Volume 2 : Issue 164

Today's Topics:

BBS virus possibilities (PC)
Re: Beta Testers for FLU_SHOT+
"Computer Condom" (from Risks digest)...
virus identification
TRUSS???? any one know??? (no system given)
message virus (was: Computer Virus Research)
Jerusalem Disinfector

---------------------------------------------------------------------------

Date:    26 Jul 89 04:56:51 +0000
From:    consp21@bingvaxu.cc.binghamton.edu
Subject: BBS virus possibilities (PC)

I have been working as an undergraduate consultant here at SUNY for a
while now, and have been part of our battles with the (c) Brain virus
that has been making the rounds; and have seen the damage that can be
done.

I would appreciate it if someone would post a list that details which
kinds of viruses (and which known viruses) can be transmitted along
with archived IBM PC files (assuming that the files were clean when
put in the archive), and how they can be found and eliminated.

Thanks in advance for your help...

- -----------------------------------------------------------------------------
Kenneth J. Hoover | "LN03, I knew LaserWriter.  I worked with LaserWriter.
SUNY-Binghamton   |  LaserWriter was my friend.  LN03, you're no LaserWriter!"
- -----------------------------------------------------------------------------

------------------------------

Date:    Fri, 28 Jul 00 19:89:12 +0000
From:    utoday!greenber@uunet.uu.net
Subject: Re: Beta Testers for FLU_SHOT+

Wow! The response has been overwhelming! The beta list is filled up
as of now with more testers than I could reasonably handle! VIRUS-L
certainly has some interesting people with some interesting hardware
and software: one beta-tester is running with a super-micro and a DOS
emulation box!

Anyway: to those who responded, I expect the alpha to finish this
weekend, and disks to ship early next week. The first beta period is
gonna close rapidly -- and you'll get instructions on what being a
beta tester means.
My thanks to those who responded and to Ken for the list, my apologies
for those a little late in responding.

Ross M. Greenberg
Author, FLU_SHOT+

------------------------------

Date:    Fri, 28 Jul 89 23:18:17 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: "Computer Condom" (from Risks digest)...

[From the Seattle Weekly, 5/3/89]

PUT A CONDOM ON YOUR COMPUTER

Ever worry that your computer might be hanging out in a network where
it will pick up some disgusting virus? Empirical Research Systems of
Tacoma suggests you supply it with one of their "computer condoms".
This high-tech prophylactic is a combination of hardware and software
embodied in a controller card that simply replaces the one already in
the machine.

Rick Cummings, the company's president, says the system "stops all
viruses" by monitoring the user network, the keyboard, and the program
in use. He notes that the system is programmable to alter the
parameters of its control on any given machine, but he guarantees
that, "when programmed to your requirements, it will not allow viruses
to enter."

The technology was developed through successful efforts to protect a
group of European banks from the massive virus that penetrated
European computer networks last autumn. "Naturally these became our
first orders," Cummings says. He has since picked up an additional
2500 firm orders in Europe, with 5000 more contingent on inspection of
the product. In the United States, the product has been reviewed by
Boeing Computer Services and computer technicians at the UW. It will
be on the domestic market "early next autumn at a cost of under
$1000," Cummings says.

DG -- Pardon me while I laugh uncontrollably.

------------------------------

Date:    29 Jul 89 00:00:00 +0000
From:    Christoph Fischer
Subject: virus identification

In our computer virus lab we have been working on the problem of
mutants of several viruses. Initially we intended to make antivirus
packages more secure.
Since a single byte added or removed from the virus code will cause
most antivirus packages to make erroneous repair attempts which might
result in even bigger harm than the virus itself will do. Furthermore,
watertight identification leads to a better 'Epidemiology' of the
different virus strains.

Thanks to the kind help of fellow virus researchers all over the world
we were able to obtain and try out quite a few viruses and their
mutants.

PROPOSAL VIRUS IDENTIFICATION ALGORITHM

PURPOSE:  Positive and secure identification of *known* viruses to
          prevent repair attempts on files infected by unknown mutants
          of a virus.

REPLACES: Identification by a unique string of code. (Which might
          still be unaltered at the same offset in the code of a new
          variant of the virus)

METHOD:   1. Identification of the *known* virus strain by a unique
             string or other feature (sUMsDos, (C)Brain, or the 1Fh in
             the seconds of the filetime)
          2. Relocation to segment offset 0 and possible decryption of
             the virus code. (This might be necessary for multiple
             parts of the virus)
          3. Writing zero over sections that contain variant parts
             like garbage from the last infection attempt or a
             time-bomb counter.
          4. Finally a CRC-sum is generated (maybe using more than one
             polynomial)

          If this signature matches the one calculated on the virus
          code for which the removal algorithm was designed it is safe
          to apply this antivirus program.

IMPLEMENTATION:
          We have done a test implementation in C and for 2 virus
          strains (6 viruses so far). Our goal is to prepare a toolset
          for quick addition of new variants to the set of
          identifiable viruses.

ADVANTAGE: Antivirus tools can identify exactly a specific virus
          without incorporating full or partial virus code in the
          antivirus program. (This would be a security risk if done in
          commercial or PD software)

Any comments or suggestions are welcome; respond to VIRUS-L or
directly, and we will summarize to the list!

Currently we are also working on virus behavior in networks.
For this we have set up a 4-machine Novell network. (PS2/80, PS2/60,
Atari386, and a good old PC-XT). Here also any suggestions and help
are welcome!

*******************************************************************
* Christoph Fischer and Torsten Boerstler                         *
* Micro-BIT Virus Center / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067     *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET      *
*******************************************************************

------------------------------

Date:    29 Jul 89 11:41:36 +0000
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: TRUSS???? any one know??? (no system given)

In a past issue of the Whole Earth Review there was an article on
computer viruses... in there was a security monitor program referred
to as truss .... anyone ever hear of it???????

thanx in advance
kelly

return replies to kelly@uts.amdahl.com

------------------------------

Date:    30 Jul 89 17:17:17 +0000
From:    hutto@attctc.Dallas.TX.US (Jon Hutto)
Subject: message virus (was: Computer Virus Research)

You might be interested to know that even messages can have damaging
viruses in them. On several local BBS's there have been Escape
sequences that have redefined keys so that when the sysop is in DOS
and hits a key, it starts deleting files and directories.

The worst thing about this is that people have been able to do this
for a long time. They are explained in the DOS Technical Reference
manual.

There are also rumors of a ZMODEM virus that spreads via ZMODEM
transfers, but I have not been able to find out very much about it,
and it may be just a rumor.

------------------------------

Date:    Sat, 29 Jul 89 15:59:43 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Jerusalem Disinfector

Mark Zinzow asked if there were a public domain program that would
restore programs infected with the Jerusalem virus to their original,
uninfected condition.
John McAfee's M-series programs have just been made shareware (M-1
removes the Jerusalem from COM and EXE files and restores them), and
the programs are available on HomeBase - 408 988 4004.

Alan

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
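
The four-step identification check from Christoph Fischer's proposal above, sketched in C as an added example (not the Karlsruhe test implementation, which the digest does not show). It assumes step 2 (relocation and decryption) has already produced the body, uses a single variant region, and picks CRC-32 and CRC-32C as the two polynomials; the `profile` layout, the function names and the harmless 32-byte `DEMO` sample are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
static const uint32_t POLY[2] = { 0xEDB88320u, 0x82F63B78u }; /* CRC-32, CRC-32C (reflected) */
struct profile {                            /* what one repair routine was written for */
    const char *marker; size_t marker_off;  /* step 1: cheap pre-filter */
    size_t body_len, var_off, var_len;      /* step 3: bytes zeroed before summing */
    uint32_t crc[2];                        /* step 4: expected sum per polynomial */
};

uint32_t crc_poly(const uint8_t *p, size_t n, uint32_t poly) { /* step 4: bitwise CRC */
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (poly & (0u - (c & 1u)));
    }
    return ~c;
}

/* Steps 3 and 4: zero the variant region in a copy, then checksum the whole body. */
int fingerprint(const uint8_t *body, size_t len, const struct profile *p, uint32_t out[2]) {
    uint8_t tmp[256];
    if (len != p->body_len || len > sizeof tmp ||
        p->var_off > len || p->var_len > len - p->var_off) return 0;
    memcpy(tmp, body, len);
    memset(tmp + p->var_off, 0, p->var_len);
    for (int i = 0; i < 2; i++) out[i] = crc_poly(tmp, len, POLY[i]);
    return 1;
}

/* Returns 1 only if the marker and both checksums match the enrolled strain. */
int safe_to_repair(const uint8_t *body, size_t len, const struct profile *p) {
    uint32_t c[2]; size_t m = strlen(p->marker);
    if (p->marker_off > len || m > len - p->marker_off) return 0;
    if (memcmp(body + p->marker_off, p->marker, m) != 0) return 0;
    return fingerprint(body, len, p, c) && c[0] == p->crc[0] && c[1] == p->crc[1];
}

/* Constructed, harmless 32-byte stand-in: marker "DEMO" at 4, counter at 16..17. */
int demo(int counter, int flip_off) {
    struct profile p = { "DEMO", 4, 32, 16, 2, { 0, 0 } };
    uint8_t b[32];
    for (int i = 0; i < 32; i++) b[i] = (uint8_t)(i * 7 + 1);
    memcpy(b + 4, "DEMO", 4);
    fingerprint(b, 32, &p, p.crc);         /* enrol the known strain */
    b[16] = (uint8_t)counter;              /* per-infection data changes */
    if (flip_off >= 0) b[flip_off] ^= 1;   /* one flipped bit stands in for a mutant */
    return safe_to_repair(b, 32, &p);
}
int main(void) { return !(demo(9, -1) == 1 && demo(9, 20) == 0); }
```

A changed counter or a flipped bit inside the zeroed region still matches the enrolled strain, while a single changed bit anywhere else, or any change in length, is rejected before a repair routine would run.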