VIRUS-L Digest Monday, 7 Aug 1989 Volume 2 : Issue 169 Today's Topics: Infection report (PC) re: Israeli boot viruses - naming (PC) FluShot+v1.6 boot block checksum alerts? (PC) Re: viruses that reprogram ANSI keys All about Virus (PC) axe by sea (PC) --------------------------------------------------------------------------- Date: Fri, 04 Aug 89 10:22:00 -0500 From: Holly Lee Stowe Subject: Infection report (PC) I asked Ken (hi!) whether I should report a recent infection here to someone, and to whom I should report it, and he suggested that I post it here and let those folks doing tracking contact me if need be... so... :-) We recently have found Yale/Alameda in 3 of our micro clusters on a total of approximately 10-12 disks. We also found it on one of our faculty's disks. Fortunately, we feel we caught it early on, and this particular virus is not difficult to eradicate, nor does it cause irreparable damage. The bad news is that we still do not have permission to put regular disk checking in place for our IBM clusters, and the discovery of the virus was more an accident than anything else. One of our consultants recently downloaded VIRUSCAN off Homebase and was showing it to another consultant. (Since our Scores infection in our Mac clusters last winter, every time a disk doesn't work, we here the cries of "Virus!". It turns out that this time it was valid.) I hope that with this infection, as it was with Scores, we will be given the green light to make some checking policies in the IBM clusters as well as the Mac's. Those who track infections of various viruses are welcome to contact me at IHLS400@INDYCMS.BITNET if they wish. Please don't become concerned if I don't respond immediately as I'm getting ready to go on *VACATION!* for 2 weeks. I will reply on my return. (Computers... just say NO! :-) - -Holly If something is preposterous, does it later become postposterous? ------------------------------ Date: 04 Aug 89 00:00:00 +0000 From: David M. Chess Subject: re: Israeli boot viruses - naming (PC) Y. Radai: > I suggest we call it the Swap virus, since the words > SWAP VIRUS FAT12 appear in the modified boot sector. Although Yuval's sample disk does contain those words, I assumed that he must have put them there himself, as a way of labelling the diskette. When the virus spreads, it does not (as far as I've been able to tell from both testing and disassembly) put those words in the boot sector. All it does is change the initial JMP, and overlay 31 bytes of the original boot sector (in the message-text area in at least some versions of DOS) with its code to load and call the main virus from its "bad" sector. The words "SWAP VIRUS" don't occur anywhere on the freshly-infected diskette I just produced. Since the virus doesn't really "swap" anything, I'm not sure how good a name that is, although "Israeli boot" is poor for the reason you give. Naming is a pain, isn't it? We could call it the "Falling Letters Boot Virus" (tho' there'll probably be another one next month...). DC ------------------------------ Date: Fri, 04 Aug 89 13:26:00 -0600 From: Pete Klammer/303-556-3915 Subject: FluShot+v1.6 boot block checksum alerts? (PC) Help! I am either infected or else just mystified! (Or...???) I am getting frequent messages from FluShot+ version 1.6 saying, Boot Record Checksum(s) do not match! and, indeed, if I go into DEBUG>L 0 2 0 1, there I find at offset 002E/ 5F 0E 0A at one time and B8 E2 09 at another. My boot block is changing! VIRUSCAN version 0.4V30 does not detect anything. My boot-block documentation here is scanty... I did a VOLABEL C: and the label I gave does not appear anywhere in DEBUG>D 0 L 200 output... am I really looking at my boot block? Isn't that where the label is? /** --poko " I'm half Estonian, which makes up for the other half. " Pete Klammer/Systems Programmer/(303)556-3915 PKLAMMER@PIKES.COLORADO.EDU CU-Denver Computing Services / Campus Box 169 BITNET: PKLAMMER@CUDENVER 1200 Larimer St NC2506 / Denver CO 80204-5300 UU:!boulder!pikes!pklammer **/ ------------------------------ Date: 04 Aug 89 20:27:47 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: viruses that reprogram ANSI keys In article <0004.8908041206.AA09232@ge.sei.cmu.edu>, hutto@attctc.Dallas.TX.US (Jon Hutto) writes: > They don't usually harm people using communications softwares as much as > it does BBS's, because the sequences are set for only certain directories, > and files. The trick of defining a command sequence to create sushi on a unix system would compromise root integrity... most comm software that is capable of either emul atining programmable terminal sequences or ansi.sys and programs that implement those sequences are capable of accepting a command line into a buffer or windo w with the view attribute set to non-visible and then retransmitting that comma nd to the host unix system all under remote control.... I could hardly call tha t harmless... furthermore most users including a surprising number of systems a dministration types are unaware that their terminal or programmable termulator/ file transfer package can be tricked in this fashion..> > Jon Hutto PC-Tech BBS (214)271-8899 2400 baud > USENET: {ames, texbell, rutgers, portal}!attctc!hutto > INTERNET: hutto@attctc.dallas.tx.us or attctc!hutto@ames.arc.nasa.gov Kelly Goen Cybernetic Systems Specialists Inc. Disclaimer: My Thoughts are my own. Neither Amdahl Corp nor Onsite Consulting m ake any warranty and/or have anything to do with the information contained abov e! p.s. sushi --> SuperUser SHell Interactive the trick above is known as a boomer ang also!! ------------------------------ Date: 04 Aug 89 23:53:21 +0000 From: mcvax!edvvie!eliza!andreas@uunet.UU.NET (Andreas Brandl) Subject: All about Virus (PC) I am looking for Anti-Virus-Software or Software to found viruses. If there is everyone out there who can help me, please write me. And if you don`t have Software i am also happy about a lot of sentenses. (New Virus, Software, Letters, .....) In my last mail, i don't write anything about my Work-System. I am working on an IBM PS/2 Computer. Please before you send programs, please Email me before. (andreas@edvvie.at) Many Thanks, Andreas ------------------------------------------------------------------ EDV Ges.m.b.H Vienna Andreas Brandl Hofmuehlgasse 3 - 5 USENET: andreas@edvvie.at A-1060 Vienna, Austria/Europe Tel: (0043) (222) 59907 (8-16 CET) ------------------------------ Date: Sat, 05 Aug 89 12:59:00 -0400 From: IA96000 Subject: axe by sea (PC) i did not mean to propse that axe is the cure all or preventative for viral infections. i just wanted to point out what we had found. in most cases, a virus attacking a program which has been axed creates a situation where the axe'd program will not load properly due to the compression used when the program was axe'd. basically axe reads a file and like arc applies a compression formula to the file and then writes the file back to the disk along with a special loader incorporated in the file. when a virus attacks the file, it changes (obviously) some of the compressed data. however it does not really know that the data has been compressed by axe. so when the user goes to load the program the loader cannot un-compress the data and halts operation. while not a cure all or anything like that it is a good way to spot instantly if a file has been tampered with. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253