VIRUS-L Digest             Monday, 28 Aug 1989        Volume 2 : Issue 181

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

[Ed. Sorry for the delay on this digest - I've been out of town for a
couple of days.]

Today's Topics:

RE:locked macintosh disks
vaccine source (PC)
Collecting a Virus (Mac)
(Hardware) Destructive Virus (Story)
Infecting applications on locked Mac disks...
Monitor destroying virus (PC)
Monitor destruction
List of Viruses/Antidotes/Vaccines for PC/AT/386
Re: Swap Virus (PC)
V-REMOVE (PC)
Looking for info in PC viruses
lost address...
Re: Locking Macintosh disks

---------------------------------------------------------------------------

Date:    Thu, 24 Aug 89 17:48:47 -0400
From:    Sari <3XMQGAA@CMUVM>
Subject: RE:locked macintosh disks

In reply to Dan Carr's question.  No, when you lock a Macintosh disk and
stick it in the drive, there is absolutely no way for the virus to infect
the disk.

Acknowledge-To: <3XMQGAA@CMUVM>

------------------------------

Date:    Thu, 24 Aug 89 17:05:47 -0700
From:    Steve Clancy
Subject: vaccine source (PC)

I would like to offer our bulletin board system once again to the
readers of Virus-L as a source of VIRUSCAN and other "vaccine/scanner"
programs that are occasionally mentioned here.  I attempt to keep up
with the most recent versions I can locate of the various programs,
and usually also have the current version of the Dirty Dozen trojan
horse/list.
The Wellspring RBBS is located in the Biomedical Library of the
University of California, Irvine (U.S.A).  Numbers and settings are as
follows:

Line # 1 - (714) 856-7996  300-9600 (HST) N81 - 24 hours
Line # 2 - (714) 856-5087  300-1200 baud N81  - Evenings & Weekends

Callers from Virus-L should use the following passwords to allow
immediate access to downloading of files:

First name     Last name     Password
----------     ---------     --------
VL1            BITNET        BIT1
VL2            BITNET        BIT2

All files are located in the VIR files directory.  The system uses
standard RBBS commands.

I attempt to get my files from the original source whenever possible.

%   Steve Clancy, Biomedical Library    %  WELLSPRING RBBS             %
%   University of California, Irvine    %  714-856-7996 300-9600 24hrs %
%   P.O. Box 19556                      %  714-856-5087 300-1200       %
%   Irvine, CA  92713   U.S.A.          %                              %
%   SLCLANCY@UCI                        %  "Are we having fun yet?"    %

------------------------------

Date:    Fri, 25 Aug 89 08:25:29 -0400
From:    "Gregory E. Gilbert"
Subject: Collecting a Virus (Mac)

How does one go about "capturing" virus code on an infected disk or at
least view the offending code?  Would one use ResEdit?  Any other
comments are most welcome.  Thanks much.

------------------------------

Date:    Fri, 25 Aug 89 07:45:00 -0400
From:    WHMurray@DOCKMASTER.ARPA
Subject: (Hardware) Destructive Virus (Story)

>Does anyone on the list have some information about an alleged virus
>that caused monitors on either older PCs, Ataris, or Amigas (I forgot which
>platform....

The story is apocryphal.  Roots are as follows:

1. Anything a computer can be programmed to do, a virus can do.  Thus,
   if a computer can be programmed for behavior that will damage the
   hardware, then it can be destroyed by a virus.

2. Early IBM PC Monochrome Adapter had a flaw under which a certain set
   of instructions could interfere with the normal sweep circuit
   operation, causing damage to the monitor.

3. Based upon this combination of facts, there has been speculation
   about the possibility of a virus exploiting this, or similar,
   flaws.  Much of it has been in this list.

To my knowledge, no such virus has ever been detected.  The number of
such PCs is vanishingly small but larger than the ones that such a
virus might find.  Those that exist are so old that a monitor failure
would be attributed to old age.  A virus would likely go unnoticed.

Of course, it is a little silly to build a computer such that it can be
programmed to perform hardware damaging behavior.  Such damage is likely
to occur by error.  That is how the flaw in the IBM's was discovered.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    Fri, 25 Aug 89 08:19:02 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: Infecting applications on locked Mac disks...

No.  If the write-protect mechanism is working properly, any software
operation will be unable to change the contents of the disk.  If the
write-protect mechanism is somehow faulty, all bets are off.

Note:  The write-protect mechanism on Mac disks is done in hardware.

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation

------------------------------

Date:    Fri, 25 Aug 89 08:38:34 -0700
From:    Robert Slade
Subject: Monitor destroying virus (PC)

Regarding the request for information on a virus that destroyed
monitors:

I have had confirmed that there is a command for certain types of
monitor adapter cards for the IBM/ISA/MS-DOS world which will turn off
the "scanning" of the display.  This means that a line or point may
"burn in" on the monitor and destroy the phosphors at that point.
When used "properly" it may also cause the CRT itself to overheat and
burn out.  The cards susceptible to this are all older CGA type.
As far as I am aware, this code has never been incorporated into a
virus.  It would not do too much damage in any case, as it is very
machine specific.

------------------------------

Date:    25 Aug 89 10:56:49 -0500
From:    "Bob Johnson (312) 245-3532"
Subject: Monitor destruction

I seem to recall that the old IBM PCs (and clones) with EGA cards
were susceptible to this problem.  The cause was the ability to change
the scan rate of a card (and thus the monitor).  If the scan rate
was too high the flyback transformer in the monitor would overheat and
catch on fire.  I don't remember viruses doing this damage but rather
public domain games and the like.

Bj                           << u27745@uicvm.uic.edu >>

------------------------------

Date:    Thu, 24 Aug 89 23:46:59 +0000
From:    ames!fxgrp!pegasus!lan@uunet.UU.NET (Lan Nguyen)
Subject: List of Viruses/Antidotes/Vaccines for PC/AT/386

Hi,

I am compiling a list which consists of the following items:

1) Viruses, date first discovered, source(s).

2) Antidotes/Vaccines for the above viruses, latest version, when
   were they made available.  Are they Public Domain (PD), Shareware
   (Share) or Commercial (Cmc) products, Author(s).

I wonder if such a list already exists?  If so, could someone send
me a copy, preferably via E-Mail.

I will post my findings on the net to all interested parties in about
two weeks time.

Thank you all in advance for your help.

Lan

Internet: lan@fx.com
UUCP:     ...!ames!fxgrp!lan

------------------------------

Date:    Fri, 25 Aug 89 17:48:56 +0300
From:    "Yuval Tal (972)-8-474592"
Subject: Re: Swap Virus (PC)

I don't think that it is so important how we call the virus.  I've
decided to call it the swap virus because the message "The
Swapping-Virus..." appears in it!  We can also call it the Israeli Boot
Sector or The Dropping Letter virus - it is not important, as long as
people know by its name what it should look like!
Meaning: Ping-Pong --> there is a ping pong on the screen, so I think
that calling it "The Dropping Letter Virus" will be just fine.

I think that the name "Israeli boot sector" is not such a good name.
Think about the simple users who do not care if this virus was written
in Israel or in any other place.  They also don't care if it is a boot
sector virus or anything else!  Again, I think that the name should
describe what the virus is doing!

-Yuval Tal

+--------------------------------------------------------------------------+
| BitNet:   NYYUVL@WEIZMANN        Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                        |
+-----------------------------------+--------------------------------------+
| Yuval Tal                         | "Remember the next time you hear a   |
| The Weizmann Institute Of Science | fighter jet go by - you are hearing  |
| Rehovot, Israel                   | the SOUNDS OF FREEDOM" - Major Bill  |
+-----------------------------------+--------------------------------------+

------------------------------

Date:    Thu, 24 Aug 89 08:36:01 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: V-REMOVE (PC)

The HomeBase group is releasing a new disinfector program that is able
to remove all known viruses, repair all infected COM files, repair
most infected EXE files, replace infected partition tables and boot
sectors, and generally make life easier for people with infected IBM
PCs.  Our previous practice of releasing one disinfector program per
virus has given us a terrific maintenance headache, and so V-REMOVE
(which does them all) is our next step on the path.  What we need now
are beta testers with Large virus libraries.  Interested parties
please contact John McAfee or Colin Haynes at 408 727 4559.

Alan

------------------------------

Date:    25 Aug 89 23:00:29 +0000
From:    audoire@inria.inria.fr (Louis Audoire)
Subject: Looking for info in PC viruses

I'm about to release a nice package fighting Macintosh viruses in
real-time.
I would like to add to my cdev virus eradicator the ability to clean
PC files as most Macs now have FDHD drives.

Where may I find the methods to remove viruses of PC files?

Yours,
Maurice.

------------------------------

Date:    Fri, 25 Aug 89 21:08:47 -0400
From:    "W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET>
Subject: lost address...

Would the gentleman from New Zealand who contacted me by mail in
response to something I posted on this list please re-contact me,
either by E-mail or otherwise?  I have lost the address entirely.

[Apologies to the list - this is my only chance at relinking with this
person.]

A RESTRICTED, CONFIDENTIAL COMMUNICATION FROM THE VIRTUAL DESK OF:
...............................................................................
|W. K. "Bill" Gorman                                           Foust Hall # 5 |
|PROFS System Administrator    E-Mail & Message             Computer Services |
|Central Michigan University   Encryption/Security     Mt. Pleasant, MI 48859 |
|34AEJ7D@CMUVM.BITNET          Virus Countermeasures           (517) 774-3183 |
|_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_|
These comments reflect personal opinions held at the time this was written.
Copyright (C) 1989 W. K. Gorman.  All rights reserved.

------------------------------

Date:    25 Aug 89 22:42:33 +0000
From:    trebor@biar.UUCP (Robert J Woodhead)
Subject: Re: Locking Macintosh disks

DANIEL%NCSUVM.BITNET@IBM1.CC.Lehigh.Edu (Daniel Carr) writes:

>i bet this question has been asked before, so please excuse me, but
>is it possible for a virus to infect a locked macintosh disk?

If the diskette is hardware locked (ie: the little slide is slid so
that you can see a hole) then the hardware won't write onto that disk,
so if you stick it into an infected machine it won't get infected.

If, on the other hand, files on an unlocked disk are locked in
_software_, they may be fair game to a persnickety virus.

--
(^;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-;^)
Robert J Woodhead, Biar Games, Inc.   !uunet!biar!trebor | trebor@biar.UUCP
``I can read your mind - right now, you're thinking I'm full of it...''

------------------------------

End of VIRUS-L Digest
*********************