VIRUS-L Digest Monday, 11 Sep 1989 Volume 2 : Issue 189 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: New virus in israel (PC) nVir strikes again (Mac) Virus screening protocol? October 12/13 virus attacks (PC) NOCRIME version 1.1 now available (PC) --------------------------------------------------------------------------- Date: Fri, 08 Sep 89 18:43:43 +0200 From: Uzi Apple Subject: New virus in israel (PC) Hello all this is the first time that i write to virus-l because i really need help. My computer was infected by a new virus that called itself MIX1 virus , its symptoms are : 1) only EXE files are infected 2) the printer prints spelling mistakes 3) i see jumping ball on the screen (and it isnt the ping pong i checked) 4) i cant boot the system 5) the num lock doesnt work i can only write numbers if someone has the Unvirus for this Virus please connect me. Uzi - ------------------------------------------------------------------------------ - Uzi Apple InterNet: NYAPEL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU The Weizmann Inst. Of Science CsNet: NYAPEL@WEIZMANN.BITNET Rehovot BitNet: NYAPEL@WEIZMANN - ------------------------------------------------------------------------------ - ------------------------------ Date: Fri, 08 Sep 89 15:18:25 -0500 From: James Ford Subject: nVir strikes again (Mac) {Taken from the Crimson White, a student newspaper at the University of Alabama in Tuscaloosa.} A computer virus call "nVir" was discovered in early August after it infested itself into a number of University department MacIntosh computer systems. David Benson, Production manager for Student Publications, said the virus has completely infected the computer system of the Publications Building and is still active in the College of Communications and Rose Administration Buildings. Benson said the virus caused his computer to break down and erase 1.5K hours of programming. . . comparison of computer vs human virus deleted. . . Largin said he has approximately 200 disks of his own and noted that the college had "hundreds and hundreds" The program Interferon is being used to track down the virus and another called Vaccination is being used to treat the disks ------------------------------ Date: Fri, 08 Sep 89 19:36:55 -0400 From: UBY%NIHCU.BITNET@VMA.CC.CMU.EDU Subject: Virus screening protocol? I am trying to develop a protocol to insure that PC viruses are not introduced into our site from outside. Can anyone suggest what methods are necessary and sufficient to keep viruses from being imported on diskettes? Are the same methods necessary for information received electronically? Thanks, Jim Blakley ------------------------------ Date: Fri, 08 Sep 89 11:14:01 +0000 From: mcvax!rhi.hi.is!frisk@uunet.UU.NET (Fridrik Skulason) Subject: October 12/13 virus attacks (PC) Some bits of information on the Oct. 12/13 virus attacks. DATACRIME will indeed attack on Oct. 12, but turning off your computer on that day will not provide any protection against it. The first time an infected program is run on Oct. 12 or after that date, the virus will format the first few tracks of drive C: and then display the message: DATACRIME VIRUS RELEASED: 1 MARCH 1989 On a floppy-only computer it will do no damage at all. Two major variants of Datacrime are known to exist, one is 1168 bytes long, the other 1280. Both variants only infect .COM files. This virus originated in Europe, and is rare elsewhere. A new variant (Datacrime II) has appeared recently), but little information is yet available on it. Since I only received a copy of it yesterday I have not yet been able to check if it will behave as the other two variants on Oct. 12. The well-known Jerusalem virus will attack on October 13. So much has been written about that virus that I see no need to repeat that information here. The South-African "Friday the 13." virus reported by Jim Goodwin will attack on Oct. 13. This virus is very rare, and must not be confused with the Jerusalem virus, that also has been named "Friday the 13.". This virus will delete every program run on that date, and sometimes display the message We hope we haven't inconvenienced you This virus is not a great threat, since it is very rare - in fact it is so rare that it took me almost four months to obtain a copy. Recently a new virus was reported by the CVIA, which will probably activate on Oct. 13. (At least they reported that the actvation date was Friday 13.) This virus (named the "RAP virus") has not yet been described in detail. One more "Friday the 13." virus is reported to exist, but it will not become active until 1991. This is the SYS variant of the "Den Zuk" virus. Finally, two more viruses have been mentioned, with activation dates on Oct 12/13. > A West German virus, apparently discussed at a hacker's convention > in Amsterdam earlier this month, to be introduced through BITNET. > An enhanced version of an earlier Icelandic virus rewritten to avoid > detection by constantly changing its location in memory." This may be true, but so far I have not been able to confirm this. These viruses - if they exist - are not likely to have spread widely, and should not pose a serious threat. ------------------------------ Date: Fri, 08 Sep 89 17:10:37 -0700 From: fu@unix.sri.com (Christina Fu) Subject: NOCRIME version 1.1 now available (PC) NOCRM11.UUE is now available. The only difference it has from version 0.1 is that it now discriminates the way DATACRIME viruses discrimanate some files. Christina Fu ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253