VIRUS-L Digest   Friday, 15 Sep 1989    Volume 2 : Issue 193

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Notes on the SWAP virus (PC)
Macintosh Virus List
Virus Article in the making
??? Virus (Mac)
A question on detecting viruses on bootable disks (PC)
Request for info: Apollo Workstations
Request for basic info
How does one disinfect nVIR from an Appletalked network
12th National Computer Security Conference

---------------------------------------------------------------------------

Date:    14 Sep 89 17:49:48 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Notes on the SWAP virus (PC)

The SWAP virus that was recently discovered in Israel is somewhat
different from other PC boot sector viruses. Normally a BSV replaces
the boot sector with virus code, and stores the original boot sector
somewhere. In some cases the boot sector is stored in unused space,
which is then marked as bad in the FAT (Ping-Pong, Typo, Brain). In
other cases the virus stores the boot sector in a sector that is not
likely to be used (Yale, Den Zuk, Stoned). One virus (Pentagon) even
stores the boot sector in a hidden file.

When the computer is booted from an infected disk, the code on the
boot sector will read the rest of the virus into memory. The virus
will then install itself, read the original boot sector and transfer
control to it.

SWAP is different - it does not store the original boot sector at all.
Instead it assumes that bytes 196-1B4 (hex) on the boot sector contain
messages that can be safely overwritten. This is true for most (but
not all) boot sectors. It also assumes that the boot sector starts
with a JMP instruction.

The virus then replaces these bytes with code to read the rest of the
virus (which is stored at track 39, sectors 6 and 7) into memory. The
virus will then execute the original boot code.

The fact that this virus does not store the original boot sector makes
it hard (and in some cases impossible) to repair an infected diskette.

         Fridrik Skulason          University of Iceland
         frisk@rhi.hi.is

         Guvf yvar vagragvbanyyl yrsg oynax .................

------------------------------

Date:    Thu, 14 Sep 89 11:58:07 -0400
From:    "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU>
Subject: Macintosh Virus List

If anyone has a list of currently known viruses for the Macintosh I would
very much appreciate a copy.

Thank you very much!

Gregory E. Gilbert
Academic Consultant
University of South Carolina
Columbia, South Carolina   USA   29205
(803) 777-6015

------------------------------

Date:    Thu, 14 Sep 89 11:42:04 -0400
From:    "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU>
Subject: Virus Article in the making

Evidently our institution has come of age and the powers at be have
decided that an article on viruses is needed for our newsletter.  I
would be most grateful if those that have been through this "rite of
passage" could forward their prose to me either e-mail or traditional
mail.

Specifically what I am looking for are works that discuss viruses,
trojan horses, worms, etc ... in general; problems that such beasts
have caused on other campuses; and specifically how the fixes work
(i.e. do fixes insert code into the virus files to render them
harmless, are they removed totally, how do various fixes find the
offending code?)

The article which I am writing is for a nontechnical campus computing
news- letter and if any one is interested in reviewing the article
before a final draft is made I would welcome the critism.  Just send
me your e-mail address.

Thank you very much I certainly appreciate the effort.

Gregory E. Gilbert
Academic Consultant
University of South Carolina
Columbia, South Carolina 29205
(803) 777 - 6015

------------------------------

Date:    Thu, 14 Sep 89 13:34:11 -0400
From:    "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU>
Subject: ??? Virus (Mac)

Recently we have had problems running Adobe Illustrator on a MacIIcx.
When opened a dialog box appears and says that not enough memory is
available.  Multifinder is not running and other applications are not
running so there should be enough memory available.

On running Disinfectant 1.2 a number of times nothing was located.
Upon view- ing the System file in the System Folder I noted that it
had been modified just an hour or two earlier.  I "ResEditted" the
system file and did not find anything that was extremely obvious.

Any clues?  Thanks in advance.

Gregory E. Gilbert
Academic Consultant
University of South Carolina
Columbia, South Carolina   USA   29208
(803) 777-6015

------------------------------

Date:    14 Sep 89 15:10:00 -0400
From:    "Damon Kelley; (RJE)" <damon@umbc2.umbc.edu>
Subject: A question on detecting viruses on bootable disks (PC)

    I've recently read George Woodside's file on how viruses work
(obtained from SIMTEL20.ARPA, VIRUS101.001-004).  He says that a virus
latches on a read/write interrupt to spread itself.  Would the
instructions the interrupt calls be near or located at the first JMP
instruction in the boot sector?
    From reading a certain reference that concerns the programming of
the IBM PC, I have the impression that that JMP instruction in the
boot sector is quite consistant for the type of PC a user uses.  If
that JMP instruction is changed, does that signal a virus present, or
have virus writers skipped around that limitation and had the virus
write over what code is found at that JMP destination?

jnet%"damon@umbc"
damon@umbc.bitnet
damon@umbc2.umbc.edu


------------------------------

Date:    Thu, 14 Sep 89 10:25:55 -0400
From:    KARYN@NSSDCA.GSFC.NASA.GOV
Subject: Request for info: Apollo Workstations

Has anyone ever heard anything about viruses on an Apollo workstation
running DOMAIN?

*-- *-- *-- *-- *-- *-- *-- *-- *--

Karen Pichnarczyk
KARYN@nssdca.gsfc.nasa.gov
ARC Professional Services Group
1801 Alexander Bell Drive
Reston, VA 20906
703-648-0770

------------------------------

Date:    Fri, 15 Sep 89 00:59:09 -0400
From:    "Interface Associates, Inc." <Q4071@pucc.princeton.edu>
Subject: Request for basic info

If I may be permitted to post a very basic question?  Although I have
over ten years' experience in DP, and can intuit how viruses might
operate, I find myself distressingly unfamiliar with the practical
side and jargon.  Is there a good reference on the subject with which
I can begin to bring myself up to speed?

Please reply by E-mail to Q4071@PUCC.PRINCETON.EDU.  The retention
periods have gotten very short on this system, and I may not log on in
time to see posted replies (not to mention the probable duplication).

[Ed. I'd be willing to bet that there are others with the same
questions - please send a summary of any responses to the list.]

=========================================================================
Robert A. West c/o Interface Associates, Inc.    (Q4071@PUCC)
US Mail: 666 Plainsboro Rd. Office Commons, Suite 1A, Plainsboro NJ 08536
Voice  : (609) 275-5711

------------------------------

Date:    15 Sep 89 06:26:29 +0000
From:    Jeff Medcalf <mimsy!oddjob.uchicago.edu!uokmax!jeffm@uunet.UU.NET>
Subject: How does one disinfect nVIR from an Appletalked network of macs?

The microcomputer lab at the University of Oklahoma has several
Macintoshes linked together by Appletalk.  The nVIR virus (don't know
which variant) has hit them hard, and I would like the answers to some
questions for them:

1) How do you disinfect such a network when being attacked?

2) Is there a program available which will not only kill infected
   folders, but will change each byte that the folder currently
   represents to null (to delete the virus code entirely, not just the
   directory entry)?

3) How does one detect other likely viruses (I am new to comp.virus,
   and have no idea of how to get hold of disinfectant programs).

4) How far can the source of the infection be traced (for example, not
   at all, to the machine, to the date, to the time, to the user)?

5) Are any programs available which constantly monitor problem files
   and inform of modifications to them?

Thank you very much

jeffm@uokmax.UUCP   |  Arkansas state motto:  At Least We're Not Oklahoma.  |
Jeff Medcalf    +-----------------------------------------------------------+
- ----------------|       Artificial Intelligence?  As opposed to what?     |
                +-----------------------------------------------------------+

------------------------------

Date:    Fri, 15 Sep 89 07:47:14 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: 12th National Computer Security Conference

As a follow-up to the recent notes about the 12th National Computer
Security Conferences, let me add hotel rooms in the Inner Harbor area
are going fast...

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253