VIRUS-L Digest Tuesday, 26 Sep 1989 Volume 2 : Issue 203

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Warning - Mac software NoteWriter infected
123 virus (PC)
More Datacrime hoopla, propaganda, and general paranoia
re: should we fight fire with fire
A book with a long title...
centel corp. and viruscan
Self Replicating Virus Hunter / Seekers
anti-virus software accessibility

---------------------------------------------------------------------------

Date: Mon, 25 Sep 89 11:52:57 -0400
From: GATEH%CONNCOLL.BITNET@VMA.CC.CMU.EDU
Subject: Warning - Mac software NoteWriter infected

Forwarded warning from Info-Mac. (Ken, if this has already appeared in
a VIRUS-L digest, please ignore. Apologies to all if this is a
duplicate!)

- - Gregg TeHennepe gateh@conncoll

- --- Forwarded mail from Info-Mac@sumex-aim.stanford.edu

Date: Tue, 19 Sep 89 10:46 EDT
From: (Peter Jorgensen)
Subject: WARNING NoteWriter Software Infected!

A few words of warning for potential and actual NoteWriter users. We
bought two copies of NoteWriter Software and both disks were infected
with Scores and nVir. Attempting to install the (copyprotected)
software on a Mac II running Vaccine failed, and rendered the original
unusable. The backup disk which we ordered was also infected. The
publisher has been very unhelpful.
Their tech support doesn't know anything about viruses, virus
protection programs (like Vaccine) or most of what else we tried to
ask them.

Peter Jorgensen
Microcomputer specialist
Colgate University - Hamilton, NY 13346
AppleLink - U0523
BITNET - PJORGENSEN@COLGATEU
tel - 315-824-1000 ext 742

- --- End of forwarded message from Info-Mac@sumex-aim.stanford.edu

------------------------------

Date: Mon, 25 Sep 89 18:47:00 -0400
From: IA96000
Subject: 123 virus (PC)

for lack of a better name and until/if someone objects with a
legitimate reason, i feel the name for the virus targeted at release 3
of lotus 123 should be called 123nhalf since it causes your
spreadsheet to be saved exactly one half the size it should be.

in any event, an update is in order. we have now discovered that this
virus will only, repeat only infect the 123dos.exe file, when running
on a machine with a '286 processor. it will not infect the file on a
'386 system.

we are attempting to determine the exact reason for this strange
coincidence. it is felt at the current time that the way a '386
creates virtual machines may have something to do with it.

the virus also will not infect files unless there is a minimum of 3
megabytes of extended memory. expanded memory does not matter and does
not come into the picture.

a scan program is now available which quickly checks the 123dos file
in three different locations to determine if the virus is present. a
copy is on the way to mr. mcafee of mcafee associates for his
observations. hopefully mr. mcafee will post it on homebase so the
rest of the readers can benefit from this program.

the name of the scan program is 123scan.exe and it should be at mcafee
associates by the end of this week. we have no way of uploading to the
mainframe here, so i cannot convert it to a .uue file for transit
through the nets. however the program is shareware and will soon be
available.
for those of you who are not familiar with this virus, it infects the
large file named 123dos.exe which is now used in release 3 of lotus
123. there is only one symptom, but that is all this one needs. if
your copy of 123dos.exe is infected, no matter what size spreadsheet
you create and save, it will only be saved as one half the size. in
other words, a 100 x 100 cell spreadsheet will only be saved as a
50 x 50 cell spreadsheet. as you can imagine this can be quite a
problem.

well, that's it for now!

------------------------------

Date: Mon, 25 Sep 89 19:13:23 -0400
From: dmg@retina.mitre.org (David Gursky)
Subject: More Datacrime hoopla, propaganda, and general paranoia.

I've just spent the past three hours reading and re-reading various
forms of hype about the alleged upcoming attack on October 13 of the
Datacrime virus. I would like to make a couple comments about this.

First and foremost, there is no doubt in my mind (nor has there ever
been any doubt in my mind), that Datacrime is a real virus, causes
real problems, and will next strike on October 13 (it is, after all, a
"time-bomb" virus, that activates on specific dates, in this case,
Friday the 13ths).

I have real doubts however that this virus has made any inroads into
the United States beyond the 10 cases John McAfee has cited
previously.

I suppose it is a good thing that the NoCrime application has been
updated to detect a new strain of DataCrime, and that all sorts of
other PC-based applications have been updated to detect DataCrime, (as
an aside, the people who make "Quarantine" for the MS-DOS called me
today to let me know they are sending me a demo copy of their
application to beat on, and they made a point to let me know it
detects DataCrime!), *however*, all of this does not an epidemic make!

Sure people are updating their applications to fight Datacrime;
Datacrime is a known virus that uses established infection techniques!
It's not that hard (I would imagine) to make the changes to the
applications to fight Datacrime.

When it all comes down to it, if the desktop computers of the United
States were under attack right now by Datacrime (or any of dozens of
other viruses), we would be seeing signs of it, and Virus-L would be
full of reports of infections. No infections, no virus.

Now can everyone please calm down? The sky is not falling.

Disclaimer: Dis is soup. Dis is art. Soup. Art. [Apologies to L.
Tomlin.]

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation

------------------------------

Date: Mon, 25 Sep 89 18:47:00 -0400
From: IA96000
Subject: re: should we fight fire with fire

i do not think a new anti-virus is the answer. i think software
manufacturers have to take the initiative in the virus war.

for instance, the 123scan.exe program which detects the 123nhalf
virus, uses the new selftest (tm) module to detect any changes made to
the program file after it was compiled.

selftest (tm) is not perfect, but what is these days? in any event in
three months of testing, a program protected by selftest (tm) has
never failed to indicate that a change has been made.

selftest (tm) was written by and for shareware authors. it adds just a
few seconds to the load time of a program, and detects a change in
file length, or bit level changes made to the file.

i think it is time that the manufacturers who have raked in the money
for years get more involved in the fight against viruses.

the opinions expressed in this message are my own.

------------------------------

Date: Mon, 25 Sep 89 19:19:31 -0400
From: dmg@retina.mitre.org (David Gursky)
Subject: A book with a long title...

John McAfee has just published a book on viruses entitled:

"Computer Viruses, Worms, Data Diddlers, Killer Programs, and other
Threats To Your System: What They Are, How They Work, and How to
Defend Your PC or Mainframe Environment"

(By McAfee and Colin Hayes, from St.
Martin Press -- $24.95 hardback, $16.95 softback).

My questions about the propriety of calling Viruscan "shareware"
aside, I've had a copy of the book set aside and I'm picking it up
tonight. John's work in this area is well-known, and I anxiously look
forward to reading this (but at 350 pp, don't count on hearing any
comments from me soon about it!)

And would someone from Homebase *please* ask John to make the title of
his next book shorter!

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation

------------------------------

Date: Mon, 25 Sep 89 19:14:00 -0400
From: IA96000
Subject: centel corp. and viruscan

in a recent message to this list from david gursky, he made a
statement which needs to be corrected.

he made the statement "if the author of a package wants to limit the
sources from which his or her work is available, fine! but by doing so
you forfeit the right to label your work as shareware!"

this is not so. shareware is for the most part copyrighted and mr.
mcafee's software does indeed carry a copyright! as the owner of a
work which is copyrighted, j. mcafee CAN CALL IT SHAREWARE OR ANY
OTHER NAME HE DESIRES, EVEN FREEWARE, AND STILL MAINTAIN THE ABSOLUTE
RIGHT TO DETERMINE WHO MAY OR MAY NOT DISTRIBUTE HIS COPYRIGHTED WORK!

A copyrighted work is the sole property of the holder of the
copyright. like it or not, that is the law of the land. until such
time a case comes to court, copyrighted shareware remains the property
of the copyright holder, who may decide who has the right to
distribute such work.

the opinions expressed here are my own.

------------------------------

Date: Tue, 26 Sep 89 03:51:38 GMT
From: utstat!davids@uunet.UU.NET (David Scollnik)
Subject: Self Replicating Virus Hunter / Seekers

In a recent posting CZMUREK%DREW.BITNET@VMA.CC.CMU.EDU writes ...

% I began to design a virus algorithm that would eventually serve
% as the platform for the destruction of other viruses.
% Its purpose would be to infect single programs, single disks, or
% multiple disks in the first, second and third versions respectively.
% Before any alarm sets in here about my intentions, I would like to
% say that the purpose here is to aid in the effort to combat these
% little nasties.

I thought many of you might be interested to know that at least one
such "utility" has been written and distributed for the Amiga. The one
I have heard of is called "System-Z", which is composed of two parts,
namely the System-Z "installer" and the Sys-Z "bootblock". When an
Amiga is booted up from a disk containing the Sys-Z bootblock, it
announces to the user that it is now present in memory (until the
machine in question is de-powered) by way of a quick rainbow screen
and a short series of musical notes. This program will identify a
variety of Amiga specific viruses located in other disks' bootblocks,
and allow the user the option of overwriting the bootblock of the
infected disk with the Sys-Z bootblock. Apparently it does NOT write
itself indiscriminately to other disks' bootblocks, but only when the
user selects to do so.

Many Amiga users do not consider this to be a virus, but many others
do. In fact, at least one Virus Checker / Disinfectant / Obliterator I
know of considers it to be a virus, and identifies it as such. The
reason many do consider it a virus is the fact that it locates itself
in the bootblock. I believe that this "utility" hails from Europe, and
might even have been of a commercial nature.

Perhaps someone else out there has more info on this creature. I have
never actually seen it in action, only seen documentation on it in
forums like this and in one Virus Killer's documentation.

--
David P.M. Scollnik      | UUCP:   utstat!davids
University of Toronto    | bitnet: davids@utstat.utoronto
Department of Statistics | arpa:   davids@utstat.toronto.edu
(hi mom !!!)
------------------------------

Date: Sat, 23 Sep 89 11:11:00 -0400
From: IA96000
Subject: anti-virus software accessibility

some universities have no practical way of allowing students or
faculty to download software acquired over the network. this can be a
problem for many reasons.

i know that homebase exists, however to call there once a week or so
to obtain the latest copies of the viral software packages can get to
be expensive.

does anyone know of any reliable bbs in the new york area which
maintains copies of the latest viruscan, etc; programs?

if not, i would be willing to make copies and distribute them to
anyone who sends a disk and return postage. of course, this is only if
mr. mcafee would give his permission, and if i can get clean copies to
begin with.

------------------------------

End of VIRUS-L Digest
*********************
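
The load-time check described in the "re: should we fight fire with fire" message above (a change in file length, or a bit-level change at the same length), as an added example that is not the selftest module's code and not from any poster in this digest. The SHA-256 digest, the function names, the file name and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; keeps memory use flat for large program files


def fingerprint(path):
    """Return (length, sha256 hex digest) of the file, read in chunks."""
    digest = hashlib.sha256()
    length = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
            length += len(block)
    return length, digest.hexdigest()


def self_test(path, baseline):
    """Compare the file with the (length, digest) recorded at build time."""
    length, digest = fingerprint(path)
    if length != baseline[0]:
        return "length-changed"   # e.g. bytes appended to the file
    if digest != baseline[1]:
        return "content-changed"  # same length, bits altered in place
    return "ok"


def demo():
    """Run the check on a constructed stand-in for a program file."""
    original = b"MZ" + bytes(range(256)) * 8      # constructed sample bytes
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "program.bin")   # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(original)
        baseline = fingerprint(path)              # recorded once, at build time
        results = [self_test(path, baseline)]
        with open(path, "ab") as fh:              # case 1: file grows
            fh.write(b"\x90" * 32)
        results.append(self_test(path, baseline))
        patched = bytearray(original)             # case 2: one bit flipped
        patched[100] ^= 0x01
        with open(path, "wb") as fh:
            fh.write(patched)
        results.append(self_test(path, baseline))
    return results


if __name__ == "__main__":
    print(demo())
```

The baseline only protects the file if it is stored where code that alters the file cannot also rewrite it.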