VIRUS-L Digest                              Wednesday, 8 Nov 1989    Volume 2 : Issue 236

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Introduction to the anti-viral archives
UNIX anti-viral archive sites
Apple II anti-viral archive sites
Atari ST anti-viral archive sites
Amiga anti-viral archive sites
IBMPC anti-viral archive sites
Documentation anti-viral archive sites
Macintosh anti-viral archive sites
New anti-virus files uploaded to SIMTEL20 (PC)
Re: Where are the Sophisticated Viruses? (PC)

---------------------------------------------------------------------------

Date:    08 Nov 89 05:19:49 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Introduction to the anti-viral archives

# Introduction to the Anti-viral archives...
# Listing of 07 November 1989

This posting is the introduction to the "official" anti-viral archives
of virus-l/comp.virus. With the generous cooperation of many sites
throughout the world, we are attempting to make available to all the
most recent news and programs for dealing with the virus problem.
Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh
and Unix computers, as well as sites carrying research papers and
reports of general interest.

If you have general questions regarding the archives, you can send them
to this list or to me. I'll do my best to help. If you have a submission
for the archives, you can send it to me or to one of the persons in
charge of the relevant sites.
If you have any corrections to the lists, please let me know.

Jim

==== cruft for the lawyers ====

The files contained on the participating archive sites are provided
freely on an as-is basis. To the best of our knowledge, all files
contained in the archives are either Public Domain, Freely
Redistributable, or Shareware. If you know of one that is not, please
drop us a line and let us know.

PLEASE NOTE

The Managers of these systems, and the Maintainers of the archives,
CAN NOT and DO NOT guarantee any of these applications for any purpose.
All possible precautions have been taken to assure you of a safe
repository of useful tools. Unfortunately, in this day and age nothing
is certain.

It is awful that these people have to worry about legalities when they
are only trying to provide a free and useful service. But facts are
facts. Your use of the archives relieves the sites from any liability.
Sigh.

------------------------------

Date:    08 Nov 89 05:20:49 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: UNIX anti-viral archive sites

# Anti-viral and security archive sites for Unix
# Listing last changed 30 September 1989

attctc              Charles Boykin
        Accessible through UUCP.

cs.hw.ac.uk         Dave Ferbrache
        NIFTP from JANET sites, login as "guest". Electronic mail to .
        Main access is through mail server. The master index for the
        virus archives can be retrieved as
                request: virus
                topic: index
        For further details send a message with the text
                help
        The administrative address is

sauna.hut.fi        Jyrki Kuoppala
        Accessible through anonymous ftp, IP number 128.214.3.119.
        (Note that this IP number is likely to change.)

ucf1vm              Lois Buwalda
        Accessible through...

wuarchive.wustl.edu Chris Myers
        Accessible through anonymous ftp, IP number 128.252.135.4.
        A number of directories can be found in ~ftp/usenet/comp.virus/*.
------------------------------

Date:    08 Nov 89 05:18:15 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Apple II anti-viral archive sites

# Anti-viral archive sites for the Apple II
# Listing last changed 30 September 1989

brownvm.bitnet      Chris Chung
        Access is through LISTSERV, using SEND, TELL and MAIL commands.
        Files are stored as
                apple2-l xx-xxxxx
        where the x's are the file number.

cs.hw.ac.uk         Dave Ferbrache
        NIFTP from JANET sites, login as "guest". Electronic mail to .
        Main access is through mail server. The master index for the
        virus archives can be retrieved as
                request: virus
                topic: index
        The Apple II index for the virus archives can be retrieved as
                request: apple
                topic: index
        For further details send a message with the text
                help
        The administrative address is

uk.ac.lancs.pdsoft  Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index. Anti-Viral stuff is held as part of a larger micro
        software collection and is not collected into a distinct area.

------------------------------

Date:    08 Nov 89 05:18:37 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Atari ST anti-viral archive sites

# Anti-viral archive sites for the Atari ST
# Listing last changed 30 September 1989

cs.hw.ac.uk         Dave Ferbrache
        NIFTP from JANET sites, login as "guest". Electronic mail to .
        Main access is through mail server. The master index for the
        virus archives can be retrieved as
                request: virus
                topic: index
        The Atari ST index for the virus archives can be retrieved as
                request: atari
                topic: index
        For further details send a message with the text
                help
        The administrative address is .

panarthea.ebay      Steve Grimm
        Access to the archives is through mail server. For instructions
        on the archive server, send help to .

uk.ac.lancs.pdsoft  Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index. Anti-Viral stuff is held as part of a larger micro
        software collection and is not collected into a distinct area.

------------------------------

Date:    08 Nov 89 05:17:51 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Amiga anti-viral archive sites

# Anti-viral archive sites for the Amiga
# Listing last changed 30 September 1989

cs.hw.ac.uk         Dave Ferbrache
        NIFTP from JANET sites, login as "guest". Electronic mail to .
        Main access is through mail server. The master index for the
        virus archives can be retrieved as
                request: virus
                topic: index
        The Amiga index for the virus archives can be retrieved as
                request: amiga
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ms.uky.edu          Sean Casey
        Access is through anonymous ftp. The Amiga anti-viral archives
        can be found in /pub/amiga/Antivirus. The IP address is
        128.163.128.6.

uk.ac.lancs.pdsoft  Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index. Anti-Viral stuff is held as part of a larger micro
        software collection and is not collected into a distinct area.

uxe.cso.uiuc.edu    Mark Zinzow
                    Lionel Hummel
        The archives are in /amiga/virus. There is also a lot of stuff
        to be found in the Fish collection. The IP address is
        128.174.5.54. Another possible source is uihub.cs.uiuc.edu at
        128.174.252.27. Check there in /pub/amiga/virus.
------------------------------

Date:    08 Nov 89 05:19:26 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: IBMPC anti-viral archive sites

# Anti-viral archive for the IBMPC
# Listing last changed 30 September 1989

cs.hw.ac.uk         Dave Ferbrache
        NIFTP from JANET sites, login as "guest". Electronic mail to .
        Main access is through mail server. The master index for the
        virus archives can be retrieved as
                request: virus
                topic: index
        The IBMPC index for the virus archives can be retrieved as
                request: ibmpc
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ms.uky.edu          Daniel Chaney
        This site can be reached through anonymous ftp. The IBMPC
        anti-viral archives can be found in /pub/msdos/AntiVirus.
        The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft  Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index. Anti-Viral stuff is held as part of a larger micro
        software collection and is not collected into a distinct area.

uxe.cso.uiuc.edu    Mark Zinzow
        This site can be reached through anonymous ftp. The IBMPC
        anti-viral archives are in /pc/virus. The IP address is
        128.174.5.54.

vega.hut.fi         Timo Kiravuo
        This site (in Finland) can be reached through anonymous ftp.
        The IBMPC anti-viral archives are in /pub/pc/virus. The IP
        address is 128.214.3.82.

wsmr-simtel20.army.mil  Keith Peterson
        Direct access is through anonymous ftp, IP 26.2.0.74. The
        anti-viral archives are in PD1:<MSDOS.TROJAN-PRO>. Simtel is a
        TOPS-20 machine, and as such you should use "tenex" mode and
        not "binary" mode to retrieve archives. Please get the file
        00-INDEX.TXT using "ascii" mode and review it offline.
        NOTE: There are also a number of servers which provide access
        to the archives at simtel. WSMR-SIMTEL20.Army.Mil can be
        accessed using LISTSERV commands from BITNET via
        LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe from EARN
        TRICKLE servers. Send commands to TRICKLE@ (for example:
        TRICKLE@AWIWUW11). The following TRICKLE servers are presently
        available: AWIWUW11 (Austria), BANUFS11 (Belgium), DKTC11
        (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy), EB0UB011
        (Spain) and TREARN (Turkey).

------------------------------

Date:    08 Nov 89 05:18:59 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Documentation anti-viral archive sites

# Anti-viral archive sites for documentation
# Listing last changed 30 September 1989

cs.hw.ac.uk         Dave Ferbrache
        NIFTP from JANET sites, login as "guest". Electronic mail to .
        Main access is through mail server. The master index for the
        virus archives can be retrieved as
                request: virus
                topic: index
        The index for the **GENERAL** virus archives can be retrieved as
                request: general
                topic: index
        The index for the **MISC.** virus archives can be retrieved as
                request: misc
                topic: index
        **VIRUS-L** entries are stored in monthly and weekly digest form
        from May 1988 to December 1988. These are accessed as
                log.8804
        where the topic substring is comprised of the year, month and a
        week letter. The topics are:
                8804, 8805, 8806 - monthly digests up to June 1988
                8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
        The following daily digest format started on Wed 9 Nov 1988.
        Digests are stored by volume number, e.g.
                request: virus
                topic: v1.2
        would retrieve issue 2 of volume 1; in addition v1.index,
        v2.index and v1.contents, v2.contents will retrieve an index of
        available digests and an extracted list of the contents of each
        volume respectively.
        **COMP.RISKS** archives from v7.96 are available on line as:
                request: comp.risks
                topic: v7.96
        where topic is the issue number; as above v7.index, v8.index
        and v7.contents and v8.contents will retrieve indexes and
        contents lists.
        For further details send a message with the text
                help
        The administrative address is

lehiibm1.bitnet     Ken van Wyk
    new:
        This site has archives of VIRUS-L, and many papers of general
        interest. Access is through ftp, IP address 128.180.2.1.
        The directories of interest are VIRUS-L and VIRUS-P.

uk.ac.lancs.pdsoft  Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index. Anti-Viral stuff is held as part of a larger micro
        software collection and is not collected into a distinct area.

unma.unm.edu        Dave Grisham
        This site has a collection of ethics documents. Included are
        legislation from several states and policies from many
        institutions. Access is through ftp, IP address 129.24.8.1.
        Look in the directory /ethics.

------------------------------

Date:    08 Nov 89 05:20:23 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Macintosh anti-viral archive sites

# Anti-viral archive sites for the Macintosh
# Listing last changed 07 November 1989

cs.hw.ac.uk         Dave Ferbrache
        NIFTP from JANET sites, login as "guest". Electronic mail to .
        Main access is through mail server. The master index for the
        virus archives can be retrieved as
                request: virus
                topic: index
        The Mac index for the virus archives can be retrieved as
                request: mac
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ifi.ethz.ch         Danny Schwendener
        Interactive access through DECnet (SPAN/HEPnet):
                $SET HOST 57434   or   $SET HOST AEOLUS
                Username: MAC
        Interactive access through X.25 (022847911065) or Modem 2400 bps
        (+41-1-251-6271):
                # CALL B050
                Username: MAC
        Files may also be copied via DECnet (SPAN/HEPnet) from
                57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]

rascal.ics.utexas.edu   Werner Uhrig
        Access is through anonymous ftp, IP number is 128.83.144.1.
        Archives can be found in the directory mac/virus-tools.
        Please retrieve the file 00.INDEX and review it offline.
        Due to the size of the archive, online browsing is discouraged.

scfvm.bitnet        Joe McMahon
        Access is via LISTSERV. SCFVM offers an "automatic update"
        service. Send the message
                AFD ADD VIRUSREM PACKAGE
        and you will receive updates as the archive is updated.
        You can also subscribe to automatic file update information with
                FUI ADD VIRUSREM PACKAGE

sumex-aim.stanford.edu  Bill Lipa
        Access is through anonymous ftp, IP number is 36.44.0.6.
        Archives can be found in /info-mac/virus.
        Administrative queries to .
        Submissions to .
        There are a number of sites which maintain shadow archives of
        the info-mac archives at sumex:
        * MACSERV@PUCC services the Bitnet community
        * LISTSERV@RICE for e-mail users
        * FILESERV@IRLEARN for folks in Europe

uk.ac.lancs.pdsoft  Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index. Anti-Viral stuff is held as part of a larger micro
        software collection and is not collected into a distinct area.

wsmr-simtel20.army.mil  Robert Thum
        Access is through anonymous ftp, IP number 26.2.0.74.
        Archives can be found in PD3:<MACINTOSH.VIRUS>.
        Please get the file 00README.TXT and review it offline.

------------------------------

Date:    Wed, 08 Nov 89 01:15:00 -0700
From:    Keith Petersen
Subject: New anti-virus files uploaded to SIMTEL20 (PC)

I have uploaded the following files to SIMTEL20:

pd1:<msdos.trojan-pro>
SCANRS48.ARC    Resident program to scan for many viruses
SCANV48.ARC     VirusScan, scans disk files for 48 viruses

SCANRS48 and SCANV48 were downloaded from the Homebase BBS.
--Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives  [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.arpa  BITNET: w8sdz@NDSUVM1
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz

------------------------------

Date:    08 Nov 89 11:23:12 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Where are the Sophisticated Viruses? (PC)

jim frost writes:

>Limiting Propagation Rates.

Some viruses do this. SysLock, Icelandic and Typo-COM will only infect
some of the programs they have a chance to infect. They use different
methods, like "only every other day" or "only every tenth program run".

>Limiting Re-Infections. Most simple viruses don't detect systems
>which have already been infected and will re-infect them.

Actually very few viruses infect the same "victim" over and over. Some
boot sector viruses do, but the only program virus which does so is the
original version of the Israeli (Jerusalem) virus.

>Detecting and Avoiding "Virus-Protected" Hosts. I have yet to see a
>virus which looked at the state of a system to detect virus detection
>mechanisms to nullify them and/or avoid infecting them.

One virus - the "Icelandic" virus - makes an attempt at this. It will
not infect a system if it determines that any program has hooked INT 13.
Since all virus monitoring programs do that, it will not be detected by
them. (In practice this does not work too well, because of a bug in the
code..)

>Staying Within Normal System Activity Boundaries.

Most resident viruses do this.

>Hiding From Standard System Utilities.

This is the difficult part. Very few existing viruses are able to do
this properly. Most boot sector viruses will decrease the amount of
memory available - for example turning a 640K machine into a 639K one.
Program viruses can in many cases be detected by using an ordinary
memory mapping utility. Still, quite a few manage to hide even from
that, but there is room for much improvement in this area :-(

>Modifying Hosts To Make Them More Susceptible To Re-Infection.

This brings up the topic of "virus types we have not seen yet". I have
written a document describing a few types of viruses that could
theoretically be written, but are currently unknown. Description of one
of the types follows.

7) The "AIDS" type.

This type of virus is very dangerous. Not because it destroys programs
or data, but because it attacks the protection mechanism in the
computer. These viruses can be divided in two subgroups.

Specific: These viruses will search for known anti-virus programs and
disable or destroy them. They might do that by patching the code in
memory and then overwriting parts of the protection programs on the
disk.

General: These viruses must be much more complicated, but they could
for example try to determine what programs had hooked a specific
interrupt. Then they might modify a few memory locations in order to
bypass those programs.

A virus of this type might not do any further damage, but it would
leave the system vulnerable to attacks by other viruses, which might
then have a devastating effect.

>By now you should get the idea that almost every virus we've seen is
>primitive, although several showed some of the survival traits which I
>outline above. Given the limited resources of PC environments, it's
>unlikely that you'll get a very sophisticated virus.

I must disagree. In the PC environment it is not a question of limited
resources, but rather the fact that any user process has full access to
ALL resources and can even directly manipulate the hardware if required.
So, my opinion is that it is even easier to write a sophisticated virus
on the PC than in most other environments.

Finally, I want to add one "feature" to the description of a
sophisticated virus:

"Bypass protection programs and jump directly to the hardware, DOS or
BIOS routines."

There are quite a few "filter" programs available that will monitor
every INT 13, INT 21, INT 40.... call and alert the user if an attempt
is made to do an illegal operation. They are, however, almost useless
against viruses that can access the system directly in the way described
above. Only two or three viruses do this now, but I am certain that more
virus writers will figure out how to do this in the future. :-(

-frisk

Fridrik Skulason       University of Iceland
frisk@rhi.hi.is        Computing Services

Guvf yvar vagragvbanyyl yrsg oynax .................

------------------------------

End of VIRUS-L Digest
*********************
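frisk's reply above mentions two state checks that were ordinary anti-virus practice on DOS machines: whether any resident program has hooked INT 13 (the disk services vector) and whether the BIOS's conventional memory count has dropped below 640K, as it does when a boot sector virus hides above the top of memory. The C below is an added example written for this digest, not code from the digest or from any of the programs it lists; it runs the two checks over a constructed snapshot of the first 0x500 bytes of real-mode memory rather than on a live PC, and the function names and the 9FC0h segment used for the hooked case are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the snapshot (a flat copy of low memory, an assumption of
 * this example): the interrupt vector table fills 0000:0000-0000:03FF,
 * four bytes (offset, segment) per vector; the BIOS data area starts at
 * 0040:0000, and the word at 0040:0013 (linear 0x413) holds the
 * conventional memory size in KB. */
#define IVT_BASE   0x000
#define BDA_MEMKB  0x413
#define SNAP_SIZE  0x500

/* Segment half of an interrupt vector, read little-endian from the IVT. */
static uint16_t vector_segment(const uint8_t *snap, int intno) {
    const uint8_t *p = snap + IVT_BASE + intno * 4;
    return (uint16_t)(p[2] | (p[3] << 8));
}

/* INT 13h is normally served by the ROM BIOS, which lives at segment
 * F000h or above. A vector pointing below that means something resident
 * (a monitor, a disk cache, or a virus) has hooked it. */
int int13_hooked(const uint8_t *snap) {
    return vector_segment(snap, 0x13) < 0xF000;
}

/* Conventional memory as the BIOS reports it, in KB. */
int conventional_kb(const uint8_t *snap) {
    return snap[BDA_MEMKB] | (snap[BDA_MEMKB + 1] << 8);
}

/* The 640K-turned-639K symptom from the post. */
int memory_shrunk(const uint8_t *snap, int expected_kb) {
    return conventional_kb(snap) < expected_kb;
}

/* Constructed snapshot of a clean 640K machine: INT 13h -> F000:xxxx. */
static void make_clean(uint8_t *snap) {
    memset(snap, 0, SNAP_SIZE);
    snap[IVT_BASE + 0x13 * 4 + 3] = 0xF0;
    snap[BDA_MEMKB] = 0x80; snap[BDA_MEMKB + 1] = 0x02;   /* 0x0280 = 640 */
}

/* Same machine after a resident program at 9FC0:0000 (assumed segment)
 * has taken INT 13h and 1 KB has vanished from the top of memory. */
static void make_hooked(uint8_t *snap) {
    make_clean(snap);
    snap[IVT_BASE + 0x13 * 4 + 2] = 0xC0;
    snap[IVT_BASE + 0x13 * 4 + 3] = 0x9F;
    snap[BDA_MEMKB] = 0x7F;                                /* 0x027F = 639 */
}

int main(void) {
    uint8_t snap[SNAP_SIZE];
    make_clean(snap);
    printf("clean : INT 13h hooked=%d memory=%dK\n", int13_hooked(snap), conventional_kb(snap));
    make_hooked(snap);
    printf("hooked: INT 13h hooked=%d memory=%dK\n", int13_hooked(snap), conventional_kb(snap));
    return 0;
}
```

On a real machine the same two reads come from the live IVT and BIOS data area; a hooked vector is a lead to investigate, not proof of infection, since legitimate monitors and caches hook INT 13h too.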