VIRUS-L Digest Tuesday, 21 Nov 1989 Volume 2 : Issue 246 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Known PC virus list Where did they come from ? (PC) A new LISTSERV group Re: 80386 and viruses (PC & UNIX) Re: 80386 and viruses (PC & UNIX) CVIA clarifications followup on mind viruses Virus Disinfectors (Mac) Potential Virus? (Mac) Computer Virus Catalog Index:November'89 --------------------------------------------------------------------------- Date: Tue, 21 Nov 89 16:25:22 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Known PC virus list A few comments: - since the boot part of the ghost virus does not spread, it can not properly be called a virus, so I do not think it should be included. - The Pentagon virus does not work. Why include it ? - Why not include Agiplan, Oropax, Missouri, Macho and Nichols ? - Do-nothing Remains resident - 1168/1280 do not use self-encryption. Apart from this it's a good list. - -frisk ------------------------------ Date: Tue, 21 Nov 89 16:26:30 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Where did they come from ? (PC) I am trying to compile a list showing where the various viruses seem to have originated. Here is what I have got so far, but I am sure the list contains several errors, and I would be very grateful for any comments and corrections. Boot Sector Viruses: Alameda USA Brain Pakistan ? Den Zuk/Ohio Venezuela ? Indonesia ? Disk Killer USA ? Stoned New-Zealand/Australia Missouri USA ? Nichols USA ? Pentagon UK ? Ping-Pong Italy (Torino ?) Typo Israel Swap Israel Program Viruses Aids USA Agiplan W. Germany Alabama Israel ? April 1st Israel Cascade USA ? Dark Avenger ? DataCrime W. Germany ? The Netherlands ? DataCrime-2 ? dBase USA Do-Nothing Israel 405 UK ? Fumble USA Fu Manchu UK ? Ghost Iceland Icelandic/Saratoga Iceland/USA Jerusalem/variants/Sunday Israel/USA Lehigh USA Mix1 Israel Oropax W. Germany Screen USA South African South Africa SysLock/Macho/Advent W. Germany Traceback ? Vacsina W. Germany ? Vienna/Lisbon Austria/Portugal Yankee ? Zero Bug ? - -frisk ------------------------------ Date: 21 Nov 89 00:00:00 +0000 From: BAUMARD.Philippe.42.64.31.89.BAUMARD@FRAIX11 (33) Subject: A new LISTSERV group Dear Virus-L networkers, a new list has been created. Its name is APOGEES (LISTSERV at FRMOP11.BITNET). APOGEES is open to any networker with practical experience in the fields of strategic and critical information management. We are by now working on supervisory systems for strategic technological information. Applicants are welcome. Please send a note to BAUMARD at FRAIX11. Virtually, APOGEES Management. ------------------------------ Date: 21 Nov 89 17:49:52 +0000 From: williams@cs.umass.edu Subject: Re: 80386 and viruses (PC & UNIX) peter%ficc@uunet.UU.NET (Peter da Silva) writes... >> The isolation hardware in the I386 makes it possible to construct a >> contained execution environment... Such an environment would be a >> useful place to test untrusted programs. > >> Has anyone constructed such an environment? > >Yes. > >It's called "Merge 386" or "Vp/IX". > >[Ed. These products, by the way, are DOS emulation boxes for i386 >based UNIX and XENIX products.] Would someone elaborate on this? Surely a program (virus or otherwise) running under the emulator could do the same things, including deleting all the files it can find, as on DOS. What protection is provided? Perhaps not allowing access to the FAT, boot sector, etc.? ------------------------------ Date: Tue, 21 Nov 89 13:46:23 -0500 From: Kenneth R. van Wyk Subject: Re: 80386 and viruses (PC & UNIX) >> Would someone elaborate on this? Surely a program (virus or otherwise) >> running under the emulator could do the same things, including deleting all >> the files it can find, as on DOS. What protection is provided? Perhaps >> not allowing access to the FAT, boot sector, etc.? At least in the case of VP/ix (which I used on a Zenith 386 SCO Xenix system when I worked at Lehigh), all DOS calls are subject to "approval" by Xenix - or UNIX for that matter, on a 386 UNIX system. All interrupts, etc., are handled by Xenix in the end. The DOS session(s) runs as a virtual 8086 on the 386, and is given an image file which appears to be a physical hard disk to the DOS session. The "boot sector" per se is just part of a file on the Xenix file system (or on a floppy if the VP/ix system is rebooted from floppy). I would imagine that this logical physical (?!) drive would be subject to boot sector infections, but the actual Xenix disk is treated as a network disk. If a VP/ix process tries to delete or alter any of the Xenix files, it would be subject to standard Xenix file protection mechanisms. I never did try to perform any direct (via hardware) read or writes on the hard disk, but I suspect that they would be stopped. Can anyone confirm this? One interesting side-effect of the way VP/ix works is that a (ctrl-alt-del) reboot really works - and can, in fact, be used to reboot from floppy. The VP/ix session boot DOS, while leaving the Xenix system quite in-tact. Very disconcerting the first time it's done. Running a DOS emulator under UNIX (or Xenix), in my opinion, would be a very expensive anti-virus tool. To me, there are plenty of other good reasons to run UNIX on a 386 or 486. Ken ------------------------------ Date: Mon, 20 Nov 89 23:04:16 -0800 From: portal!cup.portal.com!Gary_F_Tom%Sun.COM@vma.cc.cmu.edu Subject: CVIA clarifications Original-Date: 11-20-89 18:10:56 Original-From: John McAfee I regret that Ross Greenberg and three of my other competitors mentioned in his statement persist in an attitude of hostility toward myself and my endeavors. I have no answer to Ross's allegations that could possibly suffice, other than that my own recollections of the events he described differ radically from his descriptions. I must set the record straight on two points however: First, Ross states that the CVIA sells anti-viral software and that SCAN is one of its products. The CVIA does not sell any product, SCAN or otherwise, and has never sold any product. It is a non-profit corporation funded solely by the membership and its only other source of income is through the distribution of a public information packet (price - $4.00; cost to produce - $4.70). Second, Ross states that the CVIA is an organization of antiviral product vendors. This is entirely incorrect. The majority of members are computer manufacturers or software houses with no existing or planned antivirus products as part of their product lines. It is true that the beginning membership was composed of antiviral product vendors, but the understanding from the beginning was that the organization must have (and indeed now has) a broad industry participation. John McAfee ------------------------------ Date: Tue, 21 Nov 89 10:10:03 -0700 From: Peter Zukoski Subject: followup on mind viruses Dear virus-folk: thanks for all the responses to Richard Dawkins questions. Here's some further thoughts from Richard on the topic of mind viruses...He and I would be interested in your opinions, especially on evolving/mutating virus technology. Has anyone seen viri which evolve, or mutate in response to the environment which it is in? Or viri which recognize and "use" other viri which might be present? OK Richard, you may begin... - ---------------------------- There is something important about the distinction between what I call Anarchic Replicators and Socialized Replicators. In the world of DNA, anarchic replicators are things like viruses, or smaller units with names like viroids or plasmids, which parasitically exploit the large-scale transcribing and copying machinery in cells, machinery which has been put together by cooperating teams of socialized replicators. Socialized replicators are the ordinary mainline genes that travel from generation to generation in sperms or eggs and cooperate to build big survival-machines like our bodies. In a sense, our 'own' genes are parasitic on each aother's efforts, just as virus genes are parasitic on the efforts of other genes. In the world of mind viruses, the reason large religions like Islam or Roman Catholicism fascinate (as well as repel) me is that they are large aggregations of mutually socialized viruses, which work to sustain other members of the cluster and work to destroy alternative replicators. e.g. Islam has a rule that apostates must be punished by death. The rule of priestly celibacy in Catholicism at first sight doesn't seem like a self-preserving replicator. But it frees the priest's time for more active proselytizing, and it enjoys a good mutualistic relationship with another rule of contraception among non-priests. In the world of computer viruses, I find it harder to find an analogy for socialized replicators. I gather that anti-virus programmers have already used the 'biological control' self-replication technique - sending in a tame,'good' virus to catch the bad one. This reminds us of the possibility of a kind of ecology of computer viruses building. We are reminded of this, again, in another of the papers which states that viruses that were originally intended to be benign can turn unintentionally malignant when the user upgrades to a new Operating System. A given OS serves as an environment in which a virus may flourish or not, may behave benignly or malignantly. Couldn't we envisage a time when the whole computer environment facing a new virus is put together, not just by one monolithic OS, but by the OS plus a motley collection of aleady-infiltrated viruses, some benign, some malignant, s ome medicinal. New viruses will be written to flourish, not just in known OSs, like System 6, System 7 and so on, but in a background containing an unknown but statistically guessable collection of already existing viruses. Already, the environment that even a legitimate programmer has to cope with is more than just the operating system - think of the motley collection of co-resident INITs and Desk Accessories that you have to worry about when writing a program for public consumption. A virus ecology will just complicate the picture, in the same 'biological' direction. The language I am now using is not too far from the language that I use (e.g. in The Selfish Gene and The Extended Phenotype) to describe the co-evolution of genes in genomes. So far, as far as I know computer viruses don't evolve. Even with viruses manufactured by conscious human programmers, something like a mutually co-evolved cluster of viruses could come to constitute the environment to which any future virus has to accommodate itself. If truly evolving (self-modifying in adaptive directions) viruses start to arise, the trend will go even further. Software Companies may have to write their products to be compatible, not just with numbered versions of 'The System', but with the changing statistical ensemble of fellow-travellers both good and bad. I'd be interested in hearing whether any of this makes sense. Richard - ----------------------- "Do what you want -- you will anyway." PeterZ ------------------------------ Date: 21 Nov 89 14:06:19 -0500 From: Pat Ralston Subject: Virus Disinfectors (Mac) Thanks to Alan for his contribution on Fri. Nov. 17th. Listing many or all of the Virus Disinfectors and the viruses associated with them was a big help and a time saver. Hunting through the back issues of this list for specific information is becoming an unruly task for me. Now will some one do the same kind of list for the Mac? Thank you in advance. Pat Ralston ------------------------------ Date: Tue, 21 Nov 89 14:53:48 -0500 From: joel_glickman@MTS.RPI.EDU Subject: Potential Virus? (Mac) I have just recently noticed a problem on my Mac. After using Cricket Graph I checked the last modified date and the program had just been modified. After noting this, I began checking other programs and found that my copy of Versaterm Pro was also being modified every time I ran it. It was at that point that I checked these programs on other people's Macs in the office and saw that these programs were not being modified on some, while they were being modified on others.. I am running Gatekeeper and Vaccine and have checked these programs with Disinfectant and they report no trouble. My question is: Should these programs modify themselves when I just run them. All I do is run them and quit immediately and they are modified??? Do you think I have a virus problem??? Joel Glickman Rensselaer Polytechnic Institute. ------------------------------ Date: 21 Nov 89 17:42:00 +0100 From: Klaus Brunnstein Subject: Computer Virus Catalog Index:November'89 The Computer Virus Catalog now classifies 45 viruses (AMIGA:24;MSDOS:15; Atari:6). Activities are undertaken to make the documents available via servers in different regions of the world; we hope that we can announce such servers in the next weeks. If you wish to receive the documents (see Index appended, with length of the documents given) sooner, please send a short request to the author. Klaus Brunnstein ======================================================================== == Computer Virus Catalog Index == ======================================================================== == Status: November 15, 1989 (Format 1.2) == == Classified: 15 MSDOS-Viruses (MSDOSVIR.A89) == == 24 AMIGA-Viruses (AMIGAVIR.A89) == == 6 Atari-Viruses (ATARIVIR.A89) == == Updates since last edition (July 31, 1989) marked: U (column 70)=U= == Additions since last edition (July 31, 1989) marked: + (column 70)=+= ======================================================================== == Document MSDOSVIR.A89 contains the classifications of the == == following viruses (1.138 Lines, 6.271 Words, 62 kBytes): == == == == 1) Autumn Leaves=Herbst="1704"=Cascade A Virus == == 2) "1701" = Cascade B = Autumn Leaves B = Herbst B Virus == == 3) Bouncing Ball = Italian = Ping Pong= Turin Virus =U= == 4) "Friday 13th" = South African Virus =+= == 5) GhostBalls Virus =+= == 6) Icelandic#1 = Disk Crunching = One-in-Ten Virus =U= == 7) Icelandic#2 Virus =+= == 8) Israeli = Jerusalem A Virus =U= == 9) MachoSoft Virus =+= == 10) Merritt = Alameda A = Yale Virus == == 11) Oropax = Music Virus == == 12) Saratoga Virus =+= == 13) SHOE-B v9.0 Virus == == 14) VACSINA Virus =+= == 15) Vienna = Austrian = "648" Virus =U= == == == Remark: The following 13 MS-DOS-Viruses are presently being classi-== == fied and will be published in the next edition (December 31,1989): == == .) Brain A = Pakistani A-Virus (Pakistani Virus Strain) == == .) Datacrime I = 1168 Virus (Datacrime Virus Strain) == == .) Datacrime II = 1280 Virus (Datacrime Virus Strain) == == .) Den Zuk Virus (Venezuela/Search Virus Strain) == == .) Lehigh Virus == == .) FuManchu Virus (Israeli Virus Strain) == == .) NewZeeland= Marijuana= Stoned Virus (NewZealand Virus Strain) == == .) Pentagon Virus == == .) SURIV 1.01,2.01,3.00 Viruses (Israeli Virus Strain) == == .) Traceback Virus == == .) 405 Virus == ======================================================================== == Document AMIGAVIR.A89 contains the classifications of the == == following 24 viruses (2.272 Lines, 9.421 Words, 106 kBytes): == == == == 1) AEK-Virus = Micro-Master Virus (SCA Virus Strain) =U= == 2) BGS 9-Virus =+= == 3) Byte Bandit Virus =U= == 4) Byte Bandit Plus Virus (Byte Bandit Virus Strain) =+= == 5) Byte Warrior#1 Virus = DASA-Virus (Byte Warrior Strain) =U= == 6) Disk Doctors Virus =U= == 7) Gaddafi-Virus =U= == 8) Gyros Virus =U= == 9) IRQ-Virus =U= == 10) LAMER (Exterminator) Virus =U= == 11) LSD Virus (SCA Virus Strain) =+= == 12) NORTH STAR I Antivirus-Virus (NORTH STAR Virus Strain) =U= == 13) NORTH STAR II Antivirus-Virus (NORTH STAR Virus Strain) =U= == 14) Obelisk Virus =U= == 15) Paramount Virus = Byte Warrior#2 Virus (Byte Warrior Strain) =U= == 16) Pentagon Antivirus-Virus =+= == 17) Revenge 1.2G Virus =+= == 18) SCA-Virus =U= == 19) System Z 3.0 Antivirus-Virus (System Z Virus Strain) =U= == 20) System Z 4.0 Antivirus-Virus (System Z Virus Strain) =U= == 21) System Z 5.0 Antivirus-Virus (System Z Virus Strain) =+= == 22) Timebomb 1.0 Virus =+= == 23) VKill 1.0 Virus = Camouflage Virus =U= == 24) WAFT-Virus =+= == == == Remark: the following 8 AMIGA-viruses are presently analysed, clas-= == sified and will be published in the next edition (12/31/1989): == == .) BUTONIC 1.1 Virus == == .) JOSHUA Virus == == .) LAMER EXTERMINATOR Virus 1.0, 2.0, 3.0 == == .) SYSTEM Z 5.1, 5.3 Virus == == .) WARHAWK Virus == ======================================================================== == Document ATARIVIR.A89 contains the classifications of the == == following 6 viruses (375 Lines, 2.045 Words, 21 kBytes): == == == == 1) ANTHRAX = Milzbrand Virus =+= == 2) c't Virus == == 3) Emil 1A Virus = "Virus 1A" == == 4) Emil 2A Virus = "Virus 2A" = mad Virus == == 5) Mouse (Inverter) Virus =U= == 6) Zimmermann-Virus == == == == Since last edition, ANTHRAX V. has been added. We have problems to == == get viruses, as many users wish to exchange their viruses (like == == stamps) against our's, which we generally refuse: the Virus Test == == Center's ethical standard says, that we do not spread viruses! == == Please send infected programs without preconditions. == ======================================================================== == For essential updates (marked "U="), we wish to thank D.Ferbrache,== == Y.Radai and F.Skulason for their continued help and support. == == Critical and constructive comments as well as additions are == == appreciated. Especially, descriptions of recently detected viruses = == will be of general interest. To receive the Virus Catalog Format, == == containing entry descriptions, please contact the above address. == ======================================================================== ======================================================================== == The Computer Virus Catalog may be copied free of charges provided == == that the source is properly mentioned at any time and location == == of reference. == ======================================================================== == Editor: Virus Test Center, Faculty for Informatics == == University of Hamburg == == Schlueterstr. 70, D2000 Hamburg 13, FR Germany == == Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner == == Tel: (040) 4123-4158 (KB), -4715 (SFH), -4162(Secr.) == == Email (EAN/BITNET): Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de == ======================================================================== == This document: 117 Lines, 701 Words, 9 kBytes == ======================================================================== ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253