VIRUS-L Digest          Wednesday, 8 Feb 1989          Volume 2 : Issue 40

Today's Topics:
Re: Info on How To Book
Dormant Viruses (Mac & general)
Virus susceptibility (Mac)
Re: CTRL-ALT-INS rebooting (PC)
Virus Technical Report

---------------------------------------------------------------------------

Date: Wed, 08 Feb 89 15:42:01 MEZ
From: Konrad Neuwirth
Subject: Re: Info on How To Book

I know a German book called "Das Grosse Computervirenbuch" by a guy
called Ralf Burger and published in Germany by Data Becker. The people
responsible for bringing the Data Becker things to America are Abacus
Software. I don't have the address handy but can send it to you if you
want. I just got to look for it....

-Konrad

[Ed. Thanks for the info. I trust that the version in America has been
translated? I suppose that it's arguably a good idea to send
information like this over the nets, but I feel that once a book like
this has been published, any damage is already done. I think that it
is certainly worth _our_ while to read books/publications/etc. like
this for our own protection, if nothing else. Suggestions?]

------------------------------

Date: Wed, 08 Feb 89 13:15:54 EST
From: Joe McMahon
Subject: Dormant Viruses (Mac & general)

The Scores/nVIR/Hpat/INIT 29 viruses can all be found, whether or not
there is dormancy code in them, because the resources which define the
viruses are detectable. This is what's so bad about the new ANTI
virus; that sucker just munges itself into your code -- no detectable
resources, no virus (from the current detectors).

--- Joe M.

------------------------------

Date: Wed, 8 Feb 1989 14:13 EST
From: Bruce Ide
Subject: Virus susceptibility (Mac)

Just by reading through this discussion, I see that the Apple Mac
seems to be struck more by viruses than any other computer. Is this
true, or do we just have a lot of Mac users here? Also, what makes the
Mac environment so susceptible to these viruses?
-Grey Fox

------------------------------

Date: Wed, 08 Feb 89 14:35:38 EST
From: Neil Goldman
Subject: Re: CTRL-ALT-INS rebooting (PC)

Brent Ingerman responds to a question about *physically* preventing
the computer from booting from the A drive. Zenith PC's have a 'setup'
screen which is accessed via CTRL-ALT-INS. One of the options is to
specify the drive from which to boot.

Problems:

1. Any user having knowledge of the 'setup' screen could reset the
   boot drive to A.

2. Any user NOT having knowledge of the 'setup' screen could (and most
   likely would) find it 'by accident' when s/he, intending to press
   CTRL-ALT-DEL, presses CTRL-ALT-INS.

3. This fix is software-based. So here we return to the
   system-specific virus controversy, which I will not rehash here.

I do not have the technical expertise to answer the *original*
question of a *hardware* modification which would prevent booting from
drive A. Any ideas?

--------------------------------------------------------------------
Neil A. Goldman                 NG44SPEL@MIAMIU.BITNET

Replies, Concerns, Disagreements, and Flames expected.
Mastercard, Visa, and American Express not accepted.
Acknowledge-To:

------------------------------

Date: Wed, 8 Feb 89 19:03:34 GMT
From: David.J.Ferbrache
Subject: Virus Technical Report

-------------------------------------------------------------
A review of the threat posed to the security and integrity of
microcomputer systems posed by self-replicating code segments
-------------------------------------------------------------

I am in the process of compiling information on existing computer
viruses, with a view to the production of a technical paper reviewing
the threat to system security posed by both present computer viruses
and likely future developments.

To this end I would be very grateful for information on individual
infections, preferably detailing the symptoms observed, damage caused
and disinfection techniques applied.
Naturally I am also interested in details of the operation of the
viruses, although I appreciate the reticence shown by infected parties
to disseminate any details of virus operation, on the basis that it
could lead to development of further viruses.

The technical report is part of a Doctoral research thesis in computer
security, and will be available in late May. Distribution of the
technical report will be restricted to people who have a legitimate
interest (i.e. systems managers, commercial concerns, research), as I
expect to review the techniques exploited by viruses in a fair degree
of detail at the BIOS/DOS interface level.

The report will consider the techniques used by viruses to duplicate,
the ways in which viruses gain control of the computer system, the
camouflage techniques adopted and a brief overview of the existing
computer viruses.

Finally the report will consider the likely development of the threat
from viruses, and how this developing threat can be addressed by
protective software in both virtual and non-virtual machine operating
environments.

At the moment I know of the following viruses:

IBM PC MS/DOS
1. Lehigh variant 1 and 2
2. New Zealand (stoned)
3. Vienna (Austrian, 648)
4. Blackjack (1701, 1704)
5. Italian (Ping Pong)
6. Israeli variant 1 (Friday 13th, 1813, PLO, Jerusalem),
   variant 2, variant 3 (April 1st), variant 4
7. Brain (Pakistani) and variants
8. Yale

Also potentially variants of the Rush Hour and VirDem viruses
developed during the CCC's work on viruses.

APPLE MAC
1. NVir variant A and B, Hpat
2. Scores
3. INIT 29
4. ANTI
5. Peace (MacMag)

APPLE II
1. Elk

AMIGA
1. SCA
2. Byte Bandit
3. IRQ

ATARI ST
1. Boot sector
2. Virus construction set viruses

Mainframe OS worms
1. Internet worm
2. DECNET worm
3. BITNET Xmas chain letter

I would be grateful for any information on these, or any other
viruses.
Reports of infection may be given in confidence, in which case they
will only be used as an indication of geographical distribution of
infection.

A summary of known viruses, their symptoms, geographic distribution
and known disinfection measures will be posted to the list as soon as
sufficient information is available to prepare an interim report.

As part of the paper I will also be reviewing the effectiveness of
viral disinfection software, and would thus be interested in details
of any software you use, its effectiveness, and availability.

Thanks for your time!

For those interested here is a summary of a few of the virus reports
published on virus-l and usenet,

Subject, author and date                        Virus       Virus-l issue

THE AMIGA VIRUS - Bill Koester (CATS)           SCA         LOG8805
  comp.sys.amiga, 13 November 1987
New Year's Virus Report - George Robbins        IRQ
  1 January 1989, comp.sys.amiga
The Elk Cloner V2.0 - Phil Goetz                ELK
  26 Apr 1988
THE ATARI ST VIRUS - Chris Allen                ATARI ST
  22 March 1988, comp.sys.atari
Features of Blackjack Virus, Otto Stolz         BLACKJACK   v2.24
  24 Jan 1989
Comments on the "(c) Brain" Virus               BRAIN       LOG8805
  Joseph Sieczkowski, Apr 1988
Brain and the boot sequence, Dimitri Vulis      BRAIN       v2.5
  5 Jan 1989
The Israeli viruses, Y.Radai                    ISRAELI     LOG8805
  2 May 1988
VIRUS WARNING: Lehigh virus version II          LEHIGH v2   v2.35
  Ken van Wyk, 3 Feb 1989
The Ping-Pong virus, Y.Radai                    ITALIAN     v2.18
  17 Jan 1989
Known PC Viruses in the UK and their effects    MOST PC     v2.23
  Alan Solomon, 1989
Yale Virus Info, Chris Bracy,                   YALE        LOG8809a
  2 Sep 1988
New Macintosh Virus, Robert Hammen              ANTI
  comp.sys.mac, 7 Feb 1989
Hpat virus-it is a slightly modified nVIR       HPAT
  Alexis Rosen, comp.sys.mac, 7 Jan 1989
INIT 29: a brief description,                   INIT 29     v2.18
  Joel Levin, 18 Jan 1989
A detailed description of the INIT 29 virus     INIT 29     v2.30
  Thomas Bond, 27 Jan 1989
The Scores Virus, John Norstad                  SCORES      LOG8804
  info-mac digest, 23 Apr 1988
Macintosh infection at Seale-Hayne College      TSUNAMI     LOG8808d
  Adrian Vranch, 8 July 1988
DEFENCE DATA NETWORK MANAGEMENT BULLETIN,       DECNET      (see also v1.59a)
  50, 23 Dec 1988,
The internet worm program, an analysis          INTERNET
  Gene Spafford, Nov 1988

I apologise to any researchers whose articles I have not cited, in
what is currently an incomplete list of references. Hopefully, this
article will be of some use in providing a general list of viruses
which have affected computer systems in the past.

Thanks for your time, and I look forward to any information you can
supply me with.

Dave Ferbrache                  Personal mail to:
Dept of computer science        Internet
Heriot-Watt University          Janet
79 Grassmarket                  UUCP      ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ           Tel       (UK) 031-225-6465 ext 553

------------------------------

End of VIRUS-L Digest
*********************