VIRUS-L Digest Friday, 10 Mar 1989 Volume 2 : Issue 62 Today's Topics: Bouncing ball (PC) Alameda virus? (PC) Possible Virus protection Flu_Shot+ queries answered (PC) Brain virus infection (PC) bouncing ball virus (PC) --------------------------------------------------------------------------- Date: 9 March 89, 13:12:01 MEX From: Mario Camou Riveroll Subject: Bouncing ball (PC) Here at the Monterrey Tech (Mexico City campus) we had an epidemic of the bouncing ball virus. This strain lodged itself in a couple of "bad" sectors (it marked them as bad in the FAT). There seem to be at least 2 strains, one that doesn't seem to have any adverse effects and another one that scrambles up the FAT and root directory. That's as much as I know about it. We call it the Italian Virus (don't know if this helps). Mario Camou EM302723@VMTECMEX "Those who can, do. Those who can't, teach. Those who can't teach, manage." ------------------------------ Date: 9 March 1989, 16:01:10 EST From: David M. Chess Subject: Alameda virus? (PC) John McAfee's article in the Feb 15 issue of Datamation, "The Virus Cure" (good article, poor title) lists a boot-sector virus that he calls the "Alameda Virus". I've never heard that name before, and it isn't on Dave Ferbrache's February list. It does sound sort of like the "Yale" boot virus (which McAfee doesn't list under that name); does anyone know if the two are in fact the same? If not, does anyone know any more about the "Alameda"? DC Watson Research ------------------------------ Date: Thu, 09 Mar 89 22:18:14 -0900 From: Reed Rector Subject: Possible Virus protection It seems to me that global methods of virus checking are limited by their scope. If there is an accepted way for the system to check for viruses, then people WILL find ways to get around it. On the other hand, if all programmers are encouraged to include routines that look for infection in every program they write, then the spread of viruses can be greatly slowed. If each program were to keep itself free of infection though methods developed seperatly by each programmer, then there would be no "standard" way for viruses to invade the software. These checks could be relativly simple checksum methods, but if each program has different code (even if they do the same basic thing) to do these checksums, then viruses could only carry patches for a few products. This method of individual program protection could be forced on the whole industry by only a few programmers. Once programs become available that have a "virus resistant" seal of approvial, they have a great advantage over competing products that don't. I'd be willing to bet that the cost of these routines would more than pay for themselves, while making the virus illiterate public safer. Thanks for your time, Reed Rector - Systems Programming, Univ of Alaska SXWRR@ALASKA (BITNET) SXWRR@acad3.fai.alaska.edu (Internet) * Disclaimer: All of the above views are mine (assuming you believe in free will), and in no way reflect the views of anyone else. ------------------------------ Date: Thu Mar 9 13:30:39 1989 From: utoday!greenber@uunet.UU.NET Subject: Flu_Shot+ queries answered (PC) (Sorry for the delay in responding...some hardware problems kept me offline for close to three weeks!) Paul: The checksum values shipped with the distribution copy of FLU_SHOT+ are dummy values. Although the next release will have an easier installation package, you simply must run the code, copy down the expected checksums, then edit them into the FLU_SHOT.DAT file. I didn't want to have the checksum routines in two places initially as an additional security precaution. Jelle: I'm in the process of invetigating what PCTools does which permits it to get around FSP1.51 - stay tuned for the next release, which will [hopefully] solve the problem. Ross Ross M. Greenberg UNIX TODAY! 594 Third Avenue New York New York 10016 Review Editor Voice:(212)-889-6431 BBS:(212)-889-6438 uunet!utoday!greenber BIX: greenber MCI: greenber PCMagNet: 72241,36 ------------------------------ Date: Thu Mar 9 13:41:19 1989 From: utoday!greenber@uunet.UU.NET Subject: Brain virus infection (PC) Rob: you were hit with what seems to be the so-called "Brain" Virus. There does not appear to be a seeder program of any sort. In general, this virus takes over the BIOS interrupt for INT13, and takes a look at the boot track on any disk it will [maybe] infect. If it finds the key of 1234 (as a number) stored starting at offset location 4 in the boot track, it assumes that the disk is already infected and leaves it alone. Ross M. Greenberg UNIX TODAY! 594 Third Avenue New York New York 10016 Review Editor Voice:(212)-889-6431 BBS:(212)-889-6438 uunet!utoday!greenber BIX: greenber MCI: greenber PCMagNet: 72241,36 ------------------------------ Date: Fri, 10 Mar 89 14:03 N From: ROB_NAUTA Subject: bouncing ball virus (PC) Thanks everybody for the replies. I can answer some questions. First of all it's not the face.com joke program, it's a real bootsector virus. It is indeed like someone described a virus that marks one sector bad, not three like the brain virus i read about in the magazine Computers & Security. Defeating it is easy but I'm glad there is no additional counter or timer. I found the following in the code of the bootsector.. XOR AH,AH INT 1A TEST DH,7F JNZ 0203 TEST DL,F0 JNZ 0203 PUSH DX CALL 03B3 INT 1A with AH=00 gets the time of day. This explains the assumed irrational behaviour: the virus appeared on IBM PC's but not on some others (i mean the ball part). I could never get it to bounce at home, probably because of the differences in cold boot time (the ibm takes forever)... and why it would appear after a cold boot but not after some warm boots.. Rob J. Nauta ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253