VIRUS-L Digest             Tuesday, 28 Mar 1989        Volume 2 : Issue 74

Today's Topics:
RE: virus in PD software
Disinfect 1.0 (Mac)
The KillVirus Alarm (Mac)
(from UseNet rec.ham-radio) virus in PKZIP? (PC)
Re: Israeli viruses; Alameda virus (PC)
RE: Zip virus (PC)

---------------------------------------------------------------------------

Date: Tue, 28 Mar 89 09:41 EST
From: Roman Olynyk - Information Services
Subject: RE: virus in PD software

Neil Goldman's comments about viruses lurking in PD/Shareware are good.
However, I'd like to add yet another way of obtaining "sanitized" copies of
public domain goods: CD-ROM. We (WVNET) distribute software from PC-SIG
directly off of a laser disk. Although not 100% guaranteed, you can be sure
that nothing can corrupt the software once it has been burned onto a CD-ROM
disk -- at least not yet! ;-)

------------------------------

Date: Tue, 28 Mar 89 09:48:42 EST
From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk)
Subject: Disinfect 1.0 (Mac)

A colleague just showed me a program, called Disinfect (version 1.0), that
was announced in INFO-MAC. It claims to do quite a bit, including detect
most major Mac viruses (Scores, ANTI, AIDS, Init 29, MacMag, etc.), and it
is even supposed to be able to remove most (all?) of the above. The claims
are quite impressive. I'm not a Mac user, however, so don't take my word
for it. Any Mac people out there have any more info on this?

Ken

------------------------------

Date: Tue, 28 Mar 89 11:41 EST
From:
Subject: The KillVirus Alarm (Mac)

(This is in response to the recent report of an infection to the program
resource KillVirus, for the Macintosh....)

If memory serves me correctly (and I am sure that I will be corrected if I
am wrong) KillVirus is not a program per se. The resource is meant to be
the culture where viruses can infect a 'resource' and then the program can
be edited to determine the exact workings of the virus. If you are waging
war against a new virus this can be an extremely good thing, as you do not
have to root around in the source code to find what you are looking for.

If this is true (as I said before) then remove this copy of KillVirus and
replace it with a clean copy. But be forewarned: you most certainly have a
system infection on your hands, so before you go using your system, I
recommend a dose of Interferon (to find infections) and Vaccination (to
remove them). Also - replace the system. This is the safest way of making
sure you have a clean one to work with.

I am open for comments or questions....after all, trying to keep our labs
free of contamination keeps me open for help....

Thanks
Jonathan Baker
JEB107 @ PSUVM
Penn State University.

------------------------------

Date: Tue, 28 Mar 89 11:49:25 EST
Sender: Virus Alert List
From: msmith@TOPAZ.RUTGERS.EDU
Subject: (from UseNet rec.ham-radio) virus in PKZIP? (PC)

Original-Date: 25 Mar 89 03:56:53 UTC (Sat)
Original-From: wa2sqq@kd6th.nj.usa.hamradio (BOB )

PKZIP/PKUNZIP .92 AM40/AM41

Recent developments in the software world have required the famous PKARC
software to be replaced by a new version called PKZIP/PKUNZIP. While
several versions have been seen, the latest appears to be version .92.
Usually listed on landline BBS's is a program which will provide a menu
driven screen for PKZIP, usually listed as AM-40 or AM-41.

After running these one time, the embedded virus allocated 13 meg of memory
to "never never land". It appears that this "strain" looks to see how much
memory is occupied on the HD and then proceeds to gobble up an equal amount
of unused memory. The results are devastating if you have more than 50% of
the drive's capacity in use.

With the assistance of Gary WA2BAU I was able to retrieve the lost memory
by using CHKDSK /f. For those of you who are not familiar with this DOS
command, drop me a line @KD6TH and I'll elaborate. My sincere thanks goes
out to Gary WA2BAU for saving me lots of disk handling!

Please pass this on to your local BBS and be sure to include the remedy.

Best 73 de WA2SQQ
Bob Kozlarek @KD6TH in Wycoff, NJ

[Ed. Can anyone verify that this is actually a virus and not just a bug in
the program, or a Trojan Horse?]

------------------------------

Date: Tue, 28 Mar 89 18:30:58 +0200
From: Y. Radai
Subject: Re: Israeli viruses; Alameda virus (PC)

To begin with, I thought it appropriate to warn readers that Fri13 (the
Israeli Friday-the-13th virus) has apparently been "improved" (i.e. made
less noticeable) by someone in the U.S. so that it increases the size of
EXE files only once, does not cause a slowdown after 30 minutes, and does
not scroll the screen. Of course, it still causes deletion of files
executed on any Friday the 13th.

In #71, David Ferbrache mentioned the two April 1 viruses which were
discovered in Israel [at the beginning of 1988]. I too would like to hear
of reports of the April 1 viruses elsewhere, not only recent outbreaks but
also at any time in the past, so that we can know whether these viruses
really originated in Israel.

Dave asked me for further details on these viruses. In principle, I'd be
glad to oblige, but that requires research, which requires time, and since
neither of these viruses seems to cause any real damage and both have
apparently been eradicated locally, such research necessarily gets low
priority. However, I will take this opportunity to make a few small
clarifications and corrections to Dave's description: (1) The variant of
Fri13 ("sURIV 3.00") is not only "less dangerous", but not dangerous at
all due to a bug; (2) the names "sURIV x.xx" which Dave has given them are
based on strings which appear in the viral code (but they could probably
be altered without disabling the viruses); (3) I wouldn't describe the
April 1 viruses as "variants of the Friday 13th virus".

In any case, I've promised to supply Dave with anti-viral programs and
various text files for his server (sorry for not doing it yet, Dave), and
will do so as soon as I find the time. At that time I'll also post a
notice to the List.

In #62 David Chess mentioned the Alameda Virus which was described by John
McAfee in the Feb 15 issue of Datamation. Now I had seen another article
of McAfee's in the Feb 13 issue of Computerworld which contained the same
table of "the 6 most common computer viruses", and like David, I also
conjectured that Alameda = Yale. Actually, from the few details which
McAfee gives, about the only similarities are that both are PC boot sector
viruses which do *not* mark as bad the sector on which they store the
original boot code. However, the fact that none of the values of the
generation counter found at Yale last August were less than 12h could be
explained if Yale were a continuation of some other virus, such as
Alameda.

However, there was one point which bothered me: McAfee describes the
Alameda virus as follows: "Stores original boot sector on first free
sector." Now this is *not* true of the Yale virus, which always stores it
in the ninth sector of Track 40. I decided that the description by Chris
Bracy and Loren Keim of the Yale virus was far more dependable than
McAfee's meager description of the Alameda, and that there was a good
chance that the two viruses are the same, after all. But what I don't
understand now is what basis *McAfee* has for stating categorically that
the two viruses are the same.

And there's another peculiarity: In his original article, McAfee wrote
that the origin of the virus was "Merritt College ... spring 1988".
However, in his response of Mar 14 which was reprinted in VIRUS-L #71, he
says "It was first discovered at Merritt ... in April of 1977". I
originally thought: well, he obviously means April of 1988. But later he
writes that the virus reached Alameda in Feb 1988. So now I'm thoroughly
confused!

So Gary, since you obviously are able to contact McAfee, would you mind
asking him (1) to clarify the inconsistency in the dates, (2) to give us
all available details on the Alameda-Merritt virus, and (3) to provide
all the evidence he has for concluding that Alameda = Yale.

                                       Y. Radai
                                       Hebrew Univ. of Jerusalem

------------------------------

Date: Tue, 28 Mar 89 14:48 EDT
From: Paul Coen
Subject: RE: Zip virus (PC)

>While several versions have been seen, the latest appears to be
>version .92 . Usually listed on landline BBS's is a program which will
>provide a menu driven screen for PKZIP, usually listed as AM-40 or
>AM-41.
>
>After running these one time, the embedded virus allocated 13 meg of
>memory to "never never land". It appears that this "strain" looks to
>see how much memory is occupied on the HD and then proceeds to

Is the virus in PKZIP or in AM-40? From the sound of it this is in AM-40.
Also, I've been running PKZIP 0.92 for a couple of weeks (on my HD)
without a problem. I would advise anyone looking to get Zip to either get
it from someone reliable, or from the PKWARE BBS in Wisconsin. Also, any
front-end menu programs should be downloaded from there. I don't have the
number handy, but if anyone wants it I can get it.

I'm not very surprised at this, since ARC/ZIP type programs have been a
favorite of program writers for a couple of years now.

Thanks for the warning.....

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
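Appended after the digest as an added example, not part of the digest and not code from PKZIP, AM-40 or any other program mentioned above: the PKZIP/AM-40 report, Paul Coen's reply and the editor's question all turn on what CHKDSK /f actually gave back. Space that "disappears" from a DOS hard disk and returns after CHKDSK /f is the classic signature of lost clusters: entries in the File Allocation Table marked in use that no directory entry references. The model below walks a toy FAT12 table the way CHKDSK does, reporting lost chains (what /f turns into FILEnnnn.CHK files), cross-linked clusters and broken chains. The table, the directory entries and the 2048-byte cluster size are constructed for illustration, not taken from any real disk; the check itself cannot tell a crashed program from a Trojan that deliberately hides data, which is why the editor's question is the right one to ask.

```python
# Added example: the lost-cluster bookkeeping check behind CHKDSK /f, run on
# a constructed toy FAT12 volume (not a dump of any real disk).
#
# A FAT volume keeps two records that must agree: the File Allocation Table,
# where every cluster entry is "free", "next cluster in this chain", "bad" or
# "end of chain", and the directory entries, which name a file and point at
# the first cluster of its chain.  A program that allocates clusters and exits
# without ever writing a directory entry for them (a crash, a bug, or a
# program that hides data on purpose) leaves clusters that are allocated but
# owned by no file.  Those are "lost allocation units".

FREE = 0x000          # FAT entry value: cluster not allocated
BAD = 0xFF7           # FAT entry value: cluster marked bad, never in a chain
EOC_MIN = 0xFF8       # FAT12 end-of-chain markers are 0xFF8..0xFFF


def walk_chain(fat, start):
    """Follow a cluster chain from `start` to its end-of-chain marker.

    Returns (clusters, ok).  ok is False when the chain is damaged: it loops,
    leaves the table, or runs into a free or bad cluster before an EOC.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat) or cur in seen:
            return chain, False          # points outside the table, or loops
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= EOC_MIN:
            return chain, True           # clean end of chain
        if nxt in (FREE, BAD):
            return chain, False          # chain broken before its EOC
        cur = nxt


def check_volume(fat, directory, cluster_bytes):
    """Return the findings CHKDSK would report for this FAT and directory.

    directory: list of (name, first_cluster, size_bytes).  A first cluster of
    0 means an empty file that owns no clusters.
    """
    owner = {}              # cluster -> first file whose chain reached it
    cross_linked = {}       # cluster -> every file whose chain reaches it
    broken = []             # files whose chain does not end cleanly
    for name, first, _size in directory:
        if first == 0:
            continue
        chain, ok = walk_chain(fat, first)
        if not ok:
            broken.append(name)
        for c in chain:
            if c in owner:
                cross_linked.setdefault(c, [owner[c]]).append(name)
            else:
                owner[c] = name

    # Allocated = every data cluster not free and not marked bad.  Clusters
    # 0 and 1 are reserved on a real FAT and are never data clusters.
    allocated = {c for c in range(2, len(fat)) if fat[c] not in (FREE, BAD)}
    lost = allocated - set(owner)

    # Group lost clusters into chains the way CHKDSK /f recovers them: a
    # chain head is a lost cluster that no other lost cluster points to.
    pointed_to = {fat[c] for c in lost if fat[c] in lost}
    chains = []
    for head in sorted(c for c in lost if c not in pointed_to):
        chain, cur = [], head
        while cur in lost and cur not in chain:
            chain.append(cur)
            cur = fat[cur]
        chains.append(chain)

    return {
        "lost_clusters": sorted(lost),
        "lost_chains": chains,
        "lost_bytes": len(lost) * cluster_bytes,
        "cross_linked": {c: names for c, names in sorted(cross_linked.items())},
        "broken_files": broken,
    }


# --- constructed sample volume -------------------------------------------
CLUSTER_BYTES = 2048                 # assumed cluster size for the toy volume
FAT = [FREE] * 64                    # 64 entries; 0 and 1 are reserved
FAT[0], FAT[1] = 0xFF8, 0xFFF        # reserved entries, as on a real FAT12


def _link(*clusters):
    """Helper for building the sample: chain the clusters and end with EOC."""
    for a, b in zip(clusters, clusters[1:]):
        FAT[a] = b
    FAT[clusters[-1]] = 0xFFF


_link(2, 3, 4)         # README.TXT
_link(5)               # AM40.EXE, one cluster
_link(10, 11, 12)      # allocated but owned by no directory entry: lost
_link(20)              # a second lost chain
FAT[30] = BAD          # bad cluster: allocated-looking, but not "lost"

DIRECTORY = [
    ("README.TXT", 2, 5000),
    ("AM40.EXE", 5, 1800),
    ("DUP.TXT", 3, 3000),            # points into README.TXT's chain: cross-linked
    ("EMPTY.TXT", 0, 0),
]

REPORT = check_volume(FAT, DIRECTORY, CLUSTER_BYTES)
```

On this sample the report lists lost clusters 10, 11, 12 and 20 in two chains (8192 bytes) and flags clusters 3 and 4 as cross-linked between README.TXT and DUP.TXT. A real CHKDSK reads the FAT and directories off the disk instead of a constructed table, but the arithmetic is the same: space is "missing" exactly when the allocated set is larger than the set reachable from the directory tree.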