VIRUS-L Digest            Wednesday, 29 Mar 1989        Volume 2 : Issue 75

Today's Topics:

"dBase virus" (PC)
disinfectant (Mac)
RE: Virus in PD Software
Television & viruses
News Usenet group comp.virus
Re: Israeli viruses (PC)
Disinfectant (Mac)

---------------------------------------------------------------------------

Date: Tue Mar 28 22:23:43 1989
From: utoday!greenber@uunet.UU.NET
Subject: "dBase virus" (PC)

Hmmm. Although the transposition algorithm in (what I'm calling) the dBase Virus was pretty simple, it took a while to hack through the virused code to see what was happening. Far easier than reconstructing the algorithm was merely to defang it as I indicated in my posting. Consider if the bad-guy encrypted the transposition-information file.

Besides, I took some sort of perverse joy out of using the bad guy's code to reverse his "work" (we must all get our pleasures in some strange way, right? :-) )

Ross M. Greenberg
UNIX TODAY!             594 Third Avenue   New York   New York  10016
Review Editor           Voice:(212)-889-6431 BBS:(212)-889-6438
uunet!utoday!greenber   BIX: greenber  MCI: greenber   CIS: 72461,3212

------------------------------

Date: Wed, 29 Mar 89 08:03:27 CET
From: "Willem N. Ellis"
Subject: disinfectant (Mac)

Disinfectant was announced a few days ago on the Infomac list. Bitnet users may obtain it from the LISTSERV @ RICE by sending a mail with as only text:

    $macarch get virus/disinfectant.hqx

Unfortunately, I do not have a description of the program at hand, but it looked impressive indeed.

Willem N. Ellis

------------------------------

Date: Wed, 29 Mar 89 00:05 EST
From: "SYSOP, THE SHENANDOAH VALLEY HELPLINE BBS: (703) 269-4802"
Subject: RE: Virus in PD Software

Roman Olynyk writes that CD-ROM is a good source of "sanitized" software. Although it may be more reliable than software downloaded from a local BBS, it still doesn't assure you of a clean program. Recently, here at JMU, several versions of Macintosh viruses made it onto campus through just such a media.
Although the CD-ROM is unaffected by the virus, the software on it can be replaced. Not so for the data residing on your PC that you've put so much work into.

I am a strong believer in the PD/Shareware concept, and feel that the programs are as safe as the shrink wrapped variety. However, I also think that getting it from the source is a reasonable precaution.

Chip Whiteside

------------------------------

Date: Tue, 28 Mar 89 21:35 EST
From:
Subject: Television & viruses

FYI -- television & viruses

I'm not sure how many "trekkies/trekkers" subscribe to this list, but this is the latest medium for public awareness of viruses. Last week's Star Trek -- the Next Generation was centered around (of all things) viruses.

The Enterprise was heading to the neutral zone to meet with a ship who was investigating a strange planet. During the ship's contact with the planet, it received transmissions that were stored in the computer banks. After that, the ship began to experience mishaps and system failures here and there. When the Enterprise finally met up with the ship, they barely had time to download the logs and data before the ship exploded. They were convinced that it was a design flaw with the ship and not due to any external force.

Well, to make a long story even longer, the Enterprise began to experience the same problems. Through careful analysis, they discovered that the errors were caused by a program which was attached to the downloaded logs. The program, once in the Enterprise's banks began to adapt to the environment and seek out available space and re-generate itself throughout the whole system.

After a good amount of storyline, they finally figured out that the way to get rid of the "virus" was to shut down systems and (I'm paraphrasing) re-format and re-initialize from backups which were locked and stored in one of the bays.

For a change, I saw nothing wrong with the way viruses were dealt with in a television program.
This is far from the teenage revenge hacker with black, thick-rimmed glasses seeking to destroy the government.

If anyone else has seen it, please let me know what you think.

Reply to: RER1@SCRANTON

------------------------------

Date: Wed, 29 Mar 89 07:53:15 CST
From: jwright@ATANASOFF.CS.IASTATE.EDU
Subject: News Usenet group comp.virus

To all virus-l readers,

As some of you may be aware, there is an effort underway to establish a new newsgroup on the Usenet system: comp.virus. This group will have close ties to virus-l. The group will be moderated by Ken van Wyk. All traffic on virus-l will appear on comp.virus, and vice-versa. The most significant benefit of this will be the much larger base of informed computer users who can contribute to the group. Usenet propagates throughout the entire world, and has ties to many different networks.

As a supplement to the creation of comp.virus, I have been trying to coordinate the establishment of a number of anti-viral archive sites. We currently have commitments for archive sites for Amiga, AppleII, Atari ST and Mac computers. I'm still trying to find an IBM PC site.

Dave Ferbrache will be the European coordinator of comp.virus. He will handle issues of particular interest to European readers (conventions, archive sites, etc.).

New group creation procedures on Usenet require an initial call for discussion, followed by a two week discussion period. Then a call for votes is posted, and a four week voting period ensues. After this, the group is created if (1) at least 100 votes have been received and (2) if the number of YES votes exceeds the No votes by at least 100.

We are currently in the voting stage, which will end April 23. If you would like to cast a vote on this, send mail to

    jwright@atanasoff.cs.iastate.edu

To vote for the creation of comp.virus, include the word "YES" in the subject line or body of the message. To vote against the creation of comp.virus, include the word "NO".
Please, only vote if you actually receive Usenet and are a potential reader of comp.virus.

Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date: 29 March 1989, 09:42:55 EST
From: David M. Chess
Subject: Re: Israeli viruses (PC)

I have seen two "April 1st" viruses (they came to me from Israel; no telling where they started, of course!). One infects COM files and, if I'm reading it right, will display the message "YOU HAVE A VIRUS" any time any program is run in an infected system after April 1, 1988. So this one isn't likely to be around any more, if it ever was (because any infected system would be so obviously infected).

The other one infects EXE files. It will print a message ("APRIL 1ST HA HA HA YOU HAVE A VIRUS") and hang the machine on any April 1st in 1988 or after. On any Wednesday after 1988/3/1, it will install a timer hook which will hang the system later on. If the year is 1980 (not set), it will also install the hook. So infected systems will hang on Wednesdays; again, a very unsubtle virus!

I haven't heard any reports of either one recently, or outside of Israel. Of course, there may be other similar viruses around, and my notes above may not be at all true for them. If you get a virus that sounds like it might be one of them, have a guru rip it thoroughly apart, to make sure...

DC

------------------------------

Date: 29 March 1989, 11:20:55 EST
From: jln@acns.nwu.edu
Subject: Disinfectant (Mac)

Yes, Disinfectant is for real. I'm the author. I'm attaching a copy of the announcement I posted on the internet. The program is available via anonymous FTP from:

    sumex-aim.stanford.edu
    rascal.ics.utexas.edu

It's also available on CompuServe, Genie, BIX, MacNet, CI$, Delphi, and AppleLink.

----------

Announcement:

Disinfectant 1.0 is the first public release of a new program to detect and remove Macintosh viruses.

Features:

- Detects and repairs files infected by Scores, nVIR A, nVIR B, Hpat, AIDS, INIT 29, ANTI, and MacMag.
  These are all of the currently known Macintosh viruses.
- Scans volumes (entire disks) in either virus check mode or virus repair mode.
- Option to scan a single folder or a single file.
- Option to "automatically" scan a sequence of floppies.
- Option to scan all mounted volumes.
- Can scan both MFS and HFS volumes.
- Dynamic display of the current folder name, file name, and a thermometer indicating the progress of a scan.
- All scans can be canceled at any time.
- Scans produce detailed reports in a scrolling field. Reports can be saved as text files and printed with an editor or word processor.
- Carefully designed human interface that closely follows Apple's guidelines. All operations are initiated and controlled by 8 simple standard push buttons.
- Uses an advanced detection and repair algorithm that can handle partial infections, multiple infections, and other anomalies.
- Careful error checking. E.g., properly detects and reports damaged and busy files, out of memory conditions, disk full conditions on attempts to save files, insufficient privileges on server volumes, and so on.
- Works on any Mac with at least 512K of memory running System 3.2 or later.
- Can be used on single floppy drive Macs with no floppy shuffling.
- 8500 word online document describing Disinfectant, viruses in general, the Mac viruses in particular, recommendations for "safe" computing, Vaccine, and other virus fighting tools. The document can be saved as a text file and printed with an editor or word processor. We tried to include everything in the document that the average Mac user needs to know about viruses.

I wrote Disinfectant with the help of an international group of Mac virus experts, programmers and enthusiasts: Wade Blomgren, Chris Borton, Bob Hablutzel, Tim Krauskopf, Joel Levin, Robert Lentz, Bill Lipa, Albert Lunde, James Macak, Lance Nakata, Leonard Rosenthol, Art Schumer, Dan Schwendener, Stephan Somogyi, David Spector, and Werner Uhrig.
These people helped design and debug the program, edit the document, locate copies of the viruses for testing, and analyze the viruses. I wrote all the code, but I could not have written the program without their help.

Disinfectant is an example of a new kind of cooperative software development over the internet. It was developed over a period of three and one half months starting on December 1, 1988. During this period I sent out nine development releases and nine Beta releases to the working group, and we exchanged several hundred notes. The result is a program that is much better than any one of us could have produced individually.

We are offering this program free of charge as a public service. We hope that the Mac community finds it useful.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
AppleLink: a0173
CompuServe: 76666,573

------------------------------

End of VIRUS-L Digest
*********************