VIRUS-L Digest              Friday, 31 Mar 1989         Volume 2 : Issue 78

Today's Topics:

Disinfectant 1.0 (Mac, was Re: Disinfect 1.0)
4PLAY EXEC (IBM VM/CMS Trojan horse)
Macintosh Virus AIDS nVIR

---------------------------------------------------------------------------

Date: 29 Mar 89 12:12 +0200
From: Danny Schwendener
Subject: Disinfectant 1.0 (Mac, was Re: Disinfect 1.0)

>A colleague just showed me a program, called Disinfect (version 1.0)
>that was announced in INFO-MAC. It claims to do quite a bit,
>including detect most major Mac viruses (Scores, ANTI, AIDS, Init 29,
>MacMag, etc.), and it is even supposed to be able to remove most
>(all?) of the above.

>Anyone Mac people out there have any more info on this?

Disinfectant detects and removes all the currently known code-based
viruses (there are script-based viruses, like the Hypercard Dukakis
virus, which won't be touched by this program). It also removes
multiple infections, which is an innovation in the virus fighting
world. The user interface is simple, the on-line documentation
extensive and accurate. And, furthermore, it is free. Its author is
John Norstad (jln@nuacc.bitnet).

It has a minor problem in conjunction with servers: moving or deleting
files on the server while Disinfectant is browsing through the
directories may cause the program to skip some files. This problem is
common to most disk browsers. Nevertheless, the author is working on
the problem. The current solution to the problem is to disconnect or
write-protect the server for other users while Disinfectant is
running.

The current version is configured for following viruses: MacMag (aka
Peace, Drew, FreeHand, etc.), Scores, nVIR A and B as well as its two
name mutations Hpat and AIDS, INIT29 and ANTI. If you have the founded
impression that a virus is missing in the list, drop me or John a
mail.

The 'Sneak' virus has only been rumored. No one who claimed having
seen it has been able to found his claims.

- -- Danny
+-----------------------------------------------------------------------+
| Mail    : Danny Schwendener, ETH Macintosh Support                    |
|           Swiss Federal Institute of Technology, CH-8092 Zuerich      |
| Bitnet  : macman@czheth5a      UUCP  : {cernvax,mcvax}ethz!macman     |
| Internet: macman@ifi.ethz.ch   Voice : yodel three times              |
+-----------------------------------------------------------------------+

------------------------------

Date: 30 March 1989 16:01:47 CST
From: Mark S. Zinzow
Subject: 4PLAY EXEC (IBM VM/CMS Trojan horse)

Another Trojan EXEC!

Original-Date: Thu, 30 Mar 89 10:37:50 EST
Original-Sender: BITNIC TECHREP List
Original-Subject: Security situation on network

IMPROPER EXEC with UNETHICAL Embedded CODE
Causes Possible SECURITY Situation on Network

An EXEC that contains questionable code has been discovered on the
network--the EXEC is a sexually oriented game called "4PLAY" which
apparently has existed for 18 months. Embedded within the code are
commands that record all console activity which is then collected and
sent to a specific network userid. This is done without the knowledge
or consent of the person activating this code (that is, playing the
game). This presents an obvious intrusion of privacy and also a
"security hole".

The security problem arises in that the EXEC does not close the
CONSOLE. (If it did, the user would receive a message allowing her or
him to detect the recording of information entered.) The result is
that console activity continues to be recorded after the completion of
the game and UNTIL the user actually LOGs off the account.
Consequently, the unsuspecting user may be transmitting other data as
well, that is, any confidential data that the console processes in
line mode will be recorded, possibly compromising security: passwords
could be transmitted. When the user signs off the userid accessing
this EXEC, the capturing of all console activity ceases.

THE USE OF COMPUTER NETWORKS TO OBTAIN INFORMATION WITHOUT THE PRIOR
KNOWLEDGE AND CONSENT OF THE USER IS UNETHICAL. THE USE OF BITNET FOR
TRANSMITTING SUCH GAMES AS THIS IS NOT WITHIN BITNET's MISSION TO
ENHANCE EDUCATION AND RESEARCH.

If you are aware that this software exists on your system, the BITNIC
encourages you to contact the persons responsible for your system and
alert them to the situation and the need for removal of this software.

The following action to curtail such activity, taken by the node that
identified the problem, may be helpful to you in guarding against such
network misuse:

Immediately--remove the offending software and warn users.
Long term----use a security system (if you have one) to permit only
             authorized id's to send spool data or files beyond your
             node.

------------------------------

Date: Fri, 31 Mar 89 13:40:46 MET+0100
Sender: Virus Alert List
From: ACMJOJO@HUTRUU0.BITNET
Subject: Macintosh Virus AIDS nVIR

AIDS Warning

Macintosh Virus. AIDS spreads using applications and system.
nVIR clone !!!!!

I do not know if someone reported this virus already.
Someone changed all ASCII strings 'nVIR' to 'AIDS'.
So the AIDS virus is nVIR.

Fast way to get rid of the virus is the following.

Get a copy of ANTIPAN, and a file editor, SUM, MacTools or FEdit,
change all nVIR strings in ANTIPAN to AIDS, and your problem is
solved.

If the resource 'CODE' id 0 is locked or protected, the ANTIPAN
program does not remove the virus. Unlock or unprotect the resource
using ResEdit.

Jo van Bilsen
ACCU Utrecht
Nederland (Holland)
ACMJOJO@HUTRUU0

------------------------------

End of VIRUS-L Digest
*********************
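
Added example, not part of the digest and not code from Disinfectant or ANTIPAN: a resource-fork type-list reader that shows why a scanner keyed only to 'nVIR' misses the renamed clone until 'AIDS' (and 'Hpat') are added to its signature list. It assumes the renamed strings are the virus's four-character resource types; `resource_types`, `suspicious` and `build_sample_fork` are hypothetical names, and the sample fork is constructed.

```python
import struct

# Names listed in the digest: nVIR and its name mutations Hpat and AIDS.
KNOWN_TYPES = {b"nVIR", b"Hpat", b"AIDS"}

def resource_types(fork: bytes) -> dict:
    """Return {resource type: count} from a classic Mac OS resource fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    _data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map lies outside the fork")
    # Map layout: 16-byte header copy, 4-byte handle, 2-byte file ref,
    # 2-byte attributes, then offsets to the type list and the name list.
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    base = map_off + type_list_off
    if base + 2 > len(fork):
        raise ValueError("type list lies outside the fork")
    (count_minus_1,) = struct.unpack_from(">H", fork, base)
    count = (count_minus_1 + 1) & 0xFFFF  # 0xFFFF on disk means no types
    types = {}
    for i in range(count):
        entry = base + 2 + 8 * i
        if entry + 8 > len(fork):
            raise ValueError("truncated type list")
        rtype, num_minus_1, _ref_off = struct.unpack_from(">4sHH", fork, entry)
        types[rtype] = num_minus_1 + 1
    return types

def suspicious(fork: bytes, signatures=KNOWN_TYPES) -> list:
    """Resource types in the fork that match the signature list."""
    return sorted(t.decode("ascii") for t in resource_types(fork) if t in signatures)

def build_sample_fork(type_counts) -> bytes:
    """Constructed input: header plus a map that holds only a type list."""
    tlist = struct.pack(">H", (len(type_counts) - 1) & 0xFFFF)
    for rtype, n in type_counts:
        tlist += struct.pack(">4sHH", rtype, n - 1, 0)
    map_len = 28 + len(tlist)
    header = struct.pack(">4I", 16, 16, 0, map_len)
    return header + header + b"\0" * 8 + struct.pack(">2H", 28, map_len) + tlist

if __name__ == "__main__":
    sample = build_sample_fork([(b"CODE", 3), (b"AIDS", 8)])  # constructed
    print("nVIR-only list:", suspicious(sample, {b"nVIR"}))
    print("with mutations:", suspicious(sample))
```

Matching on a fixed name is only as good as the list behind it; each rename needs a new entry, which is the manual ANTIPAN edit described in the last message.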