VIRUS-L Digest             Thursday, 13 Apr 1989        Volume 2 : Issue 88

Today's Topics:

General question....
Re: hard disk write protection
antiviral archives (Mac)
Re: nVIR Removal (Mac)
Mac software repository
Availability of FLU_SHOT+ on Simtel20.Army.Mil (PC)
Hard disk write protection
More on the Alameda Virus (PC)

---------------------------------------------------------------------------

Date: Wed, 12 Apr 1989 19:57 EST
From: Bruce Ide
Subject: General question....

If the virus needs to access the disk to spread, why not have the
computer manufacturers modify their HARDWARE slightly so that any disk
writes are questioned?  It would get irritating to users, true, but if
you don't specify save and a write occurs, I expect it would be
questioned and perhaps the user would even have enough sense to deny
access...  This idea as I have it now is very rough...  With some
polishing, it might be ok, but you've probably had ones like it before,
and I could probably read all about it if I felt like digging through
several years' worth of archives :)

------------------------------

Date: Wed, 12 Apr 89 23:06:56 EDT
From: vanembur@gauss.rutgers.edu (Bill Van Emburg)
Subject: Re: hard disk write protection

> If you do figure out how to do this, you could probably set up a
> toggle switch or key thing to allow you to write to your disk
> when it's switched one way and keep write protection on when it's
> switched the other.  If you want to keep users out, set it up with the
> key.  If it's to keep viri out, set it up with the switch.  It'll take

The problem with this idea is that many programs need to write
temporary files to disk.  Often, the user is completely unaware that
this is happening.  If you set a hardware write protect, you may find
that your favorite utility doesn't work.  While this *could* serve a
useful purpose in some settings, I don't feel that it could be a
widespread solution.
-Bill Van Emburg (vanembur@aramis.rutgers.edu)
{...}!rutgers!aramis.rutgers.edu!vanembur

------------------------------

Date: Wed, 12 Apr 89 23:13:28 CDT
From: "David Richardson, UT-Arlington"
Subject: antiviral archives (Mac)

In response to the question about antiviral archives,
SUMEX-AIM.STANFORD.EDU has a HUGE Mac archive, which is anonymously
ftp-able.  It has all the anti-viral software, including Disinfectant.

-David Richardson, The University of Texas at Arlington
Bitnet:   b645zax@utarlg
Internet: b645zax@utarlg.arl.utexas.edu
UUCP:     ...!{ames,sun,texbell, }!utarlg.arl.utexas.edu!b645zax
SPAN:     ...::UTSPAN::UTADNX::UTARLG::b645ZAX
US Mail:  PO Box 192053, Arlington, TX 76019-2053
PhoNet:   +1 817 273 3656 (FREE from Dallas, TX)

------------------------------

Date: Thu, 13 Apr 89 02:10 EDT
From: "Mark H. Anbinder"
Subject: Re: nVIR Removal (Mac)

The nVIR virus (all currently-known strains, including those with
different names) can be removed with the Disinfectant program, written
by John Norstad and assisted by a group of programmers who collaborated
via the Internet.  Disinfectant 1.0 is available from various servers,
or I could e-mail you a copy.  Disinfectant 1.1, which includes mostly
bug fixes, is expected to be released on Monday 17 April.  If you wish
to use it over a TOPS network, wait for 1.1.

Mark H. Anbinder
Department of Media Services
Cornell University

------------------------------

Date: Thu, 13 Apr 89 08:37:07 EST
From: Joe Simpson
Subject: Mac software repository

Joe McMahan maintains a superior repository of Mac software on LISTSERV
at SCFVM.  The repository includes:

  A Hypercard documentation stack
  VACCINE     a very nice protection cDev
  GATEKEEPER  another very nice protection cDev for programmers
  VirusRX     Apple's diagnostic
  Interferon  another very nice diagnostic.
------------------------------

Date: Thu, 13 Apr 89 07:53:08 MDT
From: Chris McDonald ASQNC-TWS-R 678-4176
Subject: Availability of FLU_SHOT+ on Simtel20.Army.Mil (PC)

FLU_SHOT+, Version 1.5, has been available on simtel20.army.mil for
over one month.  It can be found in the directory pd1:.  The copy posted
was obtained directly from the author, Ross Greenberg.

[Ed. Thanks for the speedy work!]

------------------------------

Date: Thu, 13 Apr 89 10:24:51 CDT
From: dennis@savant.BITNET
Subject: Hard disk write protection

>Could some hardware hacker upload instructions on disabling the write
>capability of an XT or AT style hard disk?

>[Ed. The problem with that is that the entire hard disk would be
>read-only (which could be useful for some applications).

>It'll take a bit of soldering, and a few thirty nine cent switches
>from radio shack.

Communications is obviously more difficult than just being able to send
messages!  I have developed a hardware write-protect switch as
mentioned.  I received a patent on it almost a year ago.  Let me make a
few points.

1. It is 100% effective against modification of protected files.
2. You DO NOT have to protect the entire hard disk.
3. It requires more than a $.39 switch, unless you don't mind cooking
   your disk electronics.
4. It has been available for over two years.
5. It CAN NOT be disabled by ANY software!

Dennis Director, dennis@math.nwu.edu

------------------------------

Date: Thu, 13-Apr-89 11:01:35 PDT
From: portal!cup.portal.com!Gary_F_Tom@Sun.COM
Subject: More on the Alameda Virus (PC)

In digest 2.74, Y. Radai brought up some inconsistencies he had found
between descriptions of the Yale virus and John McAfee's description of
the Alameda virus.
He asks:

> So Gary, since you obviously are able to contact McAfee, would you
> mind asking him (1) to clarify the inconsistency in the dates, (2) to
> give us all available details on the Alameda-Merritt virus, and (3) to
> provide all the evidence he has for concluding that Alameda = Yale.

Here is John's response:

> 04/04/89 00:25:26
> From: JOHN MCAFEE
>
> Gary, thanks again for serving as courier for these messages.  In response
> to the questions:  The Alameda was first discovered in Spring 1987 at
> Merritt College.  It popped up again at Alameda College, where it received
> large publicity, in February, 1988.  It is identical to a virus given to
> me by Loren Keim in October of 1988, and Loren called the virus the Yale
> virus - hence my certainty.  To remove any doubts, however, I am placing
> my disassembly of the Alameda virus in the MS-DOS SIG for you to forward
> along with my message.  If I have been incorrect in my analysis, then I
> apologize to the august body of East coast researchers.  I think, however,
> that the disassembly should match the Yale perfectly.  Thank you for your
> time.  (The disassembly is called - ALAMEDA.ASM).

The complete virus disassembly has been sent to Y. Radai via e-mail.
Here is the comment block from the front of John's disassembly:

; This virus is of the "FLOPPY ONLY" variety.
; It replicates to the boot sector of a floppy disk and when it gains control
; it will move itself to upper memory.  It redirects the keyboard
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time
; it will attempt to infect any floppy it finds in drive A:.
; It keeps the real boot sector at track 39, sector 8, head 0
; It does not map this sector bad in the FAT (unlike the Pakistani Brain)
; and should that area be used by a file, the virus
; will die.  It also contains no anti-detection mechanisms as does the
; BRAIN virus.  It apparently uses head 0, sector 8 and not head 1
; sector 9 because this is common to all floppy formats both single
; sided and double sided.  It does not contain any malevolent TROJAN
; HORSE code.  It does appear to contain a count of how many times it
; has infected other diskettes although this is harmless and the count
; is never accessed.
;
; Things to note about this virus:
; It can not only live through an ALT-CTRL-DEL reboot command, but this
; is its primary (only for that matter) means of reproduction to other
; floppy diskettes.  The only way to remove it from an infected system
; is to turn the machine off and reboot an uninfected copy of DOS.
; It is even resident when no floppy is booted but BASIC is loaded
; instead.  Then when ALT-CTRL-DEL is pressed from inside of BASIC,
; it activates and infects the floppy from which the user is
; attempting to boot.
;
; Also note that because of the POP CS command to pass control to
; itself in upper memory, this virus does not work on 80286
; machines (because this is not a valid 80286 instruction).
;
; The Norton utilities can be used to identify infected diskettes by
; looking at the boot sector and the DOS SYS utility can be used to
; remove it (unlike the Brain).

Gary Tom
Tandem Computers, Inc.
Cupertino, CA

------------------------------

End of VIRUS-L Digest
*********************
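The comment block in Gary Tom's message gives two concrete facts a practitioner can check against a diskette image: the virus keeps the real boot sector at track 39, head 0, sector 8, and, unlike Brain, it does not mark that sector bad in the FAT, so a file landing there kills it. The following is an added example written for this page; it is not part of the digest and not taken from John McAfee's ALAMEDA.ASM. It maps that track/head/sector onto a linear sector for the standard single- and double-sided PC floppy layouts, tests whether the stash location has the shape of a DOS boot sector (a JMP opcode at offset 0 and 55 AA at offset 510), and reads the FAT12 entry for the cluster holding it. The FORMATS layout table, the boot-sector shape heuristic, and the constructed sample images are assumptions made here, not details from the disassembly.

```python
"""Added example (not from the digest or from ALAMEDA.ASM): locate the sector
where the disassembly comments say the virus stashes the real boot sector
(track 39, head 0, sector 8) in a raw floppy image and report how the FAT
accounts for that sector.  Floppy layouts and the sample images are assumed
and constructed here."""

SECTOR = 512
STASH_CHS = (39, 0, 8)  # track, head, 1-based sector, as given in the comment block

# Standard DOS floppy layouts keyed by raw image size (assumed standard values):
# (heads, sectors/track, reserved sectors, FAT copies, sectors/FAT,
#  root directory entries, sectors/cluster)
FORMATS = {
    163840: (1, 8, 1, 2, 1, 64, 1),   # 160K, single-sided, 8 sectors/track
    184320: (1, 9, 1, 2, 2, 64, 1),   # 180K, single-sided, 9 sectors/track
    327680: (2, 8, 1, 2, 1, 112, 2),  # 320K, double-sided, 8 sectors/track
    368640: (2, 9, 1, 2, 2, 112, 2),  # 360K, double-sided, 9 sectors/track
}

BAD_CLUSTER = 0xFF7  # FAT12 marker Brain uses to fence off its hidden sectors


def chs_to_lba(track, head, sector, heads, spt):
    """Map a track/head/sector triple onto a linear sector number."""
    return (track * heads + head) * spt + (sector - 1)


def fat12_get(img, fat_base, cluster):
    """Read a 12-bit FAT entry; two entries share three bytes."""
    off = fat_base + cluster + cluster // 2
    word = img[off] | (img[off + 1] << 8)
    return word >> 4 if cluster & 1 else word & 0xFFF


def fat12_set(img, fat_base, cluster, value):
    """Write a 12-bit FAT entry without disturbing its neighbour."""
    off = fat_base + cluster + cluster // 2
    word = img[off] | (img[off + 1] << 8)
    if cluster & 1:
        word = (word & 0x000F) | (value << 4)
    else:
        word = (word & 0xF000) | (value & 0xFFF)
    img[off], img[off + 1] = word & 0xFF, word >> 8


def inspect_stash(img):
    """Report on the track-39/head-0/sector-8 location of a raw floppy image.

    The sector is only a candidate stashed boot sector when it has boot-sector
    shape (JMP opcode at 0, 55 AA at 510).  Since the virus is said not to mark
    it bad, the FAT state says whether the stash is unprotected (free),
    Brain-style protected (marked bad), or already reused by a file.
    """
    heads, spt, reserved, nfats, spf, root_entries, spc = FORMATS[len(img)]
    lba = chs_to_lba(*STASH_CHS, heads, spt)
    sec = img[lba * SECTOR:(lba + 1) * SECTOR]
    looks_like_boot = sec[0] in (0xEB, 0xE9) and sec[510:512] == b"\x55\xAA"

    root_sectors = (root_entries * 32 + SECTOR - 1) // SECTOR
    data_start = reserved + nfats * spf + root_sectors
    cluster = 2 + (lba - data_start) // spc
    entry = fat12_get(img, reserved * SECTOR, cluster)
    if entry == 0:
        state = "free"
    elif entry == BAD_CLUSTER:
        state = "marked bad"
    else:
        state = "allocated to a file"
    return {"stash_lba": lba, "looks_like_boot_sector": looks_like_boot,
            "cluster": cluster, "fat_entry": entry, "fat_state": state}


def build_sample_360k(mark_bad=False):
    """Construct a 360K image with a boot-sector-shaped block planted at the stash.

    mark_bad=True imitates the Brain-style FAT protection that the comment
    block says the Alameda virus does NOT apply.
    """
    img = bytearray(368640)
    fat_base = SECTOR                              # one reserved sector, then FAT #1
    img[fat_base:fat_base + 3] = b"\xFD\xFF\xFF"   # 360K media byte plus end marker
    lba = chs_to_lba(*STASH_CHS, 2, 9)
    img[lba * SECTOR] = 0xEB                       # short JMP, as a DOS boot sector starts
    img[lba * SECTOR + 510:lba * SECTOR + 512] = b"\x55\xAA"
    if mark_bad:
        fat12_set(img, fat_base, inspect_stash(bytes(img))["cluster"], BAD_CLUSTER)
    return bytes(img)


if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_stash(build_sample_360k(mark_bad=flag)))
```

On a 360K image the stash is linear sector 709 in cluster 350; on the 180K single-sided layout the same track/head/sector is linear sector 358, which is why the comment block notes that head 0, sector 8 exists on every format. A report of "free" matches the behaviour the disassembly describes; "marked bad" is the Brain pattern; "allocated to a file" is the situation in which the comments say the virus will die, and the sector content should then no longer be trusted as the original boot sector.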