VIRUS-L Digest Monday, 17 Apr 1989 Volume 2 : Issue 91 Today's Topics: Fred Cohen's papers... re: Yale virus = Alameda virus (PC) Disinfectant 1.1 (Mac) Re: More on Yale virus (PC) Information wanted on "Stoned" virus (PC) re: computers & media piece on virus-l --------------------------------------------------------------------------- Date: Sat, 15 Apr 89 13:00:35 EST From: (David M. Gursky) dmg@mwunix.mitre.org Subject: Fred Cohen's papers... The question came up recently about Fred Cohen's papers and how to obtain them. The address in Pittsburgh is correct (Fred Cohen, c/o P. O. Box 90069, Pittsburgh, Pennsulvania 15224). The cost (for those who have misplaced the message from December) is $20 for Fred's thesis, and $20 for the assorted articles. ------------------------------ Date: Sat, 15 Apr 89 15:44:28 EDT From: Naama Zahavi-Ely Subject: re: Yale virus = Alameda virus (PC) The "Yale" virus indeed does not work on 20286 machines, in the sense that if one tries booting a 20286 machine with an infected disk the machine will hang. In effect, the ONLY active part of the machine at that point is the virus -- if you then do Ctrl-Alt-Del with a non-write-protected disk in the A drive, that diskette will get infected. On a PC, if you boot from an infected disk, the virus is loaded into memory and will infect other disks upon soft-boot, but otherwise it is completely transparent and is not likely at all to be discovered. The only reason we caught it at Yale is that all our machines are 20286 machines, and we were suddenly faced with machines not booting properly. The person who we suspect brought the virus to Yale (unknowingly) insisted at the time that his disk, which was not working properly at our public facilities, was working perfectly at his home and elsewhere. He was using ordinary PCs at these places. I have also verified this effect myself using an authentic copy of the "Yale" virus. I personaly am convinced that the Yale virus is the same as the Alameda virus. Thanks, + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + | Naama Zahavi-Ely | | Project ELI E-MAIL ELINZE@YALEVM.BITNET | | Yale Computer Center | | 175 Whitney Ave | | New Haven, CT 06520 | | (203) 432-6600 ext. 341 | + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + ------------------------------ Date: Mon, 17 Apr 89 08:44:28 EDT From: jln@acns.nwu.edu Subject: Disinfectant 1.1 (Mac) Disinfectant Version 1.1 Announcement & Press Release. April 16, 1989. Disinfectant 1.1 is a new release of a program to detect and remove Macintosh viruses. Version 1.1 recognizes the new MEV# virus that was discovered in Belgium a few weeks ago. Version 1.1 also fixes a few bugs and adds several new features. For a detailed list of all the changes see the new section titled "Version History" in the online document. We recommend that all Disinfectant users obtain a copy of the new version. With version 1.1 we are also now distributing a formatted version of the document, with screen shots and other pictures, a table of contents, etc. See the online document for details on how to obtain a copy. Version 1.1 has been posted to CompuServe, AppleLink, comp.binaries.mac, and info-mac. It should be available from those sources soon, as well as from many other bulletin boards, commercial online services, user groups, and Internet archive sites. Features: - - Detects and repairs files infected by Scores, nVIR A, nVIR B, Hpat, AIDS, MEV#, INIT 29, ANTI, and MacMag. These are all of the currently known Macintosh viruses. - - Scans volumes (entire disks) in either virus check mode or virus repair mode. - - Option to scan a single folder or a single file. - - Option to "automatically" scan a sequence of floppies. - - Option to scan all mounted volumes. - - Can scan both MFS and HFS volumes. - - Dynamic display of the current folder name, file name, and a thermometer indicating the progress of a scan. - - All scans can be canceled at any time. - - Scans produce detailed reports in a scrolling field. Reports can be saved as text files and printed with an editor or word processor. - - Carefully designed human interface that closely follows Apple's guidelines. All operations are initiated and controlled by 8 simple standard push buttons. - - Uses an advanced detection and repair algorithm that can handle partial infections, multiple infections, and other anomalies. - - Careful error checking. E.g., properly detects and reports damaged and busy files, out of memory conditions, disk full conditions on attempts to save files, insufficient privileges on server volumes, and so on. - - Works on any Mac with at least 512K of memory running System 3.2 or later with HFS. - - Can be used on single floppy drive Macs with no floppy shuffling. - - 11,000 word online document describing Disinfectant, viruses in general, the Mac viruses in particular, recommendations for "safe" computing, Vaccine, and other virus fighting tools. We tried to include everything in the document that the average Mac user needs to know about viruses. I wrote Disinfectant with the help of an international group of Mac virus experts, programmers and enthusiasts: Wade Blomgren, Chris Borton, Bob Hablutzel, Tim Krauskopf, Joel Levin, Robert Lentz, Bill Lipa, Albert Lunde, James Macak, Lance Nakata, Leonard Rosenthol, Art Schumer, Dan Schwendener, Stephan Somogyi, David Spector, and Werner Uhrig. These people helped design and debug the program, edit the document, locate copies of the viruses for testing, and analyze the viruses. I wrote all the code, but I could not have written the program without their help. Disinfectant is an example of a new kind of cooperative software development over the internet. It was developed over a period of three and one half months starting on December 1, 1988. During this period I sent out nine development releases and nine Beta releases to the working group, and we exchanged several hundred notes. The result is a program that is much better than any one of us could have produced individually. We are offering this program free of charge as a public service. We hope that the Mac community finds it useful. John Norstad Academic Computing and Network Services Northwestern University Bitnet: jln@nuacc Internet: jln@acns.nwu.edu AppleLink: a0173 CompuServe: 76666,573 ------------------------------ Date: 17 April 1989, 09:22:27 EDT From: David M. Chess Subject: Re: More on Yale virus (PC) The Yale virus (at least the one I have!) does contain a "POP CS". Mr. McAfee is oversimplifying slightly again; "POP CS" is a perfectly valid instruction on '286 machines in real mode (which is how DOS runs). It's just not a valid instruction in protect mode (which is how OS/2 runs, for instance). I'm not quite clear on when in the boot cycle an OS/2 machine enters protect mode; in any case, the virus does contain "POP CS", but that's consistent with your having seen it on ATs. DC ------------------------------ Date: Mon, 17 Apr 89 13:35 EDT From: SHERIFF@UNCG.BITNET Subject: Information wanted on "Stoned" virus (PC) Has anyone encountered a virus that writes the message "Your PC is now Stoned! LEGALISE MARIJUANA!" in the boot sector of an infected floppy? Any information would be appreciated. Tom Sheriff Microcomputer Support Group University of North Carolina at Greensboro SHERIFF@UNCG.BITNET ------------------------------ Date: Mon, 17 Apr 89 15:15:16 EST From: Neil Goldman Subject: re: computers & media piece on virus-l Dear Dimitri, Hi. I just read your posting. It is very insightful and interesting. It is unfortunate that there is no practical way for those of us who 'understand' the issues to serve as editors-in-chiefs for all publications of this type. This serves as another facet of problems with the media. Presumably, the author of the article has some expertise. But even if he doesn't, the reader will still place (undue) reliance upon his statements. For some problems, unfortunately, there is no easy solution. - - Neil *************************************************************** *Neil A. Goldman NG44SPEL@MIAMIU.BITNET* * * * Replies, Concerns, Disagreements, and Flames expected * * Mastercard, Visa, and American Express not accepted * *************************************************************** Acknowledge-To: ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253