VIRUS-L Digest   Tuesday, 12 Jun 1990    Volume 3 : Issue 112

Today's Topics:

George of the Jungle virus????? (Mac)
More George of the Jungle... (Mac)
Flushot version? (PC)
SNEAK - a virus? (Mac)
Re: Creation of New Viruses to Sell Product
Re: Documented mainframe viral attacks
What's the best pc clone virus protection pgm? (PC)
The "Tiny" virus (PC)
Hardware security
- Virus's and Solutions
Inbound File Filters (IBM Mainframes)
NETSC63B.ZIP in Simtel Archives (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    11 Jun 90 14:54:01 +0000
From:    hemstree@handel.CS.Colostate.Edu (charles he hemstreet)
Subject: George of the Jungle virus????? (Mac)

I work at a computer lab here on campus, and we had someone come in
and ask about this.. I may not have this totally correct...

WHAT IT DOES.....

1. It's a file in the system folder...
2. If you open it (it says it's a word perfect document) it causes
   the system to crash and gives message that says it can't open it,
   and that it needs wordperfect to open it. (Opposite order listed)
3. Comes and goes, not consistent. First noticed it on Friday the 8th.
4. Not associated with anything purchased.
5. Seems to have quite a bit of activity.
6. Virus protection and disinfectant schemes don't seem to care that
   it's around.

I know this is vague.
Please help me ask the person the correct questions so I can help you
out more. Is there any kind of standardized virus report form?

Thanks for your help. We are currently trying to obtain a copy of
this thing. Still not sure if it's a virus or not.

Thanks for your help...

Chip

!===========================================================================!
! Charles H. Hemstreet IV       !internet: hemstree@handel.cs.Colostate.Edu !
! Colorado State University     ! "stay out of trouble!" -RoboCop           !
!===========================================================================!

------------------------------

Date:    11 Jun 90 15:07:29 +0000
From:    hemstree@handel.CS.Colostate.Edu (charles he hemstreet)
Subject: More George of the Jungle... (Mac)

Well, I'm not sure what I've got here, but may not be as serious as I
thought. We have got a copy here at the lab. It has the WordPerfect
feather on a trashcan Icon. I opened it on an isolated SE by
double-clicking on the trash/feather icon. WordPerfect complains that
it can't open this kind of document. On the isolated SE, WordPerfect
goes ahead and opens an untitled document.

Is this a standard WordPerfect Icon? The person found this document
in his system folder. I have a copy on floppy if anyone would care to
look at it.

Chip

!===========================================================================!
! Charles H. Hemstreet IV       !internet: hemstree@handel.cs.Colostate.Edu !
! Colorado State University     ! "stay out of trouble!" -RoboCop           !
!===========================================================================!

------------------------------

Date:    Mon, 11 Jun 90 08:26:50 -0700
From:    Robert Slade
Subject: Flushot version? (PC)

I have seen a copy of FSP_17.ARC on wuarchive.wustl.edu. The latest
version I was aware of was 1.6. Ross having not been terribly active
on the list lately, does anyone know if this is legit?

------------------------------

Date:    Mon, 11 Jun 90 17:14:45 +0000
From:    mrys@ethz.UUCP, mrys@ethz.UUCP (Michael Rys)
Subject: SNEAK - a virus? (Mac)

Configuration: Mac II and Mac IIcx connected over TOPS.

There were some problems with printing, saving, opening files etc.
Using Disinfectant 1.8 did not find any viri. Interferon 3.1 reported
a SNEAK virus. Some time ago, somebody said this is not a virus. What
is it then?!!!

Any help appreciated.../Michael

+---------------------------------------------------------------+
| Michael Rys, V. Conzett Str. 34; CH-8004 Zuerich; Switzerland |
+---------------------------------------------------------------+
| UUCP:  mrys@ethz.UUCP or       EAN:     mrys@ifi.ethz.ch      |
|        mrys@bernina.UUCP       IPSANet: mrys@ipsaint          |
| Voice: +41 1 242 35 87                                        |
+---------------------------------------------------------------+
--
Whereof one cannot speak, thereof one must be silent.
-- Ludwig Wittgenstein, Tractatus logico-philosophicus

------------------------------

Date:    11 Jun 90 19:45:54 +0000
From:    mike@client2.DRETOR (Mike Cummings )
Subject: Re: Creation of New Viruses to Sell Product

WHMurray@DOCKMASTER.NCSC.MIL writes:
>>This leaves a greater potential for companies to profit from the
>>creation of new viruses.
>
>New viruses do not sell product. Old viruses sell product. There
>are not enough copies of a new virus to be noticed.

This is true in the short term, but every virus has to start small,
even the biggest and most prolific. A company looking far to its
future - ie. a couple of years, might stand to benefit from such a
policy. I'd hate to think that it would happen though - it's pretty
morally reprehensible. It's like a drug company developing and
releasing new diseases, just to keep up the demand for new medicines.

On the other hand, I don't think that it is too likely. There are two
reasons for this:

(i) the dangers for the company are too great.
If any news of such activity was leaked or discovered, it would be
curtains in a big way. Such security compromises are just too likely
for the company to risk it.

(ii) more importantly perhaps, is that companies distributing virus
scanners are unlikely to need to resort to such tactics. We don't
seem to have any lack of new viruses out there. Hackers seem only too
ready to write, and worse yet, distribute viruses. Until we educate
such criminals in responsible use of computers, virus scanners will
be a healthy business.

------->>>>>>>>>>>>> mike%zorac@dretor.dciem.dnd.ca

------------------------------

Date:    Tue, 12 Jun 90 02:16:17 +0000
From:    peter@ficc.ferranti.com (Peter da Silva)
Subject: Re: Documented mainframe viral attacks

[ Supposed mainframe virus attacks ]

> The ones that come to my mind (and I believe all have been reported
> here) are the XMAS, BUL, 4PLAY, and HEADACHE execs on VM/CMS and the
> RTM worm and WANK worm on Unix.

I don't know about the others, but the XMAS was a trojan horse worm,
RTM was a directly attacking worm, and the WANK worm was on VAX/VMS,
not UNIX. All of these, I believe, used network utilities and mail
programs to infect hosts.

--
`-_-' Peter da Silva. +1 713 274 5180.
 'U`  Have you hugged your wolf today?
@FIN  Dirty words: Zhghnyyl erphefvir vayvar shapgvbaf.

------------------------------

Date:    11 Jun 90 22:48:00 -0500
From:    "55SRWLGS" <55srwlgs@sacemnet.af.mil>
Subject: What's the best pc clone virus protection pgm? (PC)

Like to get some opinions on this one. If you could only get one
program for your pc/pc-xt/pc-at or clone, what would it be? This is
dicey, I know, what with viruses constantly evolving. Recently a lot
of folks have been leaning towards McAfee's SCAN program. Then there
was one by a fellow, whose name escapes me right now. He was offering
a reward of a cache of free software to whomever turned in a virus
programmer, and helped get him/her arrested and convicted.
Anyway, appreciate a lot of opinions, and experiences, good or bad. I
think we may be getting up a site license deal, and so I need some
help towards getting the best for the buck.

Frank Starr
Omaha, Nebraska
(55srwlgs@saacemnet.af.mil>"

------------------------------

Date:    Tue, 12 Jun 90 09:54:01 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: The "Tiny" virus (PC)

Among the 10 (or so) new PC viruses which have appeared this month is
one which is by far the smallest one known - only 163 bytes.

It is very primitive - does not restore the original date/time of
infected files for example. In fact, it does nothing but replicate.

The virus infects only .COM files, by adding itself to the end and
placing a 3-byte JMP at the beginning.

When an infected program is run, the virus will search the current
directory for a program to infect.

"Tiny" seems to be based on the Kennedy virus, and was sent to me
from Denmark by the same person who sent me a sample of Kennedy.

-frisk

------------------------------

Date:    11 Jun 90 15:01:33 +0000
From:
Subject: Hardware security

I have had a quote attributed to me that was not mine. I would
appreciate it greatly if people would get their facts straight before
posting messages. And don't whine about your Mail program not working
right. If it doesn't work, trash it!

The quote that was attributed to me was actually posted by Mike
Cummings. The person who falsely paired me to this quote was Valdis
Kletnieks.

Now to reply to Valdis:

I agree with Mike! This is a stupid thing to do! What is the point of
having hardware protection if it is so easy to defeat! Perhaps you
are not familiar with the PS/2s. Some of them can have the case
removed in under 15 seconds, and the wire could be swapped in another
3. Close the case in another 15. Copy a diskette in one minute. Power
the machine off. There!!!
In less than two minutes in your office, I can steal confidential
files off your hard drive that you THOUGHT were protected by hardware
protection. I can do that during the day while you walk to the coffee
pot and back.

If however, I had to disable your machine for two hours to eliminate
your password, it would be MUCH more obvious that something was
happening. Or do you lock your door every time you leave your office?

Later
THE GAR

------------------------------

Date:    12 Jun 90 09:30:34 +0700
From:
Subject: - Virus's and Solutions

I have 2 questions about viruses please can somebody answer??

q1. There is a virus which reduces speed of booting plus reduces
    capacity of drive i.e you can't read high density diskette drive
    on it will be only 360k. What is the virus name and what is the
    solution???

q2. Virus lives in memory when you put system off you can't get rid
    of it, it will go to clock ROM chip!! Is there any solution other
    than disconnecting battery??

Thanks in advance

Azim Syed
Systems Programmer
Riyadh
Saudi Arabia

------------------------------

Date:    Mon, 11 Jun 90 17:50:24 -0400
From:    "David F. Lambert"
Subject: Inbound File Filters (IBM Mainframes)

>Date: Fri, 08 Jun 90 17:52:36 -0400
>From: Arthur Gutowski
>Subject: RE: Documented mainframe viral attacks
>
>spoelhof@newkodak.kodak.com (Gordon Spoelhof) asks:
>.
>.
>>5. What preventative measures are taken?
>
>One, never trust unexpected files from unknown sources. Even though it may
>not be a virus or worm as such, it has the potential of being a Trojan.
>Two, monitor Virus-L/Valert-L for warnings of new/recurring problems.
>Three, make sure your operations and tech support staff monitor things
>like (on VM) spool space filling up with a certain filename, perhaps even
>setting up filters in RSCS to reject all such files (when a confirmed report
>is received). News facilities to spread the word to users to be on the
>lookout for such a file also help.
>These are things that we've done to keep attacks to a minimum.

I just saw an IBM announcement a week or two ago which mentioned free
security enhancements for RSCS. Several of these features looked
pretty useless, except for one which provides the file filter
mentioned above. That seems like a useful hunk of code to help nip
things quickly.

-Dave

------------------------------

Date:    Mon, 11 Jun 90 22:53:00 -0400
From:
Subject: NETSC63B.ZIP in Simtel Archives (PC)

Maybe I missed the little write up on Virus-L about the new Netscan
but why the new version? I looked in the documentation and it doesn't
say anything about the "B" version. Maybe the moderator can quickly
clear this up for me?

Thanks.

Santo Nucifora (SANTO@SENCA.BITNET)

P.S. Just being a little cautious :-)

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 112]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
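
Added example, not part of the original digest or of any poster's message: the structure described in the "Tiny" virus post above (body appended to the end of a .COM file, 3-byte JMP placed at the beginning) can be checked for by decoding the leading JMP and measuring how close to end-of-file it lands. The function names, the 512-byte `max_tail` cut-off and the sample images are assumptions constructed for illustration.

```python
import struct

COM_LOAD_OFFSET = 0x100  # DOS loads a .COM image at offset 100h of its segment
JMP_NEAR = 0xE9          # opcode of the 3-byte "JMP rel16" instruction
TINY_LENGTH = 163        # body size given in the post


def entry_jump_target(image: bytes):
    """File offset the leading JMP lands on, or None when the file does not
    start with a 3-byte near JMP or the jump leaves the file."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    (rel16,) = struct.unpack_from("<H", image, 1)
    # rel16 is relative to the next instruction (file offset 3); IP wraps at 64 KiB.
    ip = (COM_LOAD_OFFSET + 3 + rel16) & 0xFFFF
    target = ip - COM_LOAD_OFFSET
    return target if 0 <= target < len(image) else None


def classify_com(image: bytes, max_tail: int = 512) -> str:
    """Triage a .COM image by how far from end-of-file its entry JMP lands.
    max_tail is an assumed cut-off for "lands in a short appended tail"."""
    target = entry_jump_target(image)
    if target is None:
        return "no-jump-into-file"
    tail = len(image) - target
    if tail == TINY_LENGTH:
        return "tail-is-163-bytes"
    return "jump-into-tail" if tail <= max_tail else "jump-elsewhere"


def make_sample(host_len: int, tail_len: int) -> bytes:
    """Constructed image: entry JMP, filler host, filler tail. The filler is
    NOP / INT 20h / zero padding, not code taken from any virus."""
    rel16 = host_len - 3  # jump target is file offset host_len
    host = b"\x90" * (host_len - 3)
    tail = b"\xCD\x20" + b"\x00" * (tail_len - 2)
    return bytes([JMP_NEAR]) + struct.pack("<H", rel16) + host + tail


if __name__ == "__main__":
    samples = {
        "constructed, 163-byte tail": make_sample(2000, 163),
        "constructed, 300-byte tail": make_sample(2000, 300),
        "constructed, JMP over data": make_sample(40, 4000),
        "constructed, no leading JMP": b"\xB4\x09\xCD\x21\xCD\x20",
    }
    for name, image in samples.items():
        print(f"{name:30} {classify_com(image)}")
```

Many legitimate .COM programs also begin with a JMP, so a hit here is a reason to compare the file against a known-good copy, not a verdict; the 163-byte match is a size check only, not a signature.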