VIRUS-L Digest Friday, 16 Mar 1990 Volume 3 : Issue 59 Today's Topics: SCANRES and TOPS (PC) Re: New Trojan Horse ??? (Mac) Re: virus symptoms (Amiga) Serching for Information on Unix-virus vtrack-l RE: VIRUS DETECTION SOFTWARE Virus-L Index of V3 #1 to #57 (Misc & general) Re: Scanning MAC diskettes on a PC Policies and Strategies for Viruses PCDATA anti-virus toolkit - FREE (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- From: Chuck Hellier Subject: SCANRES and TOPS (PC) Greetings, Is anyone using SCANRES with PC TOPS v. 2.1? I am a network systems analyst for the University of Southern California. We have a large variety of MicroComputer networks on campus (Novell and AppleTalk, to name a few). TOPS is not very prevalent. The problem: whenever SCANRES is loaded before TOPS, something happens to the DOS file control system. After the TOPS kernel has loaded and resources have been published, files will not open normally: 1) WordPerfect complains about "insufficient FILES=" in config.sys 2) EDLIN complains that there are too many files open and 3) "TYPE [filename]" returns file not found! I can see [filename] in the directory! This is the configuration of the machine: HARDWARE : PC Clone, Turbo; 640K RAM ; TOPS Flashcard OS : MS DOS 3.21 CONFIG.SYS : FILES=20 BUFFERS=8 AUTOEXEC.BAT : SCANRES ECHO OFF PROMPT $P$G PATH=C:\;C:\TOPS ATALK.EXE PSTACK.EXE TOPSTALK.EXE TOPSKRNL.EXE TOPS.EXE /q STATION elizabeth TOPS.EXE /q PUBLISH C:\ as driveC /RW When SCANRES is moved to the end of AUTOEXEC.BAT, everything works fine- WP launches OK, EDLIN works OK, and TYPE [filename] does what it's supposed to. However, this is only a trivial solution to the problem (if someone boots that machine with infected diskette, which infects ATALK or TOPSTALK or TOPS {but not the system files :-)}, and then reboots from C:, the solution fails). Notes: I have not yet tried moving SCANRES down AUTOEXEC.BAT line by line to find the culprit (not enough time and it still would be a trivial solution). I have tried all versions of SCANRES (v.39 - v.59) with the same results. Does anyone know why loading SCANRES before TOPS would cause this problem? Does anyone use SCANRES and TOPS? Can anyone from Sun (TOPS) or McAfee shed some light? Note: I have not seen this problem occur in any environment other than TOPS - DOS, Novell, D-Link, LANSmart, PC-NFS, AppleShare PC, 3Com. - -- Chuck Hellier (hellier@skat.usc.edu) For you are young and life PC Systems Programmer is long and there i \cs time University of Southern California to kill today. ------------------------------ Date: 16 Mar 90 07:11:27 +0000 From: milano!werner@cs.utexas.edu (Werner Uhrig) Subject: Re: New Trojan Horse ??? (Mac) [Michael Hope asks about the recent trojans] I spoke just tonight with one of the persons involved in catching and reporting the trojans (there were 3 total reported so far, each nastier than the previous) - and whereas you may be able to recover some files with one or the other recovery program, you cannot count on that in all cases. no spreading of the trojans outside of the Canadian city has been reported yet (other than to the anti-viral software developers group of which I am member) and all kind of Canadian and US-police is trying to track down the perpetrators and a price has been put out on their scalp(s) ...(yep, folks, you can have my oldest son - or $10) I know only of one case where actual damage was done to a system (and that was carelesness or even stupidity, actually, after having been warned that the program was a trojan) if anyone knows of other sightings or other damage, please let me know. ---Werner - --------------------------> please send REPLIES to <------------------------ INTERNET: werner@cs.utexas.edu or: werner@rascal.ics.utexas.edu (Internet # 128.83.144.1) UUCP: ...!cs.utexas.edu!werner ------------------------------ Date: Thu, 15 Mar 90 16:14:57 +0000 From: spenser@ficc.uu.net (Spenser Aden) Subject: Re: virus symptoms (Amiga) SYKLB@NASAGISS.BITNET (Ken Bell) writes: >> I have a game called Hybris. After playing this for a while, the >> screen will "fuzz", what I mean is that the graphics seem to get >> confused and all I see is one big blur on the screen. I have >> tried this with two independent disks of the game (ie: I borrowed >> them from two different people). This may or may not have anything >> to do with the blanking. Are you running an A1000 with 256K RAM? The symptoms you're describing sound a lot like what happens when code was written under the assumption that the machine would have 512K of chip RAM, and when it tries to use memory that it doesn't have, the screen "freaks out", and the graphics are sometimes sort-of distinguishable, but only because you know what it should look like. This may not be a virus. Try the same software on an A500 or A2000 (but cold-boot the machine, and don't put any other disks in, and power-down afterward ... just in case! Try to avoid testing on a system with a hard drive attached.) - -Spenser - -- S. Spenser Aden (713) 274-5000 | Ferranti International Controls | spenser@ficc.uu.net | "And you were just ... a face in the crowd." Only my opinions, not Ferranti's.| -Tom Petty ------------------------------ Date: Fri, 16 Mar 90 10:21:36 -0500 From: RZ1S@DLRVMGO.BITNET (Christian Lohmann) Subject: Serching for Information on Unix-virus Hi- I'm new on this list. Has anyone some informations about Unix-virus (Sun). I know that there are all the old logs of this list, but that's too much to get this files by net. Thanx -Christian ------------------------------ Date: Tue, 13 Mar 90 16:09:53 -0500 From: woodb!scsmo1!don%cs.UMD.EDU@IBM1.CC.Lehigh.Edu Subject: vtrack-l I would be interested in a list for reporting known locations of virii and a small database for tracking them. I would like to see an entry like: VIRUS:20tricks LOCATION:University of DOOM CITY:Blousville STATE/COUNTRY:new africa LONGITUDE:xxx LATITUDE:xxx DATE: 10/25/90 - -- DON INGLI-United States Department of Agriculture - Soil Conservation Service INTERNET: scsmo1!don@uunet.uu.net PHONEnet: 314!875!5344 UUCP(short): uunet!scsmo1!don UUCP(long): uunet!mimsy!woodb!scsmo1!don These are my opinions. I represent myself. Who do you think you are, Bjorn Nitmo? David Letterman '90 Catch Phrase ------------------------------ Date: Thu, 15 Mar 90 21:15:00 -0800 From: jmolini@nasamail.nasa.gov (JAMES E. MOLINI) Subject: RE: VIRUS DETECTION SOFTWARE Another unnamed user (HBLADM1@UCONNVM.BITNET) writes: > We need advise please. > We have about 70 DOS machines here, some controlled by individuals, > some shared by several staff, and some available to the public. > We would like to have a virus detection capability-- a program > which would be housed in our micro support unit and only used > as part of trouble-shooting. > We would like to use SCAN, but the cost for one copy is the same > as the cost for 70 in our institutional setting ($1475). > Questions: 1. is the above a reasonable approach > 2. what software would VIRUS-L readers suggest You bring up an interesting point. How does someone do virus detection on a shoestring without violating copyrights, or shareware agreements? There happens to be an excellent little public domain program written by Len Levine called FILETEST that performs CRC's on files in your system. I believe that FILETEST, or some similar public domain program is an excellent product to put on all the PC's in the lab. It will (in most cases) DETECT an infection. But then you will need something like VIRUSCAN to IDENTIFY what that potential infection is. Nevertheless, you have reduced the investment you need to make in the identification utility since you only need it when something is flagged by the public domain program on one of the machines. This, however, assumes that you have fairly static executable configurations (no major code development, etc.) on the machines you are supporting. I will discuss this approach in greater detail if there is interest on the board. Jim Molini ------------------------------ Date: Fri, 16 Mar 90 08:23:20 +0000 From: Anthony Appleyard Subject: Virus-L Index of V3 #1 to #57 (Misc & general) SUBJECT ISSUE Latest copy 5 Introduction to anti-viral archives 28 Latest copy (January 31, 1990) 28 Virus Catalog February 1990 Edition 51 Dr. Brunnstein's [Virus catalog updated] 52 anti-viral archive sites for various computers whole of 53 [Ed. As with the other two (PC and Mac) index files, the remainder of this one is available via anonymous FTP from cert.sei.cmu.edu.] ------------------------------ Date: 16 Mar 90 12:25:16 +0000 From: woody@chinacat.Lonestar.ORG (Woody Baker @ Eagle Signal) Subject: Re: Scanning MAC diskettes on a PC SPBK09@SDNET.BITNET (Brian Piersel) writes: > On Tue, 06 Mar 90 01:12:47 -0500 Howard Haruo Fukuda said: > >MAINT@UQAM.BITNET (Peter Jones) writes: > >I don't think a PC equiped with a 3.5" drive can read a Mac formatted > >disk. A Mac formats the disk to 800K by using a variable speed > >controller which puts more data on the outer rings of the disk than on > >the inner ones. I'm not sure if it's possible to override the ROM on a > I've tried to read an 800K CP/M disk (formatted on a C-128) on a PC, > and the hardware just isn't capable of doing that. In this case, the > disks have 10 sectors/track, and PC drives can't read more than 9. In > the case of the Mac, with variable speed drives, that sure wouldn't > work without hardware modifications. No way to change drive speed > through software. The other problem, is that the 800K CPM disk is encoded with GRC or something similar rather than MFM, in it's native mode. I understand that the CPM disk is MFM, but I have to experience. There is a company, in DeKalb Ill, that produces a product called UNIFORM. Uniform can read and write nearly 200 cpm format disks on a PC. It alters drive tables,and installes a virtual drive that can access the cpm disk. >From that point on, it looks like an msdos disk, you can open files, create files etc etc on the CPM floppy, and it can be read on a CPM machine afterwards With the Compaticard II, you can handle any mix of 5 1/4 3 1/2 and 8 1/2 floppies. They also have a neat product called matchmaker that allows the free reading and writing of Mac disks, andallows full access to them. The actual name of the company escapes me at the moment, but it is something like Microware .... Cheers Woody ------------------------------ Date: 16 Mar 90 05:06:09 +0000 From: jay@axiom.maths.uq.OZ.AU (Joseph Young) Subject: Policies and Strategies for Viruses Hi there ... I'm currently on a working party looking at developing some overall strategies to ensure the potential danger of viruses is flagged minimised within our institution. We are looking at what should be done for both departmental and publically accessible (say student labs and library) equipment. As a starting point, I thought it might be worthwhile to see if other institutions had developed some policies and procedures along this line. At this stage we're concentrating on PCs (we mainly have IBM PC compatibles and Macintoshes) but any info would be greatly appreciated. I'm new to this group so I hope I'm not asking for something that has been dealt with to death. On the other hand, if there's enough interest I'm very willing to summarise and post on the net. Thanks in advance for any assistance. Joseph Young, ACSnet: axiom.maths.uq.oz ------------------------------ Date: Fri, 16 Mar 90 14:59:17 -0500 From: m19940@mwvm.mitre.org (Emily H. Lonsford) Subject: PCDATA anti-virus toolkit - FREE (PC) In the February 13 issue of PC Magazine, there's an article by Wolfgang Stiller which describes a toolkit that can be used to detect data modification/damage on a PC/DOS machine. The toolkit, PCDATA, can be downloaded from Compuserve. The toolkit is pretty extensive; for example, there's a utility to calculate two different cksums on files, another to do file compares and still a third to check the DOS boot sectors and partition tables. But the best part is, it's free. For more information, see p. 263 of the Feb. 13 1990 issue of PC Magazine. * Emily H. Lonsford * MITRE - Houston W123 (713) 333-0922 ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253