VIRUS-L Digest   Wednesday, 27 Mar 1991    Volume 4 : Issue 48

Today's Topics:

USSR BBSList
Request for general virus info
Re: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"
Need information about VIRUS BUSTER
unknown virus (PC)
Virus vs. hardware failures
PC Emulator on an ST (PC)
Layers of Help for Institutions
New Innoc (PC)
Whale virus, can anybody find it? (PC)
virii of the unknown dimension (Amiga)
H.C.S virus?????? (Amiga)
Translation please...
Kamasya virus
Mutation (or not) of Stoned (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: 23 Mar 91 09:05:00 -0500
From: "Selden E. Ball, Jr."
Subject: USSR BBSList

Gentle folk,

Many people are doubtless already aware of this, but it came as a bit of a surprise to me. It is now possible to direct-dial computer bulletin boards in the USSR and eastern European countries. Many of them are already on FidoNet. The following list of BBSs was recently posted to a widely read news group.

The potential transmission speed for computer viruses is increasing faster than your favorite comparison. sigh.
Selden Ball
seb@lns61.tn.cornell.edu

Original-Date: 15 Mar 91 23:01:15 EST
Original-From: Frank Topping <76537.1713@CompuServe.COM>
Original-Subject: USSR BBSList

I thought some teachers might be interested in this - they're growing like wildfire & connectivity opportunities abound!

- -frank

Known USSR Bulletin Board Systems
Version 10c of 3/13/91
Compilation (C) 1991 Serge Terekhov

BBS name                      ! Data phone      ! Modem    ! FIDO addr
-----------------------------!----------------!----------!------------
PsychodeliQ Hacker Club BBS   ! +7-351-237-3700 ! 2400     ! 2:5010/2
Kaunas #7 BBS                 ! +7-012-720-0274 ! ?        ! -
Villa Metamorph BBS           ! +7-012-720-0228 ! ?        ! -
WolfBox                       ! +7-012-773-0134 ! 1200     ! 2:49/10
Spark System Designs          ! +7-057-233-9344 ! 1200     ! 2:489/1
Post Square BBS               ! +7-044-417-5700 ! 2400     ! -
Ozz Land                      ! +7-017-277-8327 ! 2400     ! -
Alan BBS                      ! +7-095-532-2943 ! 2400/MNP ! 2:5020/11
Angel Station BBS             ! +7-095-939-5977 ! 2400     ! 2:5020/10
Bargain                       ! +7-095-383-9171 ! 2400     ! 2:5020/7
Bowhill                       ! +7-095-939-0274 ! 2400/MNP ! 2:5020/9
JV Dialogue 1st               ! +7-095-329-2192 ! 2400/MNP ! 2:5020/6
Kremlin                       ! +7-095-205-3554 ! 2400     ! 2:480/100
Moscow Fair                   ! +7-095-366-5209 ! 9600/MNP ! 2:5020/0
Nightmare                     ! +7-095-128-4661 ! 2400/MNP ! 2:5020/1
MoSTNet 2nd                   ! +7-095-193-4761 ! 2400/MNP ! 2:5020/4
Wild Moon                     ! +7-095-366-5175 ! 9600/MNP ! 2:5020/2
Hall of Guild                 ! +7-383-235-4457 ! 2400/MNP ! 2:5000/0
The Court of Crimson King     ! +7-383-235-6722 ! 2400/MNP ! 2:50/0
Sine Lex BBS                  ! +7-383-235-4811 ! 19200/PEP! 2:5000/30
The Communication Tube        ! +7-812-315-1158 ! 2400/MNP ! 2:50/200
KREIT BBS                     ! +7-812-164-5396 ! 2400     ! 2:50/201
Petersburg's Future           ! +7-812-310-4864 ! 2400     ! -
Eesti #1                      ! +7-014-242-2583 ! 9600/MNP ! -
Flying Disks BBS              ! +7-014-268-4911 ! 2400/MNP ! 2:490/40.401
Goodwin BBS                   ! +7-014-269-1872 ! 2400/MNP ! 2:490/20
Great White of Kopli          ! +7-014-247-3943 ! 2400     ! 2:490/90
Hacker's Night System #1      ! +7-014-244-2143 ! 9600/HST ! 2:490/1
Lion's Cave                   ! +7-014-253-6246 ! 9600/HST ! 2:490/70
Mailbox for citizens of galaxy! +7-014-253-2350 ! 1200     ! 2:490/30
MamBox                        ! +7-014-244-3360 ! 19200/PEP! 2:490/40
New Age System                ! +7-014-260-6319 ! 2400     ! 2:490/12
Space Island                  ! +7-014-245-1611 ! 2400     ! -
XBase System                  ! +7-014-249-3091 ! 2400/MNP ! 2:490/40.403
LUCIFER                       ! +7-014-347-7218 ! 2400     ! 2:490/11
MESO                          ! +7-014-343-3434 ! 2400/MNP ! 2:490/60
PaPer                         ! +7-014-343-3351 ! 1200     ! 2:490/70
-----------------------------!----------------!----------!------------

|--- Maximus-CBCS v1.02
 * Origin: The Court of the Crimson King (2:50/0)

..................................................
Frank Topping, sysop
Sacramento Peace Child - NorCal K-12Net Feed
(916)451-0225 (1:203/454)

------------------------------

Date: Sat, 23 Mar 91 10:45:00 -0400
From: Al Woodhull
Subject: Request for general virus info

Dear VIRUS-L readers,

I can't claim to be a virus expert, but I am trying to learn as much as possible about virus action and prevention. As the only faculty member at Hampshire College who teaches assembly language programming and computer architecture I am the best candidate to become a local semi-expert.

I am currently planning a presentation for faculty, staff, and students on the virus problem. I will concentrate on techniques to prevent virus infection and to recognize and to recover if prevention fails, but I will also, as time allows, say a little about the history of the problem and the mechanisms of PC viruses with which I am familiar.

In the interest of avoiding duplication of effort I would be grateful if any readers of VIRUS-L could send me any materials they may have prepared for similar presentations, or pointers to available documents that they feel should be collected for a local reference collection on the subject. I will prepare some materials myself to hand out to those present, and I will be happy to share these, and anything I receive from others, with any VIRUS-L readers who want them.

Thank you,

Albert S. Woodhull
awoodhull@hampvms.bitnet

------------------------------

Date: Sun, 24 Mar 91 01:54:28 +0000
From: mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"

Umm, excuse me, I'm just a dumb Mac Admin, but I was under the impression that this "new strategy" was the current strategy. At least on Macs, where this whole thing started, the strategy is to zing the bugger. The PC anti-viral programs we've installed on our machines (all 100-200) essentially block spreads by watching what's going on and looking for virus-like code, then killing it (unless I have no concept of the way PC virus killers work).

Mikey
Mac Admin
WSOM
CWRU
mike@pyrite.som.cwru.edu

P.S. If I'm ignorant, please tell me and then explain why

------------------------------

Date: Sun, 24 Mar 91 20:55:08 +0000
From: R.Grapes@massey.ac.nz (Robert Grapes)
Subject: Need information about VIRUS BUSTER

Hi,

I am trying to obtain as much information as possible about a product called VIRUS BUSTER. The only information I have about it is that it appears to be an Australian product. Any help would be greatly appreciated.

Thanks.

************************************************************************
Robert Grapes, Systems Programmer, Computer Centre, Massey University
Voice: +64 63 69099 ext 7615     Email: R.Grapes@massey.ac.nz
************************************************************************

------------------------------

Date: Mon, 25 Mar 91 14:20:53 +0100
From: zrash01@convex.zdv.uni-tuebingen.de (H.P. Schill)
Subject: unknown virus (PC)

I've got a program (pkunzip) that seems to be infected by a virus. It is said that SCAN doesn't find a virus. Also FPROT doesn't find anything.

Running the infected program will load the virus into memory. When another program is executed, this program will become infected, increasing the size by 982 (or so) bytes. No other effects are known to me.

Has anyone seen it before?
Peter Schill
Universitaet Tuebingen
zrash01@convex.zdv.uni-tuebingen.de

------------------------------

Date: Mon, 25 Mar 91 10:10:58 -0800
From: "Info Security 3-9797"
Subject: Virus vs. hardware failures

Eldar A. Musaev writes:

> I am very often disturbed by users who take hardware failures for
> a virus.... What could we do to help users to distinguish viruses
> and failures?

It has been my experience that it takes far less time to use your favorite anti-virus software to first check if a virus is present. If there is no indication of a virus, then check for hardware and other software kinds of problems.

Bill Bauriedel
Info. Security Office
Stanford Univ.

------------------------------

Date: Mon, 25 Mar 91 16:59:37 +0000
From: Andrew McLean
Subject: PC Emulator on an ST (PC)

I (sometimes) have access to an Atari ST with a software PC emulator (PC-ditto). It occurs to me that if the emulator works well then it "should" be able to spread a virus just like a real PC. It also occurs to me that not all computers have hardware write protect on their floppy disks.

The big question is: can I safely put a write protected floppy into the ST drive while running a PC emulator (or otherwise), or am I in danger of acquiring a virus? What I particularly have in mind is my "trusted" DOS boot disks and disks containing virus scanners which are permanently write protected (the write protect tabs are glued open or removed).

Andrew McLean          | Janet       : PHR050@UK.AC.SOTON.IBM
Department of Physics  | Earn/Bitnet : PHR050@IBM.SOTON.AC.UK
The University         |          or : PHR050%UK.AC.SOTON.IBM@UKACRL
Highfield              | INTERNET    : PHR050@IBM.SOTON.AC.UK
Southampton SO9 5NH    | uucp        : PHR050%UK.AC.SOTON.IBM@ukc.uucp
tel. 0703 593084

------------------------------

Date: Mon, 25 Mar 91 12:24:26 -0500
From: Padgett Peterson
Subject: Layers of Help for Institutions

>From: eldar@lomi.spb.su (Eldar A. Musaev)
>Subject: Re: Standardized virus signatures (PC)
>The scanners have an unpleasant feature. If someone changes the
>signature of the virus, it (virus) becomes unfamiliar to scanner.

>Subject: Hardware failures & viruses (PC)
>I am very often disturbed by users who take hardware failures for a virus.

These and several recent postings from institutional users really have the same solution. Like the PC model I have been discussing lately, it is a layered solution:

First, divide the institution into three elements: Users, Technicians, and Gurus (for want of a better term). The great bulk of the population are the Users. They are concerned with completion of tasks and require tools that are able to help them. Users should be concerned only with a binary question - Is the machine working properly? Yes/No. In order to do this the user must be trained to be able to determine this. For a bare PC, this requires considerable sophistication, but with layered-in integrity checking such as we have discussed, all that may be necessary is to respond to a screen. The real message that is taught is that "If an exception occurs, call a technician".

Second, the technician must be equipped with the tools of his/her trade. In the case of the PC, these will include viral scanning devices and programs. The technician's responsibility is again binary: Can I repair the machine? Yes/No. To be able to do this, the technician is trained not only as a user (though this is necessary), but also in the repair and structure of the machine. Here the message is "Repair the machine if you understand the problem, call a Guru if not".

Third is the "Guru" who may or may not be an employee but who is on call and is capable of determining any problem: hardware, software, mistake, or virus. Generally, this role will be handled by not more than one or two people in an organization who will also design "seamless" training.

From this structure, levels of responsibility will also emerge. The User is required only to report malfunctions. The technician to repair those problems that are understood, and the Guru to direct training and handle all else. The dichotomy of the Guru is necessary since this is where evaluations must be made to determine when to add functions, directions, and training to the lower levels.

Unfortunately, in many organizations, the third level is left off and results in the problems that Mr. Musaev refers to. It would appear that in his organization he is "informally" filling the "Guru" function without the authorization to determine where the functional divisions are and what training each shall receive.

With this three layer model, the division of labor becomes natural, provides natural filters at each level, and allows personnel to rise according to their ability. With proper training and internal integrity checking, the users can correct the bulk of their problems themselves or with a telephone call. Of the remainder, most can be corrected by the technicians, leaving the "Guru" to handle the few really difficult ones.

Scanners, by their nature, are a very valuable tool for the second level (technicians) since proper use and disinfection procedures require knowledge and training to determine how disinfection can be done with minimum impact (low level formatting is never necessary). At this point 90+% efficiency is sufficient so long as limitations are understood. They are also valuable tools for the "Guru" as an aid.

Good Scanners state up front that only known malicious software can be found. And the technician must have a means to handle something he/she does not know how to handle. For this reason, the users must have a tool (whether they know it or not) that will detect change to a system; if it includes scanning, fine, but scanning alone is insufficient as a "complete" answer.

In my experience, the ratio of users/platforms to technicians is usually about 200:1 and it is unusual for any organization to have more than one or two "Gurus".

Enough,

Padgett

------------------------------

Date: Mon, 25 Mar 91 04:06:38 -0400
From: MMCCUNE@sctnve.BITNET
Subject: New Innoc (PC)

INNOC has been updated to add two new viruses. It now inoculates against the Azusa and Joshi viruses. In addition to these, INNOC already inoculates against the Ashar, Brain, Ping-Pong and Stoned viruses. INNOC will also remove all boot infectors already on the diskette.

Anybody needing an inoculation program against a specific virus can reach me at MMCCUNE@SCT.NVE (BITNET) or MMCCUNE@SCTNVE.PEACHNET.EDU (INTERNET)....

------------------------------

Date: 25 Mar 91 23:02:07 +0000
From: csw76@seq1.keele.ac.uk (J.C. Kohler)
Subject: Whale virus, can anybody find it? (PC)

I have a computer which is infected by the Whale virus, but none of the virus-scanners I use can find it. I found the virus on the computer about a week ago, using McAfee's scan. I removed the infected files, but it keeps coming up. I have tried to find it with scan, f-prot and AVS. Is this because it is a stealth virus???

I think I'm going to do a low-level format on the disk now, to prevent any trouble in the future. But could anybody tell me why it is impossible to find it.

Many thanks in advance,

Christian Kohler
University of Keele, United Kingdom
csw76@uk.ac.kl

------------------------------

Date: 25 Mar 91 23:51:06 +0000
From: bsercomb@gara.une.oz.au (ATOMIC PLAYBOY)
Subject: virii of the unknown dimension (Amiga)

DOES anyone know about the BSG-29 virus on the amiga?? you know, the one which prints up something like xxxxxxx is a transgression, piracy is a crime, this is the cure: BSG-29 sonderkommando. [I am not German]

I would really like to know:
1. if it does anything painful to files/disk access etc. etc.
2. how the hell to kill it dead....

ATOMIC PLAYBOY
thanx in advance........

------------------------------

Date: Tue, 26 Mar 91 04:15:09 +0000
From: set@phobos.cis.ksu.edu (Steve E Tietze )
Subject: H.C.S virus?????? (Amiga)

I just found a virus calling itself the H.C.S virus and H.C.S virus II. Help, what do they do? I have an Amiga computer... Please Email me with suggestions of help.

Email set@phobos.cis.ksu.edu

------------------------------

Date: Tue, 26 Mar 91 13:16:55 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Translation please...

The following text is found inside the Kamasya virus - which happens to be virus #500 in my own list. Does it mean anything, and if so, which language is it? I would guess it was a language related to Hindi, but I am not sure....

Kamasya nendriya pritir labho jiveta yavata jivasya tattva jijnasa nartho yas ceha karmabhih

- -frisk

[Ed. See follow-up below...]

------------------------------

Date: Wed, 27 Mar 91 09:12:38 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Kamasya virus

I have been flooded with replies to my question about the text found inside the Kamasya virus:

Kamasya nendriya pritir labho jiveta yavata jivasya tattva jijnasa nartho yas ceha karmabhih

I would like to thank all those providing a part translation or a part of it, in particular Rajesh Gupta, Sibabrata Ray, Anupam Joshi, Ajit Sanzgiri, A. Satish Pai, Girish Chandram.

Everybody agreed it was difficult to translate this text in Sanskrit into English, but the meaning is something like:

"As long as you live, sex and pleasing of the senses is useless. The essence of life is the desire to know, not money or fame."

This text is surely the most curious I have found inside any of the 400+ viruses I have examined...

- -frisk

------------------------------

Date: 26 Mar 91 11:17:37 -0500
From: Pat Ralston
Subject: Mutation (or not) of Stoned (PC)

In the March 4th issue 34 VIRUS-L Digest we (IUPUI) reported what might be a mutation of Stoned or Stoned II. In that posting we said "McAfee's VIRUSCAN version 74B reports Stoned, but ONLY on FLOPPY disks". We have had many responses -- Thanks to all.
Some of those responding felt that we are seeing old -- vanilla -- Stoned. One of the most heard responses was "have you tried version 75?". Yes, when version 75 was available to us we used it; with the same results. Stoned can be found on floppy disks but not the hard disk. We have sent a specimen to only one or two people who asked for it -- most major (familiar) names on this list.

It is still an unsettling thought that this Stoned -- whether vanilla/common version or new hacked version -- can be found on floppy disks only.

Pat Ralston
IUPUI
Indiana University - Purdue University at Indianapolis

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 48]
*****************************************
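Padgett Peterson's point above is that scanners find only known malicious software, so users need a tool that detects change to the system; Peter Schill's report of executables growing by 982 bytes is exactly the kind of change such a tool catches. The following baseline-and-verify integrity checker is an added example, not code from the digest or from any of its posters: the watched extensions, the sample files and the simulated 982-byte growth are all constructed for the demonstration.

```python
"""Added example: file-integrity baseline/verify with size-delta reporting."""
import hashlib
import os
import tempfile

EXTS = (".exe", ".com", ".sys", ".ovl")   # DOS executable types to watch (assumption)

def _digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def baseline(root, exts=EXTS):
    """Return {relative_path: (size, sha256)} for files with a watched extension."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, root)] = (os.path.getsize(full), _digest(full))
    return snap

def verify(root, snap, exts=EXTS):
    """Compare the tree with a saved snapshot; 'changed' holds (path, size_delta)."""
    now = baseline(root, exts)
    report = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(snap) | set(now)):
        if rel not in snap:
            report["added"].append(rel)
        elif rel not in now:
            report["removed"].append(rel)
        elif snap[rel][1] != now[rel][1]:      # hash differs: content changed
            report["changed"].append((rel, now[rel][0] - snap[rel][0]))
    return report

def uniform_growth(report):
    """Common positive size delta of all changed files (an infector's fingerprint), else None."""
    deltas = {delta for _, delta in report["changed"]}
    return deltas.pop() if len(deltas) == 1 and min(deltas) > 0 else None

def simulate(growth=982):
    """Constructed scenario: sample files in a temp dir are baselined, then two
    executables get `growth` zero bytes appended (a benign stand-in for infection)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    for rel in ("a.exe", "b.com", "readme.txt", os.path.join("sub", "c.exe")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"MZ" + rel.encode())      # constructed placeholder content
    snap = baseline(root)
    for rel in ("a.exe", os.path.join("sub", "c.exe")):
        with open(os.path.join(root, rel), "ab") as f:
            f.write(b"\0" * growth)
    return verify(root, snap)
```

In practice the snapshot from `baseline` is stored on write-protected media and `verify` is run from a clean boot, which is the "detect change" layer Padgett describes sitting beneath scanning.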