Date: Tue, 6 Oct 1992 12:25:06 -0400
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #160

VIRUS-L Digest   Tuesday, 6 Oct 1992   Volume 5 : Issue 160

Today's Topics:

Maltese Amoeba (PC)
re: FLIP (PC)
Re: TSR runtime scanner needed (PC)
Re: Recent IBM Virus List? (PC)
Re: A few questions (Stardot/V801/Michaelangelo) (PC)
Re: Boot sector infected ! Virus ? (PC)
Re: Recent IBM Virus List? (PC)
Re: TSR runtime scanner needed (PC)
Re: VIRSCAN detects Yankee-Doodle 2885 (PC)
Re: Stoned and disk problems (PC)
Ping Pong imitation (PC)
Re: F-PROT 2.05a -- available yet ??? (PC)
Re: VIRSCAN detects Yankee-Doodle 2885 (PC)
Possible Virus (PC)
Disinfection (Was: Re: more network security)
Computer virus used for attempted blackmail: episode 2
MacMag, the original data virus! (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.
Send contributions to VIRUS-L@LEHIGH.EDU.  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  A FAQ (Frequently Asked Questions) document
and all of the back-issues are available by anonymous FTP on cert.org
(192.88.209.5).  Administrative mail (comments, suggestions, and so
forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 30 Sep 92 22:30:08 -0400
From:    Jimmy Kuo
Subject: Maltese Amoeba (PC)

Jerry Reno asks:

>Does anyone know anything about the Maltese Amoeba virus?  I've
>been out of it for a bit, and just got a memo from a software
>company (John Wiley & Sons) informing me that some of their disks
>were infected.

>The letter only suggests that the virus "may, unfortunately,
>affect files on your hard drive" and that it is only detectable
>by the Norton Anti-Virus (Version 2.0).

It will not detect as such if the August, or later, defs update is
used.

>Being from a department (MSU Dept. of Statistics) that does not
>have access to NAV, I'd really like to know if anyone has more
>information.....

Get a copy of NAVSCAN (freeware for individuals) and try it out at
home.

Jimmy Kuo                                   cjkuo@ccmail.norton.com
Norton AntiVirus Research

------------------------------

Date:    Thu, 01 Oct 92 09:47:39 -0400
From:    2007do@ankara2.af.mil (CS/DO;675-3254)
Subject: re: FLIP (PC)

Vivek Swarup of moh.gov.on.ca writes:

>On 1 of our PCs CPAV detected some virus but could not tell us which
>one.  We obtained a copy of f-prot V2.02 which indicated this system
>had a FLIP Virus.  We obtained a new version of f-prot (v2.05) which
>indicated the PC has the TELECOM Virus.  Shortly thereafter we had

In the process of testing out some virus-scanning software (time
trials and such), VIRx came up with the following:

=============
VIRx Virus Scan Report
Scan run on: Sep 24, 1992 at 16:04:36                       Page: 1
Scanning: C:
C: is dirty
109 directories examined.
534 files examined.
6 files infected.
0 viruses removed, 0 files deleted
Boot Record was not infected.
Memory check shows 0 viruses found
Options and arguments:
- Long Search Enabled.
- Extra Memory Check Enabled
-----
C:\CPAV\VSAFE.COM        Is infected with the Flip (W) virus.
C:\CPAV\VWATCH.COM       Is infected with the Flip (W) virus.
C:\CPAV\VSAFE.SYS        Is infected with the Flip (W) virus.
C:\CPAV\VWATCH.SYS       Is infected with the Flip (W) virus.
C:\PCTOOLS\VDEFEND.COM   Is infected with the Flip (W) virus.
C:\PCTOOLS\VDEFEND.SYS   Is infected with the Flip (W) virus.
==========

All the files had been scanned with SCAN vers. 95, with the -AV
option.  Since removing the validation CRCs, everything comes up
clean.  When running one anti-virus program against another, or files
CRCed by another, ????...

Hope this helps....

Henry B. Tindall, Jr., SSgt, USAF
Small Computer Support Center
Izmir Air Station, Izmir, Turkey

------------------------------

Date:    02 Oct 92 16:07:43 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: TSR runtime scanner needed (PC)

monta_l@dist.dist.unige.it (Marco Gualdi) writes:

>similar program, so the sources are agreed.  I have a lot of problems
>with the Stanco virus (a local production, I suppose).  Bontchev, Frisk
>and McAfee know it, but no scanner recognizes it, yet.

Uh, F-PROT 2.05 recognizes it, although it gives a false alarm in one
case (PKLITE'd BACKUP.EXE, I think)....sorry, fixed in 2.05a.

-frisk

------------------------------

Date:    02 Oct 92 16:14:08 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Recent IBM Virus List? (PC)

mechalas@mentor.cc.purdue.edu (John Mechalas) writes:

>Where can I find a current list of known IBM viruses that is in the
>public domain?

If you find one, let me know :-)

Seriously, there is no list that is 100% up to date - with several new
viruses arriving every day it is not possible.  You can get a
reasonably good list from several sources, but none 100% complete.
>I am looking for virus name:

Yeah, me too :-) ....unfortunately, there is still a lot of naming
confusion in this field.

>type:

I assume you mean "Resident/Non-resident" and what it infects, right?

>disinfectant method:

I am not sure what you mean by this - I don't know of any publicly
available virus list that describes the method to disinfect them.

-frisk

------------------------------

Date:    02 Oct 92 16:48:32 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: A few questions (Stardot/V801/Michaelangelo) (PC)

KENNEY%NBECC.decnet@consrt.rockwell.com (NBECC::KENNEY) writes:

> - are StarDot and V801 related?

I have no idea what NAV calls "V801", but the StarDot virus indeed has
such a variant.  In fact, it has variants with infective lengths 600,
789, and 801.  Assuming that NAV calls StarDot.801 "V801", I suspect
that it has messed up the two StarDot variants - StarDot.789 and
StarDot.801.  BTW, please note that this virus "pads" the files before
infection in such a way that their size becomes a multiple of 16.
Therefore, while the length of the virus is 600/789/801 bytes, it can
add more than this amount of bytes to the infected files.

> - how stealthy was Michelangelo, and does it survive warm boots?

It isn't stealth at all, and it does NOT survive warm boots.

> - can you tell where the start and end of an infected file are supposed to
> be algorithmically, so that one routine could trim off all length-variants of
> one or more virii?

Umm... it depends on the particular virus.  For some viruses you can,
for some you cannot restore the original file exactly.  The StarDot
viruses are one example of viruses for which it is not possible to
restore the file size exactly.  Another example is the good old
Jerusalem - you cannot disinfect most EXE files correctly.  Therefore,
it is always a good idea not to rely on disinfection, but simply to
delete all infected files and to restore them from clean backups.
> Since Stoned + Michelangelo = bye-bye FAT, this is getting

No, Stoned + Michelangelo = bye-bye boot sector, not FAT.  The FAT is
damaged only on some (almost not used today) hard disks, and for these
hard disks you don't need both viruses - either of them will do...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Oct 92 17:03:27 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Boot sector infected ! Virus ? (PC)

cj@info.ucl.ac.be (Christine Jacqmot) writes:

> The boot sector has been modified with the following byte sequence:
> 08 01 00 02 00 02 00 00 F8 A0 00 1A 00 0E 00 1A

Are those the -first- few bytes of the boot sector?  If yes, then the
boot sector does not contain a virus, it is just damaged.  The damage
could have been done by a virus, but there is no virus in the boot
sector.

> The effect is the following one:
> whenever we try to read or write a floppy, the displayed message tells us
> that there is "0 byte free, 0 byte allocated" on the floppy and then,
> the contents of the diskette is lost.

The reason for this is that the Drive Parameter Block table in the
boot sector is damaged.

> The problems began after having used CDROM's which contain demo's of
> products available in sharewares (but maybe this is pure coincidence!)

The damage might have been caused by a buggy program, yes.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Oct 92 17:35:50 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Recent IBM Virus List? (PC)

mechalas@mentor.cc.purdue.edu (John Mechalas) writes:

> Where can I find a current list of known IBM viruses that is in the
> public domain?  I am looking for virus name, type, disinfectant
> method, and short description if possible.  I see a lot of lists, but
> most of them are either (a) old or (b) copyrighted.

Hmm, I don't know whether the thing that you want exists...  You could
consider the following options:

1) Patricia Hoffman's VSUM.  Shareware hypertext information about IBM
PC viruses.  Contains A LOT of information.  Drawbacks: most of the
information is incorrect and/or incomplete.  Some of the virus
variants listed do not even exist.  Available from many places,
including ours:

ftp.informatik.uni-hamburg.de:pub/virus/progs/vsumx208.zip

2) The Computer Virus Catalog, published by VTC-Hamburg (i.e., us).
Very technical, describes viruses for different platforms (IBM PC,
Amiga, Atari ST, Macintosh).  Freeware, but not public domain - we
still have the copyright and you must not modify it if you give it to
others.  Drawbacks: the IBM PC platform is not covered well.  Only
about 10% of the existing viruses for it are described.  Available
from

ftp.informatik.uni-hamburg.de:pub/virus/texts/catalog/msdosvir.zip

3) The comparative scanner tests for FindVirus, F-Prot, and SCAN.
They also list the standard CARO name of each virus, together with the
names given by the above scanners.  The list is very complete - it
lists ALL viruses from our virus collection.  It is public domain -
you can do with it whatever you want.  Drawbacks: only lists the
viruses.  No further information about them is given, except that
they are divided into boot/MBR and file infectors.
Available from

ftp.informatik.uni-hamburg.de:pub/virus/texts/tests/naming.zip

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Oct 92 18:04:23 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: TSR runtime scanner needed (PC)

monta_l@dist.dist.unige.it (Marco Gualdi) writes:

> I need a TSR runtime scanner with the ability to scan for a single
> userdefined virus signature.

Try TbScanX.  You can get it from Simtel20 or its mirrors:

oak.oakland.edu:pub/msdos/trojan-pro/tbscnx31.zip

(unless a later release is available, of course).

> I'm able to compile and/or assemble a
> similar program, so the sources are agreed.

No sources, sorry.

> I have a lot of problems
> with the Stanco virus (a local production, I suppose).  Bontchev, Frisk
> and McAfee know it, but no scanner recognizes it, yet.

F-Prot 2.05 recognizes it too well, alas...  It even reports a false
positive in some PKLited files.  :-(  Should be fixed in version
2.05a.

BTW, both F-Prot and SCAN allow the user to use scan strings defined
by him/herself.  However, if you decide to do so, be careful not to
fall into the same trap that Frisk did - it is very difficult to
select a scan string for this virus that will not cause false
positives, since the virus is PKLited itself...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Oct 92 18:12:39 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VIRSCAN detects Yankee-Doodle 2885 (PC)

mechalas@mentor.cc.purdue.edu (John Mechalas) writes:

> The PC-compatibles in our labs are using the IBM Anti-Viral package
> VIRSCAN, version 2.1.9.

> Recently, we have been getting a handful of reports of the Yankee
> Doodle-2885 virus in some of our .EXE files.  So far we have been able
> to eliminate the viruses by replacing the infected files.

> My questions are as follows:

> 1) Does VIRSCAN have a tendency to cause a false positive
> for Yankee Doodle?  I think we really do have a virus, but
> I'd like to check this option anyway.

At least the version that we have doesn't, but it is 2.2.3A.

> 2) I check F-Prot's virus base, but of course every virus is
> labeled differently between scanners.  :)  Which version of
> Yankee Doodle do we have, as in what does this strain do?

The standard CARO name of the virus that has probably infected your
computer is Yankee_Doodle.TP-44.A.  F-Prot calls it "Yankee (TP-44)".
You could look in its virus help database under the entry "Yankee" or
"Vacsina" (both point to one and the same text), but have in mind that
the information about viruses in F-Prot's help database is very
limited.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date:    Fri, 02 Oct 92 18:42:54 +0000
From:    rslade@sfu.ca (Robert Slade)
Subject: Re: Stoned and disk problems (PC)

msp2@midway.uchicago.edu (Michael S.
Post) writes:

>I just got a new 486DX, and I partitioned the hard drive, putting DOS
>5.0 into one partition and OS/2 2.0 into the other.  Now, I am having
>problems reading SOME of my high density 1.44" drives when I am in

I am assuming that you have set up a "dual boot" machine with a FAT
structure.  The problems with the high density drives are a dead
giveaway: it could almost be called another indicator of Stoned.

>DOS.  If I format a disk, and then type 'a:' to switch to the drive,
>it tells me it can't read the disk.  Also, some of my old disks can't
>be read.  In OS/2, I can read these same disks and format.  I

Yes, this is a common indicator of the presence of an MS-DOS boot
sector infector.  It'll work under DOS, but will not infect under OS/2
(even though it may possibly be present).

>discovered that when my disks are write protected, they will continue
>working if they already were.  As soon as I remove write protection,
>and the a: drive is used, even just doing a dir, suddenly something is
>damaged.

Quite so.  As long as the diskette is protected, nothing will happen
to it.  However, as you have found, Stoned (and Michelangelo) are very
infectious.  When they infect a disk (and yes, just a DIR can do it)
they reposition the original boot sector to an area that is mostly
unused on low density disks.  Unfortunately, it is vital on high
density floppies.

>When I ran SCAN v.93, it said that it found [Stoned] in memory and
>Michelangelo in the partition.  Are these viruses causing the problem
>with the disk drive, or is it something else?  Note: my 1.2Mb 5.25"
>drive, b:, is working just fine.

You probably only have one virus, although it is possible to get both.
You should boot your computer from a "known clean system disk" in
order to get the most accurate diagnosis.  You should also scan with
another scanner in addition to SCAN.  F-PROT and VIRx should be widely
available, as should TBSCAN and HTSCAN.
>I renamed autoexec.bat and config.sys, and still booting off of the
>hard drive makes the stoned virus appear in memory.  Where is it
>coming from when I turn on the machine?  The IO.SYS and MSDOS.SYS
>files?  They went through the scanning program OK.  Could my purchased
>install diskettes have a virus?

Stoned (and Michelangelo, which is derived from Stoned) are "boot
sector infectors".  They do not attach to program files on the disk,
but rather replace the boot sector program which has a given position
on every disk.  Specifically, they replace the "master boot
record/sector" on the hard disk, and so they are the first thing to
run when you turn the computer on.

F-PROT should be able to clean it up for you (unless you have a more
complex situation).  DISKSECURE can also help, as possibly can running
"FDISK /MBR".

>Thanks.  PLEASE, if you are responding, send a duplicate back to me.
>Either reply to this address or send e-mail to mpost@math.ucla.edu.
>Thanks again.

I'll try!  :-)

==============
Vancouver      ROBERTS@decus.ca     | "If you do buy a
Institute for  Robert_Slade@sfu.ca  | computer, don't
Research into  rslade@cue.bc.ca     | turn it on."
User           p1@CyberStore.ca     | Richards' 2nd Law
Security       Canada V7K 2G6       | of Data Security

------------------------------

Date:    02 Oct 92 19:22:44 +0000
From:    BRUTON raymond
Subject: Ping Pong imitation (PC)

Just a note, this may save somebody some headaches.  I recently had
what looked like the Ping-Pong virus with a squished ball (the normal
cursor) while running Soft-PC on an Apple PowerBook.  I tried unzipping
FP-205.zip using PKZIP v1.93a alpha version; it would hang and the
cursor would go ping-pong fashion.  I checked the disk with F-Prot 2.05
and it was OK.  I went back to the official version of PKZIP v1.10 and
it would unzip OK.  My PKZIP v1.93a would work fine on the same file on
a normal 486-33 desktop system.  It looks like some illegal instruction
occurred on the Soft-PC PowerBook configuration.
One thought on this though: with the emerging of mixed technologies,
could the Soft-PC's system areas be affected by viruses, and could they
be repaired in the regular ways?  I don't think that I am able to do
the standard procedure of booting from a non-infected floppy for
scanning.

hotpoint@cs.concordia.ca

------------------------------

Date:    03 Oct 92 10:13:28 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: F-PROT 2.05a -- available yet ??? (PC)

mramey@milton.u.washington.edu (Mike Ramey) writes:

>A message from Fridrik Skulason dated 18 Sep 92 announced his intention to
>"upload 2.05a right after this weekend".  Have I missed it?  Is it
>available?  If so, where?  Thanks, -Mike Ramey, UW, Seattle.

Nope - you did not miss anything - there have just been some delays.
I am spending a part of my time on a major revision of the program, so
adding detection/disinfection of the 150+ new viruses does not get
quite as high priority as usual.

The revised "upload" date is Monday, Oct 5th.

-frisk

------------------------------

Date:    Sun, 04 Oct 92 00:40:08 +0000
From:    mechalas@mentor.cc.purdue.edu (John Mechalas)
Subject: Re: VIRSCAN detects Yankee-Doodle 2885 (PC)

chess@watson.ibm.com (David M. Chess) writes:

>> From: mechalas@mentor.cc.purdue.edu (John Mechalas)
>
>Sorry for the delay in responding!  I was out last week on vacation...
>
>> 1) Does VIRSCAN have a tendency to cause a false positive
>> for Yankee Doodle?  I think we really do have a virus, but
>> I'd like to check this option anyway.
>
>No!  We know of no 2885 false positives at all, so if you've gotten
>reports in multiple files, it's almost certainly a real infection.
>(If you'd like to uuencode and send me an infected file, I'd be glad
>to verify the exact identity.)

No need to.  I believe you.  :)  The reason I originally asked was
because it was always the same three files that registered the
infection.
Since then, it has struck again on another PC, and this time a new
file was infected, so I would agree with you in that we have real
viruses.  :)

Thanks for the info.

--
John Mechalas                        [This space intentionally left blank]
mechalas@mentor.cc.purdue.edu
Purdue University Computing Center   Help put a ban on censorship
General Consulting                   #include disclaimer.h

------------------------------

Date:    Sun, 04 Oct 92 03:52:00 +0000
From:    b645zjy@utarlg.uta.edu (STEPHEN HUFNAGEL)
Subject: Possible Virus (PC)

Hi.  Does anyone know if there is a bug in VSHIELD ver 3.9 in
detection of virus programs?  The reason that I am asking is that
VSHIELD ver 3.9 recently detected the "Crypt-1" virus in one of my
programs.  Unfortunately I do not have the disinfecting program that
goes along with VSHIELD ver 3.9, and other virus detection programs
that I have used do not detect anything wrong with the program.  Some
of the other programs that I have used to detect it are: VSHIELD ver
5.1c, SCANV ver 8.7b, F-PROT ver 2.05, and Norton Anti-Virus.
Whatever VSHIELD ver 3.9 is detecting is apparently not spreading, as
the problem is not detected in any other program of mine.  And the
program that is detected to be infected is a few hundred bytes smaller
than the original one (VSHIELD does not detect the problem in the
original or copies of the original).

If anyone has any suggestions as to how to get rid of this possible
virus, please contact me at: B645ZJY@UTARLG.UTA.EDU

Also if anyone has any documentation on the "Crypt-1" virus, please
E-mail that to me also (I have been unable to find any information on
it).

B645ZJY@UTARLG.UTA.EDU

------------------------------

Date:    03 Oct 92 10:18:09 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Disinfection (Was: Re: more network security)

Vesselin Bontchev writes:

>As a conclusion, it is a bad idea to rely on virus disinfectors.
>Just delete the infected programs and replace them with clean
>backup copies.
Well, that is the "best" solution from many points of view - but there
are two practical problems:

1) Many (most ?) users don't keep decent backups.

2) It takes a lot less time and effort to run a disinfector than to
restore all files from a backup.

-frisk

------------------------------

Date:    Sat, 03 Oct 92 07:39:19 -0400
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Computer virus used for attempted blackmail: episode 2

From UK newspaper "Daily Telegraph", Fri. 2 Oct 1992 p2:-
(Hereinafter, '#n' = 'n pounds UK')

A computer specialist who threatened to put a virus in a program of a
client company in an argument over a phone bill was fined #500 and
ordered to pay #500 costs yesterday.

A jury at Newcastle upon Tyne Crown Court took more than six hours to
reach a 10-2 majority verdict in the case of Dr. Roy Booth, who had
denied blackmail.

The computer studies lecturer from Fieldhouse Road, Gateshead, Tyne
and Wear [in NE England], said after the hearing that his job at
Newcastle University was now in jeopardy.

Dr. Booth had threatened to insert a virus into a computer game of
Imec, a firm for which he had worked, when it refused to pay a #400
telephone bill he ran up while on a one week stay in America.  Instead
it was deducted from his fee.

The lecturer said he had expected to be paid #900.  The firm agreed to
pay him #450 which, with the telephone bill deducted, left him with
just #50.  He said he had threatened to insert a computer virus in an
attempt to "shake up" the company and encourage it to pay him in full.
He had no intention of damaging the program.

Judge Michael Cartlidge, sentencing him, accepted that the lecturer
was only trying to get back money which he felt was due to him.  But,
he added: "You employed illegal methods to do it and you should be
thoroughly ashamed of what you did."

------------------------------

Date:    Fri, 02 Oct 92 18:52:55 -0700
From:    rslade@sfu.ca
Subject: MacMag, the original data virus!
(CVP)

HISVIRD.CVP   920905

                     MacMag virus - "Data" Virus

The most widely distributed early reports of the MacMag virus were
undoubtedly those relating to its appearance on the Compuserve system.
In a sense this notoriety is unfair: even those reports from
Compuserve were prompted by the notice to Compuserve from someone who
had first downloaded the file from Genie.  Compuserve had nothing to
do with the production of the file, and it was uploaded and
distributed through other systems as well.  However, the fact remains
that the MacMag virus did get some distribution via a Hypercard
"stack" that was, for a time, posted on Compuserve.

Hypercard was the first widely available implementation of the
"hypertext" or "hypermedia" concept.  The basic idea is that related
information is "linked" so that associated data can be seen together,
or at least accessed quickly.  An example might be that in reading
email you might come across an unfamiliar term and be able to get a
definition of it.  At a higher level, when reading a news report of
some conflict, you would be able to quickly "pull up" a map of the
area, political history, studies of the ethnic groups involved and
economic data about the products and exports of the area.  Hypercard
was also seen as a development tool.

In any case, Hypercard "stacks" are essentially data bases with
internal "link" information.  As such, the initial report of the fact
that "NEWAPP.STK", supposedly a file of information on new Apple
products, actually altered system data met with skepticism.  Even then
it was "known" that viral programs could not spread via data files.
When this fact was confirmed, it was erroneously reported that MacMag
was an example of a virus that could.  (I've been guilty of this,
myself.)  In fact, the NEWAPP.STK might better be described as a
"dropper".

Semantics aside, how could a data file affect the system at all?
Well, more and more programs have "macro", "script" or interpreter
capability.
Thus the distinction between data and program blurs.  Hypercard stacks
have "commands" as well as data associated with them.  Generally,
these commands only govern the ability to "flip" from one "card" to
another.  However, an extended command set, XCMD, allowed for
additional functions beyond those normally available in Hypercard.
This was used to effect the system changes.

Other systems, such as Lotus 1-2-3, have macro capabilities associated
within data files.  In theory, it is possible for a virus to be able
to switch forms from "object" to macro in the same way that
multipartite viri switch from file to boot sector format.  However,
the viral code would be of considerable size.  To date no such virus
has been seen.

copyright Robert M. Slade, 1992   HISVIRD.CVP   920905

===================
Vancouver      ROBERTS@decus.ca     | "Power users think
Institute for  Robert_Slade@sfu.ca  | 'Your PC is now
Research into  rslade@cue.bc.ca     | Stoned' is part of
User           p1@CyberStore.ca     | the DOS copyright
Security       Canada V7K 2G6       | line."  R. Murnane

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 160]
******************************************
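The "Boot sector infected!" and "Stoned and disk problems" threads above both turn on what sits in the first sector of a DOS diskette. The Python below is an added example written for this digest, not code posted by any contributor. It parses the BIOS Parameter Block (the table from which DOS builds the Drive Parameter Block Bontchev refers to), applies the heuristic he used to Christine Jacqmot's sector (the 16 bytes are copied from her post and are assumed, as he asked, to be the first bytes of the sector; the rest of the 512 bytes is zero padding constructed here), shows why an unusable table produces "0 bytes free, 0 bytes allocated", and maps the place where Stoned parks the original floppy boot sector (cylinder 0, head 1, sector 3, the location commonly documented for the floppy case) onto 360 KB and 1.44 MB layouts to show which root-directory entries it overwrites. The two good sample sectors are constructed from the standard DOS floppy geometries and carry no boot code.

```python
"""Boot-sector sanity check and CHS-to-region mapping for DOS floppies.

Added example, not code from the digest.  The sample sectors are
constructed; only the 16 quoted bytes come from the post.
"""
import struct

# BIOS Parameter Block at offset 11 of a DOS boot sector: the table from
# which DOS builds its in-memory Drive Parameter Block.
BPB_FORMAT = "<HBHBHHBHHHI"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media",
              "sectors_per_fat", "sectors_per_track", "heads", "hidden")


def build_boot_sector(spc, root_entries, total, media, spf, spt, heads):
    """Constructed: JMP + OEM name + BPB, zero padded to 512 bytes.  The
    boot code itself is left out; only the header matters here."""
    bpb = struct.pack(BPB_FORMAT, 512, spc, 1, 2, root_entries, total,
                      media, spf, spt, heads, 0)
    return (b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb).ljust(512, b"\0")


# Standard DOS floppy geometries.
GOOD_1440 = build_boot_sector(1, 224, 2880, 0xF0, 9, 18, 2)  # 3.5" 1.44 MB
GOOD_360 = build_boot_sector(2, 112, 720, 0xFD, 2, 9, 2)     # 5.25" 360 KB

# The 16 bytes quoted in the post, taken as the FIRST bytes of the sector
# (the case Bontchev asked about), zero padded for the example.
DAMAGED = bytes.fromhex(
    "08 01 00 02 00 02 00 00 F8 A0 00 1A 00 0E 00 1A").ljust(512, b"\0")


def parse_bpb(sector):
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 11)))


def check_boot_sector(sector):
    """Reasons this is not a usable DOS boot sector; [] when it looks sane."""
    if len(sector) < 512:
        return ["sector shorter than 512 bytes"]
    problems = []
    # Heuristic from the post: DOS boot code and the boot-sector viruses of
    # the period open with a jump (EB xx 90 or E9 xx xx) over the BPB.
    # Bytes that are neither are damage, not code.
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        problems.append("no jump at offset 0: neither boot code nor a virus")
    b = parse_bpb(sector)
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes_per_sector %d invalid" % b["bytes_per_sector"])
    if b["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append("sectors_per_cluster %d invalid" % b["sectors_per_cluster"])
    if b["reserved_sectors"] == 0 or b["fat_count"] not in (1, 2):
        problems.append("reserved_sectors / fat_count invalid")
    if b["total_sectors"] == 0 or b["sectors_per_fat"] == 0:
        problems.append("total_sectors / sectors_per_fat is zero")
    if b["media"] < 0xF0:
        problems.append("media descriptor %#x invalid" % b["media"])
    if b["sectors_per_track"] == 0 or b["heads"] == 0:
        problems.append("zero sectors_per_track or heads")
    return problems


def layout(sector):
    """Logical sector numbers where the FAT, root directory and data begin."""
    b = parse_bpb(sector)
    bps = b["bytes_per_sector"]
    root_sectors = (b["root_entries"] * 32 + bps - 1) // bps
    fat_start = b["reserved_sectors"]
    root_start = fat_start + b["fat_count"] * b["sectors_per_fat"]
    return fat_start, root_start, root_start + root_sectors


def data_area_bytes(sector):
    """Capacity DOS would derive from the BPB.  A table that fails the
    checks yields 0: the "0 bytes free, 0 bytes allocated" symptom."""
    if check_boot_sector(sector):
        return 0
    b = parse_bpb(sector)
    data_start = layout(sector)[2]
    return max(0, b["total_sectors"] - data_start) * b["bytes_per_sector"]


def locate(sector, cylinder, head, phys_sector):
    """Map a CHS address to (region, index of the first root-directory
    entry stored there); the index is None outside the root directory."""
    b = parse_bpb(sector)
    logical = (cylinder * b["heads"] + head) * b["sectors_per_track"] + phys_sector - 1
    fat_start, root_start, data_start = layout(sector)
    if logical < fat_start:
        return "reserved/boot", None
    if logical < root_start:
        return "FAT", None
    if logical < data_start:
        return "root directory", (logical - root_start) * (b["bytes_per_sector"] // 32)
    return "data", None


if __name__ == "__main__":
    for name, sec in (("1.44 MB", GOOD_1440), ("360 KB", GOOD_360), ("damaged", DAMAGED)):
        print(name, data_area_bytes(sec), check_boot_sector(sec))
    # Stoned parks the original floppy boot sector at cylinder 0, head 1,
    # sector 3 (as commonly documented); see where that lands.
    for name, sec in (("360 KB", GOOD_360), ("1.44 MB", GOOD_1440)):
        print(name, locate(sec, 0, 1, 3))
```

On the 360 KB layout the parked sector is the last sector of the root directory (entries 96 and up, which a disk only uses once it holds that many files in its root), while on the 1.44 MB layout it is the second root-directory sector (entries 16 to 31), which is the concrete form of Slade's "mostly unused on low density, vital on high density" remark. The jump test is only a heuristic for the question Bontchev asked; a scanner compares the sector's code against known viruses rather than its first byte.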
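Bontchev's warning in the "TSR runtime scanner" thread, that a scan string for a virus which is itself PKLited will fire on every PKLited program unless it is drawn from bytes unique to the virus, is easy to reproduce. The Python below is an added example, not code from the digest or from F-Prot, SCAN or TbScanX. It implements a user-defined scan string in a hex notation with "??" as a one-byte wildcard (the notation is this example's own, not any particular scanner's) and runs three candidate strings over a constructed corpus: the packer stub, virus body and host bytes are invented for the example and are not real PKLITE or Stanco code.

```python
"""User-defined scan strings and the packer-stub false positive.

Added example; every byte pattern below is constructed for illustration
and is not real PKLITE, Stanco or host-program code.
"""
import re


def compile_scan_string(spec):
    """Turn "B4 4E BA ?? ?? CD 21" into a bytes regex.  Each token is one
    byte in hex; "??" matches any single byte (this example's notation)."""
    parts = []
    for tok in spec.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(files, spec):
    """Names of the files (dict name -> bytes) that contain the string."""
    pattern = compile_scan_string(spec)
    return sorted(name for name, data in files.items() if pattern.search(data))


def false_positives(files, spec, infected):
    """Clean files the string would report as infected."""
    return sorted(set(scan(files, spec)) - set(infected))


def missed(files, spec, infected):
    """Infected files the string fails to find."""
    return sorted(set(infected) - set(scan(files, spec)))


# Constructed stand-in for a packer's decompression stub.  The point that
# carries over from the real thing: the stub is identical in every file the
# packer produced, whether or not a virus is inside.
STUB = bytes.fromhex("BA 00 01 8C CA 03 D0 2B C3 8E DA 8B DC 83 C3 0F")


def virus_body(data_offset):
    """Constructed virus code.  The 16-bit operand of the BA (MOV DX,imm16)
    instruction is patched at infection time, so it differs per host."""
    return (bytes.fromhex("5E 81 EE 03 01 B4 4E BA")
            + data_offset.to_bytes(2, "little")
            + bytes.fromhex("CD 21 72 F6"))


FILES = {  # constructed corpus: two clean files, two infected hosts
    "BACKUP.EXE (clean, PKLITEd)": STUB + b"compressed backup program",
    "FORMAT.COM (clean, not packed)": bytes.fromhex("B4 09 CD 21") + bytes(24),
    "GAME.EXE (infected)": b"MZ" + bytes(40) + b"\xE9\x2A\x00" + STUB + virus_body(0x017C),
    "SHELL.EXE (infected)": b"MZ" + bytes(60) + b"\xE9\x3E\x00" + STUB + virus_body(0x029A),
}
INFECTED = ["GAME.EXE (infected)", "SHELL.EXE (infected)"]

# Three candidate scan strings for the same virus.
STUB_STRING = "BA 00 01 8C CA 03 D0 2B C3"            # taken from the packer stub
VIRUS_STRING = "5E 81 EE 03 01 B4 4E BA ?? ?? CD 21"  # virus code, offset wildcarded
RIGID_STRING = "B4 4E BA 7C 01 CD 21"                 # virus code with one host's offset

if __name__ == "__main__":
    for label, spec in (("stub", STUB_STRING), ("virus", VIRUS_STRING), ("rigid", RIGID_STRING)):
        print(label, scan(FILES, spec),
              "FP:", false_positives(FILES, spec, INFECTED),
              "missed:", missed(FILES, spec, INFECTED))
```

The stub string flags the clean packed BACKUP.EXE, the same shape of false alarm Frisk reported for a PKLITE'd BACKUP.EXE. The string taken from the virus's own code, with the per-infection operand wildcarded, finds both infected files and nothing else; the same bytes with one host's operand hard-coded miss the second infection, which is the other way a hand-picked string goes wrong.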