VIRUS-L Digest Wednesday, 31 May 1989 Volume 2 : Issue 123 Today's Topics: RE: Virus writing Use Disinfectant (Mac) Re: Mac II virus? Atari ST boot sector virus wasn't a new strain... Virus Maker (PC) --------------------------------------------------------------------------- Date: Tue, 30 May 89 16:58 EDT From: Subject: RE: Virus writing Ahem, WRONG! Hi, considr you have a harddisk machine ohhh say a Mac II and you put a new (from the company) disk ooohhh say Aldus Freehand in the drive. Now, on your hard disk, you have all the programs that you BOUGHT (yes, the "B" word!). You install your copy of Freehand on the harddisk BUT it has SCORES ON IT! Do you still think that Virus writing is not a crime? This actually happened to us at Southeastern U.. Luckily, we have people here who have a clue and we fixed it. Defining the term `Virus' and criminal actions is not easy. Technically, a virial program that would search out and destroy resident copies of scores or nVir or etc is a virus and the distinction is only in the intent of the programmer and the result of his and many in between (those who swap disks). In short, (and as of now) a criminal virus is one that is capable of destroying/altering information and is resident in a `parasite' state. This does not include programs that search out and destroy the above as their purpose is to remove the danger not to cause it. Remember this is not a comprehensive defination. good discussions, let's kep it up and make something of it. Alex Zavatone Library Mac Software Chief Southeastern Massachusetts Unv. acsaz@semassu disclaimer: nope. ------------------------------ Date: Tue, 30 May 89 17:31:36 EDT From: Joe McMahon Subject: Use Disinfectant (Mac) > ... I ran Interferon 3.1 and it showed a virus type 003 in my TOPS > file ... I hereby declare June "Stop Using Interferon and Use Disinfectant, Please" Month. TOPS uses a non-standard, unusual, but NOT illegal or viral, segmentation scheme. CODE 0 immediately jumps to another segment, which Interferon labels as a "sneak" (BTW: there is no such virus; it's just a made-up term). Interferon's check is too weak; it catches OK programs (like TOPS) and causes unnecessary heartburn and agonization. Disinfectant does not do this. It was an attempt to make a "predictive" detector which would alert you if it found something that looks like a virus. If you must have a predictive checker, try Steve Brecher's Repair program (available via anonymous FTP from sumex-aim.stanford.edu as /info-mac/virus/repair.hqx). It is supposedly able to detect clones of the nVIR virus and stomp them. It won't find anything else weird, though. --- Joe M. ------------------------------ Date: Tue, 30 May 89 16:23:38 PDT From: dplatt@coherent.com (Dave Platt) Subject: Re: Mac II virus? > After attending a virus seminar, I went back and checked my Mac II, > and noticed that the System file had been modified earlier that day. > I ran Interferon 3.1 and it showed a virus type 003 in my TOPS file. > The Interferon documentation says that virus type 003 is the "SNEAKS" > virus, and that this virus affects the INITs in the System folder. > There are only 6 INITs in my System folder, one for each of the three > TOPS files: TOPS, SOFTTALK, and SPOOL. EasyAccess has three INITs. I > ran ResEdit over all the INITs and couldn't find any strings like > "Evil Wizard," or anything else overtly suspicious. Interferon has a tendency to report "sneak" infections in some cases in which it should not. I believe that recent versions of TOPS trigger this alert. I suggest that you download a copy of Disinfectant from the archives at SUMEX-AIM.Stanford.Edu and use it to scan your system. It is much less prone to false alarms, and will detect viruses that Interferon will miss. > Another symptom: I've been running Gatekeeper in Notify Only mode for > the past month, and whenever I bring up the machine, it gives warnings > for SPOOL and TOPS. I've ignored those messages, thinking that TOPS > (and SPOOL) were just performing some misinterpretted, but legal > operation. TOPS and a number of other useful INITs (e.g. the Moire screen-saver, the RAM Disk CDEV, etc.) tend to modify themselves. Open the Gatekeeper Control Panel window, flip the switch to "Settings", add these files to the applications/inits list (or select them, if they're already there) and then grant them "Res: self" permission. This will prevent the alerts from occurring when these INITs twiddle with their own resources, but it will prevent them from infecting other files if they are indeed virus-ridden. > Anyone having similar experiences? Am I infected? Yup. I don't believe so. > Thanks. You're welcome! - -- Dave Platt FIDONET: Dave Platt on 1:204/444 VOICE: (415) 493-8805 UUCP: ...!{ames,sun,uunet}!coherent!dplatt DOMAIN: dplatt@coherent.com INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303 ------------------------------ Date: Tue, 30 May 89 21:25 CDT From: Gordon Meyer Subject: Atari ST boot sector virus wasn't a new strain... A couple of weeks ago I reported an ST boot virus to digest readers. At that point the virus had just been discoverd and I knew very little about it. I sent a copy of the virus to George Woodside, author of the public domain VKILLER, in hopes that he could identify it. He could. The virus I had was the "mouse inversion" virus. It copies itself to the bootsector of disk, keeping a counter of it's activities. When the counter reaches five it inverts the vertical movements of your mouse. When it reaches five again it puts everything back to normal. This cycle just keeps repeating. No damage is done other than stomping on various boot sectors. Woodside's latest version of Vkiller (2.20 May 1989) *will* recognize this virus. The version I had (2.01) would not. As far I know VKILLER 2.20 is not yet available on CIS or GEnie. A couple things to note: When VKILLER 2.20 recognizes this virus it says that it (the virus) checks for executable boot sectors and doesn't write over any that it finds. My experience does *not* confirm this as the *#&$ thing stomped on an executable boot sector of mine! Woodside's FLU.PRG, a virus simulator, is a handy thing to have. I know it's available via FTP from one of the Atari archives. I can't FTP from NIU so I don't know much more. FLU.PRG demonstrates, in a non-harmful manner, what the known 15 ST viruses do. Not only does it help in identifying them, but it helps to satisfy ones morbid curiousity about such things w/out having to actually get an infected disk. In summary: I was infected by a known virus. It wasn't "new", as I thought it might be, it's just that the version of VKILLER I was running couldn't identify it. - -=->G<-=- PS: Please don't ask me to uuencode the file and send it to you. Such things don't work at this site. If I get information on when/where the newest version of VKILLER is available I'll post a short note here. - -------------------------------------------------------------------- | Gordon R. Meyer, Northern Illinois University, Dept of Sociology | | GEnie: GRMEYER, CIS: 72307,1502, Phone: (815) 753-0555 | | Bitnet: Tee-Kay-Zero-Gee-Are-Em-One AT Enn-Eye-You.bitnet | |__________________________________________________________________| ------------------------------ Date: Wed, 31 May 89 07:56:08 EDT From: Andy Wing Subject: Virus Maker (PC) Hi, This might sound a bit unusual but I'd like to get a copy of Virus-Maker. My department is in charge of a computer lab where our user community can test and evaluate a wide variety of HW/SW systems. We are also supposed to be the 'source' of PC knowledge. Recently we were caught off guard by the BRAIN virus and we had to scramble to recover the data of a few distressed users. What I'd like to be able to do is at my leisure use a 'guinea pig' PC for testing purposes. If we can see how some of these darn things work, then we'll know better how to counter them. We currently have c-4 and flushot3 in addition to the regular Norton /PCtools programs to help us. BTW, the ROM check option on Flushot3 managed to crash our Compaq Deskpro-286 when I tested it with PCtools doing low level disk access. I had to reboot with the configuration disk and reinit the PROM. Also I got CHEKUP18 from SCFVM and it hung both the Compaq and the XT. Any thoughts on these glitches? Andy Wing Senior Analyst, TEMPLE U. HEALTH SCIENCES CTR. V2002A AT TEMPLEVM (BITNET) [Ed. I'd suggest starting with new versions of the programs that you're using - get FluShot+ 1.52.] ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253