From:      Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To:        VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V3 #152
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday,  4 Sep 1990    Volume 3 : Issue 152

Today's Topics:

Anti-virus viruses
Sudah ada vaksin (PC)
Re: Desktop Manager for WDEF/CDEF (Mac)
1701 / Help (PC)
Listing of Indonesian Viruses
Re: help/1701 (PC)
Will the real LHarc please stand up?
Re: Periodic virus sighting report
Dutch Intermediar mentions "Benign viruses"
Mysterious Message (PC) posted by Fridrik Skulason Vol 3 No 150

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 31 Aug 90 12:06:57 -0900
From:    "Jo Knox - UAF Academic Computing"
Subject: Anti-virus viruses

Okay, okay: Saulk/Salk/Sabin---I agree with others who have stated that
the analogy is a stretch; in fact, I think we should drop this
particular line; the analogy is irrelevant.  Maybe we should drop the
entire discussion of anti-virus viruses; as far as I can tell, some here
tend to favor the idea, and some think it reprehensible, and I don't
think anyone has changed anyone else's opinion...

Before I drop the subject, though, I would like to rebut
WHMurray@DOCKMASTER.NCSC.MIL:

> > An anti-virus could be written to infect only certain types of
> > operating systems.
>
> No, I am sorry, it could not.  It could be written not to infect
> certain known operating systems, but it could not be written to
> "infect only certain" ones.  The susceptibility of unknown systems
> cannot be known.

You just about lost me, here; I was thinking in terms of "platforms",
rather than differing OS versions.  Still, I disagree: I haven't heard
of any virus which is infectious across platforms (IBM-Mac or anything
else), though I guess "Frankie" is getting close.  Every virus that I
know of is already platform-specific, and I don't see why it shouldn't
be easy to make a virus OS-specific:

(pseudo code)
        if( os-version != "6.0.5" ) exit;
        infect_it();

Perhaps I'm contributing to this "beating the dead horse"; can we hear
from some of the fence-sitters out there?  Has anyone's mind been
changed during these discussions?

It may also be we're all just getting typing practice: we will see
viruses of this sort, and I think not too long from now.  I hope whoever
releases such creates a well-behaved little demon...!

------------------------------

Date:    Fri, 31 Aug 90 19:55:33 -0400
From:    Elliott Parker <3ZLUFUR@CMUVM.BITNET>
Subject: Sudah ada vaksin (PC)

Mike Lawler quotes Fridrik Skulason in asking the meaning of "sudah ada
vaksin" in Virus-L 3:151.

I missed the original question which would put it into context, but the
language is either Indonesian or Malay (Bahasa Malaysia) which are
almost identical.  It means "already have (had?) a (the?) vaccine,"
depending on the context.

Mike said it was Arabic to him.  Not bad. :-)  Malay can be written in
Arabic script and is then called Jawi.

- ------------------------------------------------------------------------
Elliott Parker                BITNET:     3ZLUFUR@CMUVM
Journalism Dept.
Internet:   eparker@well.sf.ca.us
Central Michigan University   Compuserve: 70701,520
Mt. Pleasant, MI 48859 USA    UUCP:       {psuvax1}!cmuvm.bitnet!3zlufur

------------------------------

Date:    01 Sep 90 20:22:53 +0000
From:    jaustin@helix.nih.gov (James Austin)
Subject: Re: Desktop Manager for WDEF/CDEF (Mac)

Unfortunately, Desktop Manager will not completely protect you against
CDEF and WDEF.  DM generates its own files (Desktop DB and Desktop DF)
and ignores the old-style Desktop file completely, so if you delete that
(which DM does not do) then there is no Desktop file for viruses to
infect ON YOUR HARD DISK.

However, DM does not change the way floppy disks manage their desktops,
and it doesn't actually keep the viruses from loading into memory.  If
you were using DM and mounted an infected floppy, those viruses could
not infect your hard disk, but they would load into memory, where they
would remain until you dismounted the floppy.  While in memory, they
seek out other Desktop files to infect, so they could still spread to
other floppies or other network volumes.  Even if the Desktop file on a
volume is not being used because of DM, they can still infect it, and
that still causes problems, especially with AppleShare servers.

DM is still worth using, but it's not a cure.  As it is, DM is still
officially available only with AppleShare, but Apple really doesn't care
if you use it elsewhere (though they also do not support such use).
System 7 will adopt a similar scheme for managing desktop information on
hard disks, but like DM, it must leave floppies alone for compatibility.

--
Disclaimer: My opinions neither reflect nor influence those of the NIH,
where I have the authority of a small beaker.    jaustin@helix.nih.gov

------------------------------

Date:    01 Sep 90 11:34:44 +0700
From:    CETEK63@TECHNION.BITNET
Subject: 1701 / Help (PC)

Arthur Gutowsky writes that the 1701 indicates a defective sector 0 in
your drive.  WRONG !!!
This error indicates lack of power, due to a poor connection, or
fluctuating mains supply.  The best solution is to power the machine
down and up again.  If it doesn't help, open it up and make sure all
cables and cards are tight in place.  If that doesn't help yet, get a
technical person to check your power supply and your disk.

Anyhow, it certainly DOESN'T mean a defective sector on disk, but rather
some defect with the electrical circuitry.

Enjoy your virus.. It's fun... :-)

Shahar.

------------------------------

Date:    Sat, 01 Sep 90 23:41:26 -0700
From:    sulistio@sutro.SFSU.EDU (Sulistio Muljadi)
Subject: Listing of Indonesian Viruses

This is the translated version of an article in an Indonesian computer
magazine, as I noted in a posting in the VIRUS-L edition of Friday,
August 31, 1990 about the mysterious message.  The magazine also shows a
picture of the author of the SEMLOHE AND KEONGZ virus.  I have no more
information than this.

=========================================================================

                          INDONESIAN VIRUS

* HACKER
     Hacker comes from Bandung, Indonesia.  A rectangle will appear from
     a line and then it will become bigger horizontally.  Inside the
     rectangle is written Bandung and the author, Hacker.  There is no
     damage from this virus.

* DENZUKO
     With a nice graphic, coming from left and right, the computer
     writes DENZUKO on the monitor screen.  The author of this virus is
     the same as HACKER's.  Those 2 viruses are the cause of boot-sector
     viruses in Indonesia.  No damage comes from this virus.  From these
     viruses come many modifications.  Modification is usually made on
     the graphics, which is unique.  And there is also a program which
     will change the DENZUKO graphic into the graphics you would like.

* PC CLUB
     With a different technique, without warm-boot (ctrl-alt-del), a
     message will appear every 30 minutes.  This virus is eliminated by
     using the SYS command.  No major damage is caused by this virus.

* MARDI BROS
     Is a boot-sector virus and appears by warm-boot.
     This virus was made at a University in Jakarta, Indonesia.  There
     may be another version of this virus which will damage the
     hard-disk.

* AREMA
     This virus comes from Malang, Indonesia.  AREMA is an abbreviation
     of "Arek-Arek Malang", which in English means "People of Malang."
     No clear idea who made this virus, but it seems that this virus is
     a modification of DENZUKO.

* SEMLOHE and KEONGZ
     This virus once grew very fast in East Java, Indonesia.  The
     author, Sigit Wasista, who lives in Surabaya, Indonesia, said that
     this virus was made for experiment only.  After there were the
     CBrain, Hacker, and Denzuko viruses, Sigit tried to view and
     analyze those viruses and add a background song when the viruses
     come, and finally SEMLOHE AND KEONGZ were created.

* PC MONSTAR
     PC MONSTAR virus was made by Handiyanto, a student of one
     University in Indonesia in computer major.  TOETOE RULIANDA also
     from one University in Indonesia with the same major.  This virus
     grew in East Java, and it has the same style, and its appearance
     looks like Denzuko.

* ROBERT/NARWIN
     This virus uses the same method as PC CLUB, but it uses graphics
     instead of text.  The letters that appear look like Japanese
     characters (Katakana), so it is called Japan Virus.

* SUPERNOVA
     The author is Fen Tjin, a student from a university in Jakarta,
     Indonesia.  This is the first local virus that did some damage: it
     reformats the diskette.  This virus will format the diskette when
     there is an instruction to print to the printer.  And there will be
     a message on the printer, and then it stops.

* FREDDY
     Freddy was made by a student at a computer academy in Indonesia.
     It infects the program; it is not a boot sector virus.  The program
     infected is IBMBIO.COM.  The characteristic of this virus is the
     appearance of FREDDY in a box.

* AMOEBA
     This is a .COM and .EXE virus.  This virus infects when disk access
     is used, such as copy, dir, etc.  When the "DIR" command is issued,
     the virus will search for COMMAND.COM and if that file is free of
     virus, it will infect it.
     When it is active, a message will appear: "SMA KHETAPUNK - NOUVEL
     Band A.M.O.E.B.A. by PrimeSoft Inc."  This message only appears on
     CGA.  "SMA KHETAPHUNK" is an Indonesian Senior High School; the
     name of the school is "SMA KETAPANG."

* MYSTIK
     This virus will infect .EXE and .COM files.  To find out if a file
     is infected, we can use the "TYPE" command on one of the files that
     is suspected.  If we do, the message "- MYSTIC - COPYRIGHT (C) 1989
     - 2000 by SsAsMsUsEsL" will appear.  This is a new virus and there
     is no vaccine.  The author, Samuel, just graduated from Senior High
     School this year.  He is working in one of the centers of computer
     business in Jakarta, Indonesia.

=================================================================

Disclaimer: This article is translated freely without permission from an
Indonesian computer magazine, "InfoKomputer", July 1990.  Most of the
article is not translated exactly word by word.  And I don't have any
other information about these viruses.  And I don't have these viruses.

Mul
sulistio@sutro.sfsu.edu

------------------------------

Date:    02 Sep 90 06:39:38 +0000
From:    woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: help/1701 (PC)

elev50@castle.ed.ac.uk (N Porfiris) writes:
> I have got my PC infected by a virus.When I try to boot it up a 1701
> appears under the last date used information, followed by an inquiry to
> boot it up from drive a. I have tried chkdsk but no drive c can be

No you don't.  1701 is an internal diagnostic error message.  It means
hard disk controller failure.  Generally, it is caused by a dead hard
disk.  Open the case up, and check all the controller cables.  Next
power the system up, while holding a pencil or screwdriver against the
hard disk case and the other end pressed into your ear (it makes it
easier to hear if the hard disk is spinning up.)  If you don't detect
that the hd is spinning up, then you probably have a bad hdisk,
(generally it is the controller board on the bottom of the hard disk).
If it spins up, then it may be the disk controller card itself.

This is a good argument against referring to viruses by numbers.  This
individual has confused a virus number with an error message.

Cheers
Woody

------------------------------

Date:    Sun, 02 Sep 90 13:43:33 -0400
From:    Wayne Aiken
Subject: Will the real LHarc please stand up?

What is the current valid version of the LHarc archiver?  I have found
two different ones which claim to be it, and I have also heard warnings
about versions labelled 1.14 being bogus.

I received two versions.  The first was uploaded to my BBS:

  LH113DE  COM    36575   5-14-90   9:18p

and this is from SIMTEL20, uploaded in July:

  LH114B   COM    36204   8-29-90  12:59a

When I unpacked the first, it displayed a title screen:

>LHarc's SFX 1.13S (c)Yoshi, 1989.
>LHarc v1.13d  Jan 15, 1990
>
>This is perhaps the final version of LHarc v1.1xx series.
>
>See you again with new LH v.2.xx series!
>
>----------------------------------------------------------------------
>From LHarc v1.13c:
>
>  Minor bug was fixed in large SFX model.
>
>  In ordinary usage, LHarc v1.13c makes no trouble.
>
>----------------------------------------------------------------------
>
>  NIFTY-Serve   SDI00506   H.Yoshizaki
>  ASCII-pcs     pcs02846   Yoshi
>
>Type Y to extract your new LHARC.EXE and manual for LHarc v1.13c.

Note where it says "this is perhaps the final version of LHarc v1.1xx
series".  The title in the documentation file says:

>      User's Manual for High-Performance File-Compression Program
>
>                         LHarc Version 1.13d
>                              01/15/90
>
>           Copyright (c) Haruyasu Yoshizaki (Yoshi), 1988-90

and the revision history says:

>LHarc User's Manual                                           page 22
>
>10. History of Revisions
>
>v1.13d
>  1. Minor trouble on MS-DOS 2.xx fixed in large SFX model.
>
>v1.13c
>  1.
>     Following Mr.Okumura's sugestion, a check is now made for

Contrast this with the title in the documentation for version '1.14
beta':

>      User's Manual for High-Performance File-Compression Program
>
>                         LHARC Version 1.14a
>                              07/31/89
>
>           Copyright (c) Haruyasu Yoshizaki (Yoshi), 1988-89

Note that version '1.14b' predates '1.13d' by about 5 months.  The
revision history for '1.14b' is:

> LHARC User's Manual                                          page 22
>
>10. History of Revisions
>
>v1.14b
>  1. Modified the '.' and the 'o' , to '0' and '[' for the graph
>     when (Un)LHARC'ing. This was done because someone patched my
>     v1.13 to do this and then called it ICE, preventing (s)he was
>     me!
>
>
>v1.13c
>  1. Following Mr.Okumura's sugestion, a check is now made for

No mention whatsoever of version '1.13d'!!  One or the other of these,
possibly both, is bogus.  SCANV v66 did not detect any viruses in either
executable or archive.

Thanks for any help you can provide on this.

Wayne Aiken          netoprwa@ncsuvm.bitnet        "You can BE what
PO Box 30904         netoprwa@ncsuvm.ncsu.edu       you WON'T!!"
Raleigh, NC  27622   slack@ncsu.edu                     --"Bob"
(919) 782-8171       BBS: (919) 782-3095

------------------------------

Date:    03 Sep 90 08:45:16 +0000
From:    lexw@idca.tds.philips.nl (Lex Wassenberg)
Subject: Re: Periodic virus sighting report

krvw@cert.sei.cmu.edu (Kenneth R. van Wyk) writes:

> ......  it is always advisable
> to scan (using your favorite UP-TO-DATE virus scanner) ALL newly
> purchased software.

Then *WHY* is it that I almost NEVER see any virus signature mentioned
here in comp.virus?  If that would be the case I could fairly easily
update my virus scanner by just reading this group carefully (I don't
know how to download signature files from any bbs, although it seems to
be possible from the site where I work).  If there are new viruses
analyzed, could there *please* be posted a signature to this group
including info like name, length and BOOT/EXE/COM infection?

Thanks.
  _ _
 / U |   Lex Wassenberg, Philips TDS, Apeldoorn, the Netherlands
/__ <    lexw@idca.tds.philips.nl
88 |_\   "Since nobody understands me, I speak only for myself."

------------------------------

Date:    03 Sep 90 09:07:02 +0000
From:    jurjen@cwi.nl (Jurjen NE Bos)
Subject: Dutch Intermediar mentions "Benign viruses"

In the latest issue of the Dutch weekly "Intermediar" I found an article
that shocked me.  It told about a virus that was made to "update"
databases that contained peoples' addresses and such.  The author
claimed that it was convenient to have up-to-date databases that were
maintained this way.  He used as an example that "If you look for people
interested in a certain subject, you may find only two people if you
search on Monday, and already six if you look on Wednesday."

I find it frightening that somebody finds this kind of viruses a good
thing, while we know that every idiot can change those programs to very
nasty harmful objects.  He mentioned that a virus doing this was
developed to "update" HyperCard databases.  So Mac users, look out for
this guy!

It's just a warning.  There are people who believe in "good" viruses.

- --
|                 | "Never imagine yourself not to be otherwise than what |
| Jurjen N.E. Bos | it might appear to others that what you were or might |
|                 | have been was not otherwise than what you had been    |
|  jurjen@cwi.nl  | would have appeared to them to be otherwise."         |

------------------------------

Date:    Mon, 03 Sep 90 17:16:02 -0700
From:    well!jabolins@apple.com (John Abolins)
Subject: Mysterious Message (PC) posted by Fridrik Skulason Vol 3 No 150

"Does the text 'Sudah ada vaksin' mean anything in language?"

A short quote like that is similar to the Rorschach ink blot test.  One
can read different things into it.  As one person said, it could be for
"I should have had a vaccine."  From my knowledge of Latvian, the quote
looks like a scatological reference to vaccines, something roughly
translated as "Excrement upon vaccine".  But the quote is not Latvian.
It may be another language of Eastern Europe, perhaps Lithuanian or
Polish.  Again, the quote is much too short and I am an amateur
linguist.

As for the question about the word "KONIEC" meaning anything, perhaps it
is an Eastern European (Slavic, perhaps) derivation of the German word
"Koenig" (can't render an umlaut here) meaning "King", "Monarch".

I hope this may provide clues to answer the question.

J. D. Abolins
301 N. Harrison Str. #197
Princeton, NJ 08540
609-633-0740

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 152]
******************************************
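
Added example, not part of the digest or of LHarc itself: the comparison
Wayne Aiken makes by hand between the two LHarc packages above, written
as a Python consistency check.  The records are constructed from the
manual titles and revision histories he quotes; the field names and
finding labels are this example's own.

```python
import re
from datetime import date

# Constructed records: values transcribed from the manuals quoted in the
# LHarc message; the field names are this example's own.
RELEASES = [
    {"file": "LH113DE.COM", "title_version": "1.13d",
     "doc_date": date(1990, 1, 15), "history": ["1.13d", "1.13c"]},
    {"file": "LH114B.COM", "title_version": "1.14a",
     "doc_date": date(1989, 7, 31), "history": ["1.14b", "1.13c"]},
]


def version_key(version):
    """Turn '1.13d' into (1, 13, 'd') so releases sort in release order."""
    match = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(match.group(1)), int(match.group(2)), match.group(3)


def find_anomalies(releases):
    """Return (kind, detail) pairs for claims that contradict each other."""
    findings = []
    # Within one package: manual title versus newest revision-history entry.
    for rel in releases:
        newest = max(rel["history"], key=version_key)
        if newest != rel["title_version"]:
            findings.append(("title-mismatch",
                             f"{rel['file']}: title says {rel['title_version']}, "
                             f"history ends at {newest}"))
    # Across packages: a higher version should not be dated earlier, and its
    # history should mention the lower version it claims to supersede.
    ordered = sorted(releases, key=lambda r: version_key(r["title_version"]))
    for older, newer in zip(ordered, ordered[1:]):
        if newer["doc_date"] < older["doc_date"]:
            findings.append(("date-regression",
                             f"{newer['title_version']} ({newer['doc_date']}) is "
                             f"dated before {older['title_version']} "
                             f"({older['doc_date']})"))
        if older["title_version"] not in newer["history"]:
            findings.append(("missing-history",
                             f"{newer['file']}: history never mentions "
                             f"{older['title_version']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_anomalies(RELEASES):
        print(f"[{kind}] {detail}")
```

A finding marks claims that contradict each other and need a trusted
copy to resolve; it does not say which package is the altered one.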