From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #162
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday, 25 Sep 1990    Volume 3 : Issue 162

Today's Topics:

Re: Is this a VIRUS? (PC)
Jerusalem B (PC) reinfection despite using VSHIELD?
Re: Difficulty with F-Prot package (PC)
Thanks for the help (Mac)
Re: Viruses in Sound Effects (Mac)
Book review

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 24 Sep 90 17:45:18 -0400
From: rae@po.CWRU.Edu (Robert A. Essig)
Subject: Re: Is this a VIRUS? (PC)

In a previous VIRUS-L Digest, ousama@compsci.bristol.ac.uk writes :
>- - when the game starts it displays the message :
>      You've got ..K RAM more than ypu need Dude!
>- - when I tried to reboot the system( warm boot), it displays the message:
>      THAT'S ALL DUDES!
>  This message stays on the screen until another warm boot is performed.
>_ XRAY didn't detect any strange activities, and the available anti-virus
>  software didn't detect anything.

This is not a virus. The program is California Games by Epyx. The
messages are part of the program. Do not worry.

Later,
Bob

- --
Robert A. Essig                          | E-mail : rae@po.cwru.edu
Chemical Engineer-in-Training @ C.W.R.U. | CWRU Class of 1992 (hopefully)
Database Maintenance Clerk @ U.H. of C.  | President of Glaser House
                                         | GO BROWNS!

------------------------------

Date: Mon, 24 Sep 90 17:20:05 -0500
From: dsndata!tssi!nolan@uunet.UU.NET
Subject: Jerusalem B (PC) reinfection despite using VSHIELD?

Last week I discovered the Jerusalem B virus on one of our PCs. It had
only infected 7 files (around 30 times). I had run SCAN on that system
on Aug 13th, so it arrived after that. I didn't find it on either of
the other PC's, eliminated it from the infected system, and installed
VSHIELD on all three PCs.

The following afternoon, my assistant copied SCAN and CLEAN to a
diskette that had previously been used only for transferring data
files between PCs. After the 'copy' commands were done, he SCANned the
diskette, and it had Jerusalem B on it. The copy was done from a system
supposedly protected with VSHIELD. The system from which the copies
were made is clean, according to SCAN.

Can Jerusalem B infect data files, or is there something else on a
3 1/2 inch floppy that can contain Jerusalem B? At this point, the
infected diskette contains only the 4 files that were copied to it
last Thursday.

- ------------------------------------------------------------------------------
Mike Nolan                            "To err is human, to forgive
Tailored Software Services, Inc.       is divine, to procrastinate is,
Lincoln, Nebraska (402) 423-1490       um, can I get back to you on that?"
UUCP: tssi!nolan (feed site changed, dsndata!tssi!nolan might be better)
INTERNET: nolan@pythia.unl.edu (only if the other address doesn't work)

------------------------------

Date: Tue, 25 Sep 90 11:07:28 -0500
From: pjc@sirius.melb.bull.oz.au (Paul Carapetis)
Subject: Re: Difficulty with F-Prot package (PC)

> My initial attempts to install the F-Prot virus
> protection package has met with several difficulties.
> 1. Once the "device=c:f-driver.sys"
> is added to config.sys on a Data Storage 386 SX
> the system will not boot.
> 2. The F-oschk program when run with all 5 parameters
> to check the boot sector as well as the partition
> boot record causes repeated problems, because
> the boot sector changes with each boot on the
> systems I have tried it on thus far.
> It seems that without these two modules working for
> us we would not be adequately protected against
> boot sector/partition boot record virii.
> Dan Mandell
> Computer Services, Saint Mary's College
> Xlykn8@irishmvs.bitnet

Dan,

I have been testing FPROT on a Bull 386SX with no problems. I am
surprised that you have had problems with F-DRIVER.SYS - I have had
none. Is it possible that this problem may be a conflict with any of
the software you are running? Especially, check any T&SR software.

As for the boot sector problem - writing to the boot sector regularly
is BAD practise along with executables that modify themselves! There
is nothing you can do about this apart from complain to the
manufacturers!

| Paul Carapetis, Software Advisor (Unix, DOS)  | Phone: 61 3 4200944      |
| Melbourne Development Centre                  | Fax: 61 3 4200445        |
| Bull HN Information Systems Australia Pty Ltd |--------------------------|
| ACSnet  : pjc@bull.oz                         | What's said here is my   |
| Internet: pjc@melb.bull.oz.au                 | opinion (and it's right!)|

------------------------------

Date: Mon, 24 Sep 90 20:21:24 -0400
From: pro-angmar!achilles@alphalpha.com (David Holland)
Subject: Thanks for the help (Mac)

Thanks everybody for the help and suggestions. It seems that a
combination of upgrading to System 6.0.3 and rebuilding the desktop
took care of the problems. The overt problems, that is... I'm hoping
there isn't anything else there. (fingers crossed)

Particular thanks for the (two) copies of Disinfectant 2.1; as soon as
I can get it transferred from my PC to a Mac I can even use it...

David A. Holland
Internet: pro-angmar!achilles@alphalpha.com         | There is no great
          aeneas@blade.mind.org (slower)            | talent without a
Citadel:  blade!aeneas@{undermind, overmind}        | mixture of madness.
Fidonet:  David Holland @ 1:322/337 (not preferred) |       -Seneca

------------------------------

Date: 25 Sep 90 08:30:57 +0000
From: panix!alexis@cmcl2.nyu.edu (Alexis Rosen)
Subject: Re: Viruses in Sound Effects (Mac)

Look, this whole discussion of nVIR in sound files is bogus. nVIR and
its variants can only *infect* applications (including Finder and DA
Handler) and the system file. Of course, it can *affect* anything.

The assertion that you should check everything is fairly decent advice
for beginners, but there are definitely many types of files that will
remain forever uninfectable. (That is, with a healthy contagious
virus.) In general, these are data files which don't contain
information which is interpreted as anything like instruction sequences
by a fairly generic command processor. Yes, I know that that's a pretty
vague definition, but it's pretty accurate too for all of that.

Note that this definition pretty much rules out ever having a complete
active virus in a sound file (in the formats which we generally use. If
someone were to invent a sound format that, like TrueType for example,
were to consist of data and instructions, that might just possibly be
excepted).

I wonder about how close a "command processor" has to be to a Turing
machine in order to be able to spread infectious code. Some
requirements are obvious, some are not.

Interestingly enough, this definition allows for viruses in English
text. Of course, those viruses infect humans. Specifically, their
brains. (Mention "memes" in sci.nanotech if you want to get flooded
with info about this...)

- ---
Alexis Rosen
cmcl2!panix!alexis

------------------------------

Date: Sun, 23 Sep 90 19:51:00 -0400
From: Jon David
Subject: Book review

[Ed. This review was done (but as yet unpublished) for the NYPC
Magazine. Jon David is head of the New York PC club security subgroup.
(For those of you just tuning in, VIRUS-L welcomes independent,
objective book and product reviews. If you would like to submit a
review for distribution, please keep it short enough (a couple
screenfuls, maximum) for the digest, or else it will be distributed via
the VIRUS-L/comp.virus archives.)]

A Short Course on Computer Viruses
(a book review)
by Jon David
- ----------------------------------

Dr. Frederick B. Cohen has just come out with a new book, A Short
Course on Computer Viruses. It is not by far the first book on computer
viruses, and it will certainly not be the last. Atypically, though, it
is one of particular worthiness.

Dr. Cohen is referred to as "the father of the virus." While he did not
create the virus, he published much original work on viruses in the
early '80s, most of it theoretical, or at least heavily mathematically
based. This work was originally relegated to academic circles, but has
since become the heart of the set of classic virus literature. Further,
Dr. Cohen has since taken his virus investigations out of the lab and
applied them to the real world.

For companies and individuals recognizing the need to understand
viruses before attempting to treat them, Dr. Cohen offers a full day
course on computer viruses. (And, by the way, not just PC viruses; it
also treats mainframe viruses, network viruses, etc.) This book, while
not a word-for-word transcription of this course, seems a fairly close
approximation. (Although I have not attended Dr. Cohen's course, I have
heard him speak on several occasions, and the book is true to those
presentations wherever the topics coincide.)

The book is written with a wry sense of humor throughout (and it is
important to know this, otherwise you might find some things set forth
a bit outrageous). This makes reading it, if not enjoyable, at least a
lot more enjoyable than other virus texts. It covers everything from
what viruses are and how they impact information systems, through
present defenses and future directions. I found the sections on peer
network problems and exposure analysis particularly worthwhile. The
examples given are clear and ideal answers to the "But why do you say
that?" questions my customers always ask when I create security and
anti-virus methodologies for them.

In the course of treating viruses, Dr. Cohen explains the differences
between sound defenses and solid defenses, between contamination
exposure and leakage exposure, between protection with your priority
being secrecy and it being integrity and the like. As you read this,
these may seem fine points, of interest only to students of security
(they apply, by the way, to all security, not just virus protection),
but let me assure you (and as you will find out by reading the book),
this is not the case, and understanding these things will make you a
better and more intelligent computer user.

In all honesty, the vast majority of readers will have trouble with
some parts of the book. The first chapter, for example, uses quite a
bit of mathematical "English" (user U-sub-1 evokes program P-sub-1
infected with virus V-sub-1 at time T-sub-1, etc.), and the fantastic
chapter on exposure analysis is quite heavily mathematical in parts. Be
assured, though, that missing some of the fine points of some sections
does not take away from the tremendous value of the rest of the book.

A Short Course on Computer Viruses should be MUST reading for everyone
impacted by viruses or any other facet of information security (and
this is not just security leaders, or even controllers, auditors and
the like, but includes virtually every computer user).

Dr. Cohen's book is 196 pages (including a 5-page table of contents, a
3-page "Good Joke" and an outstanding 14-page annotated bibliography),
is available from

    ASP Press
    PO Box 81270
    Pittsburgh, PA 15217

and sells for $48.00 (single quantity, including postage & handling,
and with significant volume discounts available). (ASP Press takes
checks or money orders, not credit cards.)

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 162]
******************************************