From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #177
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU

--------

VIRUS-L Digest   Thursday, 1 Nov 1990    Volume 3 : Issue 177

Today's Topics:

Re: The Virus in Society
Re: Help - virus. (PC)
Law suits
re: Possible virus on Commodore
Re: Help - virus. (PC)
Removing Joshi virus (PC)
novell question (PC)
Information about VMS viruses. (VAX VMS)
News from Bulgaria (PC)
WordPerfect and Jerusalem B virus (PC)
Looking for a school

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Tue, 30 Oct 90 11:37:00 -0400
From:    "Carol Conti-Entin, ext. 8778" <$CAROL@OCVAXC.BITNET>
Subject: Re: The Virus in Society

>Not hype, John.  There are a limited number of hours in the day and in
>a life.  I'm pretty sure that the virus writers of the world think
>they're having a wonderful time.  But, as I hate anyone who wastes my
>time, I've also taken a strong dislike to anyone who wastes another's
>time.  The computing field is no longer as open as it once was.  A
>field that I love working in no longer is a "trustworthy" one.

Ross has "hit the nail on the head" as far as I'm concerned.  I work
in User Services at a college.  We have only 3.5 FTE employees in our
Academic Computing Services group.  Although I personally have not
been hit, some of our Mac users were before we had the necessary
information to make protection widely available.  In addition to Macs,
we support MS-DOS machines and a VAXcluster.  The proliferation of
viruses means that we must spend valuable time upgrading our
preparedness, which deprives our users of consulting support time.
Presumably, every college and university is having staff time go down
the drain in the same way.

The one "silver lining" to this is "the VIRUS-L community."  Thank
you, Ken, for all the time you spend so that the rest of us can obtain
the necessary resources quickly.  Thank you, all of you who have
written detection and removal programs and made them available at
little or no cost, so that colleges can afford them!

|-------------------------------------------------------------------|
| Carol Conti-Entin   Academic Computing Consultant   216-775-8778  |
| Houck Computing Center   Oberlin College   Oberlin, OH 44074      |
| Bitnet: pconti@oberlin   Internet: pconti@ocvaxa.cc.oberlin.edu   |
|-------------------------------------------------------------------|

------------------------------

Date:    30 Oct 90 19:18:09 +0000
From:    nol2321%dsacg4.dsac.dla.mil@dsac.dla.mil (Jim Dunn)
Subject: Re: Help - virus. (PC)

NO, the hidden subdirectories called DELETED are NOT a virus or
trojan!  They are simply an action of a program by Microsoft, called
RM.EXE.  You see, the Microsoft Editor brags about being able to bring
back old edits, and the only way to do that is to SAVE them.  It
creates the DELETED subdirectory and stores the files in there.

As for the 'e5' filenames, never heard of it.

ALSO, the SCANv68 is A TROJAN!!!

Jim, jdunn@dsac.dla.mil

------------------------------

Date:    Tue, 30 Oct 90 11:12:09 -0800
From:    teda!RATVAX.DNET!ROBERTS@decwrl.dec.com (George Roberts - page 0571)
Subject: Law suits

Jon David tells of his experience with Novell/NetWare.  I found your
story interesting, but confusing.  First you seem to say they didn't
pay you, then you seem to say they did.  If you work for them, they
might consider your news release to be "company confidential".  Is
Novell part of NetWare?

- George Roberts
  ...decwrl.dec.com!teda!ratvax.dnet!roberts

------------------------------

Date:    Tue, 30 Oct 90 20:09:48 -0500
From:    pro-angmar!achilles@alphalpha.com (David Holland)
Subject: re: Possible virus on Commodore

> I really doubt there is a virus on your friend's Commodore 64.
> There just simply isn't any place for it to go, since it doesn't have
> battery backup and doesn't load in any files from disk every time it's
> used.  [...]

What about the disk drive?  Remember, the disk drive in a C64 is an
autonomous, programmable unit that could easily hide a virus.  Such a
thing could spread to every executable program without much trouble,
unfortunately.  Worse, the 64's disk drives are so slow that people
might not notice the extra delay...  :^)

David A. Holland
Internet: pro-angmar!achilles@alphalpha.com         | There is no great
          aeneas@blade.mind.org (slower)            | talent without a
Citadel:  blade!aeneas@{undermind, overmind}        | mixture of madness.
Fidonet:  David Holland @ 1:322/337 (not preferred) |   -Seneca

------------------------------

Date:    31 Oct 90 09:40:00 +0100
From:    Markus Fischer
Subject: Re: Help - virus. (PC)

klavan@emerald.rutgers.edu (Jeff Klavan) writes:

> Hi people - has anyone heard of this virus? (Mcafee's "SCAN" doesn't
> recognize it)
>
> All around my hard drive, directories with the names "DELETED" are
> appearing which is getting very annoying. (that's virus #1)
>
> The second, perhaps related, perhaps not, does the following - it
> erases files from my hard drive, and leaves only one character in the
> file. (Hex e5)
> [...]

About the `deleted' directories, I once used one of the Microsoft
editors called `m' (I think it was with a FORTRAN compiler), which did
exactly that: create *hidden* directories with the name `deleted' to
store the older versions of your files.  Of course, there were several
tools (don't remember the names) that allowed you to list, restore, and
delete these backups.

For a better diagnosis, you should try to pinpoint the exact behavior
of the `virus': remove all `deleted' directories, and check for their
appearance between every application you run.  Then list the content
of the directory, look at the files, and try to find out how they are
related to what you were doing (or to anything else in your
system...).

The same goes for the second `virus'.  Which files get deleted, when
do they get deleted, etc.

Of course, you *have* a complete backup of your data files.

Markus Fischer, Dpt. of Anthropology, Geneva.

------------------------------

Date:    Wed, 31 Oct 90 11:35:54 +0700
From:    "Donny Gilor"
Subject: Removing Joshi virus (PC)

Using a small signature (EB1F) for detecting the Joshi virus (or any
other virus) is not recommended.  A future system or virus may have
the same signature and the results would be unpredictable.

Dr. Virus

------------------------------

Date:    Wed, 31 Oct 90 08:45:00 -0500
From:    Preston@DOCKMASTER.NCSC.MIL
Subject: novell question (PC)

I had a report from someone who has been having trouble with a small
Novell 286 network.  While the problems don't sound to me like any
known executable file virus, perhaps someone has seen similar
symptoms.

The server is not dedicated.  There have been a few file size changes,
to COMMAND.COM, and other files, on the order of 3K in size.  This is
on server files, not workstation files.  Once a message was printed
"The world will hear from me again".  The latest copy of McAfee's Scan
shows nothing, and any copies of the "infected" files do not appear to
have a virus infection after examination by experienced virus people.

Entire directories (Public) and individual programs including the
backup program have been wiped out several times.  User logins have
disappeared.  There may have been unusual .BAT files appearing and
disappearing.  The server has been downed several times.

If anyone has seen any symptoms similar to this recently, please let
me know.

Charles M. Preston          CompuServe 74025,367
Box 240027                  907-344-5164
Anchorage, AK 99524         BIX cpreston

------------------------------

Date:    Wed, 31 Oct 90 10:32:00 -0400
From:    "RED MENACE!!! shall live forever..."
Subject: Information about VMS viruses. (VAX VMS)

To all Vax-users,                                    October 31, 1990

I am currently a graduate student at Southeastern Massachusetts
University and will be starting my Research Thesis in January 1991.
My proposed interest is to develop a virus scanning program for the
VMS operating system.  I am writing this letter for assistance in
obtaining information in relation to VMS operating system viruses.  If
anyone has any knowledge of any such viruses, could you please send me
all possible information in regards to them.  Please send any
information directly to the following BITnet address:

        IN::"PCIS14ST@SEMASSU.BITNET"

Thanks in advance,

Scott Turbiner

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 Scott Turbiner
 Computer Science Graduate Student
 Southeastern Massachusetts University
 Old Westport Road, MA 02747
 BITnet: PCIS14ST@SEMASSU.BITNET
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

------------------------------

Date:    Wed, 31 Oct 90 11:32:12 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: News from Bulgaria (PC)

I just received a package of the latest collection of Bulgarian
viruses from Vesselin Bontchev.  Some of the viruses were previously
known, but quite a few are new.  It included the following viruses:

        1024 (2 variants)
        1226
        2100
        Amstrad-852
        Anthrax
        Anti-Pascal (5 variants)
        Dir
        Evil
        Kamikazi
        MG
        Proud
        Tiny family (10 variants)
        Trackswap
        VFSI

So, as you can see, the Bulgarians are still quite active - the total
of Bulgarian virus variants is now well over 100.

Some notes:

The Bulgarian "Tiny Family" is not related to the Danish "Tiny" virus
at all.  The Bulgarians may have seen that virus as a challenge to
write an even smaller virus, which they did - the smallest virus is
134 bytes long.

Evil, Proud, 1226 and Phoenix were all made available in three
different ways:

        A standard infected .COM file,
        A "-M" file.
        A "-D" file.

This should not be interpreted as if there are three different
variants of each virus.  The "-M" file is just a sample .COM file
infected with multiple copies of the virus, as it is occasionally
unable to recognize existing infections.  The "-D" file is just a
memory dump of an infected .COM file, created by Vesselin Bontchev,
after the virus has decrypted itself in memory.  This file will
replicate as well, as the virus contains code to check if it is
already encrypted or not.

-frisk

--
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |

------------------------------

Date:    Wed, 31 Oct 90 15:28:00 -0500
From:    Michael_Kessler.Hum@mailgate.sfsu.edu
Subject: WordPerfect and Jerusalem B virus (PC)

We have been infected with a Jerusalem B virus, and apparently have
gotten rid of it.  However, 5 minutes later, we get a phone call from
a network user (always the same) having problems with Word Perfect
(lines doubling themselves and hiding the line under).  We checked
their hard disk, we checked the WP directory, I took down the network
and ran a check on all the partitions.  Nothing.  And then WordPerfect
starts acting up.  We can't figure out if now we are dealing with a
bug in WordPerfect or with a virus we can't detect.  Clearly WP.EXE
needs to be reinstalled once infected.  Is this true of *.FIL files?

Any suggestions?

------------------------------

Date:    Wed, 31 Oct 90 11:35:09 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Looking for a school

Regular readers of VIRUS-L/comp.virus probably know me as the author
of the F-PROT anti-virus package and as the technical editor of the
Virus Bulletin, but unlike most of my postings, this one is not
virus-related.

[Ed. Even though this is "not virus-related", I've asked Frisk to post
summaries of any suggestions that he gets to the list, since I believe
it could be of general interest to a number of readers.]

The University of Iceland only offers a BS degree in Computer Science,
and my plans to obtain a MS or a PhD degree have now been delayed for
several years...first because of my software business here in
Iceland, then because of me waiting for my wife to finish her study.

Right now, however, we are looking for a school which offers what we
are looking for - it must be very strong in the areas of computer
security and artificial intelligence (my major areas of interest), and
it must also offer a good MBA program (in particular including
'International Business') for her.  The last requirement is that the
school must be in an English-speaking country - preferably USA or the
UK.

If the school is interested in getting a PC-virus specialist that
would help, of course :-)

So, if any of you VIRUS-L/comp.virus readers know of a school which
fits our requirements, I would be grateful for the information.

-frisk

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 177]
******************************************
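Donny Gilor's warning above about scanning for Joshi with the two-byte signature EB1F can be made concrete by measuring how often such a short pattern turns up by chance in data that is not infected at all. The following Python is an added example written for this digest, not code from any poster, from McAfee's SCAN, or from F-PROT. It constructs random byte samples standing in for clean files (real x86 code contains the short-JMP opcode EB far more often than random data does, so the rates it measures are a lower bound), scans them with the EB1F signature from the post and with a longer placeholder signature that is assumed and is not Joshi's real code, and also shows the effect of anchoring a signature to a fixed offset instead of searching the whole file.

```python
# Added example (not from the digest): why a two-byte signature such as EB1F
# produces unpredictable results as a virus detector.
import random

# Constructed "clean" samples: uniformly random bytes standing in for ordinary
# programs.  64K is the largest size a DOS .COM file can have.  Real x86 code
# contains short-JMP opcodes (EB xx) far more often than random data does, so
# the chance-match rates measured here are a LOWER bound for real files.
def make_clean_samples(count=100, size=65536, seed=1990):
    rng = random.Random(seed)          # fixed seed so runs are repeatable
    return [rng.randbytes(size) for _ in range(count)]

def scan(blob, signature):
    """Naive signature scanner: True if `signature` occurs anywhere in `blob`."""
    return blob.find(signature) != -1

def scan_at_offset(blob, signature, offset):
    """Anchored scanner: only a match at a fixed file offset counts."""
    return blob[offset:offset + len(signature)] == signature

def false_positive_rate(samples, signature, offset=None):
    """Fraction of clean samples the chosen scanner would flag as infected."""
    if offset is None:
        hits = sum(scan(s, signature) for s in samples)
    else:
        hits = sum(scan_at_offset(s, signature, offset) for s in samples)
    return hits / len(samples)

def expected_chance_matches(size, sig_len):
    """Expected number of chance occurrences of a sig_len-byte pattern in
    `size` uniformly random bytes: one candidate position per byte, each
    matching with probability 256**-sig_len."""
    return (size - sig_len + 1) / 256 ** sig_len

SHORT_SIG = bytes.fromhex("EB1F")   # the two-byte Joshi signature from the digest
# Constructed placeholder for a longer signature; these are NOT Joshi's bytes.
LONG_SIG = bytes.fromhex("EB1F90B8C33B7E0D2E")

if __name__ == "__main__":
    samples = make_clean_samples()
    for name, sig in (("EB1F", SHORT_SIG), ("9-byte placeholder", LONG_SIG)):
        print(f"{name:>20}: expected chance matches per 64K file "
              f"{expected_chance_matches(len(samples[0]), len(sig)):.3g}, "
              f"clean files flagged {false_positive_rate(samples, sig):.0%}")
    print(f"EB1F anchored at offset 0: clean files flagged "
          f"{false_positive_rate(samples, SHORT_SIG, offset=0):.0%}")
```

With 64K random files, a two-byte pattern is expected to occur about once per file, so roughly two thirds of perfectly clean files are "detected"; the nine-byte placeholder is expected to occur about once in 10^17 files. Anchoring even the short signature to a fixed offset brings the chance rate down to 1 in 65536 per file, which is why scanners prefer long signatures taken from a fixed position in the infected object, and why a later program or virus that happens to share two bytes with Joshi would otherwise be reported as Joshi.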