From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #186
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest   Tuesday, 20 Nov 1990    Volume 3 : Issue 186

Today's Topics:

Re: virus: yankee doodle (PC)
Re: Virus "WDEF A", help! (Mac)
Cambridge virus (PC)????
re: New DOS virus for CUNY Grad Schl.
Stoned-virus (PC)
Re: Trojan Warning: SCANV70 (PC)
Help! Policy recommendations sought.
re: OS/2 Viruses (OS/2)
Re: Is this a virus? Help! (PC)
Re: Is this a virus? Help! (PC)
List of known viruses urgently required.
Re: Stoned in C: (PC)
Viruses surviving warm boots. (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Sat, 17 Nov 90 11:54:13 -0700
From:    Harry Brooks
Subject: Re: virus: yankee doodle (PC)

Hi,

Can any of you answer Stuart's question/s below?  Some other places for
help are:

1) Home base BBS 408-988-4004 where programmers working on anti-virus
   software+ communicate/hang-out (Can we drop email to it from
   internet?  If so, plz tell me address!)
2) virus-l newsgroup: subscribe via listserv@ibm1.cc.lehigh.edu or
   listserv@lehiibm1.bitnet
3) then there are different places for comp. types = mac, ibm, apple, ?
4) there is also a National Security Agency-National Institute of
   Standards and Technology 24-hour emergency room -- ouch -- I only
   have the info on that at work and not at home.  SO, if anybody needs
   that AND it does not get posted by someone else -- send me an email
   and I can send that to you on Monday from work.

Request info from = brooksh@nyssa.cs.orst.edu

harry brooks

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
email from Harry Brooks, U.S. Dept. of Interior, Bureau of Mines Library
1450 Queen Avenue Southwest, Albany, Oregon, USA 97321-2198
internet=brooksh@jacobs.cs.orst.edu   fax=503-967-5936/FTS420-5936
tel=WORK503-967-5864/FTS420-5864   HOME 503-928-5445
NOTE: Comments above are not the official expressions of my employer.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

------------------------------

Date:    18 Nov 90 14:34:32 +0000
From:    kevin@crash.cts.com (Kevin Hill)
Subject: Re: Virus "WDEF A", help! (Mac)

SURF124@KUB.NL (Willem van der Wal, ICP, NIAS) writes:
>My hard disk refuses to save files, though I can still access them.
>Disinfectant 2.0 seems to have spotted a virus called "WDEF A". I'd
>rather not re-initialize the (external) hard disk. The contamination
>is of Israeli origin most likely. Could someone please tell me how
>to proceed.
>Many thanks,
>Willem van der Wal, SURF124@KUB.NL.BITNET

My hard drive also has the same problems.  It will read fine, but will
not write.  If anyone else has had similar problems, please write;
perhaps the problem isn't hardware but a new virus?  Or maybe I am just
getting all excited for no reason..  Anyone who can help, I would
greatly appreciate the help!

Thanks.

------------------------------

Date:    16 Nov 90 22:10:37 +0000
From:    scottb@hp-vcd.vcd.hp.com (Scott Bigelow)
Subject: Cambridge virus (PC)????

A friend of mine has what he thinks is a new virus called the Cambridge
virus.  He discovered it when he went to change the clock back to
standard time.  This seems to have triggered the virus, which destroyed
the FAT area on his hard disk.  Now the strange thing about this thing
is that, from what he has been told, this virus does not reside on the
disk, but in the computer (maybe clock RAM??).  Has anybody heard of
this thing?  Is it possible to create a virus that resides in RAM?  Any
help in getting rid of this beast would be appreciated.

Thanx,
Scott
scottb@hp-vcd.hp.com

------------------------------

Date:    Mon, 19 Nov 90 11:59:00 -0500
From:    Danny Choriki
Subject: re: New DOS virus for CUNY Grad Schl.

Hello,

I reported the following incident but forgot the screen message, which
is as follows -- read on for more detail.  Thanks again for any
assistance.

   on jo assennettu icht deaktiviert werden -- Mausmenu ist aktiv

cute huh.

>We have a computer problem that looks a lot like a malicious program to
>us.  Following is a brief description of the incident.  Please be
>descriptive in the subject line on any responses as my new mail messages
>on any given day is 20+.
>
>The machine is an IBM-AT clone made by Maxum which we have had in an office
>environment for over a year.  Recently we have put the machine on a Novell
>network and were in the process of adding on a serial mouse when this problem
>arose.  The machine no longer boots.  It gets to the second line of the
>config.sys file and then hangs.  Booting from a floppy diskette will get the
>machine into working order, however the hard disk is no longer available.
>
>Now for the truly bizarre stuff.  The CMOS was slightly altered (from what
>I can see).  The date was changed to 1942.  The problem occurred the first
>time after the machine was brought down after November 13th (which was 11/15,
>as the guy who uses the machine likes to keep it on all the time).
>
>Additionally, if you let the machine sit and attempt to boot for about 2
>minutes, you get a two line message which I at first thought was
>gobbledygook and then on reflection realized looked a lot like German.
>Our pseudo interpretation is something like "the machine is disconnected,
>the master menu is activated."
>
>Looks suspicious to me.  I was going to include the text of the message
>here but apparently I forgot to bring it home.  I will repost with the
>text after I get into work on Monday afternoon.  However, any suggestions
>or thoughts before then would be appreciated.
>
>Aloha,
>Danny Choriki

****************************************************************************
snail:     Danny Choriki, Environmental Psychology Program, CUNY
           33 West 42nd Street, New York, NY 10036-8099
           Sol III, Milky Way, Local Group
bitnet:    dac@cunyvms1          econet:     dchoriki
internet:  dac@timessqr.gc.cuny.edu          compuserv:  71470,3060
- ----------------------------------------------------------------------------
[insert your favorite disclaimer about here...]

------------------------------

Date:    19 Nov 90 19:01:48 +0000
From:    i6finn@vax87.aud.auc.dk
Subject: Stoned-virus (PC)

Some time ago I received a 5.25" disk (containing source code, OBJ files
and .EXE files) which I copied (using XCOPY) to the hard disk.  I have
used both the .OBJ and .EXE files.  Later I found out that the disk
contained a virus.  SCANV67C reports that the BOOT sector of the disk
(placed in A:) is infected by the STONED virus, but no viruses are
detected on the C: drive!

Questions:

1) Is my C drive clean ???
2) Is it safe just to copy the files to a new (clean) disk ?
3) If 1) and 2) have negative answers - what should I do ?????

I'm sorry if these are trivial (stupid) questions but this is my first
encounter with a virus.

Please E-mail ( I6FINN@VAX87.AUD.AUC.DK )

Finn M. Jensen
Dept. of Building Technology and Structural Engineering
University of Aalborg
DK-9000 Aalborg
Denmark

------------------------------

Date:    Mon, 19 Nov 90 19:12:13 +0000
From:    keithm@ashtate.A-T.COM (Keith Mund)
Subject: Re: Trojan Warning: SCANV70 (PC)

s37775d@taltta.hut.fi (Pandy (A. Holmberg)) writes:
> How can we trust this software in the future.
> On the other hand: Which applications can we
> *really* trust.
> The only thing we can do is hope that the creators

Speaking personally as a software author, buy software from the
manufacturer or a legitimate dealer.  The same fears you have are felt
by them manyfold, and great care is taken to ensure safe software.
Although you threw out names of companies freely, none of them has
distributed software with any problems.  Why fear a problem that does
not exist?  Viruses are spread by individuals copying software, not by
legitimate manufacturers.

Keith Mund

These are my editorial remarks, not those of my employer.

------------------------------

Date:    Mon, 19 Nov 90 16:58:39 -0700
From:    James Fish
Subject: Help! Policy recommendations sought.

At Arizona State University, we have put together a "Network Virus
Committee" to examine virus related issues and hopefully develop some
policies and guidelines.  I'm hoping some of you may be able to assist
me in gathering information that would be of use to our committee.
There are several things that would be of tremendous use:

1) Information from any other colleges, universities or other
   organizations that have addressed these same concerns on a campus
   wide basis.  Specifically, final reports or recommendations on issues
   like education, prevention and eradication of viruses would be useful.

2) Policies for interconnecting LANs - specifically, we would like to
   have guidelines for departments that wish to connect their LANs to a
   recently installed Ethernet backbone at ASU.  Our concern is that
   network administrators take proper steps to keep their networks clean
   and ultimately, prevent the spread of viruses across the backbone.

3) Any recommendations on articles and other literature appropriate to
   this area.  Are there any places to FTP articles from?  Also, we are
   interested in finding some knowledgeable individuals to come and speak
   to our committee and perhaps other members of the university community
   about these issues.

4) Specific recommendations on software to help in the detection,
   eradication and prevention of viruses for network servers,
   workstations, and stand alone machines would also be helpful.
   Ideally, we'd like something that is effective, adaptable and
   relatively inexpensive (as most of you know, university budgets can
   impose a BIG restraint!)  The platforms we are most concerned with are
   DOS (Windows, etc.), UNIX, and Macintosh.

Any information any of you can provide on any or all of these areas
would GREATLY be appreciated!!

Thanks!

James Fish
Student Systems Analyst
Arizona State University
ISTJWF @ ASUVM.INRE.ASU.EDU
ISTJWF @ ASUACAD.BITNET

------------------------------

Date:    Mon, 19 Nov 90 19:40:01
From:    microsoft!c-rossgr@uunet.uu.net
Subject: re: OS/2 Viruses (OS/2)

>From: Kevin_Haney@NIHDCRT
>
>I am doing research for a paper on viruses in OS/2 systems.  I will be
>covering OS/2-specific viruses (only theoretically at this point) as
>well as DOS viruses on mixed DOS and OS/2 systems.

Gee, Kevin: one can look upon viruses as the most efficient means to
spread data among a population of users.  It is well known that the most
efficient means for a spread of data amongst the OS/2 population would
be for one user of OS/2 to hand the data disk to the other OS/2 user.

- Oh no!

Ross M. Greenberg
- - representing self

------------------------------

Date:    20 Nov 90 05:17:04 +0000
From:    woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: Is this a virus? Help! (PC)

rem@cs.bu.edu (Robert E. Mee) writes:
> I recently noticed what seems to be a trojan on my PC.  I notice two
> files in my root directories (c and d) they have eight character
> filenames (ex: 111E340A and 111E340F).  They are only displayed when I
> type "dir | more" in my root directory.  The file names change (as well

DOS fakes redirection pipes by creating a temporary file on the disk,
and writing to it.  Newer versions of DOS have a function to make a
temporary file.  It is created from the time and date stamp, and is a
hex number.  When you do a dir | more, DOS creates a scratch file to put
the output of dir into.  More then takes that, and apparently uses a
scratch file, or perhaps DOS creates 2 scratch files.  In any case, it
is a standard feature of DOS, and not to worry.

Cheers
Woody

------------------------------

Date:    Tue, 20 Nov 90 00:36:18 -0500
From:    alarky@aragorn.csee.lehigh.edu (Dr. Arthur Larky-84068)
Subject: Re: Is this a virus? Help! (PC)

rem@cs.bu.edu wants to know if the files which show up when he does
dir | more are a virus?

No, they are evidence of the difference between Unix and MSDOS.  The "|"
is a "pipe" between two programs, passing the output of one into the
input of the other.  In Unix, the pipe is handled somewhere inside the
system; in MSDOS, it is handled by re-directing the output into a
temporary file and then re-directing the temporary file into the next
program.  Unfortunately, MSDOS has a tendency to leave the temporary
files lying around.  This is especially true if you abort the more
output with a ^C.

When you own a dog, you have to be prepared to use a "pooper-scooper"
occasionally!

Art Larky
alarky@scarecrow.csee.lehigh.edu
alarky@aragorn.csee.lehigh.edu
Disclaimers re: Lehigh University apply.

------------------------------

Date:    Tue, 20 Nov 90 11:02:00 +0100
From:    "Olivier M.J. Crepin-Leblond"
Subject: List of known viruses urgently required.

Could someone please send me a quantitative list of all known viruses,
worms, trojans, etc.  A short (one line ?) description of each would
also be welcome.  E-mail it directly to me.  Thanks.

Olivier M.J. Crepin-Leblond, now at Imperial College London, UK.
Communications and Signal Processing, Dept. of Elec. Engineering.
Internet:
Janet:

------------------------------

Date:    Tue, 20 Nov 90 11:35:30 +0000
From:    dkrause@orion.oac.uci.edu (Doug Krause)
Subject: Re: Stoned in C: (PC)

wct1@unix.cis.pitt.edu (William C Tom) writes:
#According to ScanV67, the partition table of my hard disk has been
#infected with the "Stoned" virus.
#
#Two questions:
#
#What effects might I see with this particular infection?

C: might become unbootable, CHKDSK will find lots of lost clusters, and
you'll get lots of cross-linked files.

#*AND*, more importantly, how can I get rid of "Stoned" ??  Is there
#a virus-killer program available ?

CLEANP67.ZIP (at Simtel20 in PD1:) will take care of Stoned.  You will
probably lose some files, especially executables which can't be
reassembled by hand (I certainly did).

Douglas Krause                     One yuppie can ruin your whole day.
- ----------------------------------------------------------------------
University of California, Irvine   Internet: dkrause@orion.oac.uci.edu
Welcome to Irvine, Yuppieland USA  BITNET: DJKrause@ucivmsa

------------------------------

Date:    Tue, 20 Nov 90 14:11:00 +0100
From:
Subject: Viruses surviving warm boots. (PC)

> From: Michael_Kessler.Hum@mailgate.sfsu.edu
>
> 2.  To avoid infecting the network should a student use outside
> software on various stations, we recommend that all stations be turned
> off after use so that nothing stays in memory (Jerusalem B survives
> warm reboots).

I have experimented quite a bit with Jerusalem-B but I have never seen
it survive a warm boot.  Could anyone explain to me how it is possible
for any virus to survive a warm boot by any method other than infecting
something on the boot disk?  In my experience a warm reboot always
re-initializes the interrupt vectors, a process that no virus in memory
would survive.

The only method I can think of is by intercepting the Ctrl-Alt-DEL
keystroke and doing a reboot with int 19h; this would be difficult
because it would require the virus to store the original interrupt
vectors before anyone could alter them and hide in the top of the system
memory.  The only type of virus that could perform this would probably
be a bootsector virus.  If a virus would use the above method it would
probably alarm even a novice user because the system would no longer go
through the BIOS startup tests.

Maybe the 386+ processors have capabilities that make other methods
possible?

Peter van der Landen
Erasmus University, Rotterdam.

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 186]
******************************************
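As an added example (not from the digest or any of its posters): a small C analyzer that turns the reasoning in the last post into a check a defender can run over a saved copy of the interrupt vector table. It assumes the snapshot is a raw 1 KB copy of the real-mode IVT and that the BIOS conventional-memory count (the word at 0040:0013, in KB) was read on the same machine; the two snapshots built in `demo` are constructed sample data, and the BIOS ROM and segment values in them are illustrative.

```c
#include <stdint.h>
/* Vectors a resident virus must own to survive a warm boot as the post
   describes: INT 09h (keyboard, sees Ctrl-Alt-Del), INT 13h (disk),
   INT 19h (bootstrap loader) and INT 21h (DOS services). */
static const int WATCHED[4] = { 0x09, 0x13, 0x19, 0x21 };

/* Linear address of vector n in a raw 1 KB real-mode IVT snapshot
   (little-endian offset word followed by segment word). */
static uint32_t vector_linear(const uint8_t *ivt, int n) {
    const uint8_t *e = ivt + 4 * n;
    uint32_t off = e[0] | (e[1] << 8), seg = e[2] | (e[3] << 8);
    return (seg << 4) + off;
}

/* Count watched vectors whose handler sits between the BIOS-reported top
   of conventional memory (KB count at 0040:0013, what INT 12h returns) and
   the 640 KB ceiling: code hiding "in the top of system memory" lowers
   that count and lives in the gap, so such a vector deserves a look. */
int suspicious_vectors(const uint8_t *ivt, unsigned top_kb) {
    uint32_t lo = (uint32_t)top_kb * 1024u, hi = 640u * 1024u, a;
    int count = 0;
    for (int i = 0; i < 4; i++) {
        a = vector_linear(ivt, WATCHED[i]);
        if (a >= lo && a < hi) count++;
    }
    return count;
}

/* Helper for the constructed snapshots below (sample data, not a dump). */
static void set_vector(uint8_t *ivt, int n, uint16_t seg, uint16_t off) {
    uint8_t *e = ivt + 4 * n;
    e[0] = off & 0xff; e[1] = off >> 8; e[2] = seg & 0xff; e[3] = seg >> 8;
}

/* Clean: BIOS vectors in ROM at F000h, DOS low, 640 KB reported.  Hooked:
   2 KB shaved off the top, INT 09h and INT 13h redirected into the gap
   at segment 9F80h.  Returns the count flagged: 0 clean, 2 hooked. */
int demo(int hooked) {
    uint8_t ivt[1024] = { 0 };
    unsigned top_kb = 640;
    set_vector(ivt, 0x09, 0xF000, 0xE987);  /* keyboard handler, BIOS ROM */
    set_vector(ivt, 0x13, 0xF000, 0xEC59);  /* disk services, BIOS ROM */
    set_vector(ivt, 0x19, 0xF000, 0xE6F2);  /* bootstrap loader, BIOS ROM */
    set_vector(ivt, 0x21, 0x0116, 0x109E);  /* DOS kernel, low memory */
    if (hooked) {
        top_kb = 638;
        set_vector(ivt, 0x09, 0x9F80, 0x0020);
        set_vector(ivt, 0x13, 0x9F80, 0x0100);
    }
    return suspicious_vectors(ivt, top_kb);
}
```

A vector landing in that gap is a lead, not a verdict: legitimate TSRs and some network shells park themselves there too, so the next step is comparing against a known-clean snapshot of the same machine.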