From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V5 #2
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Monday,  6 Jan 1992    Volume 5 : Issue 2

Today's Topics:

Volume 5 is here
Michelangelo virus on Zyxel disk (PC)
Does this behavior sound like a virus (PC)
Norton AntiVirus vs McAfee (PC)
CIAC advisory 11 - Stoned-3 in Novell distribution (PC)
info request re:AT&T Starlan, etc. (PC) (UNIX)
Michelangelo virus & HD's (PC)
Re: Macs Running Soft PC (Mac) (PC)
Re: Mac virus?: system crash (HELP!) (Mac)
Disinfectant (Mac)
Geraldo Show: Claims Viruses can blow up Monitors
Virus writing contest
Review: A Pathology of Computer Viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 03 Jan 92 15:10:52 -0500
From:    Kenneth R. van Wyk <krvw@cert.sei.cmu.edu>
Subject: Volume 5 is here

Happy New Year, everyone.  Now that 1992 is here, VIRUS-L is now up to
Volume 5.  I'd like to thank all of you who took the time to send me
suggestions for improving the group - which isn't to say that I
wouldn't welcome any more suggestions.  I still have to get back to a
few of you regarding your suggestions, and I'll do that shortly.

Many of the suggestions which I received were excellent.  I'll be
incorporating a few immediately, and a few more as time permits.  A
couple of common themes were digest and archive organization, so I
want to give those items attention as quickly as possible.

First, all new digests archived on cert.sei.cmu.edu will be of the
filename format: v#i###, starting with v5i001.  In the past, I didn't
use any preceding zeros in the filenames; this will make it easier to
get alphabetical directory listings.

Also, I'm going to start working on a better organizational structure
for the digests.  One suggestion was to use more descriptive subject
designators such as (PC) (question), (PC) (ALERT), etc.  I'd like to
hear what people think about that.  In the meantime, I'll be trying to
separate the postings by subject matter in the following order:

Alerts and administrative announcements
PC topics
Mac topics
General topics
File archive updates
Reviews & informative docs

Meanwhile, progress on a FAQ continues.  A number of folks sent in
suggestions for the document, and some even volunteered to help.
(Thanks!)  What I'm specifically looking for is submissions of
questions and answers, and I am collating the submissions into the FAQ
itself.  I expect the FAQ to be an ever-changing document, as
questions appear and change with time, so please send in your
submissions whenever you feel that something is appropriate for the
FAQ.  (For those of you just tuning in, FAQ stands for Frequently
Asked Questions.)

Finally, I've received updated copies of Anthony Appleyard's VIRUS-L
digest index files for Volume 4, and I'll be putting these on the
archive shortly.

Keep those suggestions and FAQ submissions coming, please!

Ken van Wyk

------------------------------

Date:    Mon, 23 Dec 91 15:07:05 +0700
From:    swimmer@stage.hanse.de (Morton Swimmer)
Subject: Michelangelo virus on Zyxel disk (PC)

Hello world,

I've just become the proud owner of a Zyxel U-1924E modem (hurray!),
but found the Michelangelo virus on the disk I got with it (boo!).
The disk was not write-protected and the envelope it came in was open,
so I can't say for sure whether it was Zyxel or the distributor.
Normally one would not boot from this disk, so this is not a very
serious problem. For me it is a novelty, though. In all these years of
dealing with viruses, I have never before got one myself by accident.

Cheers, Morton
and season's greetings for all those who are still to celebrate.

..............................................................................
.morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
.internet: swimmer@stage.hanse.de or swimmer@rzsun1.informatik.uni-hamburg.de.
..............to leave only footprints, and take only memories................

------------------------------

Date:    24 Dec 91 16:47:51 +0000
From:    saake@anduin.ocf.llnl.gov (Mark Saake)
Subject: Does this behavior sound like a virus (PC)

The other day I inserted a floppy into the A: drive on my pc and tried
to do a dir.  I got the message back stating "Sector not found" and it
was unable to read the disk.  After trying several other disks, I
figured my drive had bit the dust so I put in another.  However, this
drive exhibited the same behavior.

I tried booting off a floppy instead of the hard drive and was able
to read other floppies fine, with and without write protect tabs.
However, after some experimenting, I discovered that if I booted off
the hard drive I could read floppies as long as they had the write
protect tab on but the second I took the tab off the disks became
trashed. Note that when booting off an original system floppy this
behavior was not exhibited. Everything worked fine.

Does this sound like a virus or a hardware problem? Since everything
works fine when booting off a floppy, I am inclined to believe the
latter.  Any clues, as I have not had experience with any viruses
before on my pc.

thanks

------------------------------

Date:    Thu, 26 Dec 91 00:58:34 +0700
From:    girsch@fifi.univ-lyon1.fr (Arnaud Girsch)
Subject: Norton AntiVirus vs McAfee (PC)

Hi everybody !!

   A friend of mine has just bought the new version of Norton Anti Virus ..
   It contains Clinic, and Detect which remains resident in memory (as
   McAfee's Vshield !) Clinic can detect 700 viruses ...

   Does anybody know something about it ??
   I'd like to know if Scan (McAfee) is better than NAV, or the contrary !
   I know that Scan is updated very often ... but ???

   Can anybody help me to make a choice between these two good softs ???

   Thanks in advance !!

                                 Arnaud Girsch
                                 INSA Lyon
                                 France
                                 E-mail : girsch@fifi.univ-lyon1.fr

------------------------------

Date:    Thu, 26 Dec 91 09:16:01 -0500
From:    "Alan Fedeli" <fedeli@vnet.ibm.com>
Subject: CIAC advisory 11 - Stoned-3 in Novell distribution (PC)

We also know Stoned-3 as NOINT.  NOINT may be a useful addition to further
correspondence on this advisory.

------------------------------

Date:    Fri, 27 Dec 91 18:27:00 +0000
From:    jahn@guinness.idbsu.edu (Greg Jahn)
Subject: info request re:AT&T Starlan, etc. (PC) (UNIX)

howdy.  I have been asked to find out if anyone has experienced
problems with viruses infecting AT&T 386 machines (Unix) running
STARLAN 3.4, with LAN Manager ... connected to bunches of PCs, from
whence stuff like Wordperfect is loaded.  I'd guess that this would
have to come from a student's personal disks being put into the PCs
????

much thanks in advance.

			- Greg

P.S. Please respond via email, since I do not read/watch the newsgroups very
closely, other than to make sure it's all still running ...
- ---
Greg Jahn, Boise State Univ.| "They were unemployed lawyers, 
/ jahn@guinness.idbsu.edu / |  pimps, and stockbrokers:
/ dosjahn@idbsu.bitnet    / |  Politicians in a word ..."
/ (208)385-3891.thephone  / |                 - Hunter Thompson

------------------------------

Date:    31 Dec 91 02:47:00 +0000
From:    homan@envmsa.eas.asu.edu (Thomas H. Homan (aka Bit Bucket Bandit))
Subject: Michelangelo virus & HD's (PC)

Howdy,

Is there some other program for removing the Michelangelo virus from
a stricken hard drive....I have a Seagate 3120A (IDE) drive that I
cannot remove this virus from.  Here's what I have tried so far:

1 - Fprot 2.01 - nope
2 - Scan V80 - nope
3 - Scan v84 - nada
4 - Repartition drive as 40m and format - nope
5 - Return partition size to 100m and format - still there

what can be done?

any and all thoughts are appreciated.

tom

------------------------------

Date:    Mon, 30 Dec 91 12:07:08 -0500
From:    fprice@itsmail1.hamilton.edu (Frank Price)
Subject: Re: Macs Running Soft PC (Mac) (PC)

In VIRUS-L Digest V4 #233, Mike Taylor asked:

>     I regularly use Soft PC on my Macintosh SE.  Do I need MS DOS and
>macintosh antiviral programs or will an antiviral program for the
>macintosh suffice?

SoftPC does such a good job of emulating an MS-DOS machine that many
(most?  virtually all?) viruses WILL infect it. SoftPC uses a (big)
data file for the contents of the simulated PC's hard drive. I believe
Mac antiviral programs consider this to be a data file and do not
check it. Even if they did, they would not know how to recognize
MS-DOS viral code.

If you're worried, get yourself several MS-DOS antivirus programs and
use them.  I have used an old version of the IBM Corp virus scanner
under SoftPC, but have not progressed beyond it as my MS-DOS
activities are restricted to data/document files and are well-isolated
from likely virus vectors.

I've got my fingers crossed, because I expect it will be more
difficult to control MS-DOS viruses--I don't know of a way to boot
SoftPC from the proverbial "clean floppy". If a virus-eradicator can't
clean SoftPC's hard drive, then I think we'll have to trash the
"SoftPC C Disk" Mac file and reinstall from scratch. I suggest backing
up documents (not applications) in a Mac folder. On the positive side,
those evil-wicked-mean-n-bad-n-nasty MESSY-DOS monsters won't be able
to break out of the SoftPC disk and infect our friendly Mac apps :-).

- ----------------------------------------------------------------
Frank Price,   Assoc. Dir., Academic Computing, Hamilton College
  198 College Hill Rd., Clinton, NY 13323	    Ph. (315) 859-4169
  AppleLink: U0071 #               Internet: fprice@hamilton.edu
- ----------------------------------------------------------------

------------------------------

Date:    Tue, 31 Dec 91 15:56:54 -0500
From:    fprice@itsmail1.hamilton.edu (Frank Price)
Subject: Re: Mac virus?: system crash (HELP!) (Mac)

In VIRUS-L Digest V4 #236 Christopher Manly wrote:

>Does anyone have any information about a Mac virus that causes
>programs to frequently "unexpectedly quit due to error type 1"

I agree with phaedrus@u.washington.edu (VIRUS-L Digest V4 #236) that
Manly almost certainly does not have a virus and he should probably
check startup documents (INITs) and control panel devices (CDEVs). But
I have two additional suggestions that have almost eliminated
"unexpectedly quit" messages on my system.

1. If you are running MultiFinder, increase the application's memory
allocation.  In my experience a number of poorly-behaved programs are
happier with larger allocations.

2. Increase the System Heap size. If you don't know what System Heap
means, "do not try this at home." This approach may work even if you
have already done the previous.

One good diagnostic tool: keep an eye on the About the Finder window
as you go about your usual activities. If a dark gray bar exceeds
about 80% of the total bar length, procedure 1 or 2 may help.

(This is abridged from a longer note I sent him directly. If anyone
else is interested, contact me directly.)

- ----------------------------------------------------------------
Frank Price,   Assoc. Dir., Academic Computing, Hamilton College
  198 College Hill Rd., Clinton, NY 13323	    Ph. (315) 859-4169
  AppleLink: U0071 #               Internet: fprice@hamilton.edu
- ----------------------------------------------------------------

------------------------------

Date:    Tue, 31 Dec 91 23:53:56 +0000
From:    twm3@world.std.com (Thomas W Moore)
Subject: Disinfectant (Mac)

The rest of the office has gotten Macs and is scared of VIRUSES :-(.
But as they do not, wish not, and will not get communication
capabilities, I have been asked to find a copy of disinfectant from
Northwestern Univ. for them.

Does anyone have a source for disinfectant?

And then once I have it downloaded to my PC from my host, is it
possible to get it over to the Mac?  While we do have some conversion
programs at the office, I am not sure if they will do a generic file
conversion (i.e. a byte-to-byte).  The program converts text files no
problem, but a compressed executable.

Oh.  If you have a source for disinfectant, I take it will be in some
compressed form.  Does the Mac community have a program similar to
pkzip/pkunzip which is also downloadable?  Mind you the same problems
of conversion from the PC to the Mac exist.

'Preciate your help in advance.

- -Tom
twm3@world.std.com

------------------------------

Date:    Fri, 27 Dec 91 18:33:21 +0000
From:    gerry@dialogic.com (Gerry Lachac)
Subject: Geraldo Show: Claims Viruses can blow up Monitors

You get a few days off for the holidays and you start watching trash
TV.  I was watching Geraldo Rivera's _Now It Can Be Told_ show, which
featured viruses.  One so-called expert who has testified before
Congress and has some book out claimed that there are viruses out now
that can blow up monitors.

Anyone know what the name of this one is? :-)

- -gerry
- -- 
Who was that young hellcat, Smithers?   % EMAIL:  gerry@dialogic.com
Homer Simpson, sir.			% USMAIL: Dialogic Corp.
Homer Simpson, I'll remember that name! %         300 Littleton Rd Parsippany,NJ
- - Mr. Burns when he hired Homer		% PHONE:  (201)334-1268 ext 193

------------------------------

Date:    Mon, 23 Dec 91 10:09:38 +0700
From:    swimmer@stage.hanse.de (Morton Swimmer)
Subject: Virus writing contest

ry15@rz.uni-karlsruhe.de writes:

> Hi everybody,
>    a German computer magazine called 64'er by Markt & Technik has just
>    published an article on viruses. One part of the article is an announcemen
>    of a virus writing contest. Two quotes:
> ...

Actually the LKA 222 (Computer fraud section of the Police) told me
about this. At the time, they were trying to take action against the
magazine. I don't know if they can do much though, besides filing a
formal complaint.

Cheers, Morton

..............................................................................
.morton swimmer..odenwaldstr.9..2000 hamburg 20..germany..tel: +49 40 4910247.
.internet: swimmer@stage.hanse.de or swimmer@rzsun1.informatik.uni-hamburg.de.
..............to leave only footprints, and take only memories................

------------------------------

Date:    31 Dec 91 23:09:50 +0000
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: Review: A Pathology of Computer Viruses

I recently received a copy of "A Pathology of Computer Viruses" by
David Ferbrache of the UK Defense Research Agency.  The book is
copyrighted 1992, and is published by Springer-Verlag (ISBN
3-540-19610-2 and 0-387-19610-2).  US price was $39.50. 300 pages.

This book is an extraordinarily comprehensive book on the history,
theory, and operation of computer viruses, and on virus
countermeasures.  It is the most complete book I have seen on the
topic to date, and contains a very detailed description of how PC
viruses work and spread, including viruses in networked environments,
viruses in Amiga systems, and viruses in Unix.  In fact, I expect
David to get some criticism for the detail he presents, but it serves
to make the subject matter much clearer.

Chapter 1 is a general introduction to the topic of viruses, worms,
and malware.  Chapter 2 is devoted to the history of viruses and
"malware" starting from the 1960s and thru the end of 1990.  It has a
very complete description of the earliest viruses, including some
events and activities that have not been generally reported elsewhere.
It also includes interesting information on related activities, such
as the founding of the Virus-L mailing list.

Chapter 3 is a nice introduction to the theory of computer viruses,
including discussion of how computer viruses relate to biological
viruses, and other related topics such as artificial life.

Chapter 4 is a detailed discussion of how viruses operate in an IBM PC
environment.  This includes details on camouflage techniques and
signatures as well as spread and activation.  Chapter 5 provides
extensive discussion of techniques to protect against computer
viruses.  Chapter 6 is a description of how viruses work in the Apple
Macintosh.  Chapter 7 discusses viruses in mainframes and Unix
systems.

Chapter 8 is devoted to "network viruses" -- worms.  This includes
analysis of early work, the Morris Worm, WANK, Christma Exec, and even
a discussion of e-mail chain letters!  The chapter also has a nice
discussion of Internet protocols that lend themselves to abuse byd
material that I wished to pursue further -- unfortunately, there were
no citations to allow me to seek original sources.  I do not doubt the
accuracy of the information presented, but I feel that the lack of
specific citations is a flaw in such a scholarly work.

The book suffered from spotty copy-editing.  I found many places where
there were quite obvious typos.  In a few places, these typos obscured
the text's meaning or distorted some information.  I am not sure
whether to fault the author or the publisher, but it is sad to see in
an otherwise excellent book by an established publisher.

Another minor complaint is that there is no presentation of formal
theory about viruses or worms.  Although this is not an area that has
seen much good work, it would have been useful to have some coverage
of that material here to complement the higher-level descriptions.

The appendix listing other references was good, and contained some
references I have not seen before, but it did not give any indication
which of the many references were particularly noteworthy or why the
references were cited.  For instance, a number of limited-availability
BBS postings and Usenet articles were cited without an indication of
why they were included.  At the same time, the references did not list
either of the fine collections of readings by Professor Peter Denning
("Computers Under Attack" ACM Press/Addison Wesley) and Professor
Lance Hoffman ("Rogue Programs" Van Nostrand Reinhold), nor did it
reference any of the publications by the NCSA.

The book is written primarily for a British audience.  This means that
the coverage of US-specific items, such as anti-virus legislation, is
briefer than a US reader might prefer.  It also means that some small
translation of terms is necessary in spots; of course, this same
criticism can be made of many US-centric books being published in a
non-US market.

Despite these criticisms, I strongly recommend this book to anyone who
is interested in computer viruses and security.  It presents material
clearly and comprehensively, and provides unbiased coverage of the
area (David is not involved with the marketing of anti-virus software
or seminars as are many other virus book authors).

- -- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-1398
Internet:  spaf@cs.purdue.edu	phone:  (317) 494-7825

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 2]
****************************************
