VIRUS-L Digest Tuesday, 13 Dec 1988 Volume 1 : Issue 45
Today's Topics:
on CHRISTMA EXEC (IBM VM/CMS)
Undigestifyer for MSDOS?
Current status of Fred Cohen
RE: Low Level Formats on IBM's (PC)
contacting people at BITNET addresses
More on modem virus
Virus alerts
Re: CHRISTMA EXEC?? Kids Stuff!!!! (IBM VM/CMS)
re: modem virus
Re: PC virus reported in V1 I43 by [email protected]
MegaROM CD with nVIR (Mac)
Some people aren't fighting...
---------------------------------------------------------------------------
Date: Tue, 13 Dec 88 09:01:56 LCL
From: Bret Ingerman [{315} 443-1865] <[email protected]>
Subject: on CHRISTMA EXEC (IBM VM/CMS)
re: Gabriel Basco's recent note...
It would seehecking out the
code (which is what we did with the Christmas EXEC). If you can't
read the code, then you probably should not run the program.
BRET INGERMAN ACADEMIC COMPUTING SERVICES
______ SYRACUSE UNIVERSITY
/ | -------
| | BITNET: INGERMAN@SUVM
_________/ | NOISENET: (315) 443-1865
| * | SNAILNET: 215 Machinery Hall
/ SYRACUSE | Syracuse, NY 13244-1260 USA
|______________ |
|_ |
|__| DISCLAIMER: I didn't say that, did I???
------------------------------
Date: Sun, 11 Dec 88 13:16 EDT
From: Peter D. Junger <JUNGER@CWRU>
Subject: Undigestifyer for MSDOS?
I would be very happy to have an undigestifyer running on VMS,
but there is so little space on our node that I would be much better
off if I could down-load digests to my PC and do the undigestifying
there? Does an MSDing un-digestifier
for any system - please let me know so that I can post it on the
LISTSERV here.]
------------------------------
Date: Tue, 13 Dec 88 08:13 CST
From: Ken De Cruyenaere <KDC@UOFMCC> 204-474-8340
Subject: Current status of Fred Cohen
Fred was one of the speakers at the CSI conference in Miami last month.
At the time he said that anyone interested in more material should
leave their names. I did. I received the following:
Hi,
I'm sorry I have to do this by form letter, but I get so many requests for
information about my papers, I simply couldn't do it any other way.
I put you in a mailing list for people interested in viruses so I
can continue to let you know about new results. If you want out of
the mailing list, just let me know.
I have 2 books on viruses that you might be interested in.
One is my PhD thesis, written in 1984 at USC, and has all of the
mathematical details you will likely ever want to see (and perhaps
more). The other is simply a collection of all the journal articles
I have published in the last 5 or so years placed in a single
binder for your reading convenience.
The cost (everything included - 1st class mail, etc.) is
$20/book, which shouldn't break you or your organization. If you'd
like one or more of one or both, just fill in the form at the
bottom of the page, send a check or money order (payable to
Advanced Software Protection) to:
Fred Cohen
c/o Advanced Software Protection
PO Box 90069
Pittsburgh, PA 15224
I will get copies to you as soon as I can...
Thank you for your interest,
Fred Cohen
-------------------------------------------------------------
title how many total
Computer Viruses - the thesis _______ @$20 _______
Fred's Papers _______ @$20 _______
Grand Total $_______
------------------------------
Date: TUE DEC 13, 1988 09.50.15 EST
From: "David A. Bader" <DAB3@LEHIGH>
Subject: RE: Low Level Formats on IBM's (PC)
I recently low level formatted my 40 meg hard disk (not a fun
experience) because I had some minor non-virus related problems with a
partition. Anyway, the only program I had around to do this format
was a PD Low level format which did not ask me for my bad sector list
(which should be adhesed to the top of everyone's hard disk by the
manufacturer). However, I have seen some formatters that do ask for
this list to be typed in.
-David Bader
DAB3@LEHIGH
------------------------------
Date: Tue, 13 Dec 88 09:57:01 est
From: [email protected]
Subject: contacting people at BITNET addresses
I am having trouble getting through to bitnet addresses. It
would be helpful for those who are asking for information to put the
address that those of us on arpanet could use. Several times I have
tried to contact people and the mail was sent back by the postmaster.
If anyone has the "rules" for changing bitnet addresses to arpanet
address format, I would appreciate it.
Greg - What is the title you are interested in? I have several
articles by Fred Cohen.
[Ed. On sending to BITNET from Internet/ARPAnet - Most mailers will
send mail addressed to [email protected] through the appropriate
gateway. If that doesn't work, you can usually get away with
user%node.BITNET@gateway - where "gateway" is a known Internet/Arpanet
to BITNET gateway, such as the one at CUNYVM.CUNY.EDU.]
------------------------------
Date: Tue, 13 Dec 88 10:29:10 EST
From: Don Alvarez <[email protected]>
Subject: More on modem virus
Quoting from issue 44:
I've just discovered probably the world's worst computer virus yet.
I had just finished a late night session of BBS'ing and file trading
when I exited Telix 3 and attempted to run pkxarc to unarc the
software I had downloaded. Next thing I knew my hard disk was seeking
..END Quote
I'm a Mac user and don't recognize those words. Is the
speaker talking IBM-PC words, Amiga words, VMS words, etc.
What kind of computer did he have?
If the virus is real, it must be writing itself into the
on-board storage space used in high-speed modems and then
instructing the modem to run that portion of memory (good way
to check if this virus is real: Does anyone know if high
speed modem chips are designed on Harvard-type architectures
(separate Program/Data), I think many DSP chips are now
designed that way). If my guess is right, the virus could
not propagate on modems with Harvard-Architecture as they
would be unlikely to have sufficient "program" memory for
a virus (the speaker mentions setting a "bit pattern in an
modem register," I can't believe that alone is enough
to make a hard-disk crashing virus).
The reason why I ask what kind of PC the author is using is that
it is EXTREMELY unlikely in my opinion that a virus of this sort
could infect different kinds of computers... Mac boot blocks don't
look anything like PC boot blocks.
Also, as I understand it, a good 9600baud modem is completely
transparent to the user... once you configure it, it looks like
a 9600 baud cable connected to a computer. Sounds to me like
this virus must be keyed not only to a specific computer but
also to a specific PC based file-capture program, and will probably
not propagate if all you do is 9600 baud terminal emulation.
- Don Alvarez
Disclaimer: "He's not the messiah, he's just a very naughty boy
(who of course isn't speaking for himself, his employer, or the
local dry-cleaner)."
+ -------------------------618 |
| (617) 253-7457 Cambridge, MA 02139 |
+ ----------------------------------------------------------- +
[Ed. I think that the first report of this purported virus was
referring to a PC environment.]
------------------------------
Date: Mon, 12 Dec 88 17:30:29 CST
From: David W. Richardson <[email protected]>
Subject: Virus alerts
On 12-9, Ben Chi ([email protected]) asked for another listserv that would distribute virus
warnings. I have a suggestion:
1. All messages which are warnings use the same subject line, for
example Subject: "VIRUS WARNING: XXXXXXXX" where XXXXXXXX is the real
subject. We could use our mail directories to filter the vital info
from the rest of the list.
2. When digesting, put the VIRUS WARNINGs at the beginning of the
digests, so that we digest-readers can only worry about the vital
stuff (if we so choose).
Similarly, there could be a reserved subject called RECENT CUi-viral measures.
- -David Richardson
c044dwr <--review this list on 1/1 for my new address
Are they viruses or viri? I'm asking.
[Ed. Viruses. Good suggestions, thanks... That, in conjunction with
the non-moderated (for timeliness) VALERT-L is what I'll shoot for.]
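An undigestifier of the kind requested earlier in this issue, combined with the "VIRUS WARNING:" subject convention proposed in the message above, as an added Python example that is not part of the original digest. It also undoes the "- " dash-stuffing that digest software applies to body lines beginning with a dash; the sample digest is constructed and the function names are assumptions.

```python
import re

# Constructed sample in the layout of a VIRUS-L digest (not a real issue).
SAMPLE_DIGEST = """\
VIRUS-L Digest Monday, 1 Jan 1990 Volume 0 : Issue 0
Today's Topics:
Question about backups
VIRUS WARNING: sample boot infector (PC)
---------------------------------------------------------------------------
Date: Mon, 1 Jan 90 09:00:00 EST
From: Alice Example <ALICE@NODEA>
Subject: Question about backups
How often should I back up?
- -Alice
------------------------------
Date: Mon, 1 Jan 90 10:00:00 EST
From: Bob Example <BOB@NODEB>
Subject: VIRUS WARNING: sample boot infector (PC)
Check floppies before booting from them.
- --- Bob
------------------------------
End of VIRUS-L Digest
"""

SEPARATOR = re.compile(r"^-{30,}[ \t]*$", re.MULTILINE)  # 30+ dashes alone on a line
HEADER = re.compile(r"^(Date|From|Subject|To):\s*(.*)$")
WARNING_PREFIX = "VIRUS WARNING:"  # subject convention proposed in the digest

def undigest(text):
    """Split a digest into messages: a list of dicts of headers plus 'body'."""
    messages = []
    for chunk in SEPARATOR.split(text)[1:]:  # chunk 0 is the topics preamble
        lines = chunk.strip("\n").split("\n")
        headers, i = {}, 0
        while i < len(lines) and (m := HEADER.match(lines[i])):
            headers[m.group(1).lower()] = m.group(2).strip()
            i += 1
        if "subject" not in headers:  # trailer ("End of ... Digest") or debris
            continue
        # Undo dash-stuffing: a body line "-Alice" travels as "- -Alice".
        body = [l[2:] if l.startswith("- -") else l for l in lines[i:]]
        headers["body"] = "\n".join(body).strip()
        messages.append(headers)
    return messages

def warnings_first(messages):
    """Stable sort that moves VIRUS WARNING subjects to the front."""
    return sorted(messages,
                  key=lambda m: not m["subject"].upper().startswith(WARNING_PREFIX))
```

A body line of 30 or more unstuffed dashes would be taken for a separator, so a digest whose software does not dash-stuff needs a stricter boundary test (for example, requiring a Date: header on the next line).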
------------------------------
Date: 13 December 88, 18:51:33 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
Subject: Re: CHRISTMA EXEC?? Kids Stuff!!!! (IBM VM/CMS)
> Or should we just don't run any programs that appear in the READER??
Gabe,
perhaps the rule should read:
Don't run any programs that you neither can read and understand,
nor have ordered from some trustworthy supplier,
regardless of the way or media of delivery
(i.e. this even applies to printed copies of source programs
in a language you are not familiar with).
Best regards
Otto
------------------------------
Date: Tue, 13 Dec 88 11ble enough so the virus could store itself in them all?
2. Do these modems have enough internal memory to store all the
information needed?
3. No mention is made of what computer or operating systems
are being used (probably default=ms-dos on a pc clone).
Paranoid conjecture: there is >>>no<<< modem virus!!!
It is just a rumor being spread by a modem company that
either (1) does not sell fast modems or (2) will be coming
out shortly with a "virus-proof" modem.
Marty Cohen ([email protected], 128.99.0.1)
------------------------------
Date: Tue, 13 Dec 88 14:54:25 EST
From: Naama Zahavi-Ely <[email protected]>
Subject: Re: PC virus reported in V1 I43 by [email protected]
Hello!
This seems like a virus that we found here at Yale this summer. I
doubt very much that it originated here. If it is the same one, then
it is nearly invisible on a PC, but if you try to boot an AT from an
infected disk, it will "hang" with an undeputer will stay "hung". If one tries to
soft-boot an infected AT from a write-protected disk, it will seem to
function normally, but will still be infected. To the best of my
knowledge, the virus did not erase any FAT tables. Also to the best
of my knowledge, it was brought over to Yale unintentionally by a
visiting scholar.
I hope this helps!
Naama
+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +
| Naama Zahavi-Ely |
| Project ELI E-MAIL [email protected] |
| Yale Computer Center |
| 175 Whitney Ave |
| New Haven, CT 06520 |
| (203) 432-6600 ext. 341 |
+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +
------------------------------
Date: Shuster 74166,2027
>To: All
>
>Unfortunately, I have just discovered that the "MegaROM" CD-ROM (Vol
>1,Oct 88) is infected with the "nVIR" virus in seven files. What's
>worse is that among the infected files are Hypercard and Stuffit
>1.5.1, two applications most likely to be executed from it. Please
>check your copies of Hypercard and Stuffit (and the other applications
>listed below) for "nVIR" resources (numbered 1,2,3,6, and 7): if
>present, you're infected.
>
>The MegaROM CD is available from either Quantum Leap Technologies or
>Nimbus Information Systems. The one that I found to be infected is
>marked Volume 1, October 88 (another version is planned for January
>89). The infected files are:
> DAs:McSink 5.0:McSink Opener
> Graphics:*VideoWorks:BigSound VW Player
> Graphics:Dynamo
> Hypercard Files:Hypercard 1.21:Hypercard
> Hypercard Files:Sound Stacks:Sound Utilities:SoundMover
> Modem Files:Archiving Utilities:Stuffit Update:Stuffit 1.5.1
> Utilit. Note that Apple's Virus Rx currently will not detect this
>virus!
>
>It didn't do any damage to me (besides the time it took to disinfect).
>The first symptom I had was a bomb on startup, apparently forced by
>Vaccine when it detects an infected System or Finder. Unfortunately,
>the disk was apparently infected just days before the final directory
>was built (all the modification dates of the infected applications are
>from 10/11 to 10/13/88).
>
>The CD is otherwise a tremendous bargain, with more than 300 megabytes
>of software and data for $50.
>
>--Cy Shuster-
The bomb is caused because Vaccine attempts to put up a dialog at INIT
time, but not all of the necessary managers are initialized then.
This infection has not yet been verified. Can others with this CD-ROM
disk check and post back to the list?
- --- Joe M.
------------------------------
Date: Tue, 13 Dec 88 15:58:18 EST
From: Joe McMahon <XRJDM@SCFVM>
Subject: Some peoplo-hum attitude indeed! Or worse!
A student came referred to me last week because her teacher said that
anyone whose final project bombed during the review would drop two
letter grades: that's from an "A" to a "C", "B" to a "D", etc. Fairly
stringent for a 1st quarter mac programming course.
She had made some references to fonts which were not resident on most
systems as well as a few other stupid mistakes (hell, her whole program
was not very well thought out, but that's not my problem. In fact,
helping students with their programming is DEFINITELY NOT my problem)
and we recompiled and it worked (in its stupid way) well, without
bombing.
I took the liberty of insisting that I remove some disabled dotted
lines stuck at the end of some one-item pull down menus (more bad
interface) and found nVIR in her program and in her copy of RMaker on
her disk. My Mac is protected, so it wasn't a problem for me, but she
was going to go around and stick this disk in whatever computause
her to rebuild her resource file (LOTS of PICTs). She grabbed her disk
and ran from my office screaming that it wasn't her fault and why
didn't everyone leave her alone.
Subsequent conversations with her professor -- in a discreet manner --
revealed her to be earning about a "D" up to that point anyway.
So talk about "ho-hum". I'd call that "aggressive and blatant
disregard".
- --scott
<< Ack!
<<
<< --- Joe M.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253