VIRUS-L Digest Thursday, 15 Dec 1988 Volume 1 : Issue 48

VIRUS-L Digest Thursday, 15 Dec 1988 Volume 1 : Issue 48

Today's Topics:
Report of Brain unclear
Details on Brain virus at Yale (PC)
generic undigestifier

---------------------------------------------------------------------------

Date: Thu, 15 Dec 88 09:13:26 EST
From: Joe Simpson <[email protected]>
Subject: Report of Brain unclear

The origional Pakastani Brain has several properties.
1. The infection vector is a trap in the boot block. Brain only
activates when an infected diskette is booted.
2. The origonal Brain only infects 5.25 inch floppies. It has specific
checks that permit it to aviod 3.5 inch floppies and hard disks.

A recent report suggested that Brain came as a no charge extra with a
commercial word processor. Unless the victim tried to boot a diskette
from the vendor the origional brain could not have infected the
victims diskettes.

If there is a "Brain injector" out there I would like to have that
verified. It would change the rules of the game.

If there is a version of Brain that infects hard disks I would like to
have that verified as well.

In a similar vein, there has been an incredible report of V.22 bis
modems serving as a carrier for a hostile agent program. Since a V.22
bis modem is a computer it would be helpful for someone with a clear
understanding of V.22 bis and the common implementations to comment on
the likelihood of risk from this quarter.

[Ed. I would think that a good "moral to the story" is that one should
not jump to conclusions; that only perpetuates rumors. It would be
premature to place too much faith in either report until they can be
verified, or at least until a further description, which is accurate
in technical details, is offered.]

------------------------------

Date: Thu, 15 Dec 88 10:29:41 EST
From: Naama Zahavi-Ely <[email protected]>
Subject: Details on Brain virus at Yale (PC)

Two days ago we discovered at Yale several diskettes infected with the
Brain virus. The version we have contains in its boot sector the
following text:

Welcome to the Dungeon (c) 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE
RECORD v9.0 Dedicated to the dynamic memories of millions of virus who
are no longer with us today - Thank GOODNESS!! BEWARE OF THE er VIRUS
: \this program is catching program follows after these messeges

The infected diskettes also had their volume name set to (c) Brain.

This variant of Brain seems to create a hidden file on the diskette,
with 0 bytes, and each of the infected diskettes has 3072 bytes in bad
sectors. For all we know, the user may have had infected diskettes
for a very long time -- we discovered the infection while trying to
solve an unrelated WordPerfect problem. Luckily all our public
diskettess are write-protected.

Now the questions: can this virus infect hard disks under any
circumstances? How do systems (RAM) become infected -- at start-up
only, or otherwise? How do other disks become infected: when
formatted, written to, soft-booted? What is the most trouble-free way
of getting rid of it? I suggested formatting a new diskette on a
clean system, copying the files over, then re-formatting the infected
diskette -- would that work? Are there any dangers involved with this
virus, other than the 3 bad sectors mentioned above? I have seen
recommendations of DEBRAIN, but I am afraid it might give people a
false sense of security against viruses in general, so if the
reformatting method mentioned above would work, I would rather use it
- -- but I would welcome any opinions to the contrary.

Please send to me or to the list any helpful hints you can think of --
any information would be appreciated!

Thanks,
Naama

+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +
| Naama Zahavi-Ely |
| Project ELI E-MAIL [email protected] |
| Yale Computer Center |
| 175 Whitney Ave |
| New Haven, CT 06520 |
| (203) 432-6600 ext. 341 |
+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +

------------------------------

Date: Thu, 15 Dec 1988 16:26:34 EST
From: Ken van Wyk <[email protected]>
Subject: generic undigestifier

Thanks to Jeff Ogata for sending in a generic undigestifier written in
C. It appears to be very standard C and compiled as-is on our Sun.
It should compile with most C compilers including WATERLOO C on IBM
VM/370 machines. The program does the following:

1) read in (via stdin) a file containing a VIRUS-L digest.
2) output individual files (digest.1, digest.2, ...), each containing
one message.
3) output a file (digest.contents) containing the table of contents
for that message.

It can also extract a specific message number from a digest. I'll
make this program available from our LISTSERV in the near future.

A couple other people have also volunteered to send in undigestifying
programs, and there is apparently one available for anonymous FTP from
SIMTEL-20.ARMY.MIL in the PD1:<MSDOS.C> directory. Thanks to everyone
who sent me info, etc.!

One person who offered to put together a small program asked what kind
of functionality would be best. That made me realize that I should've
specified something from the beginning... I don't want to sound
ungrateful to Jeff and the others who've helped; we already have a lot
more now than what we started with! But, let me point out what I'd
consider to be an ideal undigestifier for the average digest reader
(any digest, not just VIRUS-L).

An ideal undigestifier would read in table of contents of a digest and
display it on the screen. Then, it would allow the user to point at
one or more individual messages and view, extract, print, or perhaps
even invoke a text editor to generate a reply file suitable for
merging into the local mail system.

Thanks again to Jeff and the others! I hope this doesn't sound as
though your efforts aren't appreciated.

Any comments or suggestions?

Ken

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253