VIRUS-L Digest              Wednesday, 28 Jun 1989         Volume 2 : Issue 143

Today's Topics:
Other Mac viruses
Virus Identification Software
Re: Request for info on viruses (PC)
Re: Mac anti-viral archives (correction)
Vaccine/GateKeeper and old Macs
Anyone heard of this new virus ?? (PC?  No system given)
Virus attacking WP 5.0 (PC)
Mac anti-viral archives (update)
Re: virus distributed on Compuserve (Mac)

--------------------------------------------------------------------------------


Date: Mon, 26 Jun 89 13:42 EDT
From: <[email protected]>
Subject: Other Mac viruses

                                              ACSAZ@SEMASSU, 26-JUN-1989

   Hello,
Besides nVir and Scores, what other viruses are `out' for the Mac?  I
am interested in their frequency of appearance and how they can be
identified and dealt with.

               Muchos Gracias,

                                  Alex Z... . .  .

------------------------------

From: [email protected]
Subject: Virus Identification Software
Date: Sun, 25-Jun-89 22:27:13 PDT

    David Loveless and other Virus-L users have asked about virus
identification software for PC viruses.  The people at HomeBase have
put together a program called VIRUSCAN that is able to find and
identify the 53 viruses classified by Jim Goodwin in May of this year.
The program scans entire systems or individual diskettes and runs
pretty fast (1 minute for each 200 executable files).  It's shareware
and available on the HomeBase BBS - 408 988 4004.  Disinfectors for
each virus are also available.

------------------------------

Date: 26 June 1989, 16:47:06 EDT
From: David M. Chess   <[email protected]>
Subject: Re: Request for info on viruses (PC)

>                  The virus replaces command.com with a new version that
> is stored in some bad sectors on the disk.

Hm.   The "Brain" virus that I've seen changes the boot sectors
of floppy disks, not COMMAND.COM.   Are you sure about that?

DC

------------------------------

Date: Mon, 26 Jun 1989 19:03:02 CDT
From: Werner Uhrig <[email protected]>
Subject: Re: Mac anti-viral archives (correction)

       I see that the entry for RASCAL needs to be improved a little;
       please use the following:

rascal.ics.utexas.edu
       Werner Uhrig <[email protected]>
       Access is through anonymous ftp, IP number is ??.??.??.??.
       Archives can be found in /mac/virus-tools.
       Please retrieve the file 00.INDEX and review it offline.
       Due to the size of the archive, online browsing is discouraged.

------------------------------

Date: Tue, 27 Jun 89 10:45:18 PDT
From: [email protected] (Dave Platt)
Subject: Vaccine/GateKeeper and old Macs

> PS I've discovered that GateKeeper won't work on our ancient 128/512k
> Macs to stop reinfection with the dose of nVirB we have going around.
> Am I right?  If I am, any helpful suggestions?

You're probably right.  The oldest versions of the System do not scan
the System folder for INIT (Startup), RDEV (Chooser), and cdev (Control
Panel) files;  INIT resources contained in these files will not be
executed.  GateKeeper and Vaccine are both cdev files.

You _might_ be able to install a hacked-up copy of Vaccine into the
System file on your startup disk(s).  You'd need to configure Vaccine
on a more-modern machine... probably "protection on, expert display,
don't compile MPW INITs, don't show icon at startup".  Then, use
ResEdit to copy the INIT and FKDT resources from the configured copy of
Vaccine, and paste them into the System file on your startup floppy.
You could also try configuring the copy of Vaccine to display its icon
at startup time;  you'd then need to copy the ICN# resource from the
Vaccine file and add it to the System.

I haven't tried this and can't assure you that it would work... but it's
probably worth a try.  Do it on _copies_ of Vaccine and of your startup
floppy, of course!  Best of luck!

Dave Platt    FIDONET:  Dave Platt on 1:204/444        VOICE: (415) 493-8805
 UUCP: ...!{ames,sun,uunet}!coherent!dplatt     DOMAIN: [email protected]
 INTERNET:   [email protected],  [email protected]
 USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303

------------------------------

From: gany%[email protected]
Date: Tue, 27 Jun 89 22:57:37 +0300
Subject: Anyone heard of this new virus ?? (PC?  No system given)

Yesterday and today articles about a new virus appeared in an Israeli
paper (Maariv).  It seems that the virus (some sort of a TSR maybe ?)
is planting typos (i.e. typing mistakes) when printing to the printer.
It does not affect the screen or the data on disk itself.  It was even
claimed that it is a mutant of the "bouncing ball" virus.  Anyone
heard of such a virus?  Has anyone been hit by that beast - or is it just
the cucumber season again ??

Yair Gany                       School of Math. & Computer Science
  [email protected]          Tel Aviv University
  [email protected]

------------------------------

Date:         Tue, 27 Jun 89 15:45 EDT
From:         Don Kazem <[email protected]>
Subject:      Virus attacking WP 5.0 (PC)

        We have a problem here with Wordperfect 5.0 and I am not
        sure if it is a virus infection. It does look quite
        suspicious, however.

        The problem is that when WP 5.0 is loaded and users try to
        retrieve a file that was created by the same program, an
        error message appears stating that there is not enough
        storage. This is despite the fact that there is 5 Megs of
        space left. This does not happen with every file, but the
        ones that this happens to, are trashed beyond repair.

        Although, the size of the WP.EXE has not changed, the
        checksum is radically different from the copy of WP.EXE on
        the master disk.

        Has anyone encountered anything like this before?
        Do you think this could be a virus?

        DKAZEM@NAS

------------------------------

Date: 27 Jun 89 20:30:32 GMT
From: [email protected] (Jim Wright)
Subject: Mac anti-viral archives (update)

< This is an update to the listing of anti-viral archive sites for      >
< the Mac.  In the previous posting, the IP number for Sumex was wrong. >
< The other change has been the addition of SCFVM to the list.          >
<       Jim                                                             >


# Anti-viral archive sites for the Macindroids...
# Listing of 27 June 1989

cs.hw.ac.uk
       Dave Ferbrache <[email protected]>
       NIFTP from JANET sites, login as "guest".
       Electronic mail to <[email protected]>.
       Main access is through mail server.
       The master index for the virus archives can be retrieved as
               request: virus
               topic: index
       The Mac index for the virus archives can be retrieved as
               request: mac
               topic: index
       For further details send a message with the text
               help
       The administrative address is <[email protected]>

ifi.ethz.ch
       Danny Schwendener <[email protected]>
       Access is through SPAN/HEAPNET, but can also be reached using
       X.25 and modem ports (no direct dialins, though).
       Archives are in process of moving to a new machine.

pd-software.lancaster.ac.uk
       Steve Jenkins <[email protected]>
       I'm not sure of access, but you Brits ought to know by now. :-)

rascal.ics.utexas.edu
       Werner Uhrig <[email protected]>
       Access is through anonymous ftp, IP number is ??.??.??.??.
       Archives can be found in /mac/virus-tools.
       Please retrieve the file 00.INDEX and review it offline.
       Due to the size of the archive, online browsing is discouraged.

scfvm.bitnet
       Joe McMahon <[email protected]>
       Access is via LISTSERV.
       SCFVM offers an "automatic update" service.  Send the message
               AFD ADD VIRUSREM PACKAGE
       and you will receive updates as the archive is updated.
       You can also subscribe to automatic file update information with
               FUI ADD VIRUSREM PACKAGE

sumex.stanford.edu
       Bill Lipa <[email protected]>
       Access is through anonymous ftp, IP number is 36.44.0.6.
       Archives can be found in /info-mac/virus.
       Administrative queries to <[email protected]>.
       Submissions to <[email protected]>.
       There are a number of sites which maintain shadow archives of
       the info-mac archives at sumex:
       * MACSERV@PUCC          services the Bitnet community
       * LISTSERV@RICE         for e-mail users
       * FILESERV@IRLEARN      for folks in Europe

wsmr-simtel20.army.mil
       Robert Thum <[email protected]>
       Access is through anonymous ftp, IP number 26.0.0.74.
       Archives can be found in PD3:<MACINTOSH.VIRUS>.
       Please get the file 00README.TXT and review it offline.

Jim Wright
[email protected]

------------------------------

Date: Wed, 28 Jun 89 08:55:56 EDT
From: Kenneth R. van Wyk <[email protected]>
Subject: Re: virus distributed on Compuserve (Mac)

Regarding my recent query as to whether a Mac virus may have been
distributed via Compuserve at some time, I quote Dr. Fred Cohen ("On
the Implications of Computer Viruses and Methods of Defense",
Computers and Security, Vol. 7, No. 2, Pg. 169): "On the very widely
used Compuserve network, a virus was apparently planted to infect the
initialization files of the Apple MacIntosh.  This virus was designed
to put an advertisement on the screen on a particular date and then
delete itself.  It was noticed by a programmer browsing through his
system initialization files and was traced to a company that had added
a program to the Compuserve library.  The perpetrator was barred from
Compuserve 'forever'.  Compuserve has countered by providing a public
domain program that constantly runs in the background checking for
modifications to system initialization files and asks the user if
these are desired."

Thanks for all who added their input.

Ken

Kenneth R. van Wyk
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
Internet: <[email protected]>
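
Added example (not part of the original digest or of any tool it mentions): a minimal integrity check of the kind described in two messages above, the WP.EXE report where the size matched the master disk but the checksum did not, and the background checker for modified initialization files in the Cohen quote. The file names and sample bytes are constructed, and SHA-256 is an assumption standing in for whatever checksum the posters used.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path, chunk=65536):
    """Return (size, SHA-256 hex digest) of a file, read in chunks."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return size, digest.hexdigest()

def snapshot(root):
    """Map each file path (relative to root) to its fingerprint."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in Path(root).rglob("*") if p.is_file()}

def compare(master, installed):
    """Classify every file seen in either snapshot against the master."""
    report = {}
    for name in sorted(set(master) | set(installed)):
        if name not in installed:
            report[name] = "missing"
        elif name not in master:
            report[name] = "added"
        elif master[name] == installed[name]:
            report[name] = "unchanged"
        elif master[name][0] == installed[name][0]:
            # Same length, different bytes: a size check alone misses this.
            report[name] = "modified (same size)"
        else:
            report[name] = "modified (size changed)"
    return report

def demo():
    """Compare two constructed trees (sample bytes, not real program files)."""
    trees = {"master": {"WP.EXE": b"MZ" + b"\x90" * 62, "START.INI": b"a=1\n"},
             "installed": {"WP.EXE": b"MZ" + b"\xcc" * 62, "START.INI": b"a=1\n",
                           "EXTRA.INI": b"b=2\n"}}
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            Path(tmp, tree).mkdir()
            for name, data in files.items():
                Path(tmp, tree, name).write_bytes(data)
        return compare(snapshot(Path(tmp, "master")),
                       snapshot(Path(tmp, "installed")))

if __name__ == "__main__":
    print(demo())
```

The master snapshot is only trustworthy if it is taken from write-protected original media and stored away from the system being checked.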

------------------------------

End of VIRUS-L Digest
*********************