VIRUS-L Digest   Friday, 28 Jul 1989    Volume 2 : Issue 163

Today's Topics:

Vendor distribution of Jerusalem virus (PC)
Beta Testing for Flu_Shot+ (PC)
Virus Guard problems (PC)
VIRUSCAN and the 1701 virus (PC)
Re: resource fork viruses (Apple II)
do I need a doctor?
Re: Less well known viruses?
The British Computer Virus Research Centre
more on intentional viruses by software manuft.
Re: Viruscan tested.

---------------------------------------------------------------------------

Date:    Thu, 27 Jul 89 09:06:27 -0500
From:    "Mark S. Zinzow" <[email protected]>
Subject: Vendor distribution of Jerusalem virus (PC)

MetraByte Corp. shipped an ASYSTANT GPIB demo. disk with an MBC-488
card containing the Jerusalem virus to a department on campus.  We
found the program VIRUSCAN to be very useful in detecting this virus
on the four systems in that dept. it had spread to.  At this time we
have no indication of the virus spreading anywhere else on campus, but
recommend the use of VIRUSCAN as a precaution.

According to a letter from MetraByte dated July 11, 1989, ASYSTANT
GPIB demo disks shipped after May 17, 1989 may contain the virus.  In
another letter they note a possible symptom of the virus, "...a black
spot may appear on the display periodically on the upper left hand side
of the screen.  The virus blanks out a portion of the display of about
4 rows and 10 columns while in DOS or in some other application..."

We found the description of the Jerusalem virus in the file allvirus.txt
obtained from ms.uky.edu helpful in understanding the behavior of this
virus.  Does anyone know if there is a PD program that will restore exe
and com files to their original state removing the infection?

-------Electronic Mail----------------------------U.S. Mail--------------------
ARPA: [email protected]         Mark S. Zinzow, Research Programmer
BITNET: [email protected]         University of Illinois at Urbana-Champaign
CSNET: markz%[email protected]      Computing Services Office
"Oh drat these computers, they are  150 Digital Computer Laboratory
  so naughty and complex I could    1304 West Springfield Ave.
 just pinch them!"  Marvin Martian  Urbana, IL 61801-2987
USENET/uucp: {uunet,convex,att}!uiucuxc!uiucuxe!zinzow
Phone: (217) 244-1289  Office: CSOB 110 \markz%uiucvmd

------------------------------

Date:    Thu, 27 Jul 89 08:24:28 -0400
From:    "Gregory E. Gilbert" <[email protected]>
Subject: Beta Testing for Flu_Shot+ (PC)

Recently, Mr. Greenberg posted a notice he wanted beta testers for his
FluShot+.  I tried to contact him at:

[email protected]  .

The mail was returned with an unknown user:  GREENBER   .

Does anyone have a current address for Ross Greenberg?  (I am a user at a
BITNET node)

Thanks for the help and I apologize for the Public posting of private
concerns.

Gregory E. Gilbert

[Ed. Ross is on a UNIX machine, try "greenber", not "GREENBER".]

------------------------------

Date:    Thu, 27 Jul 89 09:28:00 -0700
From:    GORDON_A%[email protected]
Subject: Virus Guard problems (PC)

A friend recently installed the memory resident program Virus Guard in
his AT clone.  He then started having problems formatting his floppy
drives.  After Virus Guard was removed, the problems disappeared.  Any
comments about this?

Allen Gordon

------------------------------

Date:    Thu, 27 Jul 89 09:24:51 -0700
From:    [email protected]
Subject: VIRUSCAN and the 1701 virus (PC)


This is a forwarded message from John McAfee:

============================================================================

Christer Olsson noted that VIRUSCAN will not detect the 1701/1704 virus
in EXE files.  I originally designed the program not to check EXE files
for the 1701/1704 because the virus will not and cannot infect true EXE
programs.  If, however, you rename your COM files to EXE files, as Christer
Olsson has stated, the virus will infect.  I did not anticipate this
eventuality, and for timing purposes, scanned only COM files.   On the
assumption that there will be others who rename COM files to EXE files,
version V31 of VIRUSCAN, which checks EXE files for 1701/1704, is now
available.  It also has been modified to detect the new version of the
Icelandic.

John McAfee
VIRUSCAN available on HomeBase - 408 988 4004
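
As an added illustration (not part of the original message and not VIRUSCAN's code), the sketch below contrasts choosing files for a COM-infector check by extension with choosing them by header, since DOS loads a file as an EXE only when it begins with an EXE signature. The file names, bytes and function names are constructed for this example.

```python
# Added example: choose files for a COM-infector scan by content, not by name.
import os

EXE_MAGIC = (b"MZ", b"ZM")      # DOS EXE header signatures
EXEC_EXTS = {".COM", ".EXE"}    # extensions considered at all

def load_format(data: bytes) -> str:
    """'EXE' if the image starts with an EXE signature, else 'COM'
    (a flat memory image), regardless of what the file is called."""
    return "EXE" if data[:2] in EXE_MAGIC else "COM"

def ext_of(name: str) -> str:
    return os.path.splitext(name)[1].upper()

def by_extension(files: dict) -> list:
    """Selection that trusts the name: only *.COM is checked."""
    return sorted(n for n in files if ext_of(n) == ".COM")

def by_content(files: dict) -> list:
    """Conservative selection: check anything that is COM by header
    or by name, so a renamed COM file is not skipped."""
    return sorted(
        n for n, data in files.items()
        if ext_of(n) in EXEC_EXTS
        and (load_format(data) == "COM" or ext_of(n) == ".COM")
    )

def mismatches(files: dict) -> list:
    """Files whose extension disagrees with their header."""
    return sorted(
        n for n, data in files.items()
        if ext_of(n) in EXEC_EXTS and ext_of(n) != "." + load_format(data)
    )

# Constructed sample images (not real programs).
COM_IMAGE = b"\xE9\x10\x00" + b"\x90" * 16   # starts with a near JMP
EXE_IMAGE = b"MZ" + b"\x00" * 30             # starts with an EXE header
SAMPLES = {
    "EDIT.COM": COM_IMAGE,
    "EDIT.EXE": COM_IMAGE,    # COM file renamed to .EXE
    "WP.EXE": EXE_IMAGE,      # true EXE
    "TOOL.COM": EXE_IMAGE,    # EXE header under a .COM name
    "README.TXT": b"plain text",
}

if __name__ == "__main__":
    print("by extension:", by_extension(SAMPLES))
    print("by content:  ", by_content(SAMPLES))
    print("mismatches:  ", mismatches(SAMPLES))
```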

------------------------------

Date:    Thu, 27 Jul 89 16:22:44 -0400
From:    [email protected] (David Wright)
Subject: Re: resource fork viruses (Apple II)

       Maybe it's not that there aren't any good programmers any
more, maybe it's that they moved off IBM and Apple Machines. Take
Cap'n Crunch... Now a big Amiga hacker... All the Amiga virus programs
"get down to the metal", and use direct patches to the CPU vectors to
protect themselves. In fact, the Amiga virus showed up long before the
Mac and PC viruses (that have been in the news recently), yet got
almost no publicity...


------------------------------

Date:    27 Jul 89 21:30:41 +0000
From:    Eileen M Garland <[email protected]>
Subject: do I need a doctor?


I have a PS/2 Model 30.  Recently, some diskettes have become suddenly
unreadable.  In addition, executing WP5.0 became so slow that I erased
the exe file and copied the original back onto the hard disk.

Does this sound like some virus?  If so, what do I do next?  Please
explain in detailed, non-technical terms, if possible.  (If this
news group is the wrong place for this type of question, I apologize;
I notice that the articles seem quite technical and fairly general,
but I could sure use some help.)


------------------------------

Date:    27 Jul 89 23:07:43 +0000
From:    [email protected] (Kelly Goen)
Subject: Re: Less well known viruses?


I am passing the following message on for John McAfee of the HomeBase BBS

       There has been some confusion about the Bantam Book's "DOS
Power Tools" diskettes, and the recent Wayne State newsletter
advising purchasers of the book not to use the diskettes has
obviously concerned the editors at Bantam - and the warning is
unwarranted.
       I was originally contacted by Robert Dimsdale of the NSA in
April of this year, reporting an unusual virus.  He reported that
he 'believed' the infection came into the shop through the Bantam
book.  Subsequent reports from two separate organizations also
indicated the 'possibility' of infection from the book.  The
reports were placed on the HomeBase board as routine notes for the
HomeBase researchers tracing down the Missouri virus.  I contacted
Bantam Books to report the possible occurrences, and their research
at that time indicated that the reported infections were caused by
agents other than the book.  I concurred.  The original Dimsdale
diskette was destroyed before it could be analyzed, and the hard
disk was low level reformatted.  Both other reports yielded no
analyzable sample.
       I have spoken twice with Steve Guty of Bantam today, and he
tells me that Bantam has sold over 200,000 copies of the book and
accompanying diskette.  With this number of copies in circulation,
it is entirely reasonable to expect multiple occurrences of pre-
existing infection in a system which activate on or about the time
that the Power Tools diskette is installed.  The user might then
equate the virus activation with installation of the diskette, even
though the virus may have been in the system for weeks or months
prior to the installation of the Power Tools diskette.  This
happens hundreds of times each month with other software packages.
Rarely, in these cases, has the virus involved actually been
introduced with the diskette that was suspected by the system user.
       Given the wide circulation of the Bantam book, it is highly
unlikely that it could contain a virus without overwhelming numbers of
infection occurrences being reported.  Also, sample copies of the book
purchased around the country by researchers have shown no indication
of infection.  The Wayne State newsletter recommendation, in my
opinion, should be ignored.  The Bantam Book software appears as safe
as any vendor supplied software.

Disclaimer: Neither Amdahl Corp, Onsite Consulting nor CSS Inc.
            have any comment on the above data, nor is any claim
            or warranty made, given, expressed or implied as to
            the accuracy or content of the above data.  The e-mail was
            passed as a courtesy to Interpath and as a Public
            Service Message to clear misconceptions the net may
            have had about the above subject matter.

------------------------------

Date:    Thu, 27 Jul 89 19:31:00 -0400
From:    [email protected]
Subject: The British Computer Virus Research Centre

I am not yet ready to institutionalize viruses.  The rush to do so
strikes me as unseemly opportunism.

I recognize the need to do research and the value of the work done to
date.  However, that work demonstrates that it can be done in existing
institutions with broad and noble missions.  Narrow, specialized
institutions are not required.  Their creation runs the risk of
establishing the very behavior that they rightfully resist.

____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
Ernst & Young                           ARPA: WHMurray @ DOCKMASTER
2000 National City Center               MCI-Mail: 315-8580
Cleveland, Ohio 44114                   TELEX: 6503158580
                                       FAX: 203-966-8612
21 Locust Avenue, Suite 2D              Compu-Serve: 75126,1722
New Canaan, Connecticut 06840           TELEMAIL: WH.MURRAY/EWINET.USA


------------------------------

Date:    Thu, 27 Jul 89 18:10:00 -0500
From:    Gordon Meyer <[email protected]>
Subject: more on intentional viruses by software manuft.

A number of weeks ago somebody posed a question about software
companies releasing viruses, on purpose, in order to protect
their rights.  At that time I responded with a reference to
an article where a software author reportedly did know of several
(or at least some) companies that were doing so.  Obviously the
sources for such information were not disclosed.
I received a few flames for mentioning the article, but mostly
from industry mouthpieces that wanted to emphatically deny such
a thing was happening.

Well...yet another "industry insider" has hinted that such things
are happening:

Home-Office Computing. August 1988. Page 80.  In a games preview
column the author states that some companies have developed
"virus protection" for their programs.... this "virus protection"
is designed to discourage crackers from re-engineering the program
code to remove copy protection.

That's all it says....very vague and could very well be another
case of "virus" being used in the wrong context. But, the blurb
does indicate that companies are doing so "secretly" and don't
want folks to know about it.

Again, turn off the flame throwers.  I'm not saying such things
*are* going on....just that there are indications that it *may*
be.  Screaming "no way" is ignoring the potential and fails to
account for these rumours.

-=->G<-=-

------------------------------

Date:    27 Jul 89 23:59:32 +0000
From:    [email protected] (Kelly Goen)
Subject: Re: Viruscan tested.


In article <[email protected]>, [email protected] (CHRISTER OLSSON) writes:
> I tested VIRUSCAN but it can't find 1701/1704 (Cascade) virus in files
> with EXE-extension. If you rename a COM-file to an EXE-file, the 1701
> virus infected the file but VIRUSCAN doesn't check the file because
> VIRUSCAN only searches COM-files for the 1701/1704 (Cascade) -virus.

According to John McAfee at HomeBase and my own research the 1701 and
1704 viruses are COM infectors only at this point... not exe!!!
                    hope this clears up any misconceptions
                    cheers
                    kelly


------------------------------

End of VIRUS-L Digest
*********************