VIRUS-L Digest   Monday, 21 Aug 1989    Volume 2 : Issue 178

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

Today's Topics:

Basic Virus Questions (PC)
NEW VIRUS DICOVERED AND DISASSEMBLED
Fixing Disinfectors/Virus Finders

---------------------------------------------------------------------------

Date:    18 Aug 89 10:52:00 -0400
From:    "Andrew R. D'Uva" <[email protected]>
Subject: Basic Virus Questions (PC)

After hearing quite a bit about viruses, particularly the Internet
'Worm' of November, 1988, I have a few questions concerning prevention
of virus infiltration on IBM PCs/clones using MS-DOS 3.3x or 4.01.

1) Is the possibility of virus infection limited to executable
  programs (.com or .exe extensions)? Or can an operating system be
  infected from reading a document file or graphic image?

2) Are there generic "symptoms" to watch for which would indicate a virus?

3) Any suggestions on guidelines for handling system archiving
  procedures so that an infected system can be "cleaned up"?

  Thanks for the help.

  Andrew D'Uva
  Jnet--->           ADUVA@GUVAX
  Internet--->       [email protected]

------------------------------

Date:    Fri, 18 Aug 89 19:07:11 -0500
From:    Christoph Fischer <RY15%[email protected]>
Subject: NEW VIRUS DICOVERED AND DISASSEMBLED


We just finished to disassemble a new virus, it was sent to us by the
university of Cologne. We haven't found any clue that this virus showed
up before.
Here are the facts we found:
  0. It works on PC/MS-DOS ver. 2.0 or higher
  1. It infects COM files increasing them by 1206 to 1221 bytes
     (placing the viruscode on a pragraph start)
  2. It infects EXE files in two passes: After the first pass the EXE
     file is 132 bytes longer; after the second pass its size increased
     by an aditional 1206 to 1221 bytes (see 1.)
  3. The virus installs a TSR in memory wich will infect executable
     files upon loading them (INT 21 subfunction 4B00) using 8208 bytes
     of memory
  4. The only "function" we found, was an audible alarm(BELL character)
     whenever another file was successfully infected.
  5. It infects COM files that are bigger than 04B6h bytes and smaller
     than F593h bytes and start with a JMP (E9h)
  6. It infects EXE files if they are smaller than FDB3 bytes (no
     lower limit)
  7. It opens a file named "VACSINA.   " without checking the return
     value. At the end it closes this file without ever touching it.

The facts 4 and 7 make us belive it is a "Beta-Test" virus that might
have escaped prematurely by accident.
The word VACSINA is really odd beause of its spelling. All languages I
checked (12) spell it VACC... only Norwegians write VAKSINE. Has anybod
an idea?
We produced an desinfectant and a guardian.
The PC room at Cologne (28 PCs) was also infected by DOS62 (Vienna)|
We call the virus VACSINA because of the unique filename it uses|

      Chris & Tobi & Rainer
*****************************************************************
* TORSTEN BOERSTLER AND CHRISTOPH FISCHER AND RAINER STOBER     *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************

------------------------------

Date:    Fri, 18 Aug 00 19:89:35 +0000
From:    [email protected] (Ross M. Greenberg)
Subject: Fixing Disinfectors/Virus Finders


To Mr. McAfee:  (Hi John!)

Simply do what I do: encrypt the string you're looking for yourself,
then decrypt it when you first run the program.  Works like a champ
here....

Sheesh!  Do i have to tell my competition everything?  :-)

Ross


------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.