VIRUS-L Digest   Tuesday, 22 Aug 1989    Volume 2 : Issue 179

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

Today's Topics:

Swap Virus (PC)
DEMO Software Disk Infected (Jerusalem, Version B) (PC)
Hygiene Questions
New German Virus (PC)

---------------------------------------------------------------------------

Date:    Mon, 21 Aug 89 09:47:00 -0500
From:    Craig Minton <[email protected]>
Subject: Swap Virus (PC)

I just received my bitnet account about a month ago and just subscribed
to this list about a week ago.  In the past week, I have seen the Swap
Virus mentioned several times.  Since I'm sure that it has already been
discussed a lot on this list, I would appreciate any information on it
that I could get.  Please send this to me personally unless you feel
it hasn't been discussed enough or something new is going on with it.
               Thanx,
                  Craig

------------------------------

Date:    Mon, 21 Aug 89 11:32:19 -0500
From:    [email protected]
Subject: DEMO Software Disk Infected (Jerusalem, Version B) (PC)

A research and development lab located at Ft. Belvoir, Virginia had
their PCs infected with the Jerusalem, Version B, Virus.  Further
investigation uncovered that the virus entered the lab through a DEMO
software disk from ASYST Software Technologies supplied with an
IEEE-488 board from METROBYTE.  The infected program is RTDEMO2.EXE.

In a conversation with Mr. Dave Philipson from ASYST, to the best of
his knowledge, 50 to 100 copies of the infected software were
released.  The infection entered their facility through software
received from their parent company in England.

Mr. Brent Davis of METROBYTE informed me that the DEMO disk was
supplied with three (3) of their products; MBC-488, IE-488 and
UCMBC-488.  METROBYTE is in the process of contacting all purchasers
of these products.

Many thanks to Mr. John McAfee for his assistance, SCAN34 which was
used to identify the type of virus, and M-JRUSLM which was used to
eradicate the virus.

Both ASYST and METROBYTE were extremely helpful and responded
expeditiously to the problem.  Many thanks to Mr. Brent Davis and Mr.
Dave Philipson for their action and assistance.

************** From the Desk of Mr. James M. Vavrina **************
*            Comm 202-355-0010/0011  AV 345-0010-0011             *
*                  DDN [email protected]                  *
*******************************************************************

------------------------------

Date:    Mon, 21 Aug 89 13:36:00 -0400
From:    [email protected]
Subject: Hygiene Questions


>1) Is the possibility of virus infection limited to executable
>   programs (.com or .exe extensions)? Or can an operating system be
>   infected from reading a document file or graphic image?

While a virus must succeed in getting itself executed, there are a
number of solutions to this problem besides infecting .exe and .com.
While it will always be sufficient for a virus to dupe the user, the
most successful ones are relying upon bootstrap programs and loaders
to get control.

>2) Are there generic "symptoms" to watch for which would indicate a
>   virus?

Any unusual behavior may signal the presence of a virus.  Of course
most such unusual behavior is simply an indication of user error.
Since there is not much satisfaction to writing a virus if no one
notices, most are not very subtle.  However, the mandatory behavior
for a successful virus is to write to shared media, e.g., floppy,
diskette, network, or server.  (While it may be useful to the virus or
disruptive to the victim to write to a dedicated hard disk, this is
not sufficient for the success of the virus.)

>3) Any suggestions on guidelines for handling system archiving
>   procedures so that an infected system can be "cleaned up"?

WRITE PROTECT all media.  Preserve vendor media indefinitely.  Never
use the backup taken on one system on any other.  Be patient when
recovering; be careful not to reinfect.  (Computer viruses are
persistent on media.)

Quarantine systems manifesting strange behavior.  Never try to
reproduce symptoms on a second machine.  Never share media
gratuitously.  (Note that most PC viruses are traveling on shared
MEDIA rather than on shared PROGRAMS.)

____________________________________________________________________
William Hugh Murray                     216-861-5000
Fellow,                                 203-966-4769
Information System Security             203-964-7348 (CELLULAR)
                                       ARPA: WHMurray@DOCKMASTER
Ernst & Young                           MCI-Mail: 315-8580
2000 National City Center               TELEX: 6503158580
Cleveland, Ohio 44114                   FAX: 203-966-8612
                                       Compu-Serve: 75126,1722
                                       INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D              DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840           PRODIGY: DXBM57A
- --------------------------------------------------------------------

------------------------------

Date:    Mon, 21 Aug 89 14:49:57 -0700
From:    [email protected]
Subject: New German Virus (PC)

This is a forward from John McAfee:
=============================================================================

   The VIRUSCAN version V35 now identifies the virus reported by
C. Fischer in Germany.  As always, the trickiest problem is the name.  We
can't very well use the host program length increment as the nomenclature
this time because the length can change anywhere from 1206 to 1353 bytes
(1206 min for COM files; 1221 + 132 max for EXE files).  Using the bell sound
as a name is questionable since the virus appears to be a prototype version
and it seems likely that the bell sound may be removed and replaced in the
final? version.  I don't like using Vacsina as the name because it is a data
string that can be trivially changed without materially affecting the virus.
However, conversations with Chris Fischer indicate that he wishes to call the
virus Vacsina, so that's what VIRUSCAN displays when the virus is present.

P.S. We are still struggling over the name of the "Israeli Boot/
Swap/Fat 12/Whatever" virus reported by Yuval Tal.  Y. Radai is adamant that
it be called the Swap virus.  However, no-one that I am aware of has been
able to make the "Swap..." message reported by Yuval replicate onto
another diskette.  When the virus replicates, the area reported by Yuval to
contain the message insists on transferring itself as binary zeros.  It seems
to me that someone merely placed the text message into the virus thinking
that it would replicate along with the virus.  Until I am further
enlightened, I think that the VIRUSCAN descriptor for this virus should
remain as is.
John McAfee

------------------------------

End of VIRUS-L Digest
*********************