VIRUS-L Digest   Thursday, 14 Sep 1989    Volume 2 : Issue 192

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

Today's Topics:

Detecting/fighting the DOS-62/UNESCO virus (PC)
Dirty-Dozen list
virus mania
Datacrime viruses (PC)
12th National Computer Security Conference
DataCrime Virus Worries (PC)

---------------------------------------------------------------------------

Date:    Wed, 13 Sep 89 16:54:21 +0000
From:    [email protected] (Soren Altemark)
Subject: Detecting/fighting the DOS-62/UNESCO virus (PC)

My MS-DOS system has been infected by some virus. From descriptions of
known viruses I think that the one I've been attacked by is DOS-62
or UNESCO virus. COM files infect (~+650 bytes) COM files only and
randomly make infected files initiate a warm-boot.

I just want to know if someone out there knows the details of this
virus and if there is any program that can help identify infected
files and otherwise give me guidelines on how to fight the virus.

Thanks,

       Soren

Soren Altemark, Swedish Institute of MicroElectronics, IM
PO Box 1084, S-164 21 KISTA, SWEDEN, Phone: +46 8 7521173, Fax: +46 8 7505430
E-mail: [email protected] or {uunet,mcvax,munnari,ukc,unido}!sunic!nmpcad.se!sal

------------------------------

Date:    Wed, 13 Sep 89 10:06:54 -0700
From:    [email protected] (SHIP O' SHRIMP)
Subject: Dirty-Dozen list

Does anyone have any information about the Dirty Dozen virus/trojan
list?  An issue (perhaps the only issue) came out on 5/5/88 and
is in the virus-L filelist under the name DIRTY.DOZEN.  The list
intimates that regular issues of it would be published.  However,
I have found no further issues, and the BBS number of the author (who
asks to be contacted by BBS) is no longer in service.

- Chris Gorman
 [email protected]/[email protected]

------------------------------

Date:    Wed, 13 Sep 89 12:54:10 -0500
From:    Jim Ennis <JIM%[email protected]>
Subject: virus mania

Hello,

 I saw a short piece on the CNN 30 minute news show this morning
about the October 12th virus.  They did point out that only a few
people may be affected by this virus.

Jim Ennis
UCF Computer Services

------------------------------

Date:    Wed, 13 Sep 89 11:04:43 -0700
From:    [email protected]
Subject: Datacrime viruses (PC)

Since there is sudden increased media attention concerning a "Columbus
Day" virus, including warnings being sent out nationwide by government
agencies, it may be time to mention again (VIRUS-L V2 #174) that the
McAfee Associates VIRUSCAN V36 does successfully locate instances of
the 1168 and 1280 (DATACRIME) virus.

In addition to detecting the apparently original versions, which format
cylinder 0 of a hard disk on or after October 13, the scan string in
VIRUSCAN will locate the same viruses with a minor change, specifically,
a different activation date.

I used the network version of VIRUSCAN on a Novell network to search
for and successfully locate a program infected with the 1168 virus.
Only those network server areas normally accessible to the person
running the program are checked, so it should be run by someone with
appropriate privileges.

The Homebase BBS number for VIRUSCAN (SCANV36.ARC) is 408-988-4004.

For those who cannot obtain a copy of VIRUSCAN, and wish to use a
program similar to Norton Utilities to search for these viruses, the
search strings used by VIRUSCAN are the following:

1168   EB00B40ECD21B4

1280   00568DB43005CD21

These identifying strings are supplied with the permission of Mr. McAfee.

Charles M. Preston                       907-344-5164
Information Integrity                    MCI Mail  214-1369
Box 240027                               BIX  cpreston
Anchorage, AK  99524                     [email protected]
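
[Added example, not part of the original message and not VIRUSCAN's code: a minimal Python scanner that searches files for the two scan strings quoted above, for use on an extracted disk image or file archive. The function names and the chunked-read approach are assumptions of this example.]

```python
import os

# Scan strings quoted in the message above, keyed by the virus names it uses.
SIGNATURES = {
    "1168": bytes.fromhex("EB00B40ECD21B4"),
    "1280": bytes.fromhex("00568DB43005CD21"),
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return [(name, offset), ...] for every signature occurrence in data."""
    hits = []
    for name, sig in signatures.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path, signatures=SIGNATURES, chunk_size=64 * 1024):
    """Scan a file in chunks; an overlap catches matches that straddle chunks."""
    overlap = max(len(sig) for sig in signatures.values()) - 1
    hits, tail, base = set(), b"", 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for name, offset in scan_bytes(window, signatures):
                hits.add((name, base + offset))  # set drops overlap duplicates
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return sorted(hits, key=lambda hit: hit[1])


def scan_tree(root):
    """Walk a directory tree; return {path: hits} for files with any match."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                found = scan_file(path)
            except OSError:
                continue  # unreadable file: skipped here, worth logging in practice
            if found:
                report[path] = found
    return report
```

A match means only that the byte string is present at that offset; with strings this short, a hit is a lead to examine, not a confirmed infection. Files the scanning account cannot read are skipped, which is the same privilege limitation the message describes for the network scan.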

------------------------------

Date:    Wed, 13 Sep 89 15:34:00 -0400
From:    Jack Holleran <[email protected]>
Subject: 12th National Computer Security Conference

Information:   12th National Computer Security Conference

Registration:   12th National Computer Security Conference
               c/o Office of the Comptroller
               National Institute of Standards and Technology
               A807, Administration Building
               Gaithersburg, MD  20899

Dates:  October 10-13, 1989

Place:  Baltimore Convention Center

Payment:  $150.00 before September 25, 1989
         $175.00 after September 25, 1989

Conference hotels in area, single cost, and local phone numbers:
     Hyatt Regency           $99.00      (301) 528-1234
     Days Inn Inner Harbor   $59.00      (301) 576-1000
     Holiday Inn             $69.00      (301) 685-3500
     Baltimore Marriott      $79.00      (301) 962-0202
     Radisson Plaza          $80.00      (301) 539-8400
     Best Western Hallmark   $52.00      (301) 539-1188

Additional information:  Tammie Grice  (301) 975-2775

Payment:  Mastercard, VISA, checks, money orders, training or purchase
            requests.  (payment to "National Institute of Standards and
            Technology/Computer Security Conference")

------------------------------

Date:    13 Sep 89 00:00:00 +0000
From:    [email protected]
Subject: DataCrime Virus Worries (PC)

I think the reason that people are writing/talking so much about the
DataCrime viruses, despite the fact that they seem to be much rarer
than say the Jerusalem, is simply that they're so much more
*destructive*.  If we're just counting infections, one JV infection
equals one DataCrime infection.  But if we're counting the actual
destruction wreaked, a Jerusalem infection is comparatively mild (some
EXE and COM files to be restored/recovered), compared to a worst-case
DataCrime activation (large numbers of hard disks with cylinder 0
gone, and all the data unreachable).  I suspect that's the basis for
the apparently disproportionate worry; I'm not saying it's necessarily
-warranted-, just suggesting an explanation...  DC

------------------------------

End of VIRUS-L Digest
*********************