VIRUS-L Digest              Friday, 20 Jan 1989         Volume 2 : Issue 20

Today's Topics:
Friday the 13th virus
re: PC Viruses
RE: Any connection between ping-pong virus and Word Perfect? (PC)
re: PDP Virus
UK virus information server

---------------------------------------------------------------------------

Date:  Fri, 20 Jan 89 08:28:50 EST
From:  "John P. McNeely" <[email protected]>
Subject: Friday the 13th virus

    I read this on the RISKS discussion list concerning the rumors of
    the Friday 13th virus.

- ---------------------------Original message----------------------------

Date: Wed, 18 Jan 1989 22:28:34 PST
From: Peter Neumann <[email protected]>
Subject: Friday the 13th Again

There were various reports of Friday-the-13th virus deletions in
Britain, attacking MS-DOS systems.  The so-called virus "has been
frisky and hundreds of people, including a large firm with over 400
computers, have telephoned with their problems," according to Alan
Solomon, director of S and S Enterprises, a data recovery center in
Chesham.  The virus reportedly bore similarities to the Friday the
13th Israeli virus (13 May 1988, the previous Friday the 13th).
[Source: SF Chronicle, 14 Jan 1989, p. B1]

------------------------------

Date:        20 January 89, 15:01:30 +0100 (MEZ)
From:        Otto Stolz <[email protected]>
Subject:     re: PC Viruses

First Main Proposition of Virus Hunting: Every program designed to
catch viruses can be circumvented by virus-writers who know its
principles of operation.

Second Main Proposition of Virus Hunting: Every virus can be caught
and prevented from further propagating, if its principles of operation
are known.

> Does anyone know where we can get a program which either runs resident
> on a PC and prevents viruses from attacking the hard disk

According to the above 1st Proposition, there is no such thing!
However, you may obtain programs to prevent particular virus strains
from propagating to your hard disk, e.g. IMMUNE for 4 Israeli strains.

To prevent Boot-Sector-Viruses from propagating, you can buy SafeGuard
cards for your PCs, to prevent booting from floppy disks, altogether.
Proceed thus: boot from a clean, original DOS diskette, format your
hard disk, re-install software on it, and then install the SafeGuard
card (do not allow for further booting until you've completed these
steps).

> or non-resident programs which detect the presence of a virus?

Again, there is no such thing!  The best option you have: To detect
COM- and EXE-viruses, write your own program to compute some signature
value from all bytes in a file and compare it with a value obtained
earlier in the same way.  Lock away the source of your program and
every hint on its algorithm in a safe place, and apply it regularly
to every program file you use (including itself).

I hope that helps
                 Otto Stolz

[Ed. Fred Cohen has an interesting way of phrasing your two
propositions - "There ain't a horse that can't be rode or a man that
can't be throwed."]
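
An added example (not from the original message or the digest) of the check described above: compute a signature over every byte of each COM/EXE file and compare it with the value recorded earlier. It substitutes HMAC-SHA256 with a secret key for a home-written secret algorithm; the key, file names and file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

PROGRAM_EXTS = (".com", ".exe")  # the file types the message names


def file_signature(path, key):
    """Keyed signature over every byte of the file (HMAC-SHA256)."""
    with open(path, "rb") as fh:
        return hmac.new(key, fh.read(), hashlib.sha256).hexdigest()


def take_baseline(root, key):
    """Map each program file under root to (size, signature)."""
    baseline = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PROGRAM_EXTS):
                path = os.path.join(folder, name)
                baseline[os.path.relpath(path, root)] = (
                    os.path.getsize(path), file_signature(path, key))
    return baseline


def compare(old, new):
    """Return {path: finding} for every file that differs from the baseline."""
    findings = {}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings[path] = "missing"
        elif path not in old:
            findings[path] = "new file"
        elif not hmac.compare_digest(old[path][1], new[path][1]):
            findings[path] = "changed (%+d bytes)" % (new[path][0] - old[path][0])
    return findings


def demo():
    """Constructed sample: two fake program files, one grows between scans."""
    key = b"constructed-demo-key"  # assumption: real key is kept off the checked machine
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("EDIT.COM", b"\x90" * 300), ("CALC.EXE", b"MZ" + b"\x00" * 500)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        before = take_baseline(root, key)
        with open(os.path.join(root, "EDIT.COM"), "wb") as fh:
            fh.write(b"\xcc" * 64 + b"\x90" * 300)  # stand-in for prepended code
        return compare(before, take_baseline(root, key))
```

The baseline and the key have to live somewhere the checked machine cannot write to; otherwise whatever alters a program file can also recompute the stored signatures.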

------------------------------

Date:     Fri, 20 Jan 89  16:12:59 MET
From:     <[email protected]>  (Dirk Bode)
Subject:  RE: Any connection between ping-pong virus and Word Perfect? (PC)

Eldad's Word Perfect problem sounds much like the problem we had at our
Computer Center. It is produced by a little memory-resident virus
which infects every COM or EXE file without damage, except WP 4.2!!
Now, how can you detect this virus? First look at your memory
residents (with MAPMEM or such tools). After the virus is
installed, there is a new program (nearly 1700 bytes). Every time you
execute a program, the virus copies itself to the beginning of this
file. If you execute an infected file, the virus first checks whether
it's already installed, then executes the normal program. So, if you
get this virus, you may never recognise it until you use a copy of Word
Perfect 4.2: after infection you can't work from a HD.  If somebody is
interested in a program to check if a file is already infected, send me
a note!

Dirk Bode
Regionales Rechenzentrum Erlangen
[email protected]

------------------------------

Date:     Fri, 20 Jan 89 10:55 EST
From:     <[email protected]>
Subject:  re: PDP Virus

Thomas,

Oh, the memories that brings back.

You neglected to mention that the "PDP" was a "PDP-10".  There are
lots of other PDPs in the world: PDP-11s and PDP-8s are still widely
used. PDP-10s have mostly gone the way of all good things. CompuServe
is still using a lot of them, but they don't run TOPS-10.

The program may have mutated since the last time I saw it (about 10
years ago), but here is what I remember.  The program you describe was
neither a "virus" nor a "worm" in the current senses of those terms.
Probably the closest term would be "trojan horse".

The "cookie" program was a privileged program running under TOPS-10.
It was usually run by one "friend" to annoy another.  It used a
privileged "ttcall" (TOPS-10 terminal I/O call) to allocate the
victim's terminal and would pester him or her mercilessly until either
the victim "fed" it a "cookie" or the perpetrator exited the program.
The computer's "system manager" had to be involved, since the program
needed to be "installed" (the Tops-10 terms were somewhat different),
so the program wasn't entirely uncontrollable.

Ah, those were the good old days: when 0.25 MIPS mainframes took up an
entire room, large disk drives were 20 MegaBytes, and you couldn't
afford more than 256KBytes of core memory.

Thanks for the nostalgia.

Selden E. Ball, Jr.
(Wilson Lab's network and system manager)

Cornell University                 Voice: +1-607-255-0688
Laboratory of Nuclear Studies        FAX: +1-607-255-8062
Wilson Synchrotron Lab            BITNET: SYSTEM@CRNLNS
Judd Falls & Dryden Road        Internet: [email protected]
Ithaca, NY, USA  14853       HEPnet/SPAN: LNS61::SYSTEM = 44283::SYSTEM

------------------------------

Date:       Thu, 19 Jan 89 14:28:52 GMT
From:       The Heriot-Watt Info-Server <[email protected]>
Subject:    UK virus information server

UK redistribution list and archive server

For the information of other UK and European members of the virus-l
list, there is now a UK redistribution of the valert-l and virus-l
lists from Heriot-Watt University, Edinburgh.

The virus-l redistribution currently has 42 members, 14 of which are
academic site or company central redistribution points.

There is also an information server located at Heriot-Watt which
currently holds:

1. All back issues of the virus-l list (in digest form from November, in
  monthly or weekly log form from April)
2. Copies of the Trojan-PRO software from the RPICICGE archives
3. Copies of the LEHIIBM1 listserver software archives
4. Copies of the SCFVM listserver MAC software archives
5. Risks digests from November onwards
6. Various documentation on viruses, worms etc., e.g. Gene Spafford's report
  on the internet worm.

The information server is similar to the UK distributed information servers
and takes requests in the form of a mail message to the server mail
address <[email protected]>

For help on the use of the server send a mail message with the request help, eg

request: help

For an index of the topics available send,

request: index
topic: index

For a list of all virus information available, send

request: virus
topic: index

If anyone has any reports or software which they would like to appear on this
server please feel free to send them to <[email protected]>. Updates on new
items will be posted to the UK redistribution list. Any European subscribers
who wish to be kept informed of software availability please drop me a note.

Finally, if anyone has a binhex 4.0 conversion utility running under unix
I would dearly like a copy.

Yours sincerely,
  Dave Ferbrache,                          <[email protected]> [Janet]
  Dept of computer science                 <[email protected]> [Internet]
  79 Grassmarket                           (UK) 031-225-6465 ext 553
  Edinburgh. EH1 2HJ

[Ed. Thanks for all your time and effort, Dave!  It is much
appreciated.]

------------------------------

End of VIRUS-L Digest
*********************