VIRUS-L Digest             Wednesday, 8 Feb 1989        Volume 2 : Issue 40

Today's Topics:
Re: Info on How To Book
Dormant Viruses (Mac & general)
Virus susceptibility (Mac)
Re: CTRL-ALT-INS rebooting (PC)
Virus Technical Report

---------------------------------------------------------------------------

Date:         Wed, 08 Feb 89 15:42:01 MEZ
From:         Konrad Neuwirth <[email protected]>
Subject:      Re: Info on How To Book

I know a German book called "Das Grosse Computervirenbuch" by a guy
called Ralf Burger and published in Germany by Data Becker.  The people
responsible for bringing the Data Becker things to America are Abacus
Software. I don't have the address handy but can send it to you if you
want. I just got to look for it....

-Konrad

[Ed. Thanks for the info.  I trust that the version in America has
been translated?  I suppose that it's arguably a good idea to send
information like this over the nets, but I feel that once a book like
this has been published, any damage is already done.  I think that it
is certainly worth _our_ while to read books/publications/etc. like
this for our own protection, if nothing else.  Suggestions?]

------------------------------

Date:         Wed, 08 Feb 89 13:15:54 EST
From:         Joe McMahon <[email protected]>
Subject:      Dormant Viruses (Mac & general)

The Scores/nVIR/Hpat/INIT 29 viruses can all be found, whether or not
there is dormancy code in them, because the resources which define the
viruses are detectable.

This is what's so bad about the new ANTI virus; that sucker just
munges itself into your code -- no detectable resources, no virus
(from the current detectors).

--- Joe M.

------------------------------

Date:         Wed, 8 Feb 1989 14:13 EST
From:         Bruce Ide <[email protected]>
Subject:      Virus susceptibility (Mac)

    Just by reading through this discussion, I see that the Apple Mac
seems to be struck more by viruses than any other computer. Is this
true, or do we just have a lot of Mac users here? Also, what makes the
Mac environment so susceptible to these viruses?

                                    -Grey Fox

------------------------------

Date:         Wed, 08 Feb 89 14:35:38 EST
From:         Neil Goldman <[email protected]>
Subject:      Re: CTRL-ALT-INS rebooting (PC)

Brent Ingerman responds to a question about *physically* preventing
the computer from booting from the A drive.  Zenith PCs have a 'setup'
screen which is accessed via CTRL-ALT-INS.  One of the options is to
specify the drive from which to boot.

Problems: 1. Any user having knowledge of the 'setup' screen could reset
             the boot drive to A.

          2. Any user NOT having knowledge of the 'setup' screen could
             (and most likely would) find it 'by accident' when s/he,
             intending to press CTRL-ALT-DEL, presses CTRL-ALT-INS.

          3. This fix is software-based.  So here we return to the
             system-specific virus controversy, which I will not rehash here.

I do not have the technical expertise to answer the *original*
question of a *hardware* modification which would prevent booting from
drive A.

Any ideas?

--------------------------------------------------------------------
Neil A. Goldman                        [email protected]

Replies, Concerns, Disagreements, and Flames expected.
Mastercard, Visa, and American Express not accepted.
Acknowledge-To: <NG44SPEL@MIAMIU>

------------------------------

Date:       Wed, 8 Feb 89 19:03:34 GMT
From:       David.J.Ferbrache <[email protected]>
Subject:    Virus Technical Report

      -------------------------------------------------------------
      A review of the threat to the security and integrity of
      microcomputer systems posed by self-replicating code segments
      -------------------------------------------------------------

I am in the process of compiling information on existing computer
viruses, with a view to the production of a technical paper reviewing
the threat to system security posed by both present computer viruses
and likely future developments.

To this end I would be very grateful for information on individual
infections, preferably detailing the symptoms observed, damage caused
and disinfection techniques applied. Naturally I am also interested in
details of the operation of the viruses, although I appreciate the
reticence shown by infected parties to disseminate any details of
virus operation, on the basis that it could lead to development of
further viruses.

The technical report is part of a Doctoral research thesis in computer
security, and will be available in late May. Distribution of the
technical report will be restricted to people who have a legitimate
interest (i.e. systems managers, commercial concerns, research), as I
expect to review the techniques exploited by viruses in a fair degree
of detail at the BIOS/DOS interface level. The report will consider
the techniques used by viruses to duplicate, the ways in which viruses
gain control of the computer system, the camouflage techniques adopted
and a brief overview of the existing computer viruses. Finally the
report will consider the likely development of the threat from
viruses, and how this developing threat can be addressed by protective
software in both virtual and non-virtual machine operating
environments.

At the moment I know of the following viruses:

IBM PC MS/DOS
1. Lehigh variant 1 and 2              2. New Zealand (stoned)
3. Vienna (Austrian, 648)              4. Blackjack (1701, 1704)
5. Italian (Ping Pong)                 6. Israeli variant 1 (Friday 13th, 1813,
                                         PLO, Jerusalem), variant 2, variant 3
                                         (April 1st), variant 4
7. Brain (Pakistani) and variants      8. Yale

Also potentially variants of the Rush Hour and VirDem viruses developed
during the CCC's work on viruses.

APPLE MAC
1. NVir variant A and B, Hpat           2. Scores
3. INIT 29                              4. ANTI
5. Peace (MacMag)

APPLE II
1. Elk

AMIGA
1. SCA                                  2. Byte Bandit
3. IRQ

ATARI ST
1. Boot sector                          2. Virus construction set viruses

Mainframe OS worms
1. Internet worm                        2. DECNET worm
3. BITNET Xmas chain letter

I would be grateful for any information on these, or any other
viruses.  Reports of infection may be given in confidence, in which
case they will only be used as an indication of geographical
distribution of infection.

A summary of known viruses, their symptoms, geographic distribution
and known disinfection measures will be posted to the list as soon as
sufficient information is available to prepare an interim report.

As part of the paper I will also be reviewing the effectiveness of
viral disinfection software, and would thus be interested in details
of any software you use, its effectiveness, and availability.

Thanks for your time!

For those interested here is a summary of a few of the virus reports
published on virus-l and usenet,

  Subject, author and date                     Virus      Virus-l issue

  THE AMIGA VIRUS - Bill Koester (CATS)        SCA        LOG8805
      comp.sys.amiga, 13 November 1987

  New Year's Virus Report - George Robbins     IRQ
      1 January 1989, comp.sys.amiga

  The Elk Cloner V2.0 - Phil Goetz             ELK
      26 Apr 1988

  THE ATARI ST VIRUS - Chris Allen             ATARI ST
      22 March 1988, comp.sys.atari

  Features of Blackjack Virus, Otto Stolz      BLACKJACK  v2.24
      24 Jan 1989

  Comments on the "(c) Brain" Virus            BRAIN      LOG8805
      Joseph Sieczkowski, Apr 1988

  Brain and the boot sequence, Dimitri Vulis   BRAIN      v2.5
       5 Jan 1989

  The Israeli viruses, Y.Radai                 ISRAELI    LOG8805
      2 May 1988

  VIRUS WARNING: Lehigh virus version II       LEHIGH v2  v2.35
      Ken van Wyk, 3 Feb 1989

  The Ping-Pong virus, Y.Radai                 ITALIAN    v2.18
      17 Jan 1989

  Known PC Viruses in the UK and their effects MOST PC    v2.23
      Alan Solomon, 1989

  Yale Virus Info, Chris Bracy,                YALE       LOG8809a
      2 Sep 1988

  New Macintosh Virus, Robert Hammen           ANTI
      comp.sys.mac, 7 Feb 1989

  Hpat virus-it is a slightly modified nVIR    HPAT
      Alexis Rosen, comp.sys.mac, 7 Jan 1989

  INIT 29: a brief description,                INIT 29    v2.18
      Joel Levin, 18 Jan 1989

  A detailed description of the INIT 29 virus  INIT 29    v2.30
      Thomas Bond, 27 Jan 1989

  The Scores Virus, John Norstad               SCORES     LOG8804
      info-mac digest, 23 Apr 1988

  Macintosh infection at Seale-Hayne College   TSUNAMI    LOG8808d
      Adrian Vranch, 8 July 1988

  DEFENCE DATA NETWORK MANAGEMENT BULLETIN,    DECNET     (see also v1.59a)
      50, 23 Dec 1988,

  The internet worm program, an analysis       INTERNET
      Gene Spafford, Nov 1988

I apologise for any researchers whose articles I have not cited, in
what is currently an incomplete list of references. Hopefully, this
article will be of some use in providing a general list of viruses
which have affected computer systems in the past.

Thanks for your time, and I look forward to any information you can
supply me with.

Dave Ferbrache                            Personal mail to:
Dept of computer science                  Internet <[email protected]>
Heriot-Watt University                    Janet    <[email protected]>
79 Grassmarket                            UUCP     ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ                     Tel      (UK) 031-225-6465 ext 553

------------------------------

End of VIRUS-L Digest
*********************