VIRUS-L Digest              Monday, 17 Apr 1989         Volume 2 : Issue 91

Today's Topics:
Fred Cohen's papers...
re: Yale virus = Alameda virus (PC)
Disinfectant 1.1 (Mac)
Re: More on Yale virus (PC)
Information wanted on "Stoned" virus (PC)
re: computers & media piece on virus-l

---------------------------------------------------------------------------

Date:    Sat, 15 Apr 89 13:00:35 EST
From:    (David M. Gursky) [email protected]
Subject: Fred Cohen's papers...

The question came up recently about Fred Cohen's papers and how to
obtain them.  The address in Pittsburgh is correct (Fred Cohen, c/o P.
O. Box 90069, Pittsburgh, Pennsylvania 15224).  The cost (for those
who have misplaced the message from December) is $20 for Fred's
thesis, and $20 for the assorted articles.

------------------------------

Date:         Sat, 15 Apr 89 15:44:28 EDT
From:         Naama Zahavi-Ely <[email protected]>
Subject:      re: Yale virus = Alameda virus (PC)

The "Yale" virus indeed does not work on 80286 machines, in the sense
that if one tries booting an 80286 machine with an infected disk the
machine will hang.  In effect, the ONLY active part of the machine at
that point is the virus -- if you then do Ctrl-Alt-Del with a
non-write-protected disk in the A drive, that diskette will get
infected.  On a PC, if you boot from an infected disk, the virus is
loaded into memory and will infect other disks upon soft-boot, but
otherwise it is completely transparent and is not likely at all to be
discovered.  The only reason we caught it at Yale is that all our
machines are 80286 machines, and we were suddenly faced with machines
not booting properly.  The person who we suspect brought the virus to
Yale (unknowingly) insisted at the time that his disk, which was not
working properly at our public facilities, was working perfectly at
his home and elsewhere.  He was using ordinary PCs at these places.  I
have also verified this effect myself using an authentic copy of the
"Yale" virus.

I personally am convinced that the Yale virus is the same as the
Alameda virus.

Thanks,

+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +
|  Naama Zahavi-Ely                                                    |
|  Project ELI                           E-MAIL [email protected]   |
|  Yale Computer Center                                                |
|  175 Whitney Ave                                                     |
|  New Haven, CT 06520                                                 |
|  (203) 432-6600 ext. 341                                             |
+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +

------------------------------

Date:        Mon, 17 Apr 89 08:44:28 EDT
From:        [email protected]
Subject:     Disinfectant 1.1 (Mac)

Disinfectant Version 1.1 Announcement & Press Release.

April 16, 1989.

Disinfectant 1.1 is a new release of a program to detect and remove
Macintosh viruses.

Version 1.1 recognizes the new MEV# virus that was discovered in
Belgium a few weeks ago.  Version 1.1 also fixes a few bugs and adds
several new features.  For a detailed list of all the changes see the
new section titled "Version History" in the online document.

We recommend that all Disinfectant users obtain a copy of the new
version.

With version 1.1 we are also now distributing a formatted version of
the document, with screen shots and other pictures, a table of
contents, etc.  See the online document for details on how to obtain a
copy.

Version 1.1 has been posted to CompuServe, AppleLink,
comp.binaries.mac, and info-mac.  It should be available from those
sources soon, as well as from many other bulletin boards, commercial
online services, user groups, and Internet archive sites.

Features:

- Detects and repairs files infected by Scores, nVIR A, nVIR B, Hpat,
  AIDS, MEV#, INIT 29, ANTI, and MacMag.  These are all of the currently
  known Macintosh viruses.
- Scans volumes (entire disks) in either virus check mode or virus
  repair mode.
- Option to scan a single folder or a single file.
- Option to "automatically" scan a sequence of floppies.
- Option to scan all mounted volumes.
- Can scan both MFS and HFS volumes.
- Dynamic display of the current folder name, file name, and a thermometer
  indicating the progress of a scan.
- All scans can be canceled at any time.
- Scans produce detailed reports in a scrolling field.  Reports can be
  saved as text files and printed with an editor or word processor.
- Carefully designed human interface that closely follows Apple's
  guidelines.  All operations are initiated and controlled by 8 simple
  standard push buttons.
- Uses an advanced detection and repair algorithm that can handle partial
  infections, multiple infections, and other anomalies.
- Careful error checking.  E.g., properly detects and reports damaged and
  busy files, out of memory conditions, disk full conditions on attempts
  to save files, insufficient privileges on server volumes, and so on.
- Works on any Mac with at least 512K of memory running System 3.2
  or later with HFS.
- Can be used on single floppy drive Macs with no floppy shuffling.
- 11,000 word online document describing Disinfectant, viruses in
  general, the Mac viruses in particular, recommendations for "safe"
  computing, Vaccine, and other virus fighting tools.  We tried to
  include everything in the document that the average Mac user needs to
  know about viruses.

I wrote Disinfectant with the help of an international group
of Mac virus experts, programmers and enthusiasts: Wade Blomgren,
Chris Borton, Bob Hablutzel, Tim Krauskopf, Joel Levin, Robert Lentz,
Bill Lipa, Albert Lunde, James Macak, Lance Nakata, Leonard Rosenthol,
Art Schumer, Dan Schwendener, Stephan Somogyi, David Spector, and
Werner Uhrig.

These people helped design and debug the program, edit the document,
locate copies of the viruses for testing, and analyze the viruses.  I
wrote all the code, but I could not have written the program without
their help.

Disinfectant is an example of a new kind of cooperative software
development over the internet. It was developed over a period of three
and one half months starting on December 1, 1988. During this period I
sent out nine development releases and nine Beta releases to the
working group, and we exchanged several hundred notes. The result is a
program that is much better than any one of us could have produced
individually.

We are offering this program free of charge as a public service.  We
hope that the Mac community finds it useful.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet:      jln@nuacc
Internet:    [email protected]
AppleLink:   a0173
CompuServe:  76666,573

------------------------------

Date:         17 April 1989, 09:22:27 EDT
From:         David M. Chess  <[email protected]>
Subject:      Re: More on Yale virus (PC)

The Yale virus (at least the one I have!) does contain a "POP CS".
Mr. McAfee is oversimplifying slightly again; "POP CS" is a perfectly
valid instruction on '286 machines in real mode (which is how DOS
runs).  It's just not a valid instruction in protect mode (which is
how OS/2 runs, for instance).  I'm not quite clear on when in the boot
cycle an OS/2 machine enters protect mode; in any case, the virus does
contain "POP CS", but that's consistent with your having seen it on
ATs.

DC

------------------------------

Date:    Mon, 17 Apr 89 13:35 EDT
From:    [email protected]
Subject: Information wanted on "Stoned" virus (PC)

Has anyone encountered a virus that writes the message "Your PC is now
Stoned! LEGALISE MARIJUANA!" in the boot sector of an infected floppy?
Any information would be appreciated.

Tom Sheriff
Microcomputer Support Group
University of North Carolina at Greensboro
[email protected]
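The two PC postings above (the Yale boot-sector virus that loads from the boot sector and infects the next diskette on Ctrl-Alt-Del, and the request about the "Stoned" boot-sector message) both come down to the same defensive check: read a diskette's boot sector offline, on a machine that was not booted from the suspect disk, and see whether it still looks like a DOS boot sector.  The following Python is an added example, not code from the digest or from any of its contributors.  It parses the DOS 3.x BIOS Parameter Block, checks the 0x55AA signature and the initial JMP, and searches for the marker text quoted in the Stoned posting.  The clean 360K sector and the "infected" sample are constructed inline for the example; the marker table, field names and thresholds are the example's own assumptions.

```python
import struct

SECTOR_SIZE = 512

# Marker text quoted in the "Stoned" posting above.  The table layout
# (name -> list of byte strings) is an assumption of this example.
KNOWN_MARKERS = {
    "Stoned": [b"Your PC is now Stoned!", b"LEGALISE MARIJUANA!"],
}


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the JMP, OEM name and DOS 3.x BIOS Parameter Block (BPB)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    # BPB fields start at offset 11: bytes/sector, sectors/cluster,
    # reserved sectors, FAT count, root entries, total sectors, media
    # descriptor, sectors/FAT, sectors/track, heads (all little-endian).
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, fat_count,
     root_entries, total_sectors, media_descriptor, sectors_per_fat,
     sectors_per_track, heads) = struct.unpack_from("<HBHBHHBHHH", sector, 11)
    return {
        "jump": sector[0:3],
        "oem_name": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "fat_count": fat_count,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "media_descriptor": media_descriptor,
        "sectors_per_fat": sectors_per_fat,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "signature": sector[510:512],
    }


def check_boot_sector(sector: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    info = parse_boot_sector(sector)
    if info["signature"] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    # A DOS boot sector begins with a short (EB) or near (E9) JMP over the BPB.
    if info["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP (0x%02X)" % info["jump"][0])
    if info["bytes_per_sector"] != SECTOR_SIZE:
        findings.append("BPB bytes/sector is %d, not 512" % info["bytes_per_sector"])
    if 0 in (info["sectors_per_cluster"], info["fat_count"], info["total_sectors"]):
        findings.append("BPB has zero-valued geometry fields")
    # DOS media descriptors for floppies and fixed disks are 0xF0..0xFF.
    if not 0xF0 <= info["media_descriptor"] <= 0xFF:
        findings.append("media descriptor 0x%02X is outside the DOS range"
                        % info["media_descriptor"])
    for name, markers in KNOWN_MARKERS.items():
        if any(marker in sector for marker in markers):
            findings.append("known marker text for %s virus present" % name)
    return findings


def build_clean_sector() -> bytes:
    """Constructed 360K DOS 3.3 diskette boot sector (sample data, not a real image)."""
    bpb = struct.pack("<HBHBHHBHHH", 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
    body = b"\xEB\x3C\x90" + b"MSDOS3.3" + bpb
    body += b"\x00" * (510 - len(body))        # boot code area left empty
    return body + b"\x55\xAA"


def build_infected_sample() -> bytes:
    """Constructed: the clean sector with the quoted message written into the code area."""
    sector = bytearray(build_clean_sector())
    message = b"Your PC is now Stoned! LEGALISE MARIJUANA!"
    sector[0x18A:0x18A + len(message)] = message
    return bytes(sector)


if __name__ == "__main__":
    for label, sector in (("clean", build_clean_sector()),
                          ("sample", build_infected_sample())):
        info = parse_boot_sector(sector)
        print(label, info["oem_name"], info["total_sectors"], "sectors:",
              check_boot_sector(sector) or "no findings")
```

To run it against a real diskette, read the first 512 bytes of a raw image (or of the device, on a system that was booted from known-clean media) and pass them to check_boot_sector; the Yale posting is a reminder that a machine booted from the suspect disk cannot be trusted to report on it, because the resident virus is already in control.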

------------------------------

Date:         Mon, 17 Apr 89 15:15:16 EST
From:         Neil Goldman <[email protected]>
Subject:      re: computers & media piece on virus-l

Dear Dimitri,

Hi.  I just read your posting.  It is very insightful and interesting.
It is unfortunate that there is no practical way for those of us who
'understand' the issues to serve as editors-in-chief for all
publications of this type.

This serves as another facet of problems with the media.  Presumably,
the author of the article has some expertise.  But even if he doesn't,
the reader will still place (undue) reliance upon his statements.

For some problems, unfortunately, there is no easy solution.

-- Neil

***************************************************************
*Neil A. Goldman                        [email protected]*
*                                                             *
*   Replies, Concerns, Disagreements, and Flames expected     *
*    Mastercard, Visa, and American Express not accepted      *
***************************************************************

------------------------------

End of VIRUS-L Digest
*********************