VIRUS-L Digest   Wednesday, 21 Mar 1990    Volume 3 : Issue 61

Today's Topics:

Low level format (PC)
Utilities?
bogus Amiga program: 'VirusX 4.4'
Re: Getting files from "anonymous FTP"
probably not malicious [was Re: possible new trojan on Genie (Mac)]
Re: Stoned disinfection information (PC)
another trojan called "Virus Info" (Mac)
VirusX Trojan (Amiga)
VirusX Trojan (Amiga) More Info!
Vaxservers and Mac viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 19 Mar 90 16:06:06 -0000
From:    [email protected]
Subject: Low level format (PC)

Many of the articles I read on recovering from a virus infection
recommend a "low level format" of the hard disk as part of the
process. What is a "low level format" and how does it differ from just
using the DOS FORMAT command?
Thanks in advance for any information.

Rgds,
Iain Noble

- -----------------------------------------------------------------------------
Iain Noble                                   |
[email protected]                           |  Post:  Main Site Library,
JANET: [email protected]                    |         Teesside Polytechnic,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL       |         Middlesbrough,
INTERNET: LBA002%[email protected] |         Cleveland, UK, TS1 3BA
UUCP: LBA002%[email protected]            |  Phone: +44 642 218121 x 4371
- -----------------------------------------------------------------------------

------------------------------

Date:    19 Mar 90 22:54:52 +0000
From:    [email protected] (Bill King)
Subject: Utilities?

Can someone tell me where the best place to get the utilities necessary
for de-arcing and unzipping the programs would be?  For example, I now
have v59 of scan and clean, but don't have the unzip program. Can someone
help me out here as to an ftp address where I could get the necessary
programs? Thanks.
Bill

[Ed. The PKZIP and ARC programs are available, among many other
places, on SIMTEL20.ARMY.MIL by anonymous FTP.]

------------------------------

Date:    Tue, 20 Mar 90 00:02:36 -0500
From:    Jim Shaffer Jr <72750.2335%[email protected]>
Subject: bogus Amiga program: 'VirusX 4.4'

A notice has just been posted on CompuServe, by one of the sysops of the
Amiga Technical Forum, that a program purporting to be "VirusX 4.4" is
in circulation.  This is a bogus program!  The current version of VirusX,
as verified by its author, is 4.0.

No details of what "4.4" might do were mentioned.

------------------------------

Date:    20 Mar 90 10:31:50 +0000
From:    Sam Wilson <[email protected]>
Subject: Re: Getting files from "anonymous FTP"

In article 1914 of comp.virus [email protected]
  (Anthony Appleyard) writes:
>
> Information from "Kenneth R. van Wyk" <[email protected]>, with thanks.
> Some Virus-L messages say that the rest of the message can be got (say) "by
> anonymous ftp from  the/quick/brown/fox/jumps.over.the.lazy.dog".  For  the
> information  of those not very conversant with FTP, this can be done thus:-
>
> Type your computer's command "ftp cert.sei.cmu.edu". "cert.sei.cmu.edu"  is
> a  USA email address. It should be "[email protected]" if
> typed in UK (I think).

Nope!  There is no direct Internet FTP access for most people in the UK.
We have our own file transfer protocol known as NIFTP (or just FTP to
its friends) or 'Blue Book'.  It does not interwork with the Internet
and you can't use odd mail addresses like that given above.

If you need to access Internet FTP from the UK the NSFnet-Relay provides
a service of sorts but I don't know if it's public (yet?).  Mail
[email protected] ([email protected] for folks outside
the UK and some folks inside) for details.

Most anti-viral s/w is available in the UK - see the monthly sites
postings.

Sam Wilson
Network Planning, Edinburgh University Computing Service

------------------------------

Date:    20 Mar 90 14:02:12 +0000
From:    [email protected] (Werner Uhrig)
Subject: probably not malicious [was Re: possible new trojan on Genie (Mac)]

I wrote:

> a rumour has reached me that a program called "Totally Safe Sex"
> on Genie may be a new trojan.

         first disassembly and review makes it look like a harmless
         prank, but I'd still recommend that you do not run the program
         at this time unless you are absolutely certain you know how
         to prevent any potential dangers to your files ...

         apologies if you feel that this was an unnecessary alarm,
         but it seemed the lesser evil to pass on a false warning than
         to wait 5 days to confirm it.

                             Cheers (or grumble?!?),                 ---Werner

------------------------------

Date:    Tue, 20 Mar 90 22:51:07 +0000
From:    [email protected] (Gary Mathews)
Subject: Re: Stoned disinfection information (PC)

[email protected] (MUSTAFA T. ALGHAZAL) writes:
>To all virus experts,
>     One of our systems here at SAKFU00 was infected by the STONED virus.
>     I remember that I read a note about how to remove this virus from a
>     hard disk, but the writer was referring to some issues of COMPUTER
>     & SECURITY which we were not able to get.
>     If any of you knows step by step instructions to remove that virus, he
>     (or she) will be thankful to send it to me directly or to the list.
>
>         Mustafa ALGhazal ( [email protected])
>         Academic Services Manager
>         King Faisal Univ.
>         Saudi Arabia

You could remove the Stoned virus with McAfee's clean program or, more
simply, by booting off a clean DOS disk and using the sys command to
transfer a new copy of the MS-DOS system onto the hard disk.

         1) boot system on a clean disk
         2) sys c:
         3) "Stoned" virus is gone !

That's all.

- ------------------------------------------------------------------------------
Gary Jason Mathews      | [email protected]
Columbia University     | Death is life's way of telling you you've been fired.
- ------------------------+ CPU time flies when you have a lot of bugs

------------------------------

Date:    21 Mar 90 02:58:02 +0000
From:    [email protected] (Werner Uhrig)
Subject: another trojan called "Virus Info" (Mac)

         shortly after the first 2 trojans showed up on "that Canadian BBS"
         a third (but technically different) one showed up - and I do not
         believe anyone reported it publicly yet (and I had hopes to
         snarf the "evil ones" with it. alas ....)

         This trojan claims to also be from the "DeathTrack" group as were
         the first two.

         it will *IMMEDIATELY* destroy your disk(s) - and I assume if anyone
         had run into it, we would have heard about it by now ...:-()

         well, if anyone sees it show up ANYWHERE (or any other program which
         you suspect after running it and finding your hard disk unusable
         immediately afterwards, for that matter) please let me know.
         (you do keep copies of all new software you download on more
          than one place, don't you?!!  else, if you execute it and it
          destroys the disk it was on .... right.  you can't send me a
          copy for analysis!)

                   Cheers (what for?! right!),             ---Werner

- --------------------------> please send REPLIES to <------------------------
INTERNET:                     [email protected]
              or: [email protected]     (Internet # 128.83.144.1)
UUCP:     ...<well-connected-site>!cs.utexas.edu!werner

------------------------------

Date:    21 Mar 90 04:42:17 +0000
From:    [email protected] (Brett L. Kessler)
Subject: VirusX Trojan (Amiga)

A friend of mine here at SUNY-Binghamton just informed me of a message
that was posted to CompuServe recently.  I've no idea as to how valid
it is, but it's better to be safe than sorry, even VIA 3rd-hand news.

It seems that somebody has released something called "VirusX 4.4" into
the public domain.  THIS IS A BOGUS PROGRAM, and may be a trojan.
According to Steve Tibbett (sp?), the author of VirusX, the most
recent version of the disinfectant is 4.0.

Just thought you might like to know.

+------///-+------------------| BRETT KESSLER |------------------+-\\\------+
|     ///  |         [email protected]          |  \\\     |
| \\\///   |              [email protected]                |   \\\/// |
|  \XX/    |              (PeopleLink)  B.KESSLER                |    \XX/  |
+----------+-----------------------------------------------------+----------+

------------------------------

Date:    21 Mar 90 07:17:17 +0000
From:    [email protected] (Brett L. Kessler)
Subject: VirusX Trojan (Amiga) More Info!

With regards to my earlier posting about the bogus version of VirusX
(version 4.4), here is the original text.  It originally appeared in
comp.sys.amiga and comp.sys.amiga.tech.  I thought that my posting was
a little sketchy, so here's a (slightly) better one.

- -----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----
There is a file going around now that supposedly has a new version of
VIRUSX.   The archive says the file has version VIRUSX 4.4 and that it was
released on March 10th.

I've done some analysis on the files in the archive, and the archive
appears to have the same executables as VirusX 4.0.  The doc files and
the C code in the archive talk about two viruses that are supposedly
"harmless".  It appears the messages were put there to lull people into
a false sense of security.

I've contacted Steve Tibbett; he has confirmed that this archive was NOT
released by him.  He's working on a new version of VIRUSX, but this is
NOT IT.

WATCH OUT FOR THIS BAD ARCHIVE, AND LET PEOPLE KNOW ABOUT IT!

Official VIRUSX releases are posted to ALL the national networks by Steve
Tibbett, or by an official agent.
- ------------------
SR Pietrowicz    UUCP:  ...!uunet!modcomp!srp        CIS:  73047,2313
                             [email protected]
- -----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----

No more "hard info," but at least it's a confirmation that the darned
thing exists, and that it is probably trouble.

+------///-+------------------| BRETT KESSLER |------------------+-\\\------+
|     ///  |         [email protected]          |  \\\     |
| \\\///   |              [email protected]                |   \\\/// |
|  \XX/    |              (PeopleLink)  B.KESSLER                |    \XX/  |
+----------+-----------------------------------------------------+----------+

------------------------------

Date:    Tue, 20 Mar 90 14:22:00 -0600
From:    [email protected]
Subject: Vaxservers and Mac viruses

Hi all!

I think I already know the answer to this one, but could anyone
comment on Mac viruses infecting VAXen file servers.  It would seem to
me that this is impossible, but we'd like a more practical view.
Thanks.

Mike Post
Ripon College
[email protected]

------------------------------

End of VIRUS-L Digest
*********************