VIRUS-L Digest   Wednesday, 27 Mar 1991    Volume 4 : Issue 48

Today's Topics:

USSR BBSList
Request for general virus info
Re: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"
Need information about VIRUS BUSTER
unknown virus (PC)
Virus vs. hardware failures
PC Emulator on an ST (PC)
Layers of Help for Institutions
New Innoc (PC)
Whale virus, can anybody find it? (PC)
virii of the unknown dimention (Amiga)
H.C.S virus?????? (Amiga)
Translation please...
Kamasya virus
Mutation (or not) of Stoned (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    23 Mar 91 09:05:00 -0500
From:    "Selden E. Ball, Jr." <[email protected]>
Subject: USSR BBSList

Gentle folk,

Many people are doubtless already aware of this, but it came as a bit
of a surprise to me.

It is now possible to direct-dial computer bulletin boards in the USSR
and eastern European countries. Many of them are already on FidoNet.
The following list of BBSs was recently posted to a widely read
news group.

The potential transmission speed for computer viruses is
increasing faster than your favorite comparison.
sigh.

Selden Ball
[email protected]

Original-Date: 15 Mar 91 23:01:15 EST
Original-From: Frank Topping <[email protected]>
Original-Subject: USSR BBSList

I thought some teachers might be interested in this - they're growing
like wildfire & connectivity opportunities abound!

-frank
                  Known USSR Bulletin Board Systems
                       Version 10c of 3/13/91
                Compilation  (C) 1991 Serge Terekhov

BBS name                     ! Data phone     ! Modem    ! FIDO addr
-----------------------------!----------------!----------!------------
PsychodeliQ Hacker Club BBS    +7-351-237-3700  2400      2:5010/2
Kaunas #7 BBS                  +7-012-720-0274  ?         -
Villa Metamorph BBS            +7-012-720-0228  ?         -
WolfBox                        +7-012-773-0134  1200      2:49/10
Spark System Designs           +7-057-233-9344  1200      2:489/1
Post Square BBS                +7-044-417-5700  2400      -
Ozz Land                       +7-017-277-8327  2400      -
Alan BBS                       +7-095-532-2943  2400/MNP  2:5020/11
Angel Station BBS              +7-095-939-5977  2400      2:5020/10
Bargain                        +7-095-383-9171  2400      2:5020/7
Bowhill                        +7-095-939-0274  2400/MNP  2:5020/9
JV Dialogue 1st                +7-095-329-2192  2400/MNP  2:5020/6
Kremlin                        +7-095-205-3554  2400      2:480/100
Moscow Fair                    +7-095-366-5209  9600/MNP  2:5020/0
Nightmare                      +7-095-128-4661  2400/MNP  2:5020/1
MoSTNet 2nd                    +7-095-193-4761  2400/MNP  2:5020/4
Wild Moon                      +7-095-366-5175  9600/MNP  2:5020/2
Hall of Guild                  +7-383-235-4457  2400/MNP  2:5000/0
The Court of Crimson King      +7-383-235-6722  2400/MNP  2:50/0
Sine Lex BBS                   +7-383-235-4811  19200/PEP 2:5000/30
The Communication Tube         +7-812-315-1158  2400/MNP  2:50/200
KREIT BBS                      +7-812-164-5396  2400      2:50/201
Petersburg's Future            +7-812-310-4864  2400      -
Eesti #1                       +7-014-242-2583  9600/MNP  -
Flying Disks BBS               +7-014-268-4911  2400/MNP  2:490/40.401
Goodwin BBS                    +7-014-269-1872  2400/MNP  2:490/20
Great White of Kopli           +7-014-247-3943  2400      2:490/90
Hacker's Night System #1       +7-014-244-2143  9600/HST  2:490/1
Lion's Cave                    +7-014-253-6246  9600/HST  2:490/70
Mailbox for citizens of galaxy +7-014-253-2350  1200      2:490/30
MamBox                         +7-014-244-3360  19200/PEP 2:490/40
New Age System                 +7-014-260-6319  2400      2:490/12
Space Island                   +7-014-245-1611  2400      -
XBase System                   +7-014-249-3091  2400/MNP  2:490/40.403
LUCIFER                        +7-014-347-7218  2400      2:490/11
MESO                           +7-014-343-3434  2400/MNP  2:490/60
PaPer                          +7-014-343-3351  1200      2:490/70
-----------------------------!----------------!----------!------------

|--- Maximus-CBCS v1.02
| * Origin: The Court of the Crimson King (2:50/0)

.................................................

Frank Topping, sysop
Sacramento Peace Child - NorCal K-12Net Feed (916)451-0225 (1:203/454)

------------------------------

Date:    Sat, 23 Mar 91 10:45:00 -0400
From:    Al Woodhull <AWOODHULL%[email protected]>
Subject: Request for general virus info

Dear VIRUS-L readers,
       I can't claim to be a virus expert, but I am trying to learn
as much as possible about virus action and prevention. As the only
faculty member at Hampshire College who teaches assembly language
programming and computer architecture I am the best candidate to
become a local semi-expert.
       I am currently planning a presentation for faculty, staff, and
students on the virus problem. I will concentrate on techniques to
prevent virus infection and to recognize and to recover if prevention
fails, but I will also, as time allows, say a little about the history
of the problem and the mechanisms of PC viruses with which I am
familiar.
       In the interest of avoiding duplication of effort I would be
grateful if any readers of VIRUS-L could send me any materials they
may have prepared for similar presentations, or pointers to available
documents that they feel should be collected for a local reference
collection on the subject.
       I will prepare some materials myself to hand out to those
present, and I will be happy to share these, and anything I receive
from others, with any VIRUS-L readers who want them.

Thank you,
Albert S. Woodhull      [email protected]

------------------------------

Date:    Sun, 24 Mar 91 01:54:28 +0000
From:    [email protected] (Michael Kerner)
Subject: Re: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"

Umm, excuse me, I'm just a dumb Mac Admin, but I was under the
impression that this "new strategy" was the current strategy.  At
least on Macs, where this whole thing started, the strategy is to zing
the bugger.  The PC anti-viral programs we've installed on our
machines (all 100-200), essentially block spreads by watching what's
going on and looking for virus-like code, then killing it (unless I
have no concept of the way PC virus killers work)

Mikey
Mac Admin
WSOM
CWRU
[email protected]

P.S. If I'm ignorant, please tell me and then explain why

------------------------------

Date:    Sun, 24 Mar 91 20:55:08 +0000
From:    [email protected] (Robert Grapes)
Subject: Need information about VIRUS BUSTER

Hi,

I am trying to obtain as much information as possible about a product
called VIRUS BUSTER. The only information I have about it is that it
appears to be an Australian product. Any help would be greatly
appreciated.

Thanks.

************************************************************************
Robert Grapes,  Systems Programmer,  Computer Centre,  Massey University
Voice: +64 63 69099 ext 7615                Email: [email protected]
************************************************************************

------------------------------

Date:    Mon, 25 Mar 91 14:20:53 +0100
From:    [email protected] (H.P. Schill)
Subject: unknown virus (PC)

I've got a program (pkunzip) that seems to be infected by a virus. It
is said that SCAN doesn't find a virus. Also FPROT doesn't find anything.
Running the infected program will load the virus into memory. When
another program is executed, this program will become infected,
increasing the size by 982 (or so) bytes. No other effects are known
to me.

Has anyone seen it before?

Peter Schill
Universitaet Tuebingen
[email protected]

------------------------------

Date:    Mon, 25 Mar 91 10:10:58 -0800
From:    "Info Security 3-9797" <[email protected]>
Subject: Virus vs. hardware failures

Eldar A. Musaev writes:

> I am very often disturbed by users who take hardware failures for
> a virus....  What could we do to help users to distinguish viruses
> and failures?

It has been my experience that it takes far less time to use your
favorite anti-virus software to first check if a virus is present.  If
there is no indication of a virus, then check for hardware and other
software kinds of problems.

Bill Bauriedel
Info. Security Office
Stanford Univ.

------------------------------

Date:    Mon, 25 Mar 91 16:59:37 +0000
From:    Andrew McLean <[email protected]>
Subject: PC Emulator on an ST (PC)

I (sometimes) have access to an Atari ST with a software PC editor
(PC-ditto).  It occurs to me that if the emulator works well then it
"should" be able to spread a virus just like a real PC.  It also
occurs to me that not all computers have hardware write protect on
their floppy disks.  The big question is can I safely put a write
protected floppy into the ST drive while running a PC emulator (or
otherwise) or am I in danger of acquiring a virus.  What I particularly
have in mind is my "trusted" DOS boot disks and disks containing virus
scanners which are permanently write protected (the write protect tabs
are glued open or removed).

Andrew McLean         |       Janet : [email protected]
Department of Physics | Earn/Bitnet : [email protected]
The University        |          or : PHR050%UK.AC.SOTON.IBM@UKACRL
Highfield             |    INTERNET : [email protected]
Southampton SO9 5NH   |        uucp : PHR050%[email protected]
tel. 0703 593084

------------------------------

Date:    Mon, 25 Mar 91 12:24:26 -0500
From:    Padgett Peterson <padgett%[email protected]>
Subject: Layers of Help for Institutions

>From:    [email protected] (Eldar A. Musaev)

>Subject: Re: Standardized virus signatures (PC)
>The scanners have an unpleasant feature. If someone changes the
>signature of the virus, it (virus) becomes unfamiliar to scanner.

>Subject: Hardware failures & viruses (PC)
>I am very often disturbed by users who take hardware failures for a virus.

       These and several recent postings from institutional users
really have the same solution. Like the PC model I have been
discussing lately, it is a layered solution:

First, divide the institution into three elements: Users, Technicians,
and Gurus (for want of a better term). The great bulk of the
population are the Users. They are concerned with completion of tasks
and require tools that are able to help them. Users should be
concerned only with a binary question - Is the machine working
properly ? Yes/No. In order to do this the user must be trained to be
able to determine this. For a bare PC, this requires considerable
sophistication but with layered in integrity checking such as we have
discussed, all that may be necessary is to respond to a screen. The
real message that is taught is that "If an exception occurs, call a
technician".

Second, the technician must be equipped with the tools of his/her
trade.  In the case of the PC, these will include viral scanning
devices and programs.  The technician's responsibility is again
binary: Can I repair the machine ?  Yes/No. To be able to do this, the
technician is trained not only as a user (though this is necessary),
but also in the repair and structure of the machine.  Here the message
is "Repair the machine if you understand the problem, call a Guru if
not".

Third is the "Guru" who may or may not be an employee but who is on
call and is capable of determining any problem: hardware, software,
mistake, or virus.  Generally, this role will be handled by not more
than one or two people in an organization who will also design
"seamless" training.

From this structure, levels of responsibility will also emerge. The
User is required only to report malfunctions. The technician to repair
those problems that are understood, and the Guru to direct training
and handle all else. The dichotomy of the Guru is necessary since this
is where evaluations must be made to determine when to add functions,
directions, and training to the lower levels.

Unfortunately, in many organizations, the third level is left off and
results in the problems that Mr. Musaev refers to. It would appear
that in his organization that he is "informally" filling the "Guru"
function without the authorization to determine where the functional
divisions are and what training each shall receive.

With this three layer model, the division of labor becomes natural,
provides natural filters at each level, and allows personnel to rise
according to their ability. With proper training and internal
integrity checking, the users can correct the bulk of their problems
themselves or with a telephone call. Of the remainder, most can be
corrected by the technicians, leaving the "Guru" to handle the few
really difficult ones.

Scanners, by their nature are a very valuable tool for the second
level (technicians) since proper use and disinfection procedures
require knowledge and training to determine how disinfection can be
done with minimum impact (low level formatting is never necessary). At
this point 90+% efficiency is sufficient so long as limitations are
understood. They are also valuable tools for the "Guru" as an aid.
Good Scanners state up front that only known malicious software can be
found. And the technician must have a means to handle something he/she
does not know how to handle.

For this reason, the users must have a tool (whether they know it or
not) that will detect change to a system, if it includes Scanning,
fine, but scanning alone is insufficient as a "complete" answer.

In my experience, the ratio of users/platforms to technicians is
usually about 200:1 and it is unusual for any organization to have
more than one or two "Gurus".

                                       Enough,
                                               Padgett
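
[Added example, not part of the original digest or any poster's code. It illustrates the point quoted from Mr. Musaev (a changed signature makes a virus unfamiliar to a scanner) together with the point above that users need a tool that detects change to a system. File names and byte strings are constructed, harmless stand-ins; the 982-byte growth is borrowed from the "unknown virus (PC)" report earlier in this issue as a sample size only.]

```python
import hashlib

# Constructed stand-in pattern: harmless bytes, not taken from any real virus.
KNOWN_SIGNATURES = {"Demo-A": b"\xde\xad\xbe\xef\x01\x02"}


def scan(data):
    """Signature scanner: names of known byte patterns present in data."""
    return [name for name, sig in KNOWN_SIGNATURES.items() if sig in data]


def baseline(files):
    """Record size and SHA-256 of every file while the system is known good."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def detect_changes(base, files):
    """Compare the current files with the baseline; return {name: reason}."""
    report = {}
    for name, data in files.items():
        if name not in base:
            report[name] = "new file"
            continue
        size, digest = base[name]
        if hashlib.sha256(data).hexdigest() != digest:
            report[name] = "changed, size %+d bytes" % (len(data) - size)
    for name in base:
        if name not in files:
            report[name] = "missing"
    return report


def demo():
    # Constructed "disk": two programs in a known-good state.
    clean = {"PKUNZIP.EXE": b"MZ" + b"\x90" * 500,
             "COMMAND.COM": b"\xe9" + b"\x00" * 300}
    base = baseline(clean)

    # Two 982-byte appended bodies: one carries the known pattern, the
    # other differs from it in a single byte (the "changed signature").
    known_body = b"\xde\xad\xbe\xef\x01\x02" + b"\x00" * 976
    altered_body = b"\xde\xad\xbe\xee\x01\x02" + b"\x00" * 976

    with_known = clean["PKUNZIP.EXE"] + known_body
    with_altered = clean["PKUNZIP.EXE"] + altered_body

    current = dict(clean, **{"PKUNZIP.EXE": with_altered})
    return scan(with_known), scan(with_altered), detect_changes(base, current)


if __name__ == "__main__":
    found_known, found_altered, changes = demo()
    print("scanner, known body:  ", found_known)
    print("scanner, altered body:", found_altered)
    print("change detector:      ", changes)
```

The scanner names the known body and reports nothing for the altered one, while the baseline comparison flags the modified program in both cases without knowing what modified it.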

------------------------------

Date:    Mon, 25 Mar 91 04:06:38 -0400
From:    [email protected]
Subject: New Innoc (PC)

INNOC has been updated to add two new viruses. It now inoculates
against the Azusa and Joshi viruses. In addition to these, INNOC
already inoculates against the Ashar, Brain, Ping-Pong and Stoned
viruses. INNOC will also remove all boot infectors already on the
diskette. Anybody needing an inoculation program against a specific
virus can read me at [email protected] (BITNET) or
[email protected] (INTERNET)...<MM>.

------------------------------

Date:    25 Mar 91 23:02:07 +0000
From:    [email protected] (J.C. Kohler)
Subject: Whale virus, can anybody find it? (PC)

I have a computer which is infected by the Whale virus, but none of
the virus-scanners I use can find it. I found the virus on the
computer about a week ago, using McAfee's scan. I removed the
infected files, but it keeps coming up.

I have tried to find it with scan, f-prot and AVS. Is this because it
is a stealth virus???

I think I'm going to do a low-level format on the disk now, to prevent
any trouble in the future.

But could anybody tell me why it is impossible to find it?

Many thanks in advance,

Christian Kohler
University of Keele, United Kingdom

[email protected]

------------------------------

Date:    25 Mar 91 23:51:06 +0000
From:    [email protected] (ATOMIC PLAYBOY)
Subject: virii of the unknown dimention (Amiga)

DOES anyone know about the BSG-29 virus on the Amiga?? You know, the
one which prints up something like xxxxxxx is a transgression, piracy
is a crime, this is the cure: BSG-29 sonderkommando. [I am not German]

I would really like to know:

1. if it does anything painful to files/disk access etc. etc.
2. how the hell to kill it dead....

ATOMIC PLAYBOY

thanx in advance........

------------------------------

Date:    Tue, 26 Mar 91 04:15:09 +0000
From:    [email protected] (Steve E Tietze )
Subject: H.C.S virus?????? (Amiga)

I just found a virus calling itself the H.C.S virus and H.C.S virus
II. Help, what do they do?  I have an Amiga computer...

Please Email me with suggestions of help.

Email [email protected]

------------------------------

Date:    Tue, 26 Mar 91 13:16:55 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Translation please...

The following text is found inside the Kamasya virus - which happens
to be virus #500 in my own list.  Does it mean anything, and if so,
which language is it ?

I would guess it was a language related to Hindi, but I am not sure....

               Kamasya nendriya pritir
               labho jiveta yavata
               jivasya tattva jijnasa
               nartho yas ceha karmabhih
-frisk

[Ed. See follow-up below...]

------------------------------

Date:    Wed, 27 Mar 91 09:12:38 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Kamasya virus

I have been flooded with replies to my question about the text found
inside the Kamasya virus

       Kamasya nendriya pritir
       labho jiveta yavata
       jivasya tattva jijnasa
       nartho yas ceha karmabhih

I would like to thank all those providing a part translation or a part
of it, in particular Rajesh Gupta, Sibabrata Ray, Anupam Joshi, Ajit
Sanzgiri, A. Satish Pai, Girish Chandram,

Everybody agreed it was difficult to translate this text in Sanskrit
into English, but the meaning is something like:

 "As long as you live, sex and pleasing of the senses is useless.
  The essence of life is the desire to know, not money or fame."

This text is surely the most curious I have found inside any of the 400+
viruses I have examined...

-frisk

------------------------------

Date:    26 Mar 91 11:17:37 -0500
From:    Pat Ralston <[email protected]>
Subject: Mutation (or not) of Stoned (PC)

In the March 4th issue 34 VIRUS-L Digest we (IUPUI) reported what
might be a mutation of Stoned or Stoned II.  In that posting we said
"McAfee's VIRUSCAN version 74B reports Stoned, but ONLY on FLOPPY
disks".  We have had many responses -- Thanks to all. Some of those
responding felt that we are seeing old -- vanilla -- Stoned. One of
the most heard responses was "have you tried version 75?".

Yes, when version 75 was available to us we used it; with the same
results.  Stoned can be found on floppy disks but not the hard disk.
We have sent a specimen to only one or two people who asked for it --
most major (familiar) names on this list.

It is still an unsettling thought that this Stoned -- whether
vanilla/common version or new hacked version -- can be found on floppy
disks only.

Pat Ralston  IUPUI
Indiana University - Purdue University at Indianapolis

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 48]
*****************************************
