VIRUS-L Digest   Wednesday,  1 May 1991    Volume 4 : Issue 72

Today's Topics:

Re: Viruses & System 7.0 (Mac)
WDEF is benign? (Mac)
HyperCard Virus and Disinfectant (Mac)
First sighting of Dark Avenger (PC)
Re: can we trust diskette write-protection? (PC)
Re: Malicious Program Definitions
Virucide query (PC)
Version 77 of McAfee anti-virals for MS-DOS (PC)
Re: HyperCard virus --should I wait to script? (Mac)
Stoned Virus (PC)
Bouncing Ball at British Telecom (= UK telephone system)(PC)
Virus at Common Cold research Unit, Cardiff, Wales, UK
Any bugs in McAfee's v76? (PC)
Thank You (EMPIRE, PC virus help)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 29 Apr 91 06:34:42 +0000
From:    [email protected] (Mark Phaedrus)
Subject: Re: Viruses & System 7.0 (Mac)

[email protected] (Dave Martin) writes:
>Of course, compatibility of old viruses aside, I get this gut feeling
>that Sys7 will open the doors for more viruses, and make old ones
>spread more easily. How will SAM react to an infected file run from a
>FileShare folder? Or if someone puts a disk with WDEF into a drive
>while a shared folder is open. Will SAM or any of the other active
>detectors warn you when a virus tries to get in from the back door?
>Does the AppleEvent manager have any built-in precautions to prevent
>viri from sending events out to programs? Or from interfering with VM?

    I think all the hype over System 7 has caused a lot of people to
have incorrect ideas about what System 7 is like.  It does not
magically change all the rules of Mac programming; in fact, based on
my experience, it's more compatible with older software than System 6
was.  It does add new features, but in almost all cases it adds them
in a way that makes them very comparable to existing ones (just a
heckuva lot easier to use).
    FileShare, for instance, is almost exactly equivalent to
AppleShare, but without the dedicated server.  A program in a
FileShare folder (virus-infected or not) appears the same way as a
program in an AppleShare server folder, and viruses and
virus-detection utilities should react to it in roughly the same way.
Any virus detector worth its weight in RAM will check every resource
file that's opened, no matter where it comes from.  So FileShare
shouldn't create any new problems there (except for the problem of
uneducated users networking for the first time who don't realize the
potential for infection, and without any AppleShare administrator to
troubleshoot).
    There's no "protection" code in AppleEvents, as far as I know,
and the reason is simple; what good would it do?  Sure, a virus could
trigger spurious AppleEvents, but a virus under either System 6 or 7
can do things that are a heckuva lot worse; delete files, format
disks, crash the system, etc.  Until code is added to make it
impossible for a virus to do these things (which brings up the age-old
problem: how to distinguish a virus from a legitimate request to
delete a file, etc.?), it seems silly to try to throw in code to keep
a virus from choosing Quit or whatever.
    Finally, virtual memory is exactly the same as physical memory,
only slower.  About the only VM-specific nasty a virus could pull off
would be to mess up or delete the virtual-memory storage file on the
hard disk; this would crash the system, but again, as crashing the
system is trivial under either System (the tricky thing to do is
*avoid* crashing it... :) ), no new security holes are added here.
    IMHO, System 7 will, if anything, make it a bit harder for
viruses and Trojan horses to propagate, if only by cleaning up the
System Folder a bit.  How many of us would even notice if somebody
slipped one more file into the morass of junk (whoops, vital System
extensions) that all of us keep in there?  By sorting things out into
at least a few subgroups, the new System will make it easier to keep
some sort of grasp of what's going on in there.

Internet: [email protected]        (University of Washington, Seattle)
 The views expressed here are not those of this station or its management.
  "If you can keep your head while those about you are losing theirs,
     consider an exciting career as a guillotine operator!"

------------------------------

Date:    29 Apr 91 09:04:16 -0500
From:    "William J. Hobson" <[email protected]>
Subject: WDEF is benign? (Mac)

For those who comment that WDEF is benign -- try telling that to the
user who has just lost an hour's work when Microsoft Word 4.0
"unexpectedly quits".  We definitely don't consider that trivial.

William J. Hobson  Phone: (409) 845-9999  O.E.T. Rm. 123
|      Virus Buster  "Have Software - Will Travel"     |
|       All Opinions are mine - not my employer's      |
|______________________________________________________|

------------------------------

Date:    Mon, 29 Apr 91 12:43:31 -0600
From:    [email protected] (John Norstad)
Subject: HyperCard Virus and Disinfectant (Mac)

Pat Ralston (IPBR400&INDYCMS.BITNET) writes:

>I have found John Norstad to be very responsive in the past when new
>Mac viruses developed.  John, are you working on this one too?  Or
>does anyone else know if the Disinfectant virus checking software is
>being updated to include the HyperCard virus?

Disinfectant does not attempt to deal with application-specific
viruses which spread via application scripting languages. These are
very different kinds of viruses from the "normal" kinds of viruses
Disinfectant was designed to handle. Modifying Disinfectant to detect
and repair these kinds of viruses would be a major project, and I do
not have the time or energy to undertake such a new project right now.

This recent "Three Tunes" virus is not the first HyperCard virus -
there was a very similar HyperCard virus named "Dukakis" which
appeared several years ago. Disinfectant doesn't recognize that virus
either.

Symantec's SAM 3.0 does detect HyperCard viruses.

John Norstad
Academic Computing and Network Services
Northwestern University
[email protected]

------------------------------

Date:    29 Apr 91 11:26:03 -0500
From:    Pat Ralston <[email protected]>
Subject: First sighting of Dark Avenger (PC)

This posting is just to let the virus trackers know.... We have had
our first reported sighting of Dark Avenger here at IUPUI (Indiana
University - Purdue University at Indianapolis)

It showed up on a LAN server in one of our open computer clusters. It
was eradicated but the software it damaged had to be reinstalled on
the server.

I have been, for some time, suggesting that our computer clusters have
a dedicated virus checking DOS computer and a dedicated Mac.  And that
our users be requested to submit their disks for checking before they
enter the cluster to use the LAN.  Of course, that would not
absolutely insure a virus free LAN but it would help us help innocent
and uninformed users.  My suggestion is getting more attention now
that we were hit on the server.

Thanks again to all those people out there that made it possible for
us to catch and destroy this virus -- both documentation and virus
checking software were a big help to us.

Pat Ralston    IUPUI

------------------------------

Date:    Tue, 30 Apr 91 12:11:00 +1200
From:    "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Re: can we trust diskette write-protection? (PC)

[email protected] (Jim Bradley) writes:
> I write-protected each with a silver sticker from another box of diskettes.
> I subsequently discovered that I could *freely* write or erase files from
> any of these "write-protected" diskettes in the 1.2M half-height floppy drive
> of an AT-clone or in the retro-fit 360K half-height floppy drive of an IBM XT