VIRUS-L Digest   Tuesday, 13 Dec 1988   Volume 1 : Issue 45

Today's Topics:
on CHRISTMA EXEC (IBM VM/CMS)
Undigestifyer for MSDOS?
Current status of Fred Cohen
RE: Low Level Formats on IBM's (PC)
contacting people at BITNET addresses
More on modem virus
Virus alerts
Re: CHRISTMA EXEC?? Kids Stuff!!!! (IBM VM/CMS)
re: modem virus
Re: PC virus reported in V1 I43 by MIKEMAC@UNB.BITNET
MegaROM CD with nVIR (Mac)
Some people aren't fighting...

---------------------------------------------------------------------------

Date: Tue, 13 Dec 88 09:01:56 LCL
From: Bret Ingerman [{315} 443-1865]
Subject: on CHRISTMA EXEC (IBM VM/CMS)

re: Gabriel Basco's recent note...

It would seehecking out the code (which is what we did with the Christmas EXEC). If you can't read the code, then you probably should not run the program.

BRET INGERMAN
ACADEMIC COMPUTING SERVICES
SYRACUSE UNIVERSITY
BITNET: INGERMAN@SUVM
NOISENET: (315) 443-1865
SNAILNET: 215 Machinery Hall, Syracuse, NY 13244-1260 USA

DISCLAIMER: I didn't say that, did I???

------------------------------

Date: Sun, 11 Dec 88 13:16 EDT
From: Peter D. Junger
Subject: Undigestifyer for MSDOS?

I would be very happy to have an undigestifyer running on VMS, but there is so little space on our node that I would be much better off if I could down-load digests to my PC and do the undigestifying there? Does an MSDing un-digestifier for any system - please let me know so that I can post it on the LISTSERV here.]

------------------------------

Date: Tue, 13 Dec 88 08:13 CST
From: Ken De Cruyenaere 204-474-8340
Subject: Current status of Fred Cohen

Fred was one of the speakers at the CSI conference in Miami last month. At the time he said that anyone interested in more material should leave their names. I did.
I received the following:

Hi,

I'm sorry I have to do this by form letter, but I get so many requests for information about my papers, I simply couldn't do it any other way. I put you in a mailing list for people interested in viruses so I can continue to let you know about new results. If you want out of the mailing list, just let me know.

I have 2 books on viruses that you might be interested in. One is my PhD thesis, written in 1984 at USC, and has all of the mathematical details you will likely ever want to see (and perhaps more). The other is simply a collection of all the journal articles I have published in the last 5 or so years placed in a single binder for your reading convenience. The cost (everything included - 1st class mail, etc.) is $20/book, which shouldn't break you or your organization.

If you'd like one or more of one or both, just fill in the form at the bottom of the page, send a check or money order (payable to Advanced Software Protection) to:

Fred Cohen
c/o Advanced Software Protection
PO Box 90069
Pittsburgh, PA 15224

I will get copies to you as soon as I can...

Thank you for your interest,
Fred Cohen

-------------------------------------------------------------
title                            how many          total
Computer Viruses - the thesis    _______ @$20      _______
Fred's Papers                    _______ @$20      _______
                                 Grand Total      $_______

------------------------------

Date: TUE DEC 13, 1988 09.50.15 EST
From: "David A. Bader"
Subject: RE: Low Level Formats on IBM's (PC)

I recently low level formatted my 40 meg hard disk (not a fun experience) because I had some minor non-virus related problems with a partition. Anyway, the only program I had around to do this format was a PD Low level format which did not ask me for my bad sector list (which should be adhesed to the top of everyone's hard disk by the manufacturer). However, I have seen some formatters that do ask for this list to be typed in.
-David Bader
DAB3@LEHIGH

------------------------------

Date: Tue, 13 Dec 88 09:57:01 est
From: preedy@nswc-wo.arpa
Subject: contacting people at BITNET addresses

I am having trouble getting through to bitnet addresses. It would be helpful for those who are asking for information to put the address that those of us on arpanet could use. Several times I have tried to contact people and the mail was sent back by the postmaster. If anyone has the "rules" for changing bitnet addresses to arpanet address format, I would appreciate it.

Greg - What is the title you are interested in? I have several articles by Fred Cohen.

[Ed. On sending to BITNET from Internet/ARPAnet - Most mailers will send mail addressed to user@node.BITNET through the appropriate gateway. If that doesn't work, you can usually get away with user%node.BITNET@gateway - where "gateway" is a known Internet/Arpanet to BITNET gateway, such as the one at CUNYVM.CUNY.EDU.]

------------------------------

Date: Tue, 13 Dec 88 10:29:10 EST
From: Don Alvarez
Subject: More on modem virus

Quoting from issue 44:

   I've just discovered probably the world's worst computer virus yet. I had just finished a late night session of BBS'ing and file trading when I exited Telix 3 and attempted to run pkxarc to unarc the software I had downloaded. Next thing I knew my hard disk was seeking

...END Quote

I'm a Mac user and don't recognize those words. Is the speaker talking IBM-PC words, Amiga words, VMS words, etc.? What kind of computer did he have?

If the virus is real, it must be writing itself into the on-board storage space used in high-speed modems and then instructing the modem to run that portion of memory (good way to check if this virus is real: Does anyone know if high speed modem chips are designed on Harvard-type architectures (separate Program/Data)? I think many DSP chips are now designed that way).
If my guess is right, the virus could not propagate on modems with Harvard-Architecture as they would be unlikely to have sufficient "program" memory for a virus (the speaker mentions setting a "bit pattern in a modem register," I can't believe that alone is enough to make a hard-disk crashing virus).

The reason why I ask what kind of PC the author is using is that it is EXTREMELY unlikely in my opinion that a virus of this sort could infect different kinds of computers... Mac boot blocks don't look anything like PC boot blocks.

Also, as I understand it, a good 9600 baud modem is completely transparent to the user... once you configure it, it looks like a 9600 baud cable connected to a computer. Sounds to me like this virus must be keyed not only to a specific computer but also to a specific PC based file-capture program, and will probably not propagate if all you do is 9600 baud terminal emulation.

- Don Alvarez

Disclaimer: "He's not the messiah, he's just a very naughty boy (who of course isn't speaking for himself, his employer, or the local dry-cleaner)."

(617) 253-7457
Cambridge, MA 02139

[Ed. I think that the first report of this purported virus was referring to a PC environment.]

------------------------------

Date: Mon, 12 Dec 88 17:30:29 CST
From: David W. Richardson
Subject: Virus alerts

On 12-9, Ben Chi (BEN@ALBNYVM1.BITNET) asked for another listserv that would distribute virus warnings. I have a suggestion:

1. All messages which are warnings use the same subject line, for example

      Subject: "VIRUS WARNING: XXXXXXXX"

   where XXXXXXXX is the real subject. We could use our mail directories to filter the vital info from the rest of the list.

2. When digesting, put the VIRUS WARNINGs at the beginning of the digests, so that we digest-readers can only worry about the vital stuff (if we so choose).
Similarly, there could be a reserved subject called RECENT CUi-viral measures.

-David Richardson
c044dwr <--review this list on 1/1 for my new address

Are they viruses or viri? I'm asking.

[Ed. Viruses. Good suggestions, thanks... That, in conjunction with the non-moderated (for timeliness) VALERT-L is what I'll shoot for.]

------------------------------

Date: 13 December 88, 18:51:33 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
Subject: Re: CHRISTMA EXEC?? Kids Stuff!!!! (IBM VM/CMS)

> Or should we just don't run any programs that appear in the READER??

Gabe, perhaps the rule should read: Don't run any programs that you neither can read and understand, nor have ordered from some trustworthy supplier, regardless of the way or media of delivery (i.e. this even applies to printed copies of source programs in a language you are not familiar with).

Best regards
Otto

------------------------------

Date: Tue, 13 Dec 88 11ble enough so the virus could store itself in them all?

2. Do these modems have enough internal memory to store all the information needed?

3. No mention is made of what computer or operating systems are being used (probably default=ms-dos on a pc clone).

Paranoid conjecture: there is >>>no<<< modem virus!!! It is just a rumor being spread by a modem company that either (1) does not sell fast modems or (2) will be coming out shortly with a "virus-proof" modem.

Marty Cohen (mcohen@nrtc.northrop.com, 128.99.0.1)

------------------------------

Date: Tue, 13 Dec 88 14:54:25 EST
From: Naama Zahavi-Ely
Subject: Re: PC virus reported in V1 I43 by MIKEMAC@UNB.BITNET

Hello!

This seems like a virus that we found here at Yale this summer. I doubt very much that it originated here. If it is the same one, then it is nearly invisible on a PC, but if you try to boot an AT from an infected disk, it will "hang" with an undeputer will stay "hung".
If one tries to soft-boot an infected AT from a write-protected disk, it will seem to function normally, but will still be infected. To the best of my knowledge, the virus did not erase any FAT tables. Also to the best of my knowledge, it was brought over to Yale unintentionally by a visiting scholar.

I hope this helps!
Naama

Naama Zahavi-Ely
Project ELI   E-MAIL ELINZE@YALEVM.BITNET
Yale Computer Center
175 Whitney Ave
New Haven, CT 06520
(203) 432-6600 ext. 341

------------------------------

Date: Shuster 74166,2027
>To: All
>
>Unfortunately, I have just discovered that the "MegaROM" CD-ROM (Vol 1, Oct 88) is infected with the "nVIR" virus in seven files. What's worse is that among the infected files are Hypercard and Stuffit 1.5.1, two applications most likely to be executed from it. Please check your copies of Hypercard and Stuffit (and the other applications listed below) for "nVIR" resources (numbered 1, 2, 3, 6, and 7): if present, you're infected.
>
>The MegaROM CD is available from either Quantum Leap Technologies or Nimbus Information Systems. The one that I found to be infected is marked Volume 1, October 88 (another version is planned for January 89). The infected files are:
>   DAs:McSink 5.0:McSink Opener
>   Graphics:*VideoWorks:BigSound VW Player
>   Graphics:Dynamo
>   Hypercard Files:Hypercard 1.21:Hypercard
>   Hypercard Files:Sound Stacks:Sound Utilities:SoundMover
>   Modem Files:Archiving Utilities:Stuffit Update:Stuffit 1.5.1
>   Utilit.
>
>Note that Apple's Virus Rx currently will not detect this virus!
>
>It didn't do any damage to me (besides the time it took to disinfect). The first symptom I had was a bomb on startup, apparently forced by Vaccine when it detects an infected System or Finder.
>Unfortunately, the disk was apparently infected just days before the final directory was built (all the modification dates of the infected applications are from 10/11 to 10/13/88).
>
>The CD is otherwise a tremendous bargain, with more than 300 megabytes of software and data for $50.
>
>--Cy Shuster

The bomb is caused because Vaccine attempts to put up a dialog at INIT time, but not all of the necessary managers are initialized then.

This infection has not yet been verified. Can others with this CD-ROM disk check and post back to the list?

--- Joe M.

------------------------------

Date: Tue, 13 Dec 88 15:58:18 EST
From: Joe McMahon
Subject: Some peoplo-hum attitude indeed! Or worse!

A student came referred to me last week because her teacher said that anyone whose final project bombed during the review would drop two letter grades: that's from an "A" to a "C", "B" to a "D", etc. Fairly stringent for a 1st quarter mac programming course.

She had made some references to fonts which were not resident on most systems as well as a few other stupid mistakes (hell, her whole program was not very well thought out, but that's not my problem. In fact, helping students with their programming is DEFINITELY NOT my problem) and we recompiled and it worked (in its stupid way) well, without bombing.

I took the liberty of insisting that I remove some disabled dotted lines stuck at the end of some one-item pull down menus (more bad interface) and found nVIR in her program and in her copy of RMaker on her disk. My Mac is protected, so it wasn't a problem for me, but she was going to go around and stick this disk in whatever computause her to rebuild her resource file (LOTS of PICTs). She grabbed her disk and ran from my office screaming that it wasn't her fault and why didn't everyone leave her alone.

Subsequent conversations with her professor -- in a discreet manner -- revealed her to be earning about a "D" up to that point anyway. So talk about "ho-hum".
I'd call that "aggressive and blatant disregard".

--scott

<< Ack!
<<
<< --- Joe M.

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
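Cy Shuster's MegaROM note above asks readers to check their applications for resources of type "nVIR" (IDs 1, 2, 3, 6 and 7). That check can be done over the raw resource fork rather than by hand in ResEdit. What follows is an added example, not code from the digest, from Cy Shuster, or from Apple: it parses the classic Mac OS resource-fork layout (16-byte header, resource data area, then a resource map holding the type list, per-type reference lists and the name list) and reports any "nVIR" resources it finds. The two sample forks are constructed in the block itself so it runs offline; the "CODE" resources and the "Main" name are placeholders, and the nVIR payloads are empty bytes rather than real virus code. The ID set is taken from the note; treating the mere presence of the "nVIR" type as an indicator is the note's criterion, not a signature check.

```python
import struct

# Resource IDs that Cy Shuster's MegaROM note lists for nVIR.
NVIR_IDS = {1, 2, 3, 6, 7}


def parse_resource_fork(fork: bytes) -> dict:
    """Return {type: {id: (name, payload)}} for a classic Mac resource fork."""
    data_off, map_off, _data_len, map_len = struct.unpack(">IIII", fork[:16])
    rmap = fork[map_off:map_off + map_len]
    # Map header: 16-byte copy of the fork header, 4-byte handle, 2-byte
    # refnum, 2-byte attributes, then the type-list and name-list offsets
    # (both relative to the start of the map).
    type_list_off, name_list_off = struct.unpack(">HH", rmap[24:28])
    n_types = struct.unpack(">H", rmap[type_list_off:type_list_off + 2])[0] + 1
    resources = {}
    for i in range(n_types):
        entry = type_list_off + 2 + 8 * i
        rtype = rmap[entry:entry + 4].decode("mac_roman")
        n_refs, ref_list_off = struct.unpack(">HH", rmap[entry + 4:entry + 8])
        resources[rtype] = {}
        for j in range(n_refs + 1):
            ref = type_list_off + ref_list_off + 12 * j   # relative to type list
            rid, name_off = struct.unpack(">hH", rmap[ref:ref + 4])
            rel = int.from_bytes(rmap[ref + 5:ref + 8], "big")  # skip 1 attr byte
            start = data_off + rel
            length = struct.unpack(">I", fork[start:start + 4])[0]
            payload = fork[start + 4:start + 4 + length]
            name = None
            if name_off != 0xFFFF:                          # 0xFFFF means unnamed
                p = name_list_off + name_off
                name = rmap[p + 1:p + 1 + rmap[p]].decode("mac_roman")
            resources[rtype][rid] = (name, payload)
    return resources


def nvir_report(fork: bytes) -> dict:
    """Flag any 'nVIR' resources and say which of the known IDs are present."""
    ids = set(parse_resource_fork(fork).get("nVIR", {}))
    return {"infected": bool(ids),
            "known_ids": sorted(ids & NVIR_IDS),
            "other_ids": sorted(ids - NVIR_IDS)}


def build_resource_fork(resources) -> bytes:
    """Assemble a minimal fork from (type, id, name, payload) tuples.

    Constructed test input so the parser can be exercised offline.
    """
    data, by_type = bytearray(), {}
    for rtype, rid, name, payload in resources:
        by_type.setdefault(rtype, []).append((rid, name, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    tl_size = 2 + 8 * len(by_type)
    type_list = bytearray(struct.pack(">H", len(by_type) - 1))
    ref_lists, names = bytearray(), bytearray()
    for rtype, items in by_type.items():
        type_list += rtype.encode("mac_roman")
        type_list += struct.pack(">HH", len(items) - 1, tl_size + len(ref_lists))
        for rid, name, off in items:
            name_off = 0xFFFF
            if name is not None:
                name_off = len(names)
                nb = name.encode("mac_roman")
                names += bytes([len(nb)]) + nb
            ref_lists += struct.pack(">hH", rid, name_off)
            ref_lists += b"\x00" + off.to_bytes(3, "big") + bytes(4)
    rmap = bytearray(24)                       # header copy, handle, refnum, attrs
    rmap += struct.pack(">HH", 28, 28 + tl_size + len(ref_lists))
    rmap += type_list + ref_lists + names
    data_off = 256                             # 16-byte header plus reserved area
    header = struct.pack(">IIII", data_off, data_off + len(data), len(data), len(rmap))
    return header + bytes(data_off - 16) + bytes(data) + bytes(rmap)


# Constructed samples: a clean application fork and one carrying the nVIR set.
APP_RESOURCES = [("CODE", 0, None, bytes(8)), ("CODE", 1, "Main", b"\x4e\x75")]
CLEAN_FORK = build_resource_fork(APP_RESOURCES)
INFECTED_FORK = build_resource_fork(
    APP_RESOURCES + [("nVIR", i, None, bytes(4)) for i in (1, 2, 3, 6, 7)])

if __name__ == "__main__":
    for label, fork in (("clean", CLEAN_FORK), ("infected", INFECTED_FORK)):
        print(label, nvir_report(fork))
```

To run this against a real file, pass it the bytes of that file's resource fork (on current macOS the fork of a file is readable at `<path>/..namedfork/rsrc`; on an archived disk image you would extract it from the MacBinary or AppleDouble container). Because the check keys on the resource type alone, a program that legitimately defines a resource type named "nVIR" would be flagged too, which is the right bias for a screening pass but means a hit should be confirmed by inspecting the resources themselves.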