home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Hacker Chronicles - A…the Computer Underground
/
The Hacker Chronicles - A Tour of the Computer Underground (P-80 Systems).iso
/
misc
/
v05i016.txt
< prev
next >
Wrap
Internet Message Format
|
1992-09-27
|
21KB
From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #16
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Tuesday, 28 Jan 1992 Volume 5 : Issue 16
Today's Topics:
Plastique Virus... (PC)
Re: Fprot v2.02 on risc (PC)
Re: NCSA has tested Antivirus Programs (PC)
Re: .SYS Infector? Really? Info Please! (PC)
Re: vsum info... (PC)
Re: VIRUS at AT286 in SCAN85 (PC)
FAT chance? (PC)
Possible Virus, Help!! (PC)
re: New virus????? (PC)
F-PROT/CPAV conflict (PC)
CDef Virus (Mac)
very strange Mac behavior (Mac)
Re: New Antivirus Organization Announced
Re: Trojan definition? Special case
Re: Sigs
new from Padgett Peterson (PC)
"Commercial safety" myth
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 20 Jan 92 16:04:00 -1100
From: Veyis MUEZZINOGLU <VEYIS@TRERUN.BITNET>
Subject: Plastique Virus... (PC)
Hi everybody!
We have trouble with a virus whose name is PLASTIQUE.
I think it infect both .EXE and .COM files and place itself to FAT.
Once a file infected, then it does not working and operating
system (or virus itself) gives
"Sector not found..."
or
"File allocation table error on drive...."
errors.
Also, it doesn't possible to copy it.
After this information, does anybody know where can we get
an antivirus program which remove this virus from our PCs.
Thanks in advance...
Veyis Muezzinoglu
Erciyes University VEYIS@TRERUN.BITNET
Computer Center
------------------------------
Date: 27 Jan 92 12:36:14 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fprot v2.02 on risc (PC)
JFORD@UA1VM.BITNET (James Ford) writes:
> Also, I attempted to ftp the file ccc21.zip (?), but was unable to access
> the server using anonymous. If someone has it, please upload it to risc
Ooops, I published the address incorrectly. Mea culpa, sorry. The
correct name of the file is ccc91.zip, it is on
ftp.informatik.uni-hamburg.de [134.100.4.42], in the /pub/virus/texts
directory. Please note that we have only one (and quite slow) modem,
so I'll appreciate if the file is made available on more popular
archive sites as well. One more time sorry for the confusion.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 27 Jan 92 12:50:21 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NCSA has tested Antivirus Programs (PC)
RADAI@HUJIVMS.BITNET (Y. Radai) writes:
> >There are currently several products, which claim to add a
> >"self-disinfecting" envelope to other programs: I have only McAfee's
> >FShield, but have heard about at least three more - The Untouchable,
> >something from Central Point Software, and a product under
> >development, which I discuss with someone from Bogota, Colombia (if I
> >remember correctly, else - sorry)
> Sorry, that's not accurate. F-Shield (now called File Protector and
> no longer associated with McAfee) does indeed add a self-disinfecting
> envelope to other programs, but Untouchable certainly does not. It
> keeps all the disinfectant info in a central database. (It does check-
> sum itself before checking other files and warns you if it has been
> modified, but it does not *disinfect* itself on the fly as described
> in your quote from Frisk.)
I didn't express myself clearly enough, sorry. My arguments were
mainly against the generic disinfection, regardless how it is
implemented. I agree that keeping the information in a database is
much more correct than to attach it to the files, but I still claim
that generic disinfection is impossible in the general case (even if
using only the currently known infection techniques, and maybe even
with the currently existing viruses). Any, yes, I know that The
Untouchable does not destroy files when it tries to disinfect them,
since it checks whether the repaired file will have the same checksum
as the originals.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 27 Jan 92 13:06:38 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: .SYS Infector? Really? Info Please! (PC)
RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes:
> What's this about a .sys infector? (Frisk Skulason mentions this in a
> recent Virus-l digest.) Some more information please, this is news for
> me.
The device drivers (usually stored in files with SYS extension)
contain executable code, just as the COM and EXE files. They can even
be of the two possible types - COM-type device drivers, and EXE-type
device drivers. Well, to be exact, they have a somewhat special
header, but it is well documented in the manuals and anybody who
bothers to read them can figure out how to write a device driver
infector.
It is arguable whether a device-drivers infecting virus will have any
chance to spread only, but nobody said that it must infect only device
drivers... One could (in fact several people already did) write a
virus, which infects both EXE & COM files and device drivers... In
fact, it could infect boot sectors, partition tables, OBJ files,
libraries, etc...
There have been device drivers infecting viruses since more than two
years - the Happy New Year (Bulgarian) was the first one, but it's not
so easy to make it infect device drivers, so several people haven't
noticed that. Currently I can recall at least about two other device
drivers infecting viruses, both of Russian origin - SVC 6.0 and
Starship. Yet, I know only about one virus scanner, which checks the
device drivers properly - the Dr. Alan Solomon's AntiVirus ToolKit.
Hope the above helps.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 27 Jan 92 13:26:30 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: vsum info... (PC)
hobbit@vax.ftp.com (*Hobbit*) writes:
> Forgive me if this is a faq; I haven't seen any recent references. Is
> there a plaintext version of vsumx.h! that is readable by humans
> without use of a program?
The package includes the program in question, so you can read it
without problems. If you read it -carefully-, you'll see the
explanation why Patti switched to hypertext versions (hint: look at
the Revision History entry). Although I would like to be able to print
porions of it into files in plain-text mode, without using dirty
tricks and printer redirection...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 27 Jan 92 13:20:30 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VIRUS at AT286 in SCAN85 (PC)
tkorho@cs.joensuu.fi (Tommi Korhonen) writes:
> Mine 286 did also JAM after i GOT THE SCAN85.ZIP!!!!!
[description deleted]
Hmm, sounds more like a hardware problem, or a corrupted DOS... (No
problem to write a virus, which does the same, of course, but I don't
think this is your case. And it's certainly not because of SCAN /AV.
You could remove the checksums with SCAN /RV and check whether the
problems disappears. Another advise, boot from a clean DOS system disk
and perform a SYS on your hard disk (or use Norton's "make disk
bootable", if the version of your SYS is not smart enough). No
guarantees, but the problem may disappear. Also try CHKDSK and watch
for any reports about corrupted files...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Fri, 24 Jan 92 20:54:16 +0000
From: lark@Solbourne.COM (Daniel Larkin)
Subject: FAT chance? (PC)
Hi,
Does anyone know of any virus that attacks strictly
the FAT on the hard disk, and if so, what choices
(if any) is there to combat this problem? Any
information on this will be appreciated.
Thanks,
DAN L.
------------------------------
Date: Mon, 27 Jan 92 14:10:00 -0600
From: "RICKY GATES" <RCG1659@TNTECH.BITNET>
Subject: Possible Virus, Help!! (PC)
I was working on a friends Gateway 2000 386SX-20 MHz computer this
weekend, when every time I hit the space bar on the keyboard. It stops
taking input from the keyboard, but the computer types out TUMARC FROM
CHINA on the screen and beeps for about 3 to 4 minutes. It then stops
and leaves the text on the screen. I can backspace it off the screen,
but as soon as I hit the spacebar again it does it again. I asked my
friend when it started doing this to him. He replied that it started
doing it a little while after installing Calender Creater Plus,
AddressBook, and one other program from Power-Up software. I am
wondering if anyone out there has heard of this problem or virus. I
looked in McAfee's virus list and it is not listed, so I am wondering
if this a new virus that has not yet been seen. If anyone has any
suggests at all please send me e-mail. Thanks!!!
Ricky Gates
TTU College of Business
Microcomputer Specialist and LAN Mgr
(615) 372-3684
BITNET: RCG1659@TNTECH.BITNET
------------------------------
Date: 27 Jan 92 15:32:13 -0500
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: re: New virus????? (PC)
>From: diaz@leland.stanford.edu (Kathy Diaz)
>I have a question it seems that I have come across some sort of virus.
>My Dos Machine has in every directory a file called aux.
Various words, including "aux", "con" and "prn", are reserved device
names in DOS. If you try to do anything with them as though they were
files, various odd and unexpected things can happen. "aux" actually
tells DOS to read to / write from the serial port; if the right sort
of device were hooked up there, it might actually work, although I
haven't heard of anyone doing it. "con" tells DOS to treat the
keyboard/screen (the "console") as a file; this can be very useful (as
in COPY CON: TEST.JNK), but many editors will get very confused when
faced with "edit con". Or "edit aux". For more info, see the index
of most DOS manuals, under "device names".
Probably not a virus! *8)
- ---
David M. Chess mI' jIHbe' jay'!
High Integrity Computing Lab loD tlhab jIH!
IBM Watson Research -- qama''e'
------------------------------
Date: Tue, 28 Jan 92 00:06:44 +0700
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT/CPAV conflict (PC)
A user of F-PROT 2.02 just reported a conflict between that program and the
Central Point anti-virus program:
It seems that "Secure Scan" reports:
VSAFE.SYS Infection: New or modified variant of Flip
VWATCH.SYS Infection: New or modified variant of Flip
This means that both FLIP signatures are found in the program, but it does not
appear to be a normal infected file - perhaps a new variant.
Actually, this is a false alarm, caused by the fact that the folks at CP
use the same signatures as I do, and they do not store them in encrypted form
in the file - something any decent anti-virus program should do... :-)
So, if you get this particular message on these files don't worry...I'll do
something about this in the next version, although I really consider this
to be CP's problem....
- -frisk
------------------------------
Date: Mon, 27 Jan 92 08:54:31 -0500
From: Ed Maioriello <edm@athena.cs.uga.edu>
Subject: CDef Virus (Mac)
Hello All,
I have been seeing alot of the CDEF virus lately. Does anyone have
any info on the way the virus works etc. It seems to be caught quite
nicely by the Disinfectant init, and removed easily by Disinfectant
2.5.1, but I would like to know more about it.
Thanks in advance.
Ed Maioriello emaiorie @ uga.cc.uga.edu
University Computing & Networking Services edm @ athena.cs.uga.edu
University of Georgia edm @ aisun1.ai.uga.edu
Athens, Ga. 30602 (404) 542-5162
------------------------------
Date: 24 Jan 92 21:41:17 +0000
From: peter@sysnext.library.upenn.edu (Peter C. Gorman)
Subject: very strange Mac behavior (Mac)
Hello -
I've got a Mac IIsi, system 6.0.7, that's behaving very strangely:
- - When anyone tries to access the Page Setup or Print functions from
just about any application, Gatekeeper says that the application is
trying to violate res(system) privileges against the System -
RsrcMapEntry(DRVR2).
- - The Mac was working perfectly happpily until a few days ago; the
user doesn't know of any changes that were made. (But this is a
semipublic machine)
- - Some applications also trigger the warning when loading or when
trying to open a document.
- - Disinfectant 2.5.1 sees nothing wrong.
Has anyone seen this sort of this thing before? I don't want to raise
the virus alarm prematurely; It's possible that something's been
corrupted by other means.
Oh yeah - replacing the System file and printer drivers doesn't change
anything.
Thanks for your help.
- --
Peter Gorman
University of Pennsylvania
Library Systems Office
peter@sysnext.library.upenn.edu
------------------------------
Date: Mon, 27 Jan 92 09:21:13 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: New Antivirus Organization Announced
RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes:
>The following is from the Dec 30,1991/Jan 6,1992 issue of Network World.
> Northern Telecom, Inc. and universities in Hamburg, Germany, and
> Iceland.
Hm...I suppose that "University of Iceland" is supposed to refer to
me... but it is a misunderstanding - I quit my job at the university
last April, and now concentrate my efforts on the development of my
product, and virus-related work.
- -frisk
------------------------------
Date: 27 Jan 92 13:15:53 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Trojan definition? Special case
vail@tegra.com (Johnathan Vail) writes:
> The definition I have in my glossary is:
> ________________
> trojan (horse) - This is some (usually nasty) code that is added to,
> or in place of, a harmless program. This could include many viruses
> but is usually reserved to describe code that does not replicate
> itself.
> ________________
Hmm, the definition is not that bad, but I think that a more exact one
would be "a program, which intentionally performs some undocumented
functions"... Oh well.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Fri, 24 Jan 92 21:22:58 +0000
From: rslade@cue.bc.ca (Rob Slade)
Subject: Re: Sigs
willimsa@unix1.tcd.ie (alastair gavi williams) writes:
> So, what's a signature virus? Does it require the file to be
The signature virus is a joke. You will note, on those sigblocks that
have it, the note "append me to your sig file".
It is strikingly similar to the "classified ads" virus. The one that
says "send a copy of me to your local paper classified ads section".
==============
Vancouver p1@arkham.wimsey.bc.ca | "Is it plugged in?"
Institute for Robert_Slade@sfu.ca | "I can't see."
Research into rslade@cue.bc.ca | "Why not?"
User CyberStore Dpac 85301030 | "The power's off
Security Canada V7K 2G6 | here."
------------------------------
Date: Tue, 28 Jan 92 09:53:00 -0500
From: HAYES@urvax.urich.edu
Subject: new from Padgett Peterson (PC)
Hello.
Just received from A. Padgett Peterson and made available:
FIXUTIL2.ZIP:
> Minor updates of FIXUTIL - CHKBOOT finds FORM family, FixFBR won't
> flag Zenith boot records as suspect - .doc reflects lower pricing
> (why not ?) minor ASCII changes.
Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: Sun, 26 Jan 92 21:07:52 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: "Commercial safety" myth
DEFMTH8.CVP 920126
The "Commercial Safety" Myth
If I had to choose one viral myth which most contributed to the
unchecked spread of viral programs that exists today, it would be that
of the "safety" of commercial software. Although there is little
agreement as to actual numbers, most virus researchers would agree with
the statement that the vast majority of viral infections are caused by
viri which are both easy to detect and easy to remove. Yet one recent
survey of 600,000 PCs indicated that 63% had been hit with an infection.
Why? Easy. Only 25% had any kind of protection against viri. (Note -
even more disturbing - *at least* 48% *have been hit and STILL HAVE NOT
TAKEN PRECAUTIONS!*)
I am often faced with the assertion from computer users that, "Oh, I
don't need to worry about viruses. *I* only use *commercial* software.
If it doesn't have shrink wrap, it doesn't go into *my* computer!" This
statement, and feeling of false security, relies on three assumptions:
1) that shareware is a major viral vector, 2) commercial software is
never infected, only shareware and pirate software are and 3) there are
no viral vectors other than software.
Although shareware has been involved in the spread of viral programs, it
is difficult to say how much of a role that it plays. In nine years of
involvement with the local and extended communications community, I have
not yet downloaded a file which I found to contain a viral program
infection. (Except for the ones that were sent to me as such.) Note
that I am not making any claims to superior knowledge or expertise here:
my random sampling of interesting looking files off the nets and boards
has yet to pull in one which is infected. Others say otherwise,
although it was interesting to note, in a recent conversation where
someone to the opposing view, that he finally had to admit he'd never
downloaded an infected file either. In fact, for many years, shareware
antivirals were the only reasonable form of protection.
Every major microcomputer operating system except CP/M has had at least
one instance of a major commercial software vendor distributing infected
programs or media. They take precautions, of course, but apparently
still don't give virus checking a high enough priority.
Besides which, there are other possibilities for obtaining viral
infections from "commercial" sources. Most commercial software is still
distributed on writable media. Software retailers will often accept
"returned" software, re-wrap it (shrink wrapping is easy to do) and
resell it - often without checking for any incidental infection.
Hardware or system retailers are all too often selling infected systems
these days, not knowin
Downloaded From P-80 International Information Systems 304-744-2253