VIRUS-L Digest   Friday, 4 Aug 1989    Volume 2 : Issue 168

Today's Topics:

Israeli boot viruses; New UnVirus (PC)
New FTP source for anti-virals (PC) - Internet access required
IBM Australian/Stoned Virus (PC)
Re: viruses that reprogram ANSI keys
Re: Shareware? Hmm... (Mac)

---------------------------------------------------------------------------

Date:    Thu, 03 Aug 89 17:07:48 +0300
From:    Y. Radai
Subject: Israeli boot viruses; New UnVirus (PC)

Israeli boot-sector viruses
---------------------------

At least two boot-sector viruses were discovered in Israel recently. One,
which hooks interrupt 17h and causes letters sent to the printer to be
replaced by similar sounding ones, was reported by Yair Gany and by myself
in VIRUS-L at the end of June. I referred to it then as the "Mistake"
virus, but I now prefer the name "Typo".

Another virus, mentioned by John McAfee a few days ago, was described only
as being a boot-sector virus discovered in Israel; he suggested calling it
the "Israeli Boot" virus since he thought that no such viruses had been
reported from Israel previously. But since the Typo is also a boot-sector
virus, John's suggestion is inappropriate. I have not yet seen the new
virus in action, but according to info sent me by Yuval Tal, it causes
letters on the screen to fall. (There are two other viruses which fit this
description: the Cascade/Autumn/Blackjack virus and the Traceback virus,
but they infect files, not boot sectors.) I suggest we call it the Swap
virus, since the words SWAP VIRUS FAT12 appear in the modified boot sector.

New version of UNVIRUS
----------------------

A few weeks ago I offered to send the virus-eradicating program UNVIRUS to
anyone who wanted it. It has now been updated to eradicate many more
viruses. I have sent a package UNVIR6.ARC to Keith Petersen for uploading
to the SIMTEL20 archive. It consists of the following three files:

  UNVIR6.DOC   Instructions for use of the following two programs.
  UNVIRUS.EXE  Eradicates Israeli (2 strains), Ping-Pong, Brain, Typo,
  (Vers. 6)    April-1-Com, April-1-Exe.
  IMMUNE.EXE   Prevents infection by Israeli and April-1 viruses and
  (Vers. 5)    notifies of presence in RAM of any boot-sector virus.

The authors (Yuval Rakavy and Omri Mann) plan to extend UNVIRUS to many
more viruses in the near future, but they always give priority to those
which have appeared in Israel. The next virus on the list will evidently
be the Swap virus.

Y. Radai
Hebrew Univ. of Jerusalem

P.S. Please do not send requests for UNVIR6 to me. If it is not yet on
SIMTEL20 it soon will be.

------------------------------

Date:    Thu, 03 Aug 89 12:15:52 -0500
From:    kichler@ksuvax1.cis.ksu.edu (Charles Kichler)
Subject: New FTP source for anti-virals (PC) - Internet access required

The following files dealing with computer viruses are now available by
anonymous ftp (file transfer protocol) from 'hotel.cis.ksu.edu' [Ed. IP
number is 129.130.10.12] located in Computer Science Dept. at Kansas State
University, Manhattan, KS. The files have been and will be collected in
the future from reliable sources, although no warranty is implied or
stated. I will attempt to update the files as often as possible. If anyone
becomes aware of new updates or new anti-viral programs, let me know.

All files are in the /ftp/pub/Virus-L sub-directory.
./              DETECT2.ARC.1     GREENBRG.ARC.1    VACCINE.ARC.1
../             DIRTYDZ9.ARC.1    IBMPAPER.ARC.1    VACCINEA.ARC.1
00-Index.doc    DPROT102.ARC.1    IBMPROT.DOC.1     VACI13.ARC.1
ALERT13U.ARC.1  DPROTECT.ARC.1    INOCULAT.ARC.1    VCHECK11.ARC.1
BOMBCHEK.ARC.1  DPROTECT.CRC.1    MD40.ARC.1        VDETECT.ARC.1
BOMBSQAD.ARC.1  DVIR1701.EXE.1    NOVIRUS.ARC.1     VIRUS.ARC.1
CAWARE.ARC.1    EARLY.ARC.1       PROVECRC.ARC.1    VIRUSCK.ARC.1
CHECK-OS.ARC.1  EPW.ARC.1         READ.ME.FIRST     VIRUSGRD.ARC.1
CHK4BOMB.ARC.1  F-PROT.ARC.1      SCANV30.ARC.1     pk36.exe
CHKLHARC.ARC.1  FILE-CRC.ARC.2    SENTRY02.ARC.1    pk361.exe
CHKSUM.ARC.1    FILECRC.ARC.2     SYSCHK1.ARC.1     uu213.arc
CHKUP36.ARC.1   FILETEST.ARC.1    TRAPDISK.ARC.1
CONDOM.ARC.1    FIND1701.ARC.1    TROJ2.ARC.1
DELOUSE1.ARC.1  FSP_16.ARC.1      UNVIR6.ARC.1

The current list only includes programs for MS/PC-DOS computers. I will
continue to expand the collection to include some worthwhile textual
documents and possible programs for other machines and operating systems.

The procedure is to first ftp to the hotel.cis.ksu.edu. [Ed. type: ftp
hotel.cis.ksu.edu (or ftp 129.130.10.12). Enter "anonymous" (without the
quotes) as a username and "your id" as a password.] Then use 'cd
pub/Virus-L'. Next get the files you would like. You will need the
'pk361.exe' to expand the ARChived programs. Be sure to place ftp in a
binary or tenex mode [Ed. type "bin" at ftp> prompt]. Please note that the
highly recommended VirusScan program (SCANV30.ARC.1) is available.

If there are any questions, send mail to me and I will make every effort
to help you as soon as time allows.

[Ed. Sorry for all the editorial comments... And thank you for all of your
efforts, Chuck!]

Charles "chuck" E. Kichler, Intro. to PC Instructor/Co-ordinator
Computer & Info. Science      Kansas State Univ.  * Yesterday,
Internet: kichler@ksuvax1.cis.ksu.edu             |   I knew the answers.
BITNET:   kichler@ksuvax1.bitnet                  * Today,
UUCP:     {rutgers,texbell}!ksuvax1!kichler       |   they changed the answers.
------------------------------

Date:    04 Aug 89 07:35:42 -0100
From:    Jeff Raynor
Subject: IBM Australian/Stoned Virus (PC)

One of my colleagues has just become infected with the "Stoned/Australian"
virus and contacted me for help. I have searched through my VIRUS-L
archives for information. There seem to be few specific details of what
part of the hard disk it infects, or how to remove it. The best information
was on 8-May-89 from Alan_J_Roberts/Jim Goodwin:

>..this virus stores itself between the partition table and the
> first partition.

According to Norton Utilities, Absolute sector Side 0, Cylinder 0, Sector 1
is my partition table, while Sector 2 is the start of my DOS partition.
Where is the virus supposed to reside? At the end of the 1st sector, or is
there an error in my sector numbering?

There is further mention that SYS fails to remove the virus (I can confirm
that), but recommends MDISK. I have downloaded the MD40.ARC from Simtel,
but find that it is DOS version specific; MD40 is for DOS 4.0 only. In
this case, I need MD32, but would like MD30 and MD33 as we run 3.1 and 3.3
here.

I would also like to see a DOS independent algorithm to remove the virus
manually using DEBUG low-level read/writes or a Disk editor.

Thanks for your help

Jeff Raynor
EARN: RAYNOR@RZSIN.SIN.CH
Post: Paul Scherrer Institut, Badenerstrasse 569, 8048 Zurich, Switzerland.

------------------------------

Date:    03 Aug 89 22:18:25 +0000
From:    hutto@attctc.Dallas.TX.US (Jon Hutto)
Subject: Re: viruses that reprogram ANSI keys

They don't usually harm people using communications software as much as
they do BBSs, because the sequences are set for only certain directories
and files. IBM's ANSI.SYS doesn't let you filter them out either. There
are some ANSI substitutes that do, such as NANSI, and PC-Mag had one in an
issue called ANSI.COM.
- --
- --
Jon Hutto   PC-Tech BBS (214)271-8899 2400 baud
USENET:   {ames, texbell, rutgers, portal}!attctc!hutto
INTERNET: hutto@attctc.dallas.tx.us or attctc!hutto@ames.arc.nasa.gov

------------------------------

Date:    Thu, 03 Aug 89 08:21:33 -0400
From:    "W. K. Bill Gorman" <34AEJ7D@CMUVM.BITNET>
Subject: Re: Shareware? Hmm... (Mac)

Yeah, I know - wrong list, but...

Wouldn't it be interesting if others, say auto dealers, took this same
position, i.e., since one has the use of a vehicle purchased from them,
kick in the difference in price between, say, the '89 and '90 models?

Yeow!!! :-)

------------------------------

End of VIRUS-L Digest
*********************
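Jon Hutto's message above notes that ANSI.SYS offers no way to filter out key-reprogramming sequences, so a BBS that echoes user-submitted text has to strip them itself. The following is an added example, not code from the digest or from any of the programs named in it: a small filter that recognises the ANSI.SYS key-reassignment form (ESC [ key-code ; "string" ... p), reports which key a sequence would redefine, and removes it while leaving ordinary colour/cursor sequences intact. The sample message is constructed, and the key-name table is assumed from the ANSI.SYS reassignment codes (13 = Enter, 0;59 through 0;68 = F1 to F10).

```python
import re

ESC = "\x1b"

# ANSI.SYS key reassignment: ESC [ code ; "string" [; more params] p
# Each parameter is either a decimal number (a key code or a character
# code) or a double-quoted string; parameters are separated by ';' and
# the sequence is terminated by a lowercase 'p'.  Colour and cursor
# sequences end in other letters (m, H, J, ...) and are not matched.
_PARAM = r'(?:\d+|"[^"\x1b]*")'
KEY_REASSIGN_RE = re.compile(ESC + r"\[" + _PARAM + r"(?:;" + _PARAM + r")*p")

# Assumed key names, taken from the ANSI.SYS key-reassignment table.
# Extended keys (function keys, cursor keys) are written as "0;<scan code>".
KEY_NAMES = {
    "13": "Enter",
    "0;59": "F1", "0;60": "F2", "0;61": "F3", "0;62": "F4", "0;63": "F5",
    "0;64": "F6", "0;65": "F7", "0;66": "F8", "0;67": "F9", "0;68": "F10",
}


def describe_key(params: str) -> str:
    """Name the key that a reassignment parameter list would redefine.

    `params` is the text between 'ESC[' and the terminating 'p'.  The key
    being redefined is the leading code; "0;<n>" denotes an extended key.
    """
    parts = params.split(";")
    if parts[0] == "0" and len(parts) > 1 and parts[1].isdigit():
        code = "0;" + parts[1]
    else:
        code = parts[0]
    return KEY_NAMES.get(code, "key code " + code)


def find_key_reassignments(text: str):
    """Return (offset, key name, raw sequence) for every reassignment found."""
    hits = []
    for m in KEY_REASSIGN_RE.finditer(text):
        raw = m.group(0)
        params = raw[2:-1]          # drop leading ESC[ and trailing p
        hits.append((m.start(), describe_key(params), raw))
    return hits


def strip_key_reassignments(text: str) -> str:
    """Remove key-reassignment sequences, keeping all other ANSI sequences."""
    return KEY_REASSIGN_RE.sub("", text)


# Constructed sample: a BBS banner with a harmless colour sequence followed
# by a sequence that would rebind the Enter key to the text "remapped".
SAMPLE_MESSAGE = (
    ESC + "[1;32mWelcome to the board!" + ESC + "[0m\r\n"
    + "Press Enter to continue..."
    + ESC + '[13;"remapped";13p'
    + "\r\n"
)


def audit_message(text: str):
    """Return the cleaned text together with the list of findings."""
    return strip_key_reassignments(text), find_key_reassignments(text)


if __name__ == "__main__":
    cleaned, findings = audit_message(SAMPLE_MESSAGE)
    for offset, key, raw in findings:
        print(f"offset {offset}: sequence redefines {key}: {raw!r}")
    print("cleaned:", repr(cleaned))
```

The filter is deliberately narrow: it only removes sequences whose final byte is `p`, so colour and cursor-positioning codes that a BBS legitimately uses survive. A stricter policy for untrusted input would be to allow-list only the sequences the display actually needs and drop everything else.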