VIRUS-L Digest   Thursday, 14 Sep 1989    Volume 2 : Issue 192

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Detecting/fighting the DOS-62/UNESCO virus (PC)
Dirty-Dozen list
virus mania
Datacrime viruses (PC)
12th National Computer Security Conference
DataCrime Virus Worries (PC)

---------------------------------------------------------------------------

Date:    Wed, 13 Sep 89 16:54:21 +0000
From:    sal@basp.nmpcad.se (Soren Altemark)
Subject: Detecting/fighting the DOS-62/UNESCO virus (PC)

My MS-DOS system has been infected by some virus. From descriptions of
known viruses I think that the one I've been attacked by is DOS-62 or
UNESCO virus. COM files infect (~+650 bytes) COM files only and
randomly make infected files initiate a warm-boot.

I just want to know if someone out there knows the details of this
virus and if there is any program that can help identify infected
files and otherwise give me guidelines how to fight the virus.

Thanks,
Soren

Soren Altemark, Swedish Institute of MicroElectronics, IM
PO Box 1084, S-164 21 KISTA, SWEDEN
Phone: +46 8 7521173, Fax: +46 8 7505430
E-mail: sal@nmpcad.se or
        {uunet,mcvax,munnari,ukc,unido}!sunic!nmpcad.se!sal

------------------------------

Date:    Wed, 13 Sep 89 10:06:54 -0700
From:    cgorman@XHMEIA.Caltech.Edu (SHIP O' SHRIMP)
Subject: Dirty-Dozen list

Does anyone have any information about the Dirty Dozen virus/trojan list?
An issue (perhaps the only issue) came out on 5/5/88 and is in the
virus-L filelist under the name DIRTY.DOZEN. The list intimates that
regular issues of it would be published. However, I have found no
further issues, and the author (who asks to be contacted by BBS) BBS
number is no longer in service.

- Chris Gorman
Cgorman@xhmeia.caltech.edu/cgorman@citchem.bitnet

------------------------------

Date:    Wed, 13 Sep 89 12:54:10 -0500
From:    Jim Ennis
Subject: virus mania

Hello,

I saw a short piece on the CNN 30 minute news show this morning about
the October 12th virus. They did point out that only a few people may
be affected by this virus.

Jim Ennis
UCF Computer Services

------------------------------

Date:    Wed, 13 Sep 89 11:04:43 -0700
From:    portal!cup.portal.com!cpreston@Sun.COM
Subject: Datacrime viruses (PC)

Since there is sudden increased media attention concerning a "Columbus
Day" virus, including warnings being sent out nationwide by government
agencies, it may be time to mention again (VIRUS-L V2 #174) that the
McAfee Associates VIRUSCAN V36 does successfully locate instances of
the 1168 and 1280 (DATACRIME) virus.

In addition to detecting the apparently original versions, which
format cylinder 0 of a hard disk on or after October 13, the scan
string in VIRUSCAN will locate the same viruses with a minor change,
specifically, a different activation date.

I used the network version of VIRUSCAN on a Novell network to search
for and successfully locate a program infected with the 1168 virus.
Only those network server areas normally accessible to the person
running the program are checked, so it should be run by someone with
appropriate privileges.

The Homebase BBS number for VIRUSCAN (SCANV36.ARC) is 408-988-4004.

For those who cannot obtain a copy of VIRUSCAN, and wish to use a
program similar to Norton Utilities to search for these viruses, the
search strings used by VIRUSCAN are the following:

     1168      EB00B40ECD21B4
     1280      00568DB43005CD21

These identifying strings are supplied with the permission of Mr.
McAfee.

Charles M. Preston                       907-344-5164
Information Integrity                    MCI Mail  214-1369
Box 240027                               BIX  cpreston
Anchorage, AK  99524                     cpreston@cup.portal.com

------------------------------

Date:    Wed, 13 Sep 89 15:34:00 -0400
From:    Jack Holleran
Subject: 12th National Computer Security Conference

Information:   12th National Computer Security Conference

Registration:  12th National Computer Security Conference
               c/o Office of the Comptroller
               National Institute of Standards and Technology
               A807, Administration Building
               Gaithersburg, MD  20899

Dates:         October 10-13, 1989

Place:         Baltimore Convention Center

Payment:       $150.00 before September 25, 1989
               $175.00 after September 25, 1989

Conference hotels in area, single cost, and local phone numbers:

     Hyatt Regency            $99.00    (301) 528-1234
     Days Inn Inner Harbor    $59.00    (301) 576-1000
     Holiday Inn              $69.00    (301) 685-3500
     Baltimore Marriott       $79.00    (301) 962-0202
     Radisson Plaza           $80.00    (301) 539-8400
     Best Western Hallmark    $52.00    (301) 539-1188

Additional information:  Tammie Grice  (301) 975-2775

Payment:  Mastercard, VISA, checks, money orders, training or purchase
          requests.  (payment to "National Institute of Standards and
          Technology/Computer Security Conference")

------------------------------

Date:    13 Sep 89 00:00:00 +0000
From:    David.M..Chess.CHESS@YKTVMV.BITNET
Subject: DataCrime Virus Worries (PC)

I think the reason that people are writing/talking so much about the
DataCrime viruses, despite the fact that they seem to be much rarer
than say the Jerusalem, is simply that they're so much more
*destructive*. If we're just counting infections, one JV infection
equals one DataCrime infection.
But if we're counting the actual destruction wreaked, a Jerusalem
infection is comparatively mild (some EXE and COM files to be
restored/recovered), compared to a worst-case DataCrime activation
(large numbers of hard disks with cylinder 0 gone, and all the data
unreachable). I suspect that's the basis for the apparently
disproportionate worry; I'm not saying it's necessarily
-warranted-, just suggesting an explanation...

DC

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
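
Added example (not part of the digest, and not VIRUSCAN's own code): a
small scanner for the two search strings quoted in the "Datacrime
viruses (PC)" message, showing the chunked read with overlap that keeps
a string split across two reads from being missed. The function names
and the sample buffer are assumptions made for this illustration.

```python
import io

# Search strings as quoted in the digest (hex), keyed by the names used there.
SIGNATURES = {
    "1168": bytes.fromhex("EB00B40ECD21B4"),
    "1280": bytes.fromhex("00568DB43005CD21"),
}

def scan_stream(stream, chunk_size=65536):
    """Return sorted (name, offset) hits for each signature in a binary stream."""
    # Carry the last (longest signature - 1) bytes into the next read so a
    # signature that straddles two reads is still matched.
    overlap = max(len(sig) for sig in SIGNATURES.values()) - 1
    hits = set()          # a set: a short match can sit wholly inside the overlap
    tail, base = b"", 0   # base = stream offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, sig in SIGNATURES.items():
            pos = window.find(sig)
            while pos != -1:
                hits.add((name, base + pos))
                pos = window.find(sig, pos + 1)
        keep = min(overlap, len(window))
        tail = window[len(window) - keep:]
        base += len(window) - keep
    return sorted(hits)

def scan_bytes(data, chunk_size=65536):
    """Scan an in-memory buffer (used for the constructed sample below)."""
    return scan_stream(io.BytesIO(data), chunk_size)

def scan_file(path, chunk_size=65536):
    """Scan one file on disk, e.g. a .COM file copied off a suspect machine."""
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size)

# Constructed sample: filler bytes with the two strings planted at offsets 10 and 22.
SAMPLE = (b"\x90" * 10 + SIGNATURES["1168"] + b"\x00" * 5
          + SIGNATURES["1280"] + b"\x90" * 3)

if __name__ == "__main__":
    for name, offset in scan_bytes(SAMPLE, chunk_size=4):
        print(f"{name} search string at offset {offset}")
```

A match on a string this short marks a file for closer inspection; it
does not by itself prove infection.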