VIRUS-L Digest   Friday, 1 Dec 1989   Volume 2 : Issue 251

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

More anti-virals (IBMPC)
Introduction to the anti-viral archives
Amiga anti-viral archive sites
Apple II anti-viral archive sites
Atari ST anti-viral archive sites
Documentation anti-viral archive sites
IBMPC anti-viral archive sites
Macintosh anti-viral archive sites
UNIX anti-viral archive sites
Virus Demos?
Ping-Pong virus version B
Latest VIRUSCAN (SCAN.EXE) version (PC)
Requesting info on Yale Virus (PC)
Information requested
MDISK - Boot virus removing program (PC)
Virus Simulator Found! (PC)
Virus attack [AMIGA]

---------------------------------------------------------------------------

Date: Tue, 28 Nov 89 23:59:00 -0600
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: More anti-virals (IBMPC)

In addition to the files mentioned here, I'm trying to see that all the IBMPC archive sites are "in sync" with one another. This generally means that older files will be sent to sites, but there are some goodies out there. After a while, check up on your favorite archive site.

Short listings...
ckot095.zip     Shell program to use with scanv and archived files
dirtyd9b.zip    Version 9B of the Dirty Dozen list of Trojan programs
fsp_17.arc      FluShot+ v1.7, checksums and resident protection
nobrains.arc    Docs and progs for dealing with Brain virus
scanrs49.zip    Resident program to scan executables for viruses
scanv49.zip     Program to scan files/dirs/disks for viruses
shez491.zip     Shell program to use with scanv and archived files
virstop.zip     Resident program to scan executables for viruses

Long listings...

ckot095.zip
        Update to the shell program for manipulating archives. (ARC, ZOO, PAK, ZIP, LZH, etc.) Compatible with scanv. Should fix previous problem with deleting files. DOS4.01 users be cautious. This program is meant for command line and batch usage.
dirtyd9b.zip
        Excellent list of Trojan Horse and pirated programs. As for the virus listings, they seem to be in a *very* preliminary stage of development. Two of the "virus" listings include:

        | COMMAND.COM | This is a traditional Virus. Originating
                      | in colleges and universities across the
                      | nation, and in particular at Lehigh
                      | College, this virus will embed itself in
                      | COMMAND.COM.

        Remember, command.com is a virus which infects itself, in a traditional sort of way. :-)

        | UNIX        | Version 4.3 of UC Berkley's UNIX is
                      | apparently an INTERNET virus which
                      | travels by mail packet. Beware.

        Got that? Everybody delete that nasty Unix from your systems. :-)
fsp_17.arc
        Version 1.7 of FluShot+. Checksums files, and provides runtime protection from malicious programs. One of the many documentation files provided is 40 pages long. There's lots of information for beginning to intermediate DOS users. Apparently this announcement slipped through the cracks earlier.
nobrains.arc
        I took a couple existing programs to eradicate the Brain virus, found the source code for them and packed it all up together with a bunch of informational text. Starter kit for the brain infected.
scanrs49.zip
        Yet another update.
        Includes table of viruses and characteristics, plus validation program.
scanv49.zip
        Yet another update. Includes table of viruses and characteristics, plus validation program.
shez491.zip
        Update to the shell program for manipulating archives. (ARC, ZOO, PAK, ZIP, LZH, etc.) Compatible with scanv. This program is meant for interactive browsing.
virstop.zip
        A program that does essentially what scanres does, but according to the author, it's cheaper and it's faster.

Jim

------------------------------

Date: 29 Nov 89 18:20:34 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Introduction to the anti-viral archives

# Introduction to the Anti-viral archives...
# Listing of 29 November 1989

This posting is the introduction to the "official" anti-viral archives of virus-l/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh and Unix computers, as well as sites carrying research papers and reports of general interest.

If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites.

If you have any corrections to the lists, please let me know.

Jim

==== cruft for the lawyers ====

The files contained on the participating archive sites are provided freely on an as-is basis.

To the best of our knowledge, all files contained in the archives are either Public Domain, Freely Redistributable, or Shareware. If you know of one that is not, please drop us a line and let us know. Reports of corrupt files are also welcome.

PLEASE NOTE

The Managers of these systems, and the Maintainers of the archives, CAN NOT and DO NOT guarantee any of these applications for any purpose.
All possible precautions have been taken to assure you of a safe repository of useful tools. Unfortunately, in this day and age nothing is certain.

It is awful that these people have to worry about legalities when they are only trying to provide a free and useful service. Sigh.

------------------------------

Date: 29 Nov 89 18:24:09 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Amiga anti-viral archive sites

# Anti-viral archive sites for the Amiga
# Listing last changed 30 September 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Amiga index for the virus archives can be retrieved as
                request: amiga
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ms.uky.edu
        Sean Casey
        Access is through anonymous ftp.
        The Amiga anti-viral archives can be found in /pub/amiga/Antivirus.
        The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for index.
        Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area.

uxe.cso.uiuc.edu
        Mark Zinzow
        Lionel Hummel
        The archives are in /amiga/virus.
        There is also a lot of stuff to be found in the Fish collection.
        The IP address is 128.174.5.54.
        Another possible source is uihub.cs.uiuc.edu at 128.174.252.27.
        Check there in /pub/amiga/virus.

------------------------------

Date: 29 Nov 89 18:24:41 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Apple II anti-viral archive sites

# Anti-viral archive sites for the Apple II
# Listing last changed 30 September 1989

brownvm.bitnet
        Chris Chung
        Access is through LISTSERV, using SEND, TELL and MAIL commands.
        Files are stored as
                apple2-l xx-xxxxx
        where the x's are the file number.

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Apple II index for the virus archives can be retrieved as
                request: apple
                topic: index
        For further details send a message with the text
                help
        The administrative address is

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for index.
        Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area.

------------------------------

Date: 29 Nov 89 18:25:07 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Atari ST anti-viral archive sites

# Anti-viral archive sites for the Atari ST
# Listing last changed 30 September 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Atari ST index for the virus archives can be retrieved as
                request: atari
                topic: index
        For further details send a message with the text
                help
        The administrative address is .

panarthea.ebay
        Steve Grimm
        Access to the archives is through mail server.
        For instructions on the archiver server, send
                help
        to .

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for index.
        Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area.

------------------------------

Date: 29 Nov 89 18:25:50 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Documentation anti-viral archive sites

# Anti-viral archive sites for documentation
# Listing last changed 30 September 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The index for the **GENERAL** virus archives can be retrieved as
                request: general
                topic: index
        The index for the **MISC.** virus archives can be retrieved as
                request: misc
                topic: index
        **VIRUS-L** entries are stored in monthly and weekly digest form from May 1988 to December 1988. These are accessed as log.8804 where the topic substring is comprised of the year, month and a week letter. The topics are:
                8804, 8805, 8806 - monthly digests up to June 1988
                8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
        The following daily digest format started on Wed 9 Nov 1988. Digests are stored by volume number, e.g.
                request: virus
                topic: v1.2
        would retrieve issue 2 of volume 1, in addition v1.index, v2.index and v1.contents, v2.contents will retrieve an index of available digests and an extracted list of the contents of each volume respectively.
        **COMP.RISKS** archives from v7.96 are available on line as:
                request: comp.risks
                topic: v7.96
        where topic is the issue number, as above v7.index, v8.index and v7.contents and v8.contents will retrieve indexes and contents lists.
        For further details send a message with the text
                help
        The administrative address is

lehiibm1.bitnet
        Ken van Wyk new:
        This site has archives of VIRUS-L, and many papers of general interest.
        Access is through ftp, IP address 128.180.2.1.
        The directories of interest are VIRUS-L and VIRUS-P.

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for index.
        Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area.

unma.unm.edu
        Dave Grisham
        This site has a collection of ethics documents. Included are legislation from several states and policies from many institutions.
        Access is through ftp, IP address 129.24.8.1.
        Look in the directory /ethics.

------------------------------

Date: 29 Nov 89 18:26:24 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: IBMPC anti-viral archive sites

# Anti-viral archive for the IBMPC
# Listing last changed 29 November 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The IBMPC index for the virus archives can be retrieved as
                request: ibmpc
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ms.uky.edu
        Daniel Chaney
        This site can be reached through anonymous ftp.
        The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus.
        The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for index.
        Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area.

uxe.cso.uiuc.edu
        Mark Zinzow
        This site can be reached through anonymous ftp.
        The IBMPC anti-viral archives are in /pc/virus.
        The IP address is 128.174.5.54.

vega.hut.fi
        Timo Kiravuo
        This site (in Finland) can be reached through anonymous ftp.
        The IBMPC anti-viral archives are in /pub/pc/virus.
        The IP address is 130.233.200.42.

wsmr-simtel20.army.mil
        Keith Peterson
        Direct access is through anonymous ftp, IP 26.2.0.74.
        The anti-viral archives are in PD1:.
        Simtel is a TOPS-20 machine, and as such you should use "tenex" mode and not "binary" mode to retrieve archives. Please get the file 00-INDEX.TXT using "ascii" mode and review it offline.
        NOTE: There are also a number of servers which provide access to the archives at simtel.
        WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe from EARN TRICKLE servers. Send commands to TRICKLE@ (for example: TRICKLE@AWIWUW11). The following TRICKLE servers are presently available: AWIWUW11 (Austria), BANUFS11 (Belgium), DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy), EB0UB011 (Spain) and TREARN (Turkey).

------------------------------

Date: 29 Nov 89 18:26:47 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Macintosh anti-viral archive sites

# Anti-viral archive sites for the Macintosh
# Listing last changed 07 November 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Mac index for the virus archives can be retrieved as
                request: mac
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ifi.ethz.ch
        Danny Schwendener
        Interactive access through DECnet (SPAN/HEPnet):
                $SET HOST 57434 or $SET HOST AEOLUS
                Username: MAC
        Interactive access through X.25 (022847911065) or Modem 2400 bps (+41-1-251-6271):
                # CALL B050
                Username: MAC
        Files may also be copied via DECnet (SPAN/HEPnet) from
                57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]

rascal.ics.utexas.edu
        Werner Uhrig
        Access is through anonymous ftp, IP number is 128.83.144.1.
        Archives can be found in the directory mac/virus-tools.
        Please retrieve the file 00.INDEX and review it offline.
        Due to the size of the archive, online browsing is discouraged.

scfvm.bitnet
        Joe McMahon
        Access is via LISTSERV.
        SCFVM offers an "automatic update" service. Send the message
                AFD ADD VIRUSREM PACKAGE
        and you will receive updates as the archive is updated.
        You can also subscribe to automatic file update information with
                FUI ADD VIRUSREM PACKAGE

sumex-aim.stanford.edu
        Bill Lipa
        Access is through anonymous ftp, IP number is 36.44.0.6.
        Archives can be found in /info-mac/virus.
        Administrative queries to .
        Submissions to .
        There are a number of sites which maintain shadow archives of the info-mac archives at sumex:
        * MACSERV@PUCC services the Bitnet community
        * LISTSERV@RICE for e-mail users
        * FILESERV@IRLEARN for folks in Europe

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for index.
        Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area.

wsmr-simtel20.army.mil
        Robert Thum
        Access is through anonymous ftp, IP number 26.2.0.74.
        Archives can be found in PD3:.
        Please get the file 00README.TXT and review it offline.

------------------------------

Date: 29 Nov 89 18:27:17 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: UNIX anti-viral archive sites

# Anti-viral and security archive sites for Unix
# Listing last changed 30 September 1989

attctc
        Charles Boykin
        Accessible through UUCP.

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        For further details send a message with the text
                help
        The administrative address is

sauna.hut.fi
        Jyrki Kuoppala
        Accessible through anonymous ftp, IP number 128.214.3.119.
        (Note that this IP number is likely to change.)

ucf1vm
        Lois Buwalda
        Accessible through...

wuarchive.wustl.edu
        Chris Myers
        Accessible through anonymous ftp, IP number 128.252.135.4.
        A number of directories can be found in ~ftp/usenet/comp.virus/*.

------------------------------

Date: Thu, 01 Dec 89 08:26:11 +0000
From: munnari!mlacus.oz.au!ash@uunet.uu.net
Subject: Virus Demos? (PC)

I have seen conflicting descriptions of what the Marijuana virus displays on the screen. Not being afflicted myself, touch wood, I don't know whom to believe. Three sources I have seen claim that the "Legalise marijuana" message is seen, and Alan Solomon recently said at a Melbourne seminar that this message is embedded in the virus code, and is not seen on the screen.

This anomaly is a minor issue, but it set me wondering how does the average user (beginner) know when a virus has struck her/him? There is no shortage of virusbusters able and willing to help such people for a fee. It would be a good idea for someone who has samples of all known viruses to create a "virus demo" program using something like Dan Bricklin's Demo for the purpose.
I haven't seen this program (DB's D), so I don't know if it could mimic all viruses. It would also not work with a virus that does its damage in the background and leaves no screen message.

Our user group would like to create a library of viruses for testing new antivirus programs, but I appreciate that no self-respecting custodian of samples would turn over copies to us without some cast-iron guarantees of keeping the samples under lock and key. Hence the suggestion for a harmless virus demo for known culprits that leave a screen symptom.

Ash Nallawalla, Editor PC Update, Melbourne PCUG.:
=============================================================================
Ash Nallawalla     Tel: +61 3 823-1959   Fax: +61 3 820-1434
ZL4LM/VK3CIT       Postal: P.O. Box 539, Werribee VIC 3030, Australia.

------------------------------

Date: 30 Nov 89 13:58:10 +0000
From: ssircar@ecs.umass.edu (Good writers re-write -- not write!)
Subject: Ping-Pong virus version B

At my university, we have several computers infected with the Ping Pong virus version B. What is the easiest way to remove the virus? Let me rephrase that. How can I remove the virus without erasing the data?

------------------------------------------------------------------------------
Santanu Sircar                        BITNET: ssircar@umaecs.bitnet
University of Massachusetts/Amherst   INTERNET: ssircar@ecs.umass.edu
|-----------------------------------------------------------------------------|
"A pig ate his fill of acorns under an oak tree and then started to root around the tree. A crow remarked, `You should not do this. If you lay bare the roots, the tree will wither and die.' `Let it die,' said the pig.
`Who cares so long as there are acorns?'"
-----------------------------------------------------------------------------

------------------------------

Date: Thu, 30 Nov 89 18:27:00 -0500
From: IA96000
Subject: Latest VIRUSCAN (SCAN.EXE) version (PC)

I just downloaded the latest version of SCAN, and in reading the documentation file, I noticed that SCAN now uses SELF TEST?

At least that is what it says in the opening paragraph of the latest documentation file. Did I read it wrong? (It was late at night!)

------------------------------

Date: Thu, 30 Nov 89 19:05:34 -0400
From: Elizabeth Caruso
Subject: Requesting info on Yale Virus (PC)

After running VIRSCAN on a Dos 3.1 floppy disk, it reported that the boot sector was infected with the Yale Virus. When we booted a pc with this disk the following message was displayed: "This is a message from the U.S. Space Fedearation". Is this message part of the virus or was it just placed by a user?

WE ARE REQUESTING ANY INFO YOU HAVE ABOUT THE YALE VIRUS!

Thanks in advance!

------------------------------

Date: Thu, 30 Nov 89 20:26:12 +0000
From: "A.G. Miller"
Subject: Information requested

AT THIS MOMENT I AM TRYING TO COMPILE A LARGE AMOUNT OF DATA ON CERTAIN ACTIVITY. IF ANYONE IN THE GROUP KNOWS OF ANY DETAILS OF SYSTEMS BEING HACKED INTO OR BETTER STILL SYSTEMS BEING HACKED INTO AND NASTIES PLACED IN THEM THEN I WOULD LIKE TO KNOW. THIS INFORMATION IS REQUIRED FOR A STUDY INTO COMPUTER SECURITY AND RELATED TOPICS.

MAIL TO miller@uk.ac.hw.ee

ALLAN MILLER
DEPARTMENT OF ELECTRICAL AND ELECTRONIC ENGINEERING.
HERIOT WATT UNIVERSITY
EDINBURGH
SCOTLAND.

THANK YOU........

------------------------------

Date: Fri, 01 Dec 89 09:05:43 +0000
From: MCGDRKG@CMS.MANCHESTER-COMPUTING-CENTRE.AC.UK
Subject: MDISK - Boot virus removing program (PC)

Has anyone used this package? I have tried it to remove Stoned virus from the partition table of a hard disk and it seems to work ok.
However when I tried to remove the same virus from the boot sector of a floppy I keep getting an Abort error message - not able to continue (from the program). As the documentation on this package is rather scarce I would appreciate any advice or comment (I have followed the procedure as given in the documentation several times to make sure I did it right!). Our DOS is version 3.3 and I used the MD33 F command to disinfect floppies.

Bob.Gowans

PS. I obtained the package from WSMR-SIMTEL20.ARMY.MIL PD1:MD.ARC.1

                     JANET:       R.Gowans@uk.ac.MCC
                     Internet:    R.Gowans%MCC.ac.uk@cunyvm.cuny.edu
Dept Civil Eng,      EARN/BITNET: R.Gowans%MCC.ac.uk@UKACRL
U.M.I.S.T,           UUCP:        ...!ukc!umist!R.Gowans
Sackville Street,
Manchester.          FAX:         [044 61 | 061] 200-4016
M60 1QD.

------------------------------

Date: Fri, 02 Dec 89 00:25:13 +0000
From: munnari!mlacus.oz.au!ash@uunet.uu.net
Subject: Virus Simulator Found! (PC)

As luck would have it, just hours after I posted my request for a harmless virus simulation suite, someone gave me a suite of programs written by Joe Hirst in MS-DOS format archived as VIRSIMUL.ARC. The files have a date of 8 Sep 89, so I may not have the latest set.

The suite contains the more common viruses (simulated) that have visual effects.

=============================================================================
Ash Nallawalla     Tel: +61 3 823-1959   Fax: +61 3 820-1434
ZL4LM/VK3CIT       Postal: P.O. Box 539, Werribee VIC 3030, Australia.

------------------------------

Date: 01 Dec 89 16:16:37 +0000
From: armhold@topaz.rutgers.edu (George Armhold)
Subject: Virus attack [AMIGA]

The other day someone brought the Byte Bandit virus into our lab. A user came in to print from the Amiga using Scribble!. He booted from his Workbench and proceeded to have several problems printing to the Apple Imagewriter II. After he left I re-booted with my Workbench which runs VirusX3.20 as part of its startup-sequence.
To my surprise VirusX reported that the Byte Bandit virus was in memory, and had infected the disk in df2:! Removing the virus with VirusX was simple enough.

My question is, could this virus (Byte Bandit) have been responsible for the problems we had printing? We had the right printer driver, and the preferences settings all seemed OK but it just would not print properly. It changed type style randomly, stopped printing half way through a job, and wouldn't abide to margin settings. I've never had this type of problem before with Scribble!, which leads me to believe that the virus might have had something to do with it. I know that virii on the Mac tend to affect printing. Has anyone else experienced this situation?

-George

------------------------------

End of VIRUS-L Digest
*********************