VIRUS-L Digest Friday, 31 Mar 1989 Volume 2 : Issue 79 Today's Topics: RE: The Star Trek virus. Re: Arcmaster bug (PC) Disinfectant 1.0 Bugs (Mac) Hypercard based viruses... (Mac) How can I get into VIRUS-L archives administrative message (please read) --------------------------------------------------------------------------- Date: Fri, 31 Mar 89 09:13 EST From: Morton Downey Jr. for President. Subject: RE: The Star Trek virus. There's been some mention of the Star Trek: The Next Generation episode "Contagion". The episode seemed to me to be an attempt to educate people about viruses. What the episode said to me was, that while viruses can be potentially dangerous (i.e. it destroyed the Yamato), the solution to them is fairly simple (a shut down of the Enterprise computer, clean out effected memory, then a restart). This seems to be a much better way to discuss the problem than the sensationalism that goes on when viruses are discovered. Tom Kummer ------------------------------ Date: Fri, 31 Mar 89 09:35:24 EST From: "Peter G. Rose" Subject: Re: Arcmaster bug (PC) >>The supposed bugs in ARCMASTER 4xx do not exist. ... >>the directory that you specify for it to use to unarc and arc files to >>MUST be a special blank directory ... >>[If you] specify your root directory ... it would automatically erase >>all files in that directory. Ok, its not a bug, its a design error. It's STILL wrong. If the damn thing is going to require its own special blank directory, why doesn't it create its own? P.Rose [Ed. If the problem was actually due to a design error, as appears to be the case, then it is a problem unrelated to viruses that should be taken up with the author of Arcmaster.] ------------------------------ Date: Fri, 31 Mar 89 10:46:24 EST From: jln@acns.nwu.edu Subject: Disinfectant 1.0 Bugs (Mac) Disinfectant 1.0 has been released for about a week and a half now, and for the most part it seems to be working well. There have been a few bug reports, however, and I want to let you know that I'm working on a 1.1 release to fix them. It will be at least a few weeks before I release it. I want to wait a bit until I'm certain that we've discovered all the problems in 1.0. Until then, watch out for the following problems. Some kinds of "damaged" files could cause version 1.0 to hang, bomb, or put up its "out of memory" alert. Version 1.1 will do a better job of checking for damaged files. If you get a bomb, hang, or out of memory alert while scanning with 1.0, try removing the file that was being scanned from your disk and then scan the disk again. Scanning an active server disk in 1.0 is problematic. If other users create or delete files or folders while the scan is in progress, it can sometimes cause other files or folders to be skipped or scanned twice. This is a problem shared by almost all programs which scan disks. We've designed and implemented an improved disk scanning algorithm for 1.1 to avoid this problem. Note that in any case we continue to recommend that you take servers out of production to scan them. This is the only way to avoid file busy errors and insufficient privileges errors. Version 1.0 evidently doesn't work at all over a TOPS network. We'll try to find out why and fix it if possible. For now you should not attempt to scan non-local disks over TOPS. Disinfectant works on unenhanced 512K Macs with System 3.2 or later, but it requires the "Hard Disk 20" file. We overlooked this in our testing of version 1.0. Version 1.1 will check to make sure this file is present, and issue an alert if it is missing. Version 1.0 doesn't properly display its icon in the Finder, because we forgot to set the "bundle bit" when we shipped the program. This stupid mistake will be fixed in 1.1. If you run 1.0 on a GateKeeper-protected system to try to repair infected files, and if you forgot to add Disinfectant to GateKeeper's list of privileged applications, you will get "unexpected" error messages. In 1.1 we will try to special-case these errors and issue a better message that mentions GateKeeper explicitly. We received reports that in some cases Disinfectant claims that a file is infected, even when other virus tools report that the file is uninfected (e.g., Virus Rx 1.4a1 and Virus Detective). This is possible, since Disinfectant uses stronger checks than most of the other tools. The files sent to us were indeed partially infected, but not contagious. We'll document this possibility in version 1.1. The version 1.1 document will correct a few minor typos and errors, and we'll add a "Version History" section. Thanks to everybody who's written about Disinfectant - I enjoy and appreciate your notes. Special thanks to those people who have reported bugs. John Norstad Academic Computing and Network Services Northwestern University Bitnet: jln@nuacc Internet: jln@acns.nwu.edu AppleLink: a0173 CompuServe: 76666,573 ------------------------------ Date: Fri, 31 Mar 89 11:17:38 EST From: dmg@mwunix.mitre.org Subject: Hypercard based viruses... (Mac) Original-To: david@cs.hw.ac.uk In your message entitled "Anti viral software and known viruses", you referenced two Hypercard viruses, "Dukakis" and "Hyperavenger". If I am not mistaken, there is one Hypercard virus, known as "Dukakis", written by the self-proclaimed "Hyperavenger" David Gursky, W143 Member of the Technical Staff Special Projects Department The MITRE Corporation ------------------------------ Date: Fri, 31 Mar 89 14:54 CST From: Chris Garrigues <7thSon@SLCS.SLB.COM> Subject: How can I get into VIRUS-L archives I just discovered that one of our Macs got infected by the "SCORES" virus. Since I'm not generally interested in viruses, I don't subscribe to the list, but in this case, I'd like to look at your archives to search for messages on this subject. How can I do this? (Or could someone just forward me anything I need to know?) Chris Garrigues, Systems manager, Schlumberger Laboratory for Computer Science [Ed. This comes up periodically, so I thought I'd include it here. VIRUS-L archives are available via anonymous FTP from IBM1.CC.LEHIGH.EDU (in weekly format) and from lll-winken.llnl.gov (in per-digest format). BITNET readers can get to the archives by sending mail (or interactive message) to LISTSERV at LEHIIBM1 (*NOT* VIRUS-L at LEHIIBM1). The message should read: GET VIRUS-L LOGyymmx where "yy" is the year (88, 89...), mm is the month (01...), and x is a letter corresponding to the week of the month (A, B,...). So, the archive file for the second week of March, 1989 is VIRUS-L LOG8903B.] ------------------------------ Date: Fri, 31 Mar 89 16:39:04 EST From: luken@ubu.cc.lehigh.edu (Kenneth R. van Wyk) Subject: administrative message Greetings all, VIRUS-L is now up to just about 1200 direct subscribers. Among other things, this means that the amount of bounced mail (due to computers or networks being down, disk quotas exceeded, etc.) gets to be pretty major here. The most common cause of this is when an account gets removed from a machine, I get a message back saying "user unknown" for every digest that goes out. It's not uncommon for me to get 30 such messages in a day. (Violins start playing...*:) Sometimes, bounced messages snowball. For example, some mail relays try to connect for 3 days, and then send back a bounced message once every 3 days for 12 days. Needless to say, the information flow can be high. What to do... If the message is obviously due to a permanent thing, such as a user being removed from a system, then I remove the address from the list. If the message could be due to an intermittent problem, such as a network link being down, then I give that address a day or two to clean up its act. Having failed that, I remove the user from the list. The moral to this long sob story is this: if you've not received any digests in quite a while (a week or so), and/or if you know that your e-mail system was down for a period of time, you may well have gotten removed from the list, not because I'm out to get you, but because I have to try to keep bounced mail (read: time) to a minimum. If this happens, please understand, and re-subscribe (if you wish to rejoin the list, that is...). (I'll add this to the "welcome" message for new subscribers.) Ken ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253