VIRUS-L Digest   Wednesday, 21 Mar 1990    Volume 3 : Issue 61

Today's Topics:

Low level format (PC)
Utilities?
bogus Amiga program: 'VirusX 4.4'
Re: Getting files from "anonymous FTP"
probably not malicious [was Re: possible new trojan on Genie (Mac)]
Re: Stoned disinfection information (PC)
another trojan called "Virus Info" (Mac)
VirusX Trojan (Amiga)
VirusX Trojan (Amiga) More Info!
Vaxservers and Mac viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 19 Mar 90 16:06:06 -0000
From:    LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: Low level format (PC)

Many of the articles I read on recovering from a virus infection
recommend a "low level format" of the hard disk as part of the
process. What is a "low level format" and how does it differ from just
using the DOS FORMAT command?

Thanks in advance for any information.
Rgds,
Iain Noble
- -----------------------------------------------------------------------------
Iain Noble                                   |
LBA002@pa.tp.ac.uk                           | Post: Main Site Library,
JANET: LBA002@uk.ac.tp.pa                    |       Teesside Polytechnic,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL       |       Middlesbrough,
INTERNET: LBA002%pa.tp.ac.uk@cunyvm.cuny.edu |       Cleveland, UK, TS1 3BA
UUCP: LBA002%tp-pa.ac.uk@ukc.uucp            | Phone: +44 642 218121 x 4371
- -----------------------------------------------------------------------------

------------------------------

Date:    19 Mar 90 22:54:52 +0000
From:    william@eniac.seas.upenn.edu (Bill King)
Subject: Utilities?

Can someone tell me where the best place to get the utilities
necessary for de-arcing and unzipping the programs would be? For
example, I now have v59 of scan and clean, but don't have the unzip
program. Can someone help me out here as to an ftp address where I
could get the necessary programs?

Thanks.

Bill

[Ed. The PKZIP and ARC programs are available, among many other
places, on SIMTEL20.ARMY.MIL by anonymous FTP.]

------------------------------

Date:    Tue, 20 Mar 90 00:02:36 -0500
From:    Jim Shaffer Jr <72750.2335%COMPUSERVE.COM@IBM1.CC.Lehigh.Edu>
Subject: bogus Amiga program: 'VirusX 4.4'

A notice has just been posted on CompuServe, by one of the sysops of
the Amiga Technical Forum, that a program purporting to be "VirusX
4.4" is in circulation. This is a bogus program! The current version
of VirusX, as verified by its author, is 4.0. No details of what "4.4"
might do were mentioned.

------------------------------

Date:    20 Mar 90 10:31:50 +0000
From:    Sam Wilson
Subject: Re: Getting files from "anonymous FTP"

In article 1914 of comp.virus
XPUM04@prime-a.central-services.umist.ac.uk (Anthony Appleyard) writes:
>
> Information from "Kenneth R. van Wyk" , with thanks.
> Some Virus-L messages say that the rest of the message can be got (say) "by
> anonymous ftp from the/quick/brown/fox/jumps.over.the.lazy.dog".
> For the information of those not very conversant with FTP, this can be
> done thus:-
>
> Type your computer's command "ftp cert.sei.cmu.edu". "cert.sei.cmu.edu" is
> a USA email address. It should be "edu.cmu.sei.cert@uk.ac.nsfnet-relay" if
> typed in UK (I think).

Nope! There is no direct Internet FTP access for most people in the
UK. We have our own file transfer protocol known as NIFTP (or just FTP
to its friends) or 'Blue Book'. It does not interwork with the
Internet and you can't use odd mail addresses like that given above.
If you need to access Internet FTP from the UK the NSFnet-Relay
provides a service of sorts but I don't know if it's public (yet?).
Mail Postmaster@uk.ac.NSFnet-Relay (...@NSFnet-Relay.ac.uk for folks
outside the UK and some folks inside) for details.

Most anti-viral s/w is available in the UK - see the monthly sites
postings.

Sam Wilson
Network Planning, Edinburgh University Computing Service

------------------------------

Date:    20 Mar 90 14:02:12 +0000
From:    werner@cs.utexas.edu (Werner Uhrig)
Subject: probably not malicious [was Re: possible new trojan on Genie (Mac)]

I wrote:

> a rumour has reached me that a program called "Totally Safe Sex"
> on Genie may be a new trojan.

first disassembly and review makes it look like a harmless prank, but
I'd still recommend that you do not run the program at this time
unless you are absolutely certain you know how to prevent any
potential dangers to your files ...

apologies if you feel that this was an unnecessary alarm, but it
seemed the lesser evil to pass on a false warning to waiting for 5
days to confirm it.

Cheers (or grumble?!?), ---Werner

------------------------------

Date:    Tue, 20 Mar 90 22:51:07 +0000
From:    gm@cunixb.cc.columbia.edu (Gary Mathews)
Subject: Re: Stoned disinfection information (PC)

DEVMTG12@SAKFU00.BITNET (MUSTAFA T. ALGHAZAL) writes:
>To all virus experts,
> One of our systems here at SAKFU00 was infected by the STONED virus.
> I remember that I read a note about how to remove this virus from a
> hard disk, but the writer was referring to some issues of COMPUTER
> & SECURITY which we were not able to get.
> If any of you knows step by step instructions to remove that virus,He
> (or she) will be thankful to send it to me directly or to the list.
>
> Mustafa ALGhazal ( DEVMTG12@SAKFU00.BITNET)
> Academic Services Manager
> King Faisal Univ.
> Saudi Arabia

You could remove the stoned virus with McAfee's clean program or more
simply, by booting off a clean dos disk and use the sys command to
transfer a new copy of the MS-DOS system onto the hard disk.

1) boot system on a clean disk
2) sys c:
3) "Stoned" virus is gone !

That's all.

- ------------------------------------------------------------------------------
Gary Jason Mathews      | gm@cunixd.cc.columbia.edu
Columbia University     | Death is life's way of telling you you've been fired.
- ------------------------+ CPU time flies when you have a lot of bugs

------------------------------

Date:    21 Mar 90 02:58:02 +0000
From:    milano!werner@cs.utexas.edu (Werner Uhrig)
Subject: another trojan called "Virus Info" (Mac)

shortly after the first 2 trojans showed up on "that Canadian BBS" a
third (but technically different) one showed up - and I do not believe
anyone reported it publicly yet (and I had hopes to snarf the "evil
ones" with it. alas ....)

This trojan claims to also be from the "DeathTrack" group as were the
first two. it will *IMMEDIATELY* destroy your disk(s) - and I assume
if anyone had run into it, we would have heard about it by now ...:-()

well, if anyone sees it show up ANYWHERE (or any other program which
you suspect after running it and finding your hard disk unusable
immediately afterwards, for that matter) please let me know.

(you do keep copies of all new software you download on more than one
place, don't you?!! else, if you execute it and it destroys the disk
it was on .... right. you can't send me a copy for analysis!)
Cheers (what for?! right!), ---Werner

- --------------------------> please send REPLIES to <------------------------
INTERNET: werner@cs.utexas.edu
      or: werner@rascal.ics.utexas.edu (Internet # 128.83.144.1)
UUCP:     ...!cs.utexas.edu!werner

------------------------------

Date:    21 Mar 90 04:42:17 +0000
From:    consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler)
Subject: VirusX Trojan (Amiga)

A friend of mine here at SUNY-Binghamton just informed me of a message
that was posted to CompuServe recently. I've no idea as to how valid
it is, but it's better to be safe than sorry, even VIA 3rd-hand news.

It seems that somebody has released something called "VirusX 4.4" into
the public domain. THIS IS A BOGUS PROGRAM, and may be a trojan.
According to Steve Tibbett (sp?), the author of VirusX, the most
recent version of the disinfectant is 4.0.

Just thought you might like to know.

+------///-+------------------| BRETT KESSLER |------------------+-\\\------+
|     ///  | consp11@bingvaxu.cc.binghamton.edu                  |  \\\     |
| \\\///   | consp11@bingvaxa.BITNET                             |   \\\/// |
|  \XX/    | (PeopleLink) B.KESSLER                              |    \XX/  |
+----------+-----------------------------------------------------+----------+

------------------------------

Date:    21 Mar 90 07:17:17 +0000
From:    consp11@bingvaxu.cc.binghamton.edu (Brett L. Kessler)
Subject: VirusX Trojan (Amiga) More Info!

With regards to my earlier posting about the bogus version of VirusX
(version 4.4), here is the original text. It originally appeared in
comp.sys.amiga and comp.sys.amiga.tech. I thought that my posting was
a little sketchy, so here's a (slightly) better one.

- -----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----

There is a file going around now that supposedly has a new version of
VIRUSX. The archive says the file has version VIRUSX 4.4 and that it
was released on March 10th.

I've done some analysis on the files in the archive, and the archive
appears to have the same executables as VirusX 4.0.
The doc files and the C code in the archive talk about two viruses
that are supposedly "harmless". It appears the messages were put there
to lull people into a false sense of security.

I've contacted Steve Tibbett, and he has confirmed that this archive
was NOT released by him. He's working on a new version of VIRUSX, but
this is NOT IT.

WATCH OUT FOR THIS BAD ARCHIVE, AND LET PEOPLE KNOW ABOUT IT!

Official VIRUSX releases are posted to ALL the national networks by
Steve Tibbett, or by an official agent.

- ------------------
SR Pietrowicz
UUCP: ...!uunet!modcomp!srp
CIS: 73047,2313
73047.2313@compuserve.com

- -----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----8X-----

No more "hard info," but at least it's a confirmation that the darned
thing exists, and that it is probably trouble.

+------///-+------------------| BRETT KESSLER |------------------+-\\\------+
|     ///  | consp11@bingvaxu.cc.binghamton.edu                  |  \\\     |
| \\\///   | consp11@bingvaxa.BITNET                             |   \\\/// |
|  \XX/    | (PeopleLink) B.KESSLER                              |    \XX/  |
+----------+-----------------------------------------------------+----------+

------------------------------

Date:    Tue, 20 Mar 90 14:22:00 -0600
From:    POST@ADMIN.ripon.edu
Subject: Vaxservers and Mac viruses

Hi all!

I think I already know the answer to this one, but could anyone
comment on Mac viruses infecting VAXen file servers. It would seem to
me that this is impossible, but we'd like a more practical view.

Thanks.

Mike Post
Ripon College
POST@ADMIN.RIPON.EDU

------------------------------

End of VIRUS-L Digest
*********************