=========================================================================
Date:         Fri, 29 Jul 88 00:41:46 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

Joe:

Regarding different viruses. When I said the VULT virus, I was
referring to the Scores virus but couldn't think of the name at
the time. I also am not sure if the NASA virus was Scores or not.
A phone call to them got me a nasty message that NASA didn't have
a virus just a little hardware problem that got out of hand.
(Isn't that what the space shuttle was?)

The Christma Virus, as well as the nude women viruses I've seen on
the Mac are just programs which print a picture, look for a hard
disk and copy themselves to it. I believe the ones with the nude
women pictures were actually just programs someone wrote and
someone else added the copy part. The problem with these viruses
is that you can't really stop a program from copying itself from
disk to disk. I hadn't seen one which destroyed the FAT table,
just ones that copy themselves. I hesitate to even call them
viruses because they really don't do anything other than
propagate, but that IS the definition of the virus.

The Phantom attaches itself to executables. All the phantom does
is print a little message about the Phantom being some force of
good and how no evil will escape it and then it deletes its own
code. I think it's probably like the Aldus virus, but I'm not a
Mac person.

If you have a copy of a nude woman program that kills your hard
disk, I wonder if it is the same nude woman program? I wonder why
the writer did not put them together?

You refer to bacterium quite often. Do you mean Trojans?
Unfortunately, when I refer to worm, it's a special case of
a computer virus.

Loren Keim
=========================================================================
Date:         Fri, 29 Jul 88 02:51:52 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Amanda B Rosen
Subject:      Re: Mac viruses

Loren Keim writes:
> For the Mac, I've seen a version
>of the CHRISTMA virus (yes, simple damn thing copies itself
>around your little Mac, it's not written in Rex of course),
>the Phantom, the NASA virus, the Aldus virus, and the VULT
>virus. [and also a "playboy" type virus]

By the VULT virus, I presume you mean the one more commonly known
as "SCORES." But this is the first I've heard mention of the
"Phantom" virus. I heard rumors of a NASA virus and a "Playboy"
virus, but nothing substantial. Could you please describe these,
_in detail_?

I believe the Aldus virus you mention is the MacMag "Peace" virus.

Is there a different CHRISTMA-type virus out there? What does it
do?

We have heard of one other virus- the "sneak." We have no
information about it. Do you know if it really exists?

/a
=========================================================================
Date:         Thu, 28 Jul 88 22:15:00 -0500
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
Comments:     converted from NETDATA format at UOFMCC
From:         Steve Morrison
Subject:      request for opinions on future...
In-Reply-To:  <270*b1morri@ccu.UManitoba.CA>

The scenario could be a mad-hacker, plugging away at a keyboard in
the back of a dimly lit office, creating a virus like no virus
ever seen before.

Viruses are going to be like methods of cheating at cards or on
your spouse. The analogy would be having mice evolve into a bigger
species to defeat mouse traps - unless the traps are built bigger,
the mice will win.

Thoughts from someone who was out in the sun today....

Devo_Stevo   aka   Stephen D. Morrison
                   B1Morri@CCU.UManitoba.CA
=========================================================================
Date:         Fri, 29 Jul 88 06:21:03 mdt
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
Comments:     Warning -- original Sender: tag was
From:         Bill Kinnersley
Subject:      Bacteria

[In "", Loren K Keim -- Lehigh University said:]
>
> The Christma Virus, as well as the nude women viruses I've...
>
> themselves. I hesitate to even call them viruses because
> they really don't do anything other than propagate, but that
> IS the definition of the virus.
>
> You refer to bacterium quite often. Do you mean Trojans?
> Unfortunately, when I refer to worm, it's a special case of
> a computer virus.
>

Both viruses and bacteria are self-propagating. The distinction is
that a virus usually does so in a restricted fashion, to avoid
detection while it does its dirty work. A bacterium's goal in life
is to propagate rapidly without bound and thereby usurp the
resources of the host system.

The CHRISTMA Virus, I believe, was really a bacterium.
=========================================================================
Date:         Fri, 29 Jul 88 09:38:36 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      (revised) Monthly greeting from Ken

[ Last modified 29-July-88 - Ken van Wyk ]

Welcome! This is the monthly introduction posting for VIRUS-L,
primarily for the benefit of any newcomers. Apologies to all
subscribers who've already read this in the past (you'll only have
to see it once a month and you can, if you're quick, press the
purge key...:-).

What is VIRUS-L?

It is an electronic mail discussion forum for sharing information
about computer viruses. Discussions should include (but not
necessarily be limited to): current events (virus sightings),
virus prevention (practical and theoretical), and virus
questions/answers. The list is non-moderated and non-digested.
That means that any message coming in goes out immediately.
Weekly logs of submissions are kept for those people who prefer
digest format lists (see below for details on how to get them).

What isn't VIRUS-L?

A place to spread hype about computer viruses; we already have the
Press for that. :-) A place to sell things, to panhandle, or to
flame other subscribers. If anyone *REALLY* feels the need to
flame someone else for something that they may have said, then the
flame should be sent directly to that person and/or to the list
moderator (that'd be me, ).

How do I get on the mailing list?

Well, if you're reading this, chances are *real good* that you're
already on the list. However, perhaps this document was given to
you by a friend or colleague... So, to get onto the VIRUS-L
mailing list, send a mail message to . In the body of the message,
say nothing more than SUB VIRUS-L your name. LISTSERV is a program
which automates mailing lists such as VIRUS-L. As long as you're
either on BITNET, or any network accessible to BITNET via gateway,
this should work. Within a short time, you will be placed on the
mailing list, and you will get confirmation via e-mail.

How do I get OFF of the list?

If, in the unlikely event, you should happen to want to be removed
from the VIRUS-L discussion list, just send mail to saying SIGNOFF
VIRUS-L. People, such as students, whose accounts are going to be
closed (like over the summer...) - PLEASE signoff of the list
before you leave. Also, be sure to send your signoff request to
the LISTSERV and not to the list itself. Note that the appropriate
node name is LEHIIBM1, not LEHIGH; we have a node called LEHIGH,
but they are *NOT* one and the same.

How do I send a message to the list?

Just send electronic mail to and it will automatically be
redistributed to everyone on the mailing list. By default, you
will NOT receive a copy of your own letters. If you wish to, send
mail to saying SET VIRUS-L REPRO

I can't submit anything to the list - what's wrong?

There have been a few cases where people found that they were
unable to send anything in to VIRUS-L even though they were
registered subscribers (only subscribers can participate). Let me
try to explain. The LISTSERV program differentiates lowercase from
UPPERCASE. So, if you've subscribed to the list as (for example)
OPUS@BLOOM.COUNTY.EDU and your mail is actually coming through as
Opus@Bloom.County.EDU, then the LISTSERV will think that you're
not subscribed to the list. BITNET usernames and node names are
automatically uppercased by the LISTSERV, but other network
addresses are not. If your site (or you) should happen to make a
change to, say, the system mailer such that it changes the case of
your mail, there will be problems. If you're having problems
submitting (you'll know this because the LISTSERV will say "Not
authorized to send to VIRUS-L..."), try unsubscribing and
re-subscribing. If that doesn't work, send me mail
(LUKEN@LEHIIBM1.BITNET), and I'll try to fix things up.

What does VIRUS-L have to offer?

All submissions to VIRUS-L are stored in weekly log files which
can be downloaded by any user on (or off) the mailing list;
readers who prefer digest format lists should read only the weekly
logs. There is also a small archive of some of the public
anti-virus programs which are currently available. This archive,
too, can be accessed by any user. All of this is handled
automatically by the LISTSERV here at Lehigh University ().

How do I get files from the LISTSERV?

Well, you'll first want to know what files are available on the
LISTSERV. To do this, send mail to saying INDEX VIRUS-L. Note that
filenames/extensions are separated by a space, and not by a
period. Once you've decided which file(s) you want, send mail to
saying GET filename filetype. For example, GET VIRUS-L LOG8804
would get the file called VIRUS-L LOG8804 (which happens to be the
monthly log of all messages sent to VIRUS-L during April, 1988).
Note that, starting June 6, 1988, the logs are weekly. The new
file format is VIRUS-L LOGyymmx where yy is the year (88, 89,
etc.), mm is the month, and x is the week (A, B, etc.). Readers
who prefer digest format lists should read the weekly logs and
sign off of the list itself. Subsequent submissions to the list
should be sent to me for forwarding.

Also available is a LISTSERV at SCFVM which contains more
anti-virus software. This LISTSERV can be accessed in the same
manner as outlined above, with the exceptions that the address is
and that the commands to use are INDEX PUBLIC and GET filename
filetype PUBLIC.

What is uuencode/uudecode, and why do I need them?

Uuencode and uudecode are two programs which convert binary files
into text (ASCII) files and back again. This is so binary files
can be easily transferred via electronic mail. Many of the files
on this LISTSERV are binary files which are stored in uuencoded
format (the file types will be UUE). Both uuencode and uudecode
are available from the LISTSERV. Uudecode is available in BASIC
and in Turbo Pascal here. Uuencode is available in Turbo Pascal.
Also, there is a very good binary-only uuencode/uudecode package
on the LISTSERV which is stored in uuencoded format.

Why have posting guidelines?

To keep the discussions on-track with what the list is intended to
be; a vehicle for virus discussions. This will keep the network
traffic to a minimum and, hopefully, the quality of the content of
the mail to a maximum. No one wants to read personal flames ad
nauseam, or discussions about the pros and cons of digest-format
mailing lists, etc.

What are the guidelines?

As already stated, there will be no flames on the list. Anyone
sending flames to the entire list must do so knowing that he/she
will be removed from the list immediately.

Same goes for any commercial plugs or panhandling.

Submissions should be directly or indirectly related to the
subject of computer viruses.

Responses to queries should be sent to the author of the query,
not to the entire list. The author should then send a summary of
his/her responses to the list at a later date.

"Automatic answering machine" programs (the ones which reply to
e-mail for you when you're gone) should be set to *NOT* reply to
VIRUS-L. Such responses sent to the entire list are very rude and
will be treated as such.

When sending in a submission, try to see whether or not someone
else may have just said the same thing. This is particularly
important when responding to someone else's posting (which should
be sent to that person *anyway*). It's very easy to get multiple
messages saying the exact same thing. No one wants this to happen.

Thank you for your time and for your adherence to these
guidelines. Comments and suggestions, as always, are invited.
Please address them to me, or .

Ken van Wyk

Kenneth R. van Wyk                    From the Devil's Dictionary:
User Services Senior Consultant       Barometer - an ingenious device
Lehigh University Computing Center    designed to inform the user what
Internet:                             the weather is.
BITNET:
=========================================================================
Date:         Fri, 29 Jul 88 10:05:15 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe McMahon
In-Reply-To:  Message of Fri, 29 Jul 88 00:41:46 EDT from

A "bacterium" is a program which, in addition to doing something
innocuous, creates copies of itself and spreads them. If you are
on a network, it will try to spread itself across the net.
Otherwise, it puts itself on all of the disks it can find. It does
not sit around and try to reproduce itself by hooking into the
system; it only reproduces when executed.

The CHRISTMA EXEC is a bacterium.

--- Joe M.
=========================================================================
Date:         Fri, 29 Jul 88 10:54:00 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         GILL@QUCDNAST
Subject:      New FluShot+ ?

I just got a copy of FluShot+ V1.4 in the mail today from Ross
Greenberg. The version date is June 21/88. Is this the new version
that was hinted at on the net about 2 months ago? Has anyone tried
using it yet? Are there copies on the LISTSERV? Do you want a copy
on LISTSERV? I can send it if requested (and told where to send
it).

(I haven't done any testing yet, as my hard disk has decided to
die. The doctors tell me it must be replaced. Has anyone ever
heard of a hard disk life span of 2.5 years???)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Arnold Gill                     | If you don't complain to those who |
Queen's University at Kingston  | implemented the problem, you have  |
gill @ qucdnast.bitnet          | no right to complain at all !      |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=========================================================================
Date:         Fri, 29 Jul 88 19:03:02 +0300
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Y. Radai"
Subject:      Virus lists

Several people have asked for lists of known viruses. Back in May
I was told that Steve Gibson of Infoworld had requested examples
of viruses and had received about 40 of them. I don't receive
Infoworld, but if this information is correct, it seems to me that
Steve should be willing to provide names and/or descriptions of
them if someone were to contact him. (Maybe he's already published
them in Infoworld.)

Y. Radai
Hebrew Univ. of Jerusalem
=========================================================================
Date:         Thu, 28 Jul 88 19:56:13 CST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         James Ford
In-Reply-To:  Message of Thu, 28 Jul 88 15:59:51 EDT from

Here's one Alabama person on the list. How may I help you?

James Ford
=========================================================================
Date:         Fri, 29 Jul 88 11:19:55 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
Comments:     Resent-From: Marilyn Everingham <11600ME@MSU>
Comments:     Originally-From: Marilyn Everingham <11600ME@MSU>
From:         Marilyn Everingham <11600ME@MSU>

Let me introduce myself first... I'm the computing newsletter
editor at Michigan State University and I joined this list to
learn more about virii (which I certainly have). Now I am in the
process of thinking about disseminating some of the information
and have a question.

I ran across some descriptions of virus types in an InfoWorld
editorial and am wondering if they are generally accepted
descriptions or something the writer invented. If anyone (and I'm
sure many will) has opinions/facts/ideas, please let me know.

The virus descriptions are:

GPIV -- General Purpose Infector Virus -- operates by tacking
itself onto the front or back of any existing application program,
generally specific to COM or EXE files.

SPIV -- Special Purpose Infector Virus -- designed to inhabit only
one version of one particular application program which makes it
harder to detect.

VCGPIV -- Very Clever General Purpose Infector Virus -- combines
the features and capabilities of the GPIV with those of the SPIV
and is able to find non-code-bearing regions within the bodies of
other application programs for which it was not specifically
designed and infect those programs; one of the hardest to spot or
control; worst variations of this virus don't begin causing
trouble until sometime after every last candidate host application
program in the system has been infected.

CSIV -- Central System Infecting Virus -- doesn't fool around with
infecting individual application programs but attacks and alters
the core of the operating system; usually carried by a Trojan
horse.

Thanks in advance for help and ideas.

/me
=========================================================================
Date:         Fri, 29 Jul 88 15:34:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "David M. Chess 862-2245"
Subject:      "Virus" or "Bacterium"

We had a big brouhaha around here about what names to use for
what. For practical purposes, it seems useful to distinguish
between programs that just spread themselves at the >file< level
(for instance, a FUN.EXE that copies itself, as FUN.EXE, to all
the disks it can find), and code-fragments that insert themselves
>into< already-existing executable files (as, for instance, the
Jerusalem virus does). The biological analogies would suggest
calling the latter things "viruses", and the former things
"bacteria" (since bacteria reproduce on their own, while viruses
insert themselves into already-existing cells).

In general, bacteria are pretty easy to check for and kill
("inspect your disks for FUN.EXE, and erase it if found, without
executing it"), while viruses are much harder (it doesn't make any
sense to ask for a list of known virus-infected programs, for
instance, since *any* executable file can come to contain a
Jerusalem-type virus).

It can be very hard to draw a firm line between the two, though,
and it's not clear where the "(c) Brain" thing (for instance) fits
into this distinction...

DC
=========================================================================
Date:         Fri, 29 Jul 88 16:39:17 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

I received a number of confusing letters over the night.
Apparently, some of you got my last letter and some didn't. I
received an error that it didn't go out, but yet I received
several replies on it.

To recap quickly, what I said was that the CHRISTMA program for
the Mac was simply an executable file. When it is run, it copies
itself to your hard disk if it can find one, or back to a floppy
if it's run on a hard disk.
It's not a very exciting program.

The Phantom virus was sent to me from Maine, and I believe it is a
re-vamped version of the Aldus virus, although I haven't got a
copy of the Aldus virus. The Phantom simply will come up on your
screen and say some message about justice. I will look back at my
notes when I get home tonight and write out the exact message.

Just to let you know, I seem to have received a threat-type letter
today. It simply said that the PERFECT virus is on its way. It was
a simple piece of laser printed paper left on my car window. I'm
not sure if it was a joke or a threat.

Loren
=========================================================================
Date:         Fri, 29 Jul 88 16:38:49 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "David M. Chess"
Subject:      GPIV, SPIV, etc.

I'm pretty sure those were made up by the Tech Talk feller
especially for that column. I've never seen them anywhere else
and, while they helped organize the column nicely, they don't
really seem generally useful: a one-sentence description ("this
virus infects only FINOGACALC.EXE") will be much more generally
understandable than, say, "this is a SPIV".

DC
=========================================================================
Date:         Fri, 29 Jul 88 16:59:35 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

First, I am having trouble sending mail to JFord and DHunt at
their respective nodes. If either of you have alternate addresses,
please send them to me, otherwise, I'll have to find a way around
the points that are stopping me. Actually, I'm looking for Vin
McL's address here as well, my mail to him doesn't seem to get
through.

Actually, since we are all spending so much time wishing to view
each other's viruses and anti-viral programs, we should actually
try to get this rather large group together at some point.
If anyone would be interested in such a conference, please tell me
(LKK0@LEHIIBM1) and I'll be happy to arrange one.

Loren Keim
=========================================================================
Date:         Fri, 29 Jul 88 17:29:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Woody
Subject:      interesting statistic

The August 1 issue of Business Week states "No one knows how many
viruses have been planted. But John D. McAfee, a virus expert at
InterPath Corp., a security consulting firm in Santa Clara,
Calif., says there have already been 250,000 outbreaks. He
estimates that 40 of the nation's largest industrial companies
have been infected..."
=========================================================================
Date:         Sat, 30 Jul 88 00:51:49 CST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         James Ford
Subject:      "Bug" in mailer?

Well folks, I'm not sure who to send this to, but since it was to
Loren (LKK0 at LEHIIBM1) this list seems to be as good as any.
Now, I have absolutely NO knowledge about REXX, but when it says
"recipient OK", it should get there(?).

I hate to sound like I'm turning this into MAILER-L or REXX-L,
but............ :-)

James Ford
JFORD1 (notice the "1") @UA1VM

P.S. The "purge" key should come in handy to some folks.......

------------------- message follows ------------------------------------
>========================================================================
>Received: from LEHIIBM1.BITNET by UA1VM.BITNET (Mailer X1.25) with BSMTPid
>4492; Fri, 29 Jul 88 16:05:15 CST
>Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer X1.25) with BSMTP id
>1358; Fri, 29 Jul 88 16:48:58 EDT
>Date: Fri, 29 Jul 88 16:48:57 EDT"F
>From: Network Mailer
>To: JFORD1@UA1VM.BITNET
>Subject: mail delivery error
>Batch SMTP transaction log follows:
>220 LEHIIBM1.BITNET Columbia MAILER X1.25 BSMTP service ready.
>050 HELO UA1VM.BITNET
>250 LEHIIBM1.BITNET Hello UA1VM.BITNET
>050 TICK 4418
>250 4418 ... that's the ticket.
>050 MAIL FROM:
>250 ... sender OK.
>050 RCPT TO:
>250 ... recipient OK.
>050 DATA
>354 Start mail input. End with .
>554-Mail not delivered to some or all recipients:
>554 No such local user: LKK0
>050 QUIT
>221 LEHIIBM1.BITNET Columbia MAILER BSMTP service done.
>Original message follows:
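
Added illustration, not part of any list message: the point in David M. Chess's "Virus" or "Bacterium" posting earlier in this log, that a file-level "bacterium" can be found by name while a change inside an already-existing executable cannot, shown as a name sweep next to a content-hash baseline. Only the FUN.EXE name comes from that posting; the directory layout, the placeholder file contents and the use of a SHA-256 baseline are assumptions of this example.

```python
"""Name sweep vs. content baseline on a constructed directory tree."""
import hashlib
import tempfile
from pathlib import Path

# FUN.EXE is the name used in the posting; everything else in this file
# (layout, placeholder contents, SHA-256 baseline) is assumed for the demo.
KNOWN_BAD_NAMES = {"FUN.EXE"}
EXECUTABLE_EXTS = {".EXE", ".COM"}


def name_sweep(root, bad_names=KNOWN_BAD_NAMES):
    """Return files whose name matches a known self-copying program."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name.upper() in bad_names
    )


def take_baseline(root):
    """Map each executable's relative path to the SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.upper() in EXECUTABLE_EXTS
    }


def compare_to_baseline(root, baseline):
    """Report executables that changed, appeared or vanished since baseline."""
    current = take_baseline(root)
    return {
        "modified": sorted(r for r in current
                           if r in baseline and current[r] != baseline[r]),
        "new": sorted(r for r in current if r not in baseline),
        "missing": sorted(r for r in baseline if r not in current),
    }


def demo():
    """Build a constructed tree, apply both kinds of change, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "A").mkdir()
        (root / "B").mkdir()
        # Constructed placeholder files standing in for real programs.
        (root / "A" / "EDIT.EXE").write_bytes(b"placeholder editor image")
        (root / "B" / "CALC.COM").write_bytes(b"placeholder calculator image")
        baseline = take_baseline(root)

        # File-level case: a new file with a known name shows up on a disk.
        (root / "B" / "FUN.EXE").write_bytes(b"placeholder copy")
        # In-file case: an existing executable grows, its name stays the same.
        with open(root / "A" / "EDIT.EXE", "ab") as fh:
            fh.write(b" plus bytes that were not there before")

        return name_sweep(root), compare_to_baseline(root, baseline)


if __name__ == "__main__":
    by_name, by_content = demo()
    print("name sweep:", by_name)
    print("baseline diff:", by_content)
```

The name sweep reports only the new FUN.EXE; the altered EDIT.EXE appears only in the baseline comparison, which needs a record taken before the change.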