VIRUS-L Digest Tuesday, 7 Feb 1989 Volume 2 : Issue 38 Today's Topics: Re: How-to-Infect Book Re: new Anarchist's Cookbook VirusDetective's configurability (Mac) --------------------------------------------------------------------------- Date: Mon, 06 Feb 89 16:19:58 CST From: Rob Caton Subject: Re: How-to-Infect Book > In Bill Machrone's column in the latest PC Magazine (Feb. 28, >1989) he mentions that he has seen a book which shows interested >parties not how to protect oneself against viruses and the like, but >how to WRITE the suckers. The author has thoughtfully provided ...(Stuff deleted)... >Great. An "Anarchist's Cookbook" for computers. I think the concept >is pretty reprehensible. I wouldn't be surprised if it does exist. I have seen a book called "The Computer Underground" which gives tips and techniques for breaking into computer systems, phreaking, blue boxing, etc. I'm just surprised that a book on writing viruses hasn't been released earlier. >Art Weisenseel >PR0032@BINGVMB.BITNET Robert Caton C70301RC@WUVMD Washington University ------------------------------ Date: Mon, 06 Feb 89 19:25:04 EST From: "Jeffery K. Bacon" Subject: Re: new Anarchist's Cookbook I personally found the Anarchist's Cookbook to be an awfully enlightening and useful book, if only because it taught me things I didn't know and might need someday. (Yeah, I read it. Couldn't find a copy to buy for myself tho.) It also taught me what I might want to look out for. I don't think the parallel is quite accurate. I can think of cases where I could use what I learned from the Cookbook. Why would anyone ever NEED to write a virus/worm/trojan? In any case, I'm afraid something like this was bound to happen eventually anyway. It's a free-information society, and virus-writing tricks are as much information as anything else. Besides, it might sell. I for one would be most interested in seeing such a book, esp since it would help me to understand what these people are doing in the first place. (The smallest computer I know anything useful about is an IBM PC-RT; my normal working habitat is 370 VM/CMS and SunOS. My knowledge of PCs extends to writing very simple batch files, and all I know about a Mac is 'point-and-click-and-pray', so I tend to get left in the dust sometimes.) Just as a matter of debate, do (the collectve you) think that such a book would be that harmful? If someone was really intent on writing a virus, it seems that they would find out what they need to know anyway, somehow. Sure, there would be a few who would 'dabble-and-poke' at it because of the book, but they probably wouldn't be able to do anything much. ??? (Point-of-debate only; I tend to think some other things.) -JB ------------------------------ Date: Tue, 7 Feb 89 13:12 GMT From: Danny Schwendener Subject: VirusDetective's configurability (Mac) Today a user came by and told me he found the "INIT 10" virus. When I asked what virus he was talking about, he replied "I don't know. But someone on [network name deleted] recommended to add INIT 6,10 17 and 32 to the Search list in VirusDetective". As I expected, the user had found a legal INIT 10 resource in a CDEV (Vaccine), and thought it was a virus. Those of you who follow the virus discussions will probably know that the Scores virus creates *among other resources* three INIT resources of ID 6, 10 and 17, and that the nVIR virus writes 6 nVIR resources as well as one INIT 32 resource into the System. But finding a single INIT 10 without any other symptoms does not necessarily mean that you're infected, even if that INIT is in the System file. To detect Scores, Virus Detective's Author Jeffrey Shulman has included the search string "CODE Jstart 7026 - for finding Scores in applications". If you want to search for Scores in the System file, too, include the search string "DATA Dual -4001 7026 - for finding Scores in System". But don't look for a plain INIT 6 or 10 or 17, as there are plenty of them in the sane world. Don't abuse the configurability of Programs such as VirusDetective. Adding strings like "INIT ID 6" or "INIT ID 32" will not increase the program's success rate. Au contraire. All it will change is that you'll have VirusDetective ringing bells and whistling like crazy on many uninfected CDEVs and INITs. Following are the Search strings that are included in VirusDetective 2.0 (plus one that finds Scores in the System). They are sufficient to detect the nVIR, Hpat, Scores and INIT29 viruses on your disks. nVIR any - For finding nVIR in all files Hpat any - For finding nVIR in all files INIT Dual 29 712 - For finding INIT29 in non-application files CODE Jstart 712 - For finding INIT29 in applications CODE Jstart 7026 - For finding Scores in applications DATA Dual -4001 7026 - For finding Scores in System,Desktop,Scores files (*) (*) Note that if VD rings on this, the two System files "Note Pad File" and "Scrapbook File" will be infected, too, and should be removed. - -- Danny Schwendener ETH Macintosh Support, ETH-Zentrum, CH-8092 Zuerich, Switzerland Bitnet: macman@czheth5a UUCP: cernvax!ethz!macman InterNet: macman@ifi.ethz.ch Voice: yodel three times ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253