VIRUS-L Digest   Thursday, 15 Mar 1990    Volume 3 : Issue 58

Today's Topics:

Origins of Virus
VALERT-L usage
Possible virus alert (PC)
Re: Printer Related Virus? (Mac)
Re: Etymology of the word "virus"
New Trojan Horse ??? (Mac)
re: Viruses using Hamming (PC)
Re: Possible New VIRUS Or Just H/W Problem ? (Amiga)
Re: Unidentified Virus (PC)
suggestions for anti-virus program wanted (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Tue, 13 Mar 90 13:58:40 +0000
From: DEL2@phoenix.cambridge.ac.uk
Subject: Origins of Virus

My OED and Lewis & Short agree that "virus" is a perfectly good Latin word, meaning "slime", "poison", "venom" &c, and taken over into English with all these meanings at least as early as 16th Century. Perfectly straightforward second declension (like "dominus"), so genitive and plural are "viri".

Regards, Douglas de Lacey.

------------------------------

Date: Tue, 13 Mar 90 11:26:40 -0500
From: Holly Lee Stowe
Subject: VALERT-L usage

>Alan Thew said:
>>Why not create a second list, comp.virus.reports (and something like
>>vrepor-l for bitnet users) so that those who want to monitor/report
>>virus spread can do so, and others can choose not to read it?
>
>[Ed. That's pretty much what VALERT-L is for.
>It is not directly cross-posted to a newsgroup, however, although I do re-post relevant
>VALERT-L mail on VIRUS-L/comp.virus.]

I was always under the impression that VALERT-L was primarily concerned with reports of NEW viruses, not infection tracking. Perhaps I was mistaken, but I think a third tracking-oriented list might well be of value to those who are truly interested in tracking. In that respect people who want/need to know about NEW viruses don't have to be inundated with reports of infections.

-Holly

[Ed. VALERT-L is for reporting virus infections. The distinction between existing and new viruses was never made. However, I'm not fundamentally opposed to creating a list for tracking these things. If anyone wants to do that, I'd be glad to help them out as much as possible.]

Holly Lee Stowe
Bitnet: IHLS400@INDYCMS
IUPUI Computing Services
799 West Michigan Street
Indiana U. - Purdue U. at Indianapolis
Indianapolis, IN 46202

Friends don't let friends use DOS.

------------------------------

Date: Tue, 13 Mar 90 13:54:00 -0500
From: Yahn Zawadzki
Subject: Possible virus alert (PC)

This maybe should have been directed at Virus-Alert, but I am not too sure:

I am running an AT clone with a 20M (8425) Miniscribe drive. I have noticed how the drive power fails (you can hear the drive whine, power light goes off) every 4-6 minutes if the system clock is between 4 and 11 pm (at least that's what I tested 'successfully'). If the clock is changed, nothing happens. Boot sector looks OK, booting from a floppy eliminates the problem.
None of my .exe and .com files have increased in length, no new files were added, the only software I use is either from vendors or Simtel. I have not imported any new packages within last 2-3 months.

I have low-level formatted the drive, and restored all programs from originals (and Simtel). System seems to be OK now. None of my files were deleted, none of the programs seems to have been changed (I run a homemade bit comparison on the last backup and original executables). The only damage done by this 'something' was during save or read operations, where the computer would respond with 'drive read error' (or 'drive not ready').

Has anyone else experienced this sort of a problem? I strongly suspect a virus, since all evidence seems to point to a clock-checking code. On the other hand, I cannot find a trace of the viral code. I still have the backups, but I have not been able to reproduce the error (stores itself on the hard drive only..???).

One more thing: the number of the bad sectors has increased significantly in the past 2 months. Nothing outrageous, but significant. I analysed the bad sectors, but they are just filled with '@'s (all except the ones present when I bought the drive).

I would appreciate any advice, as I expect that a vendor copy of one of my programs may contain the viral code...

Thanks.

Jan Zawadzki
S72UZAW @ TOWSONVX (bitnet)
yahn @ MIDGET.TOWSON.EDU (internet)

------------------------------

Date: Tue, 13 Mar 90 16:20:02 -0500
From: Yary Richard Phillip Hluchan
Subject: Re: Printer Related Virus? (Mac)

Well, there is no "PDEF", but there are printer drivers (files containing code) which could become infected. Also, every Laserwriter printer has a 68000 and at least a meg of memory, someone could conceivably infect that. That's all we need, a PostScript virus...

(Is there a week lag in messages, or has the net been dead since 6 Mar? Perhaps a virus is chewing them all up...)

[Ed.
There was a problem with comp.virus distribution related to my change in email address; it is fixed now.]

------------------------------

Date: Tue, 13 Mar 90 09:06:40 +0000
From: Anthony Appleyard
Subject: Re: Etymology of the word "virus"

Dr. Martin Erdelen on Fri, 09 Mar 90 at 08:54:16 -0500 wrote: "...would somebody please tell me the etymology of the word "virus" and therefrom deduce the correct declination (esp. genitive & plural)... I'd like to get some truly technical information.... Could it be that "virus" is an artificial term in the first place?...".

"virus" is a normal Latin 2nd declension word, meaning 'poison':-

        Nom    Voc    Acc    Gen      Dat&Abl
Sing    virus  vire   virum  viri     viro
Plur    viri   viri   viros  virorum  viris

Some case forms coincide with case forms of the irregular noun "vir" = 'man', except for the length of the stem vowel. This is academic, as the plural of 'virus' as used as English by biologists etc, is 'viruses'. 'Virus' was first used in English in its present meaning as 'filterable virus' to mean a supposed (and later proved to exist) infective agent which couldn't be seen with the microscopes of the time and would get through filters that would stop bacteria.

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 13 Mar 90 08:52:56 GMT

------------------------------

Date: 14 Mar 90 02:34:21 +0000
From: ccmlh@iceman.oz.au (Michael L Hope)
Subject: New Trojan Horse ??? (Mac)

Hi,

Recently I saw a rather disturbing article on what appeared to be a destructive Macintosh trojan horse in Canada. The article appeared in the 19th February issue of the Australian magazine COMPUTING on page eight.

The article refers to two programs 'Mosaic' and 'Fontfinder' that were downloaded from a bulletin board in Canada and contained the trojan horse. The trojan then destroyed the directories of all unlocked hard and floppy disks that were available. This included the disk containing the trojan program. The affected disks were then named "Gotcha!".
In the article most of the data was apparently recovered using a utility program, except for the filenames.

Does anyone know more on this trojan? Is it isolated to Canada? Is this the only destructive trojan/virus program attacking the mac?

Michael Hope
James Cook University
{ccmlh@iceman.jcu.oz}

------------------------------

Date: Wed, 14 Mar 90 15:15:00 +0700
From: SWIMMER@RZ.INFORMATIK.UNI-HAMBURG.DBP.DE
Subject: re: Viruses using Hamming (PC)

It's true, the use of Hamming by viruses isn't very worrying- from our point of view anyway. It is just a bit of trivia. Vesselin told me the behind T.P. using Hamming in his viruses, was to prevent hackers from patching his viruses. Unfortunately it doesn't help much against those that disassemble them. Of course, viruses that do use Hamming have one advantage: they are less likely to be modified, which makes detection a bit easier (less variants).

Cheers, Morton
Virus Test Center, University of Hamburg

------------------------------

Date: 15 Mar 90 02:55:48 +0000
From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath)
Subject: Re: Possible New VIRUS Or Just H/W Problem ? (Amiga)

robi@attila.esa.oz (RoBeRt KaRp) writes:
}SYSTEM:
}   Amiga 2000B, 1084s monitor, 2088 Bridge Board,
}   Seagate Hard Disk.
}
}SYMPTOM:
}   Screen goes the _BACKGROUND_ colour.
}
}DESCRIPTION:
}   This happens at seemingly random times, however, it only
}   occurs when there is some kind of screen activity,
}   e.g. opening or closing a window. It occurs more frequently
}   when the machine has been on for a while. The only way to get
}   the screen back is rebooting.
}
}   NOTE: I have full control of the computer at all times, I
}   just can't see anything.

I don't know if this is even relevant, but I have an IBM PC/AT on my desk that had similar symptoms. We fixed it by sending the monitor out for repairs. Interestingly, the temporary replacement monitor showed similar symptoms. (The original would turn green, the replacement went red).
It took a few tries to get the monitor fixed, but I've had no problems with it for a couple of months now.

--
The Polymath (aka: Jerry Hollombe, M.A., CDP, aka: hollombe@ttidca.tti.com)
Citicorp(+)TTI                                   Illegitimis non
3100 Ocean Park Blvd.   (213) 450-9111, x2483    Carborundum
Santa Monica, CA 90405  {csun | philabs | psivax}!ttidca!hollombe

------------------------------

Date: 15 Mar 90 12:35:29 +0000
From: REEVES-T@osu-20.ircc.ohio-state.edu (teTRis Addict)
Subject: Re: Unidentified Virus (PC)

If everything you said is correct I don't think you have any virus. If you booted from a CLEAN floppy after power had been OFF, no virus can be active in the system. Note there are two conditions to above. I guess if you had some unusual hardware - like battery powered ram, you might have a virus - but you would have failed the second condition.

Of course as you mentioned there is a small amount of battery powered memory - for clock and setup parameters. However any virus code inserted there could only be active if read and executed by a disk based program. It can't "jump out" on its own - DOS will never read and execute that data.

It is very possible you have a hardware failure - possibly in the disk controller, - or even in screen ram, or video circuits - after all what we see on a disk or in ram all depends on the video working correctly!

An unstated assumption is that after you boot from clean floppy you do NOT execute any program on hard drive or floppy of uncertain status.

I suggest you FTP to WSMR-SIMTEL20.ARMY.MIL or other virus archive site and obtain SCANV59. Use it to check your floppies. I also suggest you seek local help from somebody if at all possible.

Reeves-t@osu-20.ircc.ohio-state.edu

------------------------------

Date: Thu, 15 Mar 90 09:20:05 -0500
From: HBLADM1@UCONNVM.BITNET
Subject: suggestions for anti-virus program wanted (PC)

We need advice please.
We have about 70 DOS machines here, some controlled by individuals, some shared by several staff, and some available to the public. We would like to have a virus detection capability-- a program which would be housed in our micro support unit and only used as part of trouble-shooting. Knowing that detection is a) not 100% and b) after-the-fact, we will advise our users that their backups are the bottom line defense against viruses (etc.)

We would like to use SCAN, but the cost for one copy is the same as the cost for 70 in our institutional setting ($1475).

Questions:
1. is the above a reasonable approach
2. what software would VIRUS-L readers suggest

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253