Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA13925; Fri, 1 Jun 90 11:41:28 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA20661; Fri, 1 Jun 90 11:41:26 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA01870; Fri, 1 Jun 90 11:41:10 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa24398; 1 Jun 90 16:19 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Fri, 01 Jun 90 16:10:00 BST 
Message-Id:   <$TGTWCZCFFBTX at UMPA>
Subject:      Virus-L vol 0 issue #0531



Virus-L Digest Tue, 31 May 88, Volume 0 : Issue #0531

Today's Topics

write protect tab on floppies
First of two forwarded submissions
Second forwarded submission
Did I say two?  I meant three forwarded submissions...  :-)
Playboy virus - BEWARE! (thomas@uvabick (Thomas Fruin))

------------------------------

Date:         Tue, 31 May 88 07:39:31 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Kenneth Ng <ken@orion.cccc.njit.edu>
Subject:      write protect tab on floppies


>From:         MALCOLM@JVAX.CLP.AC.UK
>
>IBM-PC floppy write-protect logic is hardware.  If a disk is write-protected,
>it's *safe*.
>
Well, not always.  I recall talk/flames several months back about a certain
type of floppy disk drive (which one escapes me).  Evidently
the write protect hardware worked by sensing the reflection from
the write protect tab to determine that the floppy was write
protected.  Evidently the designer never heard of black write
protect tabs or of floppy disks that are manufactured without
write protect slots.  Remember to always check *EVERYTHING*
the manufacturer claims before you need to.

--------------------

Date:         Tue, 31 May 88 10:52:07 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      First of two forwarded submissions


The following is taken from a newspaper people's magazine, and
describes some effects found in viruses that are different from any I
had seen up till this time.

Quoted without permission from Editor and Publisher, May 21, 1988

           _Computer_Virus_Hits_First_U._S._Newspaper_
                       by Mark Fitzgerald

     A computer virus has finally infected a newspaper computer
system.  The Providence Journal-Bulletin discovered the virus
late on Friday May 13 when reporter Froma Joselow's personal
computer disc was destroyed, the newspaper's systems engineer,
Peter Scheidler, stated.

     "Her file allocation table was overwritten in a rather
unusual way - it was all zeros," Scheidler said in a telephone
interview.  "Then this message appeared."

     The message included the name of a Lahore, Pakistan company,
"Brain Computer Services," a 1986 copyright, the names of the two
brothers who own the store - Basit and Amjad - plus the address
of the store and its telephone number.

     In the middle was this chilling message: "Welcome to the
Dungeon ... Beware of this VIRUS.  Contact us for a vaccination."

[The article goes on to say that about 100 disks were infected,
that the virus was contained totally in the boot block and that
overwriting of the boot block cleared the disks.  Other
information in the story is no news to us.

     The only new thing to me is that my understanding of this
"Brain" virus is that it was harmless, apparently not so with
this implementation.

Len Levine
len@evax.milw.wisc.edu     ]

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      =    This page intentionally    =
= Lehigh University Computing Center   =          left blank.          =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =                               =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
- ----------------------------------------------------------------------
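
The symptom Scheidler describes, a FAT "overwritten ... all zeros" while the
infection itself lived only in the boot block, is something a 1988 PC user could
only see by dumping sectors with DEBUG. The following Python script is an added
example, not part of the digest or of any program mentioned in it: it builds a
constructed FAT12 floppy image (the 360 KB geometry, BPB values and FAT contents
are assumptions for the demonstration, not taken from a real disk), parses the
BIOS Parameter Block from the boot sector, locates each FAT copy, and reports a
FAT that is entirely zero, a FAT header that disagrees with the media descriptor,
or FAT copies that disagree with each other (the case where the second copy may
still be usable for recovery).

```python
import struct

# Constructed sample geometry for a 360 KB, 5.25" FAT12 floppy (2 sides, 9 sectors/track).
# These are assumed values for the demonstration, not taken from any real disk image.
BYTES_PER_SECTOR = 512
RESERVED_SECTORS = 1        # the boot sector itself
NUM_FATS = 2
SECTORS_PER_FAT = 2
MEDIA_DESCRIPTOR = 0xFD     # BPB media byte used for a 360 KB diskette

# DOS 3.x BIOS Parameter Block, starting at byte 11 of the boot sector.
BPB_FORMAT = "<HBHBHHBHHHH"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors", "media",
              "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors")


def build_boot_sector(media=MEDIA_DESCRIPTOR):
    """Constructed boot sector: jump stub, OEM name, BPB and the 0x55AA signature."""
    boot = bytearray(BYTES_PER_SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"          # JMP SHORT +0x3C; NOP
    boot[3:11] = b"MSDOS3.3"             # eight-byte OEM name
    struct.pack_into(BPB_FORMAT, boot, 11,
                     BYTES_PER_SECTOR, 2, RESERVED_SECTORS, NUM_FATS,
                     112, 720, media, SECTORS_PER_FAT, 9, 2, 0)
    boot[510:512] = b"\x55\xAA"          # BIOS boot signature
    return bytes(boot)


def set_fat12_entry(fat, cluster, value):
    """Write one 12-bit FAT entry in place (entries are packed 1.5 bytes each)."""
    off = cluster + cluster // 2
    if cluster % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF


def build_fat(media=MEDIA_DESCRIPTOR):
    """Healthy FAT12: entry 0 carries the media byte, entry 1 is 0xFFF, one two-cluster file."""
    fat = bytearray(SECTORS_PER_FAT * BYTES_PER_SECTOR)
    fat[0:3] = bytes([media, 0xFF, 0xFF])
    set_fat12_entry(fat, 2, 0x003)       # cluster 2 -> cluster 3
    set_fat12_entry(fat, 3, 0xFFF)       # cluster 3 ends the chain
    return fat


def build_image(zeroed_fats=()):
    """Boot sector followed by NUM_FATS copies of the FAT; `zeroed_fats` selects copies to wipe."""
    image = bytearray(build_boot_sector())
    for i in range(NUM_FATS):
        fat = build_fat()
        if i in zeroed_fats:
            fat = bytearray(len(fat))    # the symptom from the article: a FAT of all zeros
        image += fat
    return bytes(image)


def parse_bpb(boot):
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, boot, 11)))


def check_floppy(image):
    """Return a list of findings; an empty list means boot block and FATs look consistent."""
    findings = []
    boot = image[:BYTES_PER_SECTOR]
    if boot[510:512] != b"\x55\xAA":
        findings.append("boot sector lacks the 0x55AA signature")
    bpb = parse_bpb(boot)
    bps = bpb["bytes_per_sector"]
    if bps == 0 or bpb["sectors_per_fat"] == 0 or bpb["num_fats"] == 0:
        findings.append("BPB geometry is zero; boot sector probably overwritten")
        return findings
    fat_len = bpb["sectors_per_fat"] * bps
    fats = []
    for i in range(bpb["num_fats"]):
        start = bpb["reserved_sectors"] * bps + i * fat_len
        fats.append(image[start:start + fat_len])
    for i, fat in enumerate(fats):
        if not any(fat):
            findings.append(f"FAT copy {i} is entirely zero")
        elif fat[0] != bpb["media"] or fat[1:3] != b"\xFF\xFF":
            findings.append(f"FAT copy {i} header {fat[:3].hex()} does not match "
                            f"media byte {bpb['media']:02x}")
    if len(fats) > 1 and len(set(fats)) > 1:
        findings.append("FAT copies disagree; the undamaged copy may be usable for recovery")
    return findings


if __name__ == "__main__":
    for label, img in (("clean", build_image()),
                       ("first FAT zeroed", build_image(zeroed_fats=(0,))),
                       ("both FATs zeroed", build_image(zeroed_fats=(0, 1)))):
        print(label, "->", check_floppy(img) or ["no findings"])
```

The check deliberately reads only the BPB and the FAT region, so it works on a
raw sector dump of a diskette whose root directory and data area are already
unreadable; a real dump would replace `build_image()` with the bytes read from
the drive.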

--------------------

Date:         Tue, 31 May 88 10:53:45 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Second forwarded submission



>IBM-PC floppy write-protect logic is hardware.  If a disk is write-protected,
>it's *safe*.

Well, yes and no.  If you mean that a virus cannot write to a hardware
protected diskette, you are quite right (although one should never say
never :-)).  However, it should be pointed out that hardware write
protection can fail to work.  Most floppy drives detect the presence
of a write-protect notch with a mechanical or optical device.  These
devices are subject to failure.

As a case in point, we purchased some 5.25 inch red floppy diskettes that
did not have write-protect notches.  We wanted to distribute site-licensed
software, while making sure the software was returned to us in the same
condition as when checked out.  In order for us to put the site-licensed
software on the diskettes, we altered a floppy drive by temporarily removing
the mechanical switch that determined whether the floppy was write-protected.
In the process, we found that one of our *UNaltered* drives read this
write-protected diskette!  It turned out that this drive used an optical
means of sensing the status of the write-protect notch, and the light
traveled through the red jacket of the floppy diskette.  Although the
diskette was write-protected, the hardware failed to detect this.  I
understand that some translucent write-protect tabs cause the same problem.

The point is that a write-protected diskette is not completely immune
from infection.

- -------------------
John L. Cofer
COFER@UTKVX1.BITNET

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      =    This page intentionally    =
= Lehigh University Computing Center   =          left blank.          =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =                               =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
- ----------------------------------------------------------------------

--------------------

Date:         Tue, 31 May 88 10:55:14 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Did I say two?  I meant three forwarded submissions...  :-)




RE: FLUSHOT4 IS VIRUS.... It is not. It is a hacked version of the
program by Ross Greenberg; it is a Trojan Horse, since it does not
replicate itself. Some chutzpahnik took a hacked version of the TXT2COM
utility for making executable text files. The hacked program does things
that the original utility does not, like wipe out all files on the
same drive from which it is run.
The hacked TXT2COM was used on the FLUSHOT docs (which are ASCII)
to make FLUSHOT into the Trojan Horse.

RE: Nomenclature.... A reminder that in discussing malicious programs
on a serious level, it helps to keep our terms straight. Remember, the
trait that makes a program a virus is its ability to replicate its
code, usually INTO other, valid, programs. (A case of the un-common
code. %-)) There are also automated Trojan Horses, such as the troublesome
version of CHRISTMAS EXEC which are often called viruses. Some
computer scientists have taken to calling these automated Trojans
"bacteria". Also, it is good to remember that not all programs that
wreck files, etc. are Trojans or viruses. There are a lot of buggy
programs out there. For example, there is a debate about NOTROJ; some
people have gotten burned by it, others have no problems. It may be that
it was not designed to be harmful, but has bugs that make it harmful on
many systems.

RE: NAIVE QUESTIONS.... There are no dumb questions that are asked (in the
right place and time). The dumb question is the one that should have
been asked but never was.
  As for the question about disconnecting the hard drive and running
floppies only: it is feasible and recommended for maximum protection while
testing new programs. It is not a method suitable for everybody (sort
of like GRAPE NUTS<Tm> cereal). But even malicious programs that can
override software hard disk write protects cannot override an open
circuit. The trouble is the setting up and the cases where the software
needs the capacity of a hard disk. My dream scenario would be cheap
disposable hard disks for testing purposes. Electronic Petri Dishes.

Thank you, J.D. Abolins

- ----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      =    This page intentionally    =
= Lehigh University Computing Center   =          left blank.          =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =                               =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
- ----------------------------------------------------------------------

--------------------

Date:         Tue, 31 May 88 16:31:07 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Werner Uhrig <werner@rascal.ics.utexas.edu>
Subject:      Playboy virus - BEWARE! (thomas@uvabick (Thomas Fruin))
              [comp.sys.mac]

From: thomas@uvabick.UUCP (Thomas Fruin)
Newsgroups: comp.sys.mac
Subject: Playboy virus - BEWARE!
Message-ID: <258@uvabick.UUCP>
Date: 30 May 88 23:19:47 GMT

Through a dealer I heard that a new Macintosh virus had been sighted
here in the Netherlands, in Utrecht to be precise.  It was called
Playboy or something similar, and after double clicking rapidly
started showing you pictures of benevolent nude girls, while it was
malevolently busy erasing your hard disk ...

This is all I know.  Just be sure to fight your desire to launch
this nasty.

-- Thomas Fruin

   fruin@hlerul5.BITNET                  University of Leiden
   thomas@uvabick.UUCP                   University of Amsterdam
   dibs@well.UUCP
   hol0066.AppleLink
   2:512/114.FidoNet                     The Netherlands
