Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA26039; Tue, 12 Jun 90 07:30:55 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA13230; Tue, 12 Jun 90 07:30:53 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04558; Tue, 12 Jun 90 07:30:44 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa11457; 12 Jun 90 11:52 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:07:36 BST 
Message-Id:   <$TGVTCZHTCBTD at UMPA>
Subject:      Virus-L vol 0 issue #0810



Virus-L Digest Wed, 10 Aug 88, Volume 0 : Issue #0810

Today's Topics

Re: Re: Re: "2600" Quarterly, Summer, 1988
"Computers and Security," Virus Supplement
Re: Trapping Disk Calls
Re: Virii and Screen Output
Re: Trapping Disk Calls

------------------------------

Date:         Wed, 10 Aug 88 09:20:00 PDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ed Sakabu <CSMSETS@UCLAMVS>
Subject:      Re: Re: Re: "2600" Quarterly, Summer, 1988

I think (correct me but please don't flame me if I'm wrong) TAP went
under (financially that is) and some of the staff brought it back as
2600.

       --Ed

> Is 2600 magazine anything like the TAP issues of Old??
>
>                               Greg.

--------------------

Date:         Wed, 10 Aug 88 14:03:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      "Computers and Security," Virus Supplement

The current issue (April?) Volume 7, number 2, of the subject journal
has a special supplement on computer viruses.  It may be of interest to
the readers of this forum.

regards, Bill

--------------------

Date:         Wed, 10 Aug 88 18:49:58 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Trapping Disk Calls
In-Reply-To:  Message from "Art Larky" of Aug 2, 88 at 3:28 pm

>
>You won't catch my virus by watching for DOS calls, because I won't use
>them.

>...

>  Command.com is a great place to hide a virus, not only because it has
>room for it, but also because it gets executed immediately after your
>autoexec, so your chances of catching the virus depend upon what you do
>in autoexec.  Also, everyone has command.com and everyone uses it all
>the time, so it has lots of chances of spreading an infection.

Just a slight correction, command.com is executed *before* autoexec.bat

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Wed, 10 Aug 88 19:00:27 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Virii and Screen Output
In-Reply-To:  Message from "Amanda B Rosen" of Aug 8, 88 at 12:59 (midnight)

>
>David Slonosky's idea of a virus concealing itself is quite interesting, but
>there is a reason I don't think it could work.
>
>To really hide, the virus would have to remember the code it was overwriting.
>Otherwise, finding a chunk of $00s or No-ops in the middle of your code would
>be pretty suspicious (unless you're looking at COMMAND.COM :-)
>
...
>The point is, this virus rapidly grows so complex that it couldn't hide. The
>original copy would be huge, and it would have a significant effect on the
>system.
>
not so.  There is lots of room, just declare a few disk blocks to be
unavailable in the FAT, and use that space.  Noone looks to see what
happens to the bad block space, even of a floppy.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Wed, 10 Aug 88 23:29:00 -0500
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     converted from NETDATA format at UOFMCC
From:         Steve Morrison <b1morri@CCU.UMANITOBA.CA>
Subject:      Re: Trapping Disk Calls
In-Reply-To:  <428*b1morri@ccu.UManitoba.CA>

  Can you not adjust your CONFIG.SYS to hide almost anything within your RAM?
Stevo

--------------------

*** end of Virus-L issue ***