Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25942; Tue, 12 Jun 90 06:56:48 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA13029; Tue, 12 Jun 90 06:56:45 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04360; Tue, 12 Jun 90 06:56:37 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa11018; 12 Jun 90 11:42 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:09:56 BST 
Message-Id:   <$TGVTCZHTCBWF at UMPA>
Subject:      Virus-L vol 0 issue #0821



Virus-L Digest Sun, 21 Aug 88, Volume 0 : Issue #0821

Today's Topics

RE: Hiding a virus between disk sectors
Viral information file

------------------------------

Date:         Sun, 21 Aug 88 15:20:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         ZDABADE@VAX1.CC.LEHIGH.EDU
Subject:      RE: Hiding a virus between disk sectors

>
>I really can't see the practicality of viruses hiding in between
>sectors.  For one there isn't much room, maybe space for several
>bytes, no more.  The virus would have to be careful not to
>overwrite the following sync mark or make the next sector unreadable
>by DOS.  Finally, there would have to be a sophisticated program
>to read the data between sectors, concatenate the information (ie
>the virus), and then execute it in memory.  Since this sophisticated
>program is not a part of DOS, and since it itself could
>not be hidden between sectors, the point of putting a virus
>in between sectors is moot.
>
>Joes

I've been playing around with my Options board and found that there is at
least 50K of characters that I can string together between sectors on the
40 tracks of a 360K IBM floppy. (There is probably twice that much data
room available, but then it might interfere with the buffers of data on the
physical disk for marking where a sector begins and ends and the sector
type bytes (good, bad, etc.).) Would it not be trivial for someone to write a
small useful utility (or take an already existing one) that a lot of people
might use, and tack on the data to propagate this type of virus? How would
the detection of this virus have to change from already existing
techniques? File size changes wouldn't be that evident because the virus
would be hidden on a non-counted part of a disk, and the virus carrier
program would still be the same general size with just a jump to the virus
code... Any ideas out there?

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
|    From:  David A. Bader, Studentis Maximus                             |
|                                                                         |
|    DAB3@LEHIGH                       SloNet: 1402 Lorain Avenue         |
|    ZDABADE@VAX1.CC.LEHIGH.EDU                Bethlehem, Pa.  18018      |
|    HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                   |
|                                                                         |
|    SchoolNet: Box 914,               -On a mostly harmless              |
|            Lehigh University,         blue green planet...              |
|          Bethlehem, Pa.  18015       -And loving it!                    |
\________________________________________________________________________/

--------------------

Date:         Sun, 21 Aug 88 17:06:50 PDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Robert Slade <USERCE57@UBCMTSG>
Subject:      Viral information file

Regarding the request for an archive of virus message information,  I  have
been  collecting  and  distributing  such  for  some  time,  predating  the
existence of VIRUS-L. As explanation, herewith (and  I  apologize  for  the
length) a recent submission to RISKS-FORUM.

One other thing. The file has now passed 700K. Multiple floppies would be a
good idea.

Following my recent reposting of the directions for the "Virus  file"  (and
pursuant  to  Chip  Copper's  attempt  to  establish  a  "Center  for Virus
Control"), I received the following message:

   Subject: Virus collection???
   From: JKILLY@BINGVMB

Hello--I saw your posting of a set of collected virus  messages  in  RISKS,
and  I  just  had  to  respond.  Please forgive, but are you for real? This
sounds like you're dispensing  hellish  little  packages  of  unadulterated
evil!  If  the  "collection" is so interesting, why don't you upload it and
distribute it in a format that is not so inherently threatening?  A  person
would have to be nuts to put your 5.25" diskette in any micro (I guess some
clean  shop  that  destroys  units on a good day might find it acceptable).

I'm not mad, just curious: What *is* the point of distributing  this  stuff
on diskette? Thanks very much for your response.

                                             --Jake

There seem to be two issues to  address  here.  One  is  the  already  well
addressed  theme  of  whether  or  not  you  talk about matters relating to
security. I generally come down on the "let the users know, and  chance  it
on  the hackers" side of the discussion. In the case of viri, the users are
everywhere, and (as has been ably pointed out by others) society in general
is going to be affected by the mere *existence* of virus programs. So, I am
compiling and distributing the material.

Second issue: *what* am I compiling. First off, I  am  not  collecting  and
distributing  virus programs themselves (so you can give up on the requests
"Ultimate_Hacker", and sorry, Chip, I wish I *could* help.) The file  is  a
collection  of  messages  from RISKS-FORUM, INFO-MAC, INFO-IBMPC, VIRUS-L,
Computers and Society Digest and various text postings on private  bulletin
boards.  *All*  the  material  is therefore readily accessible; I am simply
trying to save time for those who are trying to work in this  area.  Simply
collating all the material is taking several hours per week, and I have not
yet had time to edit it all.

The bulk of the material is from RISKS. The topics I select for  are  those
announcing or analysing new viri, those suggesting virus protection schemes
(and critiques of those suggestions), opinion pieces on the implications of
viri  and  some  messages  on  related security matters (such as the recent
discussion of "block mode" on terminals.)

The total size of the file is now in excess of 700K, and is being sent  out
in  archived  form.  (The  current  archive  breaks  out  into  two  files,
MASTER1.VIR and MASTER2.VIR.) I suspect that by the time you read this, the
total file will no longer fit on a single disk, even archived. FTP  is  not
available  from UBC, and I am not going to send a 700K+ file out as one
or more message(s) on a daily basis.

Future editions of this file can be obtained by sending a PC formatted disk
in a (Canadian) stamped, self addressed mailer to:

Robert M. Slade, 3118 Baird Road, North Vancouver, B. C., Canada V7K 2G6

I hope this goes some way to allaying Jake's fears. Prudent  caution  would
appear  to  be  very  healthy  in our current environment (although I would
think you could find *some* way of testing what you  receive  from  unknown
sources.)

Disclaimer: ... ah, what's the point.  Nobody'd believe it anyway ...

P. S. - Herewith a local virus warning from a ways back ...

- -------------------

From:    Greg Slade                               Rec'd
To:      All                                      Msg #55, 13-May-88 12:17pm
Subject: *** Warning ***

From:    Steve Fairbairn
To:      All                                      Msg #162, 29-Apr-88 03:14pm
Subject: TROJAN **** ALERT ****

* Original: FROM.....Tom Sirianni (153/4)
* Original: TO.......All Sysops (153/102)
* Forwarded by.......OPUS 153/703

* Original: FROM.....Tom Sirianni (105/301)
* Original: TO.......All (105/301)
* Forwarded by.......OPUS 105/301

To All:

        New TROJAN has hit Portland, Oregon. Two CONSULTANTS who
use TURBO PASCAL were using a program called:

D-XREF60.COM

the program was originally from a PC-SIG library in California
but it may show up on the local BBS's.  **** BEWARE ****

This program is supposed to be a cross reference program for Pascal
programmers; it does what it says PLUS it randomly deletes file names from
the DIR, then it all at once scrambles the FAT. Author's name? The infamous
DORN STICKLE! Poor boy is really getting blamed for a bunch of stuff. At
any rate be careful of this one. I repeat, this is a verified TROJAN.

This message may be TRANSPOSED to the PUBLIC to help the average
User defend him/her self.

Tom Sirianni of 105/301

- - ConfMail V3.31
 * Origin: SCP Business BBS * This WOC's PC-Pursuitable 1-503-648-6687 (1:105/301)

From:    Charles Howes
To:      All                                      Msg #184, 06-May-88 10:48pm
Subject: novirus.arc

I suspect, after having my system quit, that NOVIRUS.ARC is in
fact a virus.  My hard disk just wouldn't boot.  I couldn't figure out
what was wrong, so I copied off only necessary files and then
reformatted in dos 3.3.  About the only good thing I can say
about the program is that it got me to upgrade to 3.3 from 3.1.
Whoopee.

The above were posted on Dial-A-File. I cannot comment on the content as I
have never used either program, but I would advise caution on the part of
those who come into contact with them. Greg?

--------------------

*** end of Virus-L issue ***
