Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA04556; Wed, 20 Jun 90 17:29:00 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA07149; Wed, 20 Jun 90 17:28:58 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA23463; Wed, 20 Jun 90 17:28:46 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa23331; 20 Jun 90 16:24 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:34:08 BST 
Message-Id:   <$TGWGCZNQBTRK at UMPA>
Subject:      Virus-L vol 0 issue #1026



Virus-L Digest Wed, 26 Oct 88, Volume 0 : Issue #1026

Today's Topics

UIUC Brain update
** no subject, date = Wed, 26 Oct 88 09:11:52 CDT
read-only, again
hardware damage
LISTSERV@RPICICGE

------------------------------

Date:         Wed, 26 Oct 88 00:49:44 CDT
From:         "Mark S. Zinzow" <MARKZ@UIUCVMD>
Subject:      UIUC Brain update

What has been done about our Brain virus infection:

1) As previously noted the Brain virus  was  discovered  here  on  Thursday
   October 20, 1988. Since then, we have guesstimated that the infection had
   spread for at least three weeks undetected.
2) Information files and programs have been  obtained  from  Lehigh,  NBBS,
   Bitnic, and other sources.
3) Files  and  programs  distributed  on  campus  via  anonymous  ftp  from
   uxe.cso.uiuc.edu (128.174.5.54).
4) Our samples of the Brain virus have been compared to the known  original
   version to determine that we have a mutant which might be more dangerous
   than the original. Ours has a different message at the beginning, so may
   behave differently than the known version. One difference is the string
   "VIRUS_SHOE  RECORD  v9.0"  shortly  after  the "Welcome to the Dungeon"
   message in the boot sector.

What remains to be done:

1) A simple summary of all the  useful  anti-virus  measures  needs  to  be
   written  and distributed to PC Users at large and all labs. (This should
   include information on other viruses and general  protection  measures.)
   This document will serve in the interim along with BRAIN.MCPART_T.
2) Our samples of the Brain virus need to be analyzed and  disassembled  to
   see how it behaves relative to the original Brain.
3) Some of the programs we have which check for and remove the brain  virus
   need  to  be  evaluated,  and/or compiled, debugged, and distributed. We
   should also check the software available on Simtel20, and Dave Chamber's
   BBS for his program V-finder.

Files available on uxe in /micro/pc/virus (or pc/virus from anonymous ftp):

File               Description                                Source
VIRUS-L.FILELIST   List of files available from Lehigh U.     ListServ@LEHIIBM1
VIRUS-L.LOG88*     Logs of Bitnet virus discussion list       ListServ@LEHIIBM1
b88*               Excerpts from the above for quick reading  MARKZ@vmd.cso.uiuc.edu
BRAIN.MCPART_T     Good article on the first Brain virus      ListServ@BITNIC
debrain.exe        Program to check for and remove Brain      sherk@umd5.UMD.EDU
virdoc2.txt        General virus documentation                Homebase BBS
review.pro         A review of protection software            VIRUS-L.LOG8806
README.virus       This file                                  zinzow@uxe.cso.uiuc.edu

Complete listing of the above directory at the time of this writing:

BRAIN.MCPART_T          VIRUS-L.LOG8808A        VIRUS.CERNY_J
CHECKMEM.C              VIRUS-L.LOG8808B        VIRUS.SHEEHA_M
CHKUP14.UUE             VIRUS-L.LOG8808C        b8804
NOBRAIN.C               VIRUS-L.LOG8808D        b8805
RISKS.LOG               VIRUS-L.LOG8808E        b8806
VIRUS-L.FILELIST        VIRUS-L.LOG8809A        b8807
VIRUS-L.LOG8806A        VIRUS-L.LOG8809B        book
VIRUS-L.LOG8806B        VIRUS-L.LOG8809C        debrain.exe
VIRUS-L.LOG8806C        VIRUS-L.LOG8809D        dir
VIRUS-L.LOG8807A        VIRUS-L.LOG8809E        readme.debrain
VIRUS-L.LOG8807B        VIRUS-L.LOG8810A        review.pro
VIRUS-L.LOG8807C        VIRUS-L.LOG8810B        virdoc2.txt
VIRUS-L.LOG8807D        VIRUS-L.LOG8810C
VIRUS-L.LOG8807E        VIRUS-L.LOG8810D

Files available on uxe in /micro/pc/exec-pc/new (or pc/exec-pc/new):

File               Description                                Source
fsp_14.arc         Flushot Plus 1.4                           Exec-PC BBS, Milw. WI
Many interesting files are here, but this is the one of primary interest.
See the files xfer*.arc for complete descriptions of all Exec-PC files
through Oct. 17, 1988 including those kept here.
(note: Files from Exec-PC are put first in the new directory
       on uxe, then moved to exec-pc when the next batch is added.)

Files available on uxe in /micro/pc/mac/virus (or pc/mac/virus):

File               Description                                Source
DUKVACC.TXT        Vaccine for "Dukakis" HyperCard virus      ListServ@SCFVM (NASA)
NVIRVACC.SITHQX    Vaccine for nVIR virus                     ListServ@SCFVM (NASA)

-----Electronic Mail----------------------------U.S. Mail--------------------
ARPA: markz@vmd.cso.uiuc.edu         Mark S. Zinzow, Research Programmer
BITNET: MARKZ@UIUCVMD.BITNET         University of Illinois at Urbana-Champaign
CSNET: markz%uiucvmd@uiuc.csnet      Computing Services Office
 "Oh drat these computers, they are  150 Digital Computer Laboratory
   so naughty and complex I could    1304 West Springfield Ave.
  just pinch them!"  Marvin Martian  Urbana, IL 61801-2987
USENET/uucp: {ihnp4,convex,pur-ee,cmcl2,seismo}!uiucdcs!uiucuxc!uiucuxe!zinzow
(Phone: (217) 244-1289  Office: CSOB 110) ihnp4!pyrchi/         \markz%uiucvmd
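
Added example, not part of the original post and not one of the programs listed above: a boot-sector check built only on the two strings the update quotes, reporting whether a sector carries the "Welcome to the Dungeon" banner alone or the banner followed by the UIUC variant string. The function names and sample sectors are constructed for illustration, and because the digest text is space-justified the exact spacing inside the strings is an assumption, so the patterns accept any run of spaces.

```python
import re

SECTOR_SIZE = 512

# Strings quoted in the post. The digest text is space-justified, so the exact
# spacing inside each string is uncertain; \s+ accepts one or more spaces.
BRAIN_BANNER = re.compile(rb"Welcome\s+to\s+the\s+Dungeon")
VARIANT_TAG = re.compile(rb"VIRUS_SHOE\s+RECORD\s+v9\.0")


def classify_boot_sector(sector: bytes) -> str:
    """Classify the first 512 bytes of a disk image by the post's two strings."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"need {SECTOR_SIZE} bytes, got {len(sector)}")
    sector = sector[:SECTOR_SIZE]
    banner = BRAIN_BANNER.search(sector)
    if banner is None:
        return "no-banner"  # absence of the string is not proof of a clean disk
    # The post places the variant string shortly after the banner.
    if VARIANT_TAG.search(sector, banner.end()):
        return "banner+variant-tag"
    return "banner-only"


def scan_image(path: str) -> str:
    """Read sector 0 of a raw floppy image file and classify it."""
    with open(path, "rb") as image:
        return classify_boot_sector(image.read(SECTOR_SIZE))


def constructed_sector(text: bytes) -> bytes:
    """Build a 512-byte test sector: text at offset 16, zero padding (no virus code)."""
    return (b"\x00" * 16 + text).ljust(SECTOR_SIZE, b"\x00")


# Constructed samples for the demonstration only.
SAMPLE_PLAIN = constructed_sector(b"Non-System disk or disk error")
SAMPLE_BANNER = constructed_sector(b"Welcome to the Dungeon")
SAMPLE_VARIANT = constructed_sector(b"Welcome to the Dungeon  VIRUS_SHOE  RECORD  v9.0")

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_BANNER", "SAMPLE_VARIANT"):
        print(name, "->", classify_boot_sector(globals()[name]))
```

A string match only sorts samples into the two groups the post distinguishes; it says nothing about how the variant behaves, which is the disassembly work listed under "What remains to be done".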

--------------------

Date:         Wed, 26 Oct 88 09:11:52 CDT
Comments:     Resent-From: RBCSCG05 <COSTERHD@SFAUSTIN>
From:         RBCSCG05 <COSTERHD@SFAUSTIN>

              Thought this should be forwarded here !!
                    RECEIVED  26 OCT 1988 @ 9:11

Chris Osterheld  <COSTERHD@SFAUSTIN.BITNET>

    Sent: 10/26/88 03:49  Rcvd: 10/26/88 03:49  Number: 4
      To: COSTERHD@SFAUSTIN                       From: MAC-USER
 Subject: !! VIRUS WARNING !!

Date:         Wed, 26 Oct 88 08:13:28 ECT
Reply-To:     EARN Macintosh Users List <MAC-USER@IRLEARN>
Sender:       EARN Macintosh Users List <MAC-USER@IRLEARN>
From:         Christian Falk 7-593891 <FALK@NORUNIT>
To:           Chris Osterheld <COSTERHD@SFAUSTIN>

Today, I received an  upgrade  disk  from  High  Performance  Systems  INC,
containing  STELLA  2.0 for Academe. Both STELLA and System files contained
the nVIR-resources. I have noticed the company. Please forward this note!

--------------------

Date:         Wed, 26 Oct 88 10:11:25 EDT
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      read-only, again

SSAT@PACEVM suggests that making command.com and the system files read-only
should be part of a virus-protection scheme. While it can't hurt (unless it
leads to a false sense of security), and  it  may  prevent  you  from  some
accidents,  it  is  trivial  (a  couple dozen bytes of code) for a virus to
alter a file despite the fact that it is marked read-only. All the  viruses
for PC-DOS that I've seen in fact do this, and aren't even slowed down by a
read-only setting.

For that matter, except for the Lehigh COMMAND.COM virus, the viruses  that
I've seen don't touch (or don't have to touch) either COMMAND.COM or any of
the  system files. The Jerusalem virus, for instance, spreads between normal
(non-system) EXE and COM files (I forget whether  or  not  it  will  infect
COMMAND.COM  given  the  chance;  but  it  doesn't  *have*  to be able to).

So, as has been said here a couple of times before, read-only is very  very
little help against viruses.

DC
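
Added example, not part of the post above: it shows on a scratch file why the read-only flag is weak evidence of integrity, since a program running as the file's owner can clear the flag, write, and set it back, after which the flag looks untouched while a content hash recorded beforehand no longer matches. The file name is a stand-in, the contents are constructed, and the hash baseline is an added comparison that the post does not discuss.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path: str) -> str:
    """Hash the file contents; this is what actually changes when a file is altered."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def is_read_only(path: str) -> bool:
    """True when the owner-write bit (the DOS read-only attribute on Windows) is off."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def rewrite_read_only_file(path: str, data: bytes) -> None:
    """Clear the flag, append, restore the flag: needs no privilege beyond ownership."""
    original_mode = os.stat(path).st_mode
    os.chmod(path, original_mode | stat.S_IWUSR)
    try:
        with open(path, "ab") as f:
            f.write(data)
    finally:
        os.chmod(path, original_mode)


def demo() -> dict:
    """Run the scenario in a temporary directory and report what each check sees."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "COMMAND.COM")  # stand-in name, constructed contents
        with open(path, "wb") as f:
            f.write(b"constructed stand-in contents\n")
        os.chmod(path, stat.S_IRUSR)                 # mark read-only
        baseline = sha256_of(path)                   # recorded while known good
        rewrite_read_only_file(path, b"appended bytes\n")
        result = {
            "still_read_only": is_read_only(path),
            "hash_matches_baseline": sha256_of(path) == baseline,
        }
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # allow cleanup on every platform
        return result


if __name__ == "__main__":
    print(demo())
```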

--------------------

Date:         Wed, 26 Oct 88 13:00:00 PDT
From:         "JOHN D. WATKINS" <WATKINS@UCRVMS>
Subject:      hardware damage

Hmm...the space shuttle uses magnetic core memory! So where  are  the  temp
sensors... Kevin

--------------------

Date:         Wed, 26 Oct 88 19:36:00 EDT
From:         Paul Coen <PCOEN@DRUNIVAC>
Subject:      LISTSERV@RPICICGE

Quite a few people have been referring to the LISTSERVer at RPICICGE  as  a
source for files (SIMTEL20 redistribution). I thought I'd post this message
John Fisher sent out on PCSERV-L some time ago:-
......................................................................
From:  BITNET%"FISHER@RPICICGE"      "John S. Fisher" 22-SEP-1988 10:25:45.04
To:    Paul Coen <PCOEN@DRUNIVAC>
Subj:  Unhappy state of affairs
Received: From BITNIC(MAILER) by DRUNIVAC with Jnet id 4235
          for PCOEN@DRUNIVAC; Thu, 22 Sep 88 10:25 EDT
Received: by BITNIC (Mailer X1.25) id 4233; Thu, 22 Sep 88 10:29:35 EDT
Date:         Thu, 22 Sep 88 09:45:24 EDT
Reply-To:     Public domain software servers <PCSERV-L@RPICICGE>
Sender:       Public domain software servers <PCSERV-L@RPICICGE>
From:         "John S. Fisher" <FISHER@RPICICGE>
Subject:      Unhappy state of affairs
To:           Paul Coen <PCOEN@DRUNIVAC>

The PC software server available through LISTSERV@RPICICGE (and shadowed by
a few TRICKLE servers) has not been doing very well lately. Well,  that  is
being  polite.  This  has  been one rotten summer for the server. The cheap
excuse of Simtel20 being down for a major part  of  August  is  just  that,
cheap.  Had  it  been up the whole time, the server here would probably not
have noticed. The server gets its files via FTP over  the  internet  direct
from Simtel20. At least that is what it tries to do. My system is connected
to  one  of the NSF regional networks (NYSERNET in this case). That in turn
is connected via gateways to the various other networks that  make  up  the
internet.  The  path from NYSERNET to MILNET (where Simtel20.ARMY.MIL is to
be found) has been extremely unreliable for quite some time. In the  spring
of  this year the server was able to move 100-200 files per day in response
to requests (with the balance of requests being  satisfied  from  a  local
cache of popular files). For most of the summer the transfer rate has never
exceeded 20. For one solid week now the total number of files transferred is
exactly zero.

The server is providing no service at all.  Actually,  it  is  providing  a
disservice by giving the impression it will really do something. Enough. If
by Monday of next week (26 October 88) there is no ray of hope for improved
connectivity between here and Simtel20, service will be discontinued. There
is  not necessarily any group of individuals or network equipment at fault,
either; the situation simply is what it is. So, I should face  reality  and
stop  pretending  to  be able to do something that I can not. Be that as it
may, there are many of you out there on Bitnet, running some flavor of  VM,
connected to the internet by either FAL or WiscNet, who actually can get to
Simtel20  reliably.  I'm looking for volunteers, people willing and able to
provide access to all or some (one even) of the many archives available  at
Simtel20. If you have the system, I have the software.

Regards, JSFisher
......................................................................
I have not heard any updates on the  situation,  so  I  assume  little  has
changed. Has anyone heard differently?

+----------------------------------------------------------------------------+\
| Paul R. Coen                                                               | |
|   Bitnet: PCOEN@DRUNIVAC       U.S. Snail:  Drew University CM Box 392,    | |
|           PCOEN@DREW                        Madison, NJ 07940              | |
|   Disclaimer:  I represent my own reality.                                 | |
+----------------------------------------------------------------------------+ |
\                                                                             \|
 \_____________________________________________________________________________\

--------------------

*** end of Virus-L issue ***
