Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA04546; Wed, 20 Jun 90 17:28:26 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA07140; Wed, 20 Jun 90 17:28:26 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA23429; Wed, 20 Jun 90 17:28:16 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa23311; 20 Jun 90 16:23 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:34:24 BST 
Message-Id:   <$TGWGCZNQBTRN at UMPA>
Subject:      Virus-L vol 0 issue #1027



Virus-L Digest Thu, 27 Oct 88, Volume 0 : Issue #1027

Today's Topics

HELP!
Re: Dissertation Copy?
UIUC Brain update
Detection
LaserWriters and memory
Hardware damage

------------------------------

Date:         Thu, 27 Oct 88 00:17:21 CDT
From:         GX6692@SIUCVMB
Subject:      HELP!

I was sent to this list by some people from another list (GAMES-L) since  I
mentioned  a  virus  on  that list etc... It seems that our school has just
been hit with what has become commonly  known  as  the  Pakistan  virus.  I
personally  have lost MANY hours of work to this bug. If ANYONE can help me
(so that I may help others) on how to deal with this  PLEASE  let  me  know
ASAP.  The  virus  hit here so bad that we made the St. Louis Post Dispatch
(newspaper), Tribune (Chicago newspaper), and a few other lesser newspapers
etc... I work at one of the Computer Labs here at school. My job is  mostly
to  help  people  and  distribute  software. The problem is that our school
software has also been VERY much affected. So you can see that we are up  a
certain  creek  without  a  mode of propulsion. Thanks for all your help in
advance... vince laurent, GX6692@SIUCVMB

--------------------

Date:         Thu, 27 Oct 88 11:21:00 LCL
From:         "H.Ludwig Hausen +49-2241142426" <HAUSEN@DBNGMD21>
Subject:      Re: Dissertation Copy?

Hello, I would like to know this source also. So, please e-mail the
address if you get one. Thanks. HL. Hausen
o----------------------------------------------------------------------o
| GMD Schloss Birlinghoven       Telefax   +49-2241-14-2618            |
| D-5205 Sankt Augustin 1        Teletex   2627-224135=GMD VV          |
|        West  GERMANY           Telex     8 89 469 gmd d              |
|                                E-mail    hausen@dbngmd21.BITNET      |
|                                Telephone +49-2241-14-2440 or 2426    |
o----------------------------------------------------------------------o
|    GMD (Gesellschaft fuer Mathematik und Datenverarbeitung)          |
|    German National Research Institute of Computer Science            |
|    German Federal Ministry of Research and Technology (BMFT)         |
o----------------------------------------------------------------------o

--------------------

Date:         Thu, 27 Oct 88 11:12:18 EDT
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      UIUC Brain update

>                                ...  Ours has a different message at
>  the beginning, so may behave differently than the known version.
>  One difference is the string "VIRUS_SHOE  RECORD   v9.0" shortly
>  after the "Welcome to the Dungeon" message in the boot sector.

Although I can't of course know that it's the same thing that you have,  it
may  be  somewhat  comforting  to  know  that  I've  seen  a virus with the
"VIRUS_SHOE" wording in it, and that it proved to be exactly  identical  to
the  standard "Brain" virus, except for the unused text areas. The readable
parts of the boot record in the variant that I've seen included:

     Welcome to the Dungeon  (c) 1986 Brain & Amjads (pvt) Ltd
     VIRUS_SHOE RECORD v9.0   Dedicated to the dynamic memories
     of millions of virus who are no longer with us today -
     Thanks GOODNESS !!   BEWARE OF THE er VIRUS  :  this
     program is catching    program follows after these messeges

"Thanks GOODNESS" and "messeges" are the originator's typos, not mine!  The
string  "(c)  Brain"  had also been replaced with the string "(c) ashar" in
one place. But all the code was identical. I first encountered this variant
in Paris, and have since seen it in a university in Texas.

Don't be too comforted by this, of course! It may well be that someone  has
taken  the  original  variant  and  added  nasty  things  to it. So be very
careful, and do have your technical-types dig into it.

Dave Chess, Watson Research
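
An added example, not part of the original post or digest: a minimal triage check that pulls printable strings from a 512-byte boot-sector image and reports which of the text markers quoted above are present. The sample sectors, their offsets and the function names are constructed for illustration; a match concerns the text areas only and says nothing about whether the code matches the standard Brain.

```python
import re

SECTOR_SIZE = 512

# Marker strings quoted in the post above. Matching is whitespace- and
# case-insensitive (an assumption), since the quoted text varies its spacing.
MARKERS = [
    "Welcome to the Dungeon",
    "(c) 1986 Brain & Amjads (pvt) Ltd",
    "VIRUS_SHOE RECORD v9.0",
    "(c) ashar",
]

def printable_runs(sector, min_len=4):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, sector)]

def normalise(text):
    """Collapse whitespace runs and lower-case for comparison."""
    return re.sub(r"\s+", " ", text).strip().lower()

def scan_boot_sector(sector):
    """Return the markers found in one boot-sector image, in MARKERS order."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector image" % SECTOR_SIZE)
    runs = [normalise(r) for r in printable_runs(sector)]
    # Match per run so text separated by binary bytes is never joined.
    return [m for m in MARKERS if any(normalise(m) in r for r in runs)]

def make_sector(chunks):
    """Build a constructed test sector: zero fill, text at given offsets."""
    buf = bytearray(SECTOR_SIZE)
    for offset, data in chunks.items():
        buf[offset:offset + len(data)] = data
    buf[510:512] = b"\x55\xaa"  # standard PC boot-sector signature
    return bytes(buf)

# Constructed samples: offsets are arbitrary, not taken from a real disk.
SUSPECT = make_sector({
    16: b"Welcome to the Dungeon  (c) 1986 Brain & Amjads (pvt) Ltd",
    96: b"VIRUS_SHOE  RECORD   v9.0",
    160: b"(c) ashar",
})
CLEAN = make_sector({3: b"MSDOS3.3", 400: b"Non-System disk or disk error"})

if __name__ == "__main__":
    print("suspect:", scan_boot_sector(SUSPECT))
    print("clean:  ", scan_boot_sector(CLEAN))
```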

--------------------

Date:         Thu, 27 Oct 88 18:24:08 CDT
From:         Chip McGuill <PINKY@TAMCBA>
Subject:      Detection

I need some detailed information on detection and the prevention of viruses
on MSDOS computers. Please post to me directly. Thanks.
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~!~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
%  Chip McGuill                   !                                  %
%  Academic Computer Center       !  <PINKY@TAMCBA>                  %
%  Texas A & M University         !  <N166AY@TAMVM1>                 %
%  129 Blocker                    !__________________________________%
%  College Station, TX  77840     !  Disclaimer:  Everything I say   %
%                                 !  has nothing to do with whom I   %
%  (409) 845-3893                 !  work for.                       %
\_________________________________!__________________________________/

--------------------

Date:         Thu, 27 Oct 88 16:08:19 EDT
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      LaserWriters and memory

I am forwarding this message about LaserWriters to the list at the author's
request.

Subject: LaserWriter hacking

Some of the LaserWriter's memory is not erased at power-down - I don't know
the exact technology used, some sort of EPROM, I suppose. But the  password
is  stored  in  it.  It  is  possible  to change the password (null in most
networks) over the AppleTalk so that only you can use the printer. The only
fix is to send the machine back for a new, blank, EPROM, since the password
protects the printer against  future  attempts  at  password  modification.

I haven't done this; I know about it from someone who worked out how to  do
it but refrained from trying the experiment.

best wishes - jack

Jack Campin,Computing Science Department,
Glasgow University, 17 Lilybank Gardens, Glasgow G12 8QQ, SCOTLAND.
041 339 8855 x6045 wk 041 556 1878 ho
ARPA: jack%cs.glasgow.ac.uk@nss.cs.ucl.ac.uk  USENET: jack@glasgow.uucp
JANET: jack@uk.ac.glasgow.cs
PLINGnet: ...mcvax!ukc!cs.glasgow.ac.uk!jack
[end of forwarded message]
......................................................................
A  little  info  about  memory:  most  computer  memory   these   days   is
complementary metal-oxide semiconductor (CMOS) technology. Because of power
and  price,  dynamic  memory  is  used  for storage. Dynamic memory must be
periodically refreshed, or it forgets things. Since this refreshing process
requires external logic or an active processor, static memory is  used  for
non-volatile applications. Static memory does not need to be refreshed, but
tends  to  use  more  power.  So CMOS low-power (LP) static memory is used;
these devices have an inactive low-power mode that can be maintained for  a
long time with an onboard battery power supply.

EPROMs cannot be re-written after having been programmed, unless  they  are
erased  with  ultraviolet  light.  Many  distribution EPROMs these days can
never be erased, since they are encased  in  solid  epoxy  carriers.  These
devices are technically PROMs; however, they are the same devices as the
EPROMs, in cheaper packaging. Erasable EPROMs come in ceramic carriers
with a quartz window on top.

EEPROMs can be electrically erased, so they may  be  used  on  a  board  as
non-volatile  memory,  but the support circuitry required to erase them and
reprogram them  makes  such  applications  impractical.  In  fact,  EEPROMs
themselves  are  pretty  impractical,  and  not  widely  used.  The support
circuitry required to program  a  simple  EPROM  is  impractical  as  well.
Programming any kind of EPROM typically requires a 21V or 25V power supply,
and  most  computers  don't  need  such  voltages for any other purpose. So
onboard EPROM programmers are also quite rare.

Here are a few acronyms:
CMOS:    complementary metal-oxide semiconductor
CMOS-LP: complementary metal-oxide semiconductor - low power
PROM:    programmable read-only memory
EPROM:   erasable programmable read-only memory
EEPROM:  electrically erasable programmable read-only memory

- Jeff Ogata
Gee...maybe I should move this over to MEMORY-L... :-)

--------------------

Date:         Thu, 27 Oct 88 18:55:00 EST
From:         Dimitri Vulis <DLV@CUNYVMS1>
Subject:      Hardware damage

A virus does not actually have to _damage_ the hardware; it may achieve the
same results by programming it to operate in such a manner that it
appears  damaged. For example, suppose a PostScript trojan causes black and
white streaks to appear at random on printed pages; you're  going  to  have
your  printer  serviced,  and it'll cost you the same (in terms of time and
money) as if it were broken. Or, a virus might create bad sectors on a hard
disk, causing you to replace the disk. The possibilities are  endless,  and
it's  much  easier  to do (and hence more dangerous) than outright hardware
damage. -Dimitri Vulis, Math Dept, CUNY Graduate Center

--------------------

*** end of Virus-L issue ***
