
Virus- L Digest, Vol 1, Issue 50


From: Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To: [email protected]
BCC: [email protected]
Subject: VIRUS-L Digest V1 #50
Reply-to: [email protected]
--text follows this line--

VIRUS-L Digest Friday, 16 Dec 1988 Volume 1 : Issue 50

Today's Topics:
Report of Scores Author
Is there someplace that all the information is kept??
Common sense re: software suppliers
Brain Virus at Yale (PC)
Re: Brain virus at Yale (PC)
What does the Brain virus do? (PC)
Brain at U of Vermont (PC) -- forwarded msg from LIAISON list
VIRUS WARNING: Brain virus at Univ. of Vermont (PC)

---------------------------------------------------------------------------

Date: Fri, 16 Dec 88 09:17:50 EST
From: Don Alvarez <boomer@space.mit.edu>
Subject: Report of Scores Author

The Rumor Manager in the latest issue of MacUser claims
that Apple has known the author of the Scores Virus for
"several months" now, and that the matter is in the hands
of their lawyers.

....And on the 8th day, the Lord
created civil suits....

- Don

+ ----------------------------------------------------------- +
| Don Alvarez MIT Center For Space Research |
| [email protected] 77 Massachusetts Ave 37-618 |
| (617) 253-7457 Cambridge, MA 02139 |
+ ----------------------------------------------------------- +

------------------------------

Date: Fri, 16 Dec 88 09:42 EST
From: <[email protected]>
Subject: Is there someplace that all the information is kept??

It occurred to me today that I have heard many requests for essentially
the same thing : "What is such and such virus, how does it work, what
does it infect, and how can I protect against it?" It would seem to
me that these requests become repetitive, and that the people with the
answers must be getting sick of sending replies in time after time.

A letter posted a few days ago comes to mind : Someone asking if there
was a master file with descriptions of all known viruses for the IBM
PC and the Mac. My question is, Is there? Such a file would prevent
a lot of hassles, and perhaps at the beginning of each week the digest
could print the location of such files and any recent updates that
have been added.

Now I realize this is asking a lot of the list owner. As if he
doesn't have enough to do already. But perhaps it is time someone
else jumped into the fray, and compiled such a list. I am sure that
there are many 'experts' who would be willing to write information for
such a file, it would just be a matter of editing it together.

Or perhaps this has already been done, and I don't know about it. And
that is just as bad - if it exists everyone should know where to get
it, even me.

Jon Baker JEB107 at PSUVM.Bitnet
Psuvm.Psu.Edu

Disclaimer : I would do it myself, but I am not the most knowledgeable
person in terms of viruses. I would most certainly make a mess of
it....

[Ed. The closest existing thing (that I know of) to what you propose
is the Dirty Dozen list. I don't know how up to date that is, though,
as I don't have a recent copy. Any volunteers to send me that and/or
other such lists so that I can post them on the LISTSERV?]

------------------------------

Date: 16 December 88, 16:46:22 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
Subject: Common sense re: software suppliers

> CHRISTMA EXEC *did* come from a trustworthy supplier!

I did not say "don't run programs you haven't got from a trustworthy
supplier", I rather said "programs you have *ordered* from a
trustworthy supplier". As CHRISTMA EXEC has shown, extreme care is
appropriate for programs you are supplied with for no obvious reason.

> Even shrink-wrapped software from a multi-million dollar corporation
> cannot be considered as coming from a trustworthy supplier

You are right insofar that even they are not infallible. However, you
can be sure that they will undertake every possible attempt to
minimize impact on their customers (they will suffer great losses if
they won't succeed). At least you know whom to sue for lost property
:-)

> If you mean not to run any program you can't read and understand *even*
> if from a trustworthy supplier, then you've just killed the entire
> software business.

You've pointed out perfectly well that we have to trust other people
in many cases. That's the reason, computer-users & media are so upset
about viruses & other malicious software (I mean software doing real
harm, e.g. annihilating programs or valuable data -- not just
spreading and saying "You've got a Virus", every April fool's day):
This kind of malice shakes our society to its very foundations; it
resembles offering toxic or rotten food in a restaurant, or loosening
bolts at the steering assembly of other people's cars. However, a
certain amount of caution can be expected from the customer's side:
you probably would not go out to a dirty restaurant, and you would ask
everybody (even your friends) what they were doing under your car, if
you caught them working there and hadn't asked them for help. My
recent note meant to establish this sort of common sense for receiving
and running programs, now we all have heard of possible virus
carriers.

> Sometimes even the people writing the software do not understand all of
> it.

Then, they'd better attend a course in structured programming or give
up programming, altogether. But alas, Peter & Hull have shown us that
we will have to live with incompetence in every trade :-)

Nevertheless, best wishes to everybody
Otto

------------------------------

Date: Fri, 16 Dec 88 10:50 EST
From: Don Kazem <[email protected]>
Subject: Brain Virus at Yale (PC)

In reference to the message from Naama Zahavi-Ely about the
Brain Virus, it seems that this is a different version of
the Brain virus than the one I have seen. Since last summer
we have been studying the virus issue and trying to come up
with countermeasures to protect our environment.

A few months ago I did obtain a disk that had been
contaminated with the Brain Virus, and used Norton Utilities
to look at the whole disk; sector by sector.

The message that was embedded in that disk was similar to the
one that Naama had mentioned, but not exactly the same.

I found that if I booted a machine with an infected disk,
and then put a new clean boot disk WITH A WRITE PROTECT
TAB in the same machine and performed a warm boot, the new
disk also became infected. Nothing short of turning the
machine off and then back on was safe enough.

Don Kazem-Zadeh
National Academy of Sciences
[email protected]

------------------------------

Date: Fri, 16 Dec 88 11:44:14 EST
From: Naama Zahavi-Ely <[email protected]>
Subject: Re: Brain virus at Yale (PC)

Hello Virus-l folk,

The following is a note I sent to user support personnel at Yale
following the discovery of a few diskettes infected with the Brain
virus, all belonging to one user. I would appreciate any comment, and
especially any correction! Feel free to plagiarize, anybody who has
the need -- just make sure you check for corrections in the next few
issues of VIRUS-L. I do not claim any extensive knowledge of viruses!

Thanks,
Naama
- -------
Hello everybody!

Three days ago we discovered at Yale several diskettes infected with
the Brain virus. This is NOT an emergency -- we have no reason to
believe that the infection has spread. This virus does not infect hard
disks and certainly does not infect network drives.

How can you tell that a diskette is infected:

1) Boot the computer from a clean DOS diskette or from a hard disk (this is
important!).
2) Use the Norton Utilities, or some other software that lets you look at disk
sectors (like DWALK from PCSOFT), and look at the boot sector. If the disk
is infected, you'll see the following text:

Welcome to the Dungeon © 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE
RECORD v9.0 Dedicated to the dynamic memories of millions of virus who
are no longer with us today - Thank GOODNESS!! BEWARE OF THE er VIRUS
: \this program is catching program follows after these messeges

Note: if you boot from an infected diskette and thus have an infected
system, any attempt to read the boot sector seems to be diverted and
display the correct boot sector (which is kept elsewhere on the
diskette in a sector marked as bad), and you would not be able to see
the above text! So make sure you boot from a clean system.

Infected diskettes also have their volume name set to © Brain,
unless the diskette had some other volume name to begin with.

This variant of Brain seems to create a hidden file on the diskette,
with 0 bytes, and each of the infected diskettes has 3072 bytes in
"bad" sectors.

For all we know, the user may have had infected diskettes for a long
time - we discovered the infection while trying to solve an unrelated
WordPerfect problem. Luckily all our public diskettes are
write-protected.

How to get rid of the virus:

1) Cold-boot the computer from a clean DOS disk with a write-protect tab.
2) Format a new diskette.
3) Copy the files from the infected diskette to the new diskette. Do NOT use
the DISKCOPY command -- use COPY *.* (this virus is a boot sector virus and
will not get copied).
4) Cold-boot the computer again from the clean DOS disk.
5) Re-format the infected diskette. It should now be safe for use.

This virus is a boot-sector virus -- meaning that it infects a
computer's memory (for the session) only if the computer is booted
from an infected diskette. Otherwise, even if the diskettes are
infected, the computer is not and the virus will not spread. If you
always cold-boot from a hard disk or from a clean write-protected
diskette, you are safe from it.

Once a computer's memory is infected (by booting from an infected
diskette), then ANY disk activity with a 5.25" diskette will infect
the diskette -- even a simple DIR command. If your DIR commands
suddenly start taking longer than usual, check your system. Of course,
the virus cannot write past a write-protect tab, so if you use them
you are safe even on other people's systems.

I do NOT think this warrants VIRUS ALARM notices all over the place --
students have other things to worry about this time of the year! The
worst that can happen is that some diskettes will get infected, and
this would mean only that 6 sectors on the diskette would get
overwritten and marked as bad. Even this can easily be avoided with
minimal safe computing habits: always boot from your own
write-protected diskette, and do not share diskettes promiscuously.
If you lend a diskette to somebody else (to copy a file, etc), put a
write-protect tab on it. This is all there is to it!

Please let me know of any sightings, and I'll be happy to answer any
questions I can,

Have a good weekend,
Naama
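
As an added illustration (not part of Naama's note or of the digest), the checks described above can be run against a raw diskette image read on a clean system: marker text in sector 0, the volume label, and the bytes the FAT marks bad. The 360 KB geometry, the function names and the sample image are assumptions constructed for this example.

```python
SECTOR = 512
# Assumed geometry (not stated in the digest): standard 360 KB 5.25" DOS diskette.
SECTORS_PER_CLUSTER, FAT_OFFSET, FAT_BYTES = 2, 1 * SECTOR, 2 * SECTOR
ROOT_OFFSET, ROOT_ENTRIES, DATA_CLUSTERS = 5 * SECTOR, 112, 354
BAD_CLUSTER = 0xFF7  # FAT12 value for a cluster marked bad
# Fragments of the boot-sector text quoted in the digest. "Dungeon" is left out
# because one disk reported in the same issue read "fungeon" instead.
MARKERS = (b"Welcome to the", b"(pvt) Ltd", b"VIRUS")

def fat12_entry(fat, n):
    """12-bit FAT entry for cluster n (two entries are packed into three bytes)."""
    pair = fat[n + n // 2] | (fat[n + n // 2 + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0xFFF

def bad_bytes(image):
    """Bytes in clusters the FAT marks bad (the note reports 3072 per infected disk)."""
    fat = image[FAT_OFFSET:FAT_OFFSET + FAT_BYTES]
    bad = sum(fat12_entry(fat, n) == BAD_CLUSTER for n in range(2, DATA_CLUSTERS + 2))
    return bad * SECTORS_PER_CLUSTER * SECTOR

def volume_label(image):
    """Name field of the first root-directory entry with the volume-label attribute."""
    for off in range(ROOT_OFFSET, ROOT_OFFSET + 32 * ROOT_ENTRIES, 32):
        entry = image[off:off + 32]
        if len(entry) == 32 and entry[0] not in (0x00, 0xE5) and entry[11] & 0x08:
            return entry[:11].strip()
    return b""

def check_image(image):
    """Inspect sector 0, the FAT and the root directory straight from the image."""
    hits = sum(m in image[:SECTOR] for m in MARKERS)
    label = volume_label(image)
    return {"markers": hits, "label": label, "bad_bytes": bad_bytes(image),
            "suspect": hits >= 2 or b"Brain" in label}

def build_sample(infected):
    """Constructed 360 KB image for the demo; it holds text only, no virus code."""
    img, fat = bytearray(720 * SECTOR), bytearray(FAT_BYTES)
    fat[0:3] = b"\xfd\xff\xff"  # media descriptor and reserved entries
    if infected:
        text = b"Welcome to the Dungeon (c) 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0"
        img[16:16 + len(text)] = text
        fat[150:155] = bytes.fromhex("f77ffff70f")  # clusters 100-102 packed as 0xFF7
        img[ROOT_OFFSET:ROOT_OFFSET + 12] = b"(c) Brain  \x08"  # label entry, attribute 0x08
    img[FAT_OFFSET:FAT_OFFSET + FAT_BYTES] = fat
    return bytes(img)

if __name__ == "__main__":
    print(check_image(build_sample(True)))
```

Because the image is parsed offline, the in-memory redirection of boot-sector reads described in the note cannot hide the text from this check.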

------------------------------

Date: Thu, 15 Dec 88 10:45:27 -0800
From: Bob Hudack <[email protected]>
Subject: What does the Brain virus do? (PC)

A student recently brought in a disk contaminated with the Brain
virus. I confiscated the disk, and gave her a clean one in exchange.
I'm hoping that this was an isolated incident, but just in case it
wasn't, I'd like to know what the Brain virus does.

Thanks in advance.

====================================================================
Bob Hudack
Microcomputer Services Group
Computing Facility
University of California, Irvine [email protected]

------------------------------

Resent-From: Naama Zahavi-Ely <[email protected]>
Subject: Brain at U of Vermont (PC) -- forwarded msg from LIAISON list
Date: Fri, 16 Dec 88 11:33:44 EST
From: Anne Chetham-Strode <ACS@UVMVM>

Forwarded from the LISTSERV group, Network Sites Liaison
(LIAISON@MARIST):

We have discovered the Pakistani BRAIN virus on 5 1/4" disks in our
public microcomputer labs. The most recent versions of the DEBRAIN
and NOBRAIN disinfection programs that we have received appear to be
less than completely effective against this particular strain.

We would like to disassemble the virus and write our own software to
sanitize disks. I would appreciate suggestions from readers
about which disassembler to use and where to get it. Also, I would
appreciate hearing from readers who have experience disassembling
viruses. Please respond to me directly, ACS at UVMVM on BITNET.

Thank you,
Anne Chetham-Strode
Microcomputer Systems Analyst
University Computing Services
University of Vermont
Burlington, VT 05405

------------------------------

Date: Fri, 16 Dec 88 13:37:52 EST
Sender: Virus Alert List <[email protected]>
From: Ken van Wyk <[email protected]>
Subject: VIRUS WARNING: Brain virus at Univ. of Vermont (PC)

I just got another report of the Brain virus - this time at the
University of Vermont. Will this thing never die?! Here are the
details:

Date: Fri, 16 Dec 88 11:35:15 EST
From: Steve Cavrak <[email protected]>
Subject: VIRUS WARNING: Brain Virus at Univ. of Vermont (PC)

On December 13th, we discovered a copy of the Brain virus on a
diskette at the University of Vermont. A quick survey of the
various labs at the University (using DEBUG or the Norton utilities)
revealed that the virus had spread to most laboratories --- we've just
finished the fall semester and lab use was at an all time high.

The brain strain found at UVM identifies itself with the following
message in sector 0:

/----------------------------------------------------------------------\

Welcome to the Dungeon
© 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES
.730 NIZAM BLOCK ALLAMA IQBAL TOWN LABORE-PAKISTAN..PHONE
:430791,443248,280530. Beware of this VIRUS......Contact us for
accination.......
<u<end-file-marker> ....

\----------------------------------------------------------------------/

At this point, we've replaced all boot disks in the labs, trained
our consultant staff as well as other lab managers on disinfection
procedures, written a disinfection brochure, and are preparing a
mailing for all PC owners on campus.

We're currently reverse engineering the virus to get a better
handle on its behavior so that when students return in January
we can handle the onslaught. (By the way, do you have a good
disassembler that you can recommend?)

A check of a batch of diskettes with the DEBRAIN program shows that
although the first 3 sectors of BRAIN match expectations, other
sections may be different. Some of our users have MS-DOS 3.2 and
have found that DEBRAIN doesn't correctly recognize the
newer DOS messages.

NOTE: Just as I post this, we've come across one disk with the
BRAIN message reading "Welcome to the fungeon." Now wasn't that
clever of the little beast.

------------------------------

End of VIRUS-L Digest
*********************


 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.