051332@UOTTAWA.BITNET (John Turnbull) (03/08/88)
A program called VDU_2_0.PRG has been posted to the FILESERVers at
CANADA01 and UHUPVM1. It is claimed that it will cure the 'Boot sector'
virus and immunize the disk from future infection with this virus.

Does anybody have any information about this virus, its mode of
infection, mechanism, symptoms or how wide-spread it may have become?

Please post replies to the net. Most people will be interested. /JT

John Turnbull,       NetNorth: 051332@uottawa
30 Somerset Ave,     BITNET:   051332@uottawa
Dept. of Biology,    ARPAnet:  051332%uottawa.bitnet@wiscvm.wisc.edu
Univ. of Ottawa,     UUCP:     ...!psuvax1!051332%uottawa.BITNET
Ottawa, Ontario,     JANET:    051332%uottawa@rl.earn
CANADA, K1N 6N5.     ICBM:     45 25' 33'' N 75 39' 05'' W
davidli@umn-cs.cs.umn.edu (Dave Meile) (03/09/88)
In article <8803081650.AA29358@ucbvax.Berkeley.EDU> 051332@UOTTAWA.BITNET (John Turnbull) writes:
>
>A program called VDU_2_0.PRG has been posted to the FILESERVers at
>CANADA01 and UHUPVM1. It is claimed that it will cure the 'Boot sector'
>virus and immunize the disk from future infection with this virus.
>
>Does anybody have any information about this virus, its mode of
>infection, mechanism, symptoms or how wide-spread it may have become?
>

The program is legitimate. There has been a virus located and dissected
in Europe. I first heard about it a month ago, when I got the back
issues of an informational disk called ST NEWS from Richard Karsmakers from
The Netherlands. He was *quite* furious when the virus was discovered.

I haven't personally looked at the program on CANADA01, but I *do* have
all copies of ST NEWS relative to the virus, its detection and quashing.
If you'd like to see a copy of ST NEWS and read about the whole thing
yourself, you can send me a disk and return postage (or two disks for the
last two issues). I wrote to ST NEWS and now I [and our local user group,
MAST] will be distributing the disk in the U.S.

I can't write much more about the subject, since I haven't paid all that
much attention till mid-February. The 'details' are on the disk. The VDU
program was, I believe, written in GFA BASIC.

If you want to see the issues discussing the virus, send a disk (or two)
and enough postage to get them back to you to:

    Dave Meile
    Box 13038
    Minneapolis, MN 55414

Future (and back) issues will be handled via MAST. Look for an announcement.

-- Dave Meile
rjung@sal23.usc.edu (Robert Jung) (03/10/88)
In article <8803081650.AA29358@ucbvax.Berkeley.EDU> 051332@UOTTAWA.BITNET (John Turnbull) writes:
>A program called VDU_2_0.PRG has been posted to the FILESERVers at
>CANADA01 and UHUPVM1. It is claimed that it will cure the 'Boot sector'
>virus and immunize the disk from future infection with this virus.
>
>Does anybody have any information about this virus, its mode of
>infection, mechanism, symptoms or how wide-spread it may have become?
>
>Please post replies to the net. Most people will be interested. /JT

Yes, this is interesting, especially since I find it hard for a virus to
proliferate on a microcomputer (since it gets coldstarted quite often,
relative to mainframes, where these things are easy). I'm also interested
in what this virus does.

Rumor mill in the L.A. area has it that there are at least two viruses
running around, but I can't confirm (supposedly one is from Germany, and
ST-Express has a program to "find" it). There is also a utility program and
a desk accessory that's supposed to "check" your disks for the virus.
Whether or not they really work is another matter.

A local ST programmer here says that he's dissected the code, and while he
doesn't know exactly what it does (either that, or he's not telling me), it
"modifies the disk I/O buffers in some manner"... Sounds like bad news to me.

Any virus information would be handy. Just what DOES this thing do, anyway?

--R.J., sharing information B-)

P.S. Has anyone else heard the rumor that (one of) the Amiga virus programs
is designed to cause "a massive worldwide screw-up" on some prespecified
date?

______________________________________________________________________________
Bitnet: rjung@castor.usc.edu          "Who needs an Amiga?"
Power WithOUT the Price
Just because it's 8-bits doesn't make it obsolete.
rjung@sal23.usc.edu (Robert Jung) (03/10/88)
In article <4235@umn-cs.cs.umn.edu> davidli@umn-cs.UUCP (Dave Meile) writes:
>In article <8803081650.AA29358@ucbvax.Berkeley.EDU> 051332@UOTTAWA.BITNET (John Turnbull) writes:
>>Does anybody have any information about this virus, its mode of
>>infection, mechanism, symptoms or how wide-spread it may have become?
>
>The program is legitimate. There has been a virus located and dissected
>in Europe. I first heard about it a month ago, when I got the back
>issues of an informational disk called ST NEWS from Richard Karsmakers from
>The Netherlands. He was *quite* furious when the virus was discovered.

Can you post a short summary of what is the purpose of the virus (ie, what
was it supposed to do)? There's been a lot of (now confirmed) talks about
the ST virus, but no one I've met can tell me just what it does.

--R.J. B-)

What kind of a twisted mind would write such a thing?

______________________________________________________________________________
Bitnet: rjung@castor.usc.edu          "Who needs an Amiga?"
Power WithOUT the Price
Just because it's 8-bits doesn't make it obsolete.
mpsimon@phoenix.Princeton.EDU (M. Patrick Simon) (03/10/88)
In article <8803081650.AA29358@ucbvax.Berkeley.EDU> 051332@UOTTAWA.BITNET (John Turnbull) writes:
>
>A program called VDU_2_0.PRG has been posted to the FILESERVers at
>CANADA01 and UHUPVM1. It is claimed that it will cure the 'Boot sector'
>virus and immunize the disk from future infection with this virus.
>
>Does anybody have any information about this virus, its mode of
>infection, mechanism, symptoms or how wide-spread it may have become?
>
>Please post replies to the net. Most people will be interested. /JT
>
>John Turnbull, NetNorth: 051332@uottawa

The magazine ST Applications warned of a virus being spread around via
"disks from W. Germany". They did not give any information on how the
virus is spreading (ie part of a larger program?), but the disk for this
issue is supposed to have a virus detecting program on it. No info as to
exactly what damage the virus is capable of doing either.

--Patrick Simon
mpsimon@phoenix.princeton.edu
3/9/88
unpowell@csvax.liv.ac.uk (03/16/88)
In article <8803081650.AA29358@ucbvax.Berkeley.EDU> 051332@UOTTAWA.BITNET (John Turnbull) writes:
>
>A program called VDU_2_0.PRG has been posted to the FILESERVers at
>CANADA01 and UHUPVM1. It is claimed that it will cure the 'Boot sector'
>virus and immunize the disk from future infection with this virus.
>
>Does anybody have any information about this virus, its mode of
>infection, mechanism, symptoms or how wide-spread it may have become?
>
>Please post replies to the net. Most people will be interested. /JT
>
>John Turnbull, NetNorth: 051332@uottawa

I've seen an ST virus, I don't know if we're all talking about one or many
viruses here. The way it worked was by altering the MEDIACH vector (I
think), location $472, to point to itself. Then whenever a disk is swapped,
and TOS calls the media change handler, the virus is executed. The virus
then calls the normal media change handler (and the BIOS parameter block is
read from the disk), the virus then wrote itself onto the new disk.

The virus did do a little bit of checking on the newly inserted disk before
it read itself in. If the new disk already had a virus on it with a higher
generation number (yes it keeps a count of how many times it has reproduced)
it would read this new version into memory and make it the "resident" virus.

It also did some other checks on the boot sector of the new disk, which I'm
not quite sure about. It seemed to be checking the boot sector for a
particular program and if it found it, it would execute it. I'm not sure,
but it could be waiting for a second virus to come along which would maybe
cause it to become malicious....

********************************************************************************
"...there's no success    JANET unpowell@uk.ac.lis.csvax
 like failure and         UUCP  {backbone}!mcvax!ukc!mupsy!lis-cs!unpowell
 failure's no success     ARPA  unpowell%csvax.lis.ac.uk@nss.cs.ucl.ac.uk
 at all..." B.Dylan
********************************************************************************
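
Added example, not part of the thread and not code from any poster or from VDU: a defender's check for the kind of boot-sector code described above. It relies on one fact the thread does not state, namely that TOS executes a floppy boot sector only when its 256 big-endian 16-bit words sum to $1234; the function names are hypothetical and the sample sectors are constructed.

```python
import struct

SECTOR_SIZE = 512
EXEC_MAGIC = 0x1234  # TOS executes a boot sector whose word sum equals this


def word_sum(sector: bytes) -> int:
    """Sum the sector as 256 big-endian 16-bit words, modulo 0x10000."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector: bytes) -> bool:
    """True if TOS would run this boot sector at boot time."""
    return word_sum(sector) == EXEC_MAGIC


def make_non_executable(sector: bytes) -> bytes:
    """Return a copy that TOS will not execute; only the last word changes,
    so the BIOS parameter block near the start of the sector is untouched."""
    if not is_executable(sector):
        return bytes(sector)
    (last,) = struct.unpack(">H", sector[-2:])
    return sector[:-2] + struct.pack(">H", (last + 1) & 0xFFFF)


def constructed_sector(executable: bool) -> bytes:
    """Constructed sample data (hypothetical helper), not a real disk or virus."""
    body = bytearray(SECTOR_SIZE)
    body[0:2] = b"\x60\x1c"        # 68000 BRA.S opcode at the start of the sector
    body[0x0B:0x0D] = b"\x00\x02"  # BPB bytes-per-sector = 512, little-endian
    if executable:
        partial = sum(struct.unpack(">255H", bytes(body[:-2]))) & 0xFFFF
        body[-2:] = struct.pack(">H", (EXEC_MAGIC - partial) & 0xFFFF)
    return bytes(body)


def scan(boot_sectors: dict) -> list:
    """Return the names of images whose boot sector is executable."""
    return sorted(n for n, s in boot_sectors.items() if is_executable(s))


if __name__ == "__main__":
    samples = {"data.st": constructed_sector(False),
               "boot.st": constructed_sector(True)}
    for name in scan(samples):
        fixed = make_non_executable(samples[name])
        print(f"{name}: executable boot sector, sum after fix "
              f"{word_sum(fixed):#06x}")
```

An executable boot sector is not proof of infection, since some legitimate disks boot this way; on a plain data disk it is the thing to inspect before the disk is used again.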