krvw@SEI.CMU.EDU (The Moderator Kenneth R. van Wyk) (08/11/89)
VIRUS-L Digest Friday, 11 Aug 1989 Volume 2 : Issue 173 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: LaserWriter (Mac) Re: DataCrime II - tiny clarification (PC) Re: Memory Resident ViruScan (PC) DATACRIME-2 (PC) --------------------------------------------------------------------------- Date: Thu, 10 Aug 89 09:13:59 -0400 From: Tom Coradeschi <tcora@PICA.ARMY.MIL> Subject: Re: LaserWriter (Mac) >Is there such a thing as a LaserWriter virus on an AppleTalk net? We >printed out a directory listing from a MacII hooked to a net and on >two of the pages got these large black lock-like looking things in the >middle of the page. The funny thing is, they were different sizes, >one was big, one was small. If the lock looking things were next to files or folders, (assuming you sorted the directory by name, type, size or date, of course) that means that the files they were adjacent to are locked. Select those files under the Finder and to a "Get Info..." (CMD-I), and you should see the locked file checkbox marked. If the locks _aren't_ next to any files... you got me swingin'. tom c Electromagnetic Armament Technology Branch US Army Armament Research, Development and Engineering Center Picatinny Arsenal, NJ 07806-5000 ARPA: tcora@pica.army.mil UUCP: ...!{uunet,rutgers}!pica.army.mil!tcora BITNET: Tcora@DACTH01.BITNET ------------------------------ Date: 10 Aug 89 20:52:18 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: DataCrime II - tiny clarification (PC) The comments about the cache usage on datacrime2 is somewhat fallacious... while there is most certainly the 6 byte instruction on board the chip and its status is relayed via signal pins to external devices... that is not the reason why CV and debug lose control during the jmp to loc 124(1 byte into a multibyte instruction...the actual reason is that while tracing under cv a set of internal simulation registers are continually utilized, the jump into the middle of an instruction causes them to lose synchronization with the program running...these simulation registers are what allow the debugger to disassemble code correctly... TurboDebug's ability to merely handle the the situation without error merely means that more robust code is executing than codeview...(I have the latest for both and have tested both) datacrime2 code was more unique than most viruses in this regard but hardly very sophisticated... cheers kelly p.s. before suspecting true skulduggery exmine the tool for fallacious results!! disclaimer I do not represent Amdahl Corp...or Onsite consulting I represent me(myself only) ------------------------------ Date: Thu, 10 Aug 89 09:14:56 -0400 From: bnr-vpa!bnr-fos!bnr-public!mlord@gpu.utcs.toronto.edu (Mark Lord) Subject: Re: Memory Resident ViruScan (PC) Would you consider perhaps someday posting VIRUSCAN to comp.binaries.ibm.pc ? I know I would love to have a copy, and there are probably thousands of other interested onlookers as well. I know there are archive sites, but that doesn't help those of us who lack BITNET and FTP access. Cheers, - -Mark ------------------------------ Date: Thu, 10 Aug 89 22:20:31 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: DATACRIME-2 (PC) I just caught David Chess's posting about the Datacrime-2 virus. He's absolutely correct about the ease in bypassing the virus's de-garbling code. Not that I had a chance to find out for myself. As I was psyching myself up to the disassembly challenge, John McAfee sent me two very good and well commented disassemblies, one of which, I believe, was from David Chess himself. It's not very satisfying to settle for someone else's disassembly, no matter how well done, but it's even harder to do your own when at least two are in front of your face. Which leads me to a question. Why do three or four dozen people (at least) disassemble every new virus that pops up? I'm not complaining in the least. Just wondering if some of us are redundant. Should we maybe draw straws to see who gets to do the next one, and the rest of us go see a movie or something instead? I don't know. But back to the Datacrime-2. Even though, as I was shown, you can set a breakpoint at 124H, it is still unnerving not to be able to single step a virus. I like to take my time - do one instruction and contemplate it. Savor the meaning of a single branch instruction; the simplicity of an XOR; the power of a multiply. To be forced to submit to the brutal pace of two to three hundred operations per millisecond - - even for a short loop - is not my idea of a good time. And as to Dave's comment about adding 90 seconds to his disassembly time, he can only speak for himself. When MY debugger kicked out to DOS, I spent at least a half hour trying to figure out which virus had infected my debugger, and how could I have been so stupid as to let it happen. I spent the next half hour complaining about the bug in Codeview, and the half hour after that I watched a 1963 Andy Griffith Show on television to try and calm down. So I'm not so sure the virus designer was just showing off. He/she/it nearly off'd one of us. Alan Roberts ------------------------------ End of VIRUS-L Digest *********************