[comp.virus] Less well known viruses?

davidf@CS.HW.AC.UK (David.J.Ferbrache) (07/26/89)

Having just finished an update on the list of known IBM and MAC viruses
I have come across a few reported viruses which no/few details seem
to be available on. These are:

IBM PC Boot sector
  Nichols virus      both are incorporated in the 0.29 viruscan test
  2730 virus         strings, but have not been reported in full
IBM PC Link viruses
  Screen             characteristic lengths and identifying signatures
  Dbase              are currently unknown for these two viruses covered
                     in Ross's article in the June edition of Byte
  Agiplan            So far no-one seems to have a sample of this virus
                     available, also no signatures have been provided
  Mistake            Again no signatures available

I would also be interested in characteristic lengths and signature byte
sequences for a number of the Homebase variants described in Jim Goodwin's
list.

On a further point a remarkable similarity has been established between
the Saratoga and Icelandic (variant 1) virus code. This similarity is
reflected in the code sequences used by Viruscan 0.29. The question
raised by this observation is which came first, the Saratoga virus detected
in California or the Icelandic virus. With the recent report of a
second strain of the Icelandic virus which bypasses Interrupt table
DOS call monitoring methods it seems that the virus is under active development
by a hacker in Iceland.

Finally, I will be forwarding three notes from Joe Hirst in the next
few days concerning the Ashar variant of Brain, Saratoga virus and
his views on the foundation of national research centres. I will establish
a temporary mail account <bcvrc@cs.hw.ac.uk> for his centre and will relay
any correspondence received.


------------------------------------------------------------------------------
Dave Ferbrache                            Internet   <davidf@cs.hw.ac.uk>
Dept of computer science                  Janet      <davidf@uk.ac.hw.cs>
Heriot-Watt University                    UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom                 Facsimile  +44 31-220-4277
EH1 2HJ                                   BIX/CIX    dferbrache
------------------------------------------------------------------------------

kelly@uts.amdahl.com (Kelly Goen) (07/28/89)

I am passing the following message on for John McAfee of the HomeBase BBS:

	There has been some confusion about the Bantam Book's "DOS
Power Tools" diskettes, and the recent Wayne State newsletter
advising purchasers of the book not to use the diskettes has
obviously concerned the editors at Bantam - and the warning is
unwarranted.
	I was originally contacted by Robert Dimsdale of the NSA in
April of this year, reporting an unusual virus.  He reported that
he 'believed' the infection came into the shop through the Bantam
book.  Subsequent reports from two separate organizations also
indicated the 'possibility' of infection from the book.  The
reports were placed on the HomeBase board as routine notes for the
HomeBase researchers tracing down the Missouri virus.  I contacted
Bantam Books to report the possible occurrences, and their research
at that time indicated that the reported infections were caused by
agents other than the book.  I concurred.  The original Dimsdale
diskette was destroyed before it could be analyzed, and the hard
disk was low level reformatted.  Both other reports yielded no
analyzable sample.
	I have spoken twice with Steve Guty of Bantam today, and he
tells me that Bantam has sold over 200,000 copies of the book and
accompanying diskette.  With this number of copies in circulation,
it is entirely reasonable to expect multiple occurrences of pre-
existing infection in a system which activate on or about the time
that the Power Tools diskette is installed.  The user might then
equate the virus activation with installation of the diskette, even
though the virus may have been in the system for weeks or months
prior to the installation of the Power Tools diskette.  This
happens hundreds of times each month with other software packages.
Rarely, in these cases, has the virus involved actually been
introduced with the diskette that was suspected by the system user.
	Given the wide circulation of the Bantam book, it is highly
unlikely that it could contain a virus without overwhelming numbers of
infection occurrences being reported.  Also, sample copies of the book
purchased around the country by researchers have shown no indication
of infection.  The Wayne State newsletter recommendation, in my
opinion, should be ignored.  The Bantam Book software appears as safe
as any vendor supplied software.

Disclaimer: Neither Amdahl Corp, Onsite Consulting nor CSS Inc.
            have any comment on the above data, nor is any claim
            or warranty made, given, expressed or implied as to
            the accuracy or content of the above data. The e-mail was
            passed as a courtesy to Interpath and as a Public
            Service Message to clear misconceptions the net may
            have had about the above subject matter.