davidf@CS.HW.AC.UK (David.J.Ferbrache) (07/26/89)
Having just finished an update on the list of known IBM and MAC viruses I have come across a few reported viruses which no/few details seem to be available on. These are:

IBM PC Boot sector

  Nichols virus    both are incorporated in the 0.29 viruscan test
  2730 virus       strings, but have not been reported in full

IBM PC Link viruses

  Screen           characteristic lengths and identifying signatures
  Dbase            are currently unknown for these two viruses covered
                   in Ross's article in the June edition of byte
  Agiplan          So far no-one seems to have a sample of this virus
                   available, also no signatures have been provided
  Mistake          Again no signatures available

I would also be interested in characteristic lengths and signature byte sequences for a number of the Homebase variants described in Jim Goodwin's list.

On a further point a remarkable similarity has been established between the Saratoga and Icelandic (variant 1) virus code. This similarity is reflected in the code sequences used by Viruscan 0.29. The question raised by this observation is which came first, the Saratoga virus detected in California or the Icelandic virus. With the recent report of a second strain of the Icelandic virus which bypasses Interrupt table dos call monitoring methods it seems that the virus is under active development by a hacker in Iceland.

Finally, I will be forwarding three notes from Joe Hirst in the next few days concerning the Ashar variant of Brain, Saratoga virus and his views on the foundation of national research centres. I will establish a temporary mail account <bcvrc@cs.hw.ac.uk> for his centre and will relay any correspondence received.
------------------------------------------------------------------------------
Dave Ferbrache             Internet  <davidf@cs.hw.ac.uk>
Dept of computer science   Janet     <davidf@uk.ac.hw.cs>
Heriot-Watt University     UUCP      ..!mcvax!hwcs!davidf
79 Grassmarket             Telephone +44 31-225-6465 ext 553
Edinburgh, United Kingdom  Facsimile +44 31-220-4277
EH1 2HJ                    BIX/CIX   dferbrache
------------------------------------------------------------------------------
kelly@uts.amdahl.com (Kelly Goen) (07/28/89)
I am passing the following message on for John McAfee of the HomeBase BBS:

There has been some confusion about the Bantam Book's "DOS Power Tools" diskettes, and the recent Wayne State newsletter advising purchasers of the book not to use the diskettes has obviously concerned the editors at Bantam - and the warning is unwarranted.

I was originally contacted by Robert Dimsdale of the NSA in April of this year, reporting an unusual virus. He reported that he 'believed' the infection came into the shop through the Bantam book. Subsequent reports from two separate organizations also indicated the 'possibility' of infection from the book. The reports were placed on the HomeBase board as routine notes for the HomeBase researchers tracing down the Missouri virus.

I contacted Bantam Books to report the possible occurrences, and their research at that time indicated that the reported infections were caused by agents other than the book. I concurred. The original Dimsdale diskette was destroyed before it could be analyzed, and the hard disk was low level reformatted. Both other reports yielded no analyzable sample.

I have spoken twice with Steve Guty of Bantam today, and he tells me that Bantam has sold over 200,000 copies of the book and accompanying diskette. With this number of copies in circulation, it is entirely reasonable to expect multiple occurrences of pre-existing infection in a system which activate on or about the time that the Power Tools diskette is installed. The user might then equate the virus activation with installation of the diskette, even though the virus may have been in the system for weeks or months prior to the installation of the Power Tools diskette. This happens hundreds of times each month with other software packages. Rarely, in these cases, has the virus involved actually been introduced with the diskette that was suspected by the system user.
Given the wide circulation of the Bantam book, it is highly unlikely that it could contain a virus without overwhelming numbers of infection occurrences being reported. Also, sample copies of the book purchased around the country by researchers have shown no indication of infection. The Wayne State newsletter recommendation, in my opinion, should be ignored. The Bantam Book software appears as safe as any vendor supplied software.

Disclaimer: Neither Amdahl Corp, Onsite Consulting nor CSS Inc. have any comment on the above data, nor is any claim or warranty made, given, expressed or implied as to the accuracy or content of the above data. The e-mail was passed as a courtesy to Interpath and as a Public Service Message to clear misconceptions the net may have had about the above subject matter.