V.I.R.U.S. Weekly - December 10, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and newsletter is prepared by the Vancouver Institute for Research into User Security. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

Other columns this week:

Table of Contents:

 1 McAfee 109 (MS-DOS)
 2 Red Alert! (MS-DOS)
 3 1984 (MS-DOS)
 4 Call for the BOMBSQAD
 5 How much for just Stoned?
 6 Get well
 7 YAEMA in Italian
 8 Steady on, there, Rock ...
 9 Caveat Emptor
10 Stop! You're both right!
11 Project XVIRA
12 News from the Southern Hemisphere
13 Safe Hex? Not in the USA
14 Getting information
15 "Survivor's Guide to Computer Viruses"

NEW ANTIVIRALS

McAfee 109 (MS-DOS)

The 109 version of the SCAN suite has been released. Unfortunately, there was an almost immediate report of a trojan/infected 109 version (see "1984" this issue). Please check your source.

Red Alert! (MS-DOS)

A new heuristic scanner is said to be able to detect trojans, viral programs and ANSI bombs without signature files. The announcement by Matthew Probert states that a shareware version is available in the USA, and implies a commercial version overseas.

NEW VIRAL PROGRAMS

1984 (MS-DOS)

The trojanized/infected version of SCAN 109 (see this issue) is reported to have been contaminated by the 1984 virus. This code is reported as a multipartite virus and it is said that SCAN 109 will not detect it. A report from Australia says it is "sneaky" and "deadly", but gives no details.

GOSSIP

Call for the BOMBSQAD

More information on the case between MJL Design and Forecast Installations. The software entity reported by the New York Times as a virus, and by various experts (including, I'm sorry to say, yours truly) as a logic bomb, may have been nothing more than a simple program lock. This is what is being claimed by MJL Design.
Forecast Installations had an MJL technician arrested "on spec", as it were. The code, whatever it was, never did activate.

How much for just Stoned?

InformationWeek for November 29, 1993, has an article on the increasing number of insurance companies willing to write policies "covering" computer crime. One of the risks listed is for a computer virus attack. The minimum deductible listed for such an attack is $10,000. Using Peter Tippett's reported figures, this would work out to an infection of a minimum of 50 machines. Of course, that figure covers only disinfection. The article is not clear as to how such damage would be calculated.

Get well

Lee Jackson, author of the Hack Report and moderator of the Fidonet WARNINGS echo, had to postpone the October Hack Report due to poor health, and is now reported sick again. (In his absence, WARNINGS has spawned a rather pointless argument about the source of AIDS.)

YAEMA in Italian

The-media-aren't-taking-this-seriously-dept.: Roberto Reymond reports an Italian informatics magazine whose November issue carries an "article" which cites MtE and Tremor as deadly new menaces, and basically advertises McAfee (one "expert" consulted is the local McAfee agent) and insurance (the other "expert" is an insurance agent). (See article this issue on the rise of computer crime insurance.)

Steady on, there, Rock ...

Rock Steady, supposedly founder of the original NuKE vx group and inspiration for the second one, is taking advantage of the confusion over moderators on the Fidonet VIRUS echo to post all kinds of messages. In a recent one, he condescends to bless a questioning reader with his knowledge of the Internet and ftp. In the process, he demonstrates that he has no idea of the difference between communications protocols and high speed modems ...

Caveat Emptor

We are seeing ever increasing reports of infected computers through commercial channels that some find hard to believe.
Computer retailers are selling machines that are infected "from the shop". Rental agencies are renting machines with virus infections in place and active. Computer repair shops are infecting large numbers of computers going in for repairs and service. Please note: virus research is a very esoteric field. Just because someone knows how to put computers together, does not mean they know about viral programs or protection.

Stop! You're both right!

A popular pastime on the virus related nets, of course, is "what is your favourite antiviral?" A recent round in Fidonet generated an amusing set of postings with one person championing F-Prot and another stating that V-Alert was better. V-Alert couldn't be that much better than F-Prot: V-Alert *uses* F-Prot. Get yer facts straight *before* you post ...

Project XVIRA

Bangkok Security Associates are coming under some heavy criticism recently after several years of being largely ignored in North America. Posters associated with vx groups recently accused them of releasing a virus generator called Project XVIRA. The program may be real, of course, but with a name like that I'd suspect it was an antiviral.

News from the Southern Hemisphere

A report of a survey taken in Buenos Aires was posted on VIRUS-L/comp.virus. Unsurprising, but somewhat depressing, was the fact that aside from SCAN, which is having its problems, the top three antivirals used were long on promotion and short on substance. The top virus was Michelangelo, followed closely by Stoned, then Number of the Beast (aka 512), Jerusalem and Ping Pong.

Safe Hex? Not in the USA

The two "Regional Virus Centers" in the US for Safe Hex International have "retired". The two coordinators have found the task to be too time consuming. "Subscriptions" to "THE NEW SUPERKILLERS" will continue to be honoured until they expire, but no new subscriptions will be accepted.

==============
Vancouver      ROBERTS@decus.ca    | "90% of infections
Institute for  Robert_Slade@sfu.ca |  are Stoned."
Research into  rslade@cue.bc.ca    |
User           p1@CyberStore.ca    | - the viral corollary
Security       Canada V7K 2G6      |   to Sturgeon's Law