---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: DGX00040    Date: 12/27/96
From: DAVID DESROSIERS                            Time: 10:21pm
\/To: KURT WISMER                                 (Read 3 times)
Subj: Re: Virus infect picture

 -=> Quoting Kurt Wismer to The Visionary <=-

 KW> that depends heavily on how this is achieved... the virus could be
 KW> encoded in such a way as to be in the form of special codes which the
 KW> viewer interprets and executes... a function not required and probably
 KW> not accomplishable for any widely used image standard (you'd need some
 KW> code to mark the interpretive command as being such instead of image data
 KW> and as such there would necessarily have to be some byte or string of
 KW> bytes that can't be used to represent a picture and would thus reduce
 KW> the available output of an image encoding algorithm - which in turn
 KW> would make the pictures bigger)...

 KW> likewise you could simply store the virus in a little packet in the
 KW> image with a preceding code that told the viewer to save the virus to
 KW> a file and execute it...

 KW> of course no viewers have these capabilities regarding special
 KW> interpretive codes so there's little point...

This was assuming that this was with an image viewer. What if your
browser triggered a plugin like Adobe AcroRead, or Pkunzip, or some other
app to which the virus was triggered to execute? I can imagine that this
is going to be pretty common if someone accomplishes it. You would only
have to fake a PkSfx header to trigger Pkunzip to "run" the file, and
bam! you could be infected.

Just a thought...

-The Visionary
 visionary@brazerko.com

... Idealism increases in proportion to the distance from the problem.
--- WtrGate+ 0.93.PRE1 beta sn 116
 * Origin: hacker heaven bbs - #include (1:320/2600)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200000    Date: 12/26/96
From: DYLAN SIDES                                 Time: 08:48pm
\/To: JOHN KISMUL                                 (Read 3 times)
Subj: Macs

Well nail me up and call me Jesus! It's John!
Friday December 20 1996 17:08, John Kismul wrote to Rick Collins:

 JK> OK, but what type are those viruses that get active when you execute a
 JK> command such as DIR A: I know that there are some viruses that work
 JK> like that.

I think you're thinking about file-infector viruses that infect files that
are listed when you type DIR. They can only do this after first being
loaded into memory, however, for which you'd have had to execute an
infected program in the normal way.

That didn't make any sense, did it?

... Assembler Code: PDH: Page to Disk for the Hell of it
~~~ Tag-O-Matic V.11.98f (2712 Taglines) (Quoted 25%) Beta tested by me!
---
 * Origin: -=[t/-/e^]\/[atri><]=- (2:442/103.10)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200001    Date: 12/26/96
From: DYLAN SIDES                                 Time: 08:56pm
\/To: LEWIN EDWARDS                               (Read 3 times)
Subj: Macs

Well nail me up and call me Jesus! It's Lewin!

Wednesday December 18 1996 19:32, Lewin Edwards wrote to Rick Collins:

 LE> The point is, that it is possible to download a Trojan/seeder, and
 LE> simply the act of downloading it, NOT taking ANY direct action to
 LE> launch it, puts the system at risk.

That's no more dangerous than typing 'DELTREE /Y C:\' and then not
pressing return after it..

... Assembler Command: EOB: Execute Operator and Branch
~~~ Tag-O-Matic V.11.98f (2712 Taglines) (Quoted 37%) Beta tested by me!
---
 * Origin: -=[t/-/e^]\/[atri><]=- (2:442/103.10)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200002    Date: 12/29/96
From: DAVID DESROSIERS                            Time: 04:03pm
\/To: DYLAN SIDES                                 (Read 3 times)
Subj: Re: Macs

 -=> Quoting Dylan Sides to Lewin Edwards <=-

 LE> The point is, that it is possible to download a Trojan/seeder, and
 LE> simply the act of downloading it, NOT taking ANY direct action to
 LE> launch it, puts the system at risk.

 DS> That's no more dangerous than typing 'DELTREE /Y C:\' and then not
 DS> pressing return after it..

That's a good explanation. One of the best I've heard so far.
-The Visionary
 visionary@brazerko.com

... DEFINITION: Password- The nonsense word taped to the CRT.
--- WtrGate+ 0.93.PRE1 beta sn 116
 * Origin: hacker heaven bbs - #include (1:320/2600)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200003    Date: 12/29/96
From: DMITRY MOSTOVOY                             Time: 10:50pm
\/To: MICHAEL MUELLER                             (Read 3 times)
Subj: Re: Is ADInf foolable? (was Re: Here aga

Hi Michael!

21 Dec 96, letter Michael Mueller to Alexander Kovneristy:

 MM> When I remember right there was at least one file virus infecting on
 MM> Int 13h calls. IMHO it was an EXE-Header-Virus. So you may spread the
 MM> virus all over with ADInf.

No. It is not true. There are a lot of viruses infecting files or boot
records on the Int 13h level. But ADinf does not go through the Int 13h
chain. It does not process instruction "Int 13h"! While disk scanning
ADinf uses instructions

    pushf
    Call DWORD PTR [Int 13h hardware BIOS entry address]

So no active virus will obtain control and no virus can infect any files
or boot sectors. And of course, no stealth virus can hide itself.

With best regards,
Dmitry Mostovoy

--- GoldED 2.50+
 * Origin: DialogueScience, Moscow; E-mail: dmost@dials.ru (2:5020/69.4)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200004    Date: 12/29/96
From: DMITRY MOSTOVOY                             Time: 10:40pm
\/To: THE VISIONARY                               (Read 3 times)
Subj: Re: Here again!

Hi The!

22 Dec 96, letter The Visionary to Alexander Kovneristy:

 TV> I would have to say that if every .EXE file was engineered to
 TV> CRC itself before execution, there would be no more .EXE infections,
 TV> since that in itself is a fairly solid form of self-checking (although
 TV> can be worked around, but not very easily).

The most simple stealth method is to take int 21h fun. 4bh and to
disinfect the file before execution. Virus code gets control before the
executable file itself, so self-checking will not find any changes. And
at the end of the execution the virus reinfects the file.
It is a very widespread stealth method.

Dmitry Mostovoy

--- GoldED 2.50+
 * Origin: DialogueScience, Moscow; E-mail: dmost@dials.ru (2:5020/69.4)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200005    Date: 12/30/96
From: ROD FEWSTER                                 Time: 07:36pm
\/To: ALL                                         (Read 3 times)
Subj: Echo Rules!

                      -=[ VIRUS_INFO RULES ]=-
                          ~~~~~~~~~~~~~~~~

 o The VIRUS_INFO conference is dedicated to the exchange of information
   about detecting and removing computer viruses,
   methods/software/techniques/etc to recover from virus attacks, new
   virus warnings, etc. Please keep your messages related to the topic
   of the conference.

 o Virus writers are welcome to participate, but bear in mind that this
   is an ANTI-virus conference.

 o Posting/requesting/offering viruses, virus source code, disassemblies,
   etc, will get you barred from the conference!

 o Praising/promoting the writing or spreading of viruses will get you
   barred from the conference!

 o Responding positively to "Where can I download a virus ?", "Where can
   I learn how to write a virus ?", "What's the password to VCL ?", and
   similar obviously PRO-virus messages will get you barred from the
   conference!

 o VIRUS_INFO is a REAL NAMES ONLY conference! Obviously this is
   impossible to police 100%, but use a reasonable facsimile of a human
   name if you want to remain anonymous. BBS aliases and "VX" nicknames
   will NOT be tolerated!

 o Do NOT reply to messages from anyone using an obvious alias!

 o VIRUS_INFO is an ENGLISH LANGUAGE ONLY conference. If you wish to
   converse in a language other than English ... use a LOCAL message
   area.

 o Users must not reply to messages from banned users, or quote messages
   from banned users, or crosspost messages by banned users from other
   conferences. The Banned User List is posted regularly and updated as
   required. Reading it might save you from joining it!

 o All messages must display a valid fidonet address in their origin
   line.

 o Do NOT use fancy "internet style" signatures in this conference ...
   save your artistic talents for the internet!

 o PGP or otherwise encrypted (including uuencoded) messages are NOT
   allowed!

 o PGP Public Key signatures may be used for message authentication, but
   ONLY if the message content warrants positive identification of its
   author.

 o Announcements of anti-virus program releases and updates are welcome,
   but blatant advertising will NOT be tolerated! (Anti-Virus authors and
   their agents should pay particular attention to this rule ... the
   moderator's definition of "blatant advertising" is extremely narrow!)

 o The moderator is the sole arbiter of all disputes arising in
   VIRUS_INFO!

                      -=[ BANNED USER LIST ]=-
                          ~~~~~~~~~~~~~~~~

 DO NOT REPLY TO MESSAGES FROM BANNED USERS, OR QUOTE MESSAGES FROM
 BANNED USERS, OR CROSSPOST MESSAGES BY BANNED USERS FROM OTHER
 CONFERENCES! These actions will result in YOU being barred from posting
 in VIRUS_INFO!

 The current VIRUS_INFO conference blacklist is:

     Username               Banned until:
     ~~~~~~~~               ~~~~~~~~~~~~~
  1. Zvi Netiv              INDEFINITELY!
  2. Dale Beaudoin          INDEFINITELY!
  3. Pablo Barrn            INDEFINITELY!
  4. Joe Sheeran            INDEFINITELY!

 rod fewster
 Moderator - VIRUS_INFO

---
 * Origin: --==[ Secure Antivirus Systems International ]==-- (3:640/886)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200006    Date: 12/30/96
From: ROD FEWSTER                                 Time: 07:55pm
\/To: STEWART BUCKINGHAM                          (Read 3 times)
Subj: VIRUS_INFO Rules!

 >-> This is VIRUS_INFO ... not CENSORED_LANGUAGE.

 > Yep, I know that. Presumably, from your response, off-topic abusive
 > language and personal attacks are acceptable in this echo?

I assume you're complaining about Luther Kolb ? He took off a coupla
weeks ago on a trip around the world, so unless he gets withdrawal
symptoms and logs in from Tibet or wherever he is your sensibilities
won't be offended for the next three or four months.
---
 * Origin: --==[ Secure Antivirus Systems International ]==-- (3:640/886)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200007    Date: 12/27/96
From: KEITH PEER                                  Time: 05:43pm
\/To: ALL                                         (Read 3 times)
Subj: Avp beta releases!

AntiViral Toolkit Pro "beta" releases

  AVPLite 3.0 Beta
  AVP 1.05 for Windows 95 Beta
  AVP 3.0 for Novell Netware Beta

In order to provide our customers with excellent antivirus protection,
detection, and elimination we have pre-released the upcoming versions of
AntiViral Toolkit Pro for world wide testing.

You can download a copy from http://www.command-hq.com

Send any reports to: beta@command-hq.com

Sincerely,
Keith A. Peer

... Central Command Inc. U.S. Distributor for AVP and HS
 * Silver Xpress V4.01 SW12662
--- InterEcho 1.19
 * Origin: PC-Ohio PCBoard * Cleveland, OH * 216-381-3320 (1:157/200)

---------------
FIDO MESSAGE AREA==>
  TOPIC: 171 VIRUS INFO          Ref: E1200008    Date: 12/28/96
From: TODD COPELAND                               Time: 02:23am
\/To: VINCENT WONG                                (Read 3 times)
Subj: Virus infect picture's?

->Is it possible for a virus to spread, infect and distribute itself
->via a graphics file format e.g GIF, JPG, TIF etc...

It could only alter the files, not "infect" them. A virus is nothing
more than an executable program. The files you mentioned are not.

 * OLX 2.1 * Todd Copeland - TEAM OS/2
--- PCBoard (R) v15.3/M 100
 * Origin: <> BBS Tampa, Florida (813) 276-0881 (1:377/188)
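
Added example (not part of any message above, and not code from any poster or product named in the thread): the "Virus infect picture" messages turn on whether a file is really the image its name claims or an executable or self-extracting archive, so this check classifies a file by its leading bytes and reports a mismatch with its extension. The names `sniff` and `audit` and the sample byte strings are constructed for illustration.

```python
import os

# Leading magic bytes for the image formats named in the thread and for
# the executable/archive types a mislabelled file might really be.
MAGIC = [
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"II*\x00", "tiff"), (b"MM\x00*", "tiff"),
    (b"PK\x03\x04", "zip"),      # ZIP local file header
    (b"MZ", "dos-exe"), (b"ZM", "dos-exe"),
]
EXPECTED = {".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".tif": "tiff",
            ".tiff": "tiff", ".zip": "zip", ".exe": "dos-exe"}
ZIP_LOCAL, ZIP_EOCD = b"PK\x03\x04", b"PK\x05\x06"


def sniff(data: bytes) -> str:
    """Return the type implied by the file's bytes, ignoring its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            # An MZ program that also carries ZIP records is a
            # self-extracting archive (the PkSfx case in the thread).
            if kind == "dos-exe" and ZIP_LOCAL in data and ZIP_EOCD in data:
                return "zip-sfx"
            return kind
    return "unknown"


def audit(name: str, data: bytes):
    """Return a warning if extension and content disagree, else None."""
    claimed = EXPECTED.get(os.path.splitext(name.lower())[1])
    actual = sniff(data)
    if claimed is None or claimed == actual:
        return None
    if claimed == "dos-exe" and actual == "zip-sfx":
        return None  # a self-extractor is legitimately an .EXE
    return f"{name}: named as {claimed}, content is {actual}"


# Constructed sample inputs (headers only, no real image or program).
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
SAMPLE_SFX = (b"MZ" + b"\x00" * 62 + ZIP_LOCAL + b"\x00" * 26
              + ZIP_EOCD + b"\x00" * 18)

if __name__ == "__main__":
    for fname, blob in [("tree.gif", SAMPLE_GIF), ("tree.gif", SAMPLE_SFX),
                        ("setup.exe", SAMPLE_SFX)]:
        print(audit(fname, blob) or f"{fname}: ok")
```

A file that passes this check is only confirmed to start like the format it is named for; it says nothing about how a given viewer or helper program will handle the rest of the data.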