From: Kenneth R. van Wyk (The Moderator) Errors-To: LUKEN@IBM1.CC.LEHIGH.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU BCC: VIRUS-L@IBM1.CC.LEHIGH.EDU Subject: VIRUS-L Digest V1 #35 Reply-to: VIRUS-L@IBM1.CC.LEHIGH.EDU --text follows this line-- VIRUS-L Digest Tuesday, 6 Dec 1988 Volume 1 : Issue 35 Today's Topics: FSP; Hardcard problem (PC) Re: Computer Virus Eradication Act of 1988 Did Morris write it all? RE: media (virus) humor vs. disinformation Christma Exec (IBM VM/CMS) BINHEX 4.0 and Stuffit ... URGENT ...!!! making amends Internet report (ASCII version) avail. for anon. FTP --------------------------------------------------------------------------- Date: Tue, 06 Dec 88 15:59:23 +0200 From: Y. Radai Subject: FSP; Hardcard problem (PC) Paul Coen asked for opinions on (1) FluShot+ 1.4 and (2) the inability to access a hard card when booting from a DOS 2.11 floppy. FLU_SHOT+ --------- I have been using FSP (FLU_SHOT+) 1.4 for several weeks. (Previously I used Version 1.2.) The first experiment I tried was to infect an FSP- protected computer with the Israeli virus. FSP prevented the virus from installing itself in RAM and notified me of the attempt. It also warns me of all attempts to format disks. In these two senses the program seems to be quite effective. When I tried to write-protect a file using the P option, I found that it worked well against attempts to write directly to the file, but that there was an easy way of getting around the write protection: create a new file containing the desired information, delete or rename the ori- ginal file, then rename the new file to the original name. Similarly, the read-protection on a given file can be circumvented by renaming the file. The checksum feature is quite fast. However, it is basically insecure since the checksum for any given file is the same for all users. Also, the files which are to be checksummed must be specified individually by the user since wildcard notation is not allowed with the C option. Particularly annoying is the fact that instead of the program recording the checksums automatically, the user is forced to enter each checksum manually into the file containing the filenames, after first running the program with dummy checksums in that file and writing down each "correction" displayed by the program. Finally, there is no provision for "static" checksumming, i.e. you can't ask for checksumming whenever you feel like it (unless you use something like MARK/RELEASE to get rid of the current invocation of the program and then reload it). Another problem which is quite annoying is that although my computer has no CMOS, every now and then, for no apparent reason, I get a mes- sage from FSP saying "CMOS has been changed!". I reply "Y" and the message usually goes away with no apparent ill effects. However, some- times I can't get rid of the message (along with a non-stop buzzing sound and inability to continue working) without re-booting. By the way, although the documentation doesn't mention it, I found that FSP didn't work properly when the value of FILES in the CONFIG.SYS file was 10 or less (the default is 8). A final point is that a program like FSP can be neutralized by a virus or Trojan which looks for it in memory and temporarily diverts inter- rupts hooked by the program until it has finished its dirty work. Another way of circumventing such a program might be to issue commands directly to the h.d. controller, provided it can be determined which controller is being used. Accessing hard disks when booting from diskettes ------------------------------------------------ Paul's question of why one can't access a hard card (or hard disk) when booting from a DOS 2.11 (or 2.xx) diskette has been answered by Wim Bonner. However, it is reasonable to ask whether a hard disk can be made inaccessible even when booting from a DOS 3.xx diskette. The answer is definitely yes, since it's a fact that PC-Lock does that. And I'm fairly certain that the way it does it is by modifying the partition table to make the DOS partition seem non-DOS even to 3.xx, and correcting for this when booting from the hard disk by means of a special device driver. Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: 6 December 1988, 09:42:26 EST From: David M. Chess CHESS at YKTVMV Subject: Re: Computer Virus Eradication Act of 1988 Interesting stuff! Nice that our legislators are thinking about it. A few points: - It really ought to be the "Trojan Horse Eradication Act", since it covers the silly erase-all-files-and-print-"gotcha" programs that infants write and post to BBSs under attractive names, as well as covering (many? most?) spreading-type viruses. - Would it cover the Internet worm? I'm not sure in what sense the author of the worm program "provided" it "to others". Not *human* others, anyway. - Would it cover a virus that spread, but did no intentional damage? For instance, the Mac virus that (was supposed to) just put up a "message of peace" and then delete itself. Rumor says that it did do some unintentional damage if run on the wrong sort of system. This law, though, seems intended only to cover actions analogous to vandalism, rather than those analogous to unlawful entry. DC Watson Research * No one but me has any idea that I'm posting this ------------------------------ Date: Tue, 06 Dec 88 10:57 EST From: "Scott P Leslie" Subject: Did Morris write it all? Hi, This regards the possibility that Morris did not actaully write all (or even any) of the Internet worm. You can't really go by coding style and conten~ in this case. As most programmers know, some parts of your code look great, work well, and have perfect algorithms; however, other parts are hastily done and don't nearly show of your programming ability. Also, Morris supposeedly wasn't finished with the worm program and was just testing it a bit. While the programming style seems to indicate that other people should be investigated to see if they help create the program, it "style" doesn't really mean much. Also, other people could have worked on the project but not been in on the "release" of the worm. What do the lawyers out there say to their liability? . Scott P. Leslie (UNCSPL@UNC) Jax Note: The University of North Carolina does not support my comments! ------------------------------ Date: Tue, 6 Dec 88 09:45 EST From: "$CAROL@OBERLIN (BITNET)" <$CAROL%OCVAXC@OBERLIN.BITNET> Subject: RE: media (virus) humor vs. disinformation Oh, c'mon now...that first cartoon is from the NEW YORKER; I've cut it out and taped it to my office door. If you've seen enough of their other "drawings" (as they like to call them), you know that spoofing Zeitgeist fads is something they especially enjoy doing. In such cases, the very imprecision of a term as used by the masses is part of the humor. | Carol Conti-Entin (216) 775-8290 | $carol@oberlin -or- pconti@oberlin (BITNET) | Academic Computing Consultant | Houck Computing Center | Oberlin College | Oberlin, OH 44074 ------------------------------ Date: Tue, 6 Dec 88 12:53 EST From: Subject: Christma Exec (IBM VM/CMS) The following message came across the Joke-L List today. I don't know if this information has already been posted to this list (I am a recent subscriber) but I thought it might be useful. Happy hunting. Jon Baker {JEB107 at PSUVM) - - The original note follows - - Date: Mon, 5 Dec 88 13:30:02 CST Sender: "Funny Jokes, Funny Stories" From: Paul Heroy Subject: VIRUS WARNING WARNING ABOUT CHRISTMA EXEC!!!!!!! LSU, unfortunately, has been hit by the CHRISTMA EXEC and a few copies sent out by an administrator got loose and.... For those of you who don't know about this nefarious program, it is a benign virus that sends out multiple copies of itself to everyone it can find. It runs only on VM/CMS systems, and accesses NAMES, NOTEBOOK, and NETLOG files in its search for ids/nodes. I may have inadvertently posted this program on the Joke List - my apologies for this and any inconviences caused. If you get a copy of this, purge it. Thanks, Paul Heroy Computer Analyst Louisiana State University ------------------------------ Date: Tue Dec 06 15:13:26 1988 From: Pedro Sepulveda J. Subject: BINHEX 4.0 and Stuffit ... URGENT ...!!! Hi Networkers...! We need Binhex 4.0 and Stuffit... If you have this programs... Send us please... We need it's very urgently...! Thanks a lots... Viral Investigation Group Universidad de Santiago de Chile ------------------------------ Date: Tue, 6 Dec 88 14:41:01 EST From: Jefferson Ogata (me!) Subject: making amends Homer's idea of making amends is all very beautiful, but I think it really belongs in another universe for two important reasons. As I have pointed out before, we live in a punishment-oriented society; it is unfair to arrange amends-making methods for some criminals, while we continue to punish others. The U.S. legal system is not going to change. Another problem is that the amends-making arrangement opens up a great new realm of crime. Scenario: a company researcher discovers some- thing nifty, but holds off on letting anyone know about it. He promptly goes out and commits some large monetary crime, e.g. embezzlement. If he is caught, he now has the collateral he needs to buy back his esteem. In fact, he may bounce back higher than before, and receive useful publicity. To restate a point I made a while back: there's no point in us discus- sing what SHOULD happen to Morris. All we can talk about is what will happen. And it doesn't involve making amends. So forget it. - - Jeff Ogata ------------------------------ Date: Tue, 6 Dec 1988 15:53:21 EST From: Ken van Wyk Subject: Internet report (ASCII version) avail. for anon. FTP The ASCII .DOC version of Gene Spafford's report on the Internet Worm is now available for anonymous FTP from pine.circa.ufl.edu (the same place where the PostScript version of the same file is located). Enjoy, Ken ------------------------------ End of VIRUS-L Digest *********************