From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V3 #154
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Wednesday,  5 Sep 1990    Volume 3 : Issue 154

Today's Topics:

UK virus centre proposal
Re: Antivirus viruses
Re: 1701/help (PC)
virus analogy
Re: Mysterious Message (PC)
Brunnstein's virus list
EEPROM BIOS (PC)
Anti-virus viruses
Re: Listing of Indonesian Viruses
re: mysterious message
MacIntosh virus

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Tue, 04 Sep 90 15:57:13 +0100
From:    David.J.Ferbrache <davidf@uk.ac.hw.cs>
Subject: UK virus centre proposal

Just a quick note to say that I am intending to submit a proposal under
the UK Department of Trade and Industry Advanced technology program to
establish a UK centre for virus research.

The proposal encompasses a range of problems related to computer
viruses, including:

  o Provision of a central UK monitoring and reporting location
    to which industry, commerce and academia can report new viruses
    and seek general advice on anti-virus procedures and software

  o Provision of a bulletin service (possibly by electronic as well as
    conventional means) warning of new strains that have been detected,
    and the likely activation dates for existing strains

  o Service to the research community such as work on disassembling
    new strains, tracking developments in camouflage techniques, assessment
    of vulnerability of new OS and software environments to viral attack.

  o Liaison with commercial organisations and government organisations
    working in the field, including the provision of a point of contact for
    foreign agencies.

The centre would also attempt to raise the level of awareness of the
virus problem through seminars, conferences and other means. It is
likely that the brief would also include acting as a reporting and
co-ordination centre for worms active on wide area networks.

The proposal will be for 3 years funding centred at two Universities
in Lowland Scotland (Stirling and Heriot-Watt). At this stage I am
interested in compiling a list of organisations who would be
interested in the establishment of such a centre, and would co-operate
in the exchange of information with the centre.

A meeting is scheduled for September 11th with the DTI, thus an early
response would be appreciated.

------------------------------------------------------------------------------
Dave Ferbrache                            Internet   <davidf@cs.hw.ac.uk>
Dept of computer science                  Janet      <davidf@uk.ac.hw.cs>
Heriot-Watt University                    UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone  +44 31-225-6465 ext 538
Edinburgh, United Kingdom                 Facsimile  +44 31-220-4277
EH1 2HJ
------------------------------------------------------------------------------

------------------------------

Date:    04 Sep 90 15:40:58 +0000
From:    francis@cis.ohio-state.edu (RD Francis)
Subject: Re: Antivirus viruses

elw@netxcom.DHL.COM (Edwin Wiles) writes:
>	1) An Anti-virus virus COULD cause damage by infecting a boot
>	   block or other file and damaging it in the process by ignorance
>	   of special conditions.

This is certainly a cause for concern to me.  As a Macintosh user and
system administrator, I am reasonably well acquainted with the various
Macintosh viruses.  It is my understanding that, as far as anyone can
determine, every Mac virus has caused problems not by design, but
rather through bugs which led to problems with specific applications,
or the system in general (which is not to say no Mac virus has ever
been written with malicious intent; simply that said intent has been
on a much smaller scale than the actual effects of the virus might
indicate).  
--
R David Francis francis@cis.ohio-state.edu

------------------------------

Date:    Tue, 04 Sep 90 11:40:02 -0400
From:    Arthur Gutowski <AGUTOWS@WAYNEST1.BITNET>
Subject: Re: 1701/help (PC)

Well, from the gist of the discussion so far, it appears I was wrong
about the *exact* cause of a 1701 error.  But, the problem is still of
a hardware nature, and not logical or virus related.  In this case, a
track 0 backup wouldn't do any good.

If it's a controller or wiring problem, as some have suggested, then
the drive is still ok, and no need to restore anything.  The reason I
suggested a physical drive error is because I know someone who had the
misfortune of a 1701 error.  My recollection of the account was a
physical drive error.  My apologies, I should have looked it up first.

>Date:     Fri, 31 Aug 90 16:19:48 EDT
>From:     Bruce Burrell <USERW6BL@UMICHUM.BITNET>
>
>   In V3#151 of VIRUS-L, you state that a 1701 error indicates damage to
>hard disk sector zero.  Not so.  It indicates a fixed disk POST error.
>This is documented in the IBM Hardware Service Manual.
>   The error can indicate a bad hard disk, of course, but it is much more
>likely to be indicative of non-fatal problems, i.e. usually the data
>can be retrieved, and in most of those cases (in my experience) the disk
>is still useable.

In any case, a virus this is not.

/art

------------------------------

Date:    Tue, 04 Sep 90 12:11:21 -0400
From:    AZX@NIHCU.BITNET
Subject: virus analogy

> <FXJWK@ALASKA.BITNET>
>Perhaps I'm contributing to this "beating the dead horse"; can we hear
>from some of the fence-sitters out there?  Has anyone's mind been
>changed during these discussions?

O.K.
Anti-Virus Virus:

1) Morality
   I have no moral stand on this.  If the earnest goal is to improve
the computing community then an anti-virus virus may be a good idea.
I have read a lot of attempts to compare human vaccine methods with
anti-virus viruses.  The analogy between biological and human viruses
is another point of hot debate on VIRUS-L. Let's hit that issue first.
   An analogy need not be perfect, it should, however, be useful.  The
biological/computer virus analogy is useful.  For example, in
searching for a moral stance on anti-virus viruses several people here
have talked about the Salk and Sabin vaccines.  Sadly, there has been
much misinformation.  The good news is that the issue is being
corrected by some better informed writers.  It happens that the polio
vaccines are not a good example for spreading protection without
informed consent.  I appeal to the medical community to give us a
better example.  Maybe a bioethics person can help.  In the case of
disease I suspect the good of the community comes first.
  There are other very useful aspects to the hydrocarbon/silicon virus
analogy.  The analogy works because now we can use words like:
infection, spread, and replication, rather than having to invent new
terminology.  The analogy must, and does, fail at times.  Yet a
certain amount of flexibility in our interpretations can be quite
useful.  For example, while it is true that the computer has no
inherent immune system, the operating system itself has certain
properties of 'resistance' to infection.  The introduction of programs
like SCAN can be viewed as evolutionary steps in the creation of an
immune system.  The signature search of the antivirus programs is
remarkably similar to certain functions of the mammalian immune
system.  Thus the organism is not the computer itself, but the
computer, operating system, additional software, computer operator,
and programmers who distribute the software.  The computer is just the
site of the infection.
  To finish the morality issue.  It must first be possible to create
an antivirus virus that is a significant benefit to the (computer)
society without unacceptable damage to either computers or civil
rights.

2) Reality
  I especially like the discussions on the difficulties and risks of
producing a 'good' virus.  Many of the opinions expressed come from
people who have already made up their minds on the whole issue, but
the comments themselves warrant merit.  We need to first agree that
risks can never be zero, then try to decide what the minimum
acceptable risk is.  If the risk is far below the risk of getting an
'evil' virus, and the risk of damage is far below that of 'evil'
viruses, then there may be some justification for thinking a safe and
effective 'good' virus is possible.  How about this: What if all the
standard antivirus software was set up to identify this 'good' virus,
with a standard method of detection and removal?  Then only those
(foolish) people who do not use detection programs will become
infected.
  Unexpected interactions between 'evil' and 'good' viruses are an
important consideration.  Also, the danger that a 'good' virus
acting on unusual systems in a bad way could cause damage, is food for
thought.  There have been many other valuable comments on VIRUS-L.

3) Utility/Necessity
  If a virus outbreak is out of control because there are too many
casual users who are infected, then an antivirus virus specific for
that virus may become a necessity rather than just a utility.  The
future of antivirus viruses may be highly specific programs aimed
at attacking especially bad viruses.  The least we could do is
experiment with these programs until we feel that we have the
expertise to write a good one.  Someday we may need it.


Andrew R. Mitz                             The opinions expressed here
AZX@NIHCU                                  do not necessarily reflect
                                           my own, let alone anyone
                                           else's.

------------------------------

Date:    Tue, 04 Sep 90 20:49:00 +0000
From:    "Cedomir Igaly" <EIGALY@yubgef51.BITNET>
Subject: Re: Mysterious Message (PC)

well!jabolins@apple.com (John Abolins) writes:

>As for the question about the word "KONIEC" meaning anything, perhaps
>it is a Eastern European (Slavic, perhaps) derivation of the German
>word "Koenig" (can't render an umlaut here) meaning "King" ,
>"Monarch".

Wrong! The word "KONIEC" is perhaps from the Polish language and means "THE
END".  As I said before, the whole text was "The end of the program".
                                        Cedomir Igaly
                                        Zagreb - Yugoslavia

------------------------------

Date:    04 Sep 90 17:13:45 +0000
From:    dweissman@amarna.gsfc.nasa.gov (WiseGuy)
Subject: Brunnstein's virus list

Whatever happened to Dr. Brunnstein's MAC Virus list that was supposed
to be posted sometime in July?!  This list was to be similar to his
DOS lists (which he did release in late June).

------------------------------

Date:    Tue, 04 Sep 90 15:05:48 -0400
From:    AZX@NIHCU.BITNET
Subject: EEPROM BIOS (PC)

The newest generation of motherboards now being designed for PCs will
be using EEPROM or other reprogrammable devices for the BIOS.  The
goal is to allow BIOS upgrades using floppy disks or even by
telephone.  Has anyone considered the potential virus-related risks
associated with this move?

Andrew R. Mitz

Motto: You ain't late 'til you get there.

------------------------------

Date:    Tue, 04 Sep 90 22:54:30 -0400
From:    Peter_Urka@ub.cc.umich.edu
Subject: Anti-virus viruses

	As Knox points out; some like the idea of AVV's, and some don't.
Unlike Knox, I do believe that this discussion has had merit and
people have changed their minds.  I have received e-mail indicating
this.  I just hope that more people don't like the idea now than before,
and that less people like the idea of AVV's now than before.
	Knox also points out that we may be seeing vaccines turning up.
I believe that we, society, morally and legally, should be prepared
to treat the authors of vaccines as authors of viruses are.  Admittedly
that is not too harsh, but perhaps that will change in the future.
Peter Urka@ub.cc.umich.edu

------------------------------

Date:    05 Sep 90 09:18:25 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Listing of Indonesian Viruses

Some comments about the Indonesian viruses...
>     * HACKER

This one is known as "Ohio" elsewhere in the world - It is closely
related to the next one - using the same "buggy" method of formatting
track 40 and storing the virus code there.

>     * DENZUKO

Known as Den Zuk. In addition to the information in the original
message it must be added that the virus removes "Brain" and "Ohio"
from diskettes, replacing them with copies of itself.  The virus
changes the volume label into Y.C.1.E.R.P, but as YC1ERP is the
call-sign of a radio-amateur in Bandung, Indonesia, he is suspected of
being the author.

Both viruses are not able to format 1.2M or 3.5" diskettes properly -
damaging the contents instead - the claim that "No damage come from
this virus." is far from being correct.

>     * MARDI BROS

Reported in France, and originally believed to have been written
there.  This virus contains the text "sudah ada vaksin" (Vaccine
already exists), which I recently asked about.

>     * AMOEBA

This virus has been known for some time, and detection/disinfection
programs are available.

>     * MYSTIK

This virus is known under the name of "Liberty".  Detection and
disinfection programs are available.

>     * PC CLUB
>     * AREMA
>     * SEMLOHE and KEONGZ
>     * PC MONSTAR
>     * ROBERT/NARWIN
>     * SUPERNOVA
>     * FREDDY

None of those viruses are yet known in the West - maybe we can expect
a flood of Indonesian viruses soon.....  :-(

-frisk

------------------------------

Date:    05 Sep 90 19:28:19 +0200
From:    "Otto.Stolz" <RZOTTO@DKNKURZ1.BITNET>
Subject: re: mysterious message

Dear amateur linguist,

> Rosarch <sp?> ink blot test.
Rorschach is a Swiss town at the Bodensee (lake of Constance),
where this test presumably has been developed.

> As for the question about the word "KONIEC" meaning anything,
KONIEC (spelled in various ways according to language, but pronounced
nearly identically) is found in South-Slavic languages, notably
Serbo-Croatic, and if I'm not mistaken also in West-Slavic languages
(as Polish, Czech and Slovakian). Its meaning is "end" (noun).

> I hope this may provide clues to answer the question.
So do I.

Best wishes
            Otto Stolz

------------------------------

Date:    05 Sep 90 18:37:24
From:    <BACHNER@FRCITI51.BITNET>
Subject: MacIntosh virus

Does somebody have an idea how to manage with WDEF, a virus infecting
DESKTOP on MACs?

Lucien Bachner 
Paris France. 

Thank you

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 154]
******************************************
