From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V3 #90
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday,  8 May 1990    Volume 3 : Issue 90

Today's Topics:

MacWorld Citation
High School Boy's Story was a Fake (Sharp virus)
RE: Mac viral information (Mac)
Military Viruses
Morris Sentenced - Washington Post Article
Virex anti-viral (Mac)
Mainframe viruses
Possible unidentified virus (MAC)
Alameda virus (PC)
Re: Mainframe viruses
Virus frequencies (PC)
re: mainframe viruses
Sneak virus for the Mac - cures ? (Mac)
Re: Auto-Validation

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 04 May 90 18:34:00 -0400 
From:    WHMurray@DOCKMASTER.NCSC.MIL
Subject: MacWorld Citation

MacWorld is quoted on viruses as follows:

>-  Doesn't mince words about viruses being "tools of vandalism --- bricks
>   hurled through your Mac's windows by people with apparently nothing
>   better to do with their time and programming skill...  [c]omputer
>   viruses could be stopped dead if their creators turned their energies
>   toward being productive, not destructive."  Hear, hear!!

Would God that that were true.

Which one would go away if its author reformed?  Which author could
put his back in the bottle if he wanted to?  Which one have we ever
succeeded in eliminating?

Sorry.  Even if no one ever writes another one, the chances that the
world will ever again be free of them is small indeed.

Unless we radically alter our behavior, we still run a very good risk of
being overwhelmed.

While it is clear that viruses are the moral, technical, and artistic
equivalent of graffiti, graffiti was trivial to get rid of compared to
viruses.

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date:    Mon, 07 May 90 18:35:20 +0900 
From:    Yoshio Oyanagi <oyanagi@is.tsukuba.ac.jp>
Subject: High School Boy's Story was a Fake (Sharp virus)

     I posted news about two kinds of virus, Namba I and Namba II, on the
Sharp X68000.  During the long vacation in Japan (the so-called Golden
Week, until May 6) the story of a high school boy making the virus with
forty people at the request of a client turned out to be a fake.  Asahi
Shinbun newspaper, in its May 4 issue, printed an apology for causing
trouble to many people with the unfounded story.

     It remains a mystery who made the two viruses and how the game
software was contaminated by them.

                                    Yoshio Oyanagi (Univ. of Tsukuba)

------------------------------

Date:    07 May 90 09:38:13 -0500 
From:    Roy RoperSTCS <Roy_RoperSTCS@stcs.mrl.uiuc.edu>
Subject: RE: Mac viral information (Mac)

MAC viral information:
The person requesting information about Mac Virals should just get
Disinfectant V1.7 and read the user help file.  It has all the
information you requested on every known Mac Virus.

------------------------------

Date:    Mon, 07 May 90 10:52:12 -0400 
From:    Nick DiGiovanni <U953001@RUTVM1.BITNET>
Subject: Military Viruses

Thought the following might stimulate some discussion.  I just read in
a newsbrief that the U.S. Army wants to turn viruses into military
weapons.  The idea is to use viruses to wreak havoc with computers in
the battlefield.  The newsbrief points out viruses could be used to
disrupt military communications, impede weapons control and feed
misleading data to enemy commanders.  Viruses could also be used to
alter programming of communications satellites serving combat units.

According to the newsbrief, the Army is willing to pay up to $550,000
to the company that comes up with a workable way to create such
viruses and figures how to deliver the viruses into enemy computers by
military radio.  The newsbrief mentions detractors of the concept say
the viruses could get loose and cause damage to the U.S. Army and
civilians.  The newsbrief closes by saying computer experts say
creating such viruses is possible with current technology.

[Ed. Could we have a citation on the article that you got this from,
please?]

------------------------------

Date:    07 May 90 12:35:00 -0400 
From:    "zmudzinski, thomas" <zmudzinskit@imo-uvax.dca.mil>
Subject: Morris Sentenced - Washington Post Article

From Page A1 of _The_Washington_Post_, Saturday, 5 May 1990 -- QUOTE:

NO JAIL TIME IMPOSED IN HACKER CASE
Creator of `Virus' Gets Probation, Fine

By John Burgess, Washington Post Staff Writer

    Robert Tappan Morris, the graduate student who created the celebrated
computer "virus" that paralyzed thousands of research computers nationwide
in 1988, yesterday [4 May] was sentenced to three years' probation, fined
$10,000 and ordered to perform 400 hours of community service.  He received
no jail time.

    Morris was the first person to be brought to trial under a 1986 federal
law designed to shore up security for the computer systems that are playing
an increasingly critical role in American life.  His trial and sentencing
had been closely watched by computer specialists for signs of how the justice
system would treat a virus case.

    Yesterday, some of these specialists argued that jail time was necessary
to send a strong deterrent message against tampering with computers.  Others
said that prison time would have been an overreaction to the acts of a young
man they felt intended no harm and was guilty mainly of youthful bad judgement.

    Morris, 25, smiled broadly after his sentencing by U.S. District Judge
Howard Munson in Syracuse, N.Y.  Morris hugged his mother, shook hands with
his father and left the building without commenting.

    Keith Bostic, a University of California software specialist who helped
stop the virus's spread, welcomed the decision not to send Morris to jail.
"He was playing with fire, but he didn't really mean to burn anybody," said
Bostic, who was called as a witness by the prosecution during Morris's trial.

                           See HACKER, A10, Col 5.

----------------------------------------------------------------------------

COMPUTER `VIRUS' AUTHOR ESCAPES PRISON SENTENCE -- A10, Col 5.

    Strong condemnation came from Rep. Wally Herger (R-Calif.), author of
legislation that would outlaw viruses.  "I am very disappointed that the
sentence did not include some prison time for this serious offense," Herger
said in a statement.  "In this ground-breaking case, we must send a strong
message that computer virus outbreaks will be punished severely."

    Computer viruses are programs--sets of instructions that tell a computer
what to do--that replicate themselves and spread from computer to computer
over telephone lines or exchanged data discs [sic].  They can cause harm by
deliberately destroying information or taking up so much room in an infected
computer's memory that normal functions are slowed or shut down.

    In November 1988, a virus raced across a national network of interlinked
research computers known as the Internet, paralyzing or slowing down almost
6,000 machines in companies, government laboratories and universities but
destroying no information.  The case attracted international publicity and
led to calls for new laws to close what were perceived as loopholes.

    The virus was quickly traced to Morris, at the time a Cornell University
graduate student.  He became a symbol of the computer "hacker" community,
in which software enthusiasts delight in penetrating computer security
arrangements.  Further interest was created by the fact that Morris's father,
Robert Morris, was a senior computer scientist at the top-secret National
Security Agency.

    Morris's trial began in January and became a test case for whether the
1986 law, which does not mention viruses specifically, would be adequate to
obtain a conviction.

    During the trial, Morris testified that the virus was an experiment that
had run out of control due to a programming error.  He was convicted and
faced up to five years in prison and a $250,000 fine.

    Jude Franklin, who oversees computer security for Planning Research
Corp., a McLean-based computer services company, said the prosecution and
conviction of Morris would do the job of deterrence.  The $10,000 fine was
"severe" for a graduate student, Franklin said.

    "Clearly he's learned a lesson," Franklin said yesterday.  "And much more
importantly, the community of bright young graduate students and really
bright hackers . . . have learned that this is not something they can do."

    But elsewhere, the sentence was called lenient.  Justice Department
spokesman Doug Tillett said the department was "a little disappointed."
U.S. Attorney Frederick J. Scullin, who oversaw the prosecution, noted in a
statement that future offenses of this type would be prosecuted "vigorously."

    Lance Hoffman, a George Washington University professor who specializes
in computer security, declined comment on whether Morris deserved jail.  But
he said the sentence's lack of jail time will means [sic] the message sent to
hackers will not be strong.

----------------------------------------------------------------- END QUOTE

Personal Note:  There will be many flamers on this, and I think that before
the hotter-headed among us start burning old UNIX workstations on the
Morris's lawn, we should remember that we are part of a nation of laws.
I do not agree with Judge Munson's sentence; I think it is little more than
a slap on the wrist (does anyone REALLY believe that RTM Jr. won't get a
bigger advance from his publisher than the $10K fine?); *B*U*T* Mr. Morris
has been convicted and sentenced AND THAT'S THE END OF IT.

Thank you.

Tom Zmudzinski,
Former DDN Network Security Officer

"Posterity, you will never know how much it cost...
 ...to preserve your freedom!  I hope you make good use of it"
    	 			        -- John Adams

------------------------------

Date:    Mon, 07 May 90 10:36:52 -0600 
From:    dys%beta@LANL.GOV (Donna Stevens)
Subject: Virex anti-viral (Mac)

I have seen virtually no mention of the commercial software, Virex n.n
on the list.  This is an excellent anti-viral software produced by HJC
Software (P. O. Box 51816, Durham NC 27717 - 919.490.1277).  It is
frequently updated; Virex is a scanner/repair, and the Init that comes
with it is completely effective in preventing the loading of an
infected floppy.  I personally prefer Disinfectant n.n as a
scan/repair software, but have insisted to many, many Mac users here
that the Virex Init be installed in their system folder.  The Init is
a control panel document; it can be passworded and locked into the
system folder.  With many students using machines at various
locations, plus files transferred back and forth between other
facilities, some systems have become vulnerable to inadvertent
infection.  The Virex Init stops 'em cold!

Virex, as I said before, is a *commercial* software--you have to pay
for it.  It has been, however, worth it when you consider the
man-hours saved by preventing infections before they can occur.

I am not affiliated with HJC in any way--just the old satisfied user
syndrome--nor, of course, do I in any way speak for the Laboratory.  The
above comments are strictly my opinion and based on my own personal
experience.  (Mac users--look into it!)

Donna Stevens

------------------------------

Date:    Mon, 07 May 90 12:10:58 -0400 
From:    Peter Jones <MAINT@UQAM.BITNET>
Subject: Mainframe viruses

>Date:    Thu, 03 May 90 09:03:24 -0400
>From:    Arthur Gutowski <AGUTOWS@WAYNEST1.BITNET>
>Subject: Re: Mainframe viruses
>
>The easiest way would be to modify the first instruction to a BR to beginning of
>viral code, and then as the last two instructions of the virus, execute the
>original first instruction and BR to beginning of code +1, tacking your virus
>onto the end of the program.

You have overlooked the problem of getting the base registers set up
properly. If a program exceeds 4096 bytes in length, then the initial
base register can't be used to address the end of the program.
Assuming that a base register is available on entry (R15), I think
you'd need 16 bytes to execute new code and return to the start of a
program. It is assumed symbols R0-R15 refer to the general registers.

Here's what the code might look like (this code has not been tested):

         USING X15,R15
X15     DS 0H
*    Initialization code
        STM R14,R12,12(R13)   STANDARD SAVE INSTRUCTION
* Overlaid code starts here
        ICM R7,B'1111',DISP   LOAD DISPLACEMENT OF NEW CODE
        AR  R7,R15
        BR  R7
DISP    DC  AL4(NEW-X15)      where X15 is the location R15 points to
*                             Can't use a relocatable address, because
*                             this code isn't being relinked!
* Original code continues here
*      ..........
* New code starts here
         DROP R15       maybe
         USING NEW,R7
NEW      DS  0H
*     New code continues here
*   End by restoring and executing overlaid code
        L R15,16(,R13)
        BR R15
        END

"Let your flippers do the walking" :-)
Peter Jones                    (514)-987-3542
Internet:Peter Jones <MAINT%UQAM.bitnet@UGW.UTCS.UTORONTO.CA>  ?
Internet:Peter Jones <MAINT%UQAM.bitnet@ugw.utcs.utoronto.ca>  ?
UUCP: ...psuvax1!uqam.bitnet!maint

------------------------------

Date:    07 May 90 19:22:45 +0000 
From:    ctne_ltd@uhura.cc.rochester.edu (Chris Newbold)
Subject: Possible unidentified virus (MAC)

Hello!  I'm posting the following description of a viral problem that affects
the Macintoshes of several of my friends (I use a PS/2).  Since I have not
read this newsgroup until now, please excuse me if this has already been 
covered and/or identified.

Symptoms (below) spread rapidly from one machine/hard disk to another when
files are copied and diskettes exchanged.

	- Distortion of the "arrow" and "watch" cursors into a garbled
	pattern of horizontal and vertical lines, often during file copy
	operations.

	- Document icons are often distorted in a similar fashion, mostly
	when dragging them around the desktop.

	- Temporary disappearances of sections of windows, icons (including
	drive icons).

	- Desktop files are larger than usual, 96K rather than 64K for
	20 MB drive.

	- Frequent system crashes.

	- Infected systems on floppies taking over uninfected systems
	(becoming the system disk).

SAM 1.1, Disinfectant 1.7, Gatekeeper 1.1.1 are all in use, but have been
unable to identify any problems.  Together, they check for the following
viruses:
	AIDS, SCORES, nVIR, INIT 29, ANTI, MacMag, WDEF, ZUC, Hpat,
	nFLU, and MEV#.

They have also contacted the makers of SAM and were told that these symptoms
do not match any known virus.

If anybody could offer any suggestions, or if anyone knows what this is, please
e-mail what you've got to me.  Thanx in advance.

-- 
>>>> Chris Newbold <<<< * "If you fool around with a thing for very long you *
University of Rochester	*  		  will screw it up."		     *
Disclaimer: "All warranties expire upon payment of invoice."                
ctne_ltd@uhura.cc.rochester.edu * uhura.cc.rochester.edu!ctne_ltd@uunet

------------------------------

Date:    Mon, 07 May 90 15:24:35 -0500 
From:    Naama Zahavi-Ely <ELINZE@YALEVM.BITNET>
Subject: Alameda virus (PC)

Hello!

The Alameda virus is a boot-sector virus.  On pc and xt-type machines,
it is more or less unnoticeable.  On AT-type machines it makes system
disks unbootable.  It does not infect hard disks.  We had a few cases
of it here at Yale University a couple of years ago.  At that time, we
didn't recognize it as the Alameda virus, and it was referred to as
the "Yale" virus.  We got rid of it and made our systems here much
more virus-proof by creating write-protected start-up disks for our
public networked no-hard-disk computers.

Is it just my impression, or are boot-sector viruses more prevalent
than COM or EXE-infecting viruses on the college/university scene?

-Naama

+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +
|  Naama Zahavi-Ely                                                    |
|  Academic Computing Services           e-mail ELINZE@YALEVM.BITNET   |
|  Yale Computer Center                    Zahavi-Ely-Naama@Yale.Edu   |
|  175 Whitney Ave                                                     |
|  New Haven, CT 06520                                                 |
|  (203) 432-6680 EXT. 341                                             |
+ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- +

------------------------------

Date:    07 May 90 19:37:10 +0000 
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Mainframe viruses

 Ah yes I do indeed mean BLDL... the VP/370 virus mentioned in "Viruses, A
High Tech disease....".... Disassemblers are readily available for the
MVS and VM environments in fact one has just gone commercial this year...
now as to other matters IEBCOPY is one program that receives a
Bootstrap Authorization during the process of system install...
there are also certain Bootstrap SVC's (boot strap authorization i.e. sets
TCBJSCBAUTH, the flag handled by APF... once that is set
MODESET may be issued)...As far as IEHONESTY... it used to be a Storage
Management verification utility (FE Service Aid...) wasn't available to normal
customers... versions existed for both VS/1 and MVS at the time.... and yes you
are right Page Tables do not contain the executable image themselves... but
they point to same in the Page Data Sets... once APF has been bypassed and
Modeset issued... NO security package has much protection at this level...
as far as is it hard to do.... you forget guys (the ones who say it is hard)
when I went to school these were the only processors and OS available...at that
OS/MVT and OS/MFT were the rage... with VS/1 coming on quick... By my count
Many Thousands of people basically have the skill... fortunately few
have the motivation...
 All systems are VULNERABLE no Matter how Obscure or Difficult... the
skills are merely a matter of funding... or persistence...
    cheers
    kelly
p.s. thanks for getting this thread going... NOW comp.virus is Truly 
Interesting!!! :)

------------------------------

Date:    07 May 90 00:00:00 -0500 
From:    "David.M..Chess" <CHESS@YKTVMV.BITNET>
Subject: Virus frequencies (PC)

Attached is a summary of the proportions of the various viruses that
we've seen.   The population is something like 100,000 computers, but
of course in a real-life sample that large we have no way of knowing
how complete our coverage of viruses in them is.   Most of the
computers involved are at Fortune-500-like companies.

We're very interested in similar data that anyone else has
collected.   Do these numbers look at all like yours?

     Bouncing Ball      26%
     1813 (Jerusalem)   21%
     1704               15%
     Stoned              9%
     1701                8%
     648 (Vienna)        7%
     Brain               7%
     Yale                1%
     17Y4              < 1%
     2772 (Y.D.)       < 1%
     765               < 1%
     Disk Killer       < 1%
     Lehigh 1          < 1%
     Sunday            < 1%
     Sylvia            < 1%

These are totals; not all of these incidents were recent, by any
means.   Numbers for recent incidents would probably show lower
percentages for the Bouncing Ball, and higher for the Stoned
(that's a guesstimate).

Any interestingly different (or even boringly similar!) data from
anyone else would be greatly appreciated by all...

DC

------------------------------

Date:    Mon, 07 May 90 18:18:20 -0700 
From:    teda!RATVAX.DNET!ROBERTS@decwrl.dec.com (George Roberts)
Subject: re: mainframe viruses

Arthur Gutowski writes:

>One big reason I can think of is that mainframe programmers, unlike the PC
>programmer, is making a living at writing code.  S/he is not usually willing

I agree.  That is probably one of the reasons and the others are
probably social not technical.

>together and the program has been replaced.  But a virus bypasses those normal
>means, and *could* do so successfully on a mainframe, although it would be
>MUCH more difficult.  On a mainframe, there is a higher possibility that
>there are inter-program dependencies that would force relinking, and a virus
>could much more easily wipe out a program call using overlay techniques.

Don't these problems exist on personal computers?  If the first instruction
jumps to the virus which is added at the end of the program, there *usually*
won't be a problem.  Most viruses aren't perfect anyway.

>Jim is right, with the complexity of what a virus on a mainframe would have
>to deal with, and the knowledge required to write one in the first place,
>compromising system integrity in *this* way is EXTREMELY DIFFICULT.  It more

Writing viruses that will *always* function properly *is* complex -
both for personal computers, mini's, and mainframes.  Some programs utilize
bugs/features that weren't meant to be utilized.  This is more common for
some operating systems than others, and makes these programs more likely
to be incorrectly infected.  Mainframe operating systems tend to have more
strict standards of programming conduct (not unix).  This should make virus
writing a little easier.  Writing viruses that *usually* work should be
about equally difficult for pc's, mini's, and mainframes.

>structure, you can make certain modifications without rewriting.  And tacking
>onto the end is almost as easy as it is on a PC, because of the nature of
>pds libraries.  PCs are hard-sectored, and the entire sector must be read/

Why not also extend the file a little longer to accommodate those larger
viruses?

>done.  It all comes down to trusting the people who have the ability to blow
>something up to not blow it up and monitoring your system carefully.

What are these security programs already on MVS that you imply can
detect viruses?  (I don't know much about MVS) I do know that many
computers do *not* have system managers (mini's).  If they do,
the managing is often a side duty which isn't supposed to
interfere with his/her main objective.  These people often don't feel
they have time to install and check security features.

Some systems are more secure than others, but people are most often
caught from the direction they least suspect it.  If viruses are dismissed
as impossible, they can infect that much more easily.

-George Roberts
..decwrl.dec.com!teda!ratvax.dnet!roberts

------------------------------

Date:    Tue, 08 May 90 07:02:23 +0000 
From:    awl@extro.ucc.su.oz.au (Tony Locke)
Subject: Sneak virus for the Mac - cures ? (Mac)

I don't normally read this group, but does anyone know what can fix it?
Interferon 3.1 identified the Sneak virus (Disinfectant 1.7 doesn't) in
a Tops startup document. The virus causes various DA memory errors and ID=3
and ID=2 bombs. Please email me direct.
Thanks
Tony Locke
Sydney University MicroComputer Support Group
Uni Computing Service
NSW, Australia.

------------------------------

Date:    08 May 90 10:39:59 +0000 
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Auto-Validation

bcstec!gentry@uunet.UU.NET (Tim Gentry) writes:
>499229@VMTECMEX.BITNET (Alejandro J. Kurczyn S.) writes:
>>     Could it be possible for a program (Scanners, etc) to be
>>     auto-validated?  
>You bet it's possible.  Turbo User Group publishes a newsletter/journal
>called TUG Lines, and in issue #35 (published very recently) a method
>of doing exactly that is presented, both in C and in Pascal.

Yes, but their method is totally ineffective against viruses that make the
original file appear non-infected while the virus is active in memory.
In particular the Frodo (4096) virus is able to bypass it.  It is possible
to write an auto-validation program that is effective against all currently
known program viruses, but the TUG solution is not the correct one.

-frisk

-- 
Fridrik Skulason      University of Iceland  |       
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |   
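The self-validation scheme under discussion, as an added example that is not part of this digest or of the TUG Lines article: a program image carries a CRC-32 trailer over its own body and rechecks it at start-up, and a resident stealth virus that hands back the original bytes on every read defeats the check exactly as frisk describes. The trailer layout, marker and sample image are constructed for this example.

```python
import zlib

# Constructed trailer layout for this example: 4-byte marker + little-endian CRC-32.
MARKER = b"AVAL"
TRAILER_LEN = len(MARKER) + 4


def seal(image: bytes) -> bytes:
    """Append a self-validation trailer to a program image."""
    crc = zlib.crc32(image) & 0xFFFFFFFF
    return image + MARKER + crc.to_bytes(4, "little")


def verify(image: bytes) -> bool:
    """Recompute the CRC over everything before the trailer and compare it
    with the stored value; any change to the body or the trailer fails."""
    if len(image) < TRAILER_LEN or image[-TRAILER_LEN:-4] != MARKER:
        return False
    body = image[:-TRAILER_LEN]
    stored = int.from_bytes(image[-4:], "little")
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def append_bytes(on_disk: bytes, extra: bytes) -> bytes:
    """Model a crude change to the file on disk: extra bytes after the trailer."""
    return on_disk + extra


def stealth_read(on_disk: bytes, original_len: int) -> bytes:
    """Model what a program sees when it reads its own file while a stealth
    virus is resident: the OS read is intercepted and only the original
    bytes come back, so the checksum is recomputed over a clean image."""
    return on_disk[:original_len]


def demo() -> dict:
    """Run the three cases the thread is about and return the outcomes."""
    clean = seal(b"CONSTRUCTED PROGRAM IMAGE " * 8)   # constructed sample image
    changed = append_bytes(clean, b"X" * 64)          # what is really on disk
    return {
        "clean_passes": verify(clean),
        "changed_file_fails": not verify(changed),
        # The check passes through the stealth filter although the disk changed.
        "stealth_hides_change": verify(stealth_read(changed, len(clean))),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the check depends on the same file services the resident virus intercepts, it only regains its value when run from a clean boot or against the raw sectors rather than through the infected system's reads.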

------------------------------

End of VIRUS-L Digest
*********************
