From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V3 #91
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Wednesday, 9 May 1990    Volume 3 : Issue 91

Today's Topics:

Greek "Pixel" virus (PC)
Re: pc - archimedes virus? (PC)
Viruses on an OS/2 server... (OS/2)
Re: Military Viruses
re: Virus information
re: FSHIELD (PC)
Re: possible virus? (Mac)
There is no SNEAK Virus (Mac)
How to setup a virus-prevention center
How easy would it be to contaminate a Unix Computer? (UNIX)
Some questions (PC)
Auto-validation (PC)
Re: Military Viruses
Re #88:Computer Virus Catalog?
Re: Virus video information
Re: Virus frequencies (PC)
Stoned virus removal (PC)
Virus Video Shows
Re: Military Viruses
Military Virus and SciFi books

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 07 May 90 20:27:00 -0400
From: ELKALAMARAS%VASSAR.BITNET@CUNYVM.CUNY.EDU
Subject: Greek "Pixel" virus (PC)

I saw in a previous digest that people referred to a virus they called "the PIXEL virus".
I don't know whether you all have information about this, but since I *used to* write for "PIXEL" magazine, I personally know the guy who wrote it and can therefore forward all the information needed to eradicate and completely destroy the "PIXEL" "Greek" (sic) virus.

The author of the virus, Nick Nassufis, can be reached if you send mail to:

    Nick Nassufis
    "Pixel" magazine
    Compupress publications
    44 Syngrou ave.
    Athens
    Greece
    (sorry, don't remember the zip code)

And to set things straight, Nick published the virus for the same reason I will (if I finally do it) publish source code examples: to educate people on how to DESTROY them. Now, this had a side-effect, which I understand is troublesome. But education is power... To leave people ignorant is, I think, a crime!

Oh, also: Nick published the source code of the vaccine (antivirus) in the next issue... You can get the magazine (which is unfortunately in Greek :-) ) if you send a request to the address above. I can also send the source code of the vaccine to the list, but it will take me some time to get it from home in Greece...

For any info on the virus, don't hesitate!!! Contact me,

Lefteris Kalamaras
e-mail: ELKALAMARAS@VASSAR.BITNET
Snail-mail: Lefteris Kalamaras, P.O. Box 3441, Vassar College, Poughkeepsie NY 12601

------------------------------

Date: 08 May 90 13:42:42 +0000
From: rcpieter@tuegate.tue.nl (Pieter Schoenmakers)
Subject: Re: pc - archimedes virus? (PC)

zmacy67@doc.ic.ac.uk (Roger Attrill) writes:
> I have an Archimedes (no hard disk) which runs a PC emulator. On April 1st
> the symptoms of a virus started. Every eighth disk access (different disks),
> the machine crashes, which can only be resolved by a control break reset.

This is not a virus, it is the infamous I-have-seen-too-many-disks bug of the ADFS. This is a bug in the directory cache management. The cure is to dismount disks properly after use, or to *Configure ADFSDirCache 0k.
Of course, the PC Emulator does not suffer this, since it does not use the ADFS.

A virus on the Arc is quite difficult to write, since it can only be transferred by executable programs. !Boot files are easily checked for virus-like behaviour, and since there is no boot sector (OS in ROM), boot-sector viri are impossible. I have yet to hear about the first Archimedes virus.

Tiggr

------------------------------

Date: Tue, 08 May 90 09:13:25 -0400
From: Alan Pierce
Subject: Viruses on an OS/2 server... (OS/2)

This may sound like an odd question, and I think I already know the answer, but here goes. Do I need to find any special virus scanners to run on an OS/2 server? Since, basically, OS/2 works on top of DOS, I believe there is no need for special scanners, but I need to find out.

===================================================
Alan Pierce
Technical Consultant
Div. of Nutr. Sci.
Cornell University
APP@CORNELLA.BITNET
===================================================
"I'm not laughing with you, I'm laughing AT you." ...me

------------------------------

Date: Tue, 08 May 90 09:49:14 -0400
From: Nick DiGiovanni
Subject: Re: Military Viruses

I was asked to give a citation on the newsbrief about U.S. Army plans to develop military viruses. The article appeared in my local newspaper on Sunday, May 6, 1990. It was a wire service report from Knight-Ridder Newspapers. The article was entitled ARMY SEEKING HELP TO CREATE "WEAPON" by Rory J. O'Connor. Hope this information is sufficient.

Nick Di Giovanni
EDP Audit Manager
Rutgers University

[Ed. Thanks for the clarification, Nick! It does help a lot to have a citation on any article/report being mentioned.]

------------------------------

Date: 08 May 90 00:00:00 -0500
From: "David.M.Chess"
Subject: re: Virus information

Thanks for the plug, Emily!
*8) The paper is also available in softcopy from VIRUS-L, as IBM PAPER, and on CompuServe and various BBS's around the universe as VIRUSDOC.ARC, VIRUSD.ZIP, VIRUSDOC.TXT, IBMPAPER.ZIP... (Aren't small namespaces fun?) Note that the paper is about viruses in general, and what to do about them, and doesn't contain any "the XYZ virus does this and such" about specific viruses.

DC

------------------------------

Date: 08 May 90 00:00:00 -0500
From: "David.M.Chess"
Subject: re: FSHIELD (PC)

Uzi Apple writes:
> In other words, FShield protected
> software will identify and remove any viral infection,
> without the user having to do anything about it!

Wild! Can you (or anyone else) say how it does that? For instance, if the original file is

    A B C D E

how does it tell whether it's been infected by a virus like

    B C D E A

rather than a virus like

    C D E A B

or any of the other possibilities? Sounds like a Hard Problem to me; (how) does FSHIELD solve it?

DC

------------------------------

Date: Tue, 08 May 90 11:34:01 -0400
From: Joe McMahon
Subject: Re: possible virus? (Mac)

> - Distortion of the "arrow" and "watch" cursors into a garbled
>   pattern of horizontal and vertical lines, often during file copy
>   operations.

Sounds like a trashed System file. May have been garbled by a disk error. All of the other symptoms (distorted/garbled icons, dropouts, crashes) are all likely in such a case. Other possibilities: an INIT conflict.

> - Infected systems on floppies taking over uninfected systems
>   (becoming the system disk).

Note: *this is normal*. It's what Apple calls a "switch-launch". Running a program on a disk which contains a valid System and Finder will cause the Mac to switch control to the new System and Finder. Solution? Get rid of the other System files.

Recommendations: FTP a new copy of the system files from apple.apple.com and replace your System folders. One trashed System could very well trash others.
Don't unlock your disks when you use them on someone else's machine. Never, ever, use your originals of *anything* unlocked. Copy it, then use it.

--- Joe M.

------------------------------

Date: Tue, 08 May 90 11:39:26 -0400
From: Joe McMahon
Subject: There is no SNEAK Virus (Mac)

If you find a "SNEAK" virus in TOPS using Interferon, it is more than likely a false alarm. The SNEAK virus test looks for a particular pattern of inter-segment calls and sets off an alarm if it finds it. This call happens to be common to CODE-segment infectors, but it is valid for a non-viral program to use it. TOPS does. If Disinfectant says it's not infected, then it doesn't have any known virus. I'll leave it to a TOPS expert to tell you what's really wrong.

--- Joe M.

------------------------------

Date: Tue, 08 May 90 09:46:21 -0400
From: wack@csmes.ncsl.nist.gov (John Wack)
Subject: How to setup a virus-prevention center

One of the things I'll have to deal with shortly is how to set up a virus prevention center, basically an office of people ready to do incident handling and some limited research. We have a LOT of people out there with PCs (the U.S. Gov) and don't want to get hounded with false-alarm calls when a PC won't start up, etc. It occurs to me that this is an interesting "problem" if you will, and I haven't found much written about it in practical terms - the document I worked on didn't do a very good job of it. If anyone has set up such a center and has practical experience to share, I'd like to hear about it, with lots of do's and don'ts hopefully.

It has been suggested to me that such a center ought to be two-tiered, with a front office handling PC problems, and then passing off the suspected virus situations to the virus prevention center - the users don't call the prevention center directly. The center then works directly with the users or, if possible, deals through the front office.
It seems to me that basic research ought to include collection of statistics, knowledge of all tools that are out there, and then some publishing oriented towards the users. Any experience to share on this?

- John Wack, NIST, wack@enh.nist.gov

------------------------------

Date: Tue, 08 May 90 07:50:36 -0500
From: agtoa!greyfox@uunet.uu.net
Subject: How easy would it be to contaminate a Unix Computer? (UNIX)

Since Unix can run on just about any computer from my dinky '386 to a Cray supercomputer, wouldn't it be nearly impossible to write a virus to corrupt Unix binaries? You could target one system, or write a virus to run on just one system, but spreading it would be somewhat more difficult...

A worm, on the other hand, would be moderately less difficult (as has already been demonstrated) since the mail systems are fairly consistent from Unix to Unix. If a system administrator has been lax with the security system, or mail should (GOD FORBID!) have bugs in it that are easy to discover and take advantage of, one could, for instance, uucp a Bourne shell script or C shell script to a system and then uuxqt it. Then it could replicate and replicate and replicate for ever and ever.

With the world drifting toward consistency in computers and their operating systems, computers should be more susceptible to virii and worms as a natural side effect of it being easier to write a program that can just be recompiled and run on any environment. So we'd better make damn sure that the environment we finally decide to keep (Binex, written and compiled in D?) has many good security functions and that they are USED by the system administrators. For instance, if you set writepriv off on all executables, and have the operating system prompt with an "Are you sure?" message if you try to change it, that would probably help a lot.

Yeah... create an operating system impossible to infect with virii, move all American/Allied systems over to that, and then crank out virii on the "Bad Guys" MS-DOS. $550000 please ;-)

+-----------+----------------------------+---------------------------------+
| Bruce Ide | agtoa!greyfox@uunet.uu.net | The Grey Fox,                   |
|           |                            | A schizophrenic programmer who  |
|           |                            | is his own programming team.    |
+-----------+----------------------------+---------------------------------+

------------------------------

Date: Tue, 08 May 90 13:40:25 -0500
From: James Ford
Subject: Some questions (PC)

Some questions I thought I would toss out to the public. They may/may not have been asked before.

If you make a self-extracting archive (via PKZip, LHZ, PKArc, etc.), what would happen to that file if a virus managed to attach itself? Would the EXE file still extract (i.e., get the files + a virus)? Or would the archive not extract, yet you still get an infection? Perhaps none of the above?

Remote Boot PROMs - What would happen if someone booted from an infected disk (infecting your RAM with virus "x"), or ran a program putting virus "x" into memory, then proceeded to CTRL-ALT-DEL to a server using Remote Boot PROMs? I.e., a Token Ring 16/4A card remotely booting to a Novell NetWare 386 server. Would that have any effect on the virus? The server? (assuming general user rights, not SU rights) Other machines on the network? Is there a list of virii that a general user might be able to infect a server with?

-----------------------------------------------------------------------------
VSHLD62B.ZIP and FSHLD13.ZIP have been placed on MIBSRV (130.160.20.80) in the directory pub/ibm-antivirus for anonymous FTPing.
----------
The truth is always the strongest argument.
----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)

------------------------------

Date: Tue, 08 May 90 11:48:00 -0400
From: Bob Babcock
Subject: Auto-validation (PC)

> Yes, but their method is totally ineffective against viruses that make
> the original file appear non-infected while the virus is active in
> memory.... It is possible to write an auto-validation program that
> is effective against all currently known program viruses...

How can reliable auto-validation be done? Reading the disk image fails if a virus feeds back the un-infected image, and checksumming the core image is awkward (to say the least) because of the changes made by the loader when the program is relocated. I ask because I'm about to release a (PC) program with checking code which I know is inadequate.

------------------------------

Date: Wed, 09 May 90 00:32:52 +0000
From: craigb@sdd.hp.com (Craig Bosworth)
Subject: Re: Military Viruses

U953001@RUTVM1.BITNET (Nick DiGiovanni) writes:
> ... I just read in
> a newsbrief that the U.S. Army wants to turn viruses into military
> weapons. The idea is to use viruses to wreak havoc with computers in
> the battlefield. ...

I think it would be exceedingly difficult to develop a virus that could be considered a reliable tactical weapon. However, I do think that computer sabotage of all types, including spreading viruses, could be an effective strategic weapon in an extended conflict. I wonder how the US compares to the Soviets in their dependence on computers and their computers' vulnerability to attack.
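[Technical editor's note, added here and not part of the digest or of any poster's code. The FSHIELD question from David Chess (how can a file tell whether it has become B C D E A rather than C D E A B?) and Bob Babcock's auto-validation question (what if a resident virus feeds back the un-infected image?) are two halves of one problem, and the toy model below works both through in Python. It keeps a keyed digest (HMAC-SHA256) of each clean program image, shows that a plain additive checksum cannot even see the rotated layout Chess describes, and then runs the same check twice on the same infected "disk": once with honest reads, as from a clean boot, and once through a read hook that hands back the saved clean bytes, which is what a memory-resident stealth virus does on DOS. The file names, contents, key and one-byte "virus" are all constructed for the example; the key being held on write-protected media the infector cannot read is an assumption stated in the code.]

```python
"""Toy model of on-disk integrity checking vs. a memory-resident stealth
virus.  Added example for the FSHIELD / auto-validation threads; it is not
code from the digest.  All file names, contents and keys are constructed."""
import hashlib
import hmac

# Constructed "disk": path -> program image.  The bytes A..E stand in for
# the five segments of David Chess's example.
CLEAN_DISK = {
    "PROG.EXE": b"ABCDE",
    "OTHER.EXE": b"hello world",
}

# Assumption: the manifest key lives on write-protected media the infector
# cannot read; with an unkeyed checksum the infector simply recomputes it.
KEY = b"manifest-key-kept-off-line"


def byte_sum(image):
    """A simple additive checksum of the kind self-check routines often use."""
    return sum(image) % 256


def build_manifest(disk, key=KEY):
    """Keyed digest of every file, taken on the clean system."""
    return {path: hmac.new(key, image, hashlib.sha256).hexdigest()
            for path, image in disk.items()}


def verify(disk, manifest, read=None, key=KEY):
    """Return the paths whose current image no longer matches the manifest.

    `read` is the routine used to fetch a file's bytes.  Normally it reads
    the disk; a stealth virus resident in memory hooks exactly this path
    (INT 21h on DOS) and hands back the clean image instead."""
    if read is None:
        read = disk.__getitem__
    flagged = []
    for path, expected in manifest.items():
        actual = hmac.new(key, read(path), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, expected):
            flagged.append(path)
    return flagged


def infect(image, virus, mode):
    """Three layouts an infector can produce from A B C D E."""
    if mode == "append":    # A B C D E V
        return image + virus
    if mode == "prepend":   # V A B C D E
        return virus + image
    if mode == "rotate":    # B C D E A: first segment moved to the end
        return image[1:] + image[:1]
    raise ValueError(f"unknown infection mode {mode!r}")


def stealth_reader(disk, originals):
    """Model of the stealth hook: reads of infected files return the clean
    bytes the virus saved; everything else is read normally."""
    def read(path):
        return originals.get(path, disk[path])
    return read


def demo():
    """Infect two files and check them twice: once from a clean boot
    (honest reads) and once with the stealth virus still resident."""
    manifest = build_manifest(CLEAN_DISK)
    disk = dict(CLEAN_DISK)
    originals = {}
    for path, mode in (("PROG.EXE", "rotate"), ("OTHER.EXE", "append")):
        originals[path] = disk[path]
        disk[path] = infect(disk[path], b"V", mode)
    return {
        # rotation keeps the byte multiset, so the additive sum is unchanged
        "naive_sum_sees_rotation":
            byte_sum(CLEAN_DISK["PROG.EXE"]) != byte_sum(disk["PROG.EXE"]),
        "flagged_from_clean_boot": verify(disk, manifest),
        "flagged_with_stealth_resident":
            verify(disk, manifest, read=stealth_reader(disk, originals)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two `verify` calls give opposite answers on identical disk contents, which is Babcock's point: a check that runs on the infected machine trusts that machine's read path, so validation belongs in a scanner started from a clean, write-protected boot disk rather than in the program checking itself. The keyed digest answers Chess's question only halfway: it tells you the image differs from the reference, not which of the rotations produced it, so repair still needs a trusted copy rather than an inference from the infected file.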
BOS
--
Craig Bosworth                      (619) 592-8609
Hewlett-Packard, San Diego Division
16399 West Bernardo Drive
San Diego, CA 92127-1899
UUCP     : {hplabs|nosc|hpfcla|ucsd}!hp-sdd!craigb
Internet : craigb%hp-sdd@sde.hp.com (or @nosc.mil, @ucsd.edu)

------------------------------

Date: Tue, 08 May 90 17:34:00 +0700
From: BRUNNSTEIN@RZ.INFORMATIK.UNI-HAMBURG.DBP.DE
Subject: Re #88: Computer Virus Catalog?

For all those interested to receive the next edition (and future ones) of the Computer Virus Catalog:

1. The next edition will be mailed *early in June*; we are working very hard on it, but we have been overloaded with some serious virus cases, which diminished our time available for cataloguing viruses; I hope that you understand *our priority `analysis of new, esp. serious, attacks before documentation of known ones'*; among others, SUNDAY and 5120, recently detected in the FRG, will be catalogued; the next edition will contain about 15 MS-DOS virii (then, 47 MS-DOS virii catalogued), about 10 Atari virii (then, 16 Atari virii catalogued), and 14 more Amiga virii + updates of the published 24 virii. Moreover, we hope to publish, probably later in June, *about 10 Mac virii*, most of which with the aid of David Ferbrache, but some by our MacVirii group (which we *installed today, 8-May-1990*, under the impression of a heavy nVIR B accident in the European printing industry, and with the aid of Apple Germany, which gives us a Mac for this work, as our Faculty refused to give us a Mac `because virus analysis should be done by the industry', and `virus analysis is not sufficiently scientific', as some of our theoreticians and hardware specialists argued in the finance committee!).

2. As the number of virii grows strongly, we face the need to produce the *Computer Virus Catalog in a machine-readable form* which may be used, with a proper (relational) databank, to enquire about a possible virus infection.
To this end, we are presently discussing a formal *Threat Description Language/Virii* which was developed from the actual Virus Catalog Format (version 1.2). This work is essentially done by Morton Swimmer. After `internal discussions', we plan to publish the preliminary version and 10-15 virii mid-July 1990. We will send this to VIRUS-L, and we hope that you help us to validate the format until September. We then hope to produce an updated machine-readable format (2.0) in November 1990, and we hope then to have a C-based classification/query system (installed on a Sun) ready for distribution. (Future plans include a semi-automatic classification system.)

3. Following our practice, new versions will be announced on VIRUS-L.

4. Those mail servers interested in the new editions should inform me (addresses below); I will place such addresses on our mailing list.

Klaus Brunnstein

-----------------------------------------------------------------------
Postal address: Prof. Dr. Klaus Brunnstein, Faculty for Informatics, University of Hamburg, Schlueterstr. 70, D-2000 Hamburg 13
Tel: (40) 4123-4158 / -4162 Frau Leuschner / -4175 Frau Fischer-Huebner
E-mail:        Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de
From INTERNET: Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@Relay.CS.Net
From BITNET:   Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@DFNGate.Bitnet
From UUCP:     brunnstein%rz.informatik.uni-hamburg.dbp.de@unido.uucp
-----------------------------------------------------------------------

------------------------------

Date: Tue, 08 May 90 18:16:45 -0400
From: bcs-jim@pro-angmar.UUCP (Jim Rinaldo)
Subject: Re: Virus video information

Virus Hunters:

Don Ingli - USDA/Soil Conservation Service - Information Resource Mgmt. asked about videos on virus protection and training. A local company, Commonwealth Films, has a few out, one being "Invasion of the Data Snatchers," which deals with computer viruses, and other computer problems. It is done in a comic-book style, and is quite good.
This is a personal, NOT PAID, recommendation.

Commonwealth Films
223 Commonwealth Ave.
Boston, MA 02116
(617) 262-5634
FAX (617) 262-6948

They have preview/rent deals, etc. They also have a video on file retention called "Buried Alive", and one on data security called "Locking the Door". I have seen "Buried Alive", and it is also well done (for those of us buried in an avalanche of paper info).

Jim Rinaldo
The Boston Computer Society CAPs Group

------------------------------

Date: 09 May 90 09:57:22 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Virus frequencies (PC)

Here is my personal estimate on the situation in Iceland right now.

                           USA (Chess)    Iceland
> Bouncing Ball                26%          30%
> 1813 (Jerusalem)             21%           5%
> 1704                         15%          50%  (2 variants)
> Stoned                        9%           2%
> 1701                          8%           5%
> 648 (Vienna)                  7%          ---
> Brain                         7%           2%
> Yale                          1%          ---
> 17Y4                        < 1%          ---
> 2772 (Y.D.)                 < 1%          ---
> 765                         < 1%          ---
> Disk Killer                 < 1%           2%
> Lehigh 1                    < 1%          ---
> Sunday                      < 1%          ---
> Sylvia                      < 1%          ---
  Icelandic 1/2/3              ---           3%
  Ghostballs                   ---           1%

What is most interesting is the high number of 1704 infections - perhaps not surprising as it managed to invade several software/computer companies here. Also interesting is the lack of any Vienna infections (other than the Icelandic 'GhostBalls' variant) and the relative rarity of Jerusalem infections.

-frisk
--
Fridrik Skulason            University of Iceland   |
Technical Editor of the Virus Bulletin (UK)         | Reserved for future expansion
E-Mail: frisk@rhi.hi.is     Fax: 354-1-28801        |

------------------------------

Date: 09 May 90 00:00:00 -0500
From: SCP3001@SAKAAU03.BITNET
Subject: Stoned virus removal (PC)

Hi, Friends..

I face the problem of infecting my hard disk with the STONE VIRUS. Can any one of you tell me how to take out this virus.. or do you have a suitable file to deal with it? (Could you tell HELP ME PLEASE...

Saeed.
------------------------------

Date: Mon, 07 May 90 20:47:30 -0700
From: Alan_J_Roberts@cup.portal.com
Subject: Virus Video Shows

Don Ingli asked if any virus information videos were currently available. The VIRPRES.ZIP file developed by John McAfee can be downloaded from HomeBase and is available to all. It can be displayed on any VGA system, or overhead projection system that can connect to VGA. It's very good for presentations or virus training (it's in full color) and it covers most major virus issues - background, types of viruses, prevalence, infection mechanisms, network issues, protection techniques, etc., etc. Runs for about an hour if you are talking someone through it. It's big though (>200K zipped), so allow plenty of time for the download.

Alan

------------------------------

Date: Wed, 09 May 90 07:38:02 -0400
From: parmelee@wayback.cs.cornell.edu (Larry Parmelee)
Subject: Re: Military Viruses

> I just read in
> a newsbrief that the U.S. Army wants to turn viruses into military
> weapons.
> [Ed. Could we have a citation on the article that you got this from,
> please?]

I must have seen the same article. Here it is, as it appeared in the "Syracuse Herald American" newspaper, Sunday May 6, 1990.

-Larry Parmelee
parmelee@cs.cornell.edu

*** COMPUTER BUG SOUGHT BY ARMY ***
** $500,000 prize awaits best virus **
* By Rory J. O'Connor, Knight-Ridder News Service *

The U.S. Army is looking for help to develop the seeds of new-age germ warfare: It wants business to help it turn computer "viruses" into military weapons.

Experts predict the viruses, if successfully developed, could be used to wreak havoc on the increasing number of computers in the battlefield. The destructive computer programs, which have increasingly damaged commercial and research computer systems in the past four years, could be used to disrupt military communications, impede the control of weapons and feed misleading data to enemy commanders.

The viruses could also be used to alter the programming of crucial communications satellites serving combat units, the experts said.

The Army is soliciting bids from small businesses to determine the feasibility of using computer viruses in warfare. And it is willing to pay as much as $550,000 to a company that comes up with a plan for creating the programs -- and figures out how to use military radio systems to introduce them into enemy computers.

A computer virus is a kind of program designed to disrupt normal operations of a computer system or damage data on that system by altering or destroying it. The rogue programs are most effective when introduced secretly into the computer system of an unsuspecting user and when their damage is subtle or hidden from the user for some time. Viruses are also self-duplicating and can spread undetected from an infected computer to other computer systems they contact.

So far, more than 60 computer viruses have been identified, most of them attacking poorly guarded personal computers used by businesses, universities and individuals. The Army's virus would have to be more sophisticated than those programs.

But some detractors of the concept say the Army could wind up with the same problem it has with biological weapons: creating destructive elements that might get loose and cause widespread damage to its own forces as well as civilians.

"This stuff is very dangerous, and most people involved in creating viruses are not aware of the threat," said a Bay Area virus expert who asked not to be named. "You can't spread anthrax around the world and not have it come back around to you. And the enemy is using the same kind of computers and software that we are."

Many experts who are fighting the explosion in virus activity by amateur programmers are especially angry at government efforts to develop the programs for the military. Some say it is particularly troubling in light of Friday's sentencing of Robert T. Morris Jr., convicted in federal court of sending a similar program through a government-sponsored computer network in 1988.

"It bothers me that the government says in one breath (viruses) are bad and illegal and then asks for someone to develop them," said Glenn Tenney, a San Mateo, Calif., programmer and organizer of the annual computer Hackers Conference. "If Morris had done the same thing for the Army, they'd have paid him hundreds of thousands to do it. But he did it on the wrong side and got punished."

Morris was sentenced in Syracuse Friday by Federal Judge Howard Munson to a $10,000 fine, three years of probation and 400 hours of community service.

The Army's bid solicitation, titled "Computer Virus Electronic Counter Measure," was written by the Army's Signals Warfare Laboratory. It appears in the most recent collection of similar bid requests published by the government's Small Business Innovation Research Program.

The Army would pay the winning bidder up to $50,000 to analyze the feasibility of creating the virus, said Joyce Crisci, the Army administrator for the project at Fort Monmouth, N.J. If that study is accepted, the company could get as much as $500,000 in research and development money.

Crisci declined to provide further technical details of the project, saying such information could prejudice the bidding process. However, computer experts said creating a virus such as that sought by the Army was possible with current technology -- although some of the Army's requirements could make developing it more difficult than creating an ordinary personal computer virus.

[Ed. Thank you!]

------------------------------

Date: Wed, 09 May 90 15:00:00 +0000
From: Geraldo Xexeo
Subject: Military Virus and SciFi books

> a newsbrief that the U.S. Army wants to turn viruses into military
> weapons. The idea is to use viruses to wreak havoc with computers in
> ..........
Sorry, but this idea came from lots of Science Fiction books (the Cyberpunks, as Michael Gibson's THE NEUROMANCER), and short stories. As the Pentagon is dealing with Artificial Reality, Networks and security (all at the same time, all SciFi stuff), they must be doing something like that. Actually, I believe they must be doing it just now, if not to attack "enemies'" computers, then to study and avoid attacks on their own.

Geraldo Xexeo
-----------------------------------------------------------------------
If you like computers and Science Fiction, please contact me at:
XEXEO@VXCERN.DECNET.CERN.CH
-----------------------------------------------------------------------

[Ed. See article above.]

------------------------------

End of VIRUS-L Digest
*********************