From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #75 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Wednesday, 25 Mar 1992 Volume 5 : Issue 75 Today's Topics: Naming questions (PC) IBM boot message non-virus (PC) Stoned, No-Int, and SCANV86B (PC) Re: Measuring Michelangelo (PC) Dir-II virus (PC) False reports from heuristic analysis (PC) Disk Compression and Anti-Viruses (PC) DOS version backward compatibility (PC) Re: Which Package is Best? (PC) (Clarification) Re: Mardi Bros (PC) Re: Victor Charlie program (PC) Re: F-PROT warning: false positive? (PC) Disinfectant 2.7 Withdrawn (Mac) Disinfectant 2.7.1 (Mac) re: Network Viruses (not just PC) What does "Reverse Engineering" include? Re: Origins of viruses CRCs- How do they work? Doing research for speech on viruses Re: Origins of viruses VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 24 Mar 92 09:35:00 -0500 From: Ron Whittle Subject: Naming questions (PC) Well, after having 1 virus identified as 4 different viruses ( and I'm only using 3 scanners! ), I have to ask if anyone has a virus scanner name cross reference? In a related question, I have a Dark Avenger virus that the VSUM listing describes as being either variant C or D. How do I tell the difference? Is there a 'central clearing house' for virus names yet? Ron Whittle Internet : CSCRDW%CURIE@epavax.rtpnc.epa.gov | EPA/NAREL VMSnet : CURIE::CSCRDW | Voice : (205) 270-3482 FTS 228-3482 | This message is not self FAX : (205) 270-3454 FTS 228-3454 | referential. This one is. ------------------------------ Date: Tue, 24 Mar 92 11:43:00 -0400 From: Rich Stillman x6135 Subject: IBM boot message non-virus (PC) >When turning this computer on, a message like follows appears on > ok IBM >(the ok has a circle around it and is crossed out like a no smoking sign) This is IBM's graphic to inform you that your system has failed the power-on self test (POST) somehow. If this happens, put in your Reference Disk and press the F1 key. If the error is minor enough, the system will usually boot and the reference disk will tell you what went wrong. If more serious, you may not be able to boot. Since the problem is intermittent, now is the time to deal with it. But it's not a virus, just a normal part of IBM's system software. Rich ------------------------------ Date: 24 Mar 92 11:02:00 -0600 From: "William Walker C60223 x4570" Subject: Stoned, No-Int, and SCANV86B (PC) From: bm656@cleveland.Freenet.Edu (Mark D. Gold) > ... While checking for the Michaelangelo virus with SCANV86B, I > noticed that all of teh computers are infected with No-INT (Stoned) > virus in the partition table. I'd like to find out more about teh > Stoned virus, but what I really need to know is the following: Will I > either have to (a) SCAN all of the hundreds of diskettes in the office > and clean them if infected or (b) buy software that checks diskettes > when they're inserted into a disk drive? From: 861033h@aucs.acadiau.ca (Michael S. Hogan) > One of my professors here at Acadia has been having a recurring > problem with the No-Int Stoned virus. I, as well as our computer > centre, have cleaned it off his machine using MacAfee's Clean program > and FDSIK /MBR among others. > How is the Virus transferred? We try to scan all disks prior to their > use in the machine, but it never finds anything. I have installed the > VSHIELD program and it doesn't seem to catch it prior to infection. > Once the drive has been cleaned, we are having problems with storing > and retreval of files (almost requiring a complete re-installation). > Does this virus do anything other than infect the partition table? > Is there a way to correct the problems it creates (clean it out) and > have reasonably good performace afterwards?? From: cmcl2!panix.com!ss@uunet.UU.NET (Steve Steinberg) > evans@aplcen.apl.jhu.edu (Robert Evans) writes: > > With the Michelangelo scare, he has used SCANv86b, which has reported > > a virus found "No Int [Stoned]" and is wondering is the the strain to > > which Michelangelo belongs, or is it a different one? > > 1) What damage does it do? > > 2) How does it get activated? > I also found No-Int (with Stoned) on 15 out of 50 PCs. I'm not sure > about what it does. I pushed the date ahead to Fri. the 13th > (3/13/92) and nothing happened. From: Hama@DOCKMASTER.NCSC.MIL (Gord Hama) > I noticed that when I scanned a MICH infected diskette with SCANV86B > that it reported reported the NOINT, The diskette was re-scanned using > V84 and sure enough the MICHAELANGELO was reported. I recall that on > the week of Mar 02 there were numerous NOINT reports, but few > MICHAELANGELO's being found. II tested a NOINT sample with V84, but > it is reported as a STONED related virus. > I wonder if the NOINT reports were really NOINT or MICHEALANGELO? > Anyone notice a sudden surge in NOINT reports? McAfee's ViruScan 8.3V86B has a bug in it (or more correctly, an error in the scanning strings) which causes it to identify the "Stoned" virus as "No-Int Virus [Stoned]." Also, when CleanUp is removing this virus, it reports "Found No-Int Virus [Stoned]" and "Found Stoned Related Virus [Stoned]" both, but only "1 virus removed." This has been reported to McAfee Associates. I don't know how SCAN, CLEAN, or VSHIELD 86B treat the REAL "No-Int" virus, since I don't have a copy of it. You can use a disk editor (Norton, PC-Tools, etc.) to look at an infected boot sector to see which virus it actually is -- "Stoned" will have "Your PC is now Stoned! LEGALISE MARIJUANA!" or something close, but "No-Int" will not. "Stoned" and "No-Int" infect a PC's hard disk when a machine is booted from an infected floppy, either intentionally or accidentally, and regardless of whether the floppy is completely bootable or not. Once there, it will be loaded on every boot from the hard disk, become resident in memory, and reduce "total bytes memory" (as reported by CHKDSK) by 2048 bytes. From there, it will infect EVERY floppy accessed in the A: drive, even by doing so little as a DIR A:. "Stoned" has no activation date or intentionally destructive payload, though it can, by the way it infects disks, can cause damage, ranging from lost files to a corrupted FAT, depending on the system, diskette density, and hard disk format. "No-Int" is less likely to damage a high-density diskette, but it does have a simple stealth capability -- it prevents access to the boot sector when it's in memory. To clean the virus from the hard disk, you must first boot from a known clean boot floppy, then remove the virus from the drive. Often, a recurring infection will result from attempting to remove the virus from the hard drive without first booting from a clean floppy, or from not cleaning ALL of the associated floppies. Remember, it takes only ONE infected floppy to start it back up again. If it had overwritten part of the directory, you may be able to use CHKDSK /F to recover those files which had their directory entries wiped out by the real boot sector. If it had overwritten part of the FAT, good luck. Most likely only a person very experienced at disk recovery or a restoration from a complete backup can help. As for why VSHIELD won't recognize it in Mr. Hogan's case, I don't know. Since the scan strings for SCAN and CLEAN are faulty, it's possible that the strings for VSHIELD are faulty, too. It may also be possible that the strings these programs use were accidentally matched to the "Stoned" virus, and Mr. Hogan has the REAL "No-Int" virus. Aryeh, do you have an idea on this? I have not observed the identification problem Mr. Hama reports, that SCAN 86B mislabels "Michelangelo" as "No-Int." SCAN 86B identified "Michelangelo" as "Michelangelo Virus [Mich]" for me, and CLEAN 86B successfully cleaned it. Perhaps there is another strain of "Michelangelo," or Mr. Hama's copy of "Michelangelo" was damaged in such a way to cause the misidentification. "Michelangelo" is not a strain of "Stoned," because it is too different, but it is close enough for analysts to say that it may be a poorly hacked version of "Stoned." > Maybe Stoned/No-Int is corrupted. Can I get my money back? "Stoned" and "No-Int" are distributed on an as-is basis. No warranties are either expressed or implied. However, the authors SHOULD be held responsible for any damage resulting from the use of these programs. ;-) Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "Non sequitur -- your facts are Arnold Engineering Development Center | un-coordinated." M.S. 120 | -- NOMAD Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: Tue, 24 Mar 92 13:25:00 -0600 From: Ken De Cruyenaere 204-474-8340 Subject: Re: Measuring Michelangelo (PC) In virus-l # 5073 bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: (regarding the media crying wolf) >The next time (March 6, 1993), they probably won't. Since the virus >continues to spread, this will cause much more hard disks to be wiped >out than this year. That's why March 6, 1994 will be a good "next >time"... :-) Do you really think so ? I would have thought that copies of Michelangelo, aside from captive copies, would be few and far between after March 6th. Either: --- found and erradicated before March 6th (largely thanks to all the media attention) --- or self destructed when it activated on march 6th. (If Michelangelo doesn't kill itself on March 6th, it certainly draws attention to itself...) Ken - --------------------------------------------------------------------- Ken De Cruyenaere - Computer Security Coordinator - Computer Services University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2 Bitnet: KDC@CCM.UManitoba.CA Voice:(204)474-8340 FAX:(204)275-5420 ------------------------------ Date: Tue, 24 Mar 92 14:30:55 -0500 From: "Matthew W. Hanley" Subject: Dir-II virus (PC) I have a user that came in with a hard drive infected by the DIR-II virus. He claims that VSCAN does not detect it, but F-PROT does, although F-PROT will not remove it. Since it is his home machine I cannot verify this, so my question is: How should he go about removing the virus? I'm hoping that there is a solution other than reformatting the hard drive. Thanks. - -Matthew Hanley ------------------------------ Date: Tue, 24 Mar 92 15:43:29 -0500 From: FRYSTD@ACAD.LVC.EDU (Michael Fry) Subject: False reports from heuristic analysis (PC) Vesselin recommends that public distribution of heuristic analysis stop. I hope it doesn't. If the hurricane of questions about its reports is too much, create a blanket response and send it automatically. Mike Fry Lebanon Valley College Annville, PA ------------------------------ Date: Tue, 24 Mar 92 15:44:45 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Disk Compression and Anti-Viruses (PC) >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Subject: Re: Stacker and viruses (PC) >Fortunately, Stacker comes with a wonderful utility, called SCHECK, >which is able to repair the damage, or at least to minimize it. It is >something like CHKDSK and PKZIPFIX combined. I'm not aware of the >existence of such tool for SuperStor (the Stacker's alternative, which >comes with DR DOS 6.0). Actually, there is but not in the Brain-Dead DR-DOS version of SuperStor. The *real* distribution (I have v1.3h but 2.0 is out now) from Addstor includes an effective but very slow defragmenter and a "repair" utility that seems to work well (fixed a couple of problems I created) in the included "SSUTIL" program. With the DR-DOS 6.0 version (1.06 fixes some earlier problems), a "DISKOPT" program is included but is definately not a defragmenter. Until I bought the $39 upgrade, the disks were getting slower and slower... After using the 1.3h defrag utility, the speed was restored. There really is a difference and near 120 MB out of my obsolete ST-251-1 and ST-225 is *almost* enough. Having two effective competitiors is the best way to get technology improvements going. Warmly, Padgett ------------------------------ Date: Tue, 24 Mar 92 18:07:55 -0500 From: Libbie Counselman Subject: DOS version backward compatibility (PC) gary@sci34hub.sci.com writes: >lunde@casbah.acns.nwu.edu (Albert Lunde) writes: >> 1 - how many versions do we need? (I know having everyone >> bring in a disk formatted with their DOS version >> would be one approach, but I'm looking for a middle ground.) > >Having everyone bring a formatted disc would increase the risk of >infection, as well. I think you'd need 3.3, 4.01, and 5. (For some >... >Keep a master bootable disc from each version, and when it comes time >to distribute, DISKCOPY it to a distribution master, install the >anti-viral software on that, and DISKCOPY it to the distribution discs. >Unfortunantly, DISKCOPY doesn't have a multiple-output option, so it's >not necessarily the fastest method, but it'll work. You might want to look at the DOS copyright before doing this. Unlike the Mac operating system, which is copyable, DOS is commercial software, packaged and sold separately from the hardware. Distributing it in this manner is most likely illegal. - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Libbie Counselman libbie@pucc.bitnet Computing and Information Technologies libbie@pucc.princeton.edu Princeton University libbie@phoenix.princton.edu - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ------------------------------ Date: Wed, 25 Mar 92 12:18:00 +0200 From: Y. Radai Subject: Re: Which Package is Best? (PC) (Clarification) Yesterday I posted a contribution on "Which Package is Best", but when I read the published result today, I discovered that a couple of important words had been omitted. So (hopefully) before someone at- tacks what appeared there, allow me to make the following clarifica- tion: My criterion (end of second paragraph after first quotation) was not use of the fastest mode per se, but use of the fastest *practically secure* mode. Of course, that criterion is subject to the objection that it is by no means clear when a given algorithm is "practically secure" (e.g. if I were to claim that IM's "quick update" is not practically secure while UT's is, I'm sure Wolfgang would jump all over me). So I would now prefer to simply concede to Donny and Wolfgang that I should have omitted the claim that UT is faster than IM. The points I was/am trying to make were: (1) my abridgment of the original three timings to the two quickest ones was in accordance with the above criterion (given my ignorance of the existence of IM's quick check and my belief that UT's quick check is practically secure) and (2) whatever weakness there may be in the criterion, I don't think it's correct to say that it's intrinsically *unfair*. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: Tue, 24 Mar 92 23:25:17 +0000 From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves) Subject: Re: Mardi Bros (PC) PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes: >BRENT@morekypr.BITNET writes: >> Can someone tell me what Mardi Bros does? F-Prot is sketchy and will > >McAfee's SCAN calls this DenZuk; I don't know why F-Prot calls it F-prot is making a false identification. F-prot 2.02d calls my sample of ohio (denzuk varient) mardi bros just as BRENT@morekypr says. Mardi Bros is not an alternate name - it is a differnt virus. older versions of f-prot (i just tried 1.16) correctly identify it as ohio and should be able to disinfect it. I think Mr Skulason will see this post and probabaly be able to correct it soon. ------------------------------ Date: Wed, 25 Mar 92 01:16:33 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Re: Victor Charlie program (PC) Victor Charlie has a fairly unique method of change detection. The original program was primarily effective against file infecting viri, but it now has additional modules to protect system areas as well. There is a review of it, under the filename PCVC.RVW at cert.sei.cmu.edu among others. ============= Vancouver | "Kill all: God will know his own." Institute for Robert_Slade@sfu.ca | - originally spoken by Papal Research into rslade@cue.bc.ca | Legate Bishop Arnald-Amalric User CyberStore Dpac 85301030 | of Citeaux, at the siege of Security Canada V7K 2G6 | Beziers, 1209 AD ------------------------------ Date: Wed, 25 Mar 92 16:04:00 +1200 From: "Mark Aitchison, U of Canty; Physics" Subject: Re: F-PROT warning: false positive? (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > 0004839378@mcimail.com (Joshua Proschan) writes: >> A related question: f-prot identifies nearly all the Norton Utilities >> programs and several Microsoft Word programs as exhibiting virus-like >> behavior, when the heuristic scan is used. Is this also a false >> positive? > > Yes, it's a false positive. > In general: the heuristic analysers (F-Prot's analyser, > CHECKOUT/BOOTID) are wonderful tools for the anti-virus researchers > ... but they MUST NOT be used by the average users in their dayly > scan procedures. Yes, but there's also a risk that viruses will escape undetected. It isn't an easy problem to answer, since most people quickly get put off by false positives, and people trying to encourage others in their organisation to use anti-virus measures (or trying to sell such programs) have to pass more stringent acceptance tests than the viruses! What is the solution? Maybe after time the rate of false positives from heuristic scanners will be as low as conventional ones - providing they are given the chance to evolve, of course. But even that might not be good enough. There seems to be a lack of tolerance of one or two false positives (from heuristic techniques or from plain string scanners), which is understandable, but a problem. A better solution is AI scanners (perhaps not the best term, though). Instead of looking for fragments of known viruses (with all the problems that entails), or looking for "things viruses tend to do", it is possible for a program to look at a boot sector and categorically say if it is a genuine DOS boot sector or a virus. It is a bit harder on hard disks, where there are all manner of utilities (like asking which partition to boot from) available, but still at least theoretically possible. Unfortunately, I doubt if such a program could tell if an average executable is a virus or not, since (for one thing) you don't know exactly what the program is supposed to do. (Grander discussions may bring in Turing's halting problem and so forth, for my bit, I'll just say I'm only running a 25MHz 386 and leave it at that!) I'm not sure if people are talking of heuristic methods and "generic disinfectors" as being part of the "next generation" or anti-viral software. If so, then AI (what's a better description?) should be the generation after that. I'd still back good heuristic methods as being right a VERY high percentage of the time with boot sector infectors, but nothing can compare with a solid yes/no answer which the generation after that can give. I might be sounding too optimistic about the capabilities of such software... if anyone is interested feel free to e-mail me. Obviously it is hard to explain everything about it here. A quick summary would be: if the boot sector is supposed to do particular things, and not others, and occupy a particular spot, then trace it through, and see what it does do. If it departs from the specifications nail it, if possible saying what it does do. It is a lot like what a person does when properly reverse-engineering a virus. It is possible (I know it is, since I've partially done it!) to get a program to work out what register contents are when an interrupt is called, etc. So *how* teh program does what it does doesb't matter; it can use a far jump at the start, it can be self-modifying, etc. But if it stays in memory, writes to a disk, changes vectors, etc...! Mark Aitchison, Physics, University of Canterbury, New Zealand. ------------------------------ Date: Tue, 24 Mar 92 23:06:35 -0600 From: j-norstad@nwu.edu (John Norstad) Subject: Disinfectant 2.7 Withdrawn (Mac) I made a very stupid mistake in Disinfectant 2.7 which can cause crashes during or after scans. I have had to withdraw it. I hope to have a fixed version 2.7.1 released very soon. I apologize for the inconvenience. John Norstad Academic Computing and Network Services Northwestern University j-norstad@nwu.edu ------------------------------ Date: Wed, 25 Mar 92 11:42:37 -0600 From: j-norstad@nwu.edu (John Norstad) Subject: Disinfectant 2.7.1 (Mac) Disinfectant 2.7.1 March 25, 1992 Disinfectant 2.7.1 is a new release of our free Macintosh anti-viral utility. Version 2.7.1 corrects a stupid mistake in version 2.7 which could cause crashes during or after disk scans. The only change in version 2.7.1 is to the Disinfectant program itself. The version 2.7.1 protection INIT is identical to the version 2.7 INIT, except for the new version number. You should go ahead and install the 2.7.1 INIT anyway, to avoid the alert the program presents telling you that "an old version is installed." My thanks to the dozen or so people who promptly reported the problem with version 2.7 and were kind enough to test the fix for me. [A note to Mac C programmers: Assigning a pointer to a Boolean variable is rarely useful. Releasing your own CODE resources is also a bad thing to do.] The rest of this announcement is a slightly edited copy of the version 2.7 announcement. Version 2.7.1 detects the new INIT 1984 virus. The INIT 1984 virus was discovered in the Netherlands and in several locations in the USA in March, 1992. INIT 1984 is a malicious virus. It is designed to trigger if an infected system is restarted on any Friday the 13th in 1991 or later years. The virus damages a large number of folders and files. File and folder names are changed to random 1-8 character strings. File creators and file types are changed to random 4 character strings. This changes the icons associated with the files and destroys the relationships between programs and their documents. Creation and modification dates are changed to Jan. 1, 1904. In addition, the virus can delete a small percentage (<2%) of files. The virus caused significant damage to the hard drives of several users on Friday, March 13, 1992. Because only a relatively small number of reports of damage were received, we hope that the virus is not widespread. The virus only infects INITs (also known as startup documents or system extensions). It does not infect the System file, desktop files, control panel files, applications, or document files. Because INIT files are shared less frequently than are programs, the INIT 1984 virus does not spread as rapidly as most other viruses. The virus spreads from INIT to INIT at startup time. The virus affects all types of Macintoshes. It spreads and causes damage under both System 6 and System 7. On very old Macintoshes (the Mac 128K, 512K, and XL), the virus will cause a crash at startup. If you have an INIT file which is infected by the INIT 1984 virus, when the virus attacks during startup, the Disinfectant 2.7.1 INIT beeps ten times, and an alert is presented at the end of the startup sequence. The virus is neutralized and does not spread or cause any damage, but the non-viral part of the infected INIT runs as usual. In order to properly detect and block the INIT 1984 virus, we had to make an important change to the way the Disinfectant protection INIT works. In previous versions of Disinfectant, the protection INIT always had to load last. Under System 7, the protection INIT had to be located in the System folder proper, not in the Extensions folder. These rules have been turned upside down. Starting with version 2.7, the protection INIT now must load first, before any other INITs. Under System 7, the protection INIT must be located in the Extensions folder, not in the System folder proper. The "Install Protection INIT" command in version 2.7.1 installs the new protection INIT in the proper location. When version 2.7.1 is run, it checks to see if an older version of the protection INIT has been installed in either the System folder or the Extensions folder. If it locates such an older version, it presents an alert asking if you want to install the new version. If you click on the "Install" button, the old version is removed and the new version is installed. In previous versions, several users reported "Unexpected error -194" errors when trying to install or save the protection INIT. We were finally able to reproduce this problem and find its cause. Version 2.7.1 fixes the error. Many users have had problems trying to build a System 6 Virus Tools disk because they could not fit System, Finder, and Disinfectant on a single 800K floppy. We now recommend building this disk without a copy of Finder and making Disinfectant the startup program. This should solve the problem. See the "Quick Start" section of the 2.7.1 online manual for details. We have added a new "Known Problems" section to the document. This section lists in one location all of the known problems with Disinfectant and all of the known incompatibilities between Disinfectant and other software. Disinfectant 2.7.1 is available now via anonymous FTP from site ftp.acns.nwu.edu [129.105.113.52]. It will also be available soon on sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac, America Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom, AppleLink, and other popular sources of free and shareware software. Macintosh users who do not have access to electronic sources of free and shareware software may obtain a copy of Disinfectant by sending a self- addressed stamped envelope and an 800K floppy disk to the author at the address given below. People outside the US may send an international postal reply coupon instead of US stamps (available from any post office). Please use sturdy envelopes, preferably cardboard disk mailers. People in Western Europe may obtain a copy of the latest version of Disinfectant by sending a self-addressed disk mailer and an 800K floppy disk to macclub benelux. Stamps are not required. The address is: macclub benelux Disinfectant Update Wirtzfeld Valley 140 B-4761 Bullingen Belgium John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 USA Internet: j-norstad@nwu.edu John Norstad Academic Computing and Network Services Northwestern University j-norstad@nwu.edu ------------------------------ Date: 24 Mar 92 12:48:37 -0500 From: "David.M.Chess" Subject: re: Network Viruses (not just PC) > From: suresh@iss.nus.sg (Suresh Thennarangam - Research Scholar) > > 1> Is it possible to bypass the read-only file-locking mechanism > provided by ? > ... > > Technically, there ought to be a low-level hack way to achieve > both, but has anyone come across a virus that does this ? Actually, there should *not* be a low-level way to achieve this. More specifically, if the network-server software is well-written, *nothing* that a client machine can send to it across the wire (regardless of whether that client is running DOS or any other operating system) should be able to cause alterations in files on the server that that client is not authorized to alter. This is the great advantage of having important files on a server: whereas a typical single-user micro operating system offers no real protection to a user against nefarious actions of a program that she runs (any program running on the machine can alter any file on the machine), a network server can and should provide *unbeatable* protection to the files it owns. Since a program on a client machine can do no more than send bits to the server across the LAN, the program that processes those bits has complete control over what happens at the server end. There's no equivalent of "bypassing DOS" or "talking directly to the disk controller" when you're dealing with files on a network server. Of course, I don't know whether the particular systems mentioned, or any other brands of server software, are in fact free of holes or back doors. But the key point is that true protection *is* possible in this environment... DC ------------------------------ Date: Wed, 25 Mar 92 09:19:00 +1200 From: "Mark Aitchison, U of Canty; Physics" Subject: What does "Reverse Engineering" include? I've noticed that some software agreements have prohibitions on reverse engineering. How does this affect people looking at a program to see if it has a virus, or using a program that contains heuristic or AI techniques to do pretty much the same thing?? Mark Aitchison. ------------------------------ Date: Tue, 24 Mar 92 18:12:00 +0100 From: "Olivier M.J. Crepin-Leblond" Subject: Re: Origins of viruses >Date: Thu, 19 Mar 92 09:19:58 +0000 >From: markf@syma.sussex.ac.uk (Mark Foster) >The very first virus that I ever saw or heard of was the SCA >(Scandinavian Cracking Association) virus for the Commodore Amiga. >Obviously inspired by the film 2010 approx 4-5 years ago and all in < >1k. >Can someone confirm or deny if this was indeed the one that started it >all. No, not really. The Amiga is a recent machine and virus writing couldn't have started on that. I recall coming across the LOAD RUNNER virus on the Apple II in the early eighties. Writing-up of self-replicating/destruction code has been a hobby of *some* programmers for a long time. In the early seventies, software programmers at NASA used to play a game called COREWARS where each player can write some viral code in assembly language and then release it in a specified area of memory, to fight against similar programs released by other players. The winner was the owner of the process filling-up the whole area of memory, thus killing all other processes. There are a number of COREWARS simulators available on the PC, each with its own little assembly code (called REDCODE). Once you have written your "warrior", you can test it against other warriors from other players. Since you see a map of the memory, it's fun to see how your code can replicate, avoid traps, and kill other programs. COREWARS is actually available from anonymous FTP (check-out wsmr-simtel20 & mirrors), and I wish that potential virus-writers would play around with that instead of doing it for real. Cheers, Olivier M.J. Crepin-Leblond, Comms and Signal Proc., Elec. Eng. Dept., Imperial College of Science, Technology and Medicine, London, UK. ------------------------------ Date: Wed, 25 Mar 92 00:28:00 +0000 From: rmg53668@uxa.cso.uiuc.edu (Ryan M. Grant) Subject: CRCs- How do they work? I have a question regarding the popular use of CRCs to guarantee file integrity and even help restore damaged files. In my understanding CRCs add up the bytes of a file with certain significance added to each byte (very fuzzy here). The question is, if a CRC can guarantee unique files with one whatever-byte number, why cant the file just be stored as its CRC? If not, I suspect that it WOULD be possible to get two files with the same CRC...and if this is the case, how can anyone be sure when they restore a damaged file through the use of a CRC? I'm sure that if PART of the file were damaged, the CRC could fill in the blanks, because the other proposed file with the same CRC would probably be radically different. Where am I right and where am I completely lost in this post? Thanks for any replies, Ryan Grant ------------------------------ Date: Tue, 24 Mar 92 20:40:50 -0500 From: James Klingler Subject: Doing research for speech on viruses greets all, I have decided to do a persuasive speech on the importance of computer virus awareness. I generally want to show that computer viruses affect everyone in some way or another. If anyone has any info which may help me with this please send E-mail. Also, as viruses have implications in computer security, I will also touch on this subject. Any info appreciated. Thanks, Jim Klingler(jrk123@psuvm.psu.edu) ------------------------------ Date: Tue, 24 Mar 92 20:12:40 -0600 From: Subject: Re: Origins of viruses bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) says: > >Wrong. The first Bulgarian virus (Old Yankee) was written in November >1988 (I personally know the person who wrote it). Please, tell us who these people are. I'm sure many virus authors are known. Let's expose them, and treat them to the scorn and derision they deserve. And, where appropriate, let the victims band together and sue the originators for the damage they have caused. As long as the perpetrators go unpunished, or worse, are treated as folk heros, there will be no end to these problems. ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 75] *****************************************