Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA13787; Fri, 1 Jun 90 11:26:42 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA20527; Fri, 1 Jun 90 11:26:38 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA00318; Fri, 1 Jun 90 11:26:01 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa23090; 1 Jun 90 16:01 BST From: Anthony Appleyard To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu> Date: Fri, 01 Jun 90 16:05:32 BST Message-Id: <$TGTWCZCFFBQH at UMPA> Subject: Virus-L vol 0 issue #0502 Virus-L Digest Mon, 2 May 88, Volume 0 : Issue #0502 Today's Topics Viruses: another perspective "Write-protection" for hard disks ** no subject, date = Mon, 2 May 88 09:32:17 EDT ** no subject, date = Mon, 2 May 88 09:34:43 EDT (old) Amiga virus information, for what it's worth... anti-virus program request procedures The Israeli viruses The Israeli viruses Miami computer virus infection Re: (old) Amiga virus information, for what it's worth... A request for virus info Re: (old) Amiga virus information, for what it's worth... ------------------------------ Date: Mon, 2 May 88 08:05:15 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List Comments: Resent-From: "Kenneth R. van Wyk" Comments: Originally-From: WHMurray@DOCKMASTER.ARPA From: "Kenneth R. van Wyk" Subject: Viruses: another perspective Here's a VIRUS-L submission that was forwarded to me: Ken - ---------------------------------------------------------------------- = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: = This just in: = = BITNET: = Humptey Dumptey was pushed! = - ---------------------------------------------------------------------- - --------------------------Original message---------------------------- One should not be surprised that the discussion of viruses by computer users should focus on how to protect their own systems. However, as I read RISKS I become concerned that is how the problem is perceived. A virus is a special case. It is a social disease. It attacks not only a target system, but a population of systems, and social order all at the same time. I am sure that if you have imported one into your system and if it does something destructive, you will see primarily in terms of the destruction that it does. However, similar damage could have been done by any Trojan Horse or even by your own error. The problem with the virus is not in the damage that it does to one system, but with the damage that it does to a population and to the fabric of trust that is essential to the sharing of programs and other data and to commerce in general. Suppose that viruses become so pervasive that even those who have never seen one become afraid to use any program that they did not write themselves. Suppose that because of the publicity received by viruses, the public at large were to loose confidence in all computers, in the information they generate, and in information in general. If you think that that is far-fetched, then I ask you to think back to the panic that followed the Tylenol contamination. In a society in which 1500 hundred people a year die early because of the use of asbestos, another 15000 from the use of fossil fuels, 40,000 from the use of the automobile and 200,000 from the use of tobacco, the level of concern was out of any realistic proportion to the number of deaths. But it was not out of proportion to the effect of the loss of confidence in the medicine supply or even of the food supply. I suggest that it was the unconscious concern for the effects of the potential loss of confidence that caused the panic. The perpetrators of the virus know very well how it will behave in the target system, but they have no idea how it will behave in the population. The XMASCARD program did not do any damage in the user's machine, but it brought a multi-million dollar network to its knees. The scope and sensitivity of that network was not only beyond the perpetrator's knowledge, but it was beyond his comprehension. The perpetrators of these toys are, like the sorcerors apprentice, playing with powers far beyond their knowledge or control. The potential for damage is far beyond their puny powers to predict, skills, motives, or their intent. They are toying with the mechanisms of cooperation and coordination that characterize humanity. They are to be pitied for their ignorance, but they are not to be tolerated, much less admired or emulated. A society that depends for its own proper functioning upon any mechanism, dare not tolerate any interference with the intended operation of that mechanism. Bill Murray WHMurray at DOCKMASTER -------------------- Date: Mon, 2 May 88 08:05:47 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List Comments: Resent-From: "Kenneth R. van Wyk" Comments: Originally-From: WHMurray@DOCKMASTER.ARPA From: "Kenneth R. van Wyk" Subject: "Write-protection" for hard disks And another forwarded submission: Ken - ---------------------------------------------------------------------- = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: = This just in: = = BITNET: = Humptey Dumptey was pushed! = - ---------------------------------------------------------------------- - --------------------------Original message---------------------------- On April 22, 1988 I received two back issues of a newsletter entitled "Computer Virology" along with a product description for the Disk Defender (tm). "Computer Virology is published in Evanston, Illinois by Director Technologies, Inc. Director Technologies is the manufacturer of DISK DEFENDER, a product which write protects in hardware all or part of a personal computer hard disk. It is our belief that hardware write protection is the only 100% reliable virus protection for the operating system and commonly used programs." If you have any comments, questions, suggestions or article submissions, please address them to:" Director Technologies, Inc. Technology Innovation Center 906 University Place Evanston, IL 60201 312-491-2334 [Quoted without permission from the masthead of the newsletter. I am in no way associated with this firm. This is not a recommendation or endorsement of their product.] The product appears to be a half-card that installs between the drive and the hard disk drive controller card. It can make a portion of the or all the hard disk "write-protected." It has an outboard component with a 3-position switch which permits you to select between "full|zone|none." The outboard switch can be removed in order to remove the discretion from the user. In other words, it is a hardware write-protect tab for a hard drive zone. The size of the zone appears to be chosen by setting dip-switches on the card itself. To suggest that it is 100% effective against a virus is to overstate. Studies in biology suggest that a virus can thrive even in a population in which a large percentage of the members are immune, if a there is sufficient commerce among the non-immune members. This is not an argument against vaccines but only a caution about the limits of their effectiveness. Depending upon design of the virus, the target system and population, and the chosen distribution vector, the effectiveness of this mechanism against the spread of the virus might vary from high to none at all. Good hygiene is the general defense against viruses, but there are limits to how effective it can be. Nonetheless, the individual can and should protect himself within those limits. Page 1 -------------------- Date: Mon, 2 May 88 09:32:17 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Jim Eshleman >Date: Tue, 26 Apr 88 09:39:51 CDT >From: Frank Peters >Subject: MacIntosh Virus Information Request >To: Hello, We are interested in obtaining information about virus programs (both causes and cures) on the Apple MacIntosh. There seems to be information available on IBM PC problems but very information about the Mac. Is this because there are fewer virus programs for the Mac or because of smaller interest in the mac? Thanks Frank Peters Mississippi State Computer Center Jim Eshleman Lehigh University Computing Center -------------------- Date: Mon, 2 May 88 09:34:43 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Jim Eshleman >From: "John D. Abolins" >To: Virus Discussion List Subject: LaSalle talk of 288 April 88 concerning the "viruses" I did go to the lecture at LaSalle yesterday. I am still working on translating my quick notes into readable text. This should ready some time next week. Overall, the lecture was excellent and thourough without giving too much detail (to any unscruplous people in the audience.) After the talks by the panalists, MS-DOS anti-virus program disks were made available to the public. The disks contain public domsain and share ware software plus general virus text files. Three of the panalists work with companies which produce virus detection software. More on this later. Incidentally, if anyone on this forum is interested in any printed items from the forum or elsewhere, please leave me note. I can arrange for copies of much of these items. J. D. Abolins Jim Eshleman Lehigh University Computing Center -------------------- Date: Mon, 2 May 88 15:12:41 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: (old) Amiga virus information, for what it's worth... I just found some information that I had sitting around concerning an Amiga virus. It's kind of old, but it could be interesting to some people, so here it is: - ------- From: bill@cbmvax.UUCP (Bill Koester CATS) Newsgroups: comp.sys.amiga Subject: Amiga VIRUS Date: 13 Nov 87 19:32:05 GMT Organization: Commodore Technology, West Chester, PA THE AMIGA VIRUS - Bill Koester (CATS) When I first got a copy of the Amiga VIRUS I was interested to see how such a program worked. I dissassembled the code to a disk file and hand commented it. This article will try to pass on some of the things I have learned through my efforts. 1) Definition. 2) Dangers. 3) Mechanics 4) Prevention 1. - Definition. The Amiga VIRUS is simply a modification of the boot block of an existing DOS boot disk. Any disk that can be used to boot the Amiga (ie workbench) has a reserved area called the boot block. On an Amiga floppy the bootblock consists of the first two sectors on the disk. Each sector is 512 bytes long so the boot block contains 1024 bytes. When KickStart is bringing up the system the disk in drive 0 is checked to see if it is a valid DOS boot disk. If it is, the first two sectors on the disk are loaded into memory and executed. The boot block normally contains a small bit of code that loads and initializes the DOS. If not for this BOOT CODE you would never see the initial CLI. The normal BOOT CODE is very small and does nothing but call the DOS initialization. Therefore, on a normal DOS boot disk there is plenty of room left unused in the BOOT BLOCK. The VIRUS is a replacement for the normal DOS BOOT CODE. In addition to performing the normal DOS startup the VIRUS contains code for displaying the VIRUS message and infecting other disks. Once the machine is booted from an infected disk the VIRUS remains in memory even after a warm start. Once the VIRUS is memory resident the warm start routine is affected, instead of going through the normal startup the VIRUS checks the boot disk in drive 0 for itself. If the VIRUS in memory sees that the boot block is not infected it copies itself into the boot block overwriting any code that was there before. It is in this manner that the VIRUS propagates from one disk to another. After a certain number of disks have been infected the VIRUS will print a message telling you that Something wonderful has happened. 2. - Dangers. When the VIRUS infects a disk the existing boot block is overwritten. Since some commercial software packages and especially games store special information in the boot block the VIRUS could damage these disks. When the boot block is written with the VIRUS, any special information is lost forever. If it was your only copy of the game then you are out of luck and probably quite angry!! 3. - Mechanics. Here is a more detailed description of what the virus does. This is intended to be used for learning and understanding ONLY!! It is not the authors intention that this description be used to create any new strains of the VIRUS. What may have once been an innocent hack has turned into a destructive pain in the #$@ for many people. Lets not make it any worse!! a.) Infiltration. This is the first stage of viral infection. The machine is brought up normally by reading the boot block into memory. When control is transferred to the boot block code, the virus code immediately copies the entire boot block to $7EC00, it then JSR's to the copied code to wedge into the CoolCapture vector. Once wedged in, control returns to the loaded boot block which performs the normal dos initialization. Control is then returned to the system. b.) Hiding Out. At this point the system CoolCapture vector has been replaced and points to code within the virus. When control is routed through the CoolCapture vector the virus first checks for the left mouse button, if it is down the virus clears the CoolCapture wedge and returns to the system. If the left mouse button is not pressed the virus replaces the DoIO code with its own version of DoIO and returns to the system. c.) Spreading. The code so far has been concerned only with making sure that at any given time the DoIO vector points to virus code. This is where the real action takes place. On every call to DoIO the virus checks the io_Length field of the IOB if this length is equal to 1024 bytes then it could possibly be a request to read the boot block. If the io_Data field and A4 point to the same address then we know we are in the strap code and this is a boot block read request. If this is not a boot block read the normal DoIO vector is executed as if the virus was not installed. If we are reading the boot block we JSR to the old DoIO code to read the boot block and then control returns to us. After reading, the checksum for the virus boot block is compared to the checksum for the block just read in. If they are equal this disk is already infected so just return. If they are not equal a counter is incremented and the copy of the virus at $7EC00 is written to the boot block on the disk. If the counter ANDed with $F is equal to 0 then a rastport and bitmap are constructed and the message is displayed. d.) Ha Ha. < Something wonderful has happened > < Your AMIGA is alive!!! > < and even better > < Some of your disks are infected by a VIRUS > < Another masterpiece of the Mega-Mighty SCA > 4. - Prevention. How do you protect yourself from the virus? 1) Never warm start the machine, always power down first. (works but not to practical!) 2) Always hold down the left mouse button when rebooting. (Also works, but only because the VIRUS code checks for this special case. Future VIRUS's may not!) 3) Obtain a copy of VCheck1.1 and check all disks before use. If any new virus's appear this program will be updated and released into the public domain. VCheck1.1 was posted to usnet and will also be posted to BIX. ( Just like the real thing the best course of action is education and prevention!) Bill Koester -- CBM >>Amiga Technical Support<< UUCP ...{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill PHONE (215) 431-9355 - ---------------------------------------------------------------------- = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: = This just in: = = BITNET: = Humptey Dumptey was pushed! = - ---------------------------------------------------------------------- -------------------- Date: Mon, 2 May 88 16:19:14 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Jim <15360JIM@MSU> Subject: anti-virus program request procedures I tried to get the lastest version of FLUSHOT, the anti-Virus/anti-Trojan progr an for MSDOS. If anyone knows the exact procedures to download that, please write to me at 15360jim@msu. Thank you! -------------------- Date: Mon, 2 May 88 17:23:14 +0300 Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Y. Radai" Subject: The Israeli viruses Loren Keim writes (25 Apr): > Israeli Virus: Not much is known. It apparently attaches itself > to all executable files, appending itself to the end of the file. > Watch for growing files. I must admit I find Loren's first sentence rather surprising. The one thing that spreads faster than a virus is news *about* the virus. And since the rather detailed report which I wrote on the Israeli virus for the Info-IBMPC digest has apparently been reprinted in about a dozen other digests and news- letters, I thought that as much was known about our virus as about others. But I guess I was wrong, so here are the details: It works in two stages: When you execute an infected EXE or COM file the first time after booting, the virus captures interrupt 21h and inserts its own code. After this has been done, every time any EXE file is executed, the virus code is written to the end of that file, increasing its size by 1808 bytes. COM files are also affected, but the 1808 bytes are written to the beginning of the file, another 5 bytes (the string "MsDos") are written to the end, and this extension occurs only once. Symptoms: (1) Because of this continual increase in the size of EXE files (apparently a bug), such programs eventually become too large to be loaded into memory or there is insufficient room on the disk (hard disk or diskette) for further extension. (2) After a certain interval of time (apparently 30 minutes after infection of memory), delays are inserted so that execution of programs takes up to 5 times as long. Also, some weird things happen on the screen. (3) If memory becomes infected when the date is set to a Friday the 13th (the next such date being May 13, 1988), any program file which is subsequently executed on that date (without rebooting first) gets deleted. (Other files may also be affected.) Note that this virus infects even read-only files, that it does not change the date and time of the files which it infects, and that while the virus cannot infect a write-protected diskette, you get no clue that an attempt has been made by a "Write protect error" message since the possibility of writing is checked before an actual attempt to write is made. Actually, this is only one of four viruses which have been discovered by us so far, although the others are apparently only annoying, not destructive. One of them is but a slight variant of the above virus; it behaves the same with respect to (1), the 30 minutes in (2) is only 30 seconds, and the erasure in (3) does not succeed, due to a bug. It is probably an earlier version of the above virus. There are several things you can do to detect, prevent, and/or eradicate this virus even without any special software. Detection: Choose one of your EXE files (preferably your most frequently executed one), note its length, and execute it twice. If it does not grow, it is not infected by this virus. If it does, the present file is infected, and so, probably, are some of your other files. (Another way of detecting this virus is to look for the string "sUMsDos" starting in the 4th byte of COM files or about 1800 bytes before the end of EXE files; however, this method is less reliable since this string can be altered without attenuating the virus. In the variant, the corresponding string is "sURIV 3.00".) Prevention: In addition to the usual general precautions, avoid running programs on any Friday the 13th. Of course, you can fake the date. But if your computer has been set to Friday the 13th by a clock-calendar card and one of the programs in your AUTOEXEC.BAT file is infected, it will be too late to change the date after completion of AUTOEXEC. Cure for infected files: Replace each infected file by a healthy copy (if you have one). However, note that even if you succeed in replacing all infected files, the virus will recur if memory remains infected, so re-boot immediately after replacement. The two other viruses have April 1 as their target date. One of them affects only COM files while the other affects only EXE files. If the date has been set to April 1, they display the message "APRIL 1ST HA HA HA YOU HAVE A VIRUS". In the EXE version this happens as soon as any infected EXE file is executed, whereas in the COM version it happens only after (1) an infected COM file is executed, thereby infecting memory, and (2) any other COM file is executed. In either case they lock up, forcing you to cold boot. Moreover in the EXE version there is also a lockup, without any message, one hour after infection of memory on any day on which you use the default date of 1-1-80. However, to the best of our knowledge they do not destroy any information. In both versions the file is extended only once. The main identifying string (corresponding to "sUMsDos" in the Friday the 13th virus) is "sURIV 1.01" in the COM version and "sURIV 2.01" in the EXE version. As a curiosity, all three viruses which attack EXE files write the year "1984" into the 19th and 20th bytes of each EXE file which they infect (in the form 84h 19h), replacing the checksum which normally appears there. I hadn't heard of any occurrence of these four viruses outside of Israel until I read (in Joseph Beckman's message of 29 April) that Fred Cohen stated that the Hebrew U. virus (presumably meaning the original Friday the 13th virus) has spread to the U. S. Automatic detection, prevention and cure: A pair of programs has been developed for these viruses by Yuval Rakavy, a student in our Computer Science Dept., and Omri Mann. One of them, UNVIRUS, cures already infected files by removing the virus code; it is specific to these four viruses. The other one, IMMUNE (a RAM-resident program), prevents future infection of memory and dis- plays a message when there is any attempt to infect it; it may also be useful against some other viruses. There are, of course, general-purpose programs which prevent file infection by preventing writing and formatting of disks when such protection is desired. I guess BOMBSQAD is sufficiently well known that I don't have to describe it. Another program, PROTECT, prevents writing onto specific drives (e.g. C:). (I have a slightly improved version of the program which first appeared in the Jan. 13, 1987 issue of PC Magazine.) The protection is easily toggled on and off (even when you're not on the DOS command level if you've got something like HOT-DOS available). The weakness of programs such as these is that a virus or Trojan horse could issue a write or format command directly to the controller of a hard disk. A more secure protection would be a hardware device placed between the controller and the drive. I am familiar with one such device, called Disk Defender. It involves dividing the hard disk into two logical drives in any desired size ratio, one of which is protected against *all* writes, while the other is unprotected. (You can easily unprotect the protected drive temporarily in order to transfer files to it.) The trouble with this system is its initial incon- venience: it requires a complete reorganization of your hard disk (moving all files and subdirectories into two separate directories according to whether they are to be protected or not), followed (and preferably also preceded) by a complete backup of the disk, followed by a re-format of the disk and restoration of its contents. * * * * * The above-mentioned authors of the Israeli anti-viral software have now developed a program which can detect infection of a file by *any* virus. Probably most of you don't believe that such a thing is possible. But this report is already getting too long, so I'll leave the description of that program to a subsequent report. Y. Radai Computation Center Hebrew Univ. of Jerusalem RADAI1@HBUNOS.BITNET -------------------- Date: Mon, 2 May 88 16:48:11 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "David M. Chess" Subject: The Israeli viruses > (Other files may also be affected.) Do you have anything in particular in mind when you say that? I've heard from people who have done quite a bit of work disassembling the creature that only EXE and COM files are altered. Have you heard of it changing any others? DC -------------------- Date: Mon, 2 May 88 15:34:39 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: Joe Simpson Subject: Miami computer virus infection THIS IS A FIRST DRAFT OF A POSTING TO THE VIRUS-L LISTSERV GROUP. PLEASE RESPOND WITH EDITORIAL COMMENTS. MIAMI UNIVERSITY WAS HIT BY AN OUTBREAK OF MS-DOS AND MACINTOSH VIRUS APPROXIMATELY 10 DAYS BEFORE THE END OF SEMESTER. VIRUS APPEARED IN VIRTUALLY EVERY MICRO LAB ON CAMPUS WITHIN 2 DAYS OF FIRST NOTICE. THE IBM VIRUS APPEARED TO BE A VARIANT OF BRAIN. THE MAC VIRUSES APPEARED TO BE IDIOT AND SCORES. SCREENING PROCEDURES WERE INSTITUTED IN THE LABS TO DETECT AND QUASH VIRUS INFECTED DISKETTES. DETECTION BECAME MORE ACCURATE OVER TIME. THE PROCEDURE USED TO DISINFECT DISKETTES IS: 1) COPY DATA FILES (WP, SPREADSHEET, DATABASE) TO "CLEAN MEDIA" 2) FORMAT INFECTED DISKETTE ABANDONING ANY DOS AND OTHER EXECUTABLE FILES. 3) COPY DATA FILES BACK ONTO THE USER DISKETTE. THERE IS SOME REASON TO BELIEVE THAT THIS PROCEDURE IS OVERLY CAUTIOUS. IN THE MS-DOS WORLD: SCREENING PROCEDURES STARTED WITH LOOKING FOR THE WORD "BRAIN" IN THE DISKETTE LABEL. NOW WE LOOK FOR THREE OR MORE CONTIGUOUS BAD SECTORS USING SOMETHING LIKE THE NORTON UTILITIES. A STUDENT HAS WRITTEN A PROGRAM TO LOOK FOR VIRUS IN RAM. THE SAME STUDENT IS ATTEMPTING TO REVERSE ENGINEER A SOLUTION. FRED COHEN FROM UNIV. CINN. HAS BEEN UP TO ASSIST US AND WOULD PROBABLY HAVE GOOD INFORMATION ON THE VIRUS IF HE HADN'T CONTRACTED ONE OF THE HUMAN VARIETY LAST NIGHT. INFECTED DISKETTES HAVE BEEN POSTED TO BOWLING GREEN FOR STUDY (AND OF COURSE TO FRED). AT THIS POINT WE ARE NOT SURE HOW LONG THE DORMANT PHASE OF THIS VIRUS WAS. IT MAY HAVE BEEN SEVERAL MONTHS. SUBJECT TO FRED'S AND THE STUDENT'S NEW INFORMATION HERE IS WHAT WE BELIEVE ABOUT THE MS-DOS VIRUS. IT IS A VERSION OF PAKISTANI BRAIN. IT PROBABLY CANNOT INFECT A HARD DISK. MORE ON THIS WHEN WE REALLY KNOW. PROPERLY INSTALLED LAN'S APPEAR TO OFFER PROTECTION(BECASE OF THE ABOVE?) IT LIVES IN THREE CONTIGUOUS CLUSTERS (FIVE SECTORS) MARKED BAD IN THE FAT. THE VIRUS INSTALLS IN HIGH RAM AND CAN BE DETECTED THERE USING STANDARD DOS CALLS. WE HAVE DISASSEMBLED APPROXIMATELY 1/3RD OF THE CODE. IT MAY INFECT THE FOLLOWING FILES: COMMAND.COM, PRINT.COM, FORMAT.COM. FRED HAS A CHECKSUM PROGRAM THAT WE USED TO DIAGNOSE THIS BEHAVIOR. WE HAVEN'T FOUND THE CODE THAT DOES THIS. IT DOES ALTER THE BOOT RECORD ON BOTH SYSTEM DISKETTES AND DATA DISKETTES. BOOTING, EVEN WITH A DATA DISKETTE! LOADS BRAIN INTO RAM TO SPREAD INFECTION. DAVID KARIPEDES HAS DISASSEMBLED APPROXIMATELY ONE THIRD OF THE VIRUS AND HAS COME TO THE FOLLOWING CONCLUSIONS: 1. WHEN AN INFECTED BOOT SECTOR IS PROCESSED, BRAIN LOADS IN TO 7 K AT HIGH RAM. 3K OF PROGRAM, THE BRAIN BOOT BLOCK, AND THE ORIGIONAL BOOT BLOCK ARE LOADED WITH 2 I/O BUFFERS. 2. BRAIN POINTS THE $13 DISK INTERRUPT TO ITSELF AND MEDIATES ALL DISK I/O VIA AN INTERRUPT IT INSTALLS AT $6D. BRAIN ONLY ACTS AGAINST DISK READS. PROBABLY USING A COUNTDOWN TIMER IT CHECKS THE BOOT RECORD OF THE DISKETTE WITH POSTED I/O FOR INFECTION IF NOT INFECTED IT INFECTS FLOPPIES. 3. BRAIN CHECKS THE DL REGISTER ON READS AND ONLY INTERVENES IF 0,1, OR 2. THUS, IT PROBABLY CANNOT INFECT A HARD DISK. 4. THE INFECTED BOOT RECORD LOADS BRAIN FROM THREE CONSECUTIVE SECTORS THAT ARE MARKED BAD IN THE FAT. FIVE SECTORS ARE ACTUALLY USED, 3 FOR THE EXECUTABLE CODE, ONE FOR BRAINS BOOT RECORD, AND ONE FOR THE ORIGIONAL BOOT RECORD. 5. IF RAM IS INFECTED, EVEN USING LOW LEVEL DISK UTILITIES BRAIN WILL FEED YOU THE FALSE (ORIGONAL) BOOT RECORD! 6. AT PRESENT YOU MUST COMMUNICATE WITH DAVID VIA MY BITNET ACCOUNT. 7. A STAFF MEMBER IS WRITING A DISKETTE SANITIZING PROGRAM WHICH WE WILL POST TO VIRUS-L. THE VIRUS WILL PLACE BRAIN IN THE DISKETTE VOLUME LABEL AND REMOVE IT PERIODICALLY. THUS, ABSCENCE OF BRAIN IS NOT ASSURANCE OF A CLEAN DISKETTE. SOME OF THE THINGS THAT THE PRUDENT COMPUTER USER SHOULD DO IN THE COMPUTER AGE (SAGE WISDOM SUBJECT TO FREQUENT REVISION): USE ATTRIB TO MAKE COMMAND.COM AND MANY OTHER FILES READ ONLY. THIS LIST SHOULD PROBABLY INCLUDE PROGRAMS. BACKUP, BACKUP, BACKUP, BACKUP. I KEEP A 3 WEEK ROLLING BACKUP TO PROTECT MYSELF FROM DORMANT PHASE VIRUSES AS OBSERVED IN THE MAC WORLD. WRITE PROTECT ALL ORIGIONAL DISKETTES WITHIN SECONDS OF OPENING THE SHRINK WRAP. WHEN TRANSFERRING INFORMATION BETWEEN COMPUTERS USE DISKETTES THAT CONTAIN NO EXECUTABLES (SYSTEM AND APPLICATIONS SOFTWARE). WHERE POSSIBLE BOOT FLOPPIES SHOULD BE WRITE PROTECTED. IT IS NOT KNOWN AT THIS TIME WHETHER WRITE PROTECTION IS HARDWARE OR SOFTWARE MEDIATED. WE ARE FOLLOWING UP WITH IBM. IN THE MACINTOSH WORLD WE SUSPECT THAT WE WERE INFECTED BY SCORES AND IDIOT. MAC USERS ARE MUCH MORE ATONOMOUS AND OUR INFORMATION IS NOT AS GOOD. WE ARE STILL TRYING TO OBTAIN COPIES OF INFECTED MACINTOSH DISKETTES. IN THE MEAN TIME WE ARE DISTRIBUTING KILLVIRUS, VACCINE, AND FERRET 1.1. DIAGNOSIS RELIES UPON FINDING CHARACTERISTIC SIGNATURE FILES. PRESENT RECOMMENDATIONS FOR PREVENTION INCLUDE ALL OF THE ABOVE RECOMMENDATIONS FOR THE MS-DOS WORLD PLUS RUNNING KILLVIRUS OR VACCINE. SOME THINGS WE ARE CONSIDERING FOR NEXT YEAR. ENCOURAGE STUDENTS TO EXCHANGE INFORMATION ON DATA DISKETTES THAT DO NOT INCLUDE EXECUTABLES. MORE WRITE PROTECTION AT DOS ATTRIB LEVEL AND HARDWARE LEVEL. INVESTIGATE VIRUS PROTECTION SOFTWARE. IN THE MAC WORLD WE ARE USING VACCINE AND LOOKING AT VIRUSDETECTIVE AND KILLVIRUS. INVESTIGATE VIRUS PROTECTION IN THE MS-DOS WORLD? USE LOCAL HACKS TO PERIODICALLY LOOK FOR RAM RESIDENT SOFTWARE THAT SHOULDN'T BE THERE? -------------------- Date: Mon, 2 May 88 16:54:24 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Peter G. Neumann" Subject: Re: (old) Amiga virus information, for what it's worth... In-Reply-To: <8805022025.AA21543@csl.sri.com> Gee, That was in RISKS-5.71, 7 December 1987! But thanks anyway. And many thanks for VIRUS-L. Should be lively for you to keep track of everything. Should I mention it in RISKS, or would that FLOOD YOU with overhead? Maintaining mailing lists is a bear, even with LISTSERVE! P. - ----- -------------------- Date: Mon, 2 May 88 17:16:32 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: OJA@NCCIBM1 Subject: A request for virus info In a recent issue of RISKS, a Congressional aide asked for information concerning computer viruses and their possible impact on national security. If you have input concerning this subject, you can contact- Herb Lin House Armed Services Committee 2120 Rayburn House Office Building Washington, DC 20515 (215) 951-1255 J.D. Abolins -------------------- Date: Mon, 2 May 88 17:18:35 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Peter G. Neumann" Subject: Re: (old) Amiga virus information, for what it's worth... In-Reply-To: <8805022025.AA21543@csl.sri.com> Terrrific. I have your contribution about VIRUS-L and will post it. By the way, is it not Humpty Dumpty? P. - -----