Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA13750; Fri, 1 Jun 90 11:17:13 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA20349; Fri, 1 Jun 90 11:17:09 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA29626; Fri, 1 Jun 90 11:17:00 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa22908; 1 Jun 90 15:56 BST From: Anthony Appleyard To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu> Date: Fri, 01 Jun 90 16:06:12 BST Message-Id: <$TGTWCZCFFBQQ at UMPA> Subject: Virus-L vol 0 issue #0506 Virus-L Digest Fri, 6 May 88, Volume 0 : Issue #0506 Today's Topics Re: A thought... A reader's description of LaSalle talk. Re: The Shockwave Rider. Re: Virus Construction Set files ** no subject, date = Fri, 6 May 88 14:12:40 EDT RE: Re: Virus Construction Set re: hardware damage Re: RE: Re: Virus Construction Set ** no subject, date = Fri, 6 May 88 14:52:38 edt ** no subject, date = Fri, 6 May 88 14:56:50 EDT How can we protect programs from viruses? Flushot-Plus version 1.2 now available from SIMTEL20 ------------------------------ Date: Fri, 6 May 88 12:31:00 LCL Reply-To: Virus Discussion List Sender: Virus Discussion List From: Michael Wagner new! +49 228 8199645 Subject: Re: A thought... A number of things were said in this posting that were addressed by others, so I won't repeat it, but one bears comment still: > From: GREENY > > ...we all must work together in the eradication of ...(viruses)... > You don't see the US government saying "well AIDS is pretty nasty > stuff, no one can touch it but us, and we'll get back to ya with > our results later..." Actually, that is exactly what I saw the US government doing for the longest time. In fact, for several years, the government solution to AIDS was 'a hope and a prayer'. Stop promiscuity and AIDS will go away by itself. And besides, AIDS only strikes people who are non-white, or homosexual or drug abusers. Nothing there for decent people to worry about. Why should we research the thing? Why should we provide care for the afflicted? Nobody we care about is affected! > --- EVERYONE IS WORKING TOGETHER on the eradication of that deadly > disease and it should also be such with computer viruses.... This is a relatively new phenomenon that real research is being done on AIDS, and recent studies have shown that the delay will be responsible for untold deaths. The stakes are clearly different with computers, but the idea isn't much different. Work done now to understand and limit virus spread will save much pain later. Michael -------------------- Date: Fri, 6 May 88 08:42:58 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: A reader's description of LaSalle talk. I just got this description of the LaSalle virus seminar from J.D. Abolins - thanks J.D.! Ken - --------------- Computer Virus Seminar at La Salle University reported by J.D. Abolins OVERVIEW (Philadelphia,PA) On Thursday, 28 April 1988, the Philadelphia Area Computer Society (PACS) and La Salle University Academic Computing presented a seminar on computer viruses. The panelists for the seminar were- - John Hagman, a Personal Computer (PC) Support Analyst with the Phildelphia Electric Company (PEC) - Donald Montabana, a MacIntosh and PC support specialist at the University of Pennsylvania - Steve Weissman, vice-president of PACS and a systems operator (sysop) for one of PACS bulletin borard system's (BBS) sections. - Raymond Glath, president of RG Software Systems, Inc. - Pam Kane and Andy Hopkins, both from Panda Systems. Steve Longo, the president of PACS and the director of La Salle University Academic Computing, moderated the seminar. The panelists took turns speaking, Instead of using a rigid, subject-based outline for the presentations, the presentations focused on the speakers' own experiences and viewpoints. At certain points, the audience was given a chance to ask questions and to make comments. The audience participation was lively. (15 minutes before the seminar began, there were only a few people in the audience but by the time the seminar got under way, the room was filled.) After the seminar, copies of virus literature was distributed. PACS had an anti-virus/anti-Trojan programs disk available for purchase. THE PRESENTATIONS RAY GLATH: Ray Glath, the first speaker, told how when he started working with computers over 20 years ago, there were some cases of malicious programs. But in those days, those programs did not go far. Today, several factors have contributed to the ability of such programs to move rapidly. First is the proliferation of the microcomputers; in short, there are far more computers than in 1964. The other factor is the "pass around" attitude towards software along with a casual attitude towards software piracy. Mr. Glath described shareware and freeware as good marketing approaches but warned that there are some nasty people who modify good programs, making harmful copies of them. A virus, as defined by Mr. Glath, is "a nasty" that replicates itself. But whether the nasty program is a virus or a Trojan Horse, it all boils down to computer sabotage. He outlined the types of nasty programs- - MASSIVE DESTRUCTIVE which destroy the whole computer system. - PARTIAL DESTRUCTIVE which may attack the File Allocation Table (FAT) or the boot sector of a hard disk. - SELECTIVE ATTACK which attacks specific files (eg.; COMMAND.COM or .EXE files.) - RANDOM ATTACK which are elusive. They have no easily discerned mode of attack and, thus, escape detection for a long time. - NON_DESTRUCTIVE which are annoyances. They usually produce messages or modify disk labels. Mr. Glath closed his presentation by noting that the virus proliferation is a real trend that is getting considerable attention, but one will be quite safe if one takes precautions. DONALD MONTABANA: Mr. Montabana reviewed his experiences with computer viruses at the University of Pennsylvania. Since January 1988, the number of virus incidents had not been severe. On average day, he would get five to seven calls about possible virus attacks; most of them were false alarms. On the University's campus, only 10% or less of the calls are actual virus attacks. Most of the recent cases involve ASHAR, BRAIN, or their variants. These types have been prevalent on several other campus as well. These programs will modify disk volume labels; some of them are quite destructive. They get their names from the names they will put into the volume labels. Mr. Montabana noted that the BRAIN virus will infect only the 360K format disks. Other formats, such as the 720K and 1.44M, are immune to the current version of BRAIN. He noted that BRAIN, unfortunately, can eat away at the FAT and that it resides on the boot sector of a hard disk. Mr. Montabana also described some of the precautions used at the University for "safe computing". Certain of the Local Area Networks (LAN's) are isolated. Their users are restricted in what diskettes they can use on these systems. Even blank, formatted diskettes are off-limits. Only unformatted diskettes are allowed to be brought in; they are formatted on these "clean" computers. The arrogance of some virus writers was noted by Mr. Montabana when he told about the threats by virus writers aimed at Tom Brown, the author of VACCINE for the MacIntosh. The virus writers threaten to unleash nastier programs that will circumvent VACCINE's defenses if Tom Brown continues developing anti- virus programs. He noted that the National Computer Security division of the National Security Agency (NSA) is tracking down the perpetrators, intending to prosecute them. Mr. Montabana, along with the other panelists, hope that the sucessful prosecution of virus writers will deter future virus makers. Also, he forsees specific anti-virus legislation down the line. JOHN HAGMAN: Mr. Hagman explained how he became interested in malicious programs after several "hard cards" (hard disks mounted on a card) crashed within weeks of installation at his office. The disks had their boot sectors wiped out. Although the cause of these crashes is still unknown, the incidents perked his curiousity. PEC asked Mr. Hagman to research available defenses against viruses and other malicious programs. So he looked into the various commercial and non-commercial programs. He commented, "There is no piece of software that is going to be the answer." The most popular of these program protect the operating system by checking it periodically against a backup or by using numeric checksum methods. Others look for direct reads and writes to disks. Besides anti-virus software, Mr. Hagman mentioned several other safeguards. Write-protect one's original DOS diskette. Periodically, re- install the systems files on one's hard disk. Computer installations may consider the policy used by PEC- no unauthorized software on the company's machines. STEVE WEISSMAN: He started his presentation by saying that he himself has not seen a virus and that he is somewhat of a "doubting Thomas". He proceeded to describe his experience as a computer systems administrator for a large company and as one of the sysops for the PACS BBS. In both areas, he has not encountered a virus. Mr. Weissman described several factors that has kept his section of the PACS BBS virus-free. The first safeguard is that PACS gets its public domain/shareware software from large software distributors which, for their own protection, check the software. Second, the PAC BBS is a closed BBS; only PACS members can get access. Each uploaded file can be traced back to the person who uploaded it. During the seminar, Mr. Weissman emphasized, "Backup. Backup. Backup," ones data. Regarding the future of the viruses, he said that he does not know but he hopes that well-publicized prosecutions will stop the trend. PAM KANE: The two represenatives from Panda Systems covered separate aspects of the virus problems. Ms. Kane dealt with them from the human resources aspect while Mr. Hopkins covered the technical aspects. Ms. Kane expressed her concern that "BBS's and shareware are getting the image of being the 'public baths' of the computer world." She admonished computerists not to panic but, rather, to take wise precautions. Comparing the viruses to the AIDS situation, she advised that if one is "monogamous" with one's computer, one will be quite safe. She also noted that main mode of virus infection is through innocent spreading by people who are unaware of the viruses. Two of the most prominant categories of innocent carriers are 1) the people who take computer work home with them, and 2) the people who do not have a computer at home and are using their office computers for computer course homework. Both of these categories represent some of the most valuable workers in a corporation. Ms. Kane mentioned some of the precautions to prevent virus spread. One of these methods is to boot from floppy when preparing to call a BBS to download files. The files should be downloaded to a floppy, not to the hard disk. If one does get a virus, remember to use low-level format when cleaning up the hard disk. She emphasized the importance of keeping aware of the files on one's hard disk- "Be in touch with your hard drive." ANDY HOPKINS: Mr. Hopkins told how the popular Trojan Horse and virus detctor programs CHK4BOMB and BOMBSQAD were both unauthorized releases of software developed by Panda Systems. Some versions of these programs, he warns, have been modified and made into destructive programs. He explained how the Doctor Panda Utilities ultilize the methods similar to the two programs, but with additional features. The Utilities have a three-part approach- - PHYSICAL which creates a "clean model" of the computer system and uses the "model" to check for abnormal alterations of systems files and any other files specified by the user. - LABTEST which reads a specified file, checks for commands bypassing DOS, and displays any embedded ASCII characters. - MONITOR which loads into the memory and monitors for specified types of disk activity, stopping the system if any are encountered. CONCLUSION From the presentations and the discussions, one could glean much information about computer viruses. While the speakers agreed that nobody can be sure about the future, they agreed that computerists are reasonably safe if they take reasonable precautions. The seminar was well worth the time and effort to get there. As I am writing the finish to this article, I am reminded of a concern expressed by many of the panelists. They were alarmed by the irresponsible computer journalists who have gone beyond informing the public about the viruses by giving "how-to" guides for writing viruses. It is a phenomenon that is especially prevalent in the MacIntosh field. (Perhaps because it appears to be easier to write a MacIntosh virus than a MSDOS one.) This is valid one, since it is important to inform computerists but there is no need to give aspiring virus writers their start. - ---------------------------------------------------------------------- = Kenneth R. van Wyk = _ /| = = User Services Senior Consultant = Ack Thippfft! \'o.O` = = Lehigh University Computing Center = =(___)= = = Internet: = U = = BITNET: = Bill 'n Opus in '88! = - ---------------------------------------------------------------------- -------------------- Date: Fri, 6 May 88 08:24:05 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Jim Frost Subject: Re: The Shockwave Rider. |As a "literary" note on viruses [...] Intrepid readers might like the book "P1" which is probably the first book dealing withh the topic ofviruses/worms. I've also read "Valentina" but the former is much better. Now back to your regularly scheduled virus reports.... jim frost madd@bu-it.bu.edu -------------------- Date: Fri, 6 May 88 08:32:11 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Jim Frost Subject: Re: Virus Construction Set |bad news from Germany. I have forgotten to tell you something in my |last message: Not all people concerned with computer viruses (esp. |virus programmers) over here are aware of what they are doing. In April |this year a unbelievable program called "VIRUS CONSTRUCTION SET (VCS)" |was released at the Hannover computer faire CeBIT. I don't know about in Germany, but it's my bet that anyone releasing such a beast in the United States would get a handful of lawsuits. I'd be in on sueing the hell out of them! What would prompt someone to write such a damaging "utility"? jim frost madd@bu-it.bu.edu -------------------- Date: Fri, 6 May 88 09:37:19 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: files A couple people have made some great suggestions for improving the uuencoding/uudecoding process here on VIRUS-L. So, I've included a BASIC version of uudecode (filename UUDECODE BAS) as well as a new improved uuencode/uudecode package called uu213 (filename UU213 UUE). The BASIC uudecoder will work with any GW-BASIC compatible BASIC interpreter...slowly. It is *not* ...er...shall I say, fast. But, for those of you who don't have Turbo Pascal, you can get the BASIC uudecoder, and the UU213 package. UU213, by the way, is a uuencoded ARC file containing a very fast uuencode and uudecode in executable form. Both of these files were obtained from the MS-DOS archives on SIMTEL20.ARPA. Thanks to all who sent in these suggestions and files! Hopefully, this will be the uuencode/uudecode to end all uuencode/uudecode's. :-) Ken - ---------------------------------------------------------------------- = Kenneth R. van Wyk = _ /| = = User Services Senior Consultant = Ack Thippfft! \'o.O` = = Lehigh University Computing Center = =(___)= = = Internet: = U = = BITNET: = Bill 'n Opus in '88! = - ---------------------------------------------------------------------- -------------------- Date: Fri, 6 May 88 14:12:40 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: OJA@NCCIBM1 One of the things mentioned in the discussions during the La Salle virus seminar was the existence of malicious program that would rewrite or erase firmware but rapid reads and writes which would heat up the EPROMs and erase them. I haven't heard of this before so I am putting out for comments, etc. The only form of hardward damage from a malicious program that I know of is an old Trojan Horse for the early Commodore PETs. It would burn out their monitors if allowed to run for a while. Just a quirk of the beastie. J. D. Abolins -------------------- Date: Fri, 6 May 88 13:59:00 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: Mitchel Ludwig Subject: RE: Re: Virus Construction Set >|bad news from Germany. I have forgotten to tell you something in my >|last message: Not all people concerned with computer viruses (esp. >|virus programmers) over here are aware of what they are doing. In April >|this year a unbelievable program called "VIRUS CONSTRUCTION SET (VCS)" >|was released at the Hannover computer faire CeBIT. > >I don't know about in Germany, but it's my bet that anyone releasing >such a beast in the United States would get a handful of lawsuits. >I'd be in on sueing the hell out of them! > >What would prompt someone to write such a damaging "utility"? Jim, Not that you (or anyone for that matter) will want to hear this, but chances are good that anyone wishing to market such a program in the U.S. will have no problem doing so. It's probably comparable to those selling the copy boards and such which would seem to be in direct violation of the shrink wrap laws (are those the correct laws?) Unfortunately, as I see it, the free speech laws (of the press... etc) allow such programs to be sold... We don't have to like it... But we do have to deal with it... Mitch Tag... You're it ____________ ____/--\____ //-n-\\ \______ ___) ( _ ____) _____---=======---_____ __\ \____/ / `--' ====____\ /.. ..\ /____==== ) `|=(- - - - - - - - - - -*// ---\__O__/--- \\ \------------' \_\ /_/ BITnet : MFL1@lehigh.bitnet Phonet : 215-758-1381 INTnet : KMFLUDW@vax1.cc.lehigh.edu Slonet : Box 72 Lehigh Univ. Bethlehem, PA 18015 -------------------- Date: Fri, 6 May 88 13:30:00 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: GREENY Subject: re: hardware damage > The only form of hardward [sic] damage from a malicious program that I know of > is an old Trojan Horse for the early Commodore PETs... Hmmm....I seem to remember a program for the Commodore VIC 20's that would fry out a ROM or two. Also the old tale from the days of core memory, of a nutty programmer that continually accessed a location in memory until the core that represented this memory location heated up. The core was directly over an overheat sensor. When the core got hot enuf, the sensor tripped, and the machine shut down. Good thing we don't use core memory anymore! Bye for now but not for long... Greeny Bitnet: MISS026@ECNCDC Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU Disclaimer: What?? Who? Me? Nope...not me! It's that guy over there! -------------------- Date: Fri, 6 May 88 14:28:03 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Jim Frost Subject: Re: |The only form of hardward damage from a malicious program that I know of | is an old Trojan Horse for the early Commodore PETs. It would burn out |their monitors if allowed to run for a while. Another such problem exists with the old monochrome boards for PC's. I haven't heard of any trojan horses/viruses which take advantage of it, but it exists. jim -------------------- Date: Fri, 6 May 88 14:39:22 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Jim Frost Subject: RE: Re: Virus Construction Set |>What would prompt someone to write such a damaging "utility"? | Not that you (or anyone for that matter) will want to hear |this, but chances are good that anyone wishing to market such a |program in the U.S. will have no problem doing so. It's probably |comparable to those selling the copy boards and such which would seem |to be in direct violation of the shrink wrap laws (are those the |correct laws?) It's not the same thing. You have a right to archive programs for your own use, which is why the copy people haven't been knocked out of business. Copying something does no harm to another person, unless it's illegal copying and there are laws against that. A virus can (is supposed to?) cause harm. The question isn't whether or not someone can be sued for it, but rather who gets sued. Should it be the person that sent out the virus, or should it be the company that made the virus creation program? In any case, the company has aided in the crime and may be at fault (although it might be possible to use a "people kill with guns but gun companies aren't held responsible" argument to get around this). I guess we'll never know until it happens. jim -------------------- Date: Fri, 6 May 88 14:52:38 edt Reply-To: Virus Discussion List Sender: Virus Discussion List From: Travis Lee Winfrey In-Reply-To: OJA%NCCIBM1.BITNET@cuvma.columbia.edu's message of Fri, 6 May 88 14:12:40 EDT <8805061822.AA00632@columbia.edu> Hi all; I'm new to this list. A few questions which may have been answered before: Is there a list anywhere of known viruses, malicious or otherwise? or of hardware/software combinations for which virus programs exist? Also, is there a list of antibody- and immunization-type programs, including those like chk4bomb that have been tampered with and re-released? it would be useful to have checksums published with these programs, although I suppose a virus writer wouldn't be too troubled to make a checksum balance out. perhaps multiple checksums could be used to foil simple padding. based on what has been discovered so far, does anyone have any feel for the percentages of malicious vs. nonmalicious/humorous/political viruses out there? can anyone recommend a beginning text on epidemiological analysis? :-), but I would really be interested in such a book. t -------------------- Date: Fri, 6 May 88 14:56:50 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" In-Reply-To: Message of Fri, 6 May 88 14:52:38 edt from >Is there a list anywhere of known viruses, malicious or otherwise? or of >hardware/software combinations for which virus programs exist? Wouldn't be too bad to start with DIRTY DOZEN, available here on VIRUS-L. It seems to be *reasonably* thorough. If you don't know how to get files from here, e-mail me directly and I'll let you know. Ken - ---------------------------------------------------------------------- = Kenneth R. van Wyk = _ /| = = User Services Senior Consultant = Ack Thippfft! \'o.O` = = Lehigh University Computing Center = =(___)= = = Internet: = U = = BITNET: = Bill 'n Opus in '88! = - ---------------------------------------------------------------------- -------------------- Date: Fri, 6 May 88 13:10:00 CST Reply-To: Virus Discussion List Sender: Virus Discussion List From: LOWEY@SASK Subject: How can we protect programs from viruses? Hi, I have written a number of utilities and programs which I put into the public domain. Usually they are written in Turbo Pascal, and the source code is distributed as well. One thought I had was include a CRC check in the program. Randomly throughout the code, the program would do a CRC check on its .EXE or .COM file (or optionally the executing image). If it didn't pass the test, then it would display a message that the program was tampered with and exit. I think Lotus 1-2-3 does this as part of its copy protection scheme. If something like this was added to the MS-DOS utilities and public domain programs, it could stop the spread of some viruses. For instance, if COMMAND.COM had such a check, it would be much harder for a hacker to patch a virus into it. Does anyone know of any method that protects your programs even if the hacker knows the method used to do the protection? In otherwords, a hacker can know how it was done, but not how to defeat it? Thanks, Kevin Lowey -- University of Saskatchewan Computing Services -------------------- Date: Fri, 6 May 88 19:38:00 MDT Reply-To: Virus Discussion List Sender: Virus Discussion List Comments: Warning -- original Sender: tag was KPETERSEN@SIMTEL20.ARPA From: Keith Petersen Subject: Flushot-Plus version 1.2 now available from SIMTEL20 The latest version of FLUSHOT, the anti-Virus/anti-Trojan program for MSDOS, is available via standard anonymous FTP from SIMTEL20 as... Filename Type Bytes CRC Directory PD1: FSP_12.ARC.1 BINARY 45646 2AD5H This is Flushot-Plus, version 1.2. It was obtained directly from the author, Ross Greenberg, to assure its validity. --Keith Petersen Maintainer of the MSDOS archives at SIMTEL20.ARPA