Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA18333; Tue, 5 Jun 90 14:37:52 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA19064; Tue, 5 Jun 90 14:37:49 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA20685; Tue, 5 Jun 90 14:37:35 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa29680; 5 Jun 90 17:41 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 05 Jun 90 14:03:16 BST 
Message-Id:   <$TGVGDBVHCNXD at UMPA>
Subject:      Virus-L vol 0 issue #0609



Virus-L Digest Thu, 9 Jun 88, Volume 0 : Issue #0609

Today's Topics

Universal Viral Simulator
forwarded request for virus program information
forwarded comments on MAC hard disk locking
RE: Universal Viral Simulator
PLAYBOY 'virus' on PCs?
PKARC 3.6 -- Is it a VIRUS?
wHOOPS!
Core Wars
Uses of Self-Replicating Code

------------------------------

Date:         Thu, 9 Jun 88 07:20:21 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Scott Guthery <spar!ascway!guthery@decwrl.dec.com>
Subject:      Universal Viral Simulator

Reprinted without permission from June 1988 IEEE Computer, p.100:

"System simulates viral attacks on PCs

"The National Bulletin Board Society has developed a computer virus testing
system to simulate viral attacks on IBM PCs.  The benign pseudo-virus,
called Universal Viral Simulator, reportedly uses all known techniques
found in live viruses to infect and replicate in host systems.  It is based
on analyses of live viruses submitted to the BBS Society.

"According to the society, the simulator is meant to act as a testing and
verification mechanism for antiviral systems under development.  The viral
simulator is executed after any antiviral systems have been loaded
and activated.  Each time the antiviral system blocks it, it displays
a message naming the replication attempt technique and its failure.  If
the simulator succeeds in `infecting' the system, it identifies the procedure
used.

"The Universal Viral Simulator is available from the National BBS Society
for $79.95."

Anybody know how to contact these folks?

--------------------

Date:         Thu, 9 Jun 88 09:44:38 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      forwarded request for virus program information


The following is a forwarded message which was sent to me:



I am a student at Miami University currently on an internship with
Ernst & Whinney's National Computer Audit Group.

I am currently researching  computer viruses,  trojan horses, and the
like.  The report which I plan to prepare will include descriptions
of various public domain and commercial software which claim
to protect from or detect viruses.  Some examples of software
I am evaluating are: DataPhysician, Triad line, Protec, VI-RAID
(commercial), Flushot+, Novirus, Checkup, and CRCDOS (public domain).

If anyone is currently using any of these programs, or others like
them, I would greatly appreciate your sending me information
describing how they are implemented, access controls you have
in place, and anything else which you think will be of help.

I will be happy to describe the results of my research in this list.
Thanks.

Neil Goldman   (NG44SPEL at MIAMIU.BITNET)

Kenneth R. van Wyk
User Services Senior Consultant          Steve Dallas: Who's driving?!
Lehigh University Computing Center       Opus: Oh keep your pants on,
Internet: <LUKEN@VAX1.CC.LEHIGH.EDU>         I pressed cruise control.
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Thu, 9 Jun 88 09:47:57 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      forwarded comments on MAC hard disk locking


The following is a forwarded message from abr1@cunixc.cc.columbia.edu:


Subject: Protecting your hard disks... don't be misled!
Recently, GREENY (MISS026@ECNCDC) wrote:
>> hold down the Shift, Option, Command, and Delete keys to boot from a
>> floppy....Does this actually prevent the hard drive from working?....
>
>Well, that's what it is *supposed* to do for ya.  But who knows with Apple?
>At any rate, to avoid all of the mangled, popped out of joint fingers
>that some people who aren't too limber may get from the above sequence,
>just insert a trusted floppy disk into the floppy disk drive with a trusted
>system and then open the System folder on it.  Hold down the COMMAND and
>the OPTION keys while double clicking on the icon of the Finder.  This
>will force the mac to make use of the system on the floppy drive.  After
>your finder comes back to life, close the folders, and drag the icon of the
>hard drive into the trash can.  This will unmount the sucker, thereby
>preventing any read/writing from/to it.

Wrong... depending on the driver (and possibly other things?) your hard disk
will probably auto-remount itself in a matter of seconds. It may take a while
if the CPU gets very busy, which could fool you into thinking that you're safe.
Anyway, while I've never had occasion to use it, the S-O-C-Del combo is safer.
It may in fact make it impossible for ANY software to put your SCSI drive
on-line, but I doubt it. I do know (99% sure) that a sufficiently clever virus
could find and use even an unmounted hard disk, assuming you can put yours in
that state (didn't a fellow named Paul Mercer write a CDEV that could do this?)
Therefore, presuming that S-O-C-Del does not unalterably change some state in
the SCSI controller (or something like that), it is impossible to guarantee
protection to your hard disk without physically cutting off the data (or at
least the write) lines between it and the computer.

At this point, either solution is probably safe, but they won't be when virus
writers start getting a little more sophisticated.

He then writes:
>                                              Just pray that the virus
>doesn't get stored in your parameter ram, or you will be really screwed
>because the battery back-up for the SE is *SOLDERED* to the mother
>board.  Solution to this deal --> Run it on a Mac Plus, and if you suspect
>a virus residing in your parm ram, remove the battery from the back via the
>battery door.  Wait 40 seconds for all to clear and then put it back in.

This is nonsense, for several reasons.
1) There isn't enough room in the PRAMs to store even the simplest virus, even
   on the Mac II. (The others have, I believe, *20 WHOLE BYTES* of which 12
   are used.)
2) Even if there were, how would such a virus gain control of the system? Code
   is never stored in the PRAMs, so nothing there is ever executed.

Two gotchas, though:
1) It is possible that a virus could store a counter in the PRAMs, thus
   enabling a 'time-bomb' effect WITHOUT ever modifying anything in the System
   or elsewhere. You would never know there was anything wrong, until...
2) I know of one case where a Mac II couldn't even boot off of a FLOPPY. The
   cause was supposed to be trashed PRAMs. I don't see how this could be, but
   the person complaining was fairly expert, and they sure as hell didn't miss
   anything obvious. Furthermore, I think the problem was solved by temporarily
   shorting the PRAM battery. This was broadcast over USENET some time ago, so
   if anyone knows better please tell me. If the short did cure the problem,
   this virtually proves the trashed-PRAM hypothesis.
   The long and the short of it is that a truly nasty virus _might_ be able to
   render your Mac II logic board useless (until you short your battery). I
   don't believe this can happen to an SE, but I don't know for sure.
   In any event, DON'T short your battery unless you DAMN WELL know EXACTLY
   what you are doing!

Kenneth R. van Wyk
User Services Senior Consultant          Steve Dallas: Who's driving?!
Lehigh University Computing Center       Opus: Oh keep your pants on,
Internet: <LUKEN@VAX1.CC.LEHIGH.EDU>         I pressed cruise control.
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Thu, 9 Jun 88 10:43:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      RE: Universal Viral Simulator

>Reprinted without permission from June 1988 IEEE Computer, p.100:

>"System simulates viral attacks on PCs

>"The National Bulletin Board Society has developed a computer virus testing
      -------------------------------

WHO???

I've never heard of them. Has anyone?

_______________________________________________________________________________
|  James M. Shaffer, Jr.   | Bitnet: shafferj@bknlvms                         |
|  P.O. Box C-2658         | Internet: shafferj%bknlvms.bitnet@cunyvm.cuny.edu|
|  Bucknell University     | UUCP: ...!psuvax1!bknlvms.bitnet!shafferj        |
|  Lewisburg, PA USA 17837 | CSNet: shafferj%bknlvms.bitnet@relay.cs.net      |
-------------------------------------------------------------------------------
| "He's old enough to know what's right and young enough not to choose it;    |
|  He's noble enough to win the world but fool enough to lose it."            |
|                                   -- Rush, "New World Man", on _Signals_    |
-------------------------------------------------------------------------------

--------------------

Date:         Thu, 9 Jun 88 11:48:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      PLAYBOY 'virus' on PCs?

ACS045 at GMUVAX writes

> and the PLAYBOY virus, both of which only affect PCs....

The only thing I know of called "PLAYBOY" was a Trojan horse
(i.e. it didn't spread to other executables) that was reported
to erase hard disks on Macs.   Is this "PLAYBOY" thing on the
PC similar, or is it a real spreading virus?

Dave Chess
T.J.Watson Research Center
(Affiliation given for identification purposes at most)

--------------------

Date:         Thu, 9 Jun 88 12:26:57 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         msmith@topaz.rutgers.edu
Subject:      PKARC 3.6 -- Is it a VIRUS?


Recently a file called PK36.EXE with a size of 118K has appeared on a
BBS near me.  Is this really a new version of PKARC/PKXARC?  Is this a
Trojan or virus?

Please post your answer so that a warning/verification can reach as
far as possible.

Mark

--
Mark Smith (alias Smitty) "Be careful when looking into the distance,
61 Tenafly Road            that you do not miss what is right under your nose."
Tenafly, NJ 07670         {backbone}!rutgers!topaz.rutgers.edu!msmith
msmith@topaz.rutgers.edu              Bill and Opus in '88!!!

--------------------

Date:         Thu, 9 Jun 88 12:42:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         ACS045@GMUVAX
Subject:      wHOOPS!

ACS045 at GMUVAX writes

> and the PLAYBOY virus, both of which only affect PCs....

>The only thing I know of called "PLAYBOY" was a Trojan horse
>(i.e. it didn't spread to other executables) that was reported
>to erase hard disks on Macs.   Is this "PLAYBOY" thing on the
>PC similar, or is it a real spreading virus?

>Dave Chess
>T.J.Watson Research Center
>(Affiliation given for identification purposes at most)

Ok...perhaps I should have been more specific....I guess by PCs I meant
(P)ersonal (C)omputers.. e.g. all brands/models/makes...
Actually the possibility of misinterpretation struck me after hitting the
CTRL-Z to send the sucker, and by that time it was too late
--Sorry for any confusion/panic caused..

"call back the bombers, stand down the missiles..."--WarGames
Steve Okay(ACS045@GMUVAX)

--------------------

Date:         Thu, 9 Jun 88 22:26:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      Core Wars

Has anyone out there developed a mainframe version of Core Wars that they'd
be willing to distribute via the network?

_______________________________________________________________________________
|  James M. Shaffer, Jr.   | Bitnet: shafferj@bknlvms                         |
|  P.O. Box C-2658         | Internet: shafferj%bknlvms.bitnet@cunyvm.cuny.edu|
|  Bucknell University     | UUCP: ...!psuvax1!bknlvms.bitnet!shafferj        |
|  Lewisburg, PA USA 17837 | CSNet: shafferj%bknlvms.bitnet@relay.cs.net      |
-------------------------------------------------------------------------------
|                      Changes can open your eyes.                            |
|                                            --Boston, on _Third Stage_       |
-------------------------------------------------------------------------------

P.S.      I've notified Rick Zellich, the maintainer of the "List of Lists,"
      of the existence of this list. I tried to make the part about sending
      subscription requests to the listserv and not to the list clear, and
      I also included the owner's address in case anyone had any questions.

      The "List of Lists" is distributed to a far wider field of people
      than any Bitnet-oriented listserv listings I've seen. It contains
      listings for Internet lists in addition to listserv lists (some of
      which it lacks because list owners don't know about it).
      If anyone wants a copy (it's big, so organizing some system of
      distribution for multiple people at one site is recommended),
      it's stored on NICSERVE@BITNIC in fragments. You'll need to get the
      index to find their names.

--------------------

Date:         Thu, 9 Jun 88 09:37:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         riacs!ames!hc!csed-1!csed-47!roskos@rutgers.edu
Subject:      Uses of Self-Replicating Code

>There are probably other points, but these will do.  Note that this is *not*
>a list of the salient points of a virus - I've not mentioned self-replication,
>for example, because (correct me if I'm wrong) the skill of writing self-
>replicating code is not exactly of general utility (though I'll admit I can't
>see into the future).

Actually, in the middle '70s, I used a system where self-replicating
code in the OS was common; this was in the NCR "B1" Operating System (the
name "B1" was apparently derived from the name of the principal designer,
John Burnett, and the fact that it was a single-tasking OS.  It had nothing
to do with the "B1" of computer security).

This OS, although slow and primitive, actually had a lot of interesting
innovations; one of these was VOSS, the "Variable Overlay Stasher System".
Depending on what hardware you had, and what options you wanted, you
would set a bitmap indicating which sets of overlays (sort of like
current-day "packages" or "modules") you wanted on a given disk.  (They were
called "overlays" because in fact the OS was one that used overlays, as
opposed to virtual memory, to get large programs into a small space.  Our
machine had only 32K, and the OS took up only a small fraction of that,
due to the overlaying, although the overlay swapping made the system
enormously slow.)

NCR would periodically come out with updates to the OS, which you would
install onto your first disk using a utility program.  But thereafter,
the software update would propagate itself to your other system disks in
the same way viruses propagate!  Whenever you mounted a new disk
(actually, I think whenever you opened a file on a new disk, but I can't
remember the details) the OS would check whether the new disk contained
an older version of the software than the current one; if the new disk
had older software, the OS would copy the overlays you had selected onto
the disk, replacing the old version with the new one.  In this way, as
long as you mounted all your disks eventually, all the disks would
automatically be updated once you updated the first one from the
distribution disk.*

This was more important on that system (the Century 100 Series) than
on systems nowadays because, like an old floppy disk microcomputer,
the machine only had small (removable) hard disks, and you would frequently
have to have a number of copies of the OS around on the different (small)
disks you needed to run your various programs.  Thus ensuring that they
were all updated without the help of this self-updating feature would have
been difficult:  in the installation where I worked, there were around 100
disk packs, of which a significant number had the OS on them.

So, the system used the same basic technology as the virus, but for a
constructive purpose.  I recall that under some circumstances it was
possible for this updating to go the wrong way, though; it would replace
a newer version of the OS with an older version.  I can't remember what
caused this, just that the self-updating would sometimes malfunction.

*I think it required you to answer "EE" (which meant "Ok") or "CC"
 (which meant "Cancel") before it would actually update the disk.
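
[Editor's added example. The following is a toy model of the VOSS-style
self-propagating update described in the post above; it is my code, not NCR's,
and not part of the original digest. It assumes a hypothetical four-overlay
catalogue, (major, minor) version tuples, and an operator prompt answered
"EE" or "CC" as the footnote recalls. It also includes one deliberately naive
version comparison to show how such a propagation check can run the wrong
way; the post does not say what actually caused the NCR misbehaviour, so that
part is an illustration of the failure mode, not a diagnosis of it.]

```python
"""Toy model of VOSS-style self-propagating OS updates (constructed example).

Each disk pack carries an OS version and the overlays installed on it.  The
running system knows the version it booted from and the site's overlay
selection bitmap.  Mounting a pack triggers the propagation check.
"""
from dataclasses import dataclass, field

# Hypothetical overlay catalogue (bit position -> overlay name).  The real
# VOSS bitmap layout is not described in the post; this is an assumption.
OVERLAY_BITS = {0: "CORE", 1: "SORT", 2: "COBOL", 3: "TAPE"}


@dataclass
class Disk:
    name: str
    version: tuple                                 # (major, minor), e.g. (2, 10)
    overlays: dict = field(default_factory=dict)   # overlay name -> version


def selected_overlays(bitmap: int) -> list:
    """Decode the site's selection bitmap into overlay names, lowest bit first."""
    return [name for bit, name in OVERLAY_BITS.items() if bitmap & (1 << bit)]


def naive_is_older(disk_ver: tuple, current_ver: tuple) -> bool:
    """Compare dotted version *strings*.  Lexically '2.10' < '2.9', so a pack at
    2.10 looks older than a 2.9 system and would be downgraded.  Shown only to
    illustrate a wrong-way update; the post does not say what VOSS did."""
    return ".".join(map(str, disk_ver)) < ".".join(map(str, current_ver))


def is_older(disk_ver: tuple, current_ver: tuple) -> bool:
    """Component-wise comparison: monotone, so propagation only moves forward."""
    return tuple(disk_ver) < tuple(current_ver)


def on_mount(disk: Disk, current_version: tuple, bitmap: int, confirm,
             older=is_older) -> list:
    """Propagation hook run when a pack is mounted.

    `confirm(disk)` plays the operator answering EE (ok) or CC (cancel).
    Returns the overlays written to the pack, [] if nothing was changed.
    Only overlays selected in the bitmap are touched; others stay as they are.
    """
    if not older(disk.version, current_version):
        return []                       # pack is current or newer: leave it
    if confirm(disk) != "EE":
        return []                       # operator cancelled
    written = []
    for name in selected_overlays(bitmap):
        disk.overlays[name] = current_version
        written.append(name)
    disk.version = current_version
    return written


def always_ok(disk: Disk) -> str:
    """Operator who answers EE to every prompt."""
    return "EE"


def demo():
    """Three mounts: a forward update, a wrong-way update under the naive
    compare, and the same pack left alone under the component-wise compare."""
    bitmap = 0b0101                     # site selected CORE and COBOL only
    d1 = Disk("PACK07", (2, 9), {"CORE": (2, 9), "COBOL": (2, 9), "TAPE": (2, 9)})
    w1 = on_mount(d1, (2, 10), bitmap, always_ok)
    d2 = Disk("PACK12", (2, 10), {"CORE": (2, 10), "COBOL": (2, 10)})
    w2 = on_mount(d2, (2, 9), bitmap, always_ok, older=naive_is_older)
    d3 = Disk("PACK12", (2, 10), {"CORE": (2, 10), "COBOL": (2, 10)})
    w3 = on_mount(d3, (2, 9), bitmap, always_ok)
    return (w1, d1), (w2, d2), (w3, d3)


if __name__ == "__main__":
    for written, disk in demo():
        print(f"{disk.name}: now {disk.version}, wrote {written}")
```

The point the model makes is the one the post raises: a self-propagating
update is only safe if the "is this pack older?" test is strictly monotone, so
that the same mechanism cannot carry a stale copy back over a newer one. The
operator prompt (EE/CC) is the only other brake in the description, and note
that nothing in the mechanism as described checks where the newer overlays
came from; a modern equivalent would verify the update's origin before
copying it onto every pack it meets.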

--------------------

*** end of Virus-L issue ***
