Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA21872; Thu, 7 Jun 90 19:55:26 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA16791; Thu, 7 Jun 90 19:55:26 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA15779; Thu, 7 Jun 90 19:55:21 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa02241; 7 Jun 90 22:02 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Thu, 07 Jun 90 15:33:48 BST 
Message-Id:   <$TGVGDBVHFKVD at UMPA>
Subject:      Virus-L vol 0 issue #0713



Virus-L Digest Wed, 13 Jul 88, Volume 0 : Issue #0713

Today's Topics

VMS ZOO ok?
Final (I hope) posting on Miami U. spring epidemic

------------------------------

Date:         Wed, 13 Jul 88 15:14:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         John Lundin Jr <LUNDIN@URVAX>
Subject:      VMS ZOO ok?

A version of ZOO for VAX/VMS arrived over the net yesterday  on  Info-VAX..
an executable image, UUENCODEd. ZOO is an archiver program. Considering the
number of bad PKARC versions that are out there, can anyone vouch for this?
Anyone have source?

A quick check shows that it  was  probably  written  in  C,  and  has  many
plausible-sounding error messages near the beginning.

Here's the header info preceding the uuencoded material:

>From:  BITNET%VTVM2::MAILER 11-JUL-1988 16:17
>To:    LUNDIN
>Subj:
>
>Received: From VTVM2(MAILER) by URVAX with Jnet id 8344
>          for LUNDIN@URVAX; Mon, 11 Jul 88 16:17 EDT
>Received: by VTVM2 (Mailer X1.25) id 8320; Mon, 11 Jul 88 16:07:31 EDT
>Date:         Mon, 4 Jul 88 15:30:43 MDT
>Reply-To:     INFO-VAX@KL.SRI.COM
>Sender:       INFO-VAX Discussion <INFO-VAX@VTVM2>
>Comments:     <Parser> W: Invalid RFC822 field -- ".EDU". Rest of header
>              flushed.
>From:         ewilts%Ins.MRC.AdhocNet.CA%Stasis.MRC.AdhocNet.CA%UNCAEDU.
>              @CORNELLC.CCS.CORNELL
>To:           'John Lundin Jr' <LUNDIN@URVAX>
>
>As per the recent request for ZOO for VMS, I am including the following
>UUENCODED file of ZOO.EXE.
>
>[ actual file omitted ]

Thanks!                        -john

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
John Lundin, Jr.         VAX785::LUNDIN                     (UR/MCV Decnet)
Academic Computing       LUNDIN @ URVAX                            (BITNET)
University of Richmond   lundin%urvax.bitnet@cunyvm.cuny.edu     (Internet)
Richmond, VA  23173      ...!rutgers{!psuvax1}!urvax.bitnet!lundin   (UUCP)

--------------------

Date:         Wed, 13 Jul 88 08:38:10 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe Simpson <JS05STAF@MIAMIU>
Subject:      Final (I hope) posting on Miami U. spring epidemic

In two earlier postings I described what we thought we knew about an MS-DOS
based virus epidemic at Miami. We were afflicted with the standard (non
destructive) version of Brain with numerous complaints of lost data. As
part of our early response we used rather draconian measures to copy (some)
user data from affected diskettes to clean media. We kept many of the
originals that were reported as defective. These diskettes were sorted
into categories, probably using Norton utilities. A stratified sample was
then subjected to more detailed analysis with the following results:
1.  Some media were physically defective.
2.  Brain existed on some diskettes.  No mutated version of Brain was found
    using byte level comparison with a known standard Brain.

Conclusion: There is no reproducible evidence that Miami was visited by a
virus that deliberately attempted to alter or destroy user data. Fred Cohen
spent a morning with us at the height of our confusion and suspected a
mutated Brain. We have been unable to corroborate this.

Critique of our performance:
1. The draconian measures we took in the early days  resulted  in  loss  of
   user data. Lack of a formal coordinating body and ignorance of the topic
   of computer viruses caused us to continue these measures longer than was
   desirable.
2. Lack of awareness of the problem probably caused us to ignore very early
   warning signs resulting in the crisis occurring at our busiest time of
   year.
3. Our efforts  at  communicating  information  about  the  virus  were  as
   accurate  as practical, but most reports did not accurately describe the
   situation as currently understood. Reporters made  best  efforts  to  be
   factual,  but  (at  least  in  my  opinion) were intimidated by the word
   "computer". This is very puzzling. If you remove the word computer, they
   are more competent  than  most  computer  professionals  to  communicate
   public health information.
4. In retrospect, it is easy to see that modification of "nominal" behavior
   at Miami before the epidemic would have severely reduced  the  cost.  In
   particular  our  habit  of  initializing  with  DOS provided the perfect
   "media" for Brain.

Notes:
1.  We were visited by two destructive viruses in the Mac world.
2.  There is some Mac software offering partial protection (Vaccine cdev)
    without seriously affecting the working environment (except for
    programmers).  There are also several programs designed to detect
    (obvious) viruses including virus detective and RX. These are cheap!
3.  We have yet to find anything good in the MS-DOS world, either to
    provide protection or diagnosis.
4.  Our Novell server based laboratories had very few internal problems.
    Whether this is due to lack of architecture in MS-DOS or due to the
    characteristics of Brain is hard to ascertain.

--------------------

*** end of Virus-L issue ***
