Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA21811; Thu, 7 Jun 90 18:26:08 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA16580; Thu, 7 Jun 90 18:26:07 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA15192; Thu, 7 Jun 90 18:26:00 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa28881; 7 Jun 90 20:31 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Thu, 07 Jun 90 15:34:56 BST 
Message-Id:   <$TGVGDBVHFKVR at UMPA>
Subject:      Virus-L vol 0 issue #0719



Virus-L Digest Tue, 19 Jul 88, Volume 0 : Issue #0719

Today's Topics

Forwarded virus hype editorial, and some random comments
RE:  VMS ZOO
VIRSIM
Re: Forwarded virus hype editorial, and some random comments

------------------------------

Date:         Tue, 19 Jul 88 12:52:53 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Forwarded virus hype editorial, and some random comments

Greetings, First  of  all,  I've  noticed  that  VIRUS-L  has  gained  many
subscribers  in  the past week or so since it was announced in the NETMONTH
newsletter here on BITNET; welcome all! Around the end of this month,  I'll
be  sending  out my monthly info sheet which should clear up some questions
which you may have, such as, "how do I  get  files  from  this  LISTSERV?".

Secondly, a number of people have noted that VIRUS-L traffic  has  subsided
quite  a  bit.  I'd  imagine  that this is partly due to the fact that many
university students have gone home for the summer, but perhaps not. I don't
think that the subject has been exhausted by any means. We'll see...  Let's
see some participation out there!

Finally, this next item is an editorial comment from an anti-software
vendor. The editorial was distributed via CompuServe, and forwarded to me
verbatim. Note that it is not an endorsement, merely an opinion from the
vendor.

Ken van Wyk

------ begin editorial ---------

CompuServe                 IBMSW

IBM Software Forum Forum Menu

#: 197283 S9/Hot Topic (S)
    09-Jul-88  16:53:51
Sb: #Virus Hype
Fm: rg software 70701,2561
To: ALL

VIRUS HYPE

Since I'm a new participant in this forum group, I'd like to introduce myself:
Raymond M. Glath, President, RG Software Systems, Inc., 2300 Computer Ave.,
Willow Grove, PA 19090 , (215) 659-5300

We are a 4 year old developer/publisher. Our products  are  "DISK  WATCHER"
which  includes  anti-virus  logic  among  its  many  features, and the "PC
TRACKER" systems for managing pc resources.

Between various articles in INFOWORLD and discussions in CIS forums,  Steve
Gibson has heartily promoted:

The C-4 product from Interpath (according to Steve, "the  only  product  to
beat all viruses known to the NBBS");

The "not-for-profit" "National  Bulletin  Board  Society"  with  its  Virus
Simulator, VIRSIM;

and in a recent message to Thomas Thornbury  of  Software  Directions,  the
"industry-wide  coalition  of  independent anti-viral software publishers",
information on which may be obtained from the individual  Steve  referenced
at the NBBS.

Some interesting facts that we've discovered:

1. The 1st time we ever  saw  the  NBBS  referenced  in  print  was  in  an
editorial column in PC WEEK approximately 1 month after Interpath announced
their anti-virus product. This editorial stated that the NBBS was selling a
virus simulator product for $79.95.

2. Interpath and the NBBS coincidentally share the exact same address;
however, published reports never seem to link these two? groups in any way
other than Steve Gibson's report that C-4 is the only product that defeats
ALL the viruses on the NBBS.

3. One of our customers had contacted the NBBS and  received  a  disk  from
them  which  contained:  the  virus  simulator... VIRSIM; an actual working
virus  that  attacks  COM  files;  and  two  dis-assembled/commented  virus
programs... The BRAIN and the ISRAELI viruses.

#: 197284 S9/Hot Topic (S)
    09-Jul-88  16:56:49
Sb: #Virus Hype
Fm: rg software 70701,2561
To: ALL

(Continuation from 197283)

4. Upon request from our customer, we analyzed the VIRSIM simulator product
and discovered that VIRSIM makes a number  of  erroneous  assumptions  when
performing its "virus attacks". To wit:

a. It considers the mere OPENing of a COM, EXE, or SYS file to be  a  virus
attack.  The fact that a file is OPENed doesn't change the file in any way.
You must WRITE TO THE FILE TO CHANGE IT.

WRITING to  one  of  these  files  would  indicate  a  valid  virus  attack
condition.  OPENing,  without ever WRITING is not a virus attack condition,
but rather a "false alarm".

b. During several VIRSIM "attacks", VIRSIM does not check the error  return
conditions  properly  after the "attack", and therefore erroneously reports
successful attacks that have, in reality, failed.

5. Steve also told Thomas Thornbury to contact an individual  at  the  NBBS
for information on the newly formed "industry-wide coalition of independent
anti-viral software publishers". In fact, the president of INTERPATH phoned
our  company  stating  that  HE  was  forming  this group and solicited our
membership.

Due to the conditions outlined above, we have chosen to NOT AFFILIATE  with
this  "coalition",  and  must question whether or not its formation is just
another form of hype to keep the virus  fuel  burning  in  the  pressrooms.

Viruses are real.

The threat is there.

The extent of the threat is totally  unknown  at  this  time.  It  may  get
serious  and it may not. We need more substance and less hype in the press.

If the world must have a virus simulator to evaluate anti-virus products,
then let's have one developed by someone totally isolated from anti-virus
publishers; let's have it certified by a professional software evaluation
company; and let's insure that it is neither able to be easily turned into a
real virus, nor documented to a level that it becomes a "how to" guide for
virus writers.

Comments welcome...

Ray Glath
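
The distinction drawn in points 4a and 4b of the editorial above, as an added example that is not part of the original digest or of any product named in it: a monitor that reports a change only when a WRITE to a COM, EXE or SYS file actually succeeds, beside one that makes the two assumptions the editorial criticizes. The event format, field names, verdict labels and the trace itself are constructed for illustration.

```python
from collections import namedtuple

EXEC_EXTS = (".COM", ".EXE", ".SYS")

# Hypothetical event record for this example. `failed` stands for the error
# return of the call; `count` is the number of bytes a WRITE actually wrote.
Event = namedtuple("Event", "op path access handle failed count",
                   defaults=(None, None, None, False, 0))

# Constructed trace; access 0 = read-only, 2 = read/write. Handle 5 is reused
# after being closed, so each handle must be mapped to its current file.
TRACE = [
    Event("OPEN", "COMMAND.COM", 0, 5),
    Event("CLOSE", handle=5),
    Event("OPEN", "FORMAT.COM", 2, 5),
    Event("WRITE", handle=5, failed=True),      # write refused
    Event("CLOSE", handle=5),
    Event("OPEN", "CHKDSK.EXE", 2, 6),
    Event("WRITE", handle=6, count=512),        # write went through
    Event("CLOSE", handle=6),
    Event("OPEN", "NOTES.TXT", 2, 5),
    Event("WRITE", handle=5, count=100),        # not an executable
    Event("OPEN", "ANSI.SYS", 0, None, True),   # open itself failed
]


def is_executable(path):
    return path.upper().endswith(EXEC_EXTS)


def careful_verdicts(trace):
    """Judge each executable by what was written to it, checking error returns."""
    handles = {}    # open handle -> path it currently refers to
    verdicts = {}   # path -> "opened-only" | "write-failed" | "modified"
    for ev in trace:
        if ev.op == "OPEN":
            if ev.failed:
                continue                        # nothing was opened
            handles[ev.handle] = ev.path
            if is_executable(ev.path):
                verdicts.setdefault(ev.path, "opened-only")
        elif ev.op == "WRITE":
            path = handles.get(ev.handle)
            if path is None or not is_executable(path):
                continue
            if ev.failed or ev.count == 0:
                # An attempt that changed nothing must not be reported as a
                # success, and must not downgrade an earlier real change.
                if verdicts[path] != "modified":
                    verdicts[path] = "write-failed"
            else:
                verdicts[path] = "modified"
        elif ev.op == "CLOSE":
            handles.pop(ev.handle, None)
    return verdicts


def naive_verdicts(trace):
    """The criticized logic: any OPEN of an executable counts as a successful
    attack, and error returns are never consulted."""
    return {ev.path: "attack-succeeded"
            for ev in trace
            if ev.op == "OPEN" and is_executable(ev.path)}


if __name__ == "__main__":
    for name, fn in (("careful", careful_verdicts), ("naive", naive_verdicts)):
        print(name, fn(TRACE))
```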

--------------------

Date:         Tue, 19 Jul 88 13:21:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         GILL@QUCDNAST
Subject:      RE:  VMS ZOO

John Lundin writes

>A version of ZOO for VAX/VMS arrived over the net yesterday on Info-VAX.. an
>executable image, UUENCODEd.  ZOO is an archiver program.  Considering the
>number of bad PKARC versions that are out there, can anyone vouch for this?

>Anyone have source?

>A quick check shows that it was probably written in C, and has many plausible-
>sounding error messages near the beginning.

Our system guru downloaded this file yesterday and found out  that  it  did
not  work  -  the  resulting  file  had  the  wrong  format for our uVAX to
recognize. He theorizes that this may have something to do  with  the  fact
that  we have no C or C libraries on our machine, but isn't positive. It is
not a virus as far as we know - it just doesn't work.

     If anyone gets a ZOO for the VAX up and running, e-mail me.  We
will be interested.

                                          -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Arnold Gill                              | If you don't complain to those who  |
Queen's University at Kingston           | implemented the problem, you have   |
gill @ qucdnast.bitnet                   | no right to complain at all !       |
                                          -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

--------------------

Date:         Tue, 19 Jul 88 10:38:44 PLT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Andrew Vaught <29284843@WSUVM1>
Subject:      VIRSIM

I think that the idea of keeping a "Virus Simulator" around is a pretty
useless idea since having your virus-detector program `discover' VIRSIM's
`attacks' only gives a false sense of security. A genuine virus would
probably be much trickier. This makes me wonder-- have we seen any viruses yet
that are designed to fool any of the popular packages around? It would
seem to me that a virus has to be small enough to hide somewhere, and this
would prevent esoteric anti-detection detection countermeasures.

As for VIRSIM, shelve it. It is useless.

           Andy

--------------------

Date:         Tue, 19 Jul 88 19:27:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Forwarded virus hype editorial, and some random comments
In-Reply-To:  Message of 19 Jul 88 12:52 EDT from "Kenneth R. van Wyk"

>Since I'm a new participant in this forum group, I'd like to introduce
>myself:
>
>        Raymond M. Glath
>        President
>        RG Software Systems, Inc.
>        2300 Computer Ave.
>        Willow Grove, PA 19090

Nice; courteous; however, we have already met.

> a. It considers the mere OPENing of a COM, EXE, or SYS file to be a
>    virus attack. The fact that a file is OPENed doesn't change the
>    file in any way.
>    You must WRITE TO THE FILE TO CHANGE IT.

True. However, a simulator need not do everything that the real thing  must
do.  Flight  Simulator  does  not  fly  either,  but  it  does simulate the
externals. A virus simulator need  not  necessarily  infect.  If  it  would
present  the same results to a virus protection program that a virus would,
then it has probably met the requirement for such a program.

>Due to the conditions outlined above, we have chosen to NOT AFFILIATE
>with this "coalition", and must question whether or not its formation is just
>another form of hype to keep the virus fuel burning in the pressrooms.

More basic, it seems to me, is whether or not there is any requirement  for
such  an  organization.  Even  if "caveat emptor" did not apply here, there
does not appear to be much evidence that people are being  ripped  off.  It
seems  a  little  early to declare the market full and all of the invention
done.

>If the world must have a virus simulator to evaluate anti-virus
>products, then let's have one developed by someone totally isolated from
>anti-virus publishers; let's have it certified by a professional software
>evaluation company; and let's insure that it is neither able to be easily
>turned into a real virus, nor documented to a level that it becomes a
>"how to" guide for virus writers.

Certainly, we should avoid conflict of interest. It is  useful  to  have  a
forum  such  as this to publicize any potential ones that we identify. That
having been said, we can likely afford what we have seen to date.

Still, there does seem to be some unseemly haste here somewhere.

Regards, Bill

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

*** end of Virus-L issue ***
