Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA21789; Thu, 7 Jun 90 18:16:54 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA16480; Thu, 7 Jun 90 18:16:50 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA15085; Thu, 7 Jun 90 18:16:18 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa28497; 7 Jun 90 20:24 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Thu, 07 Jun 90 15:37:20 BST 
Message-Id:   <$TGVGDBVHFKWQ at UMPA>
Subject:      Virus-L vol 0 issue #0728



Virus-L Digest Thu, 28 Jul 88, Volume 0 : Issue #0729

Today's Topics

Re: ROM Bios
** no subject, date = Thu, 28 Jul 88 15:20:35 GMT
Re: Campus virus letter
Re: Trapping Direct Disk Write Calls
** no subject, date = Thu, 28 Jul 88 11:23:01 EDT
Re: Trapping Direct Disk Write Calls
Re: Trapping Direct Disk Write Calls
** no subject, date = Thu, 28 Jul 88 11:58:24 EDT
** no subject, date = Thu, 28 Jul 88 09:30:31 pdt
How many viruses are there?
** no subject, date = Thu, 28 Jul 88 13:58:05 EDT
Questions about Brain
How many viruses are there?
** no subject, date = Thu, 28 Jul 88 14:41:49 EDT
Re: Trapping Direct Disk Write Calls
** no subject, date = Thu, 28 Jul 88 14:33:14 EST
Possible Virus
** no subject, date = Thu, 28 Jul 88 15:49:44 EDT
** no subject, date = Thu, 28 Jul 88 15:59:51 EDT
** no subject, date = Thu, 28 Jul 88 16:07:35 EDT
How many viruses are there?
Re: Questions about Brain
** no subject, date = Thu, 28 Jul 88 16:38:48 EDT
** no subject, date = Thu, 28 Jul 88 15:28:00 MDT
Questions about Brain
Re: Trapping Direct Disk Write Calls
RE: Questions about Brain
request for opinions on future...

------------------------------

Date:         Thu, 28 Jul 88 12:22:55 GMT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Turgut Kalfaoglu <TURGUT@TREARN>
Subject:      Re: ROM Bios
In-Reply-To:  Message of Mon,
              25 Jul 88 17:54:59 EDT from <David.Slonosky@QUEENSU.CA>

>What is ROM Bios? What are legitimate reasons for a program using it/them?
>What are illegitimate reasons for the same? Enquiring minds want to know...

ROM bios is basically a whole slew of routines that are coded into a  chip.
They  provide  all  kinds  of  functions from keyboard, to screen, to disk.

BIOS calls, like the ones for the screen, tend  to  be  faster  than  their
counterparts  in  DOS  calls,  but your program will only run with a system
that has ROM bios.

ROM BIOS is also usually the cause for 'incompatible compatible computers.'
- since IBM's BIOS chip is (C)opyrighted,  and  cannot  be  used  by  other
companies freely. Many companies have developed their own chips to provide
similar functions. I hear that the Phoenix BIOS is the most compatible, and
that the Award BIOS is another popular one..

Legitimate/Illegitimate: I dunno.. You can use BIOS to write directly to  a
sector  on  disk, so a virus could use it to destroy something, or to write
itself onto a fresh disk.. Maybe  that's  what  you  mean  by  leg/illeg...

-turgut

--------------------

Date:         Thu, 28 Jul 88 15:20:35 GMT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Turgut Kalfaoglu (51)18-10-80 Ext:244" <TURGUT@TREARN>

Here in Izmir, Turkey, we have a BRAIN version 9.0 on our PC  lab.  We  are
trying to get more info on it, and trying to analyze its behavior. So far,
it doesn't seem to like hard drives - we have not been able to  locate  one
on a hard drive.

It jumps from diskette to diskette easily, by simply writing itself to  the
boot  track  of  the  new diskette. We found that the best way to find this
virus is to look at the FIRST track of  the  diskette.  It  has  a  message
there. We use Norton or PCTOOLS to peek at that sector. We are also working
on a program that verifies that track, and the checksums/crc's of the three
system files..

I think the computer  centers/BBS's,  and  other  similar  services  should
record  the  sources  of  the obtained software.. This would intimidate the
creep (the virus-writer) on distributing  the  virus-installing  software..

-turgut

--------------------

Date:         Thu, 28 Jul 88 09:34:47 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "James N.Bradley" <ACSH@UHUPVM1>
Subject:      Re: Campus virus letter
In-Reply-To:  Your message of Wed, 27 Jul 88 13:55:29 CDT

Leonard -

I edit the computing center publications at the University of  Houston  and
we  couldn't publish your article as it stands. The use of words like "high
probability", virus "attack", and "evasive action" is  inflammatory.  These
words  are  not going to provoke reasonable reactions from people. You have
to be very careful when using powerful and sweeping statements.

A better way of beginning your paper would be something like:

Some campuses have had problems recently with virus programs. A virus
program is (etc). There are a number of things you can do to prevent
infection...etc. If you become infected there are a few things you can
do...etc.

Tone down the dire images unless you know  you  have  a  virus  on  campus.

James N. Bradley
Information Services Manager
University of Houston

--------------------

Date:         Thu, 28 Jul 88 09:48:11 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         GARY SAMEK <C133GES@UTARLVM1>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message of Wed, 27 Jul 88 13:30:26 EDT from <LUKEN@LEHIIBM1>

Hello Net, When a virus gets into command.com, it is very difficult to stop
it from spreading if it is well written. It seems that the best way to
prevent this type of virus is to keep an eye on the dates on these files.
Then, you would probably want a TSR to notify you whenever a DOS/BIOS call
to change the date of a file has been requested. This would require a
little more attention from the user, but the protection scheme is simpler
and fairly reliable. Upon thinking, it would probably be a good idea to
keep the output of the DIR command as a disk file, so you could check from
time to time the sizes of the files as they were and as they are now.
Anyway, I would like to see a little discussion on a good generic technique
for preventing the infection and spread of viruses, such as I have given
here.
Gary
Disclaimer - These opinions are my own, and whoever else agrees.

--------------------

Date:         Thu, 28 Jul 88 11:23:01 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         OJA@NCCIBM1

Re: Ken's request for opinions about future virus activity /  and  "warning
lists" about Trojan Horses and viruses

"All the data is not yet in" for the question of future virus activity, but
here is my opinion from this vantage point....

Several trends are developing, making the situation a "good news and bad
news" one. The good news is that it looks like virus attacks on
consumer/hobbyist/small institution computers are leveling off and will
most likely drop, with occasional outbreaks. One factor for this is that
the "fad" is wearing off for those who write viruses for the "thrill". The
other, more significant, reason is that many computerists are becoming much
more computer security conscious than ever before. The number of files
being transferred on many BBSs that I am on has dropped greatly in the past
six months. People are getting more careful, slowing the spread of
malicious codes. Many have started using some form of general
protective/testing software. (No, they are not absolute guarantees, but it
is a step up from indiscriminate software exchange.)

The degree of complexity and sophistication to make a "successful" (from
the perpetrator's viewpoint) virus is being driven upwards. The bad news is
the possibility of specifically targeted viruses will increase as various
people are seeing the potentials and dangers of this electronic parallel to
nanotechnology. This is a concern that the institutions that would be
possible targets are already building more secure systems. There is a
possibility of "spillovers" to the general computing community from any
attempted attacks. (In the case of targeted attacks, the result does not
need to be destroyed files, wrecked boot sectors, and other obvious damage.
A subtle data manipulator could do much damage. But enough said for here.)
So many institutional computer centers are wise in constantly looking to
secure their systems.

A related factor in these trends is the matter of accountability and other
human factors. A few months ago, Vin McLennen had posted a report in RISKS
DIGEST about the various problems with employee accountability in the
computer and data management field. This seems to have intensified after
the US Stock Market plunge last fall; the message given to employees by
many companies after that was "Produce bottom-line profits or you're out!"
(I have seen this message in some of the advertising in computer &
telecommunications publications - the appeal to fear.) Even before the
viruses, one of the biggest security problems for a company has been
disgruntled employees.

On a different subject.....

Somebody posted a request on this list for information about any "warning
lists" of Trojan Horses and viruses. The only one that I know of is the
DIRTY DOZEN listing compiled by Eric Newhouse. It is available through
LISTSERV@LEHIIBM1 as DIRTY DOZEN. Use the GET command to get it. The latest
version is 8b. Eric says that he will be coming out with version 9 soon. He
will be splitting it up into separate listings for Trojan Horses, Viruses,
Pirated and Hacked Programs, etc. The DIRTY DOZEN listings can be obtained
also from Eric's BBS - THE CREST BBS in Los Angeles, CA - (213) 471-2518.
There is also a message section on the CREST BBS for messages about any
newly discovered "bogusware". If neither route is practical, contact me
and I can arrange for a copy (disk or printout) to be sent to interested
people by arrangement.

J. D. Abolins
301 N. Harrison Str., #197 /Princeton, NJ 08540  (mail only)

--------------------

Date:         Thu, 28 Jul 88 11:24:22 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message of Thu, 28 Jul 88 09:48:11 CDT from <C133GES@UTARLVM1>

>It seems that the best way to prevent
>this type of virus is to keep an eye on the dates on these files.

Not at all true; it's all too simple to alter a file without  altering  the
date. *DO NOT* trust the write date as a virus detection scheme.

>This would require a little
>more attention of the user, but the protection scheme is simpler and fairly
>reliable.

It would be simpler alright, but also much simpler to get around.

>  Upon thinking, it would probably be a good idea to keep the output of the
>DIR command as a disk file, so you could check from time to time, the sizes
>of the files as they were and as they are now.

It's also easy to alter a file without changing  the  file  size  as  well.
Particularly  in the case of COMMAND.COM, the code need not even be altered
on disk at all - it need only be altered within memory,  and  that  can  be
done by any program at all since a PC's memory is totally unprotected. Once
again,  a  file  can  contain  a  virus without any file size or write date
change from the original (uninfected) file.

>Gary

Ken

Kenneth R. van Wyk                    From the Devil's Dictionary:
User Services Senior Consultant          Barometer - an ingenious device
Lehigh University Computing Center         designed to inform the user what
Internet: <luken@Spot.CC.Lehigh.EDU>       the weather is.
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Thu, 28 Jul 88 17:05:54 GMT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Turgut Kalfaoglu <TURGUT@TREARN>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message of Wed, 27 Jul 88 11:55:00 EDT from <DSPIRO@BRANDEIS>

>Are there a lot of programs that ask for disk writes directly (i.e. not
>through DOS)?  If not, would it be possible to write a TSR that
>differentiates between disk write calls from DOS (making them legal) and
>those that are direct (flagging them as suspicious)?

Yes, there are many programs that write to screen. Most programs that 'pop'
into view are either writing directly  to  screen,  or  using  a  technique
called  'page  flipping' - which is similar to turning the pages of a book.
(Prepare the next page, then flip the pages)

For an example of the difference in performance, try  invoking  the  Norton
Utilities  with the /D1 option or the /D2 option. (Which I believe are BIOS
and DOS calls with ANSI, respectively)

Trapping such calls would be difficult - you would have to check for  every
memory  access  (there  are  LOTS  of  them),  to see if they fall within a
device's area. For example, to write to screen, you simply send a byte to a
location in memory, and the character appears..
-turgut

--------------------

Date:         Thu, 28 Jul 88 11:58:24 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

A few brief comments on recent activity on this list:

Turgut: There are quite a few Brain variations floating around at this
particular moment. We have counted 7. The original Brain Virus ONLY
affected floppy 5 1/4 inch disks. And it did no harm. Versions are around
that affect hard disks and 3 1/2 inch disks, but they are simply edits of
the original. Also damaging versions exist. One will periodically delete
files, the second will erase your FAST table. (please excuse my typing,
I have no backspace). That should read FAT table. I have now worked on two
versions of the Brain virus and am looking for the others. Also, I am
curious to know who was the first college to discover the Brain. I really
don't know who in the US was hit first.

Gary: Watching the dates change means nothing. It is a very simple function
to keep the date from changing. The date change was one of the major
reasons we caught the Lehigh Virus in the first place. If it hadn't
changed, Chris, Joe and I and Mitch probably wouldn't have realized what
was going on for a while after that. Whoever wrote the Lehigh Virus made a
mistake, and I think any new viruses that crop up will not make that same
mistake.

JD: I have been trying to compile a list of viruses. This is very
difficult. I have sent mail out to just about everyone and no one is
keeping one. We have come across about 70 viruses now including 4 versions
of the Israeli and 7 versions of the Brain. If anyone wants to make a short
list of the ones they know of, please send it to LKK0@LEHIIBM1 and I will
include them in my compiled list. I will post it when I feel it is
sufficiently done.

Virus Growth: I expect a virus explosion of GOOD viruses on campuses next
year. A bank in upper New Jersey (who I am not allowed to mention the name
of) called me about 3 weeks ago. They were hit pretty badly by a virus. I
honestly see viruses increasing in hostility and in design.

The problem is that there is so much publicity about viruses right now
that we can't handle the problems cropping up. Another problem I will hate
to see, but it looks like it is coming, is a virus that runs on PC's and
attaches itself to mainframes when the PC connects to them. It will then
"worm" its way through the mainframes. We've been doing research on this
type of virus for a while, and a small one was located in Harrisburg I'm
told. I cannot describe it I'm sorry to say. Every time we do something,
we're told to keep quiet and not fuel the scare.

About not being able to trap direct disk writes without trapping DOS
calls. Our package... first let me say that I am NOT trying to sell it
over Bitnet, I just want to point out that our package from Lehigh Valley
Innovative Technologies does just that. And it does it well. We do trap
disk calls and check to see whether they came from DOS or directly from the
program. And believe me, it works, and it would be very hard for someone to
mess with it, unless they want to disassemble all our code and try to
figure out how everything works.

One other thing: James Bradley, your English is much better than mine, but
I'm afraid there is a VERY high probability of ANY college with PC sites
being hit by a virus. Protect yourselves NOW!

Loren Keim
Lehigh University Provost Staff

--------------------

Date:         Thu, 28 Jul 88 09:30:31 pdt
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         isbalkits@UCDAVIS

Devo_Stevo writes:

"The scenario could be a mad-hacker, plugging away at  a  keyboard  in  the
back  of  a  dimly  lit  office,  creating  a virus like no virus ever seen
before. Viruses are going to be like methods of cheating  at  cards  or  on
your  spouse. The analogy would be having mice evolve into a bigger species
to defeat mouse traps - unless the traps are built bigger,  the  mice  will
win."

Depicting the virus writer as a gothic/romantic figure (like  pirates  have
been,  like  gangsters have been, like gang members now are) contributes to
the problem. If this discussion is to have any value, any impact, it should
be to paint the virus writer as he/she truly is:  an  emotionally-atrophied
individual,  a  product  of  negative operant conditioning, a human who has
lost contact, isolated in a hyperspace of computer  an-architecture,  where
technical wizardry seems to excuse a lack of common ethics or even common
sense.

Continuing to fictionalize the virus writer as a mad  scientist,  a  Doctor
Frankenstein  whose  genius  gives  us  a  secret thrill, whose lawlessness
challenges us, is just the wrong way to go. If this forum really exists  as
a  deterrent  to  the  spread  of  viruses,  one  of  its  functions is the
demystification of the criminal hacker. Calling her/him a  "creep"  is  not
enough.  The  consciousness  in  each  of  us  should be raised that we are
contributing to the virus writer's self-image as someone "special" whenever
we present the problem in adventurous scenarios such as that above.

Ivars Balkits
Computing Services
University of California - Davis
ISBALKITS@UCDAVIS

--------------------

Date:         Thu, 28 Jul 88 12:42:15 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess 862-2245" <CHESS@YKTVMV>
Subject:      How many viruses are there?

Loren K Keim writes
> There are quite a few Brain variations foloating around
> at this particular moment.  We have counted 7.
 ...
> I have now worked on two versions of the Brain virus and
> am looking for the others.

Does that mean that you've counted 7  rumors,  but  only  really  seen  two
different  versions,  or  that  you  have  good,  solid  evidence  of seven
versions, but for some reason only  have  copies  of  two?  I've  seen  two
versions  of  the  Brain  virus (both attack only floppies, and in fact the
only difference between them is in the no-op data areas), and heard  rumors
of  lots of others. In every case, though, the rumors seem to have been due
to mistakes or confusions, and I wouldn't be at all surprised if there  are
in  fact  only two versions out in the world. If you have hard (first-hand)
evidence of others, I think we'd all be interested.

I have good evidence for only  6  (or  7)  viruses  for  PC-DOS  in  actual
circulation:  the  Lehigh,  the  Jerusalem, two "April Fools" viruses which
have already passed their setoff dates, the Brain (and its minor  variant),
and  a  small  COM-file  virus that occasionally replaces its victim with a
program to reboot the machine (rather than simply infecting it).

Anyone who knows first-hand (or from a  solid  non-rumor  source)  of  more
viruses  would  be  doing  everyone  a  great service by posting a detailed
description of their symptoms, so we can all tell our users about things to
watch out for. (Loren, if any of the seven that I mentioned above  are  new
to  you,  let me know and I can send you more details; I'd love to see that
list of 40, especially if it includes some hint of how sure we  really  are
that each one exists!)

All this is not to say that viruses aren't something to worry about!  Quite
the  contrary.  But  I do tend to think that new rumors tend to appear MUCH
faster than new viruses do...

DC

--------------------

Date:         Thu, 28 Jul 88 13:58:05 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Dave: About rumors versus real versions, I have heard rumors about so many
versions of the Brain that it isn't funny. Fred Cohen described the Brain
found in Mimi as a variant strain and went on to explain it. It sould...
sounded exactly like the original to me.

I have heard of 7 versions from reliable sources. Unfortunately most people
won't allow me to have copies of their viruses. The two I have are from
California and Boston. People are so afraid of viruses that I am having
difficulty getting ahold of some strains. I have to get permission sent
from the government to these people for them to release copies to me, that
is why I only have 2. It's kind of interesting that I travel places to help
stop viruses but I can't get ahold of some copies because people don't ...
no one trusts anyone else.

I have either copies or heard from reliable sources of 4 April Fool's
viruses, 7 versions of the Brain, the Lehigh, 4 versions of the Israeli
(there are early versions floating around Hebrew U I'm told, presumably
written by the culprit who wrote the Israeli), the Playboy, the Brain..
Gerbil I mean, and some minor ones (I do not have a list in front of me,
this is from memory). For the Mac, I've seen a version of the CHRISTA
virus (yes, simple damn thing copies itself around your little Mac, it's
not written in Rex of course), the Phantom, the NASA virus, the Aldus
virus, and the VULT virus. The Flushot renegade for the PC was something I
should also point out. The CHRISTMA for the CMS machines, a Smiley face
virus which was the CHRISTMA redone. 4 unnamed Unix viruses and I have
rumors of more floating around. (one of them is only a few characters long
and is very nasty). That is the start of a list.. oh, yeah, another off the
top of my head is a Mac virus which prints a picture of a nude female on
the screen while it copies itself to any other disks in your system. An
obvious virus but still a virus. I have heard rumors of a similar virus for
the PC.

Loren Keim
Lehigh University

--------------------

Date:         Thu, 28 Jul 88 14:14:37 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Questions about Brain

Actually, I've been trying to track the Brain Virus for some time. If anyone
out there has had any contact with the Brain virus, I would really
appreciate some info from you (dates, what it did, what it looks like, how
it worked, when it hit, how many people it affected and so on).

Also, does anyone know if any research has been done on Worm  Theory  since
the big Xerox worm back in 82?

Does anyone have a copy of the Apple version of Core Wars?

Does anyone know where Len Adleman is now? (He's the person who first
called a computer virus a computer virus. (if my typing were better)

Is it true that University of Penn found a Command Com virus?

I'd like to know who all was hit the worst  by  the  Christmas  Tree  Exec.

How far did the Aldus virus get?

Can anyone tell me about the NASA virus other than what was in the  papers?
(NASA claims they didn't have a virus!)

Is anyone planning on teaching a virus course in the future?
Which colleges teach computer security?

Loren

--------------------

Date:         Thu, 28 Jul 88 14:32:10 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess 862-2245" <CHESS@YKTVMV>
Subject:      How many viruses are there?

The only "Playboy" thing that I've heard of  reliably  was  just  a  Trojan
Horse  for  the  Mac,  not  a  virus for the IBM-PC or compatibles. Similar
comment applies to the corrupted flushot thing, I think; it just did  nasty
things  to  you  when  you  ran  it,  but  it didn't spread itself to other
executables. A list of Trojan Horses would be miles long,  but  not  really
relevant to the subject matter of VIRUS-L. I suspect a list of real viruses
would be much much shorter.

DC

--------------------

Date:         Thu, 28 Jul 88 14:41:49 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
In-Reply-To:  Message of Thu, 28 Jul 88 09:30:31 pdt from <isbalkits@UCDAVIS>

>Continuing to fictionalize the virus writer as a mad scientist, a
>Doctor Frankenstein whose genius gives us a secret thrill, whose
>lawlessness challenges us, is just the wrong way to go...

I agree. I find virus writers just about as romantic as  a  sniper  on  the
freeway.  "Oh  look,  I just killed somebody else." Too bad brainwashing is
illegal (don't flame - I'm being VERY sarcastic).

- - Joe.

--------------------

Date:         Thu, 28 Jul 88 13:59:24 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message from "Kenneth R. van Wyk" of Jul 28, 88 at 11:24 am

>It's also easy to alter a file without changing the file size as well.
>Particularly in the case of COMMAND.COM, the code need not even be
>altered on disk at all - it need only be altered within memory, and
>that can be done by any program at all since a PC's memory is totally
>unprotected.  Once again, a file can contain a virus without any file
>size or write date change from the original (uninfected) file.

Very interesting about command.com. That file, as released in  msdos  level
3.3  contains  a  4000  byte block of zeros at its end, which makes it VERY
easy to add code. I cannot fathom why they put that area into the  process.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
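The two points above, that a file can be changed without its size or write date moving (van Wyk) and that a zero-filled tail gives room to do it without growing the file (Levine), can be shown concretely. The following is an added example, not code from the digest or from any product it names. It builds a constructed sample file with a zero-filled tail, baselines it, overwrites part of the tail in place, puts the original timestamps back, and then runs a DIR-style size/date comparison beside a SHA-256 comparison. The file names, contents and the padding size are constructed for the example.

```python
"""Integrity baseline: why file size and write date are not enough.

Added example (not code from the Virus-L digest or any product it names).
A constructed "COMMAND.COM"-style file with a zero-filled tail is
baselined, modified in place without changing its size, and has its
modification time restored.  A baseline of size and mtime accepts the
change; a baseline of SHA-256 digests rejects it.
"""
import hashlib
import os
import tempfile

PAD = 4000  # constructed: length of the zero-filled tail on the sample file


def fingerprint(path):
    """Return (size, mtime_ns, sha256 hex digest) for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return st.st_size, st.st_mtime_ns, h.hexdigest()


def take_baseline(paths):
    """Record size, write time and digest for every listed file."""
    return {p: fingerprint(p) for p in paths}


def check_size_and_date(baseline):
    """The DIR-style check: names of files whose size or write time changed."""
    changed = []
    for p, (size, mtime, _digest) in baseline.items():
        st = os.stat(p)
        if (st.st_size, st.st_mtime_ns) != (size, mtime):
            changed.append(p)
    return sorted(changed)


def check_digest(baseline):
    """The checksum check: names of files whose content digest changed."""
    return sorted(p for p, (_s, _m, digest) in baseline.items()
                  if fingerprint(p)[2] != digest)


def overwrite_tail_keeping_metadata(path, payload):
    """Overwrite bytes inside the zero-filled tail (size unchanged), then put
    the original access and modification times back.  This models a
    same-size in-place change, not any particular virus."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(st.st_size - PAD)
        f.write(payload)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Build the constructed files, baseline them, modify one, run both
    checks.  Returns (flagged_by_size_and_date, flagged_by_digest)."""
    root = tempfile.mkdtemp()
    cmd = os.path.join(root, "COMMAND.COM")
    other = os.path.join(root, "OTHER.EXE")
    with open(cmd, "wb") as f:
        f.write(b"constructed program image" + b"\x00" * PAD)
    with open(other, "wb") as f:
        f.write(b"constructed unrelated program")
    baseline = take_baseline([cmd, other])
    overwrite_tail_keeping_metadata(cmd, b"constructed bytes placed in the padding")
    by_meta = [os.path.basename(p) for p in check_size_and_date(baseline)]
    by_hash = [os.path.basename(p) for p in check_digest(baseline)]
    return by_meta, by_hash


if __name__ == "__main__":
    meta, digest = demo()
    print("size/date check flagged:", meta)    # []
    print("digest check flagged:  ", digest)   # ['COMMAND.COM']
```

The digest baseline only helps if it is kept somewhere the checked machine cannot silently rewrite (a write-protected diskette, a printout), since a program that can change COMMAND.COM can usually change a checksum file sitting next to it just as easily.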

--------------------

Date:         Thu, 28 Jul 88 14:33:14 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Neil Goldman <NG44SPEL@MIAMIU>

Virus prevention programs (those which claim to stop infection *before*  it
occurs)  typically intercept calls to the DOS (or BIOS) interrupt handlers.
If the interrupt request is to write to the disk,  the  prevention  program
will  notify  the  user.  The general impression I get is that people think
that if a program can intercept all potential avenues a virus can  take  to
write to the disk, it would be foolproof (or close to it).

However, a clever virus could simply check to see if the interrupt vector
is pointing to something other than the DOS/BIOS commands to write to the
disk (i.e., the vector would point to the intercepting prevention program).
If the virus determines that the vector does not point to DOS/BIOS, it
could simply change the vector to do so, replicate itself (infect other
programs), and then change the vector pointer back to the "intercepting
program". The user would be none the wiser.

Comments/technical corrections?

Neil A. Goldman
Ernst & Whinney
National Computer Audit Group

--------------------

Date:         Thu, 28 Jul 88 14:08:50 CST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Claudia Lynch <AS04@UNTVM1>
Subject:      Possible Virus

The following message appeared  on  our  campus  BBS.  If  anyone  has  any
pertinent information, please reply. Thanks,
Claudia Lynch %We shall work no time, before its nine!|

#1791  28-JUL-1988 08:57:33.73    Topic : PUBLIC INFO
>From : ALAN MATTHEWS
To : ALL
Subject : possible virus

I've been using the "Master Key" utility by R.P. Gage for a while and have
been having problems with my disk. It is a really nice utility program; it
allows you to hide, unhide, delete, and undelete files, look for matching
files, and has a hex/ascii sector editor (that's the best way I can
describe it). I had, until recently, been blowing my FATS sectors. This
caused me endless amounts of annoyance as I would get parity errors on my
disk drives, and eventually would not be able to load programs. I finally
replaced my motherboard and these problems haven't surfaced again (yet). I'd
like to know if anyone has had similar problems with this program, or if
it was, in fact, just a hardware problem.
AM

--------------------

Date:         Thu, 28 Jul 88 15:49:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

David, When I speak of the Playboy virus, I am referring to one of the many
things by that name. I refer to a POC program which was complained about
slightly in Main I believe that simply copies itself from disk to disk. It
is an executable file that does this.

I should not have mentioned the Flushot thing, I know it is a trojan. When
I talk of a certain number of viruses, I ONLY mean viruses. A list of
trojan horses would come out with at least several hundred. However, I am
counting variations of viruses as viruses themselves. In my possession I
have about 15 viruses and about 20 trojan horses, I have a list of about 70
viruses from reliable sources. I also do not include viruses that people
wrote themselves to annoy their co-workers.

Haggling over the specific number of viruses in the world, however, is
ridiculous. Incidentally, I received two boot sector viruses in the mail
(physical mail) without a return address, and they are viruses I cannot
identify as anything in particular.

Also, is anyone on this list from Alabama or Mississippi?

Loren

--------------------

Date:         Thu, 28 Jul 88 15:59:51 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Regarding anti-viral programs, I don't think any of them is the answer. I'm
leaning towards hardware protections, and have a few ideas. We really need
the hardware to be redesigned.

There isn't anything we can do to prevent the spread of viruses. All we can
do is make it harder and harder for one to get around.

Neil, if you were referring to my comments about the program we've written,
we considered what you referred to as taking over the interrupts, but it's
too shabby a job and isn't the way we do it. We also, of course, watch for
interrupt changes. But again this is not the answer to all our problems.

Fred Cohen demonstrated up in New York a little program which basically
CRC'd everything (it was a powerful check, but still just a file check).
And I think that isn't enough either; our program has more than just disk
watches, it has the standard CRCs for people who want to use them (one-way
encryption) and so on.

If enough people use Vaccine and the Innoculator and SDP, and FluShot, then
a virus really doesn't stand a chance of getting too far. The more packages
out there, the harder a virus is to propagate. Another point, something
Fred's program does, Vaccine does and ours does, is have a random key
selected which keeps the virus from being able to mimic any CRC.

The only thing we can do is make it harder and harder to write a virus
which will go through our defenses, and limit the number of people who CAN
write one.

Fred, incidentally, talked of making the nth level of difficulty in writing
a virus, in which case we are safe. I think the world is on the right track.
Now we have to convince the world to use the PC condoms that exist (not
necessarily anyone's in particular).

Loren
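The random-key CRC idea in the message above, worked through as an added example (this is not code from Loren's package, Vaccine or Fred Cohen's program): a CRC-32 file baseline whose expected values depend on a key drawn when the baseline is taken, so the value a modified file must reproduce is not fixed by the algorithm alone. The file names, byte contents and the key are constructed stand-ins; a real tool would draw the key from an unpredictable source and keep it with the baseline on a write-protected disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Table-driven CRC-32 (IEEE 802.3 polynomial, reflected form). */
static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void crc_init_table(void) {
    if (crc_table_ready) return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

static uint32_t crc_update(uint32_t crc, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        crc = crc_table[(crc ^ buf[i]) & 0xFFu] ^ (crc >> 8);
    return crc;
}

/* Plain CRC-32 of a buffer: it depends only on the data, so the value a
 * modified file has to reproduce is computable by anyone. */
uint32_t crc32_plain(const uint8_t *buf, size_t len) {
    crc_init_table();
    return crc_update(0xFFFFFFFFu, buf, len) ^ 0xFFFFFFFFu;
}

/* Keyed variant: the 64-bit key is run through the CRC register ahead of
 * the data, so the expected value differs on every installation and is
 * unknown to a virus that has not also read the key. */
uint32_t crc32_keyed(uint64_t key, const uint8_t *buf, size_t len) {
    uint8_t kb[8];
    for (int i = 0; i < 8; i++) kb[i] = (uint8_t)(key >> (8 * i));
    crc_init_table();
    uint32_t crc = crc_update(0xFFFFFFFFu, kb, sizeof kb);
    return crc_update(crc, buf, len) ^ 0xFFFFFFFFu;
}

/* A "file" as the checker sees it; a real tool reads this from disk. */
typedef struct {
    const char *name;
    const uint8_t *data;
    size_t len;
} checked_file_t;

#define MAX_FILES 16

/* Baseline kept off the protected disk together with the key. */
typedef struct {
    uint64_t key;
    size_t count;
    uint32_t expected[MAX_FILES];
} baseline_t;

void baseline_take(baseline_t *b, uint64_t key,
                   const checked_file_t *files, size_t n) {
    b->key = key;
    b->count = n > MAX_FILES ? MAX_FILES : n;
    for (size_t i = 0; i < b->count; i++)
        b->expected[i] = crc32_keyed(key, files[i].data, files[i].len);
}

/* Returns how many files no longer match; flagged[i] is set for each one. */
size_t baseline_verify(const baseline_t *b, const checked_file_t *files,
                       int *flagged) {
    size_t bad = 0;
    for (size_t i = 0; i < b->count; i++) {
        flagged[i] = crc32_keyed(b->key, files[i].data, files[i].len)
                     != b->expected[i];
        bad += flagged[i] ? 1 : 0;
    }
    return bad;
}

/* Constructed sample: two tiny stand-ins for COMMAND.COM and a .COM tool.
 * tamper != 0 flips one byte of the first file after the baseline was
 * taken, the way a file infector would. Returns the mismatch count. */
size_t run_integrity_demo(uint64_t key, int tamper) {
    uint8_t cmd[]  = { 0xB8, 0x00, 0x4C, 0xCD, 0x21, 0x90, 0x90, 0x90 };
    uint8_t tool[] = { 0xEB, 0x02, 0x90, 0x90, 0xC3 };
    checked_file_t files[2] = {
        { "COMMAND.COM", cmd,  sizeof cmd  },
        { "TOOL.COM",    tool, sizeof tool },
    };
    baseline_t b;
    int flagged[MAX_FILES];
    baseline_take(&b, key, files, 2);
    if (tamper) cmd[5] ^= 0xCD;   /* any single-byte change is caught by CRC */
    return baseline_verify(&b, files, flagged);
}
```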

--------------------

Date:         Thu, 28 Jul 88 16:07:35 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

(Heavy mail is BACK on Virus-L!)

One more thing, Neil. We're more and more referring to anti-viral programs
as "Virus Detection Systems", not "Virus Prevention". The object is to
detect the virus as early as possible. You can't stop that first infection
(primary infection) from someone else's system, but you may be able to stop
it from infecting a second file, or from actually doing damage to your
system. We're relegated to fighting the symptoms rather than the viruses
themselves.

Loren

--------------------

Date:         Thu, 28 Jul 88 16:49:06 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess 862-2245" <CHESS@YKTVMV>
Subject:      How many viruses are there?

Agreed, I didn't mean to be trying to pin you down to a specific number.  I
was  just  surprised to hear a number as high as 70; I guess a lot more has
been going on than anyone has mentioned here or in similar places. I'll  be
eagerly  awaiting your posting of your list! I think the point about people
using lots of different anti-viral programs is a very good one; this is one
field where you don't want your own program to be the  One  Everyone  Uses,
because  if  it  is,  the  virus-writers will target it, take it apart, and
design circumventions. Safety in Numbers!
DC

--------------------

Date:         Thu, 28 Jul 88 16:48:04 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: Questions about Brain
In-Reply-To:  Message of Thu, 28 Jul 88 14:14:37 EDT from <LKK0@LEHIGH>

>I'd like to know who all was hit the worst by the Christmas
>Tree Exec.

IBM's VNET got it the worst. Most of the users there had literally hundreds
of ID's with which they had corresponded, with the result that thousands of
copies of the exec got out. They had to disconnect from BITNet for nearly 2
weeks (as I recall).

>How far did the Aldus virus get?

Not very. Remember, it's a self-limiting virus which burns itself out after
a one-time shot. It got into the warehouses, but there's little evidence it
actually hit the streets. Richard Brandow's contention that he did it to
prove  how  much piracy was going on is an unmentionable substance found in
pastures. His claim on CompuServe was that he did  because  he  wanted  to.
(Too bad I can't type this in brimstone-spewing letters).

>Can anyone tell me about the NASA virus other than what was in
>the papers?  (NASA claims they didn't have a virus!)

Some people here may have had the Scores virus. I'm  watching  it  here  at
Goddard; we've got Vaccine to everyone we could find, along with KillScores
and Interferon.

-- Joe M.

--------------------

Date:         Thu, 28 Jul 88 16:38:48 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
In-Reply-To:  Message of Thu, 28 Jul 88 13:58:05 EDT from <LKK0@LEHIGH>

>                        ...For the Mac, I've seen a version
>of the CHRISTA virus (yes, simple damn thing copies itself
>around your little Mac, it's not written in Rex of course),

More information about this, please. I'm  building  a  document  about  Mac
viruses. Resources, symptoms, etc. I can't use rumours.

>...the Phantom, the NASA virus, the Aldus virus, and the VULT
>virus...

The NASA virus and the  VULT  virus  should  be  the  same  one,  known  as
"Scores".  Is  the  Phantom  a new one I haven't heard of? Symptoms please.
What resources are involved?

I would appreciate your pointing me to anyone who can prove that either the
Phantom or CHRISTMA virus exists. The CHRISTA sounds like it is a  nuisance
bacterium  rather than a viral infection. I need technical data -- resource
names/numbers, modifications made by the viruses, etc.

>... the top of my head is a Mac virus which prints a picture
>of a nude female on the screen while it copies itself to any
>other disks in your system...

As I recall, this program shows the picture and erases your hard  disk;  it
doesn't  propagate  itself  as  a  virus.  Perhaps  you  mean  a bacterium?

-- Joe M.

--------------------

Date:         Thu, 28 Jul 88 15:28:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         CEARLEY_K%wizard@VAXF.COLORADO.EDU

A relatively effective software strategy for an anti-viral  program  is  to
use  the  timer  interrupt. It is done by installing a TSR which implements
two functions:

1- When loaded, it intercepts the timer interrupt vector. It then times its
   own execution and stores this duration with a checksum. This prevents
   its interrupt from being preempted by using timing dependencies.

2- At 18 times per second, it compares interrupt vectors for modifications;
   these are flagged and, if restricted, they are disabled.

The resolution  is  somewhat  coarse  considering  the  number  of  machine
instructions  that  can  execute  between intervals, but it can effectively
arrest the destruction of data.

Kent Cearley, Management Systems, University of Colorado
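Kent's second function, the per-tick vector comparison, as an added example (a hosted C simulation, not Kent's TSR): the interrupt vector table is an ordinary array, the baseline is taken at load time, and each tick flags changed vectors and puts restricted ones back. The restricted vector numbers, the fake segment values and the sample table are constructed; the timing self-check of his first function is not simulated.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define IVT_ENTRIES 256

/* A real-mode interrupt vector is a segment:offset far pointer; on a PC the
 * 256-entry table sits at linear address 0. Here it is an ordinary array. */
typedef struct { uint16_t offset, segment; } far_ptr_t;

typedef struct {
    far_ptr_t baseline[IVT_ENTRIES]; /* snapshot taken when the TSR loaded */
    bool restricted[IVT_ENTRIES];    /* vectors nobody is allowed to rehook */
    unsigned total_flagged;          /* running count across all ticks */
} ivt_monitor_t;

static bool far_eq(far_ptr_t a, far_ptr_t b) {
    return a.offset == b.offset && a.segment == b.segment;
}

/* At load: record the table as found and note which vectors (INT 13h disk
 * services, say) must never change underneath us. */
void ivt_monitor_init(ivt_monitor_t *m, const far_ptr_t *ivt,
                      const uint8_t *restricted, size_t n_restricted) {
    memcpy(m->baseline, ivt, sizeof m->baseline);
    memset(m->restricted, 0, sizeof m->restricted);
    for (size_t i = 0; i < n_restricted; i++)
        m->restricted[restricted[i]] = true;
    m->total_flagged = 0;
}

/* From the timer hook (18.2 times a second on a PC): compare every vector
 * with the baseline. Changed vectors are reported in flagged[]; restricted
 * ones are additionally put back, which disables whatever hooked them.
 * Returns the number of vectors found changed on this tick. */
unsigned ivt_monitor_tick(ivt_monitor_t *m, far_ptr_t *ivt,
                          bool flagged[IVT_ENTRIES]) {
    unsigned changed = 0;
    for (int v = 0; v < IVT_ENTRIES; v++) {
        flagged[v] = !far_eq(ivt[v], m->baseline[v]);
        if (!flagged[v]) continue;
        changed++;
        if (m->restricted[v]) ivt[v] = m->baseline[v];  /* undo the rehook */
    }
    m->total_flagged += changed;
    return changed;
}

/* A legitimate TSR (a print spooler, say) also rehooks vectors; once the
 * user confirms such a change, the new value becomes the baseline. */
void ivt_monitor_accept(ivt_monitor_t *m, const far_ptr_t *ivt, uint8_t vector) {
    m->baseline[vector] = ivt[vector];
}

/* Constructed sample table: every vector points into a fake BIOS or DOS
 * segment at a distinct offset, so any change is visible. */
void make_sample_ivt(far_ptr_t *ivt) {
    for (int v = 0; v < IVT_ENTRIES; v++) {
        ivt[v].segment = (uint16_t)(v < 0x20 ? 0xF000 : 0x0070);
        ivt[v].offset  = (uint16_t)(v * 0x10);
    }
}
```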

--------------------

Date:         Thu, 28 Jul 88 16:55:12 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         SHERK@UMDD
Subject:      Questions about Brain
In-Reply-To:  Message received on Thu, 28 Jul 88  15:10:07 EDT

Here at the University of Maryland the (c) Brain virus was first noticed
about a year and a half ago. We have several floppy-based labs on campus
that are run by the business school. Data security at these labs was not
the best and eventually all the boot disks were infected. The version of
Brain we had was totally benign, but a big stink was raised when the Brain
virus infected some floppies that had bad physical media. Everyone said that
the Brain had mutated into a malignant virus! Today, infections by the Brain
virus are very rare on campus. We stamped out the virus with a simple three
part attack.

1. I downloaded the NOBRAIN.C program from VIRUS-L. With a fair amount of
hacking I made it work with the version of Brain we had. I distributed the
program to the lab managers on campus, and for a while they put a command
to run the program in AUTOEXEC.BAT.

2. We had a campaign to educate users on the importance of write protect
tabs.

3. And finally we stopped buying cheap disks.

I suspect that in September we will see it again, as students inadvertently
bring it back to school. With these simple precautions we should  be  ready
for it.

Although I have heard many rumors, I have yet  to  see  any  virus  on  the
University of Maryland campus that did any damage.

Erik Sherk

--------------------

Date:         Thu, 28 Jul 88 15:53:01 mdt
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Warning -- original Sender: tag was
From:         Bill Kinnersley <iphwk@MTSUNIX1.BITNET>
Subject:      Re: Trapping Direct Disk Write Calls

[In "Re: Trapping Direct Disk Write Calls", Len Levine said:]

> Very interesting about command.com.  That file, as released in
> msdos level 3.3 contains a 4000 byte block of zeros at its end, which
> makes it VERY easy to add code.

> I cannot fathom why they put that area into the process.

Perhaps they pad their software with  zeroes  to  avoid  possible  shipping
damage. :-)

--------------------

Date:         Thu, 28 Jul 88 23:25:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      RE: Questions about Brain

>Does anyone have a copy of the Apple version of Core Wars?

A Macintosh version of Core Wars can be obtained from  LISTSERV@RICE.BITNET
by sending the command (in the first line of a MAIL message)

$MAC GET DEMO-COREWARS.HQX

This will get you the BinHex-ed version of  the  program,  along  with  the
documentation.  You'll  need  BinHex  and  PackIt  (or  UnPackIt) (or is it
StuffIt; I don't remember, sorry) to recreate the application. If you don't
have them, ask around. Someone local should have them.

>I'd like to know who all was hit the worst by the Christmas Tree Exec.

The worst case, based on reports in RISKS TO  THE  PUBLIC  IN  THE  USE  OF
COMPUTERS  AND  OTHER AUTOMATED SYSTEMS (a.k.a. RISKS Digest) would have to
be IBM's internal network, called VNET. It slowed it down to such an extent
that most of it had to be shut down until the program could be removed from
the mail queues.

>Can anyone tell me about the NASA virus other than what was in
>the papers?  (NASA claims they didn't have a virus!)

This is a new one to me, I think. SPAN/HEPNet had one H*ll  of  a  case  of
crackers, though! They almost made VMS Security an oxymoron.

>Loren
_______________________________________________________________________________
|  James M. Shaffer, Jr.   | Bitnet: shafferj@bknlvms     CIS: 72750,2335     |
|  P.O. Box C-2658         | Internet: shafferj%bknlvms.bitnet@cunyvm.cuny.edu|
|  Bucknell University     | UUCP: ...!psuvax1!bknlvms.bitnet!shafferj        |
|  Lewisburg, PA USA 17837 | CSNet: shafferj%bknlvms.bitnet@relay.cs.net      |
-------------------------------------------------------------------------------
| "He's old enough to know what's right and young enough not to choose it;    |
|  He's noble enough to win the world but fool enough to lose it."            |
|                                   -- Rush, "New World Man", on _Signals_    |
-------------------------------------------------------------------------------
Disclaimer:  I'm not the list owner!  (See the last NetMonth.)       :-)

--------------------

Date:         Thu, 28 Jul 88 22:15:00 -0500
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     converted from NETDATA format at UOFMCC
From:         Steve Morrison <b1morri@CCU.UMANITOBA.CA>
Subject:      request for opinions on future...
In-Reply-To:  <270*b1morri@ccu.UManitoba.CA>

The scenario could be a mad-hacker, plugging away at a keyboard in the back
of a dimly lit office, creating a virus like no  virus  ever  seen  before.
Viruses  are  going  to  be  like  methods  of cheating at cards or on your
spouse. The analogy would be having mice evolve into a  bigger  species  to
defeat  mouse traps - unless the traps are built bigger, the mice will win.

Thoughts from someone who was out in the sun today....
Devo_Stevo aka Stephen D. Morrison
B1Morri@CCU.UManitoba.CA

--------------------

*** end of Virus-L issue ***
Date:         Thu, 28 Jul 88 12:22:55 GMT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Turgut Kalfaoglu <TURGUT@TREARN>
Subject:      Re: ROM Bios
In-Reply-To:  Message of Mon,
              25 Jul 88 17:54:59 EDT from <David.Slonosky@QUEENSU.CA>

>What is ROM Bios? What are legitimate reasons for a program using it/them?
>What are illegitimate reasons for the same? Enquiring minds want to know...

ROM bios is basically a whole slew of routines that are coded into a  chip.
They  provide  all  kinds  of  functions from keyboard, to screen, to disk.

BIOS calls, like the ones for the screen, tend  to  be  faster  than  their
counterparts  in  DOS  calls,  but your program will only run with a system
that has ROM bios.

ROM BIOS is also usually the cause for 'incompatible compatible computers.'
- since IBM's BIOS chip is (C)opyrighted,  and  cannot  be  used  by  other
companies freely. Many companies have developped their own chips to provide
similar functions. I hear that the Phoenix BIOS is the most compatible, and
that the Award BIOS is another popular one..

Legitimate/Illegitimate: I dunno.. You can use BIOS to write directly to  a
sector  on  disk, so a virus could use it to destroy something, or to write
itself onto a fresh disk.. Maybe  that's  what  you  mean  by  leg/illeg...

-turgut

--------------------

Date:         Thu, 28 Jul 88 15:20:35 GMT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Turgut Kalfaoglu (51)18-10-80 Ext:244" <TURGUT@TREARN>

Here in Izmir, Turkey, we have a BRAIN version 9.0 on our PC  lab.  We  are
trying  to get more info on it, and trying to analize its behavior. So far,
it doesn't seem to like hard drives - we have not been able to  locate  one
on a hard drive.

It jumps from diskette to diskette easily, by simply writing itself to  the
boot  track  of  the  new diskette. We found that the best way to find this
virus is to look at the FIRST track of  the  diskette.  It  has  a  message
there. We use Norton or PCTOOLS to peek at that sector. We are also working
on a program that verifies that track, and the checksums/crc's of the three
system files..

I think the computer  centers/BBS's,  and  other  similar  services  should
record  the  sources  of  the obtained software.. This would intimidate the
creep (the virus-writer) on distributing  the  virus-installing  software..

-turgut

--------------------

Date:         Thu, 28 Jul 88 09:34:47 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "James N.Bradley" <ACSH@UHUPVM1>
Subject:      Re: Campus virus letter
In-Reply-To:  Your message of Wed, 27 Jul 88 13:55:29 CDT

Leonard -

I edit the computing center publications at the University of  Houston  and
we  couldn't publish your article as it stands. The use of words like "high
probability", virus "attack", and "evasive action" is  inflammatory.  These
words  are  not going to provoke reasonable reactions from people. You have
to be very careful when using powerful and sweeping statements.

A better way of beginning your paper would be something like:

Some campuses have had  problems  recently  with  virus  program.  A  virus
program  is  (etc).  There  are  a  number  of things you can do to prevent
infection...etc If you become infected there  are  a  few  things  you  can
do...etc

Tone down the dire images unless you know  you  have  a  virus  on  campus.

James N. Bradley
Information Services Manager
University of Houston

--------------------

Date:         Thu, 28 Jul 88 09:48:11 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         GARY SAMEK <C133GES@UTARLVM1>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message of Wed, 27 Jul 88 13:30:26 EDT from <LUKEN@LEHIIBM1>

Hello Net, When a virus gets into command.com, it is very difficult to stop
it from spreading if it is well written. It seems  that  the  best  way  to
prevent  this  type of virus is to keep an eye on the dates on these files.
Then, you would probably want a TSR to notify you whenever a DOS/BIOS  call
to  change  the  date  of  a  file has been requested. This would require a
little more attention of the user, but the protection scheme is simpler and
fairly reliable. Upon thinking, it would probably be a good  idea  to  keep
the  output of the DIR command as a disk file, so you could check from time
to time, the sizes of the files as they were and as they are now. Anyway, I
would like to see a little  discussion  on  a  good  generic  technique  on
preventing  the  infection  and spread of virus, such as I have given here.
Gary
Disclaimer - These opinions are my own, and whoever else agrees.

--------------------

Date:         Thu, 28 Jul 88 11:23:01 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         OJA@NCCIBM1

Re: Ken's request for opinions about future virus activity /  and  "warning
lists" about Trojan Horses and viruses

"All the data is not yet in" for the question of future virus activity, but
here is my opinion from this vantage point....

Several trends are developing, making the situation a "good  news  and  bad
news"  one.  The  good  news  is  that  it  looks  like  virus  attacks  on
consumer/hobbyist/small instituation computers is  leveling  off  and  will
most likely drop, with occaisionally outbreaks. One factor for this is that
the  "fad" is wearing off for those who write viruses for the "thrill". The
other, more significant, reason is that many computerists are becoming much
more computer security conscious than ever before. he number of files being
transfered an many BBS's that I am on has dropped greatly in the  past  six
months.  People  are  getting more careful, slowing the spread of malicious
codes.Many have started  using  some  form  of  general  protective/testing
software.  (No,  they  are  no  absolute garauntees, but it is step up from
indiscrimate software exchange.)

The degree of complexity and sophistication to make a  "successfull"  (from
the perpetrator's viewpoint) virus is being driven upwards. The bad news is
the  possibilty  of  specifically  targetted virus will increase as various
people are seeing the potentials and dangers of this electronic parallel to
nanotechnology. This is a concern  that  the  institutions  that  would  be
possible  targets  are  already  building  more  secure  systems.  There is
possibility of "spillovers" to the general  computing  community  from  any
attempted  attackes. (In the case of targetted attacks, the result does not
need to destroyed files, wrecked boot sectors, and other obvious damage.  A
subtle  data manipultor could do much damage. But enough said for here.) So
many institutional computer centers  are  wise  in  constantly  looking  to
secure their systems.

A related factor in these trends is the matter of accountability and  other
human  factors.  Few  months ago, Vin McLennen had posted a report in RISKS
DIGEST about the various  problems  with  employee  accountability  in  the
computer  and data management field. This seems to intensified after the US
Stock Market plunge last fall; the  message  given  to  employees  by  many
companies  after  thatwas  "Produce bottom- line profits or you're out!" (I
have  seen  this  message  in  some  of  the  advertising  in  computer   &
telecommunications  publications-  the  appeal  to  fear.)  Even before the
virusese, one of the biggest security  problems  for  a  company  has  been
disgruntled employees.

On a different subject.....

Somebody posted a request on this list for information about  any  "warning
lists"  of  Trojan  Horses  and viruses. The only one that I know of is the
DIRTY DOZEN listing compiled by Eric  Newhouse.  It  is  available  through
LISTSERV@LEHIIBM1 as DIRTY DOZEN. Use the GET command to get it. The latest
version  is  8b.  Eric says that he will coming out will version 9 soon. He
will be splitting it up into separate listings for Trojan Horses,  Viruses,
Pirated  and Hacked Programs, etc. The DIRTY DOZEN listings can be obtained
also from Eric's BBS - THE CREST BBS in Los Angeles, CA -  (213)  471-2518.
There  is  also  a  message section on the CREST BBS for messages about any
newly discovered "bogusware".If neither routes are  practical,  contact  me
and  I  can  arrange for a copy (disk or printout) to be sent to interested
people by arrangement.

J. D. Abolins
301 N. Harrison Str., #197 /Princeton, NJ 08540  (mail only)

--------------------

Date:         Thu, 28 Jul 88 11:24:22 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message of Thu, 28 Jul 88 09:48:11 CDT from <C133GES@UTARLVM1>

>It seems that the best way to prevent
>this type of virus is to keep an eye on the dates on these files.

Not at all true; it's all too simple to alter a file without  altering  the
date. *DO NOT* trust the write date as a virus detection scheme.

>This would require a little
>more attention of the user, but the protection scheme is simpler and fairly
>reliable.

It would be simpler alright, but also much simpler to get around.

>  Upon thinking, it would probably be a good idea to keep the output of the
>DIR command as a disk file, so you could check from time to time, the sizes
>of the files as they were and as they are now.

It's also easy to alter a file without changing  the  file  size  as  well.
Particularly  in the case of COMMAND.COM, the code need not even be altered
on disk at all - it need only be altered within memory,  and  that  can  be
done by any program at all since a PC's memory is totally unprotected. Once
again,  a  file  can  contain  a  virus without any file size or write date
change from the original (uninfected) file.

>Gary

Ken

Kenneth R. van Wyk                    From the Devil's Dictionary:
User Services Senior Consultant          Barometer - an ingenious device
Lehigh University Computing Center         designed to inform the user what
Internet: <luken@Spot.CC.Lehigh.EDU>       the weather is.
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Thu, 28 Jul 88 17:05:54 GMT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Turgut Kalfaoglu <TURGUT@TREARN>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message of Wed, 27 Jul 88 11:55:00 EDT from <DSPIRO@BRANDEIS>

>Are there a lot of programs that ask for disk writes directly (i.e. not
>through DOS)?  If not, would it be possible to write a TSR that
>differentiates between disk write calls from DOS (making them legal) and
>those that are direct (flagging them as suspicious)?

Yes, there are many programs that write to screen. Most programs that 'pop'
into view are either writing directly  to  screen,  or  using  a  technique
called  'page  flipping' - which is similar to turning the pages of a book.
(Prepare the next page, then flip the pages)

For an example of the difference in performance, try  invoking  the  Norton
Utilities  with the /D1 option or the /D2 option. (Which I believe are BIOS
and DOS calls with ANSI, respectively)

Trapping such calls would be difficult - you would have to check for  every
memory  access  (there  are  LOTS  of  them),  to see if they fall within a
device's area. For example, to write to screen, you simply send a byte to a
location in memory, and the character appears..
-turgut

--------------------

Date:         Thu, 28 Jul 88 11:58:24 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

A few brief comments on recent activity on this list:

Turgut: There are quite a few Brain variations  foloating  around  at  this
particular  moment.  We  have  counted  7.  The  original  Brain Virus ONLY
effected floppy 5 1/4 inch disks. And it did no harm. Versions  are  around
that  effect  hard disks and 3 1/2 inch disks, but they are simply edits of
the original. Also damaging versions exixst. One will  periodically  delete
files,  the c second will erase your FAST table. (please excuse my typeing,
I have no backspace). That should read FAT table. I have now worked on  two
versions  of  the  Brain  virus  and  am looking for the others. Also, I am
curious to nknow who was the first college to dicscover the Brain. I really
don't know who isn the US was hit first.

Gary: Watching the Dates change means nothing. It is a very simple function
to keep the date from changing. The  date  change  was  one  of  the  major
reasons  we  caught  the  Lehigh  Virus  in  the  first place. If it hadn't
changed, Chris, Joe and I and Mitch probably wouldn't  have  realized  what
was  going on for a qhile after that. Whoever wrote the Lehigh Virus made a
mistake, and I think any new viruses that crop up will not make  that  same
mistake.

JD: I have been trying  to  compiler  a  list  of  viruses.  This  is  very
difficult.  I  have  sent  mail  out  to  just about everyone and no one is
keeping one. We have ome across about 70 viruses now including  4  versions
of the Israeli and 7 versions of the Brain. If anyone wants to make a short
list  of the ones they know3 of, please send it to LKK0@LEHIIBM1 and I will
include them in my compilerd list. I  will  post  it  when  I  feel  it  is
sufficeintly done.

Virus Growth: I expect a virus explosion of GOOD virues  on  campuses  next
year. A bank in upper New Jersey (who I am not allowed to mention othe name
otf) called me about 3 weeks ago. They were hit pretty basdly by a virus. I
honesty see viruses increasing in hostility and in design.

The problem is that theyre is so much publicity  about  viruses  right  now
that  we can't handle the problems cropping up. Another problem I will hate
to see, but it looks like it is coming is a virus that  runs  on  PC's  and
attacheds  itself  to mainframes when the PC conects to them. It will themn
"worm" its way through the mainframes. We've been doing  research  on  this
type  of  virus  for a while, and a small one was located in Harrisburg I'm
told. I cannot describe it I'm osorry to say. Evey time  we  do  something,
we're told to keep quite and not fuel the scare.

About not being able to trap  diredct  disk  writes  without  trapping  DOS
calls.  OUr  package  ,... first let me say that I am NOT trying to sell it
over Bitnet, I just want to point out that our package from  Lehigh  Valley
Innovative  Technologies,  does  just that. And it does it well. We do trap
disk calls and check to see whether they came from DOS or directly from the
program. And believe me, it works, and it would be very hard for someone to
mess with it, unless they want ot disassemble  all  our  code  and  try  to
figure out how everything works.

One other thing: James Bradley, your english is much better than mine,  but
I'm afraid there is a VERY high probability of ANY college with PC sites to
be hit by a virus. Protect yourselves NOW!

Loren Keim
Lehigh University Provost Staff

--------------------

Date:         Thu, 28 Jul 88 09:30:31 pdt
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         isbalkits@UCDAVIS

Devo_Stevo writes:

"The scenario could be a mad-hacker, plugging away at  a  keyboard  in  the
back  of  a  dimly  lit  office,  creating  a virus like no virus ever seen
before. Viruses are going to be like methods of cheating  at  cards  or  on
your  spouse. The analogy would be having mice evolve into a bigger species
to defeat mouse traps - unless the traps are built bigger,  the  mice  will
win."

Depicting the virus writer as a gothic/romantic figure (like  pirates  have
been,  like  gangsters have been, like gang members now are) contributes to
the problem. If this discussion is to have any value, any impact, it should
be to paint the virus writer as he/she truly is:  an  emotionally-atrophied
individual,  a  product  of  negative operant conditioning, a human who has
lost contact, isolated in a hyperspace of computer  an-architecture,  where
techical  wizardry  seems  to excuse a lack of common ethics or even common
sense.

Continuing to fictionalize the virus writer as a mad  scientist,  a  Doctor
Frankenstein  whose  genius  gives  us  a  secret thrill, whose lawlessness
challenges us, is just the wrong way to go. If this forum really exists  as
a  deterrent  to  the  spread  of  viruses,  one  of  its  functions is the
demystification of the criminal hacker. Calling her/him a  "creep"  is  not
enough.  The  consciousness  in  each  of  us  should be raised that we are
contributing to the virus writer's self-image as someone "special" whenever
we present the  problem  in  adventurous  scenerios  such  as  that  above.

Ivars Balkits
Computing Services
University of California - Davis
ISBALKITS@UCDAVIS

--------------------

Date:         Thu, 28 Jul 88 12:42:15 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess 862-2245" <CHESS@YKTVMV>
Subject:      How many viruses are there?

Loren K Keim writes
> There are quite a few Brain variations floating around
> at this particular moment.  We have counted 7.
 ...
> I have now worked on two versions of the Brain virus and
> am looking for the others.

Does that mean that you've counted 7  rumors,  but  only  really  seen  two
different  versions,  or  that  you  have  good,  solid  evidence  of seven
versions, but for some reason only  have  copies  of  two?  I've  seen  two
versions  of  the  Brain  virus (both attack only floppies, and in fact the
only difference between them is in the no-op data areas), and heard  rumors
of  lots of others. In every case, though, the rumors seem to have been due
to mistakes or confusions, and I wouldn't be at all surprised if there  are
in  fact  only two versions out in the world. If you have hard (first-hand)
evidence of others, I think we'd all be interested.

I have good evidence for only  6  (or  7)  viruses  for  PC-DOS  in  actual
circulation:  the  Lehigh,  the  Jerusalem, two "April Fools" viruses which
have already passed their setoff dates, the Brain (and its minor  variant),
and  a  small  COM-file  virus that occasionally replaces its victim with a
program to reboot the machine (rather than simply infecting it).

Anyone who knows first-hand (or from a  solid  non-rumor  source)  of  more
viruses  would  be  doing  everyone  a  great service by posting a detailed
description of their symptoms, so we can all tell our users about things to
watch out for. (Loren, if any of the seven that I mentioned above  are  new
to  you,  let me know and I can send you more details; I'd love to see that
list of 40, especially if it includes some hint of how sure we  really  are
that each one exists!)

All this is not to say that viruses aren't something to worry about! Quite
the contrary. But I do tend to think that new rumors appear MUCH faster
than new viruses do...

DC

--------------------

Date:         Thu, 28 Jul 88 13:58:05 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Dave: About rumors versus real versions, I have heard rumors about so many
versions of the Brain that it isn't funny. Fred Cohen described the Brain
found in Mimi as a variant strain and went on to explain it. It sounded
exactly like the original to me.

I have heard of 7 versions from reliable sources. Unfortunately most people
won't allow me to have copies of their viruses. The two I have are from
California and Boston. People are so afraid of viruses that I am having
difficulty getting hold of some strains. I have to get permission sent from
the government to these people for them to release copies to me; that is
why I only have 2. It's kind of interesting that I travel places to help
stop viruses but I can't get hold of some copies because people don't...
no one trusts anyone else.

I have either copies of, or have heard from reliable sources of, 4 April
Fool's viruses, 7 versions of the Brain, the Lehigh, 4 versions of the
Israeli (there are early versions floating around Hebrew U, I'm told,
presumably written by the culprit who wrote the Israeli), the Playboy, the
Brain.. Gerbil I mean, and some minor ones (I do not have a list in front
of me, this is from memory). For the Mac, I've seen a version of the CHRISTA
virus (yes, the simple damn thing copies itself around your little Mac, it's
not written in Rex of course), the Phantom, the NASA virus, the Aldus virus,
and the VULT virus. The Flushot renegade for the PC was something I should
also point out. The CHRISTMA for the CMS machines, a Smiley face virus
which was the CHRISTMA redone. 4 unnamed Unix viruses, and I have rumors of
more floating around (one of them is only a few characters long and is
very nasty). That is the start of a list.. oh, yeah, another off the top of
my head is a Mac virus which prints a picture of a nude female on the
screen while it copies itself to any other disks in your system. An
obvious virus but still a virus. I have heard rumors of a similar virus for
the PC.

Loren Keim
Lehigh University

--------------------

Date:         Thu, 28 Jul 88 14:14:37 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Questions about Brain

Actually, I've been trying to track the Brain virus for some time. If anyone
out there has had any contact with the Brain virus, I would really
appreciate some info from you (dates, what it did, what it looks like, how
it worked, when it hit, how many people it affected and so on).

Also, does anyone know if any research has been done on Worm  Theory  since
the big Xerox worm back in 82?

Does anyone have a copy of the Apple version of Core Wars?

Does anyone know where Len Adleman is now? (He's the person who first
called a computer virus a computer virus. (if my typing were better)

Is it true that University of Penn found a Command Com virus?

I'd like to know who all was hit the worst  by  the  Christmas  Tree  Exec.

How far did the Aldus virus get?

Can anyone tell me about the NASA virus other than what was in the  papers?
(NASA claims they didn't have a virus!)

Is anyone planning on teaching a virus course in the future?
Which colleges teach computer security?

Loren

--------------------

Date:         Thu, 28 Jul 88 14:32:10 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess 862-2245" <CHESS@YKTVMV>
Subject:      How many viruses are there?

The only "Playboy" thing that I've heard of  reliably  was  just  a  Trojan
Horse  for  the  Mac,  not  a  virus for the IBM-PC or compatibles. Similar
comment applies to the corrupted flushot thing, I think; it just did  nasty
things  to  you  when  you  ran  it,  but  it didn't spread itself to other
executables. A list of Trojan Horses would be miles long,  but  not  really
relevant to the subject matter of VIRUS-L. I suspect a list of real viruses
would be much much shorter.

DC

--------------------

Date:         Thu, 28 Jul 88 14:41:49 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
In-Reply-To:  Message of Thu, 28 Jul 88 09:30:31 pdt from <isbalkits@UCDAVIS>

>Continuing to fictionalize the virus writer as a mad scientist, a
>Doctor Frankenstein whose genius gives us a secret thrill, whose
>lawlessness challenges us, is just the wrong way to go...

I agree. I find virus writers just about as romantic as  a  sniper  on  the
freeway.  "Oh  look,  I just killed somebody else." Too bad brainwashing is
illegal (don't flame - I'm being VERY sarcastic).

- - Joe.

--------------------

Date:         Thu, 28 Jul 88 13:59:24 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message from "Kenneth R. van Wyk" of Jul 28, 88 at 11:24 am

>It's also easy to alter a file without changing the file size as well.
>Particularly in the case of COMMAND.COM, the code need not even be
>altered on disk at all - it need only be altered within memory, and
>that can be done by any program at all since a PC's memory is totally
>unprotected.  Once again, a file can contain a virus without any file
>size or write date change from the original (uninfected) file.

Very interesting about command.com. That file, as released in  msdos  level
3.3  contains  a  4000  byte block of zeros at its end, which makes it VERY
easy to add code. I cannot fathom why they put that area into the  process.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Thu, 28 Jul 88 14:33:14 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Neil Goldman <NG44SPEL@MIAMIU>

Virus prevention programs (those which claim to stop infection *before*  it
occurs)  typically intercept calls to the DOS (or BIOS) interrupt handlers.
If the interrupt request is to write to the disk,  the  prevention  program
will  notify  the  user.  The general impression I get is that people think
that if a program can intercept all potential avenues a virus can  take  to
write to the disk, it would be foolproof (or close to it).

However, a clever virus could simply check to see if the interrupt vector
is pointing to something other than the DOS/BIOS commands to write to the
disk (i.e., the vector would point to the intercepting prevention program).
If the virus determines that the vector does not point to DOS/BIOS, it
could simply change the vector to do so, replicate itself (infect other
programs), and then change the vector pointer back to the "intercepting
program". The user would be none the wiser.

Comments/technical corrections?

Neil A. Goldman
Ernst & Whinney
National Computer Audit Group

--------------------

Date:         Thu, 28 Jul 88 14:08:50 CST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Claudia Lynch <AS04@UNTVM1>
Subject:      Possible Virus

The following message appeared  on  our  campus  BBS.  If  anyone  has  any
pertinent information, please reply. Thanks,
Claudia Lynch %We shall work no time, before its nine!|

#1791  28-JUL-1988 08:57:33.73    Topic : PUBLIC INFO
>From : ALAN MATTHEWS
To : ALL
Subject : possible virus

I've been using the "Master Key" utility by R.P.Gage for a while and have
been having problems with my disk. It is a really nice utility program; it
allows you to hide, unhide, delete, and undelete files, look for matching
files, and has a hex/ascii sector editor (that's the best way I can
describe it). I had, until recently, been blowing my FAT sectors. This
caused me endless amounts of annoyance as I would get parity errors on my
disk drives, and eventually would not be able to load programs. I finally
replaced my motherboard and these problems haven't surfaced again (yet). I'd
like to know if anyone has had similar problems with this program, or if
it was, in fact, just a hardware problem.
AM

--------------------

Date:         Thu, 28 Jul 88 15:49:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

David, when I speak of the Playboy virus, I am referring to one of the many
things by that name. I refer to a POC program which was complained about
slightly in Main I believe that simply copies itself from disk to disk. It
is an executable file that does this.

I should not have mentioned the Flushot thing, I know it is a trojan. When
I talk of a certain number of viruses, I ONLY mean viruses. A list of
trojan horses would come out with at least several hundred. However, I am
counting variations of viruses as viruses themselves. In my possession I
have about 15 viruses and about 20 trojan horses; I have a list of about 70
viruses from reliable sources. I also do not include viruses that people
wrote themselves to annoy their co-workers.

Haggling over the specific number of viruses in the world, however, is
ridiculous. Incidentally, I received two boot sector viruses in the mail
(physical mail) without a return address, and they are viruses I cannot
identify as anything in particular.

Also, is anyone on this list from Alabama or Mississippi?

Loren

--------------------

Date:         Thu, 28 Jul 88 15:59:51 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Regarding anti-viral programs, I don't think any of them is the answer. I'm
leaning towards hardware protections, and have a few ideas. We really need
the hardware to be redesigned.

There isn't anything we can do to prevent the spread of viruses. All we can
do is make it harder and harder for one to get around.

Neil, if you were referring to my comments about the program we've written,
we considered what you referred to as taking over the interrupts, but it's
too shabby a job and isn't the way we do it. We also, of course, watch for
interrupt changes. But again this is not the answer to all our problems.

Fred Cohen demonstrated up in New York a little program which basically
CRC'd everything (it was a powerful check, but still just a file check).
And I think that isn't enough either; our program has more than just disk
watches, it has the standard CRCs for people who want to use them (one-way
encryption) and so on.

If enough people use Vaccine and the Innoculator and SDP, and FluShot, then
a virus really doesn't stand a chance of getting too far. The more packages
out there, the harder a virus is to propagate. Another point, something
Fred's program does, Vaccine does and ours does, is have a random key
selected which keeps the virus from being able to mimic any CRC.

The only thing we can do is make it harder and harder to write a virus
which will go through our defenses, and limit the number of people who CAN
write one.

Fred, incidentally, talked of making the nth level of difficulty in writing a
virus, in which case we are safe. I think the world is on the right track.
Now we have to convince the world to use the PC condoms that exist (not
necessarily anyone's in particular).

Loren

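An added example, not code from this list or from any of the packages named in it: a Python script that plays out two points made in this issue together. Ken van Wyk and Len Levine note that COMMAND.COM can be altered without any change in file size, thanks to the block of zeros at its end; Loren notes that a random key is what keeps a virus from mimicking a CRC. The script builds a constructed stand-in for such a file (a few made-up bytes followed by 4000 zeros), has a "virus" hide a constructed payload in the padding and overwrite the last four bytes so that the plain CRC-32 still matches, and then shows that a keyed one-way check (HMAC-SHA256 here, standing in for the keyed CRC of the period) and a simple "is the padding still all zeros" check both catch it. All function names, the file bytes and the payload are this example's own.

```python
"""Why a fixed, unkeyed CRC is not an integrity check against a virus, and why a random
key fixes it.  Everything here is constructed: the 'COM file' is a few made-up bytes plus
a block of zeros (the padding reported at the end of MS-DOS 3.3 COMMAND.COM), the 'virus'
is a function, and HMAC-SHA256 stands in for the keyed CRC of the period."""
import hashlib
import hmac
import secrets
import zlib

# CRC-32 as zlib computes it: reflected polynomial 0xEDB88320, init and final xor 0xFFFFFFFF.
CRC_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# Every table entry has a distinct top byte; that is what lets the CRC be run backwards.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def forge_crc32_tail(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes t such that zlib.crc32(prefix + t) == target.  The CRC is linear and
    has no secret, so anyone who can write the file can compute this fix-up."""
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF       # internal register after `prefix`
    cur = target ^ 0xFFFFFFFF                   # register we must end on
    indexes = []
    for _ in range(4):                          # walk the last four table lookups backwards
        idx = TOP_BYTE_TO_INDEX[cur >> 24]
        indexes.append(idx)
        cur = ((cur ^ CRC_TABLE[idx]) << 8) & 0xFFFFFFFF
    tail = bytearray()
    for idx in reversed(indexes):               # now forwards, choosing each byte to hit that lookup
        tail.append((reg ^ idx) & 0xFF)
        reg = CRC_TABLE[idx] ^ (reg >> 8)
    return bytes(tail)


def crc_hits(prefix: bytes, target: int) -> bool:
    """True if the forged tail really lands the CRC on `target`."""
    return zlib.crc32(prefix + forge_crc32_tail(prefix, target)) == target


def trailing_zero_run(data: bytes) -> int:
    """Length of the block of zeros at the end of the file (the 'cave' a virus can use)."""
    end = len(data)
    while end and data[end - 1] == 0:
        end -= 1
    return len(data) - end


def build_sample_com() -> bytes:
    """Constructed stand-in for a COM file: a few code-like bytes, a string, 4000 zero bytes."""
    return bytes.fromhex("b409ba0001cd21b44ccd21") + b"clean program$" + bytes(4000)


def infect_in_place(victim: bytes, payload: bytes) -> bytes:
    """'Virus' that hides `payload` in the zero padding and rewrites the last four bytes so
    the file's CRC-32 is unchanged.  Size and CRC stay the same; only the contents change."""
    original_crc = zlib.crc32(victim)
    cave = trailing_zero_run(victim)
    if cave < len(payload) + 4:
        raise ValueError("not enough padding to hide in")
    body = victim[:len(victim) - cave] + payload + bytes(cave - len(payload) - 4)
    return body + forge_crc32_tail(body, original_crc)


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Keyed one-way check: without `key` the virus cannot compute a matching fix-up."""
    return hmac.new(key, data, hashlib.sha256).digest()


def demo() -> dict:
    clean = build_sample_com()
    key = secrets.token_bytes(32)               # chosen at install time, kept off the checked files
    baseline_crc, baseline_tag = zlib.crc32(clean), keyed_tag(key, clean)
    infected = infect_in_place(clean, b"\xeb\xfeVIRUS")   # constructed payload bytes
    return {
        "size_unchanged": len(infected) == len(clean),
        "plain_crc_fooled": zlib.crc32(infected) == baseline_crc,
        "keyed_tag_detects": not hmac.compare_digest(keyed_tag(key, infected), baseline_tag),
        "cave_check_detects": trailing_zero_run(infected) < trailing_zero_run(clean),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The four-byte fix-up works because CRC-32 is a linear function with no secret in it, so any file check built on it, random polynomial or not, is only as strong as the virus writer's ignorance of the polynomial; the random key is what removes that dependence. The caveat, which is the thread's own point about unprotected PC memory, is that on such a machine the key is only as safe as the resident program holding it.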
--------------------

Date:         Thu, 28 Jul 88 16:07:35 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

(Heavy mail is BACK on Virus-L!)

One more thing, Neil. We're more and more referring to anti-viral programs
as "Virus Detection Systems", not "Virus Prevention". The object is to
detect the virus as early as possible. You can't stop that first infection
(primary infection) from someone else's system, but you may be able to stop
it from infecting a second file, or from actually doing damage to your
system. We're relegated to fighting the symptoms rather than the viruses
themselves.

Loren

--------------------

Date:         Thu, 28 Jul 88 16:49:06 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess 862-2245" <CHESS@YKTVMV>
Subject:      How many viruses are there?

Agreed, I didn't mean to be trying to pin you down to a specific number.  I
was  just  surprised to hear a number as high as 70; I guess a lot more has
been going on than anyone has mentioned here or in similar places. I'll  be
eagerly  awaiting your posting of your list! I think the point about people
using lots of different anti-viral programs is a very good one; this is one
field where you don't want your own program to be the  One  Everyone  Uses,
because  if  it  is,  the  virus-writers will target it, take it apart, and
design circumventions. Safety in Numbers!
DC

--------------------

Date:         Thu, 28 Jul 88 16:48:04 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: Questions about Brain
In-Reply-To:  Message of Thu, 28 Jul 88 14:14:37 EDT from <LKK0@LEHIGH>

>I'd like to know who all was hit the worst by the Christmas
>Tree Exec.

IBM's VNET got it the worst. Most of the users there had literally hundreds
of ID's with which they had corresponded, with the result that thousands of
copies of the exec got out. They had to disconnect from BITNet for nearly 2
weeks (as I recall).

>How far did the Aldus virus get?

Not very. Remember, it's a self-limiting virus which burns itself out after
a one-time shot. It got into the warehouses, but there's little evidence it
actually hit the streets. Richard Brandow's contention that he did it to
prove how much piracy was going on is an unmentionable substance found in
pastures. His claim on CompuServe was that he did it because he wanted to.
(Too bad I can't type this in brimstone-spewing letters).

>Can anyone tell me about the NASA virus other than what was in
>the papers?  (NASA claims they didn't have a virus!)

Some people here may have had the Scores virus. I'm  watching  it  here  at
Goddard; we've got Vaccine to everyone we could find, along with KillScores
and Interferon.

- - Joe M.

--------------------

Date:         Thu, 28 Jul 88 16:38:48 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
In-Reply-To:  Message of Thu, 28 Jul 88 13:58:05 EDT from <LKK0@LEHIGH>

>                        ...For the Mac, I've seen a version
>of the CHRISTA virus (yes, the simple damn thing copies itself
>around your little Mac, it's not written in Rex of course),

More information about this, please. I'm  building  a  document  about  Mac
viruses. Resources, symptoms, etc. I can't use rumours.

>...the Phantom, the NASA virus, the Aldus virus, and the VULT
>virus...

The NASA virus and the  VULT  virus  should  be  the  same  one,  known  as
"Scores".  Is  the  Phantom  a new one I haven't heard of? Symptoms please.
What resources are involved?

I would appreciate your pointing me to anyone who can prove that either the
Phantom or CHRISTMA virus exists. The CHRISTA sounds like it is a  nuisance
bacterium  rather than a viral infection. I need technical data -- resource
names/numbers, modifications made by the viruses, etc.

>... the top of my head is a Mac virus which prints a picture
>of a nude female on the screen while it copies itself to any
>other disks in your system...

As I recall, this program shows the picture and erases your hard  disk;  it
doesn't  propagate  itself  as  a  virus.  Perhaps  you  mean  a bacterium?

- - Joe M.

--------------------

Date:         Thu, 28 Jul 88 15:28:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         CEARLEY_K%wizard@VAXF.COLORADO.EDU

A relatively effective software strategy for an anti-viral  program  is  to
use  the  timer  interrupt. It is done by installing a TSR which implements
two functions:

1- When loaded, it intercepts the timer interrupt vector. It then times its
   own execution and stores this duration with a  checksum.  This  prevents
   its  interrupt  from  being  preempted  by  using  timing  dependencies.

2- At 18 times per second, it compares interrupt vectors for modifications,
   these are flagged and, if restricted, they are disabled.

The resolution  is  somewhat  coarse  considering  the  number  of  machine
instructions  that  can  execute  between intervals, but it can effectively
arrest the destruction of data.

Kent Cearley, Management Systems, University of Colorado
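
An added example, not from this list or from any of the programs named in it: a Python simulation of the two schemes described above, Neil Goldman's virus that unhooks INT 13h for the duration of its own write and Kent Cearley's timer-tick vector watchdog. There is no DOS here; the vector table is a dict, handlers are functions, and a timer tick is a method call. The names rom_int13, install_write_monitor, VectorWatchdog and the two virus generators are this example's own. It runs three cases: a naive virus writing through the hook is blocked; the unhooking virus is invisible when the tick lands after it has put the hook back (the coarse resolution Kent mentions); and the watchdog only wins when a tick lands between the unhook and the write.

```python
"""Simulation of the INT 13h hook-and-unhook game.  Constructed for this example:
the IVT is a dict, interrupt handlers are plain functions, a timer tick is a call."""
from typing import Callable, Dict, Iterator, List

INT_DISK = 0x13                      # BIOS disk services vector


class Machine:
    """A toy PC: one interrupt vector table and one disk (sector -> bytes)."""

    def __init__(self) -> None:
        self.disk: Dict[int, bytes] = {}
        self.ivt: Dict[int, Callable] = {INT_DISK: rom_int13}   # ROM handler installed at boot
        self.alerts: List[str] = []                              # what the defender reported

    def int13_write(self, sector: int, data: bytes) -> None:
        """What an `INT 13h` does: dispatch through whatever the vector currently points at."""
        self.ivt[INT_DISK](self, sector, data)


def rom_int13(m: Machine, sector: int, data: bytes) -> None:
    """Stand-in for the ROM BIOS write-sector service: it writes, no questions asked."""
    m.disk[sector] = data


def install_write_monitor(m: Machine) -> None:
    """'Virus prevention' TSR: hooks INT 13h, reports each write and refuses it.
    (A real one would ask the user; refusing outright keeps the simulation simple.)"""
    def hooked_int13(m: Machine, sector: int, data: bytes) -> None:
        m.alerts.append(f"blocked write to sector {sector}")
    m.ivt[INT_DISK] = hooked_int13


class VectorWatchdog:
    """Timer-interrupt scheme: snapshot the vectors when loaded and, on each tick,
    flag and undo any vector that has changed since."""

    def __init__(self, m: Machine) -> None:
        self.m = m
        self.snapshot = dict(m.ivt)

    def tick(self) -> None:
        for vector, handler in self.snapshot.items():
            if self.m.ivt[vector] is not handler:
                self.m.alerts.append(f"vector {vector:#x} changed; restored")
                self.m.ivt[vector] = handler


# Viruses are generators so the scheduler can land timer ticks between their steps.

def naive_virus(m: Machine) -> Iterator[str]:
    """Writes through INT 13h as found, so whatever hook is installed sees the write."""
    m.int13_write(7, b"VIRUS")
    yield "wrote"


def unhooking_virus(m: Machine) -> Iterator[str]:
    """If the vector does not point at the BIOS, point it there, write, then put the
    intercepting program's hook back exactly as it was."""
    saved = m.ivt[INT_DISK]
    if saved is not rom_int13:           # stands in for 'does the vector point into ROM?'
        m.ivt[INT_DISK] = rom_int13
    yield "unhooked"
    m.int13_write(7, b"VIRUS")
    yield "wrote"
    m.ivt[INT_DISK] = saved              # the user sees the hook as before
    yield "rehooked"


def run(virus, tick_every: int) -> Machine:
    """Boot with the monitor and watchdog loaded, run the virus, and fire a watchdog tick
    after every `tick_every` virus steps (0 = no tick lands while the virus runs)."""
    m = Machine()
    install_write_monitor(m)
    dog = VectorWatchdog(m)              # loaded after the monitor, so its snapshot holds the hook
    for n, _step in enumerate(virus(m), start=1):
        if tick_every and n % tick_every == 0:
            dog.tick()
    return m


if __name__ == "__main__":
    for name, virus, every in [("naive virus", naive_virus, 0),
                               ("unhooking virus, tick after it finishes", unhooking_virus, 3),
                               ("unhooking virus, tick between its steps", unhooking_virus, 1)]:
        m = run(virus, every)
        print(f"{name}: disk={m.disk} alerts={m.alerts}")
```

The generator steps are the knob for "how many instructions run between ticks". At 18 ticks a second, a real unhook-write-rehook sequence of a few dozen instructions almost always falls in the second case, which is why watching vectors from a timer is a useful tripwire against hooks that persist but, as Loren says above, not the answer to all our problems.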

--------------------

Date:         Thu, 28 Jul 88 16:55:12 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         SHERK@UMDD
Subject:      Questions about Brain
In-Reply-To:  Message received on Thu, 28 Jul 88  15:10:07 EDT

Here at the University of Maryland the (c) Brain virus was first noticed
about a year and a half ago. We have several floppy-based labs on campus that
are run by the business school. Data security at these labs was not the
best and eventually all the boot disks were infected. The version of Brain
we had was totally benign, but a big stink was raised when the Brain virus
infected some floppies that had bad physical media. Everyone said that the
Brain had mutated into a malignant virus! Today, infections by the Brain
virus are very rare on campus. We stamped out the virus with a simple three
part attack.

1. I downloaded the NOBRAIN.C program from VIRUS-L. With a fair amount of
hacking I made it work with the version of Brain we had. I distributed the
program to the Lab managers on campus, and for a while they put a command
to run the program in AUTOEXEC.BAT.

2. We had a campaign to educate users on the importance of write protect
tabs.

3. And finally we stopped buying cheap disks.

I suspect that in September we will see it again, as students inadvertently
bring it back to school. With these simple precautions we should  be  ready
for it.

Although I have heard many rumors, I have yet  to  see  any  virus  on  the
University of Maryland campus that did any damage.

Erik Sherk

--------------------

Date:         Thu, 28 Jul 88 15:53:01 mdt
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Warning -- original Sender: tag was
From:         Bill Kinnersley <iphwk@MTSUNIX1.BITNET>
Subject:      Re: Trapping Direct Disk Write Calls

[In "Re: Trapping Direct Disk Write Calls", Len Levine said:]

> Very interesting about command.com.  That file, as released in
> msdos level 3.3 contains a 4000 byte block of zeros at its end, which
> makes it VERY easy to add code.

> I cannot fathom why they put that area into the process.

Perhaps they pad their software with  zeroes  to  avoid  possible  shipping
damage. :-)

--------------------

Date:         Thu, 28 Jul 88 23:25:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      RE: Questions about Brain

>Does anyone have a copy of the Apple version of Core Wars?

A Macintosh version of Core Wars can be obtained from  LISTSERV@RICE.BITNET
by sending the command (in the first line of a MAIL message)

$MAC GET DEMO-COREWARS.HQX

This will get you the BinHex-ed version of  the  program,  along  with  the
documentation.  You'll  need  BinHex  and  PackIt  (or  UnPackIt) (or is it
StuffIt; I don't remember, sorry) to recreate the application. If you don't
have them, ask around. Someone local should have them.

>I'd like to know who all was hit the worst by the Christmas Tree Exec.

The worst case, based on reports in RISKS TO  THE  PUBLIC  IN  THE  USE  OF
COMPUTERS  AND  OTHER AUTOMATED SYSTEMS (a.k.a. RISKS Digest) would have to
be IBM's internal network, called VNET. It slowed it down to such an extent
that most of it had to be shut down until the program could be removed from
the mail queues.

>Can anyone tell me about the NASA virus other than what was in
>the papers?  (NASA claims they didn't have a virus!)

This is a new one to me, I think. SPAN/HEPNet had one H*ll  of  a  case  of
crackers, though! They almost made VMS Security an oxymoron.

>Loren
_______________________________________________________________________________
|  James M. Shaffer, Jr.   | Bitnet: shafferj@bknlvms     CIS: 72750,2335     |
|  P.O. Box C-2658         | Internet: shafferj%bknlvms.bitnet@cunyvm.cuny.edu|
|  Bucknell University     | UUCP: ...!psuvax1!bknlvms.bitnet!shafferj        |
|  Lewisburg, PA USA 17837 | CSNet: shafferj%bknlvms.bitnet@relay.cs.net      |
- -----------------------------------------------------------------------------
| "He's old enough to know what's right and young enough not to choose it;    |
|  He's noble enough to win the world but fool enough to lose it."            |
|                                   -- Rush, "New World Man", on _Signals_    |
- -----------------------------------------------------------------------------
Disclaimer:  I'm not the list owner!  (See the last NetMonth.)       :-)

--------------------

Date:         Thu, 28 Jul 88 22:15:00 -0500
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     converted from NETDATA format at UOFMCC
From:         Steve Morrison <b1morri@CCU.UMANITOBA.CA>
Subject:      request for opinions on future...
In-Reply-To:  <270*b1morri@ccu.UManitoba.CA>

The scenario could be a mad-hacker, plugging away at a keyboard in the back
of a dimly lit office, creating a virus like no  virus  ever  seen  before.
Viruses  are  going  to  be  like  methods  of cheating at cards or on your
spouse. The analogy would be having mice evolve into a  bigger  species  to
defeat  mouse traps - unless the traps are built bigger, the mice will win.

Thoughts from someone who was out in sun today....
Devo_Stevo aka Stephen D. Morrison
B1Morri@CCU.UManitoba.CA

--------------------

*** end of Virus-L issue ***
