Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25997; Tue, 12 Jun 90 07:15:22 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA13098; Tue, 12 Jun 90 07:15:18 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04484; Tue, 12 Jun 90 07:14:51 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa10540; 12 Jun 90 11:31 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:09:00 BST 
Message-Id:   <$TGVTCZHTCBVZ at UMPA>
Subject:      Virus-L vol 0 issue #0817



Virus-L Digest Wed, 17 Aug 88, Volume 0 : Issue #0817

Today's Topics

Dr. Cohen's Dissertation
re: VIRUS-L TOPICS
COMMAND.COM and viruses
Re: Virus-L Topics
Amendmend from a REXXpert (or a would-rather-be-REXXpert :-)
re: VIRUS-L TOPICS
Where in the heck are those Papers?
Cohen thesis
Re: AT configuration
More on command.com
Re: More on command.com
Re:re:command.com
"Computers and Security"
How to subscribe to _Computers and Security_
Re:re:command.com
RE: Re:re:command.com
Command.com again
System Generality
Conference Speaches
viruses

------------------------------

Date:         Wed, 17 Aug 88 12:19:32 SST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Date: 8-17-88  12:16pm
Comments:     From: anyone:Staff:ISS
Comments:     To: {virus-l@lehiibm1}:bitnet
Comments:     cc: Jim
Comments:     Subj: Dr. Cohen's Dissertation
From:         Jim Crooks <ANYONE@ISS.NUS.AC.SG>
Subject:      Dr. Cohen's Dissertation

Is Dr. Cohen's Dissertation available anywhere (for $$$)? Anyone
know how to go about getting a copy?

Thanks,
James W. Crooks
Member, Advanced Technology Application Staff
Telebox(DIALCOM): 12:GVT331   ATTN:((JIM))
BITNET:           JIM@ISS.NUS.AC.SG
BIX:              jw.crooks
Institute of Systems Science, National University of Singapore
Heng Mui Keng Terrace, Kent Ridge, Singapore 0511

--------------------

Date:         Wed, 17 Aug 88 12:19:23 SST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Date: 8-17-88  12:15pm
Comments:     From: anyone:Staff:ISS
Comments:     To: {virus-l@lehiibm1}:bitnet
Comments:     cc: Jim
Comments:     Subj: re: VIRUS-L TOPICS
From:         Jim Crooks <ANYONE@ISS.NUS.AC.SG>
Subject:      re: VIRUS-L TOPICS

In Reply To:  Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
              Tue 16 Aug 88
>                                                 Generally,
> if you want to learn about various subjects, get articles
> on them, there are many published.

Agreed - I think that we could further the aims of this list if
there was a compiled bibliography of "Computer Virology". In fact
I'd be willing to compile one for submission to Ken van Wyk to be
put up as a listserv file, if all you VIRUS-L'ers will send
references to me... %please to my personal id: jim@iss.nus.ac.sg
the id on the envelope is a distribution system|

> Problems sometimes result from the fact that there are some
> people on this list (William Murray, Joseph Beckman and others)
> who truly do know something about viruses and security
> problems, and there are others who really don't.  I
> think it's often hard to discuss things.

Discuss already - the novices will just have to read the message
logs and literature references to get up to speed. Discuss the
*REAL* issues and problems at hand on the list. That is one of
the known problems of discussion lists; some noise in the signal.

> One of the things I like the most about having a virus conference
> is that we will be given the chance to exchange ideas and if anyone
> wants to learn something, it's much easier to discuss ideas and
> theories in person rather than over a list.

I agree that face-to-face discussion is "easier" than phone or
message, but some of us who won't be able to get to the
conference have to make do with what is available.

James W. Crooks
Member, Advanced Technology Application Staff

Telebox(DIALCOM): 12:GVT331   ATTN:((JIM))
BITNET:           JIM@ISS.NUS.AC.SG
BIX:              jw.crooks

Institute of Systems Science, National University of Singapore
Heng Mui Keng Terrace, Kent Ridge, Singapore 0511

--------------------

Date:         Wed, 17 Aug 88 03:29:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU>
Subject:      COMMAND.COM and viruses

Two people have recently mentioned how they protect COMMAND.COM from
infection by virus. While their system may (and may not) protect them against
today's viruses, they are not a significant barrier to even fairly "stupid"
viruses.

First of all, running your CLI out of a ramdisk is not going to fool most
viruses. Unfortunately, MS-DOS makes it easy for viruses to spot what is
most likely to be your real CLI- C:\COMMAND.COM

It would probably protect you much more to partition your disk so that
you have a 1 MB C: partition and the rest of your disk in D:.  Boot up with
the COMSPEC set to D:COMMAND.COM. This will give better results.

Of course, while experts can get their disk to have any name they like,
most users will always be running out of the C: device. Too bad. File
systems with named devices would eliminate this problem. (Mac HFS, for example)

Secondly, this again brings up the topic of disguised viruses. Someone (Art
Lakey?) said that a virus would not be likely to use device drivers as a
vector since he would notice the difference. In fact, this is one of the more
trivial types of disguise a virus might use- just make sure that any
references to the CONFIG.SYS file don't show the line, make sure updates don't
clobber the line, and hide the driver in the way discussed in my previous
article on camouflaged viruses.

Actually, that's not so trivial... but compared to some of the horror-story
viruses being discussed recently, it's pretty tame.

/a

--------------------

Date:         Wed, 17 Aug 88 11:40:37 IST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Yosi <CCAYOSI@TECHNION>
Subject:      Re: Virus-L Topics
In-Reply-To:  Message of Tue,
              16 Aug 88 11:29:21 EDT from <luken@SPOT.CC.LEHIGH.EDU>

Hello there,

Reading the mail in the list teaches me a lot. I live far away so
no chance that I come to the conference. Starting to keep subjects
out of range for this list - save them for the conference - will
harm those that will not go there.

It will be nice to know that subjects raised in the conference -
will be summarized here.

To the discussion started by Loren K Keim - It is important to read
summarized 'lectures' as well as techniques to prevent viruses :
mixing theory with practice.

Yosi

|||||||||||||||||||||
- ----------------------------
| YOSI ALMOG                          PHONE: WORK - 972-(0)4-292173
| USER SERVICES CONSULTANT
* TECHNION - ISRAEL INSTITUTE OF TECHNOLOGY
* TAUB COMPUTER CENTER
* ARPANET : CCAYOSI@TECHNION.BITNET@CUNYVM.CUNY.EDU
* DOMAIN  : CCAYOSI@TECHNION.TECHNION.AC.IL
* BITNET:   CCAYOSI@TECHNION

--------------------

Date:         Wed, 17 Aug 88 07:18:36 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     In-Reply-To: Poster of 16 Aug 88 09:54:00 EDT from WHMurray at
              DOCKMASTER.ARPA
From:         Otto Stolz +49 7531 88 2645 <RZOTTO@DKNKURZ1>
Subject:      Amendmend from a REXXpert (or a would-rather-be-REXXpert :-)

> If it does not know its own name, a condition equally easily met, ...
No, because every REXX program knows its own name by means of the
PARSE SOURCE statement.

Btw, every REXX program knows its own source code by means of the
sourceline function, which makes virus-writing easier.

> ... it is not totally environment independent.
> ... it is difficult to write a REXX script that will run across
> environments.
Yes, and to the extent that the very statements a bacterium or virus
would use to propagate (e.g. COPYFILE) are *not* part of the REXX
language (at least not of every implementation) but rather of the
environment.  Regrettably, this constraint is relaxed by two mechanisms:
1. every REXX program knows the environment it's running in (PARSE
   SOURCE and PARSE VERSION);
2. REXX can be used to program the XEDIT editor (available on CMS and
   PC -- I don't know about TSO/E) which constitutes a much more
   versatile and compatible environment.

Best wishes
            Otto

--------------------

Date:         Wed, 17 Aug 88 07:54:20 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      re: VIRUS-L TOPICS
In-Reply-To:  Your message of Wed, 17 Aug 88 12:19:23 SST

> Agreed - I think that we could further the aims of this list if
> there was a compiled bibliography of "Computer Virology". In fact
> I'd be willing to compile one for submission to Ken van Wyk to be
> put up as a listserv file, if all you VIRUS-L'ers will send
> references to me... please to my personal id: jim@iss.nus.ac.sg
> the id on the envelope is a distribution system|

Great idea!  I've had a number of requests for good references and
where to get them.  It would be very worthwhile having a bibliography
(of sorts) here on the LISTSERV.  Jim, send me what you have, and I'll
put it up.  Thanks!

Ken

Kenneth R. van Wyk                    Today - 19th anniversary of Woodstock.
User Services Senior Consultant
Lehigh University Computing Center    You kids are great!
Internet: <luken@Spot.CC.Lehigh.EDU>    - Max Yasger, the man who owned the
BITNET:   <LUKEN@LEHIIBM1>                 farm on which Woodstock was held.

--------------------

Date:         Wed, 17 Aug 88 09:25:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         the Preserver <VISHNU@UFPINE>
Subject:      Where in the heck are those Papers?

Recently on this list, some people have advocated that in general the
members of this list should go out and read some references. Agreed,
but where are they? I believe someone came up with the idea of making
a VIRUS-L bibliography, an idea I laud, however, I have noticed that
certain people even when they do give references (which is almost never)
do not give complete or correct references. As to Mr. Cohen's dissertation,
I recently called USC and tried to get a copy of it, and I was told that
the author had pulled it from circulation, apparently so he could
publish a book. I would like to borrow someone's copy to read, since I am
sure the book will be out RSN. A final request, could someone send me
information on how to subscribe to Computers and Security.

Thanks

Les

vishnu@pine.circa.ufl.edu
vishnu@ufpine

--------------------

Date:         Wed, 17 Aug 88 09:59:55 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Art Larky  <AIL0@LEHIGH>" <AIL0@LEHIGH>
Subject:      Cohen thesis

  This may or may not be the case with Fred's thesis, but most universities
require that theses be published by having them filed on microfilm by
University Microfilms in Ann Arbor, Michigan.  Some helpful soul might
want to contact them to see if it is available there.
  Art Larky

--------------------

Date:         Wed, 17 Aug 88 09:03:40 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: AT configuration
In-Reply-To:  Message from "Kenneth R. van Wyk" of Aug 15, 88 at 4:03 pm

>>I can run a program that permits me to tell the battery operated RAM
>>package that I have one of 45 or so different hard disks, or by
>>putting a zero in some location tell it that I have no hard disk.  Can
>>a virus guess what sort of disk I have?
[..]
>                                                      Also, chances are
>pretty good that a virus wouldn't try to assume that you have a hard disk
>if DOS says that there is none present - it would be shooting into the
>dark so to speak.
>
>Ken
>

That was just my point.  At least for the next little while, we can
expect that virus codes will not look for hard disks on systems that
show none.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Wed, 17 Aug 88 10:15:11 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Art Larky  <AIL0@LEHIGH>" <AIL0@LEHIGH>
Subject:      More on command.com

Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> writes:

>First of all, running your CLI out of a ramdisk is not going
> to fool most
>viruses. Unfortunately, MS-DOS makes it easy for viruses to
>spot what is
>most likely to be your real CLI- C:\COMMAND.COM

My suggestion was to get rid of C:\COMMAND.COM entirely by
re-naming the file to something personal (LEHIGH7.COM, for
example) and changing the name in IO.SYS.  Then the only
place where the file exists as COMMAND.COM is on ram disk.
The virus will have no problem finding it there since that
is what comspec will point to; however, that's an expendable
version.  Of course, the virus could look in IO.SYS for the
real name, but it has to do that after boot-up and after
the clean command.com and autoexec have had a chance to run
and look for trouble.  Hopefully, the virus will be content
to feast on easier pickings!
  Art Larky

--------------------

Date:         Wed, 17 Aug 88 10:26:34 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: More on command.com
In-Reply-To:  Your message of Wed, 17 Aug 88 10:15:11 EDT

> My suggestion was to get rid of C:\COMMAND.COM entirely by
> re-naming the file to something personal (LEHIGH7.COM, for
> example) and changing the name in IO.SYS.

I believe that it's even easier than that; you can put a
SHELL=C:\LEHIGH7.COM statement in your CONFIG.SYS file.  Of course, a
virus *could* parse the CONFIG.SYS for a SHELL statement...

Ken


Kenneth R. van Wyk                    Today - 19th anniversary of Woodstock.
User Services Senior Consultant
Lehigh University Computing Center    You kids are great!
Internet: <luken@Spot.CC.Lehigh.EDU>    - Max Yasger, the man who owned the
BITNET:   <LUKEN@LEHIIBM1>                 farm on which Woodstock was held.

--------------------

Date:         Wed, 17 Aug 88 12:28:58 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Art Larky  <AIL0@LEHIGH>" <AIL0@LEHIGH>
Subject:      Re:re:command.com

>> My suggestion was to get rid of C:\COMMAND.COM entirely by
>> re-naming the file to something personal (LEHIGH7.COM, for
>> example) and changing the name in IO.SYS.

>I believe that it's even easier than that; you can put a
>SHELL=C:\LEHIGH7.COM statement in your CONFIG.SYS file.  Of course, a
>virus *could* parse the CONFIG.SYS for a SHELL statement...

>Ken

True, I guess I feel better having the file name buried in autoexec,
particularly since I could have autoexec execute some program with
an innocuous name that, in fact, was copying my 'LEHIGH7.COM' to ram
under the command.com name.  Now the virus has to examine everything
that autoexec executes looking for my copy program.  I could encode
the file names in that program so they would not be recognizable
and could not be parsed by the virus.  As I said before, go pick on
a smaller guy, Mr Virus.
  Art Larky

--------------------

Date:         Wed, 17 Aug 88 14:03:47 LCL
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Scott C Crumpton <NESCC@NERVM>
Subject:      "Computers and Security"

Would someone please post an address and subscription info
for "Computers and Security".  Thanks.

- -Scott.

* - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - *
|  Scott C. Crumpton                |  Bitnet:   nescc@nervm            |
|  MVS Systems Programmer           |  Internet: nescc%nervm.bitnet     |
|  NE Regional Data Center          |  Voice:    904-392-4601           |
|  233 Space Sci. Research Bldg.    * - * - * - * - * - * - * - * - * - *
|  University of Florida            |  If you want an official opinion, |
|  Gainesville,  FL  32611  USA     |  ask my cat.  That's his job.     |
* - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - *

--------------------

Date:         Wed, 17 Aug 88 14:29:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         the Preserver <VISHNU@UFPINE>
Subject:      How to subscribe to _Computers and Security_

Many thanks to Ken for providing me with a lead.

To get a complimentary copy of _Computers and Security_

send a letter requesting such to

Computers and Security
c/o Dr. Highland
562 Croydon Road
Elmont, NY
11003

Please include your name, organization (if any), and mailing address.

The complimentary copy will arrive in about 4-6 weeks, and (I guess?)
subscription information will be inside it.

Les
vishnu@pine.circa.ufl.edu
vishnu@ufpine

--------------------

Date:         Wed, 17 Aug 88 13:47:16 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re:re:command.com
In-Reply-To:  Message from "Art Larky" of Aug 17, 88 at 12:28 (noon)

>
>>> My suggestion was to get rid of C:\COMMAND.COM entirely by
>>> re-naming the file to something personal (LEHIGH7.COM, for
>>> example) and changing the name in IO.SYS.
>
>
>True, I guess I feel better having the file name buried in autoexec,
>particularly since I could have autoexec execute some program with
>an innocuous name that, in fact, was copying my 'LEHIGH7.COM' to ram
>under the command.com name.  Now the virus has to examine everything
>that autoexec executes looking for my copy program.  I could encode
>the file names in that program so they would not be recognizable
>and could not be parsed by the virus.  As I said before, go pick on
>a smaller guy, Mr Virus.
>  Art Larky
>

I truly do not understand how you can use autoexec.bat for protection.
That program gets run very late in the boot process.  As I understand
it, the boot examines config.sys to see what is to be established as a
part of the io and msdos resident portions of the code, and only then
brings up command.com (or its alias) and finally after command.com is
loaded, it is executed with autoexec running as the first job.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Wed, 17 Aug 88 15:38:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         ZDABADE@VAX1.CC.LEHIGH.EDU
Subject:      RE: Re:re:command.com

For *most* Command.com viruses, isn't it better to get rid of the virus
as soon as possible (using autoexec.bat techniques such as Art Larky and I
have suggested) than not protecting in such a manner at all?  The less time
the virus is around, the better a computer's chances for survival, I think.
Mr. Levine: What method do you use in protecting from this strain of virus?

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
|    From:  David A. Bader, Studentis Maximus                             |
|                                                                         |
|    DAB3@LEHIGH                       SloNet: 1402 Lorain Avenue         |
|    ZDABADE@VAX1.CC.LEHIGH.EDU                Bethlehem, Pa.  18018      |
|                                                                         |
|    SchoolNet: Box 914,               -On a mostly harmless              |
|            Lehigh University,         blue green planet...              |
|          Bethlehem, Pa.  18015       -And loving it!                    |
\________________________________________________________________________/

--------------------

Date:         Wed, 17 Aug 88 17:24:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Art Larky  <AIL0@LEHIGH>" <AIL0@LEHIGH>
Subject:      Command.com again

Len Levine <len@EVAX.MILW.WISC.EDU> says:

>I truly do not understand how you can use autoexec.bat for protection.
>That program gets run very late in the boot process.  As I understand
>it, the boot examines config.sys to see what is to be established as a
>part of the io and msdos resident portions of the code, and only then
>brings up command.com (or its alias) and finally after command.com is
>loaded, it is executed with autoexec running as the first job.

  I'm assuming that you have been able to defend yourself enough so
that you are starting out with a clean copy of the re-named
command.com and have not yet been infected.  Then everything is under
your control through the boot process and you are working with a
benign, healthy, un-adulterated command.com.  If you have checked
and medically certified your autoexec.bat, then you are starting
up your system cleanly.  Autoexec can contain the code to make the
temporary copy of command.com in ram disk (from hidden sources and
using encrypted file names) and can run your CRC checkers and set
up Flushot or whatever to watch over what you do after that.

  If, despite your precautions, command.com gets infected, it's
only the ram copy and that goes away when you reboot.

  If you want to be safe truly, don't let anyone near your machine
and don't ever run anyone else's software or anyone else's disks.

  What I hope I am suggesting is a method of making infecting
my command.com hard enough that the virus will not get a good
toe-hold on my system.

  Keep the comments coming - as long as I can argue them down,
we have a viable possibility for protection.

    Art Larky
    Professor, CSEE, Lehigh University
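
Added example, not part of any post in this digest: a sketch of the "CRC checker" step mentioned above, applied to whichever shell CONFIG.SYS names with SHELL= (falling back to COMMAND.COM). The function names, the baseline dictionary and the file contents are constructed for illustration; Python and CRC-32 are assumptions standing in for whatever tool a site actually ran.

```python
import os
import tempfile
import zlib


def shell_from_config(config_text, default="COMMAND.COM"):
    """Return the file name on a SHELL= line of CONFIG.SYS, or the default."""
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().upper() == "SHELL" and value.strip():
            path = value.split()[0]  # first token is the program, rest are switches
            # Drop drive and directory: C:\LEHIGH7.COM -> LEHIGH7.COM
            return path.replace("/", "\\").split("\\")[-1].split(":")[-1].upper()
    return default


def crc32_of(path):
    """CRC-32 of a file, read in chunks."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(4096), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def check_shell(root, baseline):
    """Check the configured shell against a CRC recorded while it was clean.

    Returns (shell_name, status); status is 'ok', 'modified', 'missing',
    or 'no-baseline' when SHELL= names a file that was never recorded.
    CRC-32 only catches changes that do not try to preserve the checksum;
    a cryptographic hash such as SHA-256 is the current choice.
    """
    cfg = os.path.join(root, "CONFIG.SYS")
    text = ""
    if os.path.exists(cfg):
        with open(cfg, "r", encoding="latin-1") as fh:
            text = fh.read()
    name = shell_from_config(text)
    if name not in baseline:
        return name, "no-baseline"
    target = os.path.join(root, name)
    if not os.path.exists(target):
        return name, "missing"
    return name, "ok" if crc32_of(target) == baseline[name] else "modified"


def demo():
    """Run the check over a constructed boot volume in a temp directory."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "CONFIG.SYS")
        shell = os.path.join(root, "LEHIGH7.COM")
        with open(cfg, "w") as fh:
            fh.write("FILES=20\nSHELL=C:\\LEHIGH7.COM /P\n")
        with open(shell, "wb") as fh:  # constructed stand-in, not a real shell
            fh.write(b"\xe9\x00\x00constructed stand-in for the shell image")
        baseline = {"LEHIGH7.COM": crc32_of(shell)}  # recorded while clean
        results.append(check_shell(root, baseline))

        with open(shell, "r+b") as fh:  # simulate tampering: change one byte
            fh.seek(3)
            fh.write(b"X")
        results.append(check_shell(root, baseline))

        with open(cfg, "w") as fh:  # simulate a rewritten SHELL= line
            fh.write("SHELL=C:\\OTHER.COM\n")
        results.append(check_shell(root, baseline))
    return results


if __name__ == "__main__":
    for name, status in demo():
        print(name, status)
```

The third case is why the SHELL= line itself needs watching: a checker that only ever looks at the file it expects reports nothing when CONFIG.SYS is pointed at a different shell.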

--------------------

Date:         Wed, 17 Aug 88 19:20:14 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      System Generality

Since it was brought up,

Computer Generality basically means that a computer is
designed for one function, unlike an IBM PC which can
be used for many many functions.

Fred Cohen has stated in the past that we should limit
a machine's usefulness in order to prevent viral spread.
I'm not sure that is the answer.

Agreed that if a computer cannot produce multiple functions,
it's very difficult, if not impossible, to propagate a virus
through that particular system.

Unfortunately, the machines that are most at risk from damage
from computer viruses are government computers, banking
computers and so on.  If we make these machines specific to
a purpose (ie: have a database program in ROM and allow no
other program to run), then we limit our ability to climb
the technological ladder.  As we design faster and better
systems, we have to replace everything we have.  If we
do not have these machines as specific purpose machines,
then they are still in almost as great a risk group as
before.

Loren

--------------------

Date:         Wed, 17 Aug 88 19:24:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Conference Speaches

For the many, many people who sent me letters asking if
they could get "minutes" from this conference:

I will try to compile copies of all the speeches made at
this conference and have someone take notes on panel
discussions.  We will then make this available to those
who cannot make the meeting.  The book which we will be
distributing at the conference will also be available.
We will probably charge for the book, to handle printing
costs and shipping costs, but I think it will be well
worth it.

Incidentally, we've had a lot of talk about protecting
command.com on MS-DOS micros.

And we've had quite a few good comments.  One thing I should
point out though is that command.com viruses are a small
portion of the types of viruses out there that hide themselves
in the boot sector, Bios, Io, executables, command files, in
memory, and even between sectors (theoretical, I haven't
seen one myself).  Protecting command.com helps to protect
your system, but the system must be protected as a whole,
which is more difficult.

Loren

--------------------

Date:         Wed, 17 Aug 88 22:05:34 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David A. Bader" <DAB3@LEHIGH>
Subject:      viruses

Loren Keim states:

>Agreed that if a computer cannot produce multiple functions,
>it's very difficult, if not impossible, to propagate a virus
>through that particular system.

Doesn't the very definition of a "computer" mean that it can perform
various functions?  Otherwise what would the use of one be besides a
paperweight?

Loren continues:
>>
Unfortunately, the machines that are most at risk from damage
from computer viruses are government computers, banking
computers and so on.  If we make these machines specific to
a purpose (ie: have a database program in ROM and allow no
other program to run), then we limit our ability to climb
the technological ladder.  As we design faster and better
systems, we have to replace everything we have.  If we
do not have these machines as specific purpose machines,
then they are still in almost as great a risk group as
before.

Loren
>>endquote

What reasons do you have that banks and government systems are more
infested with viruses??? Although it must be a hard statistic to find,
since most humans don't know what a computer virus is even if it were to
kill their main-frame or PC, I would think that the major virus attack
is on such computers as PC labs, university systems, (and other "public
sites" that can't monitor most users of the system.)  On a banking
system, for all our monies sake, I would hope that 1) only authorized
administrators use the computer, and 2) none of them want to kill their
bank's files.  (The same reasoning goes with the government.)

David A. Bader
DAB3@LEHIGH

--------------------

*** end of Virus-L issue ***
