Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25921; Tue, 12 Jun 90 06:54:08 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA13014; Tue, 12 Jun 90 06:54:02 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04336; Tue, 12 Jun 90 06:53:32 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa10502; 12 Jun 90 11:30 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:10:36 BST 
Message-Id:   <$TGVTCZHTCBWJ at UMPA>
Subject:      Virus-L vol 0 issue #0824



Virus-L Digest Wed, 24 Aug 88, Volume 0 : Issue #0824

Today's Topics

Computer Virus Research
RE: Re: Virus Immunizer Add
RE: Controlled Study of Viruses
RE: Computer Virus Research
Question
Re: Question
Re: Virus Immunizer Add
Re: Question
copies
Dup Mail
More administravia (re: duplicate mail)
RE: Re: Virus Immunizer Add
Re: Openness; Viruses and Software Companies; Insurance
Re: copies
virus chronology
Re:  More administravia ...
Re: distribution
Computer Virus Research Questions
Re: Virus Immunizer Add
Dueling Viruses
Accidentally Releasing Viruses
Re: More administravia (re: duplicate mail)
update on mail duplication woes... :-(
NETiquette
Hard Disks
Re: Controlled Study of Viruses
Re: Openness; Viruses and Software Companies; Insurance
a new virus:

------------------------------

Date:         Wed, 24 Aug 88 00:30:01 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David.Slonosky@QUEENSU.CA
Subject:      Computer Virus Research

Is the academic based research of computer viruses a big thing in the
States? In Canada? Anywhere?
By "academic based", I mean is there a specific portion of a university
computing science department devoted to unravelling the code of these
things, inventing security measures to prevent their spread, hiring
graduate students to write/examine them, applying to major industries
for grants to combat them, and so on.

Just curious. If this violates national security or something, then
you don't have to tell me. Is Lehigh like this? All the contributors
have obviously been exposed to the Lehigh virus or know of it.

David Slonosky/QueensU/CA,"",CA       |         Know thyself?            |
<SLONOSKY@QUCDN>                      |  If I knew myself, I'd run away. |

--------------------

Date:         Wed, 24 Aug 88 01:36:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         ZDABADE@VAX1.CC.LEHIGH.EDU
Subject:      RE: Re: Virus Immunizer Add

When you discuss a package such as the IMMUNIZER for a hundred bucks,
how can it have as much sophistication and road testing as FluShot
(for free)??? And we *know* how many problems Ross Greenberg has had with
getting FSP to work with ALL types of systems...

David


/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
|    From:  David A. Bader, Studentis Maximus                             |
|                                                                         |
|    DAB3@LEHIGH                       SloNet: 1402 Lorain Avenue         |
|    ZDABADE@VAX1.CC.LEHIGH.EDU                Bethlehem, Pa.  18018      |
|    HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                   |
|                                                                         |
|    SchoolNet: Box 914,               -On a mostly harmless              |
|            Lehigh University,         blue green planet...              |
|          Bethlehem, Pa.  18015       -And loving it!                    |
\________________________________________________________________________/

--------------------

Date:         Wed, 24 Aug 88 01:42:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         ZDABADE@VAX1.CC.LEHIGH.EDU
Subject:      RE: Controlled Study of Viruses

Loren,

You seem fine with a word processor, but how do people *really* know
that what you say is true and that you would *never* spread a virus???
I mean sending an unknown person a lot of viruses is a potential for danger.
I know you and know that you would never release a virus on any system, but
can you see the situation that would arise if someone else out there also
got a copy of the viruses "to study" but instead had other plans for them!
As it stands, sending you viruses HAS to be a weak link in security because
I doubt that most of the places sending to you have even met you in person.

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
|    From:  David A. Bader, Studentis Maximus                             |
|                                                                         |
|    DAB3@LEHIGH                       SloNet: 1402 Lorain Avenue         |
|    ZDABADE@VAX1.CC.LEHIGH.EDU                Bethlehem, Pa.  18018      |
|    HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                   |
|                                                                         |
|    SchoolNet: Box 914,               -On a mostly harmless              |
|            Lehigh University,         blue green planet...              |
|          Bethlehem, Pa.  18015       -And loving it!                    |
\________________________________________________________________________/

--------------------

Date:         Wed, 24 Aug 88 01:49:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         ZDABADE@VAX1.CC.LEHIGH.EDU
Subject:      RE: Computer Virus Research

>Just curious. If this violates national security or something, then
>you don't have to tell me. Is Lehigh like this? All the contributors
>have obviously been exposed to the Lehigh virus or know of it.

I assume that most of the Lehigh students, graduates, and staff members
at Lehigh University who subscribe here are interested in the Lehigh virus
because it was a new curiosity for us to explore.

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
|    From:  David A. Bader, Studentis Maximus                             |
|                                                                         |
|    DAB3@LEHIGH                       SloNet: 1402 Lorain Avenue         |
|    ZDABADE@VAX1.CC.LEHIGH.EDU                Bethlehem, Pa.  18018      |
|    HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                   |
|                                                                         |
|    SchoolNet: Box 914,               -On a mostly harmless              |
|            Lehigh University,         blue green planet...              |
|          Bethlehem, Pa.  18015       -And loving it!                    |
\________________________________________________________________________/

--------------------

Date:         Wed, 24 Aug 88 14:04:06 MEZ
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Konrad Neuwirth <A4422DAE@AWIUNI11>
Subject:      Question

I have a question just out of curiosity.
What happens if I have a virus (not knowing it), and a second virus comes
to infect the system, too? Do I get virus wars? Does one kill the other?
Do both work on my system and kill it? Do both write themselves on new disks?

thank you
/konrad

--------------------

Date:         Wed, 24 Aug 88 08:19:54 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: Question
In-Reply-To:  Your message of Wed, 24 Aug 88 14:04:06 MEZ

> I have a question just out of curiosity.
> What happens if I have a virus (not knowing it), and a second virus comes
> to infect the system, too? Do I get virus wars? Does one kill the other?
> Do both work on my system and kill it? Do both write themselves on new disks?

That all depends on how the two viruses function.  For example, if one
of the two viruses infects the boot track and another appends itself
onto executable files, then it's certainly possible to have two active
viruses on one system.  Each one would act independently of the other.
If they both infect the boot track, however, then the results would
depend on how "well" each virus is written.  That is, if they go to
great extremes to make sure that the existing boot track is stored in
an unused place, and that it gets executed normally, then it's
possible that both would function normally.  It would seem more
likely, however, that the end result would be a no-longer-bootable
disk...  The bottom line is that it depends on how the two viruses
were written.

Ken



Kenneth R. van Wyk                    Calvin: Lets see what happens if we cook
User Services Senior Consultant               popcorn without a lid!  (POP!)
Lehigh University Computing Center    Calvin: Wow, that's more fun than
Internet: <luken@Spot.CC.Lehigh.EDU>       exploding a potato in the microwave!
BITNET:   <LUKEN@LEHIIBM1>            Hobbes: Lets do some more!

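A toy model of the situation Ken describes, added here as an illustration; it is not part of the original digest and is not the code of any real virus. A disk is a list of sectors, each boot-sector infector moves whatever is in sector 0 to a sector it believes is unused and installs a loader there that jumps on to the displaced sector, and the chain of jumps from sector 0 decides whether the machine still boots. The sector numbers, the virus names and the "careful" variant that checks its stash is free are assumptions of the model.

```python
"""Two boot-sector infectors on one disk: a toy model (added example).

Not code from the digest or from any virus. A disk is a list of sectors and
sector 0 is the boot sector. Each infector copies sector 0 to a stash sector
and installs its own loader in sector 0; at boot the loader runs and then
jumps to the stash. Whether the chain ends in real boot code decides
whether the machine boots.
"""
from dataclasses import dataclass


@dataclass
class Sector:
    kind: str        # "os" (real boot code), "loader" (virus) or "free"
    owner: str = ""  # name of the virus that wrote a loader
    next: int = -1   # sector a loader jumps to after running


class Disk:
    def __init__(self, sectors: int = 16):
        self.sectors = [Sector("free") for _ in range(sectors)]
        self.sectors[0] = Sector("os")


def infect_naive(disk: Disk, name: str, stash: int) -> None:
    """Infector that blindly uses a hard-coded 'unused' sector as its stash."""
    disk.sectors[stash] = disk.sectors[0]            # displace current sector 0
    disk.sectors[0] = Sector("loader", owner=name, next=stash)


def infect_careful(disk: Disk, name: str, preferred: int) -> None:
    """Infector that checks its stash really is free before using it."""
    stash = preferred
    while disk.sectors[stash].kind != "free":
        stash += 1                                    # take the next free sector
    infect_naive(disk, name, stash)


def boot(disk: Disk, max_hops: int = 8):
    """Follow the chain of loaders from sector 0.

    Returns (booted, active): `active` lists the viruses that got to run.
    A loop, or a jump into a sector holding no code, means the disk hangs.
    """
    seen, active, here = set(), [], 0
    for _ in range(max_hops):
        if here in seen:
            return False, active                      # loop: machine hangs
        seen.add(here)
        sector = disk.sectors[here]
        if sector.kind == "os":
            return True, active                       # reached real boot code
        if sector.kind != "loader":
            return False, active                      # executing garbage
        active.append(sector.owner)
        here = sector.next
    return False, active


def scenario_distinct_stash():
    """Both viruses pick different stash sectors: both run, machine boots."""
    d = Disk()
    infect_naive(d, "A", stash=7)
    infect_naive(d, "B", stash=11)
    return boot(d)


def scenario_same_stash():
    """Both use the same 'unused' sector: B overwrites the saved original."""
    d = Disk()
    infect_naive(d, "A", stash=7)
    infect_naive(d, "B", stash=7)
    return boot(d)


def scenario_careful_second():
    """The second virus verifies its stash is free, so the chain stays intact."""
    d = Disk()
    infect_naive(d, "A", stash=7)
    infect_careful(d, "B", preferred=7)
    return boot(d)


if __name__ == "__main__":
    for s in (scenario_distinct_stash, scenario_same_stash, scenario_careful_second):
        booted, active = s()
        print("%-26s boots=%-5s active=%s" % (s.__name__, booted, active))
```

In the second scenario both viruses run, in the order they were installed last-first, but the real boot code is gone and the loader chain loops back on itself, which is the "no-longer-bootable disk" outcome; in the third, the extra check keeps the original reachable and both viruses stay resident.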
--------------------

Date:         Wed, 24 Aug 88 09:49:10 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: Virus Immunizer Add
In-Reply-To:  Message of Tue, 23 Aug 88 18:13:04 EDT from <JMARKS@GTRI01>

> ... ANY security scheme can be broken with enough effort.  About the only
>ABSOLUTE security (if there is such a thing) would be physical security of
>the system...
Laugh if you wish, but in this month's MacUser, I saw an ad for something
that locks down over the floppy slot on a Mac SE to keep people from putting
potentially nasty diskettes into it. I suppose if you unplug the modem and
are sure the hard disk is clean, it'll stay clean, but it still gives me
a bit of a chuckle...Rampant paranoia, anyone? I can see some poor sucker
whose boss has started seeing viruses crawling out from under the furniture
getting one and refusing to take it off... :-).

- - Joe M.

--------------------

Date:         Wed, 24 Aug 88 10:04:34 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: Question
In-Reply-To:  Message of Wed, 24 Aug 88 14:04:06 MEZ from <A4422DAE@AWIUNI11>

>What happens if I have a virus (not knowing it), and a second virus comes
>to infect the system, too? Do I get virus wars? Does one kill the other?
>Do both work on my system and kill it? Do both write themselves on new disks?
I can't say anything about PC viruses, but the Mac viruses I know about would
have no trouble with such a situation. The cleanup programs might, though!

- - Joe M.

--------------------

Date:         Wed, 24 Aug 88 08:40:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Shawn V. Hernan" <VALENTIN@PITTVMS>
Subject:      copies

Why am I getting *two* copies of all the virus-l postings?

Shawn Hernan
valentin@pittvms.bitnet

--------------------

Date:         Wed, 24 Aug 88 10:27:54 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Bill MacDonald <O1BILL@AKRONVM>
Subject:      Dup Mail

I have also been receiving the same mail 2 to 3 times.

--------------------

Date:         Wed, 24 Aug 88 10:35:26 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      More administravia (re: duplicate mail)

Heavy sigh!

After much experimentation, I've been able to definitively isolate the
mail duplication gnome to be hiding between here and the
BITNET/ARPANET gateway.  It does, however, appear to have been fixed.
Please let me know if anyone gets a duplicate of *this* particular
message.

For anyone who's interested - I tried sending mail directly from
LEHIIBM1 (where VIRUS-L originates) to my own Internet account on
spot.cc.lehigh.edu.  I found that one message was being sent.  Also,
my own account was only receiving one copy of all VIRUS-L mail.  So,
the duplication was happening somewhere in BITNET.

Next, I received several headers from people receiving duplicate mail
(thank you all!) and saw that the headers were all identical.  More
importantly, though, all of the affected people had similar mail
paths.  One person told me that mail from other sites was not being
duplicated.  Since we're on a small "leg" off of the BITNET, chances
were pretty good that the problem was somewhere there...

Finally, I sent myself mail on my Internet account, but I directed it
through the INTERBIT (INTERNET/BITNET) gateway at CUNY.  I received a
duplicate copy of my own mail.  I *suspect* that it was the CUNYVM
mailer that was doing it, but I could be wrong.  It has been having
other problems lately, I'm told.

When I again tried my loopback test this morning, I got no duplicate
mail, and the mail went through CUNY in a matter of seconds.  I
believe that the problem is fixed.

Once again, I apologize to all who were inconvenienced by this.  I
hope that we've seen the end of it.

Ken


Kenneth R. van Wyk                    Calvin: Lets see what happens if we cook
User Services Senior Consultant               popcorn without a lid!  (POP!)
Lehigh University Computing Center    Calvin: Wow, that's more fun than
Internet: <luken@Spot.CC.Lehigh.EDU>       exploding a potato in the microwave!
BITNET:   <LUKEN@LEHIIBM1>            Hobbes: Lets do some more!

--------------------

Date:         Wed, 24 Aug 88 10:38:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         ZDABADE@VAX1.CC.LEHIGH.EDU
Subject:      RE: Re: Virus Immunizer Add

>
>> ... ANY security scheme can be broken with enough effort.  About the only
>>ABSOLUTE security (if there is such a thing) would be physical security of
>>the system...
>Laugh if you wish, but in this month's MacUser, I saw an ad for something
>that locks down over the floppy slot on a Mac SE to keep people from putting
>potentially nasty diskettes into it. I suppose if you unplug the modem and
>are sure the hard disk is clean, it'll stay clean, but it still gives me
>a bit of a chuckle...Rampant paranoia, anyone? I can see some poor sucker
>whose boss has started seeing viruses crawling out from under the furniture
>getting one and refusing to take it off... :-).>
>
>--- Joe M.

Putting locks on a floppy drive can be sensible in a "big business" type
situation to make sure that unauthorized I/O access is disallowed.  This
security is kind of mirrored in some brands of PCs that have key locks on
their frames that won't allow bootup without being "unlocked" first or
physically can't be opened (without total destruction of the hardware)
without the key.

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
|    From:  David A. Bader, Studentis Maximus                             |
|                                                                         |
|    DAB3@LEHIGH                       SloNet: 1402 Lorain Avenue         |
|    ZDABADE@VAX1.CC.LEHIGH.EDU                Bethlehem, Pa.  18018      |
|    HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                   |
|                                                                         |
|    SchoolNet: Box 914,               -On a mostly harmless              |
|            Lehigh University,         blue green planet...              |
|          Bethlehem, Pa.  18015       -And loving it!                    |
\________________________________________________________________________/

--------------------

Date:         Wed, 24 Aug 88 10:00:30 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Frank San Miguel <ACS1S@UHUPVM1>
Subject:      Re: Openness; Viruses and Software Companies; Insurance
In-Reply-To:  Your message of Tue, 23 Aug 88 21:07:02 EDT

I'd always thought that such a proposition would be a bit preposterous, but
in these times, anything goes.  You've got a good point.

--------------------

Date:         Wed, 24 Aug 88 10:49:15 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Frank San Miguel <ACS1S@UHUPVM1>
Subject:      Re: copies
In-Reply-To:  Your message of Wed, 24 Aug 88 08:40:00 EDT

You too?  In a few cases, I'm getting three or four.

--------------------

Date:         Wed, 24 Aug 88 10:42:37 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Frank San Miguel <ACS1S@UHUPVM1>
Subject:      virus chronology

I'm working on a chronology of computer viruses, from John von Neumann's
conception of them in 1948 to the present.  I would like to hear from anyone
who has any dates, references, or comments concerning this compilation.  All
submissions are greatly appreciated.

Frank San Miguel(acs1s@uhupvm1.bitnet)

--------------------

Date:         Wed, 24 Aug 88 10:52:00 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Gordon Keegan <C145GMK@UTARLG>
Subject:      Re:  More administravia ...

Ken,
        I just got 2 copies of your message on trying to isolate the
        source of the duplicate mailings.  Sorry about posting to the
        list but my mailer won't send directly to you.

                                        Gordon Keegan
                                        c145gmk@utarlg.bitnet
                                        University of Texas, Arlington

<< standard unclaimer >>
(I always was getting my prefixes mixed up...)

--------------------

Date:         Wed, 24 Aug 88 17:39:04 GMT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         DECLAN DELAMERE <DELAMERE@IRLEARN>
Subject:      Re: distribution
In-Reply-To:  Message of Mon, 22 Aug 88 07:54:16 EDT from <OGATA@UMDD>


Ogata et al.:

One gets used to receiving messages completely out of sequence when one
subscribes to trans-atlantic distribution lists from European nodes!!! :-(



D

--------------------

Date:         Wed, 24 Aug 88 12:44:46 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Computer Virus Research Questions

David Slonosky:

> Is the academic based research of computer viruses a big thing
> in the States?  In Canada?  Anywhere?
> By "academic based", I mean is there a specific portion of a
> university computer science department devoted to unravelling the
> code of these things, ...

The group of us that study viruses at Lehigh University are
not a section of the computer science department.  In the
general sense, we have been working in the field as consultants
for a number of years.  Some of our clients include government
bodies.  When such a large security problem as the "virus"
makes itself known, we have to study it in order to come up
with some effective way of combatting it.  It's very important
that we CAN combat it.

David Bader:

> I assume that most of the Lehigh students, graduates, and
> staff members at Lehigh University who subscribe here are
> interested in the Lehigh virus because it was a new curiosity
> for us to explore.

I highly doubt it.  When Chris Bracy, Joe Sieczkowski, Mitch
Ludwig and I ran around Lehigh campus for 48 hours trying
desperately to stop the virus from spreading (it spread at
an incredible rate), we were, as was the Computer Center
Staff, more worried about the danger to research at Lehigh.

Most of the follow up interest in the virus was money or
recognition.  Several people came to Lehigh to find out
about the Lehigh virus so they could make money from anti
virus programs.  Several others became involved because
of the publicity that came out of the virus.

Viruses are a curiosity, but I would rather find a way to
stop the curiosity than play with it.

As for some questions about national security.  We are
prohibited by law from giving out certain viruses.  We are
not allowed to distribute the Lehigh Virus without the
"ok" of the government as I am told.   I spent some time
on the phone quite a while ago with different agencies
and that was the general idea.

Loren

--------------------

Date:         Wed, 24 Aug 88 12:49:34 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Re: Virus Immunizer Add

> When you discuss a package such as the IMMUNIZER for a hundred
> bucks, how can it have as much sophistication and road testing
> as FluShot (for free)???

Well David,

There are quite a few anti-virus programs which sell for 200-400
dollars.  The reason some sell for so much is that they are worth
more.

I believe Ross Greenberg's FluShot is shareware, so I believe he
asks you to send in some sum of money.  I don't recall it being
free.  But even if it is, is it worth trying a package that has
failed so often before?  FS is an interesting package, but it
isn't all that powerful in comparison with some of the packages
on the market.

For a corporate market, often they might want a shell of
some kind to make sure nothing comes through.  There are
packages that have had extensive testing by the NSC I'm
told, there are packages that utilize DER encryption schemes,
which are much better than trying a simple CRC.

I would pay at least 5 times as much for a DER encryption
than for a CRC scheme.  You have to realize that the value
of the product is worth what was put into it.

Loren

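An added example, not from the digest and not any product's code, of the weakness behind Loren's ranking of a keyed scheme above a simple CRC: a CRC-32 is linear, so whoever alters a file can append four computed bytes that restore its original checksum, and a checker that only compares stored CRCs sees nothing. A keyed MAC cannot be repaired without the key; HMAC-SHA256 stands in here for whatever keyed scheme a product would use. The sample file contents and the key are constructed.

```python
"""Why a plain CRC is a weak integrity check (added example, not from the digest).

Given a file protected only by its CRC-32, an attacker who changes the file
can append four chosen bytes that restore the original CRC. A keyed MAC
(HMAC-SHA256 here) cannot be fixed up without the key.
"""
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib uses


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The high byte of every table entry is distinct, so the high byte of a
# register value identifies the table index that produced it.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REV) == 256


def forge_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(data + suffix) == target_crc."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF    # raw CRC register after `data`
    goal = target_crc ^ 0xFFFFFFFF           # raw register we must end in
    # Backward pass: four bytes flush the 32-bit register completely, so the
    # last four table indices are fixed by the goal alone, whatever `state` is.
    idx = [0] * 4
    v = goal
    for i in (3, 2, 1, 0):
        idx[i] = REV[v >> 24]
        v = ((v ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Forward pass: choose each byte so that (register ^ byte) & 0xFF is the
    # index the backward pass demands, then step the register as zlib would.
    suffix = bytearray()
    for i in range(4):
        b = (state & 0xFF) ^ idx[i]
        suffix.append(b)
        state = (state >> 8) ^ TABLE[(state ^ b) & 0xFF]
    return bytes(suffix)


def crc_matches(data: bytes, expected_crc: int) -> bool:
    return zlib.crc32(data) == expected_crc


def mac_matches(data: bytes, key: bytes, expected_mac: bytes) -> bool:
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected_mac)


def demo() -> dict:
    """Tamper with a constructed file and try to pass both kinds of check."""
    original = b"ECHO OFF\r\nPATH C:\\DOS\r\n"              # constructed AUTOEXEC.BAT
    key = b"constructed-example-key"                       # constructed MAC key
    stored_crc = zlib.crc32(original)
    stored_mac = hmac.new(key, original, hashlib.sha256).digest()

    tampered = original + b"C:\\DOS\\DROPPER.COM\r\nREM "   # attacker's extra line
    forged = tampered + forge_suffix(tampered, stored_crc)  # 4 fix-up bytes

    return {
        "crc_fooled": crc_matches(forged, stored_crc),      # True
        "mac_fooled": mac_matches(forged, key, stored_mac), # False
        "suffix": forged[-4:],
    }


if __name__ == "__main__":
    print(demo())
```

The four fix-up bytes are arbitrary binary, which is why the constructed file ends in a `REM ` line: they land inside a comment and the batch file still runs. The point is not the particular algorithm but that a virus which knows the checker uses a CRC can carry this fix-up with it, so a CRC-based detector only catches viruses that were not written with that detector in mind.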
--------------------

Date:         Wed, 24 Aug 88 12:54:16 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Dueling Viruses

Konrad,

You raised a very interesting question with two viruses
on the same machine.  Several people, I believe, have already
answered the question, but I'd like to point out that the
game Corewars is an example of what you are talking about
in some ways.

For anyone who hasn't played the game Corewars, or seen
its write-up a few years back in Scientific American, the
idea is to write assembly-like programs which look for
other programs and destroy them.  People can have programs
duel and destroy each other.  It's a very interesting and
challenging game to come up with the perfect program.

Loren Keim

--------------------

Date:         Wed, 24 Aug 88 13:00:31 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Accidentally Releasing Viruses

> As it stands, sending you viruses HAS to be a weak link
> in security because I doubt that most of the places sending
> you have even met you in person.

If you are so worried about me leaking viruses, please keep
your distance.

In point of fact, as I said just two days ago, it is unwise
to send viruses around.  I said that I didn't appreciate the
one virus I received in a brown wrapper with no letter and
no disk label.  This annoyed me.  I didn't say "Send me all
your viruses".  Please look at the context of my letters
before you criticize.  (I'm taking complaints on my replies
to you!)

If you don't trust me to handle viruses, that is just fine
and isn't the point.  I have been called upon to handle
viruses in the past, and I was called by one person today
who had a problem and I will continue to deal with these
viruses.

I understand the security risks associated with giving out
viruses, that is why people generally send viruses to Fred
Cohen or Chris Bracy or me or someone who has dealt with
virus problems in the past.

Loren

--------------------

Date:         Wed, 24 Aug 88 11:44:51 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "James N.Bradley" <ACSH@UHUPVM1>
Subject:      Re: More administravia (re: duplicate mail)
In-Reply-To:  Your message of Wed, 24 Aug 88 10:35:26 EDT

I got two copies.

Jim Bradley

--------------------

Date:         Wed, 24 Aug 88 13:28:10 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      update on mail duplication woes... :-(

Well, it turns out that I jumped the gun a bit when I said that all was
fixed.  But, then, that's quite apparent by now...  It also turns out that
several lists are experiencing the same problem right now (according to a
LISTSERV group of list maintainers), and no one really knows what the cause
is.  That doesn't explain why some of my personal mail has been getting
duplicated, however...

So, until the problem gets fixed (it's quite out of my hands I'm afraid),
lets please just try to bear with it.  Discussing it on the list only adds
insult to injury.

Thanks again to everyone who's been sending me headers and additional
info!

Ken


Kenneth R. van Wyk                    Mom:    *RISE AND SHINE, CALVIN!*
User Services Senior Consultant       Calvin: Mbbgglkjsfdfy!
Lehigh University Computing Center    Mom:    The early bird catches the worm!
Internet: <luken@Spot.CC.Lehigh.EDU>  Calvin: Great incentive!
BITNET:   <LUKEN@LEHIIBM1>

--------------------

Date:         Wed, 24 Aug 88 14:06:52 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Otto Stolz +49 7531 88 2645 <RZOTTO@DKNKURZ1>
Subject:      NETiquette

Hello everybody,

Of all the lists I've subscribed to, VIRUS-L delivers by far the most
messages per day, and it takes considerable time to keep pace.
Please help make browsing through all this mail a bit easier and
faster.

1. Please discuss technical matters, such as distribution problems, privately
   with the list owner -- Ken Van Wyk <LUKEN at LEHIIBM1> and perhaps
   Jim Eshleman <LUJCE at LEHIIBM1>, in this case -- and do NOT bother
   every subscriber with it.  When Ken needs evidence from other
   subscribers, he will certainly tell us so (that makes one note instead
   of a dozen).

2. Please use the subject field sensibly.  When you report/discuss
   details pertaining to a specific brand of hardware or software,
   please indicate so in the Subject field.  In many cases, I could
   figure out this indispensable bit of information only with difficulty,
   or not at all.

   You could do it e.g. in this way:
   > Subject:   Super-duper Virus Killer available (MS-DOS)
   So all Mac users could discard this one immediately.
   (I'd especially appreciate it if this scheme worked the other way :-)

Please keep discussion on this (technical) suggestion at a minimum, and
no flames, please.

Thanks!
         Otto Stolz

--------------------

Date:         Wed, 24 Aug 88 13:42:34 CST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         James Ford <JFORD1@UA1VM>
Subject:      Hard Disks

     I have questions (gee..what a surprise!)  If you formatted your hard
disk into several partitions, and had one partition just for COMMAND.COM,
IBMBIOS.COM, IBMDOS.COM, CONFIG.SYS, etc...., how effective would that be
in slowing down the spread of virii?  If you ran MIRROR (or something similar)
for your extended DOS partition (which is logical drive "D" now), how effective
would this be for restoring any data that was destroyed?

     If you ran MAPMEM (which shows hooked vectors), could you see what vectors
a virus might have hooked for itself?  Could you then free up that portion by
using RELEASE on it?  (assuming you ran MARK first.....)

Ken,
    I am still receiving 2 of every file....however, the time interval has
increased from seconds to around 35 minutes between each file.

James Ford                      Suggestive maintenance:
JFORD1@UA1VM                    "Gee, I wish it would work...."

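An added example, not from the original post and not the code of MAPMEM, MARK or RELEASE, of the comparison James asks about: two 1024-byte snapshots of the real-mode interrupt vector table are parsed, the vectors whose targets changed are listed, and a new target that lies in conventional RAM above the software you know to be resident is flagged the way a MAPMEM-style tool would. Both snapshots, every address in them and the `resident_top` threshold are constructed.

```python
"""Diffing two interrupt-vector-table snapshots (added example).

Real-mode DOS keeps its 256 interrupt vectors at linear address 0, each
stored as a little-endian 16-bit offset followed by a 16-bit segment. A
resident virus hooks INT 13h (BIOS disk) or INT 21h (DOS) by re-pointing
the vector at its own memory, which usually sits at the top of
conventional RAM. Comparing a snapshot taken after a clean boot with a
later one shows which vectors moved and where they now go. Everything
below (both snapshots, the addresses, the threshold) is constructed.
"""
import struct

IVT_SIZE = 256 * 4          # 256 vectors of 4 bytes each
CONVENTIONAL_TOP = 0xA0000  # linear address where conventional RAM ends


def parse_ivt(blob: bytes) -> list:
    """Return a list of 256 (segment, offset) pairs from a raw IVT dump."""
    if len(blob) != IVT_SIZE:
        raise ValueError("IVT snapshot must be exactly %d bytes" % IVT_SIZE)
    vectors = []
    for n in range(256):
        offset, segment = struct.unpack_from("<HH", blob, 4 * n)
        vectors.append((segment, offset))
    return vectors


def linear(segment: int, offset: int) -> int:
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((segment << 4) + offset) & 0xFFFFF


def hooked_vectors(before: bytes, after: bytes, resident_top: int) -> list:
    """List the vectors whose target differs between the two snapshots.

    `resident_top` is the highest linear address occupied by software you
    know to be resident (DOS, its buffers, your own TSRs). A changed vector
    that now points above it but still inside conventional RAM is flagged
    as suspicious; ROM BIOS targets (F000:xxxx) are not.
    """
    report = []
    for n, (old, new) in enumerate(zip(parse_ivt(before), parse_ivt(after))):
        if old == new:
            continue
        target = linear(*new)
        report.append({
            "int": n,
            "old": "%04X:%04X" % old,
            "new": "%04X:%04X" % new,
            "suspicious": resident_top < target < CONVENTIONAL_TOP,
        })
    return report


def build_ivt(entries: dict) -> bytes:
    """Constructed snapshot: every vector zero except {int: (segment, offset)}."""
    table = bytearray(IVT_SIZE)
    for n, (segment, offset) in entries.items():
        struct.pack_into("<HH", table, 4 * n, offset, segment)
    return bytes(table)


def demo() -> list:
    """Clean boot versus a later snapshot with a resident infector at 9F00h."""
    clean = build_ivt({
        0x08: (0xF000, 0xFEA5),   # timer tick, BIOS
        0x13: (0xF000, 0xEC59),   # disk services, BIOS
        0x1C: (0xF000, 0xFF53),   # user timer hook, BIOS default
        0x21: (0x0116, 0x109E),   # DOS services
    })
    later = build_ivt({
        0x08: (0xF000, 0xFEA5),   # untouched
        0x13: (0x9F00, 0x0000),   # re-pointed into memory above resident_top
        0x1C: (0x1A20, 0x0005),   # a legitimate TSR loaded below resident_top
        0x21: (0x9F00, 0x0120),   # re-pointed into the same region as INT 13h
    })
    return hooked_vectors(clean, later, resident_top=0x9E000)


if __name__ == "__main__":
    for entry in demo():
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print("INT %02Xh %s -> %s  %s" % (entry["int"], entry["old"], entry["new"], flag))
```

Two caveats on the second half of the question. A virus that patches the body of an existing handler instead of re-pointing the vector does not show up in a diff like this. And releasing the memory a hooked vector points into (RELEASE after MARK) without first restoring the vector leaves it dangling, so the next disk or DOS call executes whatever the freed memory now holds; restore the vectors from the clean snapshot first, then release.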
--------------------

Date:         Wed, 24 Aug 88 13:31:20 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Controlled Study of Viruses
In-Reply-To:  Message from "Loren K Keim -- Lehigh University" of Aug 23,
              88 at 7:58 pm

>> Living in the same city as you, it scares me, and the rest
>> of the computer vicinity, that these viruses are being so
>> uncarefully handled.
>
>I am very offended.  We take the utmost care in isolating
>...(material deleted)
>
>Please forgive the rather angry tone, I don't like being
>accused of viral propagation... at least not after all the
>work I have gone through to make certain nothing propagates.
>
>Loren
>

Do not be offended, I also wondered how I could become government
approved in order to receive copies of these viruses.  Who is in
charge?  Why?  If you want to hold these viruses close to your chest,
then just say so.  I have no problem with that.  However do not imply
that there is some sort of agency that you are connected with that
checks up to see who is worthy.  There is no such agency.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Wed, 24 Aug 88 15:34:39 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Frank San Miguel <ACS1S@UHUPVM1>
Subject:      Re: Openness; Viruses and Software Companies; Insurance
In-Reply-To:  Your message of Tue, 23 Aug 88 21:07:02 EDT

Don't know if you heard this one, but here is something that sounds like what
you were saying.  Softguard Corp. was caught distributing a virus called SUG.
SUG was advertised as a copy-protection breaker of Softguard products.
Instead, the program scrambled FATs in an IBM; from drive A to the highest
drive.  Softguard claimed that since users trying out the program were
breaking a licensing agreement, the company had the right to destroy data.
Softguard's going to court.

Frank San Miguel(acs1s@uhupvm1)

--------------------

Date:         Wed, 24 Aug 88 17:14:48 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         James Mathiesen <JIM@BROWNVM>
Subject:      a new virus:

I got this off the Macintosh distribution list and know nothing else
about it -- but I am curious if anybody here has heard of it or has
any additional info.

- ---

- ---forwarded msg-----

From:    C20254 @ UK.AC.PLYMOUTH.PRIME-B
Date:   11-JUL-1988 20:52
Subj:    Macintosh Infection at Seale-Hayne College

>From : Joe Evison
       Micro Support
       Computing Service
       Plymouth Polytechnic

Phone : (0752) 221312 Exn. 5441
Email : C20254@UK.AC.PLYM.B

I have been asked to forward the following article on to you, in the hope that
someone may be able to offer advice and/or assistance.  The report concerns a
recent outbreak of a Macintosh virus at Seale-Hayne College.  We have been in
touch with the local Apple Centre in Bristol, who in turn have contacted Apple
UK's technical people, and it would appear that this particular virus is
unknown to them.  If anyone does have any information regarding this virus,
could they mail either myself or Adrian Vranch at Seale-Hayne - his address is
given in the report.

Thank you,

Joe Evison

 -----------------------------------------------------------------------------

Macintosh Infection at Seale-Hayne College

Tsunami Virus

Dr Adrian T Vranch
Head of Computer Unit
Seale-Hayne College, Newton Abbot, Devon  TQ12 6NQ.  England

Tel: 0626 52323 ext 271

Email : P30414@UK.AC.PLYM.A

8th July 1988

Introduction

The following notes describe the recent events leading up to the discovery
of what appears to be a "virus" of some form which is present in the
Macintosh Plus computers in use at Seale-Hayne College.  This virus was
discovered completely by accident on Wednesday 29th June 1988 and
appears to have been present, but undetected, for at least six months prior
to that date on a Macintosh network running under MacServe.  This
network has been accessed by over 150 staff and student users in that
time.  These notes are intended to help all Macintosh users by providing
information about this virus in terms of:

         how users can determine if it is present

         what effects it appears to have

         how to get rid of it.

Discovery of the Virus - The Story So Far

The first clue to the presence of the virus came as a complete accident
while using Apple File Exchange on a Mac Plus with external 20 Mbyte
hard disk.  Along with the Desktop file ( which is normally invisible ),
System File and other files shown in the scroll window was a new, invisible
file called Bostb be Evill.  At the time I thought that this was rather
strange but did nothing whatsoever on that day. Due to the unfriendly ring
to the name of this file, my suspicions were aroused and the next day I ran
the Ferret v1.0 program to check for Scores Virus.  Vaccine had been
installed and running for two weeks on this system.  Ferret identified two
files that were infected on the hard disk system:

         the main System file in the System Folder

and      a second System file ( used to create MacServe floppies ) in
         another folder called MacServe Folder.

No changes to the Scrapbook or Note Pad icons had taken place, as
discussed in the Scores Virus article by Howard Upchurch.  However,
following the advice in Howard's notes I checked for additional INIT
resources in the infected System files using ResEdit.  Sure enough, both
contained an extra INIT with i.d. of 6

        "LoadAT" ID=6

Howard suggests in his notes that INIT resources with i.d. of 6, 10 or 17 in
a System file show that the file is infected.  No extra Desktop file was found
in the System Folder as described by Howard Upchurch in his notes
relating to Scores Virus.

Using the Repair option in Ferret, at the stage where infection was
identified in the message box, removed the INIT resource with i.d. of 6.
Subsequent runs of Ferret gave a clean bill of health for the whole disk,
including these two System files.  I later established that deleting the INIT
i.d. of 6 resources using ResEdit would also remove "infection" as detected by
Ferret.

At this stage I deleted the Bostb be Evill file using ResEdit.  I have never
seen this file on any Macintosh since.

My attention turned next to the College network of five Macintosh Plus
computers sharing a 20 Mbyte hard disk and two Imagewriters.  Since the
MacServe System file on the separate Macintosh Plus had been infected I
thought it likely that the System files on the network hard disk would be
similarly infected.  This proved to be true, again with the same INIT
resource with i.d. of 6, again in the main System file and in the System file
in the MacServe volume containing a System Folder for creating MacServe
floppies for users.

The infection dates given by Ferret were particularly interesting:

        main System file - Wed 29th June 1988 at 21:15

        MacServe folder System file - Fri Dec 18th 1987 09:30.

Assuming that these dates are correct, this shows that the virus had been
present on this shared hard disk for at least six months, but had only
transferred to the main System file itself the day before.  As far as
verifying the time is concerned, it is possible that someone was using the
network at 21:15 hours, as the room was open to users then.  It is certain
that the network was running at that time.

At this stage, no files similar to the Bostb be Evill file were found on the
MacServe network hard disk.

The infection date of December 18th for the System file used to create
MacServe floppies suggested that all such floppies created after that date
would also be infected.  On checking, I found that all MacServe floppies
have an infected System file with the added "LoadAT" INIT resource, i.d. of
6.  All users of these floppies have been notified of the problem.

It would appear that the virus was first introduced to the MacServe
network and that it was transferred in the MacServe folder copied to the
separate Macintosh Plus with hard disk.  From the MacServe folder on this
separate Mac, the infection then spread to the main System file in this
computer.  The date when the Bostb be Evill file appeared is not known
but I believe that this file appeared after the MacServe System file with
the INIT resource "LoadAT" i.d.6  had been copied to the separate
Macintosh and this belief is based on what happened next with the
MacServe network system.

On returning to the MacServe network and switching on to run Ferret again,
no virus was found on the disk.  However, ResEdit showed the existence of
a new invisible file with a four character name of box symbols.  The system
was switched off then restarted the following day.  Again, Ferret detected
no virus but a further two invisible files had been added to the desktop
and were shown using ResEdit.  One had the same four character name of
boxes and the other was called Tsunami.  Apparently, this is the name of a
Japanese tidal wave which starts in a small way and grows rapidly to
engulf everything in its path - again not a very friendly name for an
invisible file on disk !

I assumed that these three files were similar to the original Bostb be
Evill file found on the other Macintosh but rather than delete them, I
decided to use ResEdit to investigate.  The results were very interesting:

         all three files had no apparent type or creator

         all three were locked, invisible, Bozo and File Protect selected

         all three had the same resource fork size of 286 bytes

         all three had the same data fork size of 512 bytes.

Furthermore, all three showed a blank window when opened from the first
ResEdit window.  In other words, although they contained data and
resources, ResEdit could not show them up.

Effects of the Infection

At first, it appeared that there were no specific problems caused by the
infection.  Examination of application CODE resources as described in the
Scores Virus notes did not show any evidence of the added codes with i.d.
numbers two greater than the next value, as described by Howard
Upchurch.

However, it has now become clear that this infection does appear to cause
problems and several examples which may be caused by the virus are
worth a mention:

Macintosh Network Problems

 The MacServe system Imagewriter file became corrupted such that the
Chooser could not see it as a printer option.  Examination using ResEdit
showed that the file had been significantly reduced in size ( Resource fork
3336 bytes ) compared with an uncorrupted file ( Resource fork 40246
bytes ).

 MacPaint document icons on MacServe volumes sometimes appeared as
generic (i.e. blank) document icons, although this was only seen on a few
occasions.

Problems with the Separate Macintosh Plus System

After "deleting" the Bostb be Evill file on the separate Macintosh Plus,
many problems began to happen on that system:

 The System Bomb, ID 2 message appeared very frequently when opening
a variety of applications.  Previously, this has happened only rarely.

 During a session using MacWrite v5.0, part of the ruler would suddenly
be corrupted, for example, the black background of the icon for "centre
justified text" selected would suddenly be displaced a few millimetres to
the left of the rest of the icon.

 When printing from MacWrite v5.0, the whole system would crash
completely and the screen would be reduced to a white background with
thin vertical lines.

 The MacWrite application itself became corrupted, such that attempting
to open a MacWrite document caused the Finder to display a message that
the Application was damaged.  Examination with ResEdit caused an "Error
opening a resource file" message [39] to appear.

 Running Ferret on this obviously sick Mac produced a clean bill of health,
indicating that Ferret is perhaps limiting its examination to INIT resources
with suspicious i.d. numbers.

 The System Folder on the separate Macintosh Plus was completely
replaced two days ago and no problems were experienced in using that
computer until yesterday.  While using MacTerminal to receive E-MAIL
and to send a copy of this document to Plymouth Polytechnic, I found that
using the "Save As" option my filename was corrupted to four box symbol
characters.  I could not change these characters.  The document appeared
to be saved intact with this unwanted filename.  This MacTerminal
document is certainly corrupted but is it infected as well ?

Removing the Infection

 Do not rely on Ferret or Vaccine to protect your files. They may not be
able to detect all infections or corruptions.

 Do not assume that only System files can become infected.

 Do not assume that Applications files cannot be infected. They can
certainly be corrupted.

 Do not assume that Document files cannot be infected. They can certainly
be corrupted.

 To remove infection with confidence, replace ALL files on an infected
disk with copies from uninfected backup floppies, with the
write-protect tab open.  In other words, start again completely and do
not assume any file is safe from infection.

The Current Situation at Seale-Hayne College

 The MacServe network hard disk and Macintosh server have now been
isolated from the network itself.  The additional invisible files, including
Tsunami, have not been deleted and, as yet, have not been joined by any
more colleagues.

 The MacServe volume on the network hard disk has been supplied with a
System file which still contained the "LoadAT" INIT resource with i.d. of 6.
This has been done as an experiment to see if this INIT resource transfers
itself to the main System file on that hard disk.  This system will be
monitored closely for the next week or so.

 A virus-free Macintosh Plus with 20 Mbyte hard disk is now being
installed in the Computer Unit, from which new systems will be issued.  All
Macintosh hard disks in College will be erased completely and fresh files
re-installed from uninfected floppies.

 A new College policy is being introduced to minimise the risk of
introducing or spreading any type of virus infection to College computers
by screening all disks before they are allowed to be used.  This will apply
to IBM PCs and compatibles as well as Macintoshes and will be strictly
enforced with no exceptions in terms of staff or student users.

Conclusions

I hope that the account of how I have approached my investigation into
this infection is of help to other Macintosh users.  Clearly, there may be
many types of virus infecting our software and the details of how to find
out if they are present or what they do may also vary.  Nevertheless, by
using a combination of ResEdit and Ferret and other products, it is possible
to uncover infection.  By replacing all files on an infected disk and by a
sensible approach to keeping backups, it should be possible to get rid of
this problem so that we can all get back to a normal working situation.

***

These notes are intended for the widest circulation possible to Macintosh
users.  Please make as many copies as you wish and circulate them freely,
on the one condition that the contents of this document may only be copied
in full, with no additions or deletions.

***

If you wish, please feel free to contact me, using my postal address or
telephone number or E-MAIL address given at the beginning of this
document.  I am very keen to contact anyone who can help me overcome
the problems caused by this sort of infection.

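The detection heuristic the Seale-Hayne report relies on (an INIT resource with i.d. 6, 10 or 17 in a System file) and the repair it describes (deleting that INIT with ResEdit) can be reproduced against a resource fork directly. The following is an added example written for this page; it is not part of the digest, the forwarded report, or any Ferret or ResEdit code. It parses the documented classic Mac OS resource-fork layout (header, data section, resource map with type list, reference lists and name list), flags INITs with suspect IDs, and rebuilds the fork without them. The sample fork, its payload bytes and every resource name other than "LoadAT" are constructed for the example. As the report itself found, a clean result from an ID-based check says nothing about corrupted applications or about invisible files that ResEdit cannot display, so this scan shares Ferret's limits.

```python
"""Flag and strip INIT resources with suspect IDs from a classic Mac OS
resource fork. Layout follows the documented resource-fork format; the
sample fork below is constructed for this example."""
import struct

# INIT IDs that the Seale-Hayne report (citing Howard Upchurch's Scores
# notes) treats as markers of an infected System file.
SUSPECT_INIT_IDS = {6, 10, 17}


def build_resource_fork(resources):
    """Assemble a minimal resource fork from (type, id, name, payload) tuples.
    Assumes at least one resource, since the map stores type count minus one."""
    data_sec, data_offsets = bytearray(), []
    for _, _, _, payload in resources:
        data_offsets.append(len(data_sec))
        data_sec += struct.pack(">I", len(payload)) + payload   # length-prefixed data

    names, name_offsets = bytearray(), []
    for _, _, name, _ in resources:
        if name is None:
            name_offsets.append(0xFFFF)                          # 0xFFFF = unnamed
        else:
            name_offsets.append(len(names))
            enc = name.encode("mac_roman")
            names += bytes([len(enc)]) + enc                     # Pascal string

    by_type = {}
    for idx, (rtype, _, _, _) in enumerate(resources):
        by_type.setdefault(rtype, []).append(idx)

    type_list = bytearray(struct.pack(">H", len(by_type) - 1))
    ref_lists = bytearray()
    ref_base = 2 + 8 * len(by_type)          # reference lists follow the type entries
    for rtype, idxs in by_type.items():
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"),
                                 len(idxs) - 1, ref_base + len(ref_lists))
        for idx in idxs:
            # id, name offset, attrs byte (0) + 3-byte data offset, then a 4-byte handle
            ref_lists += struct.pack(">hHI", resources[idx][1], name_offsets[idx],
                                     data_offsets[idx]) + bytes(4)

    type_list_off = 28                       # map header: 16 reserved + handle + refnum + attrs + 2 offsets
    name_list_off = type_list_off + len(type_list) + len(ref_lists)
    map_sec = bytes(24) + struct.pack(">HH", type_list_off, name_list_off) \
        + type_list + ref_lists + names
    data_off = 256                           # 16-byte header plus reserved area
    map_off = data_off + len(data_sec)
    header = struct.pack(">IIII", data_off, map_off, len(data_sec), len(map_sec))
    return header + bytes(data_off - 16) + bytes(data_sec) + map_sec


def parse_resource_fork(fork):
    """Walk the resource map; return (type, id, name, attrs, payload) tuples."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    type_list_off, name_list_off = struct.unpack(">HH", fork[map_off + 24:map_off + 28])
    type_list, name_list = map_off + type_list_off, map_off + name_list_off
    num_types = struct.unpack(">H", fork[type_list:type_list + 2])[0] + 1
    found = []
    for i in range(num_types):
        entry = type_list + 2 + 8 * i
        rtype, count_m1, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        for j in range(count_m1 + 1):
            ref = type_list + ref_off + 12 * j
            rid, name_off, attrs_off = struct.unpack(">hHI", fork[ref:ref + 8])
            attrs, doff = attrs_off >> 24, attrs_off & 0xFFFFFF
            name = None
            if name_off != 0xFFFF:
                nlen = fork[name_list + name_off]
                start = name_list + name_off + 1
                name = fork[start:start + nlen].decode("mac_roman")
            dlen = struct.unpack(">I", fork[data_off + doff:data_off + doff + 4])[0]
            payload = fork[data_off + doff + 4:data_off + doff + 4 + dlen]
            found.append((rtype.decode("mac_roman"), rid, name, attrs, payload))
    return found


def suspicious_inits(fork):
    """(id, name) for every INIT whose ID is on the suspect list."""
    return [(rid, name) for rtype, rid, name, _, _ in parse_resource_fork(fork)
            if rtype == "INIT" and rid in SUSPECT_INIT_IDS]


def strip_suspect_inits(fork):
    """Rebuild the fork without suspect INITs, as the report did with ResEdit."""
    kept = [(t, i, n, p) for t, i, n, _, p in parse_resource_fork(fork)
            if not (t == "INIT" and i in SUSPECT_INIT_IDS)]
    return build_resource_fork(kept)


# Constructed sample: a System-like fork carrying the "LoadAT" INIT ID=6 named
# in the report plus two benign placeholder resources (names and bytes invented).
SAMPLE_FORK = build_resource_fork([
    ("INIT", 6, "LoadAT", b"\x4e\x75" * 8),
    ("INIT", 31, "PlaceholderInit", b"\x4e\x75"),
    ("FOND", 0, None, b"\x00" * 12),
])

if __name__ == "__main__":
    print("suspect INITs:", suspicious_inits(SAMPLE_FORK))
    print("after repair:", suspicious_inits(strip_suspect_inits(SAMPLE_FORK)))
```

On a real disk the input would be the System file's resource fork; the scan only reads the map and leaves the data fork alone, while the rebuild drops every resource with a suspect INIT ID and keeps the rest in their original order.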
--------------------

*** end of Virus-L issue ***
