Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA26033; Tue, 12 Jun 90 07:30:45 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA13226; Tue, 12 Jun 90 07:30:39 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04555; Tue, 12 Jun 90 07:30:03 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa11391; 12 Jun 90 11:51 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:11:52 BST 
Message-Id:   <$TGVTCZHTCBXB at UMPA>
Subject:      Virus-L vol 0 issue #0830



Virus-L Digest Tue, 30 Aug 88, Volume 0 : Issue #0830

Today's Topics

Replies to Virus-L Comments
conference queries
Re: The Adolescence of P1
Re: conference queries
** no subject, date = Tue, 30 Aug 88 11:29:42 EDT
Virus Arguements Hit Home
CRC vs. encryption schemes
** no subject, date = Tue, 30 Aug 88 08:10:42 CDT
A few questions
Who's Sponsoring What
Re: Outline of Worm Pgms Paper in CACM
Virus Conference Concerns Update
Re: Outline of Worm Pgms Paper in CACM
Re: Virus Arguements Hit Home
Re: Outline of Worm Pgms Paper in CACM
Assurance
Re: CRC vs. encryption schemes
RE: CRC vs. encryption schemes
Loren's virus conference
conference
Re: AT configuration
Flushot trojan horse

------------------------------

Date:         Tue, 30 Aug 88 00:45:18 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Replies to Virus-L Comments

Bernd, I have not heard of the specific incident you cited  about  a  virus
attacking  a hospital, but have heard of at least 6 more incidents. None of
the incidents were very dangerous to patients, but were apparently  written
to  attack  a  specific hospital system. I think it takes a very sick human
being to attack such systems.

Jeff, Surprisingly, you  are  the  very  first  person  to  ask  about  the
integrity of the individual vs the company. I agree with you, there is very
little I can do here to prove that I am being honest and won't run off with
your money. I will provide receipts to people along with hotel names and so
on (I had already planned on this, and even picked up a receipt book!), and
you should write in the Memo section of your check (most checks have these)
that  it is a registration fee for a virus conference, include a letter and
keep a xeroxed copy of it. If you are really worried, then mail yourself  a
xeroxed  copy of the letter the same day you send me a check and don't open
the letter. Incidentally, an individual is much easier to sue than a company.
A company can just dissolve or declare bankruptcy. You can put a lien on  my
property  (THAT  IS NOT A SUGGESTION!). And you will get a cancelled check,
which is evidence itself.

NSC: When I speak of the NSC (which  individuals  have  talked  to  me  and
identified  themselves as being from this organization), I ASSUME it is the
National Security Council (Is that last word Council?) under Pres.  Reagan.
I  am  in  NO  WAY  certain  this  is  who I talked to. When I refer to the
National Computer Security Center, I am referring to an entirely  different
group.

DES: I MEANT DES, not DER... I make that mistake often.

William H. Murray: Thank you, you pointed out a few things that I missed. I
neglected to say anything about sterilizing  viruses  before  sending  them
anywhere. It's common practice, so it was something I overlooked.

Bob and others: Wasn't Miami U telling us several months back that they had
been hit by a virus which attacked Word Perfect? (Who has  a  problem  with
Word Perfect? It's a good and inexpensive word processor!)

Thank you, Loren K Keim

--------------------

Date:         Tue, 30 Aug 88 03:38:07 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      conference queries

Loren:
The check to a P.O. box is definitely out of the question, unless you
could provide a name of a reputable sponsor of the conference I could
contact.  Who is sponsoring the conference?

I am also curious as to whether there will be profits, and if so, what
will become of them.  Obviously, you can't give a definite answer as to
whether the fifty dollars apiece will be too much or too little at this
stage.  Have you had any experience organizing conferences?

I would like to know what your status is at Lehigh, and to what extent
Lehigh University is involved.  Also, how many people have sent checks?

Perhaps with this information, I would consider attending.

- Jeff Ogata

--------------------

Date:         Tue, 30 Aug 88 03:53:40 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU>
Subject:      Re: The Adolescence of P1
In-Reply-To:  Your message of Mon, 29 Aug 88 13:23:45 CDT

I read that book when it first came out. While the virus stuff is reasonably
accurate (the AI part is junk), my impression of the book was that it was
badly written and not immensely gripping. Still, it has been ten years or so,
so I could be wrong...

/a

--------------------

Date:         Tue, 30 Aug 88 07:56:03 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: conference queries
In-Reply-To:  Your message of Tue, 30 Aug 88 03:38:07 EDT

> Who is sponsoring the conference?

Loren is.

> I would like to know what your status is at Lehigh, and to what extent
> Lehigh University is involved.

Loren is an undergraduate student here at Lehigh, in good academic
standing I believe.  Lehigh University, to the best of my knowledge,
is not involved in the conference in any way.  At least the Computing
Center certainly is not.

Ken

Kenneth R. van Wyk                   Calvin: Where do we keep the chainsaws?
User Services Senior Consultant      Mom:    We don't have any!
Lehigh University Computing Center   Calvin: None?!  Mom: None at all!
Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Then how am I supposed to learn
BITNET:   <LUKEN@LEHIIBM1>                   how to juggle?!

--------------------

Date:         Tue, 30 Aug 88 11:29:42 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         OJA@NCCIBM1

Re: Interest in THE ADOLESCENCE OF P1 /Book Search

A local used bookstore in my area has a number of slightly used copies
of the book. If anyone is interested in obtaining a copy, please
contact me by postal mail or telephone to work out arrangements.

In general, I believe that the best bet for finding this book will be
the used bookstores. Look under Science Fiction.

J.D. Abolins
301 N. Harrison Str., #197 (mail only)
Princeton, NJ 08540
(609) 292-7023

If anyone has trouble finding John Brunner's SHOCKWAVE RIDER, I believe
I have seen it in the used bookstores as well. Thank you.

--------------------

Date:         Tue, 30 Aug 88 11:39:49 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David A. Bader" <DAB3@LEHIGH>
Subject:      Virus Arguements Hit Home

Yesterday, I was calling up this area's local BBS's, when to my
surprise, I found a feud going on.  One BBS sysop claims that a second
sysop is responsible for a virus that he somehow got.  Since FluShot
gave the receiving sysop an error message (which probably is common,
but he doesn't realize that) he feels that the virus can be traced to
the host sysop's BBS and therefore is seeking damages.. The host sysop
claims that if he is being accused and wrongly slandered that he would
consult legal authorities at his business.  I am not sure if all the
details here are 100% accurate, but I can upload a copy of the messages
in the feud here if some people are interested.

David A. Bader
DAB3@LEHIGH

--------------------

Date:         Tue, 30 Aug 88 17:20:49 +0300
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Y. Radai" <RADAI1@HBUNOS>
Subject:      CRC vs. encryption schemes

  A few comments on Jerry Leichter's reply to my question/challenge:

>It may very well be that, given a program P and its CRC C, with an unknown
>polynomial, I can find another program P' with the same CRC.  Note that this
>is a MUCH weaker condition than saying that I can determine the polynomial.

Agreed.  I never assumed that one had to determine the polynomial in order to
forge a CRC.  However, it's not enough to say that "it *may* be that ...".  If
you can't demonstrate a *method* for doing this in general, you won't convince
many people.  So for sake of argument, I shall assume you have in mind
something like the method described by Woody Weaver in his May 17 contribution to
VIRUS-L.  If so, where do you get the set of polynomials gi(x) from?  It would
clearly be impractical to take it to be all possible polynomials (even assuming
you know the size of the generator).  So do you simply choose (say) 100
polynomials at random, apply Woody's procedure, and hope for the best?  That would
take a lot of computation time, which would certainly be noticed.  And even if
it isn't, if the probability of succeeding isn't sufficiently large, the CRC
checker will sometimes notice your attempted forge, tipping off the community
to the existence of a virus.  Can you supply any assurance that this probability
will be large?  And if you are thinking of some quite different method of
forging the CRC, could you please explain it?

>                  you CANNOT choose any old "random" polynomial - you have to
>choose one from an appropriate class.

For reasons mentioned above, I think your words "CANNOT" and "have to" are a
bit too strong.  Anyway, I presume you're referring to a restriction on the set
of polynomials (from which the generator is randomly chosen) to the subset of
*irreducible* polynomials.  The reason I didn't mention this in yesterday's
message was that I considered this to be a relatively minor matter compared to
the distinction between a fixed generator and a personal/random generator.
(Recall that the requirement which you quoted was described by me as the *first*
requirement, not the *only* requirement.)
  Since I may have misunderstood something and this might be a more important
point than I thought, it should be mentioned that a CRC checker (the same
program which I mentioned in my message yesterday) has been written which
makes a random choice among almost 70 million irreducible polynomials.  Do you
think anyone can forge a checksum on that basis?  This program is based
essentially on Prof. Michael Rabin's "fingerprint" algorithm, and as you yourself
admitted in your contribution of May 9, that makes it cryptographically strong
despite the fact that it is CRC-based.

  Perhaps I could rest my case here, but there are a couple of additional
details:

>                              Note that to get reasonable security, you need
>a moderately large polynomial, so your software implementation may not be as
>fast as you thought it would be.

The above program uses a 31-bit generator and is at least as fast as any other
checksum program I have tried (except for FluShot+, which probably uses something
more primitive than CRC; in any case it doesn't satisfy my "first" requirement).

>                                                  Using CRC, you can NEVER
>publish lists of checksums.

Since use of a CRC algorithm for the detection of viral infection (which is the
only context in which I mentioned CRC) doesn't imply the need for such a list,
this remark doesn't seem to me to be relevant to my question.  But I'm still
curious to know exactly how one would exploit a list of CRC checksums to do
something nasty.

  In short, Jerry, I don't think you've succeeded in supplying any good
justification for the much greater execution time required for DES- and RSA-based
algorithms as compared to a Rabin-type CRC algorithm, and unless I've missed
some important point, not even compared to an ordinary CRC algorithm satisfying
my "first" condition.

                                           Y. Radai
                                           Hebrew Univ. of Jerusalem

--------------------

Date:         Tue, 30 Aug 88 08:10:42 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Frank San Miguel <ACS1S@UHUPVM1>
In-Reply-To:  Your message of Mon, 29 Aug 88 10:54:21 EDT

Your point is certainly a valid one.  Virtually any programmer with ill will
toward an organization or institution could formulate a virus in a few hours
(or a poorly constructed virus in less time) and crash that system should it
have weak defenses.  It's disturbing to think that such vengeful persons
can easily bring about "viral warfare."  That brings me to another point,
if a war should take place (sensibilities forbidding), how prominently would
viruses be used as a means of attacking an enemy?  This sounds like the plot of
a cheesy film, but anything's possible.

Frank

--------------------

Date:         Tue, 30 Aug 88 10:48:33 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Frank San Miguel <ACS1S@UHUPVM1>
Subject:      A few questions

I've got two questions concerning Mac viruses.  First, if programs like Ferret
and Vaccine are not as dependable as one could hope, how does one search for a
viral infection using ResEdit?  Also, could someone dig up a copy of Howard
Upchurch's article on SCORES and forward it to me? Thanks.

Frank

--------------------

Date:         Tue, 30 Aug 88 13:15:41 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Who's Sponsoring What

Thank you for answering Ken, but please do not answer questions
you know little about before consulting me.

The conference is sponsored at this time by two organizations
within Lehigh, and I am trying to get a department to sponsor
the conference.  I will be able to tell you later this week
who you may contact within Lehigh for information.

Agreeing with Ken, I am enrolled in the undergraduate program
at Lehigh.  I dislike the term undergraduate because I have worked
in the field for over 6 years and had taken courses at schools
previous to attending Lehigh.  Undergraduates, unfortunately,
often are thought of as people who don't know anything and haven't
spent time working in the real world, so I continue to shy
away from that label.

If you question my integrity, you can check up on me.  I was
a member of the Bethlehem Beautification Committee, a part of
a group to the Bethlehem Area School District Superintendent
Committee, and have served on many non-profit organizations.
I was one of the people who started the "Save our Statue"
fund about 6 years ago that obtained national status.
I am easy to contact through any of the Century 21 Keim
Realtor offices in the Lehigh Valley area, Keim Enterprises.

While all of this means practically nothing, I like to
think I have a decent reputation for being fair and so
on.

I am using a P.O. Box because it is easier for me to
separate mail that way.  If you so desire, I live at
1950 Ravenwood Drive in Bethlehem (Zip 18018).

Again, it's very hard for me to assure you that I am
"on the level".  I think tomorrow I may be in a better
position to discuss it, however.

If you have any specific questions, you can direct them
to me here at LKK0@LEHIGH.

Thank you,

Loren K Keim

--------------------

Date:         Tue, 30 Aug 88 13:13:36 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Steven C. Woronick" <XRAYSROK@SBCCVM>
Subject:      Re: Outline of Worm Pgms Paper in CACMM

   For the benefit of the non-expert, could I suggest that we spell out
certain abbreviations which one would anticipate will elicit questions
when they first appear in a message?  For example if I mention DES, my
first reference to it might appear as "Data Encryption Standard (DES)."
(By the way, there is a discussion of DES in the book "Numerical Recipes"
- - sorry I don't have it in front of me so I can't tell you the authors).
Maybe this is too burdensome to ask?  Maybe one of us should put together a
glossary?  Although I have already inferred more or less the meaning of
DER and CRC, can somebody please tell me what they stand for?  Finally
what is the name of the journal CACM spelled out?

                                        Steve

--------------------

Date:         Tue, 30 Aug 88 17:24:37 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Virus Conference Concerns Update

To answer some of the concerns people recently had here about
the virus conference:

As I had said before, we were being sponsored by two Lehigh
University organizations but not by the college itself.  We
are working on trying to get the university to sponsor the
conference at this time.  We should know in the next few
days the answer.   The major concern the University seems
to have is that Lehigh must maintain the highest possible
standard of professionalism at a conference, as any
college or university should.

If we are sponsored by Lehigh, then those of you who might
have had questions about integrity will be able to send
a check directly to Lehigh.

Other than that, we seem to have a great list of speakers,
panelists and others coming representing a wide variety
of computer security experts and amateurs.

I will keep you informed.

Thank you,

Loren Keim

--------------------

Date:         Tue, 30 Aug 88 14:49:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      Re: Outline of Worm Pgms Paper in CACM

CRC stands for Cyclic Redundancy Check.
CACM is the "Communications of the Association for Computing Machinery."
DER, as far as I know, was an error for DES.  Don't flame me if I'm wrong;
there's getting to be a lot of mail and little time to read it.

--Jim

--------------------

Date:         Tue, 30 Aug 88 12:07:13 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Frank San Miguel <ACS1S@UHUPVM1>
Subject:      Re: Virus Arguements Hit Home
In-Reply-To:  Your message of Tue, 30 Aug 88 11:39:49 EDT

Dueling Sysops.  Sounds like a song subject.
Maybe this question has already been brought up but I'm curious what people's
thoughts are on the subject.  In a recent issue of Computerworld, the subject
of viruses and how they fit into insurance costs was raised.  On one hand,
those paying the insurance feel that they should be compensated for their
losses to viruses since they're paying high bills.  Insurance companies,
though, feel they shouldn't have to pay for another person's behavior.  The
article listed a few companies that do have provisions for viruses and those
who are undertaking the task.  I'll put them up if anyone wants them.

Frank

--------------------

Date:         Tue, 30 Aug 88 15:30:11 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Jim Marks <JMARKS@GTRI01>
Subject:      Re: Outline of Worm Pgms Paper in CACM
In-Reply-To:  Message of Tue, 30 Aug 88 13:13:36 EDT from <XRAYSROK@SBCCVM>

Steve,

Your suggestion about spelling abbreviations on first use is a good one.  It
is a fairly well recognized standard for reports, etc., and is a good idea
for here.  Only the most EXTREMELY common abbreviations should not be done
this way, at least on the first use.  In reply chains, this should probably
not be necessary.  I, too, am not familiar with all the jargon and
abbreviations such as DES.  I do know what CRC stands for, although I don't know
how to use it.

By the way, CACM stands for Communications of the Association for Computing
Machinery (ACM).  This is the primary journal of the ACM.

Jim Marks

--------------------

Date:         Tue, 30 Aug 88 14:22:01 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Steve <XRAYSROK@SBCCVM>
Subject:      Assurance

   I really cannot understand all the fuss about whether Loren is on the
up and up.  There is not a shred of evidence for, and it is ridiculous to
suggest, that Loren might perhaps embezzle the funds for the conference
and skip town.  The conference money is not very much compared to the
loss of reputation, risk of a law suit, and other damages certain to be
incurred by such a fraud.  I would however suggest (Loren probably already
knows this) that a bank account be established solely for handling the
conference expenses and that Loren obtain and retain all receipts for all
conference-related expenditures.  This is good insurance against later
accusation.  The question about left over monies is a good one, but also
what about not enough funds?  I think Loren deserves to be thanked for
his efforts in setting up and running the conference.  Unfortunately, I
am too busy to attend.

   Life is full of risks and if you want to live a full and normal life
(maybe even otherwise also), you are forced to take at least some risks
all the time.  So, you take risks you consider to be reasonably safe.
It is always possible that your next door neighbor will run you down with
his car just for the fun of it the next time he sees you.  It is possible
that the cashier will pocket the $20 bills you just handed her and claim
that you didn't give her anything (and charge you with assault or robbery
should you try to get your money back).  But life is always forcing these
kinds of risks on you and you must evaluate each risk and the motives and
psychological make up of the people involved.  It has been said that if
you don't take risks, you risk not living.  I personally think the
conference is a pretty good risk.  And a cancelled check is a pretty good
receipt.

Steve

--------------------

Date:         Tue, 30 Aug 88 16:14:57 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: CRC vs. encryption schemes
In-Reply-To:  Message from "Y. Radai" of Aug 30, 88 at 5:20 pm

>
>  A few comments on Jerry Leichter's reply to my question/challenge:
>
>>It may very well be that, given a program P and its CRC C, with an unknown
>>polynomial, I can find another program P' with the same CRC.  Note that this
>>is a MUCH weaker condition than saying that I can determine the polynomial.
>
>Agreed.  I never assumed that one had to determine the polynomial in order to
>forge a CRC.  However, it's not enough to say that "it *may* be that ...".  If
>you can't demonstrate a *method* for doing this in general, you won't convince

Perhaps we have two different concerns here.  One is the problem of
determining if a file that was previously clean had become infected.
For this one needs only to look for changes.  A CRC will do this,
unless the infecting agent is 'smart' enough to add a byte or two of
checksums that will cause the CRC generator to show the same CRC.  No
virus writer can do this if he does not know what CRC polynomial you
are using.

The second problem involves publishing the CRC so that others may know
if distributed code had been changed.  For this, you must also publish
the polynomial so that others can check the code.  Clearly here the
polynomial is known and the virus writer can take that into account as
he writes his mean stuff.

Since in the first case speed is of the essence (I run my checker with
each bootup and it takes time), and in the second case, it is less so,
we have two problems with two solution sets.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Tue, 30 Aug 88 15:06:00 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)" <LEICHTER@YALEVMS>
Subject:      RE: CRC vs. encryption schemes

        Y. Radai writes:

        I never assumed that one had to determine the polynomial in order to
        forge a CRC.  However, it's not enough to say that "it *may* be that
        ...".  If you can't demonstrate a *method* for doing this in general,
        you won't convince many people.

If we were living in the 1930's, this statement might have some validity.
Today, it is extremely naive.  The world is full of failed cryptosystems
which people relied on because "no one could demonstrate a method" of breaking
them.  Given advances in the field, the burden of proof should be - and, among
people who work on these issues, IS - entirely on the PROPOSER of a system to
show that his system is secure, in some sense.  (Absolute proofs of security
are still beyond us, but proofs that certain problems which are believed to be
very hard are, indeed, very hard are possible.)

I suggest you read Kahn's "The Codebreakers" and see if you wish to stand by
your statement.

        Since I may have misunderstood something and this might be a more
        important point than I thought, it should be mentioned that a CRC
        checker (the same program which I mentioned in my message yesterday)
        has been written which makes a random choice among almost 70 million
        irreducible polynomials.  Do you think anyone can forge a checksum on
        that basis?

Yes, easily.  A common error in this kind of work is not to understand the
power of brute force.  Your range of possible polynomials is too small to be
secure.  Suppose I know how your polynomial generator works, and have a copy
of ONE file with your checksum for it.  I proceed to compute the checksum of
the file with all 70 million possible polynomials, comparing the results to
the known checksum.  Even if it takes a second to compute, I can expect a
match in a little over a year.  If I'm serious about the search and willing to
make an investment in hardware, I can get a result much faster, since the
program parallelizes trivially to arbitrary degree.

If I get to choose the file - if, for example, you maintain a BBS and I can
convince you to add my file to your files and publish a checksum for it for
people to check - I may be able to do better.  (At a minimum, I can guarantee
that the file is short and so can be checked quickly.)

What I get out is the actual polynomial - more than I needed.  (There's a
chance - about 1 in a 100 - that two polynomials produce the same checksum on
the given file.  A quick check with another file - if you publish one, you'll
publish another - minimizes this.)

Go to 48-bit polynomials, and this method becomes impractical.  But you don't
KNOW that other methods don't make the problem absolutely trivial!

                     This program is based essentially on Prof. Michael
        Rabin's "fingerprint" algorithm, and as you yourself admitted in your
        contribution of May 9, that makes it cryptographically strong despite
        the fact that it is CRC-based.

I no longer have a copy of my May 9th contribution - I'm fascinated, and
complimented, that anyone thought it interesting enough to save and remember -
but the use of "admitted" in this context is suspect.  It has nothing to do
with proof.  Rabin's scheme was based on an idea that is common in much of his
work, and actually goes back to basic game theory:  Using randomization,
choose one path from among many.  Your adversary can defeat any particular
path you choose, but because he doesn't know which one you will choose, he
must defeat all of them at once - which he cannot do.  Here, "path" is a
particular polynomial.  Rabin's scheme fails immediately if your opponent
knows the particular polynomial you intend to use.

As I recall, I speculated that you could get around this by publishing a list
of polynomials, and checksums with respect to ALL of them, with the list so
long that the adversary could not compute a falsified value that would satisfy
all of them but still have an acceptable length.  Then you would check a
small, randomly chosen subset of the polynomials.

For this to work, a suitable list of polynomials would have to be shown to
exist:  Long enough that fooling all, or even a significant fraction, of them
simultaneously is impossible; short enough that you would be willing to
compute and publish ALL the checksums.  I don't know of anyone who has shown
that such a list can be constructed; it's an interesting problem.

                                                        -- Jerry
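
Added example, not part of the original digest or of any poster's message: a keyspace check for the randomly keyed CRC debated above, showing that the number of irreducible degree-31 polynomials over GF(2) is the "almost 70 million" quoted, and that exhausting such a keyspace against known (file, checksum) pairs pins down the generator. Assumptions: the checksum is modelled as a Rabin-style remainder of the file modulo the generator, degree 13 stands in for 31 so the search finishes in seconds, and all function names and sample files are constructed for illustration.

```python
"""Keyspace check for a randomly keyed CRC / Rabin-style fingerprint (added example)."""
from functools import lru_cache


def poly_mod(a, g):
    """Remainder of a(x) / g(x) over GF(2); polynomials are ints, bit i = coeff of x^i."""
    dg = g.bit_length()
    while a.bit_length() >= dg:
        a ^= g << (a.bit_length() - dg)
    return a


def poly_mulmod(a, b, g):
    """a(x) * b(x) mod g(x) over GF(2); a must already be reduced mod g."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = poly_mod(a << 1, g)
    return r


def poly_gcd(a, b):
    while b:
        a, b = b, poly_mod(a, b)
    return a


def is_irreducible(g):
    """Ben-Or test: g is irreducible iff gcd(x^(2^i) - x, g) = 1 for i = 1..deg(g)//2."""
    n = g.bit_length() - 1
    if n < 1:
        return False
    h = 2  # the polynomial x
    for _ in range(n // 2):
        h = poly_mulmod(h, h, g)      # h = x^(2^i) mod g
        if poly_gcd(g, h ^ 2) != 1:   # h ^ 2 is h - x over GF(2)
            return False
    return True


@lru_cache(maxsize=None)
def irreducible_polys(degree):
    """All irreducible polynomials of exactly this degree: the checker's keyspace."""
    return tuple(g for g in range(1 << degree, 1 << (degree + 1)) if is_irreducible(g))


def mobius(d):
    result, p = 1, 2
    while p * p <= d:
        if d % p == 0:
            d //= p
            if d % p == 0:
                return 0
            result = -result
        p += 1
    return -result if d > 1 else result


def count_irreducible(n):
    """Gauss's formula: (1/n) * sum over d | n of mobius(d) * 2^(n/d)."""
    return sum(mobius(d) * 2 ** (n // d) for d in range(1, n + 1) if n % d == 0) // n


def fingerprint(data, g):
    """Keyed checksum: file contents as a GF(2) polynomial, reduced mod the generator.
    A leading 1 bit is prepended so that leading zero bytes change the result."""
    message = (1 << (8 * len(data))) | int.from_bytes(data, "big")
    return poly_mod(message, g)


def recover_generators(samples, degree):
    """Every generator of `degree` consistent with all (data, checksum) samples."""
    candidates = list(irreducible_polys(degree))
    for data, checksum in samples:
        candidates = [g for g in candidates if fingerprint(data, g) == checksum]
    return candidates


if __name__ == "__main__":
    import random

    degree = 13  # small stand-in for the 31-bit generator discussed in the thread
    keyspace = irreducible_polys(degree)
    secret = random.SystemRandom().choice(keyspace)
    # Constructed sample files; in the thread these are files with published checksums.
    files = [b"CONSTRUCTED SAMPLE: first file", b"CONSTRUCTED SAMPLE: second file"]
    samples = [(f, fingerprint(f, secret)) for f in files]

    one = recover_generators(samples[:1], degree)
    two = recover_generators(samples, degree)
    print(f"degree {degree}: keyspace {len(keyspace)} generators")
    print(f"consistent with one sample: {len(one)}, with two samples: {len(two)}")
    print(f"secret generator among survivors: {secret in two}")

    full = count_irreducible(31)
    days = full / 2 / 86400  # expected search covers half the keyspace
    print(f"degree 31: keyspace {full}, about {days:.0f} days expected at 1 s per trial")
```

The degree-31 figure gives an expected search of roughly 400 days at one second per trial on a single machine, which matches the "little over a year" estimate in the message above; the work divides evenly across machines.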

--------------------

Date:         Tue, 30 Aug 88 19:32:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      Loren's virus conference

Could we please take this debate about the conference elsewhere?
I don't know where, maybe a user-run mailing list, but I'm a bit tired of
it on Virus-L.  Probably Jeff is just being over-cautious, and I can't
necessarily blame him.  But this debate has gotten annoying.

--------------------

Date:         Tue, 30 Aug 88 22:06:11 -0700
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Steve Clancy <SLCLANCY@UCI>
Subject:      conference

What are the possibilities of publishing some sort of proceedings or
recordings of some of the discussions at the upcoming conference for
those of us who can't make the trip?

--------------------

Date:         Tue, 30 Aug 88 22:11:02 -0700
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Steve Clancy <SLCLANCY@UCI>
Subject:      Re: AT configuration
In-Reply-To:  Your message of Mon,
              15 Aug 88 13:37:42 -0500. <8808151311.aa17665@ORION.CF.UCI.EDU>

 > I wonder what would be the effect of telling my AT, through some
 > configuration changes that I have no hard disk.
 >
 > I can run a program that permits me to tell the battery operated RAM
 > package that I have one of 45 or so different hard disks, or by
 > putting a zero in some location tell it that I have no hard disk.  Can
 > a virus guess what sort of disk I have?  What would happen if the
 > virus guesses wrong?
 >
 > Interested in some feedback here.
 >
 > + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
 > | Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
 > | Professor, Computer Science                Office (414) 229-5170    |
 > | University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
 > | Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
 > + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
 >

There is an interesting program called PC-LOCK which will effectively
isolate your hard disk (at least on an XT) from the system.  Once
installed, if a user attempts a hard disk boot, he/she must supply the
proper password to gain access to the HD.  If booted by a floppy in
the A drive, access is also blocked as the HD does not appear to
exist, and the user does not have access.  This package is shareware.
I would be happy to make it available to all in the conference, but I
am not sure how to do so.

Steve Clancy, U.C. Irvine, Biomedical Library.  Wellspring RBBS 714-856-7996

--------------------

Date:         Tue, 30 Aug 88 22:20:49 -0700
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Steve Clancy <SLCLANCY@UCI>
Subject:      Flushot trojan horse

I recently came across this message from the author of Flushot.  I
haven't seen it here, unless I've missed it.

Steve Clancy, U.C. Irvine, Biomedical Library. Wellspring RBBS 714-856-7996

****************************************************************************

                        !!OF VITAL IMPORTANCE!!
ATTENTION!
There is a trojan program afoot and it's called FLU4TXT.COM!

It did not originate from my board, obviously. As of 3/11/88 the most
recent release of the Flushot program is 'Flushot3'.  The archive
contains a number of text files, and FLUSHOT3.COM itself. Legitimate
copies of Flushot3 are available on either of the BBS's below, on Genie,
on Bix, or from Usenet.

ABOUT THE TROJAN

FLU4TXT.COM is a text display program which will show you some of the
documentation which comes with FLUSHOT3, and will then damage your hard
disk when you exit.  Additionally, it also plays games with the disk
parameter table.  Nasty stuff.

The writer of the trojan was clever: it is self modifying and self relocating
code which will not be found by CHK4BOMB.

WHAT TO DO

Please be sure to tell any sysop on any board where you see this program
(or an archive called FLUSHOT4) that it is a trojan, that it should be
removed from their board immediately, and that a warning message should be
posted to that effect.  Perhaps a copy of this warning bulletin will suffice.

!!!DO NOT RUN FLU4TXT.COM!!! IT WILL EAT YOUR HARD DISK *AS*IT*EXITS*!!!

Who do I contact?

If you have questions about flu4txt.COM or about the legitimate series of
Flushot programs, please feel free to leave a message for me on
either of the following BBS systems:
                RAMNET ((212)-889-6438), NYACC ((718)-539-3338)

or on 'BIX' or via 'MCI MAIL' (I'm user 'GREENBER' on both BIX and MCI)

FLUSHOT3.ARC is available on those bulletin boards as well as many around
you.  Before downloading a copy from a trusted BBS, please be sure to ask
the sysop if they have actually run the copy they have available for
download on their board.  It is *your* disk at risk.....

Ross M. Greenberg

--------------------

*** end of Virus-L issue ***
