Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA04461; Wed, 20 Jun 90 17:18:53 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA06944; Wed, 20 Jun 90 17:18:53 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA23043; Wed, 20 Jun 90 17:18:42 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa22836; 20 Jun 90 16:15 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:29:32 BST 
Message-Id:   <$TGWGCZNQBTKN at UMPA>
Subject:      Virus-L vol 0 issue #1007



Virus-L Digest Fri, 7 Oct 88, Volume 0 : Issue #1007

Today's Topics

Slight Conference Correction
Sneak virus
NY Student caught
Scores??
Re: NY Student caught
Sneak virus
Re: NY Student caught
Re: Re: NY student caught
Re: NY Student caught

------------------------------

Date:         Fri, 7 Oct 88 00:30:03 EDT
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Slight Conference Correction

One slight conference correction: On Sunday, Oct 23rd, I didn't say where
the meeting would be held. It is scheduled to be held at Walps, the same
place as Saturday morning/afternoon.

Loren Keim

--------------------

Date:         Fri, 7 Oct 88 00:30:03 EDT
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Sneak virus

For some reason, several people have asked me about the "Sneak" virus over
the last few days. I may or may not have seen it, I don't recall the title
off-hand. Anyone know of this Mac virus?

Loren Keim

--------------------

Date:         Fri, 7 Oct 88 08:53:00 MDT
From:         "David D. Grisham" <DAVE@UNMB>
Subject:      NY Student caught

Our campus paper reprinted a story from the Albany Student Press which
cited a student suspension. This and a fine of $2000 was for placing a
"virus" on the univ's "mainframe" computers. Is this just old news that has
been hashed? If so - would someone please send me a short synopsis of the
"mainframe" problems and any other pertinent information? We have many VAX
and IBM concerns, as well as, for our micro population.

On an adjacent note, yesterday's Albq. Journal reported "Virus Invades NMSU
Campus". It turned out to be Scores, which has probably bothered us all. NM
State is down the road and is this week's 'HIT'. I try to send an e-mail
message to our consultant staff once a week announcing the current viral
attack on a campus. This is done to make them even more aware - so when it
is our turn - there will be less damage.

dave
******************************************************************************
*   Dave  Grisham                                                            *
*   Senior Staff Consultant                         Phone (505) 277-8148     *
*   Information Resource Center                                              *
*   Computer & Information Resources & Technology                            *
*   University of New Mexico                        USENET DAVE@UNMA.UNM.EDU *
*   Albuquerque, New Mexico  87131                  BITNET DAVE@UNMB         *
******************************************************************************

--------------------

Date:         Fri, 7 Oct 88 12:19:11 EDT
From:         "Mark F. Haven" <MHQ@NIHCU>
Subject:      Scores??

> Date:         Fri, 7 Oct 88 08:53:00 MDT
> From:         "David D. Grisham" <DAVE@UNMB>
> Subject:      NY Student caught
> On an adjacent note, yesterday's Albq. Journal reported "Virus
> Invades NMSU Campus".  It turned out to be Scores, which has probably
> bothered us all.  ...

What is "Scores"?

--------------------

Date:         Fri, 7 Oct 88 13:18:27 EDT
From:         Ben Chi <BEC@ALBNYVM1>
Subject:      Re: NY Student caught
In-Reply-To:  Message of Fri, 7 Oct 88 08:53:00 MDT from <DAVE@UNMB>

>Our campus paper reprinted a story from the Albany Student Press
>which cited a student suspension.  This and a fine of $2000 was for
>placing a "virus" on the univ's "mainframe" computers.  Is this just old
>news that has been hashed?  If so - would someone please send me a
>short synopsis of the "mainframe" problems and any other pertinent
>information?

Inasmuch as the episode has attracted some national attention via the
collegiate press, let me give a brief summary of the facts related to the
virus incident that took place early in 1988 at the University at Albany.

On February 29 a student came to the office of the VMS systems manager to
announce that "a terrible thing happened: I was programming a virus and it
got loose and now it is all over the system." The virus's effect was to
replicate itself throughout the user's com files, inserting 123 lines of
code at the beginning of any previously-uninfected com file. It neither
deleted nor replaced existing text. Aside from taking up space in the
affected directory, there were no side effects for the user.

The virus generated small batch jobs to reproduce itself; these batch jobs
run on our VAX 8650 in the background separate from the main terminal
interactive jobs. This enabled the infection to be spread to numerous com
files without any noticeable time delay for a user at a terminal.

At one point the evening shift operator noticed an enormous number of batch
jobs being generated. He started deleting them by hand until the systems
manager could be notified. She stopped all new batch jobs but, even still,
over 5000 batch jobs were executed that evening (200-300 being normal).

Following the method the virus used to generate batch jobs, systems staff
traced and eradicated the virus using the batch logs. All this took place
in early March and at this point we are confident that the virus is
completely eradicated and that it did not leak off site.

The student was immediately barred from further access to our central
computing facilities. Also, a formal complaint was submitted by Computing
Services to the University Judicial System concerning the incident on March
30. After deliberation, the Committee on Student Conduct ruled that the
student be placed on disciplinary probation through graduation and directed
to make restitution to Computing Services in the amount of $2380 as
compensation for technical and administrative personnel resources
dissipated in this episode, and that the student's access to computing
facilities be strictly limited to those activities directly related to
courses in which he was enrolled.

Computing Services appealed this ruling as being insufficiently severe and
recommended instead restitution and dismissal. Early in June the Vice
President for Student Affairs sustained this appeal and the student was
suspended without term, but still directed to make restitution.

The restitution has been made, the student has left, and that is how
matters stand at present.
_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.
Benjamin E. Chi                                      BEC@ALBNYVM1.BITNET
Director of Technical and Network Services      or BEC@UACSC1.ALBANY.EDU
Computing Services Center                     fax available but unlisted
The University at Albany, Albany NY 12222 USA          vox (518)442-3702

--------------------

Date:         Fri, 7 Oct 88 18:43:00 EDT
From:         portal!cup.portal.com!MacUserLabs@SUN.COM
Subject:      Sneak virus

Sneak is a term devised by the gentleman who did Interferon. It claims to
be triggered by common System Folder files that have been turned into
INITs, RDEVs etc. Sneak was put in there to try to catch new viruses. If
there is someone out there that has something that triggers the Sneak
alert, please contact me soonest; we might very well have a new Mac virus
on our hands.

Stephan
<--------------------------------------------------------------->
Stephan Somogyi, MacUser Labs, 950 Tower Lane, 18th Floor, Foster City
CA 94404, USA

...!sun!cup.portal.com!MacUserLabs or MacUserLabs@cup.portal.com
BIX: mulabs
MacNET: MULABS
(415) 378-5662

--------------------

Date:         Fri, 7 Oct 88 20:28:57 EDT
From:         Ed Nilges <EGNILGES@PUCC>
Subject:      Re: NY Student caught
In-Reply-To:  Your message of Fri, 7 Oct 88 13:18:27 EDT

The punishment of the student sounds Draconian given the fact of his
immediate remorse and confession. He was negligent because he was
programming a virus on a system on which it could be propagated. He was not
criminal, but he is being treated as one.

--------------------

Date:         Fri, 7 Oct 88 19:56:03 EDT
From:         Steve <XRAYSROK@SBCCVM>
Subject:      Re: Re: NY student caught
In-Reply-To:  Message of Fri, 7 Oct 88 13:18:27 EDT from <BEC@ALBNYVM1>

Ben, can you please clarify what you are telling us? I have some questions
that maybe you could answer to make sure I understand (plus some remarks):

First of all, com files on a VMS system are ASCII command process files
which contain DCL (DEC Control Language) and are readable to the human eye.
Yes? And as such are very easy to check to see if they are infected (or are
you really talking about exe files?). And if the file dates were changed,
that would make detection even easier.

Secondly, an infected file when run as I understand it will submit a batch
job to infect other "com" files (like login.com) on that user's account
(and any other directories that user has privilege to write to). Unless
this is a very sophisticated "virus", the infection as I understand it does
not have the ability to write on just anybody's directory and is therefore
limited. If it does have the ability, how did it get privilege to do so?
How did it get through the operating system's defenses? Was an infected com
file perhaps somehow distributed (like through a bboard) to other users?
From the sound of it (5000+ batch jobs submitted), it would appear that it
did somehow get through. Did this person have access to a privileged
account? What about the com file dates? Pardon all the questions, but I'm
just trying to understand... Did it infect system files?

I note that the student had the nerve to confess his/her error. I obviously
don't know the circumstances, but it seems to me that harsh punishment
(Indefinite suspension seems a bit severe for what could have been an
unintentional error and for someone who turned him/herself in) is not in
the best interest of any of the parties involved. Admittedly, designing a
virus is suspicious, but that doesn't make it criminal any more than
core-wars unless you intend to use it. I do think punishment of some sort
is in order, but it seems to me that by dealing out too harsh a punishment,
you discourage honest people from coming forward when they do make
mistakes. I thought the Committee on Student Council ruled justly --- you
do damage, you pay for it and you merit watchful eyes (disciplinary
probation). Do you think the student came forward only because he/she
thought he/she would be caught anyway and was only trying to minimize the
damages? What excuse did the student give for writing a virus program?

Steven C. Woronick, Physics Dept, SUNY at Stony Brook,  New York
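
[An added example, not part of the digest or of any poster's message: Ben Chi's summary describes an identical block inserted at the beginning of each affected com file, and the message above notes that plain-text DCL files are easy to check. The Python sketch below groups files that open with the same block of lines; the function names, the threshold and the sample file contents are constructed for illustration.]

```python
import hashlib
from collections import defaultdict

def common_prefix_len(a, b):
    """Number of leading lines two files have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def find_shared_headers(files, min_lines):
    """files maps name -> text. Returns [(shared_line_count, [names])] for
    every group of 2+ files whose first min_lines lines are identical."""
    buckets = defaultdict(list)
    for name, text in files.items():
        lines = [ln.rstrip() for ln in text.splitlines()]
        if len(lines) < min_lines:
            continue  # too short to carry the inserted block
        digest = hashlib.sha256("\n".join(lines[:min_lines]).encode()).hexdigest()
        buckets[digest].append((name, lines))
    findings = []
    for members in buckets.values():
        if len(members) < 2:
            continue
        first = members[0][1]
        shared = min(common_prefix_len(first, ls) for _, ls in members[1:])
        findings.append((shared, sorted(n for n, _ in members)))
    return sorted(findings, reverse=True)

# Constructed sample: a harmless 4-line comment block stands in for the
# 123 inserted lines described in the message.
HEADER = "\n".join(f"$ ! constructed marker line {i}" for i in range(1, 5))
SAMPLE = {
    "LOGIN.COM": HEADER + "\n$ SET TERMINAL/WIDTH=132\n$ EXIT\n",
    "BUILD.COM": HEADER + "\n$ FORTRAN MAIN\n$ EXIT\n",
    "BACKUP.COM": "$ ! nightly backup\n$ SET NOON\n$ DIRECTORY\n$ PURGE *.LOG\n$ EXIT\n",
}

if __name__ == "__main__":
    for shared, names in find_shared_headers(SAMPLE, min_lines=4):
        print(f"{shared} identical leading lines: {', '.join(names)}")
```

[A threshold of a few dozen lines keeps ordinary shared boilerplate at the top of command files from being reported as a match.]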

--------------------

Date:         Fri, 7 Oct 88 18:42:17 edt
From:         Bennett Todd <bet@DUKEAC.UUCP>
Subject:      Re: NY Student caught

>On February 29 a student came to the office of the VMS systems manager
>to announce that "a terrible thing happened:  I was programming a virus
>and it got loose and now it is all over the system."

The article then went on to explain how the student was immediately
restricted, put on probation, and fined 2 grand. That didn't appeal to the
comp center, they got him kicked out. Which makes it clear that (1) it
doesn't matter what your intentions are, only the results, and (2) having
slipped up and let the virus get away, the student shouldn't have reported
the problem. I am sure glad I don't go to that school / work in that comp
center / have anything to do with that crowd. Malicious vengeance breeds in
kind. When I was an undergraduate I and a couple of friends worked many
many hours breaking the security of the departmental minicomputer... with
the knowledge of the system administrator. On those occasions when we
managed to crack it we left a note for the admin somewhere we shouldn't
have been able to, and he tried to figure out (with our help where
necessary) a way to plug the revealed security hole. That was one of the
best-run and well-maintained systems I have ever seen before or since. Now
that I am an administrator I would dearly love to have some users who were
that interested and who cared that much about the system.
-Bennett  bet@orion.mc.duke.edu

--------------------

*** end of Virus-L issue ***
