Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA04476; Wed, 20 Jun 90 17:20:54 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA06959; Wed, 20 Jun 90 17:20:51 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA23104; Wed, 20 Jun 90 17:20:36 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa22983; 20 Jun 90 16:17 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:30:32 BST 
Message-Id:   <$TGWGCZNQBTNG at UMPA>
Subject:      Virus-L vol 0 issue #1011

Virus-L Digest Tue, 11 Oct 88, Volume 0 : Issue #1011

Today's Topics

Policy on Informants
Re: Scores??
Re: Sneak virus
DCL viri
Brain virus! HELP!
Re:  Policy on Informants
Re: Brain virus! HELP!
c
VIRUSCON HELP
Cursor virus?
Re: Policy on Informants
*NY Student Caught
Re: Cursor virus?
RE:  Cursor virus?
RE: Cursor virus?

------------------------------

Date:      Tue, 11 Oct 88 07:22:14 GMT
Comments:  Warning -- original Sender: tag was JANET@BRIGHTON.AC.UK
From:      JANET@VMS.BRIGHTON.AC.UK
Subject:   Policy on Informants

I've just read Bennett Todd's msg (Fri  07  Oct  88  18:42)  regarding  the
handling  of  the  NY  student.  My  personal  opinion is to totally agree.
Several years ago, some teenagers from a local school found a bug in the HP
2000 BASIC. Some fool(s) thought it was fun to crash the system every night
10 minutes before shutdown, and we couldn't trace who caused  it.  We  were
grateful  when  we  were  told  what  was  believed  to  cause it, and once
confirmed, HP fixed their bug, happiness returned. No  action.  Some  staff
here  don't believe the students really *do* have enquiring minds and *can*
find holes. Those who believe, tend to have a more  open  attitude,  and  a
colleague  has  "tame"  ones  checking out particular areas. They report on
their findings, and he watches in case they go off track.

By all means, hit the *real destructive* types, but fine a  *well  meaning*
informant  and  you've  built  a  big wall. Then they do their best to keep
their activities under a smoke screen on their side, and you're on a losing
streak. Peter Morgan.

   [ I think my boss agrees with me, but I could be wrong! :-) ]

--------------------

Date:         Tue, 11 Oct 88 10:02:48 EDT
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: Scores??
In-Reply-To:  Scores?? (Mac)

Scores is a highly infective Mac virus supposedly created as a "killer"  of
applications  with  types  "ERIC"  or  "VULT".  It infects applications and
system files and spreads very rapidly. It can  be  removed  either  through
some  fiddly ResEdit hacking or through the use of KillScores (recommended)
or Ferret (not so recommended). Both of these are available  from  LISTSERV
at SCFVM. --- Joe M.

--------------------

Date:         Tue, 11 Oct 88 09:56:17 EDT
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: Sneak virus
In-Reply-To:  Message of Fri, 7 Oct 88 18:43:00 EDT from
              <portal!cup.portal.com!MacUserLabs@SUN.COM>

I sent private mail about this to some one who asked about it (sorry,  I've
forgotten who) ...

"SNEAK" detection by  Interferon  before  version  3.1  (now  available  at
LISTSERV  at  SCFVM)  will  detect  the  LaserWriter and LaserPrep files in
release 6.0 as possibly being infected.

THEY ARE NOT INFECTED !!!!!!

Apple made a change to  these  files  so  that  they  would  have  new  and
different  icons.  I  can  explain  about  all the bizarre things which the
DeskTop file forces you to do when  you  are  changing  ICN#  resources  if
anyone  is  interested, but it's simply that Apple decided to play some fun
resource games. The new version of Interferon knows about this.

As a note, Interferon is up to version 3.2 (I  believe  the  version  being
used by the previous poster was 2.0).

- - Joe M.

--------------------

Date:         Tue, 11 Oct 88 12:50:00 EST
From:         "Brian D. McMahon" <BRIAN@UC780>
Subject:      DCL viri

Commenting on the Albany DCL virus incident, Les Hill writes:

> Possible solutions for VAX managers facing a large community with potential
> malcontents include making the default root directory protection no world
> read, setting up a dead account to hold utilities submitted by users, and
> informing those who do write public utilities to keep the public copy
> with the write access disabled.

May I add to the list of (very sensible) suggestions two more:

BE CAREFUL WHEN YOU EXECUTE A COMMAND PROCEDURE THAT DOES  NOT  LIVE  IN  A
TRUSTED ACCOUNT! (See below)

NEVER, *EVER* EXECUTE A COMMAND PROCEDURE THAT  (A)  IS  NOT  IN  A  SYSTEM
ACCOUNT AND (B) YOU CANNOT READ, ONLY EXECUTE. Ask yourself what the author
is hiding by setting access to execute-only.

By "trusted", I mean  either  a  system  account  or  one  belonging  to  a
competent,  known,  and trusted individual; furthermore, as Les points out,
it behooves the system manager to  make  sure  such  trusted  accounts  are
protected against unauthorized modifications.

As was pointed out earlier, yes, DCL  procedures  *are*  essentially  plain
text,  so  protecting yourself against this sort of virus is easy, *IF* you
follow a few simple rules, such as looking at the code before executing it.
The sad thing is, few people do so. Just remember CHRISTMA EXEC (similar in
that it was a command-procedure sort of thing,  only  on  IBM  systems  and
propagating over the network) of last year ...

Brian McMahon    <BRIAN@UC780>
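
The two rules above, together with Les Hill's point about keeping the public copy of a utility write-protected, can be turned into a pre-flight check that runs before you type `@` on somebody else's procedure. The Python below is an added example for this digest issue, not code from Brian, Les, or DEC. It parses a VMS-style protection mask in the form DIRECTORY/PROTECTION lists it (System, Owner, Group, World, each a subset of R, W, E, D, with or without the `S:`/`O:`/`G:`/`W:` prefixes), assumes the person about to run the procedure falls in the WORLD category, and assumes a small constructed set of "system" and "trusted" account names; the file inventory it vets is constructed as well.

```python
import re

# Constructed assumptions: which usernames count as "system accounts" and which
# belong to competent, known individuals (Brian's "trusted" accounts).
SYSTEM_ACCOUNTS = {"SYSTEM", "FIELD"}
TRUSTED_USERS = {"BRIAN"}

# VMS protection mask: four categories in the order System, Owner, Group, World,
# each a subset of R (read), W (write), E (execute), D (delete).  Accepts both
# "(RWED,RWED,RE,E)" and "(S:RWED,O:RWED,G:RE,W:E)".
PROT_RE = re.compile(
    r"^\(\s*(?:S:)?([RWED]*)\s*,\s*(?:O:)?([RWED]*)\s*,\s*(?:G:)?([RWED]*)\s*,\s*(?:W:)?([RWED]*)\s*\)$",
    re.IGNORECASE,
)
CATEGORIES = ("system", "owner", "group", "world")


def parse_protection(mask):
    """Turn a protection mask into {category: set of access letters}."""
    m = PROT_RE.match(mask.strip())
    if not m:
        raise ValueError(f"unrecognised protection mask: {mask!r}")
    return dict(zip(CATEGORIES, (set(g.upper()) for g in m.groups())))


def vet_procedure(owner, mask, caller_category="world"):
    """Apply the rules to one command procedure; returns (verdict, reason).

    REJECT  - execute-only and not in a system account (rule 2, no exceptions)
    CAUTION - runnable, but something a careful user should look at first
    OK      - no rule violated (still read the code before you run it)
    """
    prot = parse_protection(mask)
    mine = prot[caller_category]
    owner = owner.upper()
    if owner in SYSTEM_ACCOUNTS:
        trust = "system"
    elif owner in TRUSTED_USERS:
        trust = "trusted"
    else:
        trust = "untrusted"

    if "E" not in mine:
        return ("SKIP", "you have no execute access to this procedure anyway")
    # Rule 2: never run something you can execute but cannot read, unless it
    # lives in a system account.  Ask what the author is hiding.
    if trust != "system" and "R" not in mine:
        return ("REJECT", "execute-only and not in a system account")

    findings = []
    # Les Hill's point: a public utility whose copy is writable by others can be
    # replaced by anyone, so the owner's trustworthiness no longer means much.
    if {"W", "D"} & (prot["group"] | prot["world"]):
        findings.append("public copy is writable or deletable by group/world")
    # Rule 1: be careful with anything outside a system or trusted account.
    if trust == "untrusted":
        findings.append(f"owner {owner} is neither a system nor a trusted account; read it first")
    if findings:
        return ("CAUTION", "; ".join(findings))
    return ("OK", "no rule violated")


# Constructed inventory in the shape DIRECTORY/OWNER/PROTECTION would give you.
SAMPLE_LISTING = [
    ("SYSTEM", "SYS$MANAGER:SYLOGIN.COM", "(RWED,RWED,RE,E)"),
    ("BRIAN", "DISK$USER:[BRIAN.TOOLS]CLEANUP.COM", "(RWED,RWED,RE,RE)"),
    ("BRIAN", "DISK$USER:[BRIAN.TOOLS]SHARED.COM", "(RWED,RWED,RWE,RWE)"),
    ("JDOE", "DISK$USER:[JDOE]FREEBIE.COM", "(RWED,RWED,E,E)"),
    ("JDOE", "DISK$USER:[JDOE]UTILITY.COM", "(S:RWED,O:RWED,G:RE,W:RE)"),
]


def vet_listing(listing, caller_category="world"):
    """Vet every (owner, filespec, mask) triple; returns {filespec: (verdict, reason)}."""
    return {spec: vet_procedure(owner, mask, caller_category) for owner, spec, mask in listing}


if __name__ == "__main__":
    for spec, (verdict, reason) in vet_listing(SAMPLE_LISTING).items():
        print(f"{verdict:8} {spec:40} {reason}")
```

Run against the constructed listing, the execute-only FREEBIE.COM in a student account is rejected outright, the execute-only SYLOGIN.COM in the SYSTEM account passes (the system-account exception), and the trusted user's SHARED.COM is flagged only because group and world can write to it. The verdicts are advisory: an OK still means "open it in EDIT and read it", which is the point of the post.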

--------------------

Date:         Tue, 11 Oct 88 13:28:00 EDT
From:         the Preserver <VISHNU@UFPINE>
Subject:      Brain virus! HELP!

Hi guys. Guess what? You guessed! UF has finally contracted a PC  virus.  I
would  like  to  ask  the  readers  of  this list to please send any useful
information on getting rid of and preventing the  spread  of  what  is  now
called  the  Pakistani (or (c) Brain) virus. We are particularly interested
in:-
An original (unmutated) Brain virus either disassembled or on disk.
Any mutated forms of the above mentioned virus, disassembled or on disk.
Any noted behaviors of the Brain virus and its progeny.
Any suggestions on possible remedies.
Any known carriers, eg PKARC

Any and all help is appreciated,

Les
vishnu@ufpine.bitnet            postmast@ufpine.bitnet
vishnu@pine.circa.ufl.edu       postmaster@pine.circa.ufl.edu
CIRCA consulting, UF

--------------------

Date:         Tue, 11 Oct 88 16:14:29 EDT
From:         "Mark F. Haven" <MHQ@NIHCU>
Subject:      Re:  Policy on Informants

The punishment of the Albany student was way out of line - a  2K  fine  and
booting  him out of school for a dumb mistake which he immediately tried to
rectify? When I was in college a few friends found a way to lock up  a  360
system  from  APL.  Sure we had a little fun with a systems manager who got
bent out of shape but as quickly as he cooled down, and a few  laughs  were
shared, the code was revealed and everyone learned something. Experimenting
is how we learn and in a youthful university environment safeguards must be
put  in  place  so  that  "creative  computing"  won't cause harm to needed
functions. Proactive security by management will  be  far  more  likely  to
effectively  protect  than heavy-handed punishments. Besides, what 19 or 20
year old really expects themselves to get caught no matter  how  many  severe
punishments they might hear of...

--------------------

Date:         Tue, 11 Oct 88 16:58:12 EDT
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: Brain virus! HELP!
In-Reply-To:  Your message of Tue, 11 Oct 88 13:28:00 EDT

> An original (unmutated) Brain virus either disassembled or on disk.
> Any mutated forms of the above mentioned virus, disassembled or on disk.
> Any noted behaviors of the Brain virus and its progeny.
> Any suggestions on possible remedies.

There were some pretty good  descriptions  (etc.)  of  the  Brain  here  on
VIRUS-L  over  the summer (May and/or June, if memory serves me correctly).
You might want to start by perusing through the archives.

> Any known carriers, eg PKARC

I don't recall hearing anything about PKARC being a carrier  of  the  Brain
virus  (which  only infects boot sectors). Unless anyone else has more info
on this, I assume that it's an  unfounded  rumor.  Please,  let's  not  turn
VIRUS-L into a place to (even accidentally) start rumors.
Ken

Kenneth R. van Wyk                   Calvin: I can't stop this bike, help!
User Services Senior Consultant      Hobbes: Turn into a gravel driveway and
Lehigh University Computing Center           fall!  Quick!
Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Screeeech!  Boom!  :-(
BITNET:   <LUKEN@LEHIIBM1>           Hobbes: I didn't think you'd listen to me!

--------------------

Date:         Tue, 11 Oct 88 15:07:00 EDT
From:         "Shawn V. Hernan" <VALENTIN@PITTVMS>
Subject:      c

Hello. Recently here at the University of Pittsburgh we were infected  with
the  'nVIR'  virus.  It  was  detected  with interferon version 3.00 and is
currently being eradicated. It was first noticed on a MAC II w/80 meg  hard
disk.  It  is  known  to be in at least 3 of the public labs where macs are
available. Also, it has  infected  some  of  the  evaluation-only  machines
available  to  faculty  members.  It  is assumed that they have carried the
virus back to their machines. Also, we are checking an  evaluation  library
of  about  150  macintosh  packages  for infection. We are wondering how to
inform the user-community without panic. Any ideas?
Shawn Hernan, Academic Computing, University of Pittsburgh

--------------------

Date:         Tue, 11 Oct 88 17:57:00 EST
From:         ACS045@GMUVAX
Subject:      VIRUSCON HELP

Hi, I'm wondering if somebody out there in netland can give me a hand  with
obtaining  some  more  up-to-date  info  on  the  VIRUS-CON.  I  sent in my
registration back in September and haven't heard nary a word  from  anybody
since  August  seeing  as  how  we  lost  our BITNET connection for most of
September and had to sign off VIRUS-L in August  since  our  accounts  were
supposed to undergo a name change that never happened.

According to the info I received from a friend before we got cut  off  from
the  net,  I  was supposed to receive an information packet through the mail
detailing such things as hotel accommodations, a Conference Schedule,  exact
location  of  the  Conference,  etc.  And at this point, 10 days before it's
supposed to start, I'm basically one step short of panic with  nothing  in
hand  and  no  answer  to  any  of  the mail I've sent to the coordinators.

If some kind soul could PLEEZ email me any sort of up-to-date info (Like if
it's still going on :> ) I would be greatly appreciative. Thanx,

Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source.

--------------------

Date:         Tue, 11 Oct 88 12:43:00 CDT
From:         Gordon Meyer <TK0GRM1@NIU>
Subject:      Cursor virus?

Recent reports on a local BBS indicate that there may  be  a  MS-DOS  virus
that  insists  on  changing  the  cursor to a "-" character at random times
throughout a session. This is unconfirmed, and so far  only  one  user  has
reported  such  a  thing.  I'm  in  no way "up" on the current MS-DOS virii
(owning an ST myself) so this may be a symptom of an  old  virus  that  I'm
just  not  aware  of.  Can  anybody clarify? *IF* this is a virus, does it
appear to be a new strain? Cheers... -=->G<-=-

--------------------

Date:         Tue, 11 Oct 88 15:16:00 MDT
From:         Bernie <BSWIESER@UNCAMULT>
Subject:      Re: Policy on Informants
In-Reply-To:  Message of 11 Oct 88 14:14 MDT from "Mark F. Haven"

How can anyone defend this student when we don't know what  his  intentions
were?  I  agree,  the  steps taken were drastic, but if virus writing is an
ethical question then why was he writing one in the first place?  Curiosity
is  the  first thing that comes to mind. Now... If it is curiosity, then by
"hacking" he is learning about something that he would never be  taught  in
school.  Remember  the  Cohen  experiment.  Instead of delving further into
research of viruses the admin. clamped down immediately.  Overreaction  I
say,  because of fear. Fear that in their high positions they may get their
privs. reduced, not really that it may GET OUT. I don't know of  any  virus
which  can  tell  what  machine it is on and reproduce accordingly. I would
imagine if such a thing were ever written that it would defeat the  purpose
of  virus  being  small so they can hide. Anyhow, Greg, why do people write
viruses etc? Curiosity is one. Media hype is two. Revenge is three.  (Vague
as  always, BSW) Ps. The admin. at Albany should have hired that student as
a security consultant! :-) .

--------------------

Date:         Tue, 11 Oct 88 16:45:31 EDT
From:         Ben Chi <BEC@ALBNYVM1>
Subject:      *NY Student Caught

The last few days have seen some discussion on this  list  of  the  "Albany
incident"  which  occurred  at our site. Not being a VMS heavy myself, I've
asked my VMS Systems Manager to address some of the specific issues  raised
by various correspondents. She writes:

/ ---------------------------------------------------------------
/ First,
/ Bennett Todd (bet@orion.mc.duke.edu) is very sure our virus contaminator
/ had good intentions because he came to my office to let me know that the
/ virus had "got away".  Detailed examination of the code showed that he
/ was specifically targetting certain usernames (hard coded in) for
/ contamination, and that the main reason he hastened to let me know was
/ that his id and home directory were still hardcoded into the com file
/ which "got away" prematurely, but was always meant to get away.  The
/ system manager for this node would have been -- and remains --
/ interested in a serious security analysis by a serious student.
/ She is not interested in lending credibility to students who write
/ Trojan Horse programs -- in poor DCL at that -- to trip up their
/ unsuspecting friends.
/ ----------------------------------------------------------------------
/ Now regarding the message from XRAYSROK@SBCCVM:
/ 1) Com files are indeed readable ascii files which are coded in DCL
/ (very much like REXX).  As such they are indeed easy to check to see if
/ they contain the lines of code that betray the virus.  That is, ONE com
/ file is easy to check, 4.000 megabytes of files are another matter.  The
/ systems people did run a global search thru the filesystem for the
/ telltale code. These sanitary measures of course stole cpu and disk from the
/ users.  Part of the payment was to cover such costs.
/
/ 2)  Our "virus" was really a TROJAN HORSE:  many users who were in the
/ habit of using this nasty customer's com files spread the infection to
/ all the files they had WRITE access to (not exe files, the virus just
/ looked for com files, and specifically looked FIRST for the login.com in
/ each user's default directory.)  In fact, as XRAYSROK shrewdly suspects,
/ a bboard (not the one sponsored by the Center, but a student's
/ personal board) was used to spread the virus code.
/
/ 3) Our systems staff are trained to use only code they have checked and
/ tested.  No one with "privs" used the virus com file or the independent
/ board, and so no public files that the Center is responsible for were
/ infected.  No system files were infected.
/
/ 4) About the reason the student came forward, see my reply to previous
/ letter.

What my systems manager does not mention is  that  all  students  here  are
provided computing access as an entitlement, and in accepting it, agree not
to  use  it  for counterproductive purposes. Specifically, a student agrees
(among other things) not to
  * attempt to interfere with the performance of the system;
  * interfere with the legitimate work of another user;
  * attempt to circumvent system security.
He signs a statement acknowledging that he  understands  these  points  and
that nonadherence may result in penalties.

We regard impenetrable system  security  as  both  an  unattainable  and  a
wasteful  goal  and  refuse to use it as a playing field on which to engage
malicious or even curious students. We simply do not have the resources  to
play  these games. We provide students with computer access, BITNET access,
b-boards, and all manner of other amenities. If they don't wish to play  by
our (very reasonable) rules, they can go play somewhere else.
_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.
Benjamin E. Chi
BEC@ALBNYVM1.BITNET    Director of Technical and Network Services      or
BEC@UACSC1.ALBANY.EDU  Computing Services Center fax available but unlisted
The University at Albany, Albany NY 12222 USA vox (518)442-3702

--------------------

Date:         Tue, 11 Oct 88 18:31:35 EDT
From:         "Christian J. Haller" <CJH@CORNELLA>
Subject:      Re: Cursor virus?
In-Reply-To:  Message of Tue, 11 Oct 88 12:43:00 CDT from <TK0GRM1@NIU>

"Recent reports on a local BBS indicate that there may be  a  MS-DOS  virus
that  insists  on  changing  the  cursor to a "-" character at random times
throughout a session. This is unconfirmed, and so far  only  one  user  has
reported  such  a  thing.  I'm  in  no way "up" on the current MS-DOS virii
(owning an ST myself) so this may be a symptom of an  old  virus  that  I'm
just  not  aware  of.  Can  anybody clarify ? *IF* this is a virus, does it
appear to be a new  strain?  Cheers...  -=->G<-=-":-

I doubt that this is the result of a virus attack, but I  suppose  anything
is  possible.  The  shape  of  the  cursor  is something an application may
change, through documented system  calls.  Many  applications  display  the
cursor  as  a  block for insert mode, and an underline for overstrike mode.
Other configurations are possible, even a split cursor with a  gap  through
the   middle.  I  recall  the  cursor  being  affected  sometimes  when  an
application bombed, especially in BASIC, and  once  in  awhile  the  system
didn't  freeze  up  right  away.  "Normal  behavior"  for this very unusual
household appliance. -Chris Haller, Cornell University

--------------------

Date:         Tue, 11 Oct 88 19:46:00 EDT
From:        "Damnation, all that fuss over two pounds of Earthling brain."
              <PCOEN@DRUNIVAC>
Subject:      RE:  Cursor virus?

I don't know about a virus doing this, but running a CGA program when one's
graphics card is set to monochrome will have the cursor show up  like  that
A>-. A program using sloppy procedures could conceivably cause this without
being a virus.

--------------------

Date:         Tue, 11 Oct 88 22:23:00 EST
From:         Chris Bracy <KCABRAC@VAX1.CC.LEHIGH.EDU>
Subject:      RE: Cursor virus?

>Recent reports on a local BBS indicate that there may be a
>MS-DOS virus that insists on changing the cursor to a "-"
>character at random times throughout a session.  This is
>unconfirmed, and so far only one user has reported such a thing.

I've worked on a turbo-xt that changes the cursor according  to  the  speed
setting.  Some software can't deal with this and screws up the cursor on
exit. Chris.
*==============================*======================================*
|       Chris A. Bracy         |         Student Consultant           |
|       (215) 758-4141         |  Lehigh University Computing Center  |
|  Kcabrac@Vax1.cc.Lehigh.Edu  |    Fairchild Martindale Bldg.  8B    |
|   Kcabrac@LehiCDC1.Bitnet    |           Lehigh University          |
|       CAB4@Lehigh.Bitnet     |          Bethlehem, PA 18015         |
*==============================*======================================*

--------------------

*** end of Virus-L issue ***
