Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA04486; Wed, 20 Jun 90 17:21:24 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA06967; Wed, 20 Jun 90 17:21:24 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA23123; Wed, 20 Jun 90 17:21:12 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa22992; 20 Jun 90 16:17 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:30:56 BST 
Message-Id:   <$TGWGCZNQBTNK at UMPA>
Subject:      Virus-L vol 0 issue #1012



Virus-L Digest Wed, 12 Oct 88, Volume 0 : Issue #1012

Today's Topics

Re: c
Help with Brain virus wanted
Announce w/o Panic
** no subject, date = Wed, 12 Oct 88 10:10:00 EDT
nVir?
Re: NY student
Macintosh viruses and countermeasures
Bostb be Evill
Re: Brain virus! HELP!
Re: NY student
Brain virus help....
Re: Bostb be Evill
Thanx and one more question...
Global Board
Re:  Global Board
The "Brain" virus from an ARC file
re: re: NY Student
Re: Global Board
Re: NY student
Conference Attendance
networks

------------------------------

Date:         Wed, 12 Oct 88 08:50:51 EDT
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: c
In-Reply-To:  Your message of Tue, 11 Oct 88 15:07:00 EDT

> We are wondering how to inform the user-community without panic. Any ideas?

Assuming that you have a fix for the virus, then you could start by placing
warning messages and signs on any/all of your mainframes (system bulletins)
and in all of your public micro labs. The signs  should  inform  the  users
that  there is a virus, what harm (if any) the virus can do, and how to get
rid of it. Then, make the fix readily  available  to  all  of  your  users.

That's basically what we did here at  Lehigh  after  some  of  our  student
consultants  discovered  a virus last Fall. System bulletins were issued on
all the mainframes, and large, bright signs were placed in prominent places
in all of the microlabs. A program to remove the virus was  distributed  to
all  of the labs, and made available for download on all of the mainframes.
Users who were unsure how to get/run the fix program  were  told  to  bring
their  floppy  disks  to one of our sites, where a student consultant would
run the fix program for them, and show them how to run  it  on  their  hard
drives.  Finally,  I sent a message out on the ADVISE-L forum warning other
sites about the virus, in  case  it  were  to  spread  outside  of  Lehigh.

Any other ideas or suggestions? Ken

Kenneth R. van Wyk                   Calvin: I can't stop this bike, help!
User Services Senior Consultant      Hobbes: Turn into a gravel driveway and
Lehigh University Computing Center           fall!  Quick!
Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Screeeech!  Boom!  :-(
BITNET:   <LUKEN@LEHIIBM1>           Hobbes: I didn't think you'd listen to me!

--------------------

Date:         Wed, 12 Oct 88 08:26:00 EDT
From:         the Preserver <VISHNU@UFPINE>
Subject:      Help with Brain virus wanted

EDU%"luken@SPOT.CC.LEHIGH.EDU"      "Ken van Wyk" writes:

>> An original (unmutated) Brain virus either disassembled or on disk.
>> Any mutated forms of the above mentioned virus, disassembled or on disk.
>> Any noted behaviors of the Brain virus and its progeny.
>> Any suggestions on possible remedies.

>There were some pretty good descriptions (etc.) of the Brain here on
>VIRUS-L over the summer (May and/or June, if memory serves me
>correctly).  You might want to start by perusing through the archives.

I am already doing that. However, we here at CIRCA do  not  want  to  spend
time reinventing the wheel while this (supposedly) benign virus sweeps over
campus.  In  order to minimize the damage done, we would greatly appreciate
anyone sharing their previous work with us.

>I don't recall hearing anything about PKARC being a carrier of the
>Brain virus (which only infects boot sectors).  Unless anyone else has
>more info on this, I assume that it's an unfounded rumor.  Please,
>lets not turn VIRUS-L into a place to (even accidentally) start
>rumors. Ken

What I meant to say is this. The virus spread to us from a local BBS  which
had  an  arced file which when unarced released the initial Trojan that set
the Brain up. Anyone else heard of this? Or are we the victims of  a  local
virus hacker? (not surprising)

Les Hill
vishnu@ufpine.bitnet            postmast@ufpine.bitnet
vishnu@pine.circa.ufl.edu       postmaster@pine.circa.ufl.edu
CIRCA consulting, UF

--------------------

Date:         Wed, 12 Oct 88 09:59:54 EDT
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Announce w/o Panic

Since the nVIR virus is a Mac virus, I suggest you also provide Vaccine  to
the  persons  involved  and make up a big poster showing the Vaccine dialog
with a message reading "HAVE YOU SEEN THIS DIALOG?" along with what to  do,
who  to see, and assurances that it is (relatively) easy to fix. --- Joe M.

--------------------

Date:         Wed, 12 Oct 88 10:10:00 EDT
From:         "Shawn V. Hernan" <VALENTIN@PITTVMS>

Hello, Just yesterday we discovered 'nVIR' here, and now we have  something
I've never heard of. Does this look familiar to anyone: We used Virus Rx to
check a program for the nVIR virus and found this:
_________________________
Invisible files and INITs embedded in system files
@#$% FILE----Bostb Be Evill--------:
________________________________________
Warning: Files are too new. *
ZSYS MACS--------System----------:
________________________________________
SUMMARRY: Invisible Files & Questionable INITs: 1
*One or more questionable files were found.   *
*These don't seem to be of immediate concern. *
*You may wish to check their resource forks.  *
*Relax for now but run this program again later.  *

The file 'Bostb Be Evill' has us somewhat concerned. Anyone know what  this
might be?
Shawn Hernan, Valentin@pittvms, University of Pittsburgh

--------------------

Date:         Wed, 12 Oct 88 10:43:00 EDT
From:         Mann muss immer alles umkehren <PGOETZ@LOYVAX>
Subject:      nVir?

So what's the nVIR virus?

--------------------

Date:         Wed, 12 Oct 88 10:59:00 EDT
From:         Hugh Pritchard/Catholic U of America Computer Ctr <PRITCHARD@CUA>
Subject:      Re: NY student

Bernie <BSWIESER@UNCAMULT> writes, jocularly,

> Ps.  The admin.  at Albany should have hired that student as a security
> consultant!  :-) .

People who stumble  upon  holes  in  security,  or  who  malevolently  take
advantage  of  other users' naivete, gullibility, or trust HAVE BY NO MEANS
displayed  any  qualifications  as  any  sort  of  "security   consultant".
/Hugh Pritchard,          |on BITNET:   PRITCHARD@CUA
Senior Systems Programmer |on INTERNET: PRITCHARD%CUAVAX.DNET@NETCON.CUA.EDU
                          |     or      PRITCHARD%CUA.BITNET@CUNYVM.CUNY.EDU
The Catholic University of America Computer Center  (202) 635-5373
Washington, DC 20064, USA
Disclaimer:  My views aren't necessarily those of the Pope.

--------------------

Date:         Wed, 12 Oct 88 11:56:26 EST
From:         Joe Simpson <JS05STAF@MIAMIU>
Subject:      Macintosh viruses and countermeasures

There is an excellent article on the common  Macintosh  viruses,  including
detailed  descriptions  of  how  they  work,  can be identified, and can be
eradicated.  The  article  also  attempts  to  put  the  virus  issue  into
appropriate  perspective  and, in my opinion, succeeds. As a bonus, social
and legal issues are covered. My congratulations to  a  remarkable  author!
MacWorld, November 1988, "Mad Macs", Suzanne Stefanac, pp. 93-101.

--------------------

Date:         Wed, 12 Oct 88 13:14:06 EDT
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      Bostb be Evill

About 2 months ago there was an outbreak of this sort  elsewhere.  I  don't
recall  where,  but  it's  in  the  VIRUS-L  archives. Which brings me to a
question: How do you grab VIRUS-L archives? - Jeff Ogata

--------------------

Date:         Wed, 12 Oct 88 11:23:27 CDT
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Brain virus! HELP!
In-Reply-To:  Message from "the Preserver" of Oct 11, 88 at 1:28 pm

>Hi guys. Guess what? You guessed!
>UF has finally contracted a PC virus.
>I would like to ask the readers of this list to please send any useful

Ok I give up. Who or what is UF? We must all be aware that this is a global
board, and that not all of us are on the same campus, or even in  the  same
country.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Wed, 12 Oct 88 13:18:12 EDT
From:         Ed Nilges <EGNILGES@PUCC>
Subject:      Re: NY student
In-Reply-To:  Message of Wed, 12 Oct 88 10:59:00 EDT from <PRITCHARD@CUA>

>Bernie <BSWIESER@UNCAMULT> writes, jocularly,

>> Ps.  The admin.  at Albany should have hired that student as a security
>> consultant!  :-) .

>People who stumble upon holes in security, or who malevolently take
>advantage of other users' naivete, gullibility, or trust HAVE BY NO
>MEANS displayed any qualifications as any sort of "security consultant".

I heartily agree, yet  in  spite  of  Mr.  Chi's  recent  posting  on  this
brouhaha,  I  still  believe  that  the  student's punishment was cruel and
unusual. Mr. Chi revealed that the student's primary concern seemed  to  be
that  his  own  directory was threatened by the virus. However, the student
doubtless knew that if he revealed his behavior to the systems manager,  he
would  probably  lose  the  account  anyway.  The wording of his confession
"something terrible has  happened"  reveals,  to  this  writer,  an  honest
remorse and desire to fix the problem.

No, the student should NOT be hired as a security consultant.  But  neither
is  it  ethical  or  fair to make him a nonperson. Community service, and a
course in business and scientific ethics, seem to be the  ticket  here.  It
still  appears  that the student's case appeared at exactly the wrong time,
right after a TIME magazine article which, although reasonably accurate and
well-researched, spread fear among non-programming computer users as to the
safety of their files. The  case  also  sets  a  bad  precedent,  for  real
programmers  will  be at risk if ethics and law do not discriminate between
honest mistakes, negligence, and malice. Imagine losing  your  job  over  a
bug...who  said it, in Shakespeare's King Lear, "use every man according to
his deserts, and who should 'scape whipping?"?

Disclaimer: these views  are  mine,  and  do  not  represent  those  of  my
employer.

--------------------

Date:         Wed, 12 Oct 88 14:04:00 EDT
From:         the Preserver <VISHNU@UFPINE>
Subject:      Brain virus help....

I thought everyone knew, UF is the University of Florida :->
Les  vishnu@ufpine.bitnet

--------------------

Date:         Wed, 12 Oct 88 14:17:58 EDT
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: Bostb be Evill
In-Reply-To:  Your message of Wed, 12 Oct 88 13:14:06 EDT

> How do you grab VIRUS-L archives?

As described in my monthly  announcement,  you  can  get  the  archives  by
sending   mail   to   LISTSERV@LEHIIBM1.  Please  do  *not*  send  this  to
VIRUS-L@LEHIIBM1! In the  message,  put  any  of  the  following  commands:

HELP            - gives you some info on using the LISTSERV.
INDEX VIRUS-L        - lists the files available on the LISTSERV.
GET filename filetype    - sends the requested file to you via e-mail.

The archive files are in the following format:

VIRUS-L LOGyymmw

where yy is the year (88), mm is the month (05, 06, ...), and w is the week
(A, B,...). For example, VIRUS-L LOG8809A contains the first  week's  worth
of  conversations in September, 1988. Note that there's a space between the
filename and filetype,  not  a  period  like  in  most  operating  systems.
Ken

Kenneth R. van Wyk                   Calvin: I can't stop this bike, help!
User Services Senior Consultant      Hobbes: Turn into a gravel driveway and
Lehigh University Computing Center           fall!  Quick!
Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Screeeech!  Boom!  :-(
BITNET:   <LUKEN@LEHIIBM1>           Hobbes: I didn't think you'd listen to me!

--------------------

Date:         Wed, 12 Oct 88 14:42:00 EST
From:         ACS045@GMUVAX
Subject:      Thanx and one more question...

Thanx to all of you who  sent  me  the  Conference  info....now  if  you'll
indulge  me  one  more question...how close is the Allentown Holiday Inn to
all of this?? I couldn't afford the Sheraton and wasn't willing to  take  a
chance on any of the local hostelries so that's where I'm going to be. Also,
if  there's  anybody  else  from Virginia going drop me a mail message...my
ride just pulled out from going and so I'm trying  to  work  out  alternate
transportation, etc. (I'll  be  there  on  Friday...I've  put  too  much
aggravation into this to give up now :>) ---Steve

--------------------

Date:         Wed, 12 Oct 88 13:28:00 CDT
From:         Ken  De Cruyenaere   204-474-8340 <KDC@UOFMCC>
Subject:      Global Board

   >Ok I give up. Who or what is UF?  We must all be aware that this is a
   >global board, and that not all of us are on the same campus, or even
   >in the same country.

Good point! While we're at it, who or what is UTEP??
Ken De Cruyenaere   Computer Security Coordinator
University of Manitoba - Winnipeg, Manitoba, Canada

--------------------

Date:         Wed, 12 Oct 88 15:34:41 EDT
From:         "Mark F. Haven" <MHQ@NIHCU>
Subject:      Re:  Global Board

>Date:         Wed, 12 Oct 88 13:28:00 CDT
>From:         Ken  De Cruyenaere   204-474-8340 <KDC@UOFMCC>
>Subject:      Global Board
>
>>Ok I give up. Who or what is UF?  We must all be aware that this is a
>>global board, and that not all of us are on the same campus, or even
>>in the same country.
>Good point!  While we're at it, who or what is UTEP ??

UTEP is a BITNET address for the University of Texas at El Paso
     Computer Center.
UF   is a common abbreviation for the University of Florida.

Given that this is a very international board it would  be  helpful  if  we
avoid abbreviations, no matter how common we think they are.

--------------------

Date:         Wed, 12 Oct 88 16:21:44 EDT
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      The "Brain" virus from an ARC file

That's very interesting! I've never heard of anyone  getting  it  that  way
before.  Are  you  sure  that's  what  happened? There is an ARC file going
around the boards that contains a binary dump of  the  "Brain",  but  you'd
have  to  take rather sophisticated conscious action to produce an infected
diskette from it. If there's really an executable (EXE or COM or...)  going
around that puts the "Brain" onto a diskette, I think we'd all like to hear
about it. Please go on! Dave Chess, Watson Research

--------------------

Date:         Wed, 12 Oct 88 16:46:00 CDT
From:         GREENY <MISS026@ECNCDC>
Subject:      re: re: NY Student

>> P.S. The admin.  at Albany should have hired that student as a security
>> Consultant :-).

> People who stumble upon holes in security, or who malevolently take
> advantage of other users' naivete, gullibility, or trust HAVE BY NO
> MEANS displayed any qualifications as any sort of "security consultant".
> /Hugh Pritchard

Personally, I think that they would have been much better off to simply put
the student on Disciplinary Probation, and then given  him  a  job  in  the
computing  center  as  a  consultant. That is probably what the student was
looking for in the first place, and by his own admission that  he  wrote  a
virus  which  escaped -- he proved that he does have some responsible bones
in his body. If he didn't, then he could have simply claimed  that  a  rogue
hacker  got  into  his account, and proliferated a viral program to get him
into trouble -- and no one would have probably been able to prove a  thing.

Several years ago, I was introduced to the UNIX system here  at  my  campus
and  quickly grew to love it -- the brevity of the commands made it a dream
for someone like me who despises "user friendly" interfaces who assume that
you really don't want to do something that you went to the trouble  to  key
in. UNIX doesn't bug ya with annoying messages. Also, it is very secure if
set  up  in  the  proper manner....however, several years ago, I accidentally
discovered a bug one day when I performed a  shell  escape  from  MAIL  and
created a temporary message to send to a colleague....the file I created was
owned  by  ROOT (not my account...) and from this it was relatively easy to
obtain superuser status on the machine. I went to  the  system  admin.  and
informed  him of this bug. We quickly became friends as he saw that I was a
responsible individual, and he made the offer to me that "if I ever  wanted
superuser  status  for  *ANY*  reason, that he would give it to me...", but
that he would appreciate it "if I were to ask for it, and not  simply  take
it, because if someone got into my account, then it could create havoc...".
This  request  was simple, and I have lived with it for a long time. We are
still friends, and when I come across a bug or a sec. hole, I tell him. But
if I had been fined $2K, suspended, and whatever else,  then  you  can  bet
that the university would be having some severe problems with getting me to
stop  spreading  information  about  all  of  the  bugs.....First Amendment
rights would probably protect me enough so that  I  could  produce  a  "For
Informational  Purposes Only" newsletter about the computing bugs....and as
we all are well aware of -- accounts are VERY easy to come by.
- --
Moral of this dialogue?: Simple really, when you find a hacker --  befriend
him/her/it  and  try  to use it to *YOUR* advantage. Besides, if the hacker
could program well enough to get in, why not hire the  hacker...the  hacker
has proven his/her/its capabilities already, and to not utilize them to the
fullest would be foolish...
....*flame off* -- mellow out and give the guy a second chance...
Bye for now but not for long
Greeny
Bitnet: miss026@ecncdc
Internet: miss026%ecncdc.bitnet@cunyvm.cuny.edu
Disclaimer: #include<std_legal_mumbo_jumbo.h>
P.s. I definitely know what school I'm *NOT* going to continue my graduate
     studies at... :->

--------------------

Date:         Wed, 12 Oct 88 16:04:09 EDT
From:         Jim Marks <JMARKS@GTRI01>
Subject:      Re: Global Board
In-Reply-To:  Message of Wed, 12 Oct 88 13:28:00 CDT from <KDC@UOFMCC>

In reply to question about UTEP... How did that come up?

Anyway, UTEP stands for University of Texas at El Paso (I guess that's what
you mean). This is as opposed to the University of Texas at Austin,  or  UT
for  short, which is also short for University of Tennessee (at Knoxville).
Which is probably why what Ken said makes a lot of sense. After  all,  here
in  the  Southeast,  USC  often  means  Univ.  of  South Carolina, while in
California it means something else. We're quite often overassuming (is that
a word?) on here. If in the slightest doubt (and this doesn't just  go  for
college names), spell it out.
Jim Marks
Georgia Tech Research Institute (GTRI)
Georgia Institute of Technology (GIT or GT...)

--------------------

Date:         Wed, 12 Oct 88 14:43:52 MDT
From:         Douglas James Martin <USERDJMA@UALTAMTS>
Subject:      Re: NY student

> The wording of his confession "something terrible has happened"
> reveals, to this writer, an honest remorse and desire to fix the problem.

Maybe I misunderstood the previous postings, but it sounded to me like  the
virus 'got away' while evidence of the author remained in it. On that basis
my immediate suspicion would be that the author knew he would be caught and
hoped  that by coming forward he might reduce the unavoidable consequences.
It doesn't sound to me like there was any "honest mistake" involved; he WAS
working on a Trojan Horse (at least, according to  these  postings),  which
just  happened  to  go  off  before  he  planned  it  to.  I don't have the
information to say whether I'd be in favour of indefinite suspension, since
there isn't enough detail given about what the  Trojan  Horse  did  to  its
"recipients",  but  I'd  almost  certainly  be in favour of cutting off the
guy's computing access.

--------------------

Date:         Wed, 12 Oct 88 17:22:00 MDT
From:         LYPOWY@UNCAMULT
Subject:      Conference Attendance

Is  there  anyone  else
(on  this list) from Canada who is planning on attending the upcoming virus
conference? (Send me E-Mail...don't reply to this message or the list  will
be full of mail that not everyone needs to wade through :-) ).
Greg Lypowy (LYPOWY.UNCAMULT.BITNET)
P.S.  I'm just curious really!

--------------------

Date:         Wed, 12 Oct 88 22:06:00 EDT
From:         "Shawn V. Hernan" <VALENTIN@PITTVMS>
Subject:      networks

Does anyone know for sure whether  the  'nVir'  virus  can  spread  over  a
network?  Specifically  appleshare  and  TOPS?  That  is, if I'm running an
application from a file server, is the floppy in  my  machine  at  risk?  I
suspect  yes, but some Macintosh folx I know think otherwise. (They are not
familiar with viruses at all.) Any help is appreciated.
Shawn V. Hernan, Valentin@pittvms, University of Pittsburgh

--------------------

*** end of Virus-L issue ***
