From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:31:16 BST 
Message-Id:   <$TGWGCZNQBTNQ at UMPA>
Subject:      Virus-L vol 0 issue #1013



Virus-L Digest Thu, 13 Oct 88, Volume 0 : Issue #1013

Today's Topics

Re: networks
Wang/VS Virus
(Mac) Networks and Virus Spread
Help!
RE: NY Student
RE: NY Student
Re: networks
RE: NY Student
Bank Street Righter

------------------------------

Date:         Thu, 13 Oct 88 08:59:46 EDT
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      Re: networks
In-Reply-To:  Message of Wed, 12 Oct 88 22:06:00 EDT from <VALENTIN@PITTVMS>

None of the Mac viruses now known can actively transfer across  a  network.
If you run a program on a server which is infected, that program can infect
your  machine.  However,  if your machine is infected, it cannot infect the
server. The program MUST be run on the target system to infect  it.  Clear?
:-) ---Joe M.

--------------------

Date:         Thu, 13 Oct 88 13:51:13 EST
From:         Neil Goldman <NG44SPEL@MIAMIU>
Subject:      Wang/VS Virus

No, I am  not  currently  aware  of  any  Wang/VS  viruses,  however  I  am
interested to know if anyone has seen or heard of any. Thanks.
Neil A. Goldman                        NG44SPEL@MIAMIU.BITNET
Replies, Concerns, Disagreements, and Flames expected.
Mastercard, Visa, and American Express not accepted.

--------------------

Date:         Thu, 13 Oct 88 16:04:01 EDT
From:         Joe McMahon <XRJDM@SCFVM>
Subject:      (Mac) Networks and Virus Spread

Gene Lott <GENEL@UNMB> has pointed out to me how a file server could infect
a number of other machines. He is absolutely correct - an  infected  server
will  allow  you  to  infect your machine if you run any of its software on
yours. Also, if a user with write access to the  server  is  infected,  the
server can become infected.

The AppleTalk networks I was thinking of  were  in  general  simpler  ones,
without  file  sharing  or  servers  - a typical two-Macs-and-a-LaserWriter
setup. In this case, the known viruses will  not  spread  from  machine  to
machine, because they are unable to use AppleTalk themselves to propagate -
they must be carried by driver (vector? :-) ) software.
- - Joe M.

--------------------

Date:         Thu, 13 Oct 88 17:46:00 EST
From:         The CAEC managers <CAEC@VUVAXCOM>
Subject:      Help!

To Everyone: Help! My name is Tom Kurke, and I am a consultant at Villanova
University... apparently we have been infected by some kind of "virus"
"trojan-horse" or something.... Let me give you the information that I know
now. Apparently, when using Bank Street Righter, (in our micro-labs,  using
floppy disks with hard disk access... dos is on the hard disk), Bank Street
Righter corrupts the information on the data disk- namely, all of the files
are  still  on  the disk (they haven't been written over), but there are no
directory entries for them. Stranger than that, if you use Norton to peek
at the FAT sectors and the DIR sectors, you find that in almost all cases a
file  has  been  saved  in  the DIR area, either in sector 12 or sector 14,
areas reserved specifically for directory information. Also, when trying to
call the files up using Bank Street Righter, an "@" appears  in  the  upper
right  hand  corner,  or  a date like 6/11/88. Any information that you can
provide me about this would be greatly appreciated. I am not one who  knows
much about Bank Street Righter- nor how it saves files, but does this sound
like  a viral attack or just a hacker doing something to corrupt our copies
of Bank Street Righter? Any information that you can provide me  with  will
be greatly appreciated... thank you!
Sincerely,
       +               +            *  Tom Kurke
       |               |      V     *  Consultant
      | |      +      | |     I U   *  Computer Aided Engineering Center (CAEC)
      | |      |      | |     L N   *  College of Engineering
     |   |    / \    |   |    L I   *  Villanova University
     |   |    | |    |   |    A V   *  Villanova PA, 19085
     |   |   /   \   |   |    N E   *
    I-----I /     \ I-----I   O R   *  NuclearTHREATNet:  Villanova.Bomb
    |     |/       \|     |   V S   *  Bitnet: CAEC@VUVAXCOM
    |     |---------|     |   A I   *  UUCP: ...!vu-vlsi!excalibur!CAEC
    |     |         |     |     T   *  MA-BellNet: (215) 645-7360
    |     |         |     |     Y   *  Home of the Wildcats!
    |     |         |     |         *
    |     |         |     |         *  A standard disclaimer applies to anything
    -----------------------         *  that I may have blabbed about above-- the
                                    *  views I have expressed are solely mine,
UNIVERSITY COMPUTING                *  not the University's... come to think of
           AND                      *  it,if that EVER happened that would be a
        INFORMATION SERVICES        *  strange coincidence indeed!!!  ;-)
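
The symptom reported above (file contents found in sectors reserved for directory information) can be checked mechanically. The following is an added example, not part of the original digest: a heuristic that tests whether a sector read from the directory area still parses as 32-byte DOS FAT directory entries. It assumes 512-byte sectors and the standard FAT entry layout; the function names and the sample sectors are constructed for illustration.

```python
import string
import struct

ENTRY_SIZE = 32
SECTOR_SIZE = 512
# Bytes allowed in a DOS 8.3 short name (space is the padding character).
NAME_BYTES = set((string.ascii_uppercase + string.digits + " !#$%&'()-@^_`{}~").encode("ascii"))

def entry_is_plausible(entry: bytes) -> bool:
    """Heuristic test of one 32-byte FAT directory entry."""
    name, attr = entry[:11], entry[11]
    if name[0] == 0xE5:              # deleted entry: first name byte replaced by a marker
        name = name[1:]
    if attr & 0xC0:                  # top two attribute bits are reserved and must be 0
        return False
    return all(b in NAME_BYTES for b in name)

def suspicious_entries(sector: bytes) -> list[int]:
    """Return byte offsets of entries that do not look like directory entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    bad = []
    for off in range(0, SECTOR_SIZE, ENTRY_SIZE):
        entry = sector[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:         # end-of-directory marker: DOS stops scanning here
            break
        if not entry_is_plausible(entry):
            bad.append(off)
    return bad

def make_entry(name83: bytes, attr: int, cluster: int, size: int) -> bytes:
    """Build a constructed entry; the time and date words are fixed sample values."""
    return struct.pack("<11sB10sHHHI", name83, attr, b"\0" * 10, 0x6000, 0x10CB, cluster, size)

# Constructed sample data, not taken from any real disk.
GOOD_SECTOR = (make_entry(b"LETTER  TXT", 0x20, 2, 1800)
               + b"\xE5" + make_entry(b"OLDFILE DOC", 0x20, 5, 900)[1:]
               ).ljust(SECTOR_SIZE, b"\0")
TEXT_SECTOR = (b"Dear Professor, my lab report follows. " * 14)[:SECTOR_SIZE]

if __name__ == "__main__":
    print("directory sector:  ", suspicious_entries(GOOD_SECTOR))
    print("overwritten sector:", suspicious_entries(TEXT_SECTOR))
```

A sector that yields many flagged offsets has probably been overwritten with file data; the check says nothing about whether a bug or deliberate tampering caused it.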

--------------------

Date:         Thu, 13 Oct 88 16:43:29 CDT
From:         Kevin Trojanowski <troj@UMAXC.WEEG.UIOWA.EDU>
Subject:      RE: NY Student

I agree that the punishment in this case WAS a bit severe. But, by the same
token, to give the student a job as a consultant, or security person  would
do  nothing  but  encourage  this kind of activity. Anyone wanting a job in
such a position would have to do nothing but hack their way into the system
somehow, and create a virus, or trojan horse. Far from productive, I think.
-Kevin Trojanowski
 troj@umaxc.weeg.uiowa.edu

--------------------

Date:         Thu, 13 Oct 88 18:22:09 CDT
From:         GARY SAMEK <C133GES@UTARLVM1>
Subject:      RE: NY Student
In-Reply-To:  Message of Thu,
              13 Oct 88 16:43:29 CDT from <troj@UMAXC.WEEG.UIOWA.EDU>

I would like to share a similar situation, as far as hiring a student who
is known to have done questionable activities on a computer. Back when we
had a DEC 2060, a high school student discovered that he could advise the
operator console from a batch file, an obvious security problem. He then
used the operator privs to discover the passwords for all of the privileged
accounts. We decided that the best move was to reset all of the passwords
for all of the accounts which became a very uncomfortable situation on the
entire campus. We were finally able to catch this individual the second
time he tried the same trick. Our user services manager had a talk with
this individual and felt that this person could be trusted since he was
only experimenting with a mainframe. This manager hired the student when
he began to attend classes at this university. The student was hired on as
a user assistant, a student worker who is available outside the hours of
8-5 for students unfamiliar with the use of computers. With this job he
was given an account with few resource restrictions, but no privs (at least
some intelligence had been shown up to this point). When the student was
promoted a year later to problem analyst, which is essentially a first
defense for staff members, he gained access to an account with limited
privs. The student then used these privs to begin to learn how to bypass
accounting records of his activities. The first time he was caught doing
this, this institution gave him a verbal slap on the hands, yet continued to
show their good will and trust by letting the situation end at that. The
student was again caught doing the activities as before when he had
unsuccessfully attempted to update his accounting records on all three of
the mainframes we had at the time. Finally, the student was brought before
a university review board and suspended for one year from this university.

In summation, it has been my experience that once someone is  let  off  too
easily  from a major offense, that this individual will be unable to find a
reason to discontinue his activities. He will only feel that it is more
exciting, and that he only needs to be a little more careful next time.
Thus, a feeble attempt in discipline may only lead to a potentially greater
risk in the future.

I apologize for the long letter, but this is a very embarrassing situation
for  the  university  and  those  of  us who maintain the computers for the
academic environment.

Disclaimer: These views are entirely from  my  own  viewpoint  and  no  one
else's. At the time of these activities, I was in no way responsible for
hiring and firing, nor was I responsible for the security or maintenance
of these mainframes.

Gary Samek
  Bitnet  C133GES@UTARLVM1
  Telnet  C133GES@UTARLG
  Arpanet C133GES@UTARLG.ARLINGTON.TEXAS.EDU

--------------------

Date:         Thu, 13 Oct 88 19:10:52 CDT
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: networks
In-Reply-To:  Message from "Joe McMahon" of Oct 13, 88 at 8:59 am

>None of the Mac viruses now known can actively transfer across a network.
>If you run a program on a server which is infected, that program can
>infect your machine. However, if your machine is infected, it cannot
>infect the server. The program MUST be run on the target system to
>infect it. Clear? :-)

That seems strange to me. It seems  that  in  any  system,  if  a  file  is
writable,  then a virus can write to it. Of course, if read-only status can
be enforced, then infection of the file can be prevented. Thus, only  if  a
server file is read-only, and NO code in the local machine can write to the
server, is the above true. Any comments?
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Thu, 13 Oct 88 21:12:00 EDT
From:         "Daniel M. Greenberg" <DMG4449@RITVAX>
Subject:      RE: NY Student

Gary Samek (C133GES@UTARLVM1) writes:

    > In summation, it has been my experience that once someone is let off too
    > easily from a major offense, that this individual will be unable to find
    > a reason to discontinue his activities.  He will only feel that it is more
    > exciting, and that he only needs to be a little more careful next time.
    > Thus, a feeble attempt in discipline may only lead to a potentially
    > greater risk in the future.

That is quite a strong generalization. Your experience with just one person
has condemned all. This might even be correct in a majority of  cases,  but
not always. Some people do learn from their mistakes. Oh, and by the way, I
think the fault was when the University didn't do anything to make him
realize it was serious the first time he tampered with the accounting. Just
in case you don't know, many past hackers work for  large  corporations  or
the government as informants on with security.
Daniel

--------------------

Date:         Thu, 13 Oct 88 21:04:03 PDT
From:         portal!cup.portal.com!dan-hankins@SUN.COM
Subject:      Bank Street Righter

Are you sure that's not Bank Street Writer? Anyway, it sounds to me like  a
perfectly  ordinary  bug  in the program. Contact the author or get another
copy of the program from a completely different source  (like  the  author)
and see if the two programs are the same size and behave the same way. Do a
DIFF  on  the two programs. If they are identical and both corrupt data, it
is most likely a bug. If they are different, then one of three things has
happened: you have a buggy file, a file which was corrupted during
transmission by line noise or a file which has been deliberately modified
to be hostile. The last of those is the least likely, and the first the
most likely. Most programs that trash data have bugs.
Dan Hankins

--------------------

*** end of Virus-L issue ***
