From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Wed, 20 Jun 90 16:38:08 BST 
Message-Id:   <$TGWGCZNQBTVK at UMPA>
Subject:      Virus-L vol 0 issue #1106


Virus-L Digest Sun, 6 Nov 88, Volume 0 : Issue #1106

Today's Topics

** no subject, date = Sun, 6 Nov 88 13:18:25 GMT
Getting Debrain.c
About the virus notices
Can the UNIX virus (or worm) spread onto Janet...
re: FTP and BITNET
Arpanet Virus

------------------------------

Date:         Sun, 6 Nov 88 13:18:25 GMT
From:         ZDEE676@OAK.CC.KCL.AC.UK

The unix sendmail virus got several columns in the Sunday  Times  newspaper
here  in  Britain. They claimed that in was caused by a 23 year old student
at Cornell University. They also said  that  the  virus  was  incapable  of
spreading  to  the  janet  network  used  in the UK due to "minor technical
differences". Any comments on the second part?
(John Burton) zdee67oak.cc.kcl.ac.uuk

--------------------

Date:         Sun, 6 Nov 88 13:47:00 CDT
From:         Gordon Keegan <C145GMK@UTARLG>
Subject:      Getting Debrain.c

For those who don't have access to a machine that  can  FTP  the  debrain.c
source,  I  can  send  a  copy  to  those who request it. I can also send a
uuencoded copy of the debrain.exe file if you  can't  compile  the  source.

                                        Gordon Keegan
                                        c145gmk@utarlg.bitnet
                                        University of Texas, Arlington

--------------------

Date:         Sun, 6 Nov 88 17:42:00 EDT
From:         Savior faire is everywhere! <SSIRCAR@UMAECS>
Subject:      About the virus notices

Can we get a little organized around here?  I have just received two messages
containing the same article from RISK.  This is the second or third time this
happenned.  We should just designate one person to forward all messages from
RISK concerning the virus.
                                -Santanu Sircar-

--------------------

Date:         Sun, 6 Nov 88 14:46:51 PST
From:         James Robert Dishaw <2JDISHAW@POMONA>
Subject:      Can the UNIX virus (or worm) spread onto Janet...

It really depends on how Janet is set up and  how  accesible  Janet  is  to
ARPANet.  From my basic understanding (since I haven't seen the source code
of the virus/worm), it could possibly happen. The infection does  not  seem
to  be  entirely  dependent  upon  the  network,  but  rather on the victim
machine. The virus/worm can infect two ways: Guess a password for  a  valid
userid  (in which it is network specific, because it would have to remotely
login) or use the debug hole in SMTP. The second case is pretty independent
from the network. My suggestion would be to make sure that if you are using
SMTP (or something similar) that the debug option is OFF. This might entail
recompiling in order to set the debug option off. -Bob,  Pomona  Consultant

--------------------

Date:         Sun, 6 Nov 88 22:54:00 EST
From:         Jim Shaffer <SHAFFERJ@BKNLVMS>
Subject:      re: FTP and BITNET

When I sent that message about being unable to FTP over Bitnet, I was
aware that there are some Bitnet sites that are also Internet sites, but
I forgot to mention it.

If your Bitnet machine isn't on the Internet also, it can't FTP.

Or have they started implementing TCP/IP over RSCS (as it's rumored that
they will someday), and not told me?  (This is unlikely, but I've learned
never to leave out any possibility.)

Jim

PS:  About TCP/IP over RSCS:  I heard a rumor to that effect back around
the beginning of the year, and I managed to get one or two people who I
believed were in a position to know to admit that it was "under study."
This is all they could tell me, and I've heard nothing since.  Anybody
out there heard anything?  (Note:  This was apparently NOT the "Cypress"
project that they were referring to.  Cypress is/was (I'm not sure on its
status) a proposal to provide NSFNet access from other networks like Bitnet
and CSNet.  Someone please correct me if I'm wrong, because I haven't heard
anything about it lately either.)

PPS:  Let's not keep this up on Virus-L, though.  If there's any substance
to the rumors, it belongs over on Future-L, which was where I was told
that the plans were once discussed.  For the time being, please mail
anything on the subject directly to me.

--------------------

Date:         Sun, 6 Nov 88 18:31:00 EDT
From:         "Daniel M. Greenberg" <DMG4449@RITVAX>
Subject:      Arpanet Virus

Following is an article re-printed from the Rochester Democrat & Chronicle
State/Nation Section A pp.23-24, Sunday, November 6, 1988.

SINGLE PROGRAM ERROR MADE 'VIRUS' MULTIPLY
Big computer jam horrified creator

[The New York Times and The Associated Press]

Robert Tappan Morris  Jr.  spent  many  weeks  painstakingly  creating  the
computer  "virus"  that  beleaguered many of the nation's computer networks
Wednesday night and Thursday.

By all accounts the 23-year-old computer science student intended no  harm.
But  in  the  end, working with great intensity and little sleep, he made a
single programming error that ultimately jammed more than 6,000  computers,
including  some  at  the University of Rochester. That mistake also brought
Morris' life crashing down around him, three friends have told The New York
Times.

He quickly recognized that things had gone terribly wrong and arranged  for
a friend to send out instructions on eradicating the virus to the computers
plagued  by  it.  But  the  instructions  were  electronically  posted in a
bulletin board where few would see them. Then he turned himself in  to  his
father,  Robert  T.  Morris  Sr.,  one  of  the government's top experts on
computer security. The first-year Cornell University graduate  student  was
not available for comment yesterday. But those who knew him as a student at
Harvard,  where  he  earned  his  undergraduate degree in computer science,
paint a picture of a remarkably bright but private  person.  Professors  at
Harvard  and  Cornell  said  Morris  was  not malicious, stressing that the
program could have been easily modified to destroy data.

Morris' father, Robert Morris Sr., 56, worked for many years at AT&T's Bell
Labs in New Jersey. He helped develop the Unix operating system, which  was
the  target  of  his son's virus. Two years ago, the elder Morris left Bell
Labs and went to work as the chief  scientist  for  the  National  Computer
Security  Center, the division of the National Security Agency that focuses
on computer security.

A student who is friends with Morris Jr. said that when he  discovered  the
flaw  that  would  let  him  secretly enter Unix computers connected to the
Arpanet, a Department of Defense  computer  research  network,  he  was  so
excited  that  he  literally  jumped  on the friend's desk. This friend and
others said Morris' original vision was to spread  a  tiny  program  widely
throughout  the United States and internationally and have it secretly take
up residence in the memory of each computer it  entered.  The  program  was
supposed  to  slowly  propagate,  always hiding in the background to escape
detection. However, because  the  young  computer  expert  chose  a  single
incorrect number, and that number bore directly on the rate of replication,
the  virus  instead  sped  madly  out  of  control  creating dozens or even
hundreds of copies on each machine it entered  rather  than  the  one  copy
originally  planned.  Morris  learned  of  his  replication error through a
monitoring mechanism he had built into his  program.  In  trying  to  alert
people  to  the virus after discovering his error, Morris had a friend post
detailed instructions on how to disable it, but  the  electronic  "bulletin
board"  he  chose  for posting was an obscure one, the friend who posted it
said. Yesterday at Harvard, from which Morris graduated  last  spring,  his
professors were shocked that he undertook the project.

"What surprises me about this is that it cuts across the grain of  Robert's
personality,"  said  Mark  Friedell,  the  assistant  professor of computer
science who was the young student's advisor for three years.  "He  probably
got scared and froze; he could have stopped it."

University officials also were  unable  to  contact  him,  Lynn  said.  His
parents  obtained  an  attorney  and was planning to meet shortly with U.S.
Justice Department officials. Cornell officials said they  began  examining
Morris'  computer files Friday night after The Times identified him. Morris
had passwords in his files "for some computers at Cornell and  Stanford  to
which  he  is not entitled," although those could have been placed there by
someone else, Lynn said. A computer file dated Oct. 26 found  in  Cornell's
system  yesterday  is  the  earliest  indication  that Morris may have been
writing the  program  that  spawned  the  virus,  Lynn  said.  The  creator
"apparently  found  a  gaping  hole  in  the  system that I'm amazed no one
exploited before," Cornell instructor Dexter Kozen said. While the loophole
in the  system  was  not  evident  before  the  virus  was  unleashed,  "in
retrospect, it's really quite obvious."

Morris' father, Robert Morris  Sr.,  a  top  government  computer  security
expert,  refused  to comment on whether his son concocted the virus. But he
said the episode may prevent a serious security breach in the future. "It's
going to be remembered for a long  time,"  said  the  elder  Morris,  chief
scientist  at the National Computer Security Center in Bethesda, Md. "And I
think we'll see a substantial improvement in the way computers and networks
are administered." Morris also said he felt ambivalent about the  incident.
"I'm  close to this in two ways," he said. "I myself am a computer user but
I'm also a father. That makes it  difficult  to  separate  the  two  roles,
although,  of  course,  they  have  to  be  separated."  Morris  said he is
convinced the virus was unleashed accidentally.  "It  seems  there  was  no
malicious  intent  involved.  No  harm was intended or actually done in the
host computers, other than overload,  and  that  appears  to  be  a  design
error," he said.
-=-=-
That was the entire article.  I thought you might find it interesting.
Daniel M. Greenberg -=- Rochester Institute of Technology '92
US MAIL    : CPU #1026  25 Andrews Memorial Dr.  Rochester, NY  14623
BITNET     : DMG4449@RITVAX
INTERNET   : dmg4449%ritvax.bitnet@CORNELLC.CCS.CORNELL.EDU
UUCP       : {psuvax1,mcvax}!ritvax.bitnet!dmg4449
Compuserve : 71641,1311 | GEnie : D.GREENBERG2 | PHONE : [716] 475-4295

--------------------

*** end of Virus-L issue ***