Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA04619; Wed, 20 Jun 90 17:38:26 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA07282; Wed, 20 Jun 90 17:38:24 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA23705; Wed, 20 Jun 90 17:38:05 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa23906; 20 Jun 90 16:38 BST From: Anthony Appleyard To: DAVIDF@cs.heriot-watt.ac.uk Date: Wed, 20 Jun 90 16:38:52 BST Message-Id: <$TGWGCZNQBTVV at UMPA> Subject: Virus-L vol 0 issue #1108 Virus-L Digest Tue, 8 Nov 88, Volume 0 : Issue #1108 Today's Topics VIRUS on ARPA net UK VIRUS Re: nVIR virus Macintosh "worms" Application -- is this a virus? SPELLING ( was Re: Please! ) Re: About the virus notices Re: MILNET/ARPANET Virus TEST RE: TEST RE: TEST Re: About the virus notices Internet Worm Oops! Virus is Latin ARPANET accountability RE: Macintosh "worms" Application -- is this a virus? Re: Please! CVIA ------------------------------ Date: Tue, 8 Nov 88 08:58:00 MET From: GERT LOKHORST Subject: VIRUS on ARPA net Cliff, A final report on the ARPAnet virus is of interest to us all. Do not mail the results of your inquiry to the respondents only. Gert Lokhorst |\ |*| |*| _ BITnet : LOKHORST@HWALHW50 |*| /*\ DECnet : LUWRVD::LOKHORST |*|/* *| PSI/X25 : (0204)18370060638::LOKHORST |***/|*| /\ Phone : (+31)08370-83785 \*/ |*| /*/ Agricultural University, |*|/*/ Wageningen,The Netherlands |***/ \*/ -------------------- Date: Tue, 8 Nov 88 12:13:49 GMT From: ZDEE731@ELM.CC.KCL.AC.UK Subject: UK VIRUS Apart from the PC virii, UK computers seem to be more secure to VIRII due to good housekeeping and minor technical difficulties However this may also be due to the fact that British kids don't have the same intelligence as American ones. -------------------- Date: Tue, 8 Nov 88 08:50:01 EST From: Sean T Montgomery Subject: Re: nVIR virus In-Reply-To: Message of Mon, 7 Nov 88 16:07:53 PST from In reply to Sam Cropsey's questions about nVIR: the strains of nVIR which we've run into here have only infected the System, Finder and application files on an infected Mac, no DA's in the sense that using Font/DA Mover would spread the infection. Someone correct me if I'm wrong. As far as getting rid of nVIR, it's a good deal easier to use the Init known as KillVirus (available in various electronic places, including MACSERVE on BITNET). This Init installs a tiny nVIR resource with ID=10 in the System ( this resource is NOT infectious). The author of nVIR included a back door in the program: if nVIR "sees" the nVIR ID=10 resource, it cleanly removes itself from the infected system or application. This should be easier than the explicit coding, etc. suggested in the MacTutor article, though not as much fun! ;-) Sean -------------------- Date: Tue, 8 Nov 88 10:02:51 -0500 From: bukys@CS.ROCHESTER.EDU Subject: Macintosh "worms" Application -- is this a virus? I am not a Mac user, so please forgive any lapses in terminology. A local Mac user tells me that he recently discovered a new application on his disk, called "worms". Running it pops up a little display with worms crawling around on it. He doesn't know where it came from. He claims that he does not share disks with people. He is connected to an AppleTalk network, which is connected to a FastPath. Now, in light of the Internet Worm, he's feeling suspicious about this Macintosh Worm of unknown origin. Is it possible that it's a virus? Has anyone else seen this application? -------------------- Date: Tue, 8 Nov 88 09:33:58 EST From: Iris Tennenbaum Subject: SPELLING ( was Re: Please! ) In-Reply-To: Message of Mon, 7 Nov 88 09:16:53 EST from >What's all this about virii? "Virii" is the plural of "virius." If you >mean more than one virus, try "viruses" or, if you must, "viri." Viruses is the correct spelling. And viricide or virucide is the correct word for antidotes for viruses. VIRICIDE - an agent that destroys or inactivates viruses VIRUCIDE - spelling variation of viricide. -------------------- Date: Tue, 8 Nov 88 09:22:26 CDT From: Len Levine Subject: Re: About the virus notices In-Reply-To: Message from "VIRUS-L@LEHIIBM1.BitNet" of Nov 7, 88 at 4:23 pm >I must appologize, my message APPEARED later than the rest (at least it >did to me), but I sent it on wednesday or so. I guess the delay in >getting messages from here in Canada down to Bethlehem (Lehigh really) >is greater than from other areas. As far as Risks submissions go, I (as >many of you are I am sure) am a subscriber to the Risks Digest List, and >I would be willing to take on the responsibility of posting anything >from Risks that I feel in some way relates to Virus-L. Big deal, so we saw several copies of the same message during an event that was of significance to us. I would rather see the several copies than have to wait for the "official" copy that would be sent by one person who might be busy or unavailable. If we need organization let us join a political party, I prefer an excess of information. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -------------------- Date: Tue, 8 Nov 88 09:17:54 CDT From: Len Levine Subject: Re: MILNET/ARPANET Virus In-Reply-To: Message from "Christian J. Haller" of Nov 7, 88 at 11:44 am >anonymous phone calls from his friends.) He is a nice person, we know >from acquaintances: sings in the choir, for example. I suppose the >Cornell administration cannot possibly let him get away without some >kind of official punishment, but I for one don't think he deserves a >very severe one. The cost of restitution alone would be enormous if >he had to reimburse people for some fraction of the time they have spent >cleaning up, not to mention discussing the matter! Of course he should pay the cost of fixing up the mess. If a black kid in the ghetto had painted up some walls, as a means of self expression and to show us all how vulnerable we are, then he would be expected to make restitution, why not this child of education and culture? If he is an adult then he is responsible for what he does, if not then we should put him somewhere where he cannot harm himself or others. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -------------------- Date: Tue, 8 Nov 88 13:08:19 GMT From: ZDEE731@ELM.CC.KCL.AC.UK Subject: TEST -------------------- Date: Tue, 8 Nov 88 13:13:44 EST From: "David A. Bader" Subject: RE: TEST Excuse me, but would it be too much to ask if you could take your garbage elsewhere? I am sure that most people do not want ascii pictures sent to them through VIRUS-L -David Bader DAB3@LEHIGH -------------------- Date: Tue, 8 Nov 88 13:44:03 EST From: Ken van Wyk Subject: RE: TEST In-Reply-To: Your message of Tue, 8 Nov 88 13:13:44 EST > Excuse me, but would it be too much to ask if you could take your > garbage elsewhere? I am sure that most people do not want ascii > pictures sent to them through VIRUS-L The problem has been taken care of; the user was removed from the list and asked not to return. Please, let's not perpetuate this any further. Thank you all for your cooperation in this. Ken Kenneth R. van Wyk Calvin: (hammer hammer hammer ...) User Services Senior Consultant Mom: Calvin, what are you DOING to the Lehigh University Computing Center coffee table?! Internet: Calvin: Is this some sort of trick BITNET: question? -------------------- Date: Tue, 8 Nov 88 12:34:28 PLT From: Wim Bonner <27313853@WSUVM1> Subject: Re: About the virus notices In-Reply-To: Message of Mon, 7 Nov 88 16:23:00 MST from Actually, Your supposition that if they can find who started the virus, it is a frame job, has got to be incorrect. Very few people have enough control over their ego to keep something that hits the national news a secret, let alone something that crashes the local system. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-= Lemmings never grow old, they just die. =-=-=-=-=-=-= Wim Bonner Bitnet:27313853@WSUVM1 Compuserve:72561,3135 (King-Rat) The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d -------------------- Date: Tue, 8 Nov 88 17:04:44 EST From: Joe Sieczkowski Subject: Internet Worm I've read the various accounts of the internet worm and there is one thing I am having trouble with. The worm took advantage of the fact that when sendmail is put in debug mode a remote shell command could be executed through it. I thought that even if sendmail is compiled with the debug option on, this was only possible if the local machine or user on the local machine knew the remote machines wizard password. Although I haven't analyzed the complete source, a cursory look at the source I have reveals the following lines: (Note: this is an older version, but I presume it's still set up in the same way.) - -------------------------------------------------------------------- char *WizWord; /* the wizard word to compare against*/ if (strcmp(WizWord, crypt(p, seed)) == 0) { IsWiz = TRUE; message("200", "Please pass, oh mighty wizard"); } else message("500", "You are no wizard!"); - -------------------------------------------------------------------- As part of the sendmail configuration file (sendmail.cf), typically you see the following line which is the encrypted password. - -------------------------------------------------------------------- # wizard's password OW* - -------------------------------------------------------------------- Since no encryption yield's "*", there should be nothing to worry about in this case. I have seen many config files that omit this or fail to set it. That could be a problem. According to all accounts though, sendmail in debug mode was letting anyone send a remote shell command. So was there a problem in the source, or was the problem lacking to set a wizard password when debugging was enabled? Joe -------------------- Date: Tue, 8 Nov 88 16:43:00 MST From: LYPOWY@UNCAMULT Subject: Oops! Virus is Latin Hi Gang, I must admit that I did not consult the Latin dictinary in my office before writing that last message. As David Chess astutely reminded me, the word virus is in fact Latin. It can mean either a slimy liquid or poison (especially the poison that comes from snakes). Read into these definitions what you may. A Somewhat red-faced Greg Lypowy -------------------- Date: Tue, 8 Nov 88 20:01:02 ECT From: Ken Hoover Subject: ARPANET accountability The article that went through here last night covering the discovery and exposure of the creator of the ARPANET virus seemed to gloss over, or simply miss, the fact that (according to its own text) this program was not something that turned into a virus and went out on its own at all. The article stated that the programmer's "original vision was to spread a tiny program widely... and have it take up residence in the memory of each computer it encountered" and was supposed to "slowly propogate, always hiding in the background to escape detection". That sure sounds like a virus to me. What this student seemed to be so appalled at was that his program mutated on him (due to an apparent programming error) and changed from a virus to a "bacterium" (to use the term that's been being used around here) and was thus easily seen, but not until it had begun overloading computers nationwide. It seems that, as it was so aptly put, he was playing with fire and got burned. However, on the question of whether to prosecute this person, the article put its head in the sand. The question is not of a program that, by a simple compiler error, went berserk and became a virus by sheer chance. This is an exposure of what was intended to be a virus in the first place, but was rendered VISIBLE by that programming error. We should consider ourselves fortunate that this error was made at all, and that no damage occurred (so far) to databases and stored files. Would we prefer that a virus be created which would take advantage of this same (gaping) hole and use it to (for instance) clog networks by sending all of the files it can reach out the nearest link? Or worse yet, to a specific destination computer, either for plagiaristic use or simple theft of information? I say prosecute. Any others? (get your flamers ready) - Kenneth J. Hoover SUNY-Binghamton Sophomore, T.J. Watson School of Engineering Binghamton, NY. BG1838@BINGVMA -------------------- Date: Tue, 8 Nov 88 10:57:00 EST From: Jim Shaffer Subject: RE: Macintosh "worms" Application -- is this a virus? >I am not a Mac user, so please forgive any lapses in terminology. >A local Mac user tells me that he recently discovered a new application >on his disk, called "worms". Running it pops up a little display with >worms crawling around on it. I don't know about "worms", but I've seen (perfectly harmless) programs for the Mac called "measles" and "crabs," which produce similar screen displays. How the program got onto a disk which he says he's never shared with anyone is another story, though. If this *IS* a virus of some sort, particularly a (ugh!) network virus, please let me know. For the time being, I'm not going to post this to Info-Mac because it doesn't sound suspicious and I don't want to generate pan-network junk mail. But I'll cross-post it if any more evidence turns up. Jim -------------------- Date: Tue, 8 Nov 88 09:16:18 EST From: Peter Murray Subject: Re: Please! In-Reply-To: Message of Mon, 7 Nov 88 23:05:00 MST from >> What's all this about virii? "Virii" is the plural of "virius." If you >> mean more than one virus, try "viruses" or, if you must, "viri." >> On the other hand, we could let >> virii = 2 viruses >> viriii = 3 viruses >> viriv = 4 viruses >> virv = 5 viruses >> etc. >The only proper plural form of the word virus is viruses. Virus is NOT >a Latin word, and hence should not be declined like one. (In fact viri >can be any one of the Genetive singular, Nominative plural, or Vocative >plural forms of the noun man (vir)). >Just so that we can avoid a major bagging session as has occurred on >USENET in the past. :-) I thought it was very humorous: putting the roman numerals on the end as suffixes. Was it intended this way? A little comedy break every now and then lightens the serious mood of this discussion. ]] Peter E. Murray [[ Miami University Oxford, Ohio -------------------- Date: Tue, 8 Nov 88 20:24:00 EST From: Dimitri Vulis Subject: CVIA I though I'd key this in (took me almost an hour!) sorry for the typos. [PC WEEK, Aug. 1, 1988] [Virus Association] You knew it had to happen. With software viruses making headlines everywhere, scads of companies have come up with antivirus programs. Now there are so many that they're forming a trade group. The Computer Virus Industry Association (CVIA) has 10 members, all of whom sell products desgined to wipe out viruses. They said joining the groups lends their products extra credibility, because members' products have to pass a suite of tests to prove they work. That's an important edge in market whose products often get as much respect as weight-loss pills and baldness cures --- and often are about as effective. "It's an environment that's conductive to misinformation and fraud," said John McAfee, president of CVIA. ...................................................................... [PC WEEK, Aug. 15, 1988 (letters)] To the Editor: I'd like to comment on the Aug. 1 Monitor report entitled "Virus association" about the CVIA [Computer Virus Industry Association]. John McAfee, the self-appointed president of the group, sent out a press release announcing the organization of the association. The release claimed that CVIA members have 90 precent of the anti-virus software market. We at WorldWide Data [manufacturer of vaccine 2.0/2.1] decided that to see if CVIA could back up its claims with some solid facts. When I spoke to Mr. McAfee he could not substantiate his 90 percent market claim, nor the credibility of CVIA's members. In fact Mr. McAfee promised to send out a second release to recant these claims by CVIA. Interestingly enough, your article quotes Mr. McAfee as describing the anti-viral marketplace as being "...conductive to misinformation and fraud." This makes us wonder if the CVIA might be a case of having the foxes guard the chicken coop! While we like the idea of "watchdog groups" in general, we're not quite sure what CVIA is up to. As far as market share and product effectiveness are concerned, we think the good old methods suffice: namely, product reviews in the computer press and user references. We proudly stand behind ours. As far as watchdog groupd and associations are concerned, there are plenty of good ones around to keep anyone on their toes, particularly the Computer Security Institute and the NYPC Users Group (Jon David of the Security SIG is very active on the virus-protection issue), as well as other organizations of which we are members. Ron Benvenisti, WorldWide Data Corp, New York, NY ...................................................................... [MIS Week, Aug. 29, 1988] (top, first page) [VIRUS INDUSTRY LEADER ASSAILED] New York --- An association set up to coordinate the activities of antiviral software makers is coming under fire because the intentions of its self-appointed chairman are being questioned. John McAfee, who established the Computer Virus Industry Association (CVIA), heads another organization which has created the tests against which CVIA members' antiviral software are measured. One of the antiviral software packages tested is from McAfee's own company, and it mastered every viral test. In addition, McAfee has refused to submit his antiviral software to testing anywhere else, except at three universities he has chosen, none of which has reputation for expertise in viruses. He has also been accused of using questionable techniques within the CVIA, using unscrupulous methods to attract members, and has been charged with promoting too much hype within the virus community. "I would not call it a scam, but it sure as hell is one of the most unethical things I've withnessed," said Ross Greenberg, an independent consultant here. McAfee established the CVIA, based in Santa Clara, Calif., to standartize marketing and sales terminology as well as to educate computer users about the issues surrounding viruses, he said. Ten companies that merket and develop antiviral software, including McAfee's InterPath Corp., have joined CVIA. In addition to being in charge of CVIA and Interpath, McAfee has also been running the National Bulletin Board Society (NBBS), where viruses are collected, studied and simulated to create and test antiviral software. The test of CVIA members' antiviral software was developed by NBBS using simulated viruses. It came as no surprise, then, when McAfee announced that his antiviral software tested successfully against all 38 strains of simulated viruses from the NBBS, according to Raymond Glath, president of RG Software Systems Inc, Willow Grove, Ps. Glath said InterPath and NBBS have the same address in Santa Clara, which was never made obvious to software consumers. "There seems to be a conflict of interest. They (InterPath) have a virus simulator, as well as antivirus software," said Kenneth van Wyk, user consultant, Lehigh University computing center, Bethlehem, Pa. "It can be tailored so their program comes out smelling like daisies. it is a valid conclusion---it ought to be developed by an independent source." ............... Many professionals in the virus field said an organization composed of antiviral software manufactueres should not be setting the standards of the virus community. Michael S. Riemer, FoundationWare's vice president of marketing, Cleveland, said, "If you want to have a non-biased organization disseminating information on viruses, it should not necessarily be run by the people creating security products." Ron Benvenisti, product manager as WorldWide Data Corp., New York, said "It might be that the fox is guarding the chicken coop. We don't believe in vendors starting watchdog groups." Benvenisti liked the situation to an automobile manufacturer's taking over the department of motor vehicles and then creating the national safety standards to be imposed on cars. ................ McAfee announced that Adelphi Univerity, Pace University and Sarah Lawrence College were selected to perform, jointly, product testing and evaluation of antiviral measures marketed by association members. In addition, John Cordani, assistant professor of management science at Adelphi University in Garden City, will act as chairman of the evaluation program and as liaison between CVIA and the testing labs. "Precise arrangements have yet to be worked out," Cordani said. McAfee said InterPath will continue to do initial, informal testing before the software is sent out to the universities. "Everybody has to test using something. You have to test your software." "We are taking the hands-off approach," he said. "We are not testing our own products. We never had any intention to test our own products We have tried to make this as completely impartial as possible. I don't know how to make it any more impartial," McAfee said. This did not satisfy other members of the antiviral community. Harold Joseph Highland, editor of "Computers & Security," Elmont, NY, said "These are not the major computing institutions in the area. Whether they have any people that know anything about viruses, I do not know. Most schools do not have experienced virus researchers." Similarly, Jon R. David, Systems R & D Inc, Fort Lee, NJ, said there are several very capable schools in the New York metropolitan area that are more attuned to viruses than those selected. And although the specific people chosen to work on the testing may be accomplished in their field, there people are not in the computer science division or the math division but they are in business administration, David said. In addition, he said, the announcement of the universities made little difference because the universities are testing CVIA's antiviral softwae with NBBS's simulator. "When it's your simulator, you know with 100 precent certainty what you were going to be tested against." He likened this to a game of Trivia Pursuit in which you have peeked at the answers. "It's his (McAfeee's) simulator. Conceptually it (using universities) makes it more valid. But you are not letting the industry agency run tests, The agency does not have the ability to design valid tests. You are giving them the testing tool. The results you know ahead of time. It does not seem to be any more valid," David said. McAfee said it was because CVA was adamant about putting all of the software through testing that many vendors refused to join the organization. "A number of people selling antiviral products chose not to be members of the organization. It's the testing of the product that scared many away." He said there were vendors who planned on becoming members until they were told their products would have to be submitted for testing first, and then they had a change of mind. Although McAfee said others were afraid to expose their products for testing, David said McAfee refused to offer his software for testing. David is assisting an international study of antiviral software associated with Highland and his publication "Computers & Security." When David called on McAfee to submit his antiviral software for testing, McAfee refused. "It strikes me as being rather odd. He says (his antiviral software) tests fine with a simulator, but he resuses to have it tested in a real-world environment," David said. "If I were in his position, I would much rather go on luster than performance. "Other members of his group (CVIA) are actively cooperating. Other members seem not to find a real-world test abhorrent," David said. "You can't play games like that. Give me one valid reason for him refusing to send a copy of his software to test. Everybody else is anxious to send their own." Several members of CIA [= Computer Industries Association] have forwarded their software for testing, David said, and a couple of those members indicated they were interested in disassociating themselves from the organization. When questioned about why they chose not to join CVIA, certain members of the antiviral community gave reasons that had nothing to do with having their products tested. Some said they did not like the way McAfee was operating CVIA. "McAfee is distributing viruses by disk and bulletin board, which is a practice which is certainly questionable. The harm (is) letting the little buggers out. If I was selling a bulletproof vest, I would offer to test it in a controlled environment, but I'd be damned to send live ammunition and loaded machine guns through the mail. A virus is a potentially dangerous thing. You want this on a bulletin board? In the mail?" David said. Pamela Kane, president of Panda Systems, Wilmington, Del., said "John's (McAfee) timing was unfortunate and his motives very questionable. Most major developers and industry experts were involved with the PC Expo in New York at the time his plan was hatched. We were told the press release would be scheduled (for release) the following day and our decision to participate had to be made immediately. "In the absence of any information other than the text of the press release, the lack of organizational planning and John's self-appointed chairmanship, none of us were able to makr a business decision to participate." "Interestingly," Kane added, "there was an opportunity for all of us to meet in Boston within the next ten days---to meet among ourselves and to appear before the Boston Computer Society as a concerned group of prefessionals. John refused to meet with us." Several antiviral vendors refused to participate in the organization because they said McAfee had put names on the membership lists before vendors agreed, as a means of enticing others to join. "He played the same game with all of us," Greenberg said. While Glath, Greenberg and Reimer all said this same technique was used with them as a means of having others join the organization, McAfee denied he lured members in this way. Glath said, for example, that McAfee had told at least one vendor that RG Software Systems was a member of CVIA, although Glath never agreed to join. "Since it (CVIA) is headed by a guy who is throwing most of the type out, we said no (to joining McAfee's organization)." Part of the hype that Glath referred to is InterPath's Winnebago that travels from infected site to infected site in the Silicon Valley region of California, "collecting virus residue," McAfee explained. A 27-foot motorhome equipped with special purpose hardware for isolating viruses, the "virus bug buster" loads up with tools and software and drives out to the infected site. A visit from the "mobile lab" is free. -------------------- *** end of Virus-L issue ***