VIRUS-L Digest   Wednesday, 18 Jan 1989   Volume 2 : Issue 17

Today's Topics:

Re: Encrypted/Decrypted viruses
Re: Friday 13th / Israel Virus
Re: Meaning of "CYBER"
Computer Virus Industry Assc. ?
Reality Hackers
WordPerfect Access to Drive A (PC)
Internet worm report available in Germany & Switzerland
Re: INIT 29 Virus (Mac)
More VIRUS seminars...
Virus created by software copying company?
encryption
Reply to Salzmann question about possible Word Perfect virus (PC)

---------------------------------------------------------------------------

Date: Mon, 16 Jan 89 20:23:46 -0500 (EST)
From: Michael Francis Polis
Subject: Re: Encrypted/Decrypted viruses

Such an encryption system would only be useful if it were not standard. If it became standard, or at least widely distributed, viruses would work their way around it by calling whatever interrupt did the encryption on themselves before they became part of your favorite program. Even individual keys would not protect against this.

------------------------------

Date: 17 January 1989, 09:40:32 MEZ
From: Christoph Fischer
Subject: Re: Friday 13th / Israel Virus

I am a consultant at the computing center of the University of Karlsruhe West-Germany. We were asked to assist the people at the University of Hohenheim West-Germany. They found a virus spreading in their public PC-pool. We identified the virus as the Israel type on Wednesday afternoon. The people at Hohenheim had just one day to go through their PCs and remove the virus with the help of H&B EDVXs Anti Virus software (it had some trouble and didn't restore all files to their original function, but the author of the program will check if the virus is a mutant and will update the software).

The virus's destructive action on Friday was tested on one PC: it destroyed all executable files on the first attempt to run them.
They didn't experience any low-level format (only possible on PC-XT controllers and a few AT controllers); maybe there is another threshold for that action or it is a pure rumor.

The virus reappeared after Friday since the students brought executable files on their disks. Larry Lover (well known game) was pinpointed as virus infected and a major source of the trouble since everyone copied this sw.

Chris
(Christoph Fischer / University of Karlsruhe West-Germany / Computing Center )
( D-7500 Karlsruhe 1 / Zirkel 2 / Rechenzentrum / Tel. +721 608 2997 )
( RY15 at DKAUNI11.BITNET )

------------------------------

Date: Tue, 17 Jan 89 09:19:51 EST
From: Joe McMahon
Subject: Re: Meaning of "CYBER"
To: Virus Discussion List

CYBER comes from cybernetics, a word invented by Norbert Wiener. Its root is from the Greek Cybernos, the steersman. Wiener's original application of it was in self-controlling systems.

--- Joe M.

------------------------------

Date: Tue, 17 Jan 89 09:46:53 EST
From: "John P. McNeely"
Subject: Computer Virus Industry Assc. ?

Has anyone out there ever heard of the 'Computer Virus Industry Association'? If so, what functions does it perform? If you have any information about the organization, I would appreciate a reply either directly to me or to the list.

Thanks,
John P. McNeely
UT-Chattanooga (No, we're not the Vols.)

------------------------------

Date: Tue, 17 Jan 89 10:52:20 EST
From: "Homer W. Smith"
Subject: Reality Hackers

I have been flooded with requests concerning the article in Reality Hackers on computer viri. As I can not possibly xerox and send a copy of it to every one of you, I herewith post the name and address where you can get a copy for yourself. It is on the news stands, some of them at least.

High Frontiers/Reality Hackers
PO 40271
Berkeley, CA 94704
415 845-9018

Winter issue number 6.
'Cyber Terrorists/Viral Hitmen'

For those of you who I have already promised to send a xerox, they will soon be on their way.

------------------------------

Date: Tue, 17 Jan 89 10:01 MDT
From: "Craig M."
Subject: WordPerfect Access to Drive A (PC)

The vanilla version of WordPerfect (as it comes from the box) uses the default directory/drive for temporary files (it creates several of them: a printer queue, backup files, timed backup files, and a couple of others). If you are using a version of WP that has previously been configured for use from a floppy drive but copied and executed from a hard disk, these parameters will still be in the setup file (something like {WP}WP.SET).

These setup parameters can be changed by running WP with a /S switch from the DOS command line for version 4.2, or by pressing SHIFT-F1 in WordPerfect for version 5.0. In either case, it's under the section of 'location of auxiliary files'. Check these values to make sure someone hasn't changed the values. Another way to ensure the setup values are not wrong is by recopying the master (the ones with the original WP label) diskettes.

Another possibility I just thought of: If you boot from a floppy and do not have a statement SET COMSPEC=C:COMMAND.COM, the computer will look on the A (or whatever drive you booted from) for COMMAND. If you try shelling out to DOS from WordPerfect (CTRL-F1), the version of COMMAND.COM that was on the boot drive will be loaded.

We have several thousand versions of WordPerfect (4.1/4.2/5.0) on our campus, and have not had any trouble with viruses--at least that haven't been openly publicized or reported. Some kind of WP virus certainly could easily wipe us out; or at least bring us to our knees.

------------------------------

Date: 17 January 89, 16:46:39 +0100 (MEZ)
From: Otto Stolz +49 7531 88 2645 RZOTTO at DKNKURZ1
      Rechenzentrum der Universität
      Postfach 5560
      D-7750 Konstanz 1
Subject: Internet worm report available in Germany & Switzerland

Hi gang,

finally, I've got my Xmas present, directly from Bethlehem (it was posted on 4th Jan by Air Mail: those reindeers seem not to be very fast with that sledge on their way across the ocean :-)

Thanks to Ken, I have now two reports on floppy disk:

1. Eugene H. Spafford: "The Internet Worm Program: An Analysis", Purdue Technical Report CSD-TR-823, available as Postscript File (neatly printing!) and as pure ASCII file.

2. Don Seeley: "A Tour of the Worm", Dept. Comp. Sci. Univ. Utah; this report is available with some SCRIPT-like markup and as a pure ASCII text, interspersed with many, many blank spaces. I didn't find a way to print or display this one neatly, or even legibly :-(

Eugene Spafford handles the topic (in 107 kByte) thoroughly and clearly. Large parts of the paper are comprehensible even to non-Unix-connoisseurs like me; appendices present detailed descriptions of worm-internals and fixes to Unix. Also, a one-page bibliography is given.

Don Seeley gives (in 73 kByte) a nearly equally complete description of the worm's functioning, which can serve as a supplement to Spafford (I'm somewhat biased here by the difficulty to read it from a badly arranged screen).

Spafford grants permission to make copies of his work, without charge, solely for the purposes of instruction and research. I didn't see any Copyright note in Seeley's report.

I volunteer as a sub-distributor of these two reports for the Federal Republic and Switzerland, under the following conditions:

1. Both reports on floppy disks:
   Send me one 5.25", 1.2 MByte disk
        or one 3.50", 0.7 MByte disk
        or two 5.25", 0.4 MByte disks
   formatted for MS-DOS (cf. postal address in the header of this note).
   Enclose a stamped (German or Swiss stamps acceptable), self-addressed envelope. I'll copy the 4 files to your disk(s) and post it in the envelope you provided. I'll post envelopes with Swiss stamps in Switzerland, others in Germany. I'll add no stamps, no stable envelope, I'll make no corrections to the address.

2. Spafford's report only, in print:
   Send me one stamped (allow for 204 g + weight of your envelope), self-addressed envelope and 4 DM or 3.50 sFr for printing costs. I'll print the report for you (worth 4.10 DM) on my private account and post it in the envelope provided, as above.

I hope everybody interested in the two reports will be able to agree with this proviso, which is designed to save me a lot of unnecessary work.

If anybody in Europe, but outside Germany and Switzerland, is still interested in the reports, please drop me a note to my EARN/BITNET address, and I'll try to make some suitable arrangement. But be prepared to act as a sub-distributor for your country, then!

Best wishes
Otto

[Ed. Thanks Otto! That second report, TOUR.N, was written in nroff, I believe. It also comes with a file called TOUR.CRT which was formatted for CRT viewing. Printing that file on a printer which obeys backspaces and underlines will work just fine; that's what I did. Anyone more fluent in nroff than I (read: at all fluent in...) might be able to format TOUR.N for another output device. Thanks again.]

------------------------------

Date: Tue, 17 Jan 89 14:08:39 EST
From: Joe McMahon
Subject: Re: INIT 29 Virus (Mac)
To: Virus Discussion List

Can anyone give me further information on this virus? Is it the "hPAT" variation of nVIR, or is it another virus altogether? I have seen mention of articles in comp.sys.mac, but that's not available to me here on BITNet.

Thanks for anything which you might find.

--- Joe M.

------------------------------

Date: Tue, 17 Jan 89 15:47 CST
From: Ken De Cruyenaere 204-474-8340
Subject: More VIRUS seminars...

MIS Training Institute announces:

AN EMERGENCY BRIEFING ON COMPUTER VIRUSES
UNDERSTANDING THE PROBLEM AND IMPLEMENTING THE SOLUTION

The material is 8 pages long but the key points are:

Cost: $590

dates/locations:
February 28   Chicago
March 1       Dallas
March 7       New York
March 8       Atlanta
March 14      Washington D.C.
March 16      San Francisco

Dr. Fred Cohen is the "briefing leader".

"Two special features:
1. You will see demonstrations showing live computer viruses actually damage systems.
2. As a participant you will receive diskettes containing over 20 programs for viral defense product lines that you can try on your own computer. Researched, compiled, and explained for you, the value of these sample evaluation copies alone far exceed the cost of the Briefing."

To register: call Pamela Bissett at 508-879-7999
MIS Training Institute, 498 Concord Street, Framingham, MA 01701

---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada
Bitnet: KDC@CCM.UManitoba.CA (204)474-8340

------------------------------

Date: Tue, 17 Jan 89 20:44:22 EDT
From:
Subject: Virus created by software copying company?

It seems from reading the last several digests that a certain company who produces Word Processing software, has yet another virus to contend with? In all fairness, since the company does not (I think) produce the disks they sell perhaps they should look at the company who does their production runs? I could easily see a virus sitting in a duplicator passing itself on to each disk that runs through the duplicator.

[Ed. Don't mass-copiers essentially do a sector-for-sector diskcopy from an original? Does anyone have any more info on this?]

------------------------------

Date: Tue, 17 Jan 89 17:05:58 EST
From: Jefferson Ogata (me!)
Subject: encryption

There is a bit of discussion on the subject of program encryption for virus prevention in back issues of VIRUS-L (I think maybe around July or August of last year). The two major glaring flaws in the idea are that it takes time to decrypt the programs before you run them, and that the encryption/decryption program itself could become infected, since it clearly cannot be stored in an encrypted format. Also, program encryption cannot easily protect the operating system, since that also cannot be encrypted, so boot block viruses and the like are still pretty pervasive.

The second problem is not easily dealt with, but here is a bit of elaboration on the first:

If a virus is out to beat an encryption scheme, then it probably doesn't make much difference which one is being used; even if something pretty hairy like DES encryption is being used, the virus can intercept keyboard input and wait for the key to be entered. Any encryption scheme can be circumvented fairly easily by a virus designed with that in mind.

However, using encryption of any kind would provide excellent protection from most other types of virus. Since the actual algorithm doesn't matter as much as the encryption itself, a very simple algorithm would achieve largely the same results as a complicated one. Therefore, the problem of time consumption can be fairly eradicated by using a fast, simple algorithm (e.g. a single cipher).

Keep in mind that even a simple virus like Brain will spread regardless of program encryption, because it attaches to code that could not be stored encrypted.

- Jeff Ogata

------------------------------

Date: Tue, 17 Jan 89 16:04 PST
From: Larry Cobb 63898
Subject: Reply to Salzmann question about possible Word Perfect virus (PC)

A reply to the WP part of the following message:

>Date: Mon, 16 Jan 89 16:33:29 IST
>From: "Eldad Salzmann (+972)-3-494520"
>Subject: Any connection between the ping-pong virus and WordPerfect? (PC)
>... Was WordPerfect infected by the omnipotent virus?
>... A WordPerfect which was till then working quite smoothly from
>the HD, suddenly began to look at drive A: for its WP.exe file, ...

I've had similar problems occasionally with Word Perfect 4.2. I've not had any such with WP 5.0, but then I've been using WP 5.0 only a while. Those problems were traced to various possible causes, *none* of them viruses.

Yes, WP sets up working and backup files for itself, usually in the default directory unless you specify otherwise when you do WP setup. You could have lost or damaged your setup file (named {WP}SYS.FIL ).

I think I've established that too little RAM also allows WP to start but soon do silly things. Have you added drivers, memory resident software, or anything else that may reduce RAM?

Lastly, WP sometimes loses control of itself when I ask it to load document files from another word processor or files it created but were munched by a hapless user. This latter possibility is corrected by rebooting and not loading those files; the first two would stay with you until they're corrected.

Larry Cobb, UCLA School of Nursing, ILZ1LFC@UCLAMVS or ILZ1LFC@OAC.UCLA.EDU
213-206-3898

------------------------------

End of VIRUS-L Digest
*********************
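
The encryption thread in this issue (the Polis and Ogata messages) can be modelled in a few lines. This is an added illustration, not part of any poster's message: the key, the marker bytes and every function name are constructed, and repeating-key XOR stands in for the "fast, simple algorithm".

```python
# Added illustration, not code from the digest. All names and values are constructed.
from itertools import cycle

KEY = b"constructed-key"        # assumption: a secret known only to the loader
MARKER = b"<<FOREIGN-BYTES>>"   # inert stand-in for bytes added by a third party
PROGRAM = b"MZ demo program image, constructed sample"

def xor(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def install(program: bytes) -> bytes:
    """Store a program on disk in encrypted form."""
    return xor(program)

def load(stored: bytes) -> bytes:
    """Loader: decrypt the stored image immediately before running it."""
    return xor(stored)

def modify_unaware(stored: bytes) -> bytes:
    """A modifier that knows nothing of the scheme appends plaintext bytes."""
    return stored + MARKER

def modify_via_system_routine(stored: bytes) -> bytes:
    """A modifier that can invoke the system's own routine (Polis's objection):
    decrypt, append, re-encrypt, so the loader sees well-formed input."""
    return xor(xor(stored) + MARKER)

def survives(stored: bytes) -> bool:
    """True if the appended bytes come out of the loader intact."""
    return load(stored).endswith(MARKER)

def report() -> dict:
    disk = install(PROGRAM)
    return {
        "clean image loads unchanged": load(disk) == PROGRAM,
        "unaware modifier survives": survives(modify_unaware(disk)),
        "cipher-aware modifier survives": survives(modify_via_system_routine(disk)),
        "original code intact after unaware append":
            load(modify_unaware(disk)).startswith(PROGRAM),
    }

if __name__ == "__main__":
    for claim, result in report().items():
        print(f"{claim}: {result}")
```

The outcome does not depend on the cipher's strength: swapping XOR for a stronger algorithm changes neither result, which is the point both posters make from different directions.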