VIRUS-L Digest   Monday, 2 Oct 1989    Volume 2 : Issue 208

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

How can I get SCANV3x ???
paper comparing biological and computer viruses
MILIVIRUS REPLY
Re: MILIVIRUS REPLY
Jerusalem virus infection, query (PC)
New virus? (Mac)
Followup on new virus (Mac)
Re: F-PROT anti-virus package (PC)
Virus Protection
Apple II Viruses
Flushot+ and Artic speech package (PC)
RE: Tiger teams at night
RE: Review of NIST anti-virus paper...
RE: Tiger Teams

---------------------------------------------------------------------------

Date:    28 Sep 89 19:01:39 +0000
From:    smg%eedsp@gatech.edu (Steve McGrath)
Subject: How can I get SCANV3x ???

Could some kind soul please tell me where I can get a copy of the SCANV
program (or send it to me, if, as I believe, it is shareware)?  I have
been trying to call the BBS at (408)988-4004 with no success, and the
more I read about the viri which are out there the more apprehensive I
am getting.  I don't, by the way, have access to Compuserve.
Thanks in advance,
Stephen

--
Stephen McGrath          Georgia Tech, School of EE, DSP Lab, Atlanta, GA 30332
(404)894-3872            smg@eedsp.gatech.edu

------------------------------

Date:    Thu, 28 Sep 89 11:19:13 -0400
From:    Peter Jaspers-Fayer
Subject: paper comparing biological and computer viruses

This is an outline for a semi-serious paper on the similarities between
biological and computer viruses, and the efforts to understand and
combat them.  I present it here in the hopes that others may wish to
contribute a paragraph or so (sorry no money, but I'll give credit for
any material I receive).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Loosely termed, a virus is a "piece of information" that replicates
itself by using its host's own machinery.  Methods of entry into the
host system are various.  The infection often has a latency period that
differs from one species of virus to another.  They may, in fact, appear
to be entirely benign.  Viruses often "hide" in specific parts of the
infected system, sometimes multiplying there, sometimes completely
dormant, until some external event triggers the onset of the symptoms.

Concerning the effort to understand and combat biological and computer
viruses, there are also many correspondences between the identification,
classification, taxonomy, evolutionary theory and epidemiology of the
two disciplines.  Often in reading the network discussion list
"VIRUS-L", I am struck by the familiarity (my own background is biology)
of the arguments that have arisen about:

- How best to identify a new virus,
- What to name it,
- When it started,
- Where it originated,
- Its relation to other viruses,
- The possible evolutionary path,
- What methods of infection there are,
- The ways a virus can combat detection and defences,
- How quickly it spreads,
- The percentage of the host population that is infected,
- What the latency period is, and how the onset of symptoms is triggered.
The only absolutely sure way to understand the virus is to disassemble
it into its component parts, and read the code.  Unfortunately, we are
only recently able to disassemble the simplest of the biological
viruses, and the ability to understand all of the approximately 10K
instructions of that simple virus is many years away.

What other analogies can you see?  Can you expand on any of the above?

Stretching things just a little bit further, there are analogies
between:

Biological                            Computer
------------------------------------  -----------------------------------
Atlanta Center for Disease Control    Computer Virus Industry Association
DNA viruses                           Boot-Sector Viruses
RNA viruses                           .EXE, .COM resident viruses
AIDS                                  A (as yet uninvented - I hope) virus
                                      that seeks out and destroys only
                                      anti-viral programs, leaving you
                                      prone to infection by other viruses.

I'd like to flesh this out a bit.  Suggestions need not be serious, and
flights of fancy are welcome.  The material may be used in a talk we are
giving on computer viruses and other ills.

Please reply directly to me at SofPJF@VM.UoGuelph.Ca, or
SOFPJF@UOGUELPH.BITNET

Thanks.
/PJ
-------------------------------
First Law of Wing Walking: Never leave hold of what you have got until
you have got hold of something else.

------------------------------

Date:    Thu, 28 Sep 89 11:06:00 -0500
From:    JEWALSH%FORDMURH.BITNET@VMA.CC.CMU.EDU
Subject: MILIVIRUS REPLY

Although I haven't gotten my feet too wet with the administrative
functions of the Army, as far as I can tell:

a. In the combat service support branches, e.g.: Adjutant General,
   Finance Corps, etc., the only C.O.A. for dealing with system
   malfunctions is to call the programmers in.

b. On the combat support level, e.g.: branches like Air Defense
   Artillery may operate with safeguards and procedures when dealing
   with viruses.  Considering that it is equipment that safeguards our
   nation's defense, one would HOPE that it is resistant to viruses.
   But, more than anything else, I have a feeling that it's relegated to
   the knowledgeable computer operators to resolve problems with the
   systems.

c. Combat Arms branches, e.g.: Infantry, Artillery, and Armor, don't do
   a lot with computer systems except on the unit level.  (Within
   individual tanks, or on the platoon level for troop movement, etc.)
   The level to which it is prone to viruses is, in my estimation,
   minimal, and the ease by which the components can be replaced takes
   away the risk.

If anyone knows more about the Army's Plan on Viruses, please post!  I'd
be interested to learn about it.

Jeffrey Walsh
Fordham University
BITNET%"JEWALSH@FORDMURH"

------------------------------

Date:    Thu, 28 Sep 89 14:46:25 -0400
From:    "Dennis G. Rears (FSAC)"
Subject: Re: MILIVIRUS REPLY

Jeffrey, you write:

> a. In the combat service support branches, e.g.: Adjutant General
> Finance Corps, etc., the only C.O.A. for dealing with system
> malfunctions is to call the programmers in.

Also Ordnance, Transportation, JAG, & Chaplain Corps.

> b. On the combat support level, e.g.: branches like Air Defense
> Artillery may operate with safeguards and procedures when dealing
> with viruses.  Considering that it is equipment that safeguards
> our nation's defense, one would HOPE that it is resistant to
> viruses.  But, more than anything else, I have a feeling that
> it's relegated to the knowledgeable computer operators to resolve
> problems with the systems.

Air Defense is a combat arms branch.  Signal, Military Police, Military
Intelligence, and Chemical Corps are service.

> If anyone knows more about the Army's Plan on Viruses, please post!  I'd be
> interested to learn about it.

Overall DOD has done little, if anything.  They were one of the last to
know about the worm incident.  They care more about administrative
security than real security issues.  (My opinion only!)
Dennis

------------------------------

Date:    Fri, 29 Sep 89 08:46:48 -0500
From:    Jeff Medcalf
Subject: Jerusalem virus infection, query (PC)

The PC lab at the Engineering Computer Network, University of Oklahoma,
has detected multiple virus infections (mostly Jerusalem virus) on its
PCs.  The viruses were found and removed with Unvirus, with thanks to
its authors.  However, I would like to find some programs which would
detect and remove more than 7 viruses.  Any information regarding
anti-viral archive sites, anti-viral programs, and documentation would
be greatly appreciated.  Also, how many viruses have been identified,
and which are the largest threats to security in the United States of
America?

Thank you

------------------------------

Date:    29 Sep 89 15:02:38 +0000
From:    jap2_ss@uhura.cc.rochester.edu (Joseph Poutre)
Subject: New virus? (Mac)

We here at the University of Rochester may have discovered a new virus,
or a variation on a theme.  What it does is infect Macwrite and the
Chooser, so that when a document is printed, Macwrite crashes.  The
virus changes the name to Macwight or Macwite, but this is the only clue
so far.  I am trying to get more data, but none is forthcoming.  I will
do what I can today and tomorrow, and give further reports.
Disinfectant 1.1 doesn't work, so please email me the latest version of
Disinfectant to try.  The sooner the better, because the Vice-Provost's
office is infected, and they may lose a 75 page report for the
government.  (What, no backups?  What do you think.  Argh.)

The Mad Mathematician
jap2@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)

------------------------------

Date:    29 Sep 89 19:22:37 +0000
From:    jap2_ss@uhura.cc.rochester.edu (Joseph Poutre)
Subject: Followup on new virus (Mac)

This is a followup to my earlier report.  I will try to give more
details from my and others' investigations.

The virus definitely attacks Macwrite.
It adds a str ID 801 and modifies the icon to say Macwite instead of
the standard application icon.  The application increases in size by
104 bytes, 56 in the string.  They are added in sector 014F, according
to Fedit Plus 1.0.

It also attacks the system, in an unknown fashion.  I was able to induce
it to do something by repeated Get Infos.  This may be a counter towards
a more fatal outcome.  Some of the disks have crashed after giving the
"This is not a Macintosh disk.  Shall I initialize it?" warning.  This
happens almost immediately after attempts to print.  The Chooser is
unable to find printer resources, and claims there are none.

When the File locked, Lock, Bozo and File Protect bits are set, the
virus apparently cannot infect.  It doesn't appear able to attack a disk
write protected by the corner tab, either.

Tomorrow I will be performing further experiments, and will upload exact
locations for the added code, and probably the string listing, too.

No anti-virus program has been able to find it, including Interferon,
Virus Rx, Anti-pan, and Disinfectant 1.2.  If this is recognized by
anyone, please email me ASAP at the address below with devirusing help.
If not, I will try to do everything I can.

Thank you for your time and effort.

The Mad Mathematician
jap2@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)

------------------------------

Date:    Fri, 29 Sep 89 17:44:08 -0400
From:    dptg!att!ll1a!nesac2!jec@rutgers.edu
Subject: Re: F-PROT anti-virus package (PC)

Yes, there's probably enough interest to warrant posting the program.
But will you be able to keep it current, and get the current version to
registered users as fast as the virus?

John
---
USnail: John Carter, AT&T, 401 W. Peachtree, FLOC 2932-6, Atlanta GA 30308
Video:  ...att!nesac2!jec   ...attmail!jecarter
Voice:  404+581-6239
The machine belongs to the company.  The opinions are mine.
------------------------------

Date:    Fri, 29 Sep 89 19:33:00 -0400
From:    JHSangster@DOCKMASTER.ARPA
Subject: Virus Protection

It seems to me that this whole problem will be largely solved when and
only when the vendors all start "signing" their software with a digital
signature based on public key cryptography.  At least then anyone who
wishes to check a program for authenticity need only check to see that
it passes the digital signature check with the alleged vendor's public
key.  Of course you also have to know that the checking program hasn't
been tampered with, the hardware hasn't been tampered with, etc., etc.,
but at least we would have a starting point for software authentication.

The signature approach and the use of signature checking seem to me the
only way to make definitive progress against viruses.  All other
approaches are dependent on details of the viruses' code, which as we
have seen change with time and with each new virus.  Digital signatures
will let us check that at least a trusted source has put its signature
on the code, and that it has not been altered since then.  Software
developers will then have to get serious about preventing viruses from
creeping in at the factory if they are not already serious.

If members of the appropriate software standards body are listening, I
hope they give consideration to such a standard ASAP.  The standard
should allow for both existing and future developers as well as private
individuals (hobbyists who may develop freeware) to have a unique public
key.  Then software users who neglect to check the signature use the
software at their own risk, but if they experience damage and can prove
it, they will be in a position to apply some heat to the vendor who
provided the signed, but infected, software.

The ideal way to implement checking would be to build it into the
loader.  This may become feasible if a worldwide standard is adopted.
Meanwhile checking could be implemented in a way which did not require
ROM modifications.  The standard could provide for inclusion of the
vendor's public key and the resulting signature in the format of any
loadable file.

-John Sangster
SPHINX Technologies, Incorporated
(617) 235-8801 / P.O. Box 81287, Wellesley Hills, MA 02181

------------------------------

Date:    Fri, 29 Sep 89 19:48:56 -0500
From:    davidbrierley@lynx.northeastern.edu
Subject: Apple II Viruses

If any readers of VIRUS-L have any information on viruses affecting
Apple II series computers I would be very appreciative if they could
e-mail it to me.  I am especially interested in public domain and
shareware antiviral programs.  Please note that I have virus information
posted in Info-Apple.  Thank you.

David R. Brierley
davidbrierley@lynx.northeastern.edu

------------------------------

Date:    Fri, 29 Sep 89 22:54:00 -0400
From:    Yahn Zawadzki
Subject: Flushot+ and Artic speech package (PC)

I am new to this list, and don't know much about various anti-viral
programs for the IBM - but I have run into some problems I think may be
caused by one of them.  In our labs, I am setting up a workstation for
the visually impaired - the major role there is played by a package
called ARTIC, a hardware/software driven speech synthesizer.  Part of
that program is memory-resident code which can intercept any program,
and provide support for ARTIC's hardware from within.  This way, one can
have the machine read the screen, or just read the key combinations,
etc.

Now, on the same drive I have installed Flushot+ (students have access
to the station).  I am not familiar with Flushot or Flushot+, so I can't
tell what is happening: at all times, there is a '+' in the top right
corner of the screen, and some of the functions of ARTIC are for some
reason disabled.  I dug through ARTIC's manuals - there is no mention of
anything which could explain the situation.
Anyone out there - PLEASE tell me whether it is Flushot interfering with
ARTIC here (I suspect '+' signifies something!) or am I looking in the
wrong direction...  If anyone out there has used the ARTIC business
version and knows of an anti-virus which will not react to ARTIC's
software, please let me know..!

Thanks - Yahn.

-------------------------------------------------------------------------------
Yahn Zawadzki                 Bitnet: S72UZAW @ TOWSON
Student Lab Assistant         INET:   yahn@towson.edu
Towson State Univ.
Disclaimer: Any Views Expressed Above Are Those Of Mine And Not Of The
            Towson State University.
A N D   Y E S  -  I   A M   A   M A C   P E R S O N !!!
-------------------------------------------------------------------------------

------------------------------

Date:    Sat, 30 Sep 89 09:18:16 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: RE: Tiger teams at night

In the VIRUS-L Digest V2 #207, cpsolv!rhg@uunet.UU.NET (Richard H.
Gumpertz) writes:

> Why should such a "tiger team" work under cover of dark?  Why not "surprise
> inspections"?...

Because people use their computers during the day.  If the Tiger Team
finds the person is following all the proper anti-viral procedures, why
should the Tiger Team interrupt the user's normal workday?

------------------------------

Date:    Sat, 30 Sep 89 09:30:38 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: RE: Review of NIST anti-virus paper...

In the VIRUS-L Digest V2 #207, time@oxtrap.oxtrap (Tim Endres) writes:

> Sounds like the committee was seated with commercial software vendors!

The NIST paper was written by two staff members there, and is not a
committee report.  I've received some feedback from NIST on my comments
to the effect of "Good point.  We did not intend the bias towards
commercial software, but it is certainly there".

------------------------------

Date:    Sat, 30 Sep 89 14:39:00 -0400
From:    "Thomas B. Collins, Jr."
Subject: RE: Tiger Teams

Another thought on the Tiger Teams...  It doesn't make much sense to me.
If I don't add any new software to my system at work, I'm not going to
worry about viruses.  Say I get my new system, put all the software on
it, and run a few virus scanners that turn up nothing.  I then run all
applications from my hard drive, and don't use any floppy disks.  It
wouldn't make sense for me to check my hard drive every day for viruses,
because they don't just pop up from nowhere.  If I did add software to
my system, I would check it for viruses before adding it.

I think it would make more sense for the Tiger Teams to come in in the
middle of the day, ask you to please save your work, and then run a
virus checker on your system.  If anything is found, you are "cited" as
letting a virus into your system.  If you're clean, you go back to work,
and the Tiger Team moves on.

-------
Tom "Shark" Collins          Since ICS is comprised of 2 people, my views
tbc101@psuvm.psu.edu         are the opinion of at least 50% of the company.

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
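Added editorial example (not part of the digest, and not code from any of its contributors): John Sangster's "Virus Protection" message above proposes that a vendor's public key and a signature over the program travel inside the loadable file, and that a loader check them before running the code. The Go program below is a constructed illustration of that scheme. Everything in it is assumed for the demonstration: the "SGN1" container layout, the choice of Ed25519 (no algorithm is named in the message), the fixed demo key seeds, the "Example Vendor" trusted-key entry, and the stand-in program bytes. It also shows the check a practitioner would add to Sangster's outline: because the key in the file is only a claim, the loader must match it against a trusted vendor list obtained out of band, or a virus can strip the vendor's signature and re-sign the infected file with its own key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Assumed container layout (illustrative, not any real loader's format):
//   "SGN1" | 32-byte vendor public key | 64-byte Ed25519 signature | payload
const (
	magic   = "SGN1"
	hdrSize = len(magic) + ed25519.PublicKeySize + ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("not a signed container")
	ErrUntrusted = errors.New("embedded public key is not a trusted vendor key")
	ErrBadSig    = errors.New("signature does not match payload")
)

// Sign wraps payload in the container: the vendor's public key and a
// signature over the payload travel with the file, as the message proposes.
func Sign(priv ed25519.PrivateKey, payload []byte) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	out := make([]byte, 0, hdrSize+len(payload))
	out = append(out, magic...)
	out = append(out, pub...)
	out = append(out, ed25519.Sign(priv, payload)...)
	return append(out, payload...)
}

// Verify is what a signature-checking loader would do before running the
// payload. The embedded key is only a claim, so it is looked up in a
// trusted list (distributed out of band) before the signature is checked.
func Verify(container []byte, trusted map[[32]byte]string) ([]byte, string, error) {
	if len(container) < hdrSize || string(container[:len(magic)]) != magic {
		return nil, "", ErrFormat
	}
	var pub [32]byte
	copy(pub[:], container[len(magic):len(magic)+ed25519.PublicKeySize])
	vendor, ok := trusted[pub]
	if !ok {
		return nil, "", ErrUntrusted
	}
	sig := container[len(magic)+ed25519.PublicKeySize : hdrSize]
	payload := container[hdrSize:]
	if !ed25519.Verify(ed25519.PublicKey(pub[:]), payload, sig) {
		return nil, "", ErrBadSig
	}
	return payload, vendor, nil
}

// Scenario signs a constructed stand-in for a program and reports how the
// check fares against (1) the clean file, (2) the file after a file
// infector has appended itself, (3) the infected file re-signed with the
// attacker's own key.
func Scenario() (clean, infected, resigned error) {
	// Fixed seeds so the run is reproducible; these are demo keys only.
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))

	var vendorPub [32]byte
	copy(vendorPub[:], vendorPriv.Public().(ed25519.PublicKey))
	trusted := map[[32]byte]string{vendorPub: "Example Vendor (assumed)"}

	program := []byte("MZ constructed stand-in for an .EXE image")
	signed := Sign(vendorPriv, program)
	_, _, clean = Verify(signed, trusted)

	// Appending the virus body is enough: the signature no longer covers
	// the bytes the loader would execute.
	tampered := append(append([]byte{}, signed...), "VIRUS"...)
	_, _, infected = Verify(tampered, trusted)

	// Without the trusted list, this re-signed file would pass, because the
	// signature is valid for the key that travels with it.
	infectedProgram := append(append([]byte{}, program...), "VIRUS"...)
	_, _, resigned = Verify(Sign(attackerPriv, infectedProgram), trusted)
	return clean, infected, resigned
}

func main() {
	clean, infected, resigned := Scenario()
	fmt.Println("clean file:        ", clean)
	fmt.Println("infected file:     ", infected)
	fmt.Println("re-signed by virus:", resigned)
}
```

Run it with `go run` and the clean file verifies, the appended file fails on the signature, and the re-signed file fails on the key lookup. The third case is the one the message's "signed, but infected, software" remark depends on: liability can only be pinned on a vendor if the loader refuses keys it has not been told to trust.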