VIRUS-L Digest   Tuesday, 12 Dec 1989    Volume 2 : Issue 258

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

WDEF virus questions (Mac)
new anti-virals (IBMPC)
Re: WDEF Virus (Mac)
Poland Viruses/Oropax (PC)
Experimental one-way hash function

---------------------------------------------------------------------------

Date:    11 Dec 89 08:56:28 +0000
From:    f3aml@fyvax2.fy.chalmers.se (MATS LEJON)
Subject: WDEF virus questions (Mac)

In the message WDEF Virus Alert (MAC) John Norstad writes

>Unfortunately, the virus manages to avoid detection by all of the
>popular protection INITs, including Vaccine 1.0.1, GateKeeper
>1.1.1, SAM Intercept 1.10, and Virex INIT 1.12.

What about the RWatcher INIT? It would be no problem to configure it
to look for a WDEF resource, but this would of course be of no use
if the WDEF virus uses a system call to propagate whitch RWatcher
does not watch for. Does anyone have any more info about the virus,
its size for example, or how it is possible that a resource with the name
WDEF gets executed, I guess it must contain executable code to
propagate itself?

                   Mats Lejon, Chalmers Univ. Tech. Sweden.

------------------------------

Date:    Mon, 11 Dec 89 11:43:26 -0600
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: new anti-virals (IBMPC)

Recent submissions for the IBMPC anti-viral archives sent to me.

killer.arc      Detects and removes Stoned virus
        No source code, no documentation, author unknown.  Use
        at your own risk.

pill.arc        Detects and removes Stoned virus
        No source code, no documentation, author unknown.  Use
        at your own risk.  I have included a rudimentary disassembly
        for your viewing pleasure.

vkill10.arc     Detects and removes Jerusalem virus
        Source (TurboC) for program to detect and remove Jerusalem
        virus.  No separate docs provided--read the code.  No
        executable provided.

Jim

------------------------------

Date:    Mon, 11 Dec 89 11:25:26 -0800
From:    dplatt@coherent.com
Subject: Re: WDEF Virus (Mac)

> "Jeff Shulman, the author of Virus Detective 3.1, recommends adding the
> following search string to detect the virus:
>
> CREATOR=ERIK & Resource WDEF & Any
>
> Virus Detective can also be used to remove the virus ......"
>
> Where or to what do we add the "following search string".  Please
> pardon my ignorance.

Assuming that you have a relatively recent version of VirusDetective,
you can open the desk accessory, click the "Modify Search Strings"
button (or enter command-M), type the above string into the one-line
field near the bottom of the search-string dialog box, click the "Add"
button to add the string to the working search criteria, and then
click the "Save" button to record the new criteria in the desk
accessory's long-term memory (in the System file).

You can then search disks, or individual Desktop files, using the
buttons in the desk accessory's main window.

If you're hunting for the WDEF virus, you should _not_ do so under
MultiFinder... run in the "uni-Finder" environment, launch an
application program (almost any will do), and then invoke
VirusDetective from within that application.  You should _not_ be
running the Finder (multi- or uni-) if you wish to remove the WDEF
virus from your Desktop file.

Disinfectant 1.4 is now available, by the way... it, also, can find
and eliminate WDEF.
- --
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt   DOMAIN: dplatt@coherent.com
  INTERNET:       coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303

------------------------------

Date:    Mon, 11 Dec 89 08:56:54 -0800
From:    Alan_J_Roberts@cup.portal.com
Subject: Poland Viruses/Oropax (PC)

        One of the five viruses submitted to McAfee by Andrzej Kadlof
appears to be the long-lost Oropax virus, at least according to Dave
Chess at IBM.  The virus matches the original descriptions exactly,
including length, infection mechanism, self identification technique,
host class and activation function. The Homebase group has always
considered the virus to be either extinct or a hoax, but Kadlof
insists it is active and common in the Eastern Bloc.  If this is true,
then it raises some interesting points about the epidemiology of
computer viruses.  How for example, can the Ping Pong virus be common
in Austria, but unknown in Checkoslovakia, a{nd the Oropax be common
in Checkoslovakia but unknown in Austria, while the Jerusalem is
rampant in both countries? (These two countries do, I Believe, share a
common border - if not forgive my geographic ignorance).
        Any information about the occurance of the Oropax in Europe or
the U.S. would be appreciated by the way.
Alan

------------------------------

Date:    11 Dec 89 11:36:35 -0800
From:    merkle.pa@Xerox.COM
Subject: Experimental one-way hash function

The one-way hash function, Snefru version 2.0, has been released for
general use.  It generates either a 128 bit or 256 bit output.

Previous discussions in this group have mentioned the X9.9 MAC
(Message Authentication Code) that involves a secret key.  Snefru is a
one-way hash function, and therefore does not use or require any
secret information.  Further, Snefru has substantially better
performance than any DES based system.

One-way hash functions have the property that it is computationally
infeasible to find two inputs that produce the same output.  Thus, if
I can authenticate the (128 or 256 bit) output, then I can
authenticate the large (perhaps megabytes) input that produced that
output.

The method of authenticating the output and the method of insuring the
integrity of the program computing the one-way hash function are
separate issues, not addressed by Snefru.

The C source for Snefru version 2.0 is available to anyone who wants a
copy via anonymous FTP from "arisia.xerox.com" (a Unix system at Xerox
PARC in Palo Alto, CA) in directory "/pub/hash".  The source files
are: hash2.0.c, standardSBoxes2.c, and testSBoxes.c.

An assembly language version written for the Sun SPARCstation 1 can
hash large files at a speed slightly faster than 8 megabits per
second.  This includes CPU time (as measured by the "time" command)
and excludes disk transfer time etc.

Snefru version 2.0 is still preliminary.  It has received only modest
security review.  It would seem prudent to use it only for
experimental or research purposes until it has received more
widespread scrutiny.  A significant purpose of this posting is to
invite such scrutiny.

     Cheers!
       Ralph C. Merkle
       Xerox PARC
       3333 Coyote Hill Road
       Palo Alto, CA 94304
       merkle@xerox.com

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253