VIRUS-L Digest   Thursday, 21 Dec 1989    Volume 2 : Issue 266

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

AIDS Fix - phone no.
Trojan AIDS: the AIDS program (PC)
Re: AIDS disk (PC)
AIDS Information Disk Technical Analysis available
Re: Gatekeeper and Gatekeeper Aid (Mac)
Holiday VIRUS-L/comp.virus interruption
Authentication
Invisible INITs - Don't (Mac)
Re: Gatekeeper and Gatekeeper Aid (Mac)
Artificial Life Workshop - final announcement!
Another AIDS disk recipient (PC)
Flu virus (PC)

---------------------------------------------------------------------------

Date:    20 Dec 89 17:07:18 +0000
From:    G.Toal@edinburgh.ac.uk
Subject: AIDS Fix - phone no.

The following has been sent to me for forwarding. The AIDS disk that my colleague received was 2.00 and arrived when all the others did. I have no other information about the AIDS Version 1.0 diskette.

Sam Wilson
Network Planning, Edinburgh University Computing Service

- --- Forwarded message:

Subject: AIDS Fix - phone no.
From: G.Toal @ uk.ac.edinburgh
Date: 20 Dec 89 16:00:54 gmt

>From Frank J Leonhardt. fjl@cix aka uab1018@dircon.UUCP

Here is some information about the Aids disc, gleaned from research done in London, which, judging from messages taken from the network and passed on to me from the Edinburgh Virus BB, you may not be aware of.

There are indeed two versions of the disc. There were a few, sent out about a month ago, labelled as version 1.0.
Most of them are labelled 2.0. The two versions are different.

There is a complete fix program available, which will totally unscramble your disc even if the trojan has done its stuff. Not easy when you consider how the encryption key was made up (i.e. out of free memory, date, MS-DOS version and so on). If you need this program you can get hold of it by 'phoning 01-831 9252 (PCBW offices) and asking for it. PCBW can also be found in the basement of 99 Grey's Inn Road, London, and would love some more copies of the discs, especially version 1.0.

The program to restore a smashed disc is called CLEARAIDS and will soon be available on "cix" in the conference "virus/files". CIX is a commercial system which us poor non-academics have to use instead of Janet. [OK Frank - I'll get you an ID. GToal]

Thanks to gtoal@uk.ac.ed for getting stuff on and off Janet for this.

Frank J Leonhardt. fjl@cix aka uab1018@dircon.UUCP

- --- End of forwarded message

------------------------------

Date:    20 Dec 89 16:36:00 +0100
From:    Klaus Brunnstein
Subject: Trojan AIDS: the AIDS program (PC)

The AIDS diskette contains 2 programs,

    INSTALL.EXE   146.188 Bytes   9-28-89   4:28p
    AIDS.EXE      172.562 Bytes   8-07-89  10:28p

the first of which is described by J.McAfee and others (INSTALL.EXE and its installed versions REM, SHARE) in VIRUS-L; this is the Trojan horse. The AIDS program itself contains a question/answering session with AIDS-related questions, where a `risk' (on 7 levels) is computed for the specific answers.

While most other groups are analysing the INSTALLed Trojan horse, one group at Virus Test Center Hamburg actually analyses the AIDS program. We have run several sessions, and we regard the program as *not very intelligent* from the Informatics standpoint, and *not highly reliable* from the medical standpoint (we will prove this with some medical experts; we received 4 copies from specialists in immunology, and 3 more copies from banks etc).
The AIDS program works rather linearly; the dialogue is done with simple multiple choices, where the 1st option is always HELP-text. If you analyse the HELP texts, they are not very specific (many of them may have been generated from an ordinary lexicon).

In section 1, BACKGROUND INFORMATION is gathered, e.g. residence country, sex, age (in 9 clusters), ancestors' origin continent, sexual behaviour (heterosexual, no sexual experience, homosexual or bisexual), and number of sex partners since 1980 (in 8 clusters from 0 to 100+) are asked. In section 2, MEDICAL HISTORY is examined, e.g. how many blood transfusions since 1980, active tuberculosis, drug injection, sexually transmitted diseases, sexual habits (use of condom..). For some positive answers, there may be additional details asked for. No mechanism is visible which safeguards the extensive personal data; on the other side, no data are gathered which may be used to authenticate a person and relate their name with the data gathered.

After an evaluation procedure (less than 1 minute on an AT), `you' are assigned to one of seven Levels of AIDS Risk (`no risk, very low risk, low risk, medium risk, high risk, very high risk, extremely high risk'). Depending on the list of answers, a PERSONAL ADVICE is given, e.g. stating `Your risk of exposure to the AIDS virus is low but presently increasing..', suggesting to use condoms, etc. Finally, you are asked to input YOUR COMMENTS (`Use the computer like a typewriter. Type anything that comes to your mind ... The computer will then analyze your remarks and respond to you with further comments..'). The answers are rather unspecific.

Based on some experiments (with more systematic testing to be done after having reverse-engineered the code), my best estimate is that the question-answering is done in typical BASIC style, and that the risk evaluation function is only very rudimentary (we received a 'low risk' for a young female drug addict).
The personal advice seems to be programmed from a few types of answers, and the analysis of Your Comments fails with even simple, AIDS-related questions.

The 'loose' relation between INSTALL/REM/SHARE and AIDS (probably influencing the catastrophic counter, evidently initialised at 90 and decremented during bootup) will very probably allow the INSTALL process to be used also *in connection with other 'interesting programs'*. With so many diskettes distributed, we may face similar (and maybe more serious) threats. I therefore appreciate J.McAfee's remark that he has included his ANTI-Trojan in his ANTIVIRUS tool. Though mixing up an Antivirus Tool with Anti-Trojan functions may produce new problems (e.g. misunderstanding the respective threats and the limitations of such tools), I suggest that other antivirus tools should also contain a diagnostic feature for Trojan AIDS.

Evaluating the given situation, I conclude that the business procedure (e.g. the distribution of diskettes) was professional, and that the Trojan horse's mechanisms were rather intelligent, though some parts of INSTALL/REM/SHARE are primitively linearly programmed, e.g. the `encryption' part. The AIDS program is of neither good programming nor medical standard.

Klaus Brunnstein

- -----------------------------------------------------------------------
Postal Address: Prof.Dr. Klaus Brunnstein
                Faculty for Informatics, Univ.Hamburg
                Schlueterstr.70
                D 2000 Hamburg 13
Tel:            (40) 4123-4158 / -4162 Secr.
ElMailAdr:    Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de
FromINTERNET: Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@Relay.CS.Net
FromBITNET:   Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@DFNGate.Bitnet
FromUUCP:     brunnstein%rz.informatik.uni-hamburg.dbp.de@unido.uucp
- -----------------------------------------------------------------------

------------------------------

Date:    Wed, 20 Dec 89 18:33:56 +0000
From:    Phil OKunewick
Subject: Re: AIDS disk (PC)

attcan!ram@uunet.UU.NET (Richard Meesters) writes:
>martin@EASBY.DURHAM.AC.UK (Martin Ward) writes:
>> I feel that I should point out that the effects of this disk are
>> entirely in accordance with the standard warranty used by most
>> commercial software developers...
>
>...Warranty implies that the product was purchased and you are following the terms of the purchase agreement. The trojan runs for a time and then demands that you pay for the product...
> ...kidnaps your data and holds it for ransom.
>
>Illegal, or at least extremely Immoral (presumably the former).

Illegal in the United States, which may be why they didn't try to spread it here. According to the regulations of the U.S. Postal Service, if you receive something through the mail which you have not ordered, then you automatically own it. If this were not enforced, then many of these annoying organizations that send us ads for junk products would instead be sending us the junk products, along with a bill for their trash.

Does the U.K. have a similar law?

- --
---Phil
(erutangis. ruoy naht daer ot redrah si erutangis. yM)

------------------------------

Date:    Mon, 18 Dec 89 11:14:02 +0000
From:    Alan Jay
Subject: AIDS Information Disk Technical Analysis available

The following Article was submitted by Alan Solomon for distribution on CONNECT and USENET. It relates to the AIDS Information Disk and gives extensive technical details of the disk and the AIDS program. This article is 1800 lines long.

Dr Alan Solomon is Chairman of the IBM PC User Group, London.
Alan Jay -- The IBM PC User Group -- PO Box 360, HARROW HA1 4LQ -- 01-863 1191

[Ed. Due to its length, the document has been forwarded to the comp.virus documentation archive sites.]

------------------------------

Date:    Wed, 20 Dec 89 16:30:16 -0500
From:    dmg%retina.mitre.org@IBM1.CC.Lehigh.Edu (David Gursky)
Subject: Re: Gatekeeper and Gatekeeper Aid (Mac)

In VIRUS-L Digest V2 #265, "Carl_A.Fassbender" was asking why the Gatekeeper & Gatekeeper Aid icon did not show up after he made the files invisible. The Mac OS does not load INITs that are part of files with the Invisible bit set. [Editorial comment: Hey Apple! Why?????] If you want to have Gatekeeper active, you must have the file visible on the desktop.

------------------------------

Date:    Wed, 20 Dec 89 16:26:53 -0500
From:    Kenneth R. van Wyk
Subject: Holiday VIRUS-L/comp.virus interruption

With the Holiday season approaching, VIRUS-L/comp.virus will be rather intermittent during the next week. I will be in the office until Friday, December 22 and out for the entire next week. However, I will be logging in from home periodically and sending out the occasional digest (as demand dictates).

Remember that urgent messages, as always, can be sent to VALERT-L@IBM1.CC.LEHIGH.EDU. Please do not use VALERT-L for discussion - VALERT-L was created due to requests from people who wish to keep up with virus activity only, not discussions. All followup and subsequent discussions should be sent to VIRUS-L/comp.virus.

Also, the Computer Emergency Response Team (CERT) can be reached via email (monitored daily) at cert@sei.cmu.edu or (for more urgent problems) 24 hours a day at (412) 268-7090 for Internet related security incidents.

Holiday Cheers and Best Wishes to all!

Ken

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@SEI.CMU.EDU
(412) 268-7090 (24 hour hotline)

------------------------------

Date:    Wed, 20 Dec 00 19:89:52 +0000
From:    greenber@utoday.UU.NET (Ross M. Greenberg)
Subject: Authentication

Bob Bosen, of Enigma, comments in VL V2#265 further about the need for X9.9 as the level of sophistication required of an authentication scheme. I'm not sure he's right.

Let's look at two different usages for authentication schemes: one, to determine if a program is what you expect it to be during a "global" scan, one to determine if the program is what you expect it to be immediately before it is run. A subset of the second portion above is whether a program can contain a self-checker -- a portion that checks itself when it is run.

I propose that self-checkers, while useful, are meaningless: by the time a self-checker's checking code is run, the virus or trojan's damage is already done. Additionally, what prevents the virus/trojan from removing itself from the host file and/or memory before the self-checker runs? Therefore, self-checking programs are not really worthy of further comment.

Case 1, above, when a scanning program checks a file's signature against a supposed signature, is good stuff. Yet, you must prepare yourself for a long initial time to build the original authentication database -- the more complex the scheme, the longer such a check will take. There's a commercial anti-virus program out there already that does some sort of authentication check on every executable on your disk (PC-based). On a full disk, it can take something like three hours to run on an XT machine. X9.9 might be a good approach, but if it takes even that long, and not longer, you simply won't get people using it -- regardless of how wonderful it is. If I have to run such a beast each morning, I'll pass.
I think most commercial users would bypass a long wait -- they do, after all, have some work to do.

What about a checker that checks only that a file you're about to run is what you expect, then? This *may* be worthy of comment (heck, my own code does that! :-) ), but it depends on how long it takes. If it takes me ten minutes to load Word Perfect on my trusty 4.77MHz, run a sophisticated authentication check against it and then finally get to run it, well, my boss is not going to be too happy.

So, the more sophisticated the algorithm, the less likely it is to be used. I know this from my own beta testers for a new release of my own product: they felt that the more sophisticated checker, although nice and more trustworthy, simply took too long to run. Given a choice, and they make their choices known with their payments, they opt for one that's "good enough".

What's a programmer to do, then? My suggestion is easy: forget those who claim that sophisticated checkers are what we need -- they may be right, but there are many drawbacks to them, and we all still have work to do! Forget those who claim that their solution is the only solution. But, I'd rather have two unrelated and unsophisticated algorithms that the "bad guy" knows nothing about, than one "unbeatable" algorithm that goes unused. Since there are umpteen different ways that such checkers could be written, the odds of two such routines generating the same results given a change in the source are pretty darned small. And, if you're still in doubt, then run a third or fourth or 20th checker.....

Ross M. Greenberg

Ross M. Greenberg, Technology Editor, UNIX Today!
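The trade-off Greenberg argues above (a fast "unsophisticated" checker the bad guy knows nothing about versus a slow X9.9-style keyed scheme) turns on what happens once the bad guy does know the checker. The following is an added example, not code from the digest, from Greenberg's product or from any other program named in it: it baselines a program image with a plain CRC-32, applies a trojan edit, and then "repairs" the CRC by appending four computed bytes, which a keyed MAC (HMAC-SHA-256 stands in here for an X9.9-style MAC) still catches. The CRC choice, the key and the sample program image are assumptions constructed for the illustration.

```python
"""Unkeyed checksum versus keyed MAC as an executable-integrity check.

Added example; not code from the digest or from any product named in it.
Assumptions: the 'unsophisticated' checker is a plain CRC-32 over the
program image and the attacker has learned that much; the 'sophisticated'
alternative is a keyed MAC (HMAC-SHA-256 as a stand-in for X9.9).  The
program image, the trojan edit and the key are constructed sample data.
"""
import hashlib
import hmac

# Reflected CRC-32 table, polynomial 0xEDB88320 (the same table zlib uses).
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)

# Each table entry has a distinct top byte; that is what makes the
# backward walk in forge_crc32() unambiguous.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def crc32(data: bytes) -> int:
    """Standard CRC-32; gives the same value as zlib.crc32(data)."""
    reg = 0xFFFFFFFF
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg ^ 0xFFFFFFFF


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that crc32(data + p) == target.

    Feeding four bytes whose table indices are i0..i3 leaves the register
    at TABLE[i3] ^ TABLE[i2]>>8 ^ TABLE[i1]>>16 ^ TABLE[i0]>>24, whatever
    it held before.  So the indices follow from the target alone (walk
    backwards, one top byte at a time), and the bytes that select those
    indices are then read off the real register after `data`.
    """
    indices = [0] * 4
    reg = target ^ 0xFFFFFFFF            # register value we must end on
    for k in (3, 2, 1, 0):
        i = TOP_BYTE_TO_INDEX[reg >> 24]
        indices[k] = i
        reg = ((reg ^ TABLE[i]) << 8) & 0xFFFFFFFF
    reg = crc32(data) ^ 0xFFFFFFFF       # real register after the data
    patch = bytearray()
    for i in indices:
        patch.append((reg ^ i) & 0xFF)   # byte that makes the index come out as i
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(patch)


def crc_check(baseline: int, image: bytes) -> bool:
    """The unkeyed 'is this file what I expect' test."""
    return crc32(image) == baseline


def mac_tag(key: bytes, image: bytes) -> bytes:
    """Keyed MAC over the image; the key is not stored beside the program."""
    return hmac.new(key, image, hashlib.sha256).digest()


def mac_check(key: bytes, baseline: bytes, image: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, image), baseline)


def demo() -> dict:
    """Baseline a clean image, trojan it, 'repair' the CRC with four
    appended bytes, and report which checks still catch the change."""
    clean = b"MZ\x90\x00" + b"clean program body " * 40   # constructed sample
    trojaned = clean.replace(b"clean", b"evil!", 1)        # attacker's edit
    key = b"defender-only secret"                           # constructed key
    crc_base, mac_base = crc32(clean), mac_tag(key, clean)
    patched = trojaned + forge_crc32(trojaned, crc_base)
    return {
        "crc_catches_plain_edit": not crc_check(crc_base, trojaned),
        "crc_fooled_by_4_byte_patch": crc_check(crc_base, patched),
        "mac_catches_patched_file": not mac_check(key, mac_base, patched),
        "patch": patched[-4:],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the file to see the three verdicts. The CRC catches the plain edit but is satisfied again by four appended bytes computed in microseconds, so its worth rests entirely on the attacker not knowing the algorithm, which is the assumption Greenberg's proposal leans on; the same holds for any other linear checksum once its definition is known. The keyed MAC moves that secret into a key that does not sit on the disk next to the program, at the cost of the extra per-file time he objects to.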
greenber@utoday.UUCP  594 Third Avenue, New York, New York, 10016
Voice:(212)-889-6431  BIX: greenber  MCI: greenber  CIS: 72461,3212
To subscribe, send mail to circ@utoday.UUCP with "Subject: Request"

------------------------------

Date:    Wed, 20 Dec 89 16:51:15 -0500
From:    Joe McMahon
Subject: Invisible INITs - Don't (Mac)

Any file which is invisible will not be checked for INIT resources. This means that GateKeeper and GateKeeper Aid are *not working* because they have not gotten to install their hooks. System 6.0.2 (I think) was the first System to add this check to the INIT mechanism; this was done to help combat the Scores virus's famous invisible "Desktop" and "Scores" files, which contained INITs.

Summary: Make INITs and cdev's invisible, and any INITs they install won't work.

--- Joe M.

------------------------------

Date:    20 Dec 89 22:34:09 +0000
From:    coherent!dplatt@ames.arc.nasa.gov (Dave Platt)
Subject: Re: Gatekeeper and Gatekeeper Aid (Mac)

YOOPER@MSU.BITNET (Carl_A.Fassbender) writes:
> In Michigan State University's public laboratory, we have run into
> many viruses including the WDEF virus. We decided to put Gatekeeper
> and Gatekeeper aid on our system disks. To protect these files from
> being erased, they were made invisible using MacTools. Now in the
> control panel, the Gatekeeper icon does not show up. Question: Does
> this mean that Gatekeeper is not active? What about Gatekeeper Aid?

Apple's System 6.0 and later will not execute INIT resources which reside in invisible files. This was done to prevent viruses (e.g. SCORES) from dropping invisible INIT files into the System folder. By making the Gatekeeper and Gatekeeper Aid files invisible, you've rendered them inoperative.

You can, if you wish, make the whole System folder invisible; this won't prevent the system from booting and won't prevent Gatekeeper etc. from installing themselves. For lab machines, this is often a reasonable approach.
- --
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt        DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa, ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303

------------------------------

Date:    20 Dec 89 22:29:59 +0000
From:    cgl@lanl.gov (C G Langton)
Subject: Artificial Life Workshop - final announcement!

FINAL ANNOUNCEMENT !!!!

                            ARTIFICIAL LIFE
                            ---------------

A workshop on the synthesis of living and evolving artifacts.

February 5-9, 1990
Santa Fe, New Mexico

Sponsored by
------------
The Center for Nonlinear Studies, LANL
and
The Santa Fe Institute

Self-Organizers
---------------
Doyne Farmer
Chris Langton
Steen Rasmussen
Charles Taylor

Artificial Life has only recently emerged as a coherent field of scientific research. Its primary methodological approach is to study life and evolution by attempting to actually create living and/or evolving processes within computers, beakers, or other ``artificial'' media. Its primary goal is to abstract the ``logical form'' of life from its material basis - and to construct a truly general theory of living systems, one which will be capable of treating life wherever it is found in the universe and whatever it is made of. ``Artificial'' Life can contribute to the study of ``real'' life by helping to locate life-as-we-know-it within the larger context of life-as-it-could-be, in any of its possible incarnations.

This will be the second workshop on the topic of Artificial Life. The workshop will include invited and contributed talks, demonstrations, and discussions on the many scientific, technical, philosophical, and moral issues surrounding the increasing attempts to synthesize life artificially. We will also have an artificial ``4H show'' with prizes for the best artificial life-forms.
Specific investigations in the field of Artificial Life include attempts to synthesize, simulate, or otherwise recreate the following:

- the emergence of autocatalytic sets within soups of artificial polymers;
- the evolution of strings of code using Genetic Algorithms;
- self-reproducing bit-strings, clay-crystals, RNA molecules, or LEGO-robots;
- the emergence of cooperativity, colonial organization, multi-cellularity, and hierarchical organization;
- the embryological processes of growth, development, and differentiation;
- the emergence of social behavior in populations of artificial insects;
- the emulation of population and ecosystem dynamics;
- the implementation of artificial environments, logical universes, or ``virtual realities'' sufficiently rich to support the open-ended evolution of embedded ``organisms'';
- cultural evolution, including the origin and evolution of socio-cultural institutions, and the evolution of natural language in its role as a vehicle for cultural inheritance;
- the dynamics of self-propagating information structures such as biological and computer viruses;

Many of the investigations mentioned above will be reported on or discussed at the workshop. We expect that there will also be plenty of debate on the question of whether or not symbolic processes within computers can be considered ``alive'' in principle, or whether they could be capable of participating in anything like truly open-ended evolution. These debates will probably parallel to a large extent the debates in the AI community on whether processes within computers can be considered to be ``intelligent'' or ``conscious.''

We are also encouraging presentations and/or debates on the moral and social consequences of achieving the capability to create living things.
The mastery of the technology of life will easily overshadow any of our previous technological accomplishments - even our mastery of the technology of death - in terms of the burden of responsibility which it places on our shoulders. As was the case for the mastery of atomic fission and fusion, the potential abuses are directly proportional to the potential benefits. Once again, we are in a position where our technical understanding of nature is far in advance of our understanding of the potential consequences of mastering or deploying the technology. This is not an enterprise to be undertaken lightly, or to be pursued in the cause of such shortsighted goals as fleeting military advantage.

The increasing spread and sophistication of computer viruses is evidence both of the imminence of this new era in the history of life, and of the complexity of the problems and issues that will be facing all of us in the not-too-distant future.

We welcome your presence and contribution on any aspect of Artificial Life that you consider worth presenting or discussing with others who are interested in such issues. Whether you are a scientist, an engineer, a philosopher, an artist, or just a concerned citizen, we feel that ALL points of view need to be aired at this early stage in the evolution of Artificial Life.

For further information and/or registration materials, contact:

Andi Sutherland
The Santa Fe Institute
1120 Canyon Rd.
Santa Fe, New Mexico 87501
505-984-8800
andi@sfi.santafe.edu

The deadline for contributions is Dec. 31, 1989. Registrations for the workshop will be accepted right up to the date of the workshop. Some limited financial assistance will be available for the truly needy.
The proceedings of the first Artificial Life Workshop, held at the Center for Nonlinear Studies, Los Alamos, New Mexico in 1987, are available from Addison Wesley: "Artificial Life: The proceedings of an interdisciplinary workshop on the synthesis and simulation of living systems", edited by Christopher G. Langton, Volume #6 in Addison Wesley's `Santa Fe Institute Studies in the Sciences of Complexity' series. They can be ordered toll free by calling 800-447-2226. The order codes are:

Hardback  (about $40)  ISBN 0-201-09346-4
Paperback (about $20)  ISBN 0-201-09356-1

------------------------------

Date:    Thu, 21 Dec 89 02:36:00 +0700
From:    MARCO VAN DEN BERG / IRRI
Subject: Another AIDS disk recipient (PC)

Just to complete the picture: at our institute here in the Philippines we have so far received two copies of the AIDS disk as well, but neither of them was installed on a user's machine (thanks to the warnings from this (now) esteemed forum). Please note that it is extremely likely that many folks in international organizations (UN, World Bank, etc.) will be sent this disk when they have ever dropped a business card at some computer show.

By the way, I *really* think the US reaction is a little overdone, I'm sure that Noriega doesn't even know a keyboard from an M16...

Marco van den Berg
International Rice Research Institute
Los Banos
The Philippines
CGI402%NSFMAIL@INTERMAIL.ISI.EDU or BROERS@RCL.WAU.NL

------------------------------

Date:    Thu, 21 Dec 89 10:46:26 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Flu virus (PC)

I just received a message from Australia, describing "Flu", a new virus, that uses a good deal of self-modifying code. Does anyone have more information?

- -frisk

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253