VIRUS-L Digest             Monday, 6 Feb 1989        Volume 2 : Issue 36

Today's Topics:
re: Malicious program classification
Locking out floppy drive boot (PC)
RE: floppy boot (PC)
courses in viruses
re: Hardware lock (PC)
Re: Mac Gatekeeper problems
Virus Attack (PC)
INIT 29 Virus (Mac)
Sneak Virus (Mac)
(c) Brain Virus (PC)

---------------------------------------------------------------------------

Date:    3 February 89, 12:15:38 +0100 (MEZ)
From:    Otto Stolz
Subject: re: Malicious program classification

Hello fellow-huntsmen,

> A kind of "standard notation" [...] in a single sequence of characters.

We should definitely use consistent terminology, but let it not be too terse. You should be able to understand a program-description without referring to some "code-book".

> three kinds of programs - Trojans, worms, and viruses [...]
> CHRISTMA.EXEC would be a fWOR (as far as I know) under this notation.

The term "worm" is widely used (as far as I'm aware) for a program that spreads over a network without human intervention, using the RJE services of the network. (The Internet-worm exploited a bug in the "fingerd" program, and a backdoor in the "sendmail" program, both providing unauthorized, RJE-like services.)

CHRISTMA EXEC was definitely not a worm, but something which doesn't fall within one of Ken H's categories: It was a Trojan horse whose unexpected action involved sending copies of itself all around the network; hence, it depended on human intervention, as any virus or Trojan. Supposedly, the term "rabbit" I read recently in a survey was meant to apply to this sort of beast? (Btw: I'm still waiting, eagerly, for the results of that survey to be published in VIRUS-L ...)

Hence, we should adopt a more complete terminology for our zoo!

> three methods of activity - hardware, error, and feature exploitation

In my opinion, this distinction is not so important for (short-range) virus/worm/&c defeating; it bears more on (long-term) strategies for systems-architecture developing.
Moreover, most virus strains do not fall neatly within one of these categories. (Somehow, the hardware is exploited by every piece of code, isn't it? :-) Hence, I'd drop this issue for virus catalogues, alerts and the like.

However, Ken H has not mentioned a much more important distinction in the modes of operation. If we adopt some formalism, we definitely should include this one: Link-virus vs. System-Virus. This distinction only applies to viruses, dividing them into two sub-categories.

-- A link virus incorporates itself into application-programs or system parts which are invoked like application-programs (e.g. COM, EXE, and OVL files in MS-DOS; MODULEs in CMS). If some virus only incorporates itself into application-programs of some particular form, this behaviour should be accounted for in the term (e.g. Blackjack is a COM-virus for MS-DOS).

-- A system virus incorporates itself into a part of the operating system that is invoked in some particular way (e.g. a Boot-Sector Virus, a COMMAND.COM-Virus, or a KEYB.COM-Virus in MS-DOS).

Maybe there are similar distinctions to be drawn in other areas, e.g. for worms. Opinions?

Btw, a German group around Prof. Klaus Brunnstein at Hamburg is currently evaluating a sample of various virus strains for Amiga, Macintosh, Atari, and MS-DOS systems (about two dozen, altogether) and of anti-virus software. They have started compiling two catalogues (virus/antivirus) and publishing them on a BB in Germany. The distinction between "link" and "system" virus stems from them. They also have started translating their catalogue to English. I suppose they are currently checking with Ken [vW, this time] whether it can be made available on LISTSERV at LEHIIBM. We'll probably read more of this endeavour, shortly.
Good hunting!
Otto

------------------------------

Date:    Fri, 3 Feb 89 09:49:24 EST
From:    "Bret Ingerman 315-443-1865"
Subject: Locking out floppy drive boot (PC)

James Ford asks about locking a hard disk to always boot from drive C: but still have drive A: available. It depends on the type of computer. We have a Zenith AT that can easily be set up to do this. By pressing "ALT-CTRL-INS" a configuration menu pops up. You can then specify what drive to boot from. You can specify always boot from drive A:, always from C:, or to try A: first and then C:.

Hope this helps.

Bret Ingerman
INGERMAN@SUVM.bitnet
Syracuse University

------------------------------

Date:    Fri, 3 Feb 89 09:50 MST
From:    GORDON_A%CUBLDR@VAXF.COLORADO.EDU
Subject: RE: floppy boot (PC)

re: computers booting from drive C instead of Drive A:

I presume that you have some sort of IBM PC compatible system. The boot process is controlled by the BIOS which is on a ROM chip on the motherboard. In older PC's and for example the old COMPAQ portables, the BIOS was not written to recognize a hard drive. Thus an upgrade is required. That is, you need to purchase a new version of the BIOS. In the old COMPAQ portables, this costs about $50. In addition, you may need to replace the power supply as well.

Allen Gordon

------------------------------

Date:    Fri, 3 Feb 89 14:00 EST
From:    Les Gotch
Subject: courses in viruses

In reply to Stan Horowitz's question about COMPUSEC courses at universities on December 16, 1988:

The Information Security Education Office of the National Security Agency has worked with members of the academic community and developed several Computer Security Education Modules. They were designed for inclusion in college curricula and range from lower undergraduate courses through graduate level. The undergraduate modules can be incorporated into the existing course structure of a computer science, engineering, business, or information science department's curriculum.
The following Computer Security undergraduate modules are intended to be used in either a computer science or engineering curriculum. They are entitled: Introduction to Information Protection, Database System Security, Network Security, Formal Specification and Verification, Operating Systems Security, and Risk Analysis. These modules are available for any university or college upon request.

In addition, there are seven Information Security undergraduate modules designed to stand alone as a course or comprise part of a business or information science curriculum. The modules include: PC/Workstation Security, Security Fundamentals, Introduction to Information Protection, Information Security Legislation and Liability, System Security, Communications Security, and Corporate Security Management.

The University of Maryland's Engineering Department is offering, during the spring 1989 semester, four computer security graduate courses. These courses are the first four of nine to be developed that permit a student to plan a degree program with a concentration in the area of computer security. They are entitled: ENEE 748A Architecture for Secure Systems, ENEE 748B Networking and Network Security, ENEE 748F Theoretical Foundations of Computer Security, and ENEE 748G Operating System Security.

Janet Meeks, (301) 859-4477

------------------------------

Date:    3 February 89, 20:11:49 +0100 (MEZ)
From:    Otto Stolz
Subject: re: Hardware lock (PC)

> is there any way to (hardware) fix drive "A" so that the computer will
> ... boot from C always, read/write from A and C ?

We use the "SafeGuard Plus" card for this purpose. It'll also fix drive B the same way. We never have experienced any boot-virus :-)

Otto

------------------------------

Date:    Fri, 3 Feb 89 21:37 GMT
From:    Danny Schwendener
Subject: Re: Mac Gatekeeper problems

>Observed Problems:
> 1. Gatekeeper *DOES NOT* register inside the Control Panel

You need to reboot the system first.
Apparently, the Gatekeeper cdev appears only if the INIT has been executed. At least, I had the same symptoms, which disappeared when I rebooted my system.

> - ID = 02
> - ID = 03
> - ID = 22
> - ID = 15

Once you get it to work, Gatekeeper prevents any non-authorised program from copying resources and/or changing file information. It just returns an error status code. It's up to the application to perform correct error handling. Unfortunately, many application programmers don't care a bit about error handling. They don't check if the things have been done as expected. In some cases, this will cause the application to crash.

Gatekeeper efficiently prevents abuses of the resource manager calls by any programs (including viruses). Programmers will find it extremely useful, because you can configure it to give full access to the resource manager to *some* programs, like compilers. HOWEVER, it takes much more time to have it tuned correctly.

I recommend Gatekeeper to those it was written for, Programmers. Other people should stick to the Vaccine CDEV.

-- Danny Schwendener
-- ETH Macintosh Support, ETH-Zentrum m/s PL, CH-8092 Zuerich
-- Bitnet : macman@czheth5a     UUCP : {cernvax,mcvax}ethz!macman
-- Ean : macman@ifi.ethz.ch     Voice : yodel three times

------------------------------

Date:    Fri 03 Feb 1989 17:12 CDT
From:    GREENY
Subject: Virus Attack (PC)

A virus which is purported to be of the BRAIN type has supposedly just hit EIU (Eastern Illinois University). Has anyone got any info on how to eradicate the bugger? I usually specialize in Mac stuff, but my school (WIU) and EIU are on the same network so they asked for help via a local Bulletin Board. Any info will be appreciated. Also, I already told them to snag a copy of NOBRAIN.C from the server...

Bye for now but not for long

Greeny
BITNET: miss026@ecncdc
Internet: miss026%ecncdc.bitnet@cunyvm.cuny.edu
Disclaimer: I only repeat what I hear that ain't classified!
------------------------------

Date:    03 FEB 89 21:12:33 CST
From:    RBCSCG05
Subject: INIT 29 Virus (Mac)

This "new" virus (to me at least) seems to be the most dangerous so far -- attacking even data files! Gone are the days of restoring applications only. Nevertheless, nothing may be available now to immunize against it or remove it, but I think it can be more easily detected than through RESEDIT and the like (especially since that is a dangerous application to pry through your disk and programs, even knowing what you are doing). Yes, I may be overly cautious, but you can never be when it comes to viruses.

A program called VCHECK creates checksums of your applications and creates a corresponding report which can be easily printed. After the first checksums are done, subsequent ones will use the previous one to see if anything has changed -- this includes if the applications may have been moved, renamed or duplicated. You will be shown those that may have changed.

VCHECK is by Albert Lunde at Northwestern University. The version I have is 1.3 (7/5/1988). I believe it is available at the VIRUS-L archive on the network BITNET. I do not remember where I got mine from, but I know it was off the BITNET network. After a SCORES virus hit me, I searched for any and all anti-viral software.

If you use a checksum method, keep the checksum document on a separate disk so it will not be possibly corrupted (viruses or otherwise).

Chris Osterheld

------------------------------

Date:    Fri, 03 Feb 89 19:27:29 PST
From:    Sam Cropsey
Subject: Sneak Virus (Mac)

Has anyone dealt with the sneak virus? Well we have it and I sure do not want it. If anyone has some info...please send it to me at: SAM@POMONA or SCROPSEY@PCMATH.

Thanks...

------------------------------

Date:    Fri, 03 Feb 89 19:34:31 PST
From:    "Sam Cropsey (Micro Coord. Pomona College)"
Subject: (c) Brain Virus (PC)

I know much has been written concerning the Brain virus on PC's.
However, I do not get the chance to read all that is published on this service. If anyone has some useful info on combatting the Brain, I would greatly appreciate the help. My address is SAM@POMONA OR SCROPSEY@PCMATH.

Thanks for your help...

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
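The checksum-and-compare approach Chris Osterheld describes for VCHECK in the "INIT 29 Virus (Mac)" message above, as an added example that is not part of this digest and is not VCHECK's code: it baselines a directory tree, then on a later run reports files that changed in place, appeared, disappeared, or turned up under a new name. SHA-256, the directory layout and the sample files are my assumptions; VCHECK's own checksum algorithm is not stated in the message.

```python
import hashlib, json, os, tempfile

def file_digest(path):
    """SHA-256 of the file's bytes (assumption; VCHECK's checksum is not stated)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return snap

def compare(baseline, current):
    """Classify every difference between the stored baseline and a fresh snapshot."""
    report = {"changed": [], "new": [], "missing": [], "moved": []}
    old_by_hash = {}
    for path, digest in baseline.items():
        old_by_hash.setdefault(digest, []).append(path)
    for path, digest in sorted(current.items()):
        if path in baseline:
            if baseline[path] != digest:
                report["changed"].append(path)  # same name, different bytes
        elif digest in old_by_hash:
            # identical bytes under a new name: renamed, moved or duplicated
            report["moved"].append((old_by_hash[digest][0], path))
        else:
            report["new"].append(path)
    moved_from = {src for src, _ in report["moved"]}
    report["missing"] = sorted(p for p in baseline if p not in current and p not in moved_from)
    return report

def demo():
    # Constructed scenario: baseline three files, then tamper with the tree and re-check.
    with tempfile.TemporaryDirectory() as root:
        files = {"apps/edit.exe": b"editor v1", "apps/calc.exe": b"calc", "docs/notes.txt": b"hi"}
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f: f.write(data)
        # The baseline belongs on a separate disk; a JSON round-trip stands in for saving it.
        baseline = json.loads(json.dumps(snapshot(root)))
        with open(os.path.join(root, "apps", "edit.exe"), "ab") as f: f.write(b"<appended bytes>")
        os.rename(os.path.join(root, "apps", "calc.exe"), os.path.join(root, "apps", "calc2.exe"))
        with open(os.path.join(root, "docs", "new.txt"), "wb") as f: f.write(b"x")
        return compare(baseline, snapshot(root))
```

The appended bytes on edit.exe stand in for an application whose code has been altered; untouched files such as notes.txt produce no report line at all.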