VIRUS-L Digest   Friday, 19 Jan 1990    Volume 3 : Issue 15

Today's Topics:

Academic Press makes good! (PC)
Hard Drive Overlord (PC)
Re: Spool... Bug or Virus, what is more harmful
Re: Shrink-Wrapped Software
Re: Internet worm writer stands trial (Internet)
Re: Internet worm writer stands trial (Internet)
Ethical Judgement of the Internet Worm
fractal disk infection (PC)
WDEF at University of Oregon (Mac)
New anti-virals uploaded to SIMTEL20 (PC)
McAfee Included in top 100
Re: virus scanning
Re: Some more thoughts on shrink-wrapped software...
Shrink-wrapped SW

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 18 Jan 90 13:33:40 -0500
From:    IRMSS100@SIVM.BITNET
Subject: Academic Press makes good! (PC)

Well, Academic Press finally came through!

You will recall that the Barnsley DESKTOP FRACTAL DESIGN SYSTEM, sold
through Academic Press, was infected with a virus named "1813".  At
the time I reported this to Academic Press's Customer Service
department, they knew about the problem.

Yesterday I received a letter from them dated January 12 (about 2 days
after I reported the virus) noting that some copies of the program are
"suspected of carrying a computer virus."  The letter directs
purchasers to call the Customer Service Department to order a clean
copy and get directions for how to clean up your system.
I'm not sure why it took them so long, but at least AP is taking
responsibility.  I imagine their senior executives are holding their
aching heads and wondering why they decided to enter the software
publishing business.  Books never require product recalls.

+-----------------------------------+---------------------------+
|   ___                             | Barbara Weitbrecht        |
|  (__  \  / \                      | Computer Specialist       |
|  ___)EAL\/\/ YF   >-===-:}        | Smithsonian Institution   |
|         /                         | IRMSS100 @ SIVM           |
+-----------------------------------+---------------------------+
| The Sealwyf is a shape-shifter -- a woman in a seal's skin.   |
+---------------------------------------------------------------+

------------------------------

Date:    Thu, 18 Jan 90 13:04:21 -0500
From:    Jim Kenyon
Subject: Hard Drive Overlord (PC)

I am trying to get information on a programme called Hard Drive
Overlord which is published by A.B. Data Sales, Inc. of Saskatoon,
Saskatchewan, Canada.  It comes with five modules and seems to be
similar to GateKeeper (Mac) in function.  With all the discussion on
the list about software, it's hard to imagine why this one hasn't been
mentioned before.

Please reply directly to me and I'll post a summary back.

Jim Kenyon                        NetNorth: tghvet@vm.utcs.utoronto.ca
Director, Veterinary Services     CONNECT:  Macvet
The Toronto Hospital
Toronto, Ontario, Canada
(416) 340-4652

------------------------------

Date:    Thu, 18 Jan 90 08:40:03 -0500
From:    Geraldo Xexeo
Subject: Re: Spool... Bug or Virus, what is more harmful

Some Digests ago there was a message saying that our errors are more
dangerous than viruses.  Could both of them be viewed in the same
perspective?  Could "vaccines" be developed for both?

Second Point: Lately I have been receiving lots of RETURNED NETWORK
from LISTSERVERS.  I think that it could cause, in an extreme case,
traffic so large in the net that it would collapse.

Question: In this case, will the LISTSERV be considered a Virus
(expecting to get active)?
Or are the users that don't disconnect themselves from servers guilty
of bad use (non-ethical) of a computer program?

Although it is not the place, I suggest that LISTSERVERs receive an
ANTI-MESSAGE protection to solve this specific problem, but I'm
worried about the generalization of this question.

Geraldo Xexeo
COS20001@UFRJ.BITNET

[Ed. Believe it or not, LISTSERVs actually attempt to parse incoming
mail to determine whether it is a bounced error message (in which case
the mail gets forwarded to me...) or a legitimate posting.
Unfortunately, postmasters and sites don't use any standard format
error message, and the LISTSERV occasionally is "tricked" into
believing that an error is actually a message for the list.  Instant
loop, just add water.  Those of you on VALERT-L may be relieved to
know that I *think* that the problem is fixed.  I know, I know -
famous last words...  :-)]

------------------------------

Date:    18 Jan 90 20:58:44 +0000
From:    Bernie Cosell
Subject: Re: Shrink-Wrapped Software

ensys.ensys.com!silvlis.com!msm@sgi.sgi.com (Michael S. Maiten) writes:

}WHMurray@DOCKMASTER.ARPA writes:
}> Users can protect themselves
}> and discourage this risky practice by refusing to deal with retailers
}> that offer them the right to return.

}Stores that offer return policies are exactly the ones with whom I do
}deal, since it is almost impossible to see if the software will meet
}my needs by reading the box or trying out the store demonstration
}copy.  What they should do is to be more careful when accepting the
}returned items (check for missing materials, and check for infection
}of the disks) before returning the person's money.

Actually, isn't this almost totally trivial for the store --- all they
need to do is, before they re-shrink-wrap, do a sector-by-sector,
byte-by-byte comparison of the *entire* disk(s) that were returned
against a master set the store keeps.  It doesn't seem hard, and
surely cannot take long, and as far as I can tell totally eliminates
the problems.
  /Bernie\

------------------------------

Date:    Thu, 18 Jan 90 17:57:47 +0000
From:    "Ralph Treitz"
Subject: Re: Internet worm writer stands trial (Internet)

It was interesting to hear about the sequel of the Internet-worm-story.
Since our newspapers didn't mention anything about the trial, I'd like
to hear in this newsgroup what's going on, and what will happen to
Mr. Morris.

Thanks.

+----------------------------------+----------------------------------------+
! Ralph Treitz                     ! Phone:  +49 6227 - 34 - 1641           !
! S.A.P. AG                        ! Fax:    +49 6227 - 34 - 1282           !
! SAA-C                            ! Telex:  466 004 sap d                  !
! Max-Planck-Str. 8                !                                        !
! D-6909 Walldorf/Baden            ! E-Mail: rt@sapwdf.uucp                 !
! West-Germany ( F.R.G. )          !         ...uunet!unido!sapwdf!rt       !
+----------------------------------+----------------------------------------+

------------------------------

Date:    18 Jan 90 22:34:50 +0000
From:    rubinoff@linc.cis.upenn.edu (Robert Rubinoff)
Subject: Re: Internet worm writer stands trial (Internet)

biar!trebor@uunet.uu.net (Robert J Woodhead) writes:
> [...] In my circle of admittedly bright and educated friends, not
>a single one has, to my knowledge, ever been accepted for jury duty.

Well, I've never met RJW, so I don't qualify as a friend of his, but
I'm a PhD student in Computer Science at Penn, so I'm definitely
educated and presumably bright as well (at least I like to think so).
I was just selected to serve on a jury even though I mentioned during
the selection process that I was a PhD student.  So I guess it's not
impossible.

   Robert

------------------------------

Date:    Thu, 18 Jan 90 15:07:00 -0500
From:    WHMurray@DOCKMASTER.ARPA
Subject: Ethical Judgement of the Internet Worm

>From VIRUS-L:

>My point is, this trial doesn't eliminate the necessity of an
>ethical judgement.  Maybe what he did is not a crime, but is clearly
>a violation of ethical aspects of computer use.
I suspect the conclusion of the authorities at Cornell that young
Morris acted with "reckless disregard" for the consequences is the
closest that we will ever get to an ethical judgement about his
actions.

>I suggest that an ethical code, similar to the ethical code in
>medicine should be developed.  I suppose that ACM has one, but is not
>the same.  ACM didn't control the exercise of the computer activities.

Of course the ACM does have such a code, and it is likely that young
Morris has or would subscribe to it.  However, it did not deter him.

Since his lawyer plans for him to testify, we will likely get to hear
his rationale for his behavior.  However, I doubt that he seriously
considered the ethics of his actions until confronted with the
consequences.  Had he done so, I am not sure that it would have
altered his behavior.  Like many of his defenders in the net, I
suspect that he would have seen it as ethical, or as not an ethical
issue.

There does not seem to be a consensus among his contemporaries that
that kind of behavior is reprehensible.  Neither does there appear to
be a consensus among them that they have an interest in an orderly
playground.

Note that though Morris aspires to be a professional in the field, and
is, therefore, subject to professional sanctions, most of his
contemporaries who use computers have no such aspirations and are not
subject to such sanctions.

It seems equally clear that this profession does not have sufficient
integrity to invoke such sanctions.  Though Cornell concluded that he
did it (and he does not deny it), they have said that he is eligible
to re-apply for admission to continue his studies.  Other
"responsible" members of the profession have been willing to employ
him.  Thus his contemporaries could conclude that, while such actions
might be in technical violation of the ACM's code, they are not in
violation of community standards.
If the profession and society are to be protected from such impolite,
disorderly, and destructive behavior, then we must reach a collective
conviction we are prepared to consistently support in both voice and
action.  In the absence of such a consensus, we can expect more of the
same.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    Thu, 18 Jan 90 19:49:49 -0000
From:    LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: fractal disk infection (PC)

TO ANYBODY FIGHTING THE JERUSALEM/1813 VIRUS ON THE "DESKTOP FRACTAL
DISK"

There are two articles which explain the action of the virus and give
details of anti-viral programs to eradicate it:

Joe Hirst      Getting inside PC viruses.  Tech PC User May 1989 v1 n9 p22(5)
Powis, Kevin   Programs to fight viruses.  Tech PC User May 1989 v1 n9 p31(3)

The program to fight Jerusalem/1813 is called 1813BR, it's PD and you
can get it from the CoTRA conference on CIX

Rgds,
Iain Noble

------------------------------

Date:    Thu, 18 Jan 90 13:44:00 -0800
From:    "Hervey Allen"
Subject: WDEF at University of Oregon (Mac)

Since people seem to be reporting occurrences of the WDEF virus,
hopefully to track its spread, I will throw in my two cents worth.

The WDEF virus was reported in the student computer lounge around
January 8th.  The virus was removed using Disinfectant 1.5.  The
computer lounge has a voluntary virus check station.  The WDEF virus
has been detected and removed a number of times since the 8th.

I am writing from the University of Oregon Academic Computing Center.
We have not seen the WDEF virus yet.  We scan numerous disks that are
brought into our public printing and public domain (both for
Macintosh) stations.  We have exclusively seen Nvir A and B.  I
informally track virus reports from around the city (Eugene, Oregon)
and have only received reports of Nvir A and B.
On the PC side I have dealt with the Jerusalem virus once, and the
Ping-Pong virus once.  The Jerusalem virus was spread from a BBS in
Portland, Oregon.  No other PC viruses have been reported to our
center.  Obviously, we have been lucky, so far.

One of my duties is virus removal and prevention for PC and Macintosh
at our center.  I receive numerous calls for information and help from
the campus community and the community in general.

Hervey Allen        | University of Oregon
Student Programmer  | Academic Computing
                    | HALLEN@Oregon.uoregon.edu (internet)
                    | HALLEN@OREGON.Bitnet (Bitnet)

------------------------------

Date:    Thu, 18 Jan 90 21:06:00 -0700
From:    Keith Petersen
Subject: New anti-virals uploaded to SIMTEL20 (PC)

I have uploaded the following files to SIMTEL20:

pd1:
CLEANP55.ARC    Universal Virus disinfector, heals/removes
SCANV55.ARC     VirusScan, scans disk files for 60 viruses

These programs were downloaded from the Homebase BBS.

--Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.arpa  BITNET: w8sdz@NDSUVM1
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz

------------------------------

Date:    Thu, 18 Jan 90 16:05:33 -0800
From:    Alan_J_Roberts@cup.portal.com
Subject: McAfee Included in top 100

The Microtimes third annual selection of the 100 most influential
leaders in the computer industry (published in the January 22 edition)
includes John McAfee for his work in the computer virus field.  To see
a virus researcher included with such luminaries as Steven Jobs, Bill
Gates, Mitch Kapor, Peter Norton, John Akers (Chairman of the Board of
IBM), Philippe Kahn etc. implies that the establishment has finally
taken the virus issue seriously.  It's even more interesting when you
consider that Steve Wozniak, Brian Carlson, the Chairmen of ICL,
Intel, Olivetti, and the presidents of dozens of major computer
manufacturers were turned down for inclusion.
I say hats off to a hard working representative of the antivirus
league and congratulations -- in spite of John's self deprecating
attitude (He claims that they confused him with someone else and that
his inclusion and description of his deeds can be attributed to an
editorial oversight).

Alan Roberts

[Ed. Congratulations, John!]

------------------------------

Date:    Thu, 18 Jan 90 09:46:10 -0700
From:    mummy!dave@asuvax.eas.asu.edu (Dave Myers)
Subject: Re: virus scanning

>> I am told that in the November '89 issue of the American Mathematical
>> Monthly, to the effect that no completely safe computer virus test is
>> possible.  The proof is supposed to be short, and along the lines of
>> the various proofs of the Halting problem.
>
>Yes, the problem whether a program is a virus or not, is in general
>undecidable. The (informal) proof follows:
>
>Let's define a virus as a program which can infect other programs. (For a
>more complete definition, see [1].) Let A(P) be an algorithm which applied
>to the program P returns a boolean value (true when P is a virus and false
>if it isn't). Now we can construct the program P1 in the following way:
>
>        program P1;
>        begin
>                if A(P1)
>                    then (* do nothing *)
>                    else infect_other_programs;
>        end.
>
>In other words, if A reports that P1 is a virus, then P1 does not infect
>programs, i.e. is not a virus. Otherwise (if A reports that P1 is not a
>virus), P1 infects programs, i.e. it is a virus.
>
>Therefore, A cannot decide whether P1 is a virus or not.
>                                                Q.E.D.
>
>                                Vesselin

I may be missing something, but it seems the above program makes the
assumption that A cannot detect some virus.  If A can detect all
viruses then P1 will in fact be unable to infect another program and
is thus not a virus.

dave

------------------------------

Date:    17 Jan 90 19:03:01 +0000
From:    woody@rpp386.cactus.org (Woodrow Baker)
Subject: Re: Some more thoughts on shrink-wrapped software...

dmg@retina.mitre.org (David Gursky) writes:
> What is really most amazing about the problem of a potential vandal infecting
> a commercial application, and returning it to an unsuspecting vendor is the
> ease with which the vendor can detect the problem.

Why not just run a good virus checker on returned software before
rewrapping?

Cheers
Woody

------------------------------

Date:    Thu, 18 Jan 90 10:16:57 +0100
From:    iaoobel!xof%apatix.iao.fhg.de@uunet.UU.NET (Christof Ullwer)
Subject: Shrink-wrapped SW

In V3#12 Brian Piersel writes:
>Another way vendors can help is to sell software on write-protected
>diskettes.

And len@csd4.csd.uwm.edu (Leonard P Levine) writes:
>Many vendors are now selling software on un-notched disks.  My most
>recent copy of wordstar, my copy of spinrite and even one shareware
>product have come to me on disks that cannot be written to except with
>modified computer hardware.

IMO, someone evil-minded who really intends to infect a disk will
succeed even on write-protected disks.

On the other hand, verifying a returned disk with a master copy as
dmg@retina.mitre.org (David Gursky) suggests is time intensive and
annoys the customers.

Vendors should put a new medium, i.e. a copy from a clean master
diskette, into the box and then shrink-wrap it.

Christof (xof%apatix.IAO.FhG.de@iaoobel.UUCP)

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
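
The sector-by-sector check of a returned disk against a store master, proposed in the "Shrink-Wrapped Software" message and referred to again in "Shrink-wrapped SW" above, as an added example (not part of the digest and not any poster's code). It assumes both disks have already been read into raw image streams; the 512-byte sector size and the sample images are constructed for illustration.

```python
import io

SECTOR_SIZE = 512  # assumption: standard PC floppy sector size


def compare_images(master, returned, sector_size=SECTOR_SIZE):
    """Compare two binary streams sector by sector.

    Returns (differing, size_mismatch): the sector numbers whose bytes
    differ, and whether one image holds more data than the other.
    """
    differing, size_mismatch, sector = [], False, 0
    while True:
        m = master.read(sector_size)
        r = returned.read(sector_size)
        if not m and not r:          # both images exhausted
            break
        if len(m) != len(r):         # one image ended early
            size_mismatch = True
        if m != r:                   # any single changed bit counts
            differing.append(sector)
        sector += 1
    return differing, size_mismatch


def is_clean(master, returned):
    """True only if the returned image is byte-identical to the master."""
    differing, size_mismatch = compare_images(master, returned)
    return not differing and not size_mismatch


def make_sample_images():
    """Constructed sample data: a 360 KB master image and a copy with one
    byte changed in the boot sector and one bit changed in sector 100."""
    master = bytes((i * 7) % 256 for i in range(720 * SECTOR_SIZE))
    tampered = bytearray(master)
    tampered[3] ^= 0xFF
    tampered[100 * SECTOR_SIZE + 17] ^= 0x01
    return master, bytes(tampered)


if __name__ == "__main__":
    master, tampered = make_sample_images()
    diff, mismatch = compare_images(io.BytesIO(master), io.BytesIO(tampered))
    print("differing sectors:", diff, "size mismatch:", mismatch)
    print("clean copy passes:", is_clean(io.BytesIO(master), io.BytesIO(master)))
```

Because the comparison covers every sector rather than only the files listed in the directory, changes to the boot sector or to unallocated space are reported as well.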