Return-Path:
Received: from csmes.ncsl.nist.gov ([129.6.54.2]) by csrc.ncsl.nist.gov (4.1/NIST)
        id AA02706; Fri, 9 Oct 92 10:10:57 EDT
Posted-Date: Fri, 9 Oct 1992 09:17:11 -0400
Received-Date: Fri, 9 Oct 92 10:10:57 EDT
Errors-To: krvw@cert.org
Received: from Fidoii.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
        id AA01467; Fri, 9 Oct 92 10:05:37 EDT
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA21970
        (5.65c/IDA-1.4.4); Fri, 9 Oct 1992 09:17:11 -0400
Date: Fri, 9 Oct 1992 09:17:11 -0400
Message-Id: <9210091201.AA28919@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #161
Status: RO

VIRUS-L Digest   Friday,  9 Oct 1992    Volume 5 : Issue 161

Today's Topics:

    report on virus detection (PC)
    Re: VIRSCAN detects Yankee-Doodle 2885 (PC)
    Question:NOVI anti virus (PC)
    Re: Re[2]: NAVSCAN (PC)
    CPAV false positives (was FLIP) (PC)
    Re: Recent IBM Virus List? (PC)
    Re: FLIP (PC)
    Virus Scanner Comparisons (PC)
    Brazil Virus! (PC)
    Virus alert: "Larry on a Screen" (PC)
    How trojans work. (PC)
    Re: FLIP (PC)
    FileSize Checking Program (PC)
    OS/2 version of Integrity Toolkit (OS/2)
    A less virus prone architecture
    driver's licence
    Re: network security
    Re: The Harmless Virus
    Re: MacMag, the original data virus! (CVP)
    Re: The Hacker Files (Vol 5 #156)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information
on accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

   Ken van Wyk

----------------------------------------------------------------------

Date:    Sun, 04 Oct 92 18:18:08 -0400
From:    MIN@rulcri.LeidenUniv.nl
Subject: report on virus detection (PC)

Hello everybody,

August this year I completed a report on virus detection. This report
was the result of my traineeship at the Dutch National Criminal
Intelligence Center (CRI). The abstract of the report reads as follows:

    An evaluation of different techniques for virus detection. The
    discussion is sufficiently general to be applicable to a
    substantial number of computing platforms. All mentioned practical
    issues concern the MS DOS operating system. Improvement of the
    operating system is presented as the most fundamental and therefore
    effective way to tackle the virus problem.

I have produced an ASCII version of the report, which should now be
available for interested readers, through anonymous ftp at
ftp.informatik.uni-hamburg.de, in the directory pub/virus/texts/viruses
The filename is virusdet.zip.

Any constructive criticism concerning the contents of the report is
welcome at my e-mail address.

Patrick Min
Leiden University
min@rulcri.leidenuniv.nl

------------------------------

Date:    05 Oct 92 13:48:32 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VIRSCAN detects Yankee-Doodle 2885 (PC)

chess@watson.ibm.com (David M. Chess) writes:

> I think F-Prot calls it "Yankee (TP-44)". Not too atrociously
> different! *8) It's not a fascinating virus; it infects COM and EXE
> files, and sometimes plays the tune Yankee Doodle at 5pm. It also

Well, the understanding of the word "fascinating virus" is subjective,
of course, but for me this virus has one very interesting property - it
is able to repair itself from random errors, using a Hamming
self-correcting code.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date:    05 Oct 92 19:19:48 -0500
From:    x90mahdiarwi@gw.wmich.edu
Subject: Question:NOVI anti virus (PC)

Hi there,

I do not know if this newsgroup is the right one for my posting, but
anyway, I got together with a couple of friends last weekend, after a
long talk, mostly about computers. We came across the virus topic. One
of them mentioned this anti virus program called 'NOVI anti virus';
this one supposedly needs no upgrade, because the program can upgrade
itself. In other terms, NOVI can find new viruses and kill them. Out of
my curiosity, I would like to know if this anti virus program really
works. If anybody knows, or has used it before, please e-mail. Thanks
in advance.

- -Oemar-
x90mahdiarwi@gw.wmich.edu

------------------------------

Date:    Tue, 06 Oct 92 14:40:57 +0000
From:    ede140r@monu6.cc.monash.edu.au (N. Michelis)
Subject: Re: Re[2]: NAVSCAN (PC)

pd@nwavbbs.demon.co.uk (Peter Duffield) writes:

>cjkuo@ccmail.norton.com writes:
>>Robert Slade reports:
>>>> Where can i get NAVSCAN? or When its gonna be out?
>>
>>It is on Compuserve in the following locations: NORUTL, VIRUS, IBMSYS,
>>and UKFORUM. It is available from the Symantec BBSs: 2400:
>>408-973-9598, 9600: 408-973-9834.

>You will also find it for anonymous ftp on wuarchive.wustl.edu in the
>directory /pub/MSDOS_UPLOADS

What version is this? NAV has released an upgrade for 2.0. NAV 2.1 is
available and scans 1400+ viruses. It costs $30 (AUS) for the upgrade
plus postage. Ring Symantec for more details.

------------------------------

Date:    Tue, 06 Oct 92 18:01:53 +0000
From:    rslade@sfu.ca (Robert Slade)
Subject: CPAV false positives (was FLIP) (PC)

Unfortunately this is a fairly well known false positive. Central Point
does not encrypt their signature search strings, either on disk or in
memory. Therefore, wherever CPAV uses the same search string as other
scanners (as in the case of FLIP), CPAV will be identified as being
infected. If you run the TSR scanner portion of CPAV and then use
another scanner, you will also find the "infection" in memory.

Incidentally, further to Microsoft's inclusion of portions of CPAV in
MS-DOS version 6, someone who has seen a beta copy indicates that VSAFE
will be included. Fortunately, VSAFE is the activity monitor portion,
and does not do any signature scanning.

=============
Vancouver      ROBERTS@decus.ca     | "Remember, by the
Institute for  Robert_Slade@sfu.ca  | rules of the game, I
Research into  rslade@cue.bc.ca     | *must* lie. *Now* do
User           p1@CyberStore.ca     | you believe me?"
Security       Canada V7K 2G6       |          Margaret Atwood

------------------------------

Date:    Tue, 06 Oct 92 18:17:31 +0000
From:    mechalas@mentor.cc.purdue.edu (John Mechalas)
Subject: Re: Recent IBM Virus List? (PC)

frisk@complex.is (Fridrik Skulason) writes:
>mechalas@mentor.cc.purdue.edu (John Mechalas) writes:
>
>>Where can I find a current list of known IBM viruses that is in the
>>public domain?
>
>If you find one, let me know :-)

I will. I promise. :)

>Seriously, there is no list that is 100% up to date - with several new
>viruses arriving every day it is not possible. You can get a
>reasonably good list from several sources, but no 100% complete.

Obviously there won't be a 100% complete one. :) But, according to the
FAQ for this group, for instance, it says that the catalogs at
informatik.de are incomplete for the IBM listings...is there a more
complete version? Your F-Prot database, for instance, is pretty close
to what I am looking for, but in a public-domain listing.

> I am looking for
>
> virus name: Yeah, me too :-) ....unfortunately, there is still a lot of
> naming confusion in this field.

Understood.

>
> type: I assume you mean "Resident/Non-resident" and what it infects,
> right ?

Exactly.

>
> disinfectant method: I am not sure what you mean by this - I don't
> think any publicly available virus list describes the method to
> disinfect them.

I realized afterwards that this was not really a good question, but it
was too late to edit the article after I sent it. :) I meant, can it be
removed by disinfectant software, or must it be replaced? This is,
however, essentially irrelevant, since the best "cure" for an infection
is to *always* replace the offending files with clean backups. So just
ignore this one. :)

- --
John Mechalas                         [This space intentionally left blank]
mechalas@mentor.cc.purdue.edu
Purdue University Computing Center    Help put a ban on censorship
General Consulting                    #include disclaimer.h

------------------------------

Date:    06 Oct 92 20:16:41 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: FLIP (PC)

2007do@ankara2.af.mil (CS/DO;675-3254) writes:
>Vivek Swarup of moh.gov.on.ca writes:
>>On 1 of our PCs CPAV detected some virus but could not tell us which
>>one. We obtained a copy of f-prot V2.02 which indicated this system
>>had a FLIP Virus. We obtained a new version of f-prot (v2.05) which
>>indicated the PC has the TELECOM Virus.

Both are wrong - What F-PROT is really detecting are virus signatures
left in memory by the Central Point programs. The same applies to
several other anti-virus programs - they produce false alarms on the
Central Point anti-virus software.

PLEASE, PLEASE read the CPAV manual. It specifically states that CPAV
is not compatible with other anti-virus programs. The problem is really
that CPAV contains various virus signatures, and unlike any decent
anti-virus program, it does not bother to encrypt them.

If you use CPAV, don't use any other anti-virus program. (or
better....don't use CPAV :-)....)

- -frisk

------------------------------

Date:    Tue, 06 Oct 92 17:35:00 -0500
From:
Subject: Virus Scanner Comparisons (PC)

Some time back, virus scanner comparison data was posted to this
newsgroup. I thought I saved a copy of it, but apparently I was
hallucinating. I would really appreciate it if some kind soul would
either re-post it or point me to an ftp site containing the
information. Our department is in the process of choosing a scanner or
scanners for internal use. Post or E-mail, whichever you prefer.

- --
Joe Lawrence                   | "All opinions are mine, not Rockwell's"
Engineering Support Services   | To do is to be  - Nietzsche
Rockwell International         | To be is to do  - Sartre
jfl@hobbes.cca.cr.rockwell.com | Do be do be do  - Sinatra

------------------------------

Date:    Tue, 06 Oct 92 19:27:44 -0400
From:    ARTHUR@brfuel.bitnet
Subject: Brazil Virus! (PC)

I want to thank Brian Seborg, Vesselin Bontchev, McAfee, and Fridrik
Skulason, who answered my request on Brazil Virus! I've summarized the
answers to the list where I read the report about the virus. But I do
not have an infected copy.

LUIZ ARTHUR PAGANI
DEPARTAMENTO DE LETRAS VERNACULAS E CLASSICAS
CENTRO DE LETRAS E CIENCIAS HUMANAS
UNIVERSIDADE ESTADUAL DE LONDRINA
LONDRINA - PARANA' - BRASIL
CAIXA POSTAL 6001 - CEP 86051-970
TEL: (0432) 21-2000 RAMAL 428
FAX: (0432) 27-6932
E-MAIL: ARTHUR@BRFUEL.BITNET
RESIDENCIA: R. PARANAGUA', NO. 2035, APT. 203 - CENTRO - LONDRINA
CEP: 86.015-030
TEL: (0432) 23-9956

------------------------------

Date:    Wed, 07 Oct 92 02:05:17 +0000
From:    brian@probitas.cs.utas.edu.au (Brian Marriott)
Subject: Virus alert: "Larry on a Screen" (PC)

A virus has shown up in Tasmania, Australia, which we haven't seen
reported before, and which isn't known by name to F-Prot 205 or TBScan
43 (although they both pick it up by heuristics). We have only analysed
it far enough to get its name and an ID string; we don't know potential
damage.

Name:     Larry on a Screen
Infects:  .EXE & .COM files (at least)
          .COM files grow by 491 bytes, .EXE files by 403 bytes
          (or so it seems on samples of one of each)
Signature strings:
          "Larry on a Screen"
          Hex "50cbbf00018b750181c6d90257b90500fcf3a481"

Further information may be obtainable from:
    Russell Twining (R.Twining@eee.utas.edu.au)
    Brian Marriott (B.W.Marriott@cs.utas.edu.au)

- -----------------------------------------------------------------------
Brian Marriott, Department of Computer Science, University of Tasmania
Mail: GPO Box 252C, Hobart, Tasmania 7001, AUSTRALIA.  Ph: +61-02-202929
Internet: B.W.Marriott@cs.utas.edu.au                  Fax: +61-02-202913

------------------------------

Date:    Tue, 06 Oct 92 22:10:30 -0400
From:    FIRED UP...ALL FIRED UP...PRG 2026
Subject: How trojans work. (PC)

Hello,

My name is Andy Hardison and I am a BBS sysop with a problem. I was
notified by a user of a program that scanned clean, but when run,
caused a Michelangelo infection. Here is what I was told: Xyphr.zip was
unzipped to form the game files, Xyphr.exe, .dat, etc. When trying to
run Xyphr, the computer would hang. My user rebooted the computer with a
CTRL-ALT-DEL. Since he thought it was a memory problem, he ran
Quarterdeck's Manifest, mft. He thought he was running MFT.exe, but
there was a 300 or so byte MFT.com file present. He typed in MFT and
his computer locked up again. Upon a second reboot, with an actual
powerdown, the computer lost some files. He scanned with Fprot and
McAfee. Both reported Michelangelo in the boot track.

Could someone out there explain to me how Michelangelo could have gotten
onto the system via this method of infection. My user is more paranoid
about virii than I am (I scan all incoming files, but do not run the
executables). He did not have an infected computer before running
Xyphr, but did after the above mentioned sequence of events.

Any help would be appreciated.

andy hardison
Ahardison@intel9.intel.com

------------------------------

Date:    Wed, 07 Oct 92 02:12:43 -0400
From:    HIIND@delphi.com
Subject: Re: FLIP (PC)

Vivek Swarup of moh.gov.on.ca writes:
>On 1 of our PCs CPAV detected some virus but could not tell us which
>one. We obtained a copy of F-Prot V2.02 which indicated this system
>had a FLIP Virus. We obtained a new version of F-Prot V2.05 which
>indicated the PC has the TELECOM Virus. Shortly there after we had

The explanation of the FLIP report by Henry Tindall of ankar2.af.mil
was an excellent example of conflicts between different Anti-Viral
products when cross testing files, although other conflicts arise when
different Anti-Viral products are run consecutively due to testing
residue in system memory, which we believe to be the case in the
TELECOM report by F-Prot, which led us to the discovery of these
residue conflicts.

The following are the results of the testing of a Norton Disk Doctor
undo file from the removal of the STONED virus from a floppy disk.
Similar results can be achieved using any file and various products run
consecutively without cold rebooting to a clean DOS between tests.

    Norton Anti-Virus          Nothing
    Virex                      Possible Stoned Dropper
    ViruScan                   Nothing
    Central Point Anti-Virus   Nothing
    F-Prot                     Signs of Cascade in Memory
    F-Prot                     Signs of Telecom in Memory
    Integrity Master           P1 active in Memory
    Virex                      Stoned Active in Memory
    Scan                       Nothing

The initial Virex result is a correct result, although the others are
semi-correct in their own ways. Since it is almost impossible for
Anti-Virus developers to test for these types of inconsistencies it
makes it very important to cold boot between Anti-Virus tests.

I hope to have full testing results available within the next month for
all interested parties.

H. I. Marc
Alon-Tolbert Industries
Internet: HIIND@Delphi.com

------------------------------

Date:    Wed, 07 Oct 92 14:16:35 +0000
From:    u906271@bruny.cc.utas.edu.au (Blow Me Down)
Subject: FileSize Checking Program (PC)

Hi all,

I'm looking for a program that saves a checksum of files on the PC and
later checks for file changes automatically. I'm after a program that
does something like CPAV (Central Point Anti-Virus), but I'm not using
the virus checker. Does anyone know of such a program? If so, please
E-mail me.

Thanks in Advance...

Chris
E-Mail : u906271@postoffice.utas.edu.au

- --------------------------------------------------------------------------
Chris Chew Hong Gunn                 | A Signature?
B.Sc/B.E (Third Year)                | I'll have to think about it...
University of Tasmania               | Email: u906271@postoffice.utas.edu.au
Australia                            |        u906271@bruny.cc.utas.edu.au
- --------------------------------------------------------------------------

------------------------------

Date:    Mon, 05 Oct 92 02:46:23 -0400
From:    fc@turing.duq.edu (Fred Cohen)
Subject: OS/2 version of Integrity Toolkit (OS/2)

Yes Vess, there is a Santa Claus

Integrity Toolkit for OS/2 is called the Protection Toolkit, and
provides most of the current features of Integrity Toolkit. Soon, it
will exceed IT. P.T. currently includes login by user ID w/password,
integrity shell and snapshot under DOS box, known virus scanner,
crypto-checksum, DOS box trap mechanisms, and the nice management tool.
As soon as IBM sends us the driver information (which they seem to want
to withhold until other vendors have a 6 month lead on us), we will have
disk-wide encryption using DES, ANSI standard, and other user settable
algorithms, full OS/2 integrity shells, OS2 based access controls,
network access controls, and lots of other good stuff.

- - Thanks for the plug :)(:))=-_)* - how do you do that thing?

FC

------------------------------

Date:    Mon, 05 Oct 92 00:54:24 +0000
From:    rjk@world.std.com (robert j kolker)
Subject: A less virus prone architecture

I was reading a book on the Babbage analytical engine the other day,
and it occurred to me that a Babbage machine may be less virus prone
than a von Neumann machine. A Babbage machine differs from a von
Neumann machine in that its program is externally stored on a medium
separate from the data store of the machine. Thus the operands of a
program are in store, but the program that transforms them is not. The
Babbage analytical engine was patterned after the Jacquard Loom.

The question I put is this. Is a computer, in which the program is
stored in a totally separate memory space from data, less prone to
virus attack or not. I would appreciate your opinions on this question.

Conan the Libertarian
rjk@world.std.com
"If you can't love the Constitution, at least hate the Government"

[Moderator's note: Pardon my ignorance on this, but wasn't the Babbage
machine a 19th century mechanical computing device, and isn't there an
effort under way to implement (again, in hardware) one of his later
machines? Are there any software implementations of his designs?]

------------------------------

Date:    05 Oct 92 03:53:35 +0000
From:    tyu@ecst.csuchico.edu ( )
Subject: driver's licence

I just got my California driver's licence, the new one with the
magnetic stripe on the back where an officer of the law can see my
whole life story in one stroke. Strictly for information purposes only,
are there any viruses out there that could infect the magnetic stripe
on my CA. licence? I could build a 'magnetic stripe read and write
head' as long as it is legal in my state to do so.

ps. I have no intention of breaking the law, state or fed., nor do I
advocate anybody breaking the law. This is for INFORMATION PURPOSES
ONLY AND NOTHING ELSE!!

------------------------------

Date:    05 Oct 92 12:13:14 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: network security

seborg@csrc.ncsl.nist.gov (Brian Seborg) writes:

> surprised that the virus was different. As for 1963 having
> "nothing in common" with the Dark_Avenger virus, I will leave you
> to argue this out with Patricia since she seems to disagree with
> you here.

I have myself disassembled 1963 completely. Simultaneously, in my
contacts with Patricia Hoffman I came to the conclusion that she is not
able even to -read- the well-commented virus disassemblies sent to her,
let alone to disassemble a virus herself. Sorry, but I will not even
argue with her on this subject.

> my posting!?! I am not sure why you wasted the band width to
> revisit this since it was obvious to any reader that no definitive
> answer was being provided.

Because I saw a claim which I knew was wrong, so I decided to post a
correction, in order to prevent the readers from getting false
knowledge about this particular virus. I definitively do not consider
this a "wasted bandwidth".

> While I must agree that VSUM does have its share of errors, and
> provides little in the way of "down and dirty" technical
> information, I still believe it is a good reference for ball-
> parking whether you have a particular virus or not. I have to

No, this is exactly what it does not provide. It might have been useful
when SCAN used to identify viruses better, since then VSUM contained
the name that SCAN gave to the particular virus. Nowadays SCAN is
completely useless for virus identification and the virus names in VSUM
do not have even this value.

There is nothing in VSUM that really helps you identify which virus you
have. No virus maps for exact identification. No cross-reference
between the names that the different products use. No correct technical
information. Even such basic information as the virus infective length
is sometimes wrong. Several of the listed viruses do not exist (I know,
I have the appropriate files from Patti's collection). Several viruses
are listed twice or more times, under different names - and curiously -
with different properties. For most viruses it is said "It is not known
what the virus does besides replicate" - even for those viruses, for
which the name suggests what they are doing... My (wild) guess is that
the information in VSUM is a combination of what Mrs. Hoffman has been
told about the virus and what she has observed when running the virus
on a sacrificial system.

> admit that I prefer the descriptions put out by Brunnstein's
> students (including you) for accuracy, although the user-
> friendliness of the lists containing these descriptions leaves
> something to be desired.:-)

I know, I know... :-) We are working on the subject...

> >Astra viruses infect only device drivers. Some viruses (Tequila
> >and StarShip, I think) will not

> Wrong about Tequila, it infects just fine.

Well, I wrote "I think", didn't I? I was not sure, because I didn't
have the disassembly of the virus in front of me.

> Remember, it is a multi-partite virus and it does go TSR.

So is StarShip, yet it works exactly in the way I described. And I
don't just "think" this time - I -know- it.

> >infect, if you don't have a hard disk - because they don't go
> >resident when you run an infected file, but only modify the MBR
> >and wait until the user reboot... There are some other pitfalls.
> > We have a huge amount of files here, about which we cannot easily
> >decide whether they are viruses, trojans, buggy programs, or just
> >innocent tools. They all refuse to replicate on the systems we
> >have tested them, but this does not imply that they will not
> >replicate on some other

> But this does imply that they are unlikely to represent a threat
> since their survival is unlikely.

Huh, as far as I remember, the question what exactly represents a
threat has not been mentioned neither in your message, nor in my reply.
You were just listing a few methods how to determine whether what you
have is really a virus or not, and I pointed out that in some cases it
doesn't work. That's all.

> >systems. The only way to solve the problem is to disassemble each
> >one of them and see what it does. And this is a LOT of work...

> No disagreement here. Disassembly is obviously the best solution,
> however, many users are not assembly programmers, and are unlikely
> to be able to dis-assemble the virus. Also, in cases where the

In this case I am not speaking about the users - they don't have to
bother with all those "unknown" files from our collection. I am
speaking about us, and we -are- both good assembly language programmers
and able to disassemble a virus. Gosh, we are doing this all the time;
we are even teaching the students how to do it... My point was that it
is a lot of work - for us - to disassemble all those files. And this
work is low-priority, because we have to deal with lots of viruses
every day that -do- replicate perfectly...

> user notices changes in files (like the one we are speaking of) my
> suggested technique works well. I never said that it was "the only

Your suggested technique sounded (to me, at least) as a general
approach for dealing with viruses. It is indeed useful as such, it just
needs to be updated and refined, which is what I believed to do with my
message. Sorry for any misunderstanding.

> virus. Also, continually bringing up viruses which have "new" and
> "different" techniques that have often never been seen "in the
> wild", or which are only the product of an active imagination may
> be a useful academic exercise, but let's put some statistics next
> to these viruses you have noted.

I strongly disagree with you here. To constantly bring up new
"research" techniques here definitively has a beneficial effect. Here
is one example. The Dir_II virus is -extremely- spread in Bulgaria.
More than 90% of the requests for help to my Lab there are for this
virus - they have documented statistics about this. Yet, I made a lot
of fuss about this virus here, so now most of the popular scanners are
able to detect it (McAfee's CLEAN can even remove it), and we succeeded
in preventing the wide spread of this virus in the West.

Second example. I made a lot of fuss about the MtE, so now several
scanners are able to detect it. When I was in Bulgaria this summer, I
met a virus writer and asked him whether he intends to use the MtE. The
answer was "Why bother, even McAfee can detect it!". The truth is that
SCAN does not detect the MtE reliably, but so what... The important
thing is that we prevented a wave of MtE-based viruses.

> Have they infected any computers
> at all other than in the lab? Let's be reasonable!?! I act as the
> CERT for a network with over 350 servers, and 10,000 nodes. In
> addition, we have over 3000 lap-tops. If I were "fishing" for

My Lab in Bulgaria is basically the only official anti-virus supporting
team in Bulgaria and they have almost half a million PCs in that
country. This, combined with the fact that several people consider
writing and/or releasing a virus there to be some kind of
entertainment, leads to some unexpected results... For instance, I
have seen myself Anti-Pascal.605 in the wild - combined with Cascade.
If you have ever disassembled this extremely stupid virus, you'll
understand my surprise. Also, can you believe that I spent almost a
week hunting for Kamikaze - a silly overwriting virus that should never
spread at all? (I finally nailed it using an integrity checker, but
this is another story, which I could tell you if you are interested.)

> a virus. I think it's time we started being realistic about the
> actual threat from these viruses.

No disagreement here, although we probably interpret the above sentence
differently...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date:    05 Oct 92 13:43:11 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The Harmless Virus

WHMurray@DOCKMASTER.NCSC.MIL writes:

> This is a simple oversight, but writing the perfectly harmless virus
> requires this knowledge plus perfect knowledge of all other relevant
> factors about every system in the population. Such perfect knowledge
> is impossible.

The above is, of course, true, but it also holds for any program, not
just for viruses. It is not possible to write a perfect program, which
will not damage anything in any conditions, just because of the reasons
that you are listing. Some such "imperfect" programs are significantly
more widespread than some of the "research" viruses. :-) The only
advantage is that they don't replicate by themselves and do not try to
run on your computer without your permission... (Note: I am not
advocating the writing of "harmless" viruses, I am just observing a
fact.)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 06 Oct 92 14:50:42 -0400
From:    xrjdm@calvin.gsfc.nasa.gov (Joseph D. McMahon)
Subject: Re: MacMag, the original data virus! (CVP)

rslade@sfu.ca writes:
>
> Semantics aside, how could a data file affect the system at all?
>
> Well, more and more programs have "macro", "script" or interpreter
> capability. Thus the distinction between data and program blurs.
> Hypercard stacks have "commands" as well as data associated with
> them. Generally, these commands only govern the ability to "flip"
> from one "card" to another. However, an extended command set, XCMD,
> allowed for additional functions beyond those normally available in
> Hypercard. This was used to affect the system changes.

Calling MacMag a "data virus" disturbs me. I thought that the
definition of a data virus was a virus which is transported as a
non-executable and which is then transformed into an executable virus
when the file is used. This is a bit of a semantic clash, as I
understand the definition vs. the actual XCMD mechanism.

HyperCard XCMDs are executable resources of arbitrary function written
by a programmer in C or Pascal (masochists may use assembler, if they
wish). They are installed as XCMD resources into a stack and provide an
extension to the normal command set provided in HyperCard "scripts".

The phrase "arbitrary function" is the key here. The XCMD can provide
any function that a Macintosh application can; the viral XCMD was
simply a section of code which added another executable resource to the
System file. There was no transformation of data into program; all
viral code was present inside the XCMD itself. Any HyperCard stack
containing the XCMD could have been used to spread the virus, simply by
invoking the XCMD by name. I speculate that the stack was used as a
vector because it took less time to throw a "teaser" Trojan stack
together than it would have to make a throw-away application which
would have been sufficiently tantalizing to get people to download it.

Now, there have been true HyperTalk viruses, in which HyperCard scripts
were written to infect other stacks with the viral script, but this
really isn't a data virus either, because the virus is still an
executable program of sorts.

The closest thing I've seen to a real "data virus" were the "implied
loader" viruses, which subverted a Finder datafile into becoming a
means of replacing part of the System simply because the Finder opened
them. But this still required an executable resource be present.

I don't think we've really seen a virus which transforms itself from
the executable to the non-executable realm yet. I emphasize "yet".

--- Joe M.

------------------------------

Date:    Tue, 06 Oct 92 23:31:16 +0000
From:    smd@hrt216.brooks.af.mil (Sten M. Drescher)
Subject: Re: The Hacker Files (Vol 5 #156)

ZMUDZINSKIT@uvax6.disa.mil (zmudzinski, thomas) writes:

> ps would send a copy of this to DC Comics but no E-Mail address was given.

> In issue #1 on the second page of "usr/hacker/mail" (what becomes
> the letters section in later issues), in the upper right-hand corner,
> Lewis Shiner (the creator of "THE HACKER FILES") says:
>
>       Because THE HACKER FILES is special, you have an alternative.
>       I am in the process of setting up on-line letter columns on
>       both the GEnie and CompuServe bulletin boards. The
>
> Mr. Shiner must have been at least half-way successful as three of the
> letters in issue #4 were posted through GEnie. Try there.

OK, but I have neither a CI$ nor a GEnie account. I would LIKE to have
seen an email address to use.

- -------------------------------+---------------------------------------------
Sten Drescher                   | There are men who seem like more than men.
AL/HRTI                         | Living examples of what we could be if we
Brooks AFB, TX 78235            | tried. They are men of courage, compassion,
- -------------------------------+ and justice. On the other hand, there are
sdrescher@animal.brooks.af.mil  | presidential candidates.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 161]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
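The following is an added example, not part of the digest and not any contributor's code. It illustrates the mechanism behind the CPAV false positives described by Robert Slade and Fridrik Skulason (a scanner whose search strings sit in the clear, on disk or resident in memory, is itself "detected" by every other scanner that uses the same strings), the memory-residue effect in the Alon-Tolbert test results, and the corroborating check requested in the FileSize Checking post: a keyed checksum baseline that shows whether a flagged file actually changed. The signatures, file contents, XOR key, file names and function names below are all constructed assumptions for the demonstration; none are real virus signatures or any product's storage format.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample signatures (arbitrary bytes, NOT real virus patterns).
SIGNATURES = {
    "Sample.A": bytes.fromhex("b8004dcd21eb05"),
    "Sample.B": b"SAMPLE-MARKER-B",
}

# Assumption: a one-byte XOR is enough to keep the clear-text strings out of
# the stored table. Any reversible encoding would do; the point is that no
# plain substring of a signature ever sits on disk or in the scanner's memory.
XOR_KEY = 0x5A


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Byte-wise XOR; applying it twice restores the original bytes."""
    return bytes(b ^ key for b in data)


def build_database(plaintext: bool) -> bytes:
    """Serialise the signature table as a scanner might keep it on disk or
    resident in memory: raw strings (the situation described for CPAV in
    the digest) or XOR-encoded records (constructed format: name, NUL,
    body, NUL)."""
    records = []
    for name, sig in SIGNATURES.items():
        body = sig if plaintext else xor_bytes(sig)
        records.append(name.encode() + b"\0" + body + b"\0")
    return b"".join(records)


# What a careful scanner holds at run time: only the encoded form.
ENCODED_SIGNATURES: Dict[str, bytes] = {n: xor_bytes(s) for n, s in SIGNATURES.items()}


def scan(buffer: bytes) -> List[str]:
    """Report every signature present in buffer, decoding each pattern only
    for the duration of its own comparison."""
    return [name for name, enc in ENCODED_SIGNATURES.items() if xor_bytes(enc) in buffer]


def integrity_tag(data: bytes, key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256) over a file's contents. Unlike a plain
    CRC, whoever altered the file cannot recompute it without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def baseline(files: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Snapshot of every file's tag, taken while the system is known clean."""
    return {path: integrity_tag(data, key) for path, data in files.items()}


def changed_files(files: Dict[str, bytes], base: Dict[str, str], key: bytes) -> List[str]:
    """Files whose current tag differs from the baseline (or that are new)."""
    return [
        path for path, data in files.items()
        if not hmac.compare_digest(base.get(path, ""), integrity_tag(data, key))
    ]


def demo() -> Dict[str, List[str]]:
    key = b"constructed-demo-key"      # constructed; a real key must not live on the scanned disk
    plain_db = build_database(plaintext=True)
    encoded_db = build_database(plaintext=False)
    clean_prog = b"MZ" + bytes(64)      # constructed stand-in for a clean program
    infected_prog = clean_prog + SIGNATURES["Sample.A"]   # constructed "infected" copy

    files = {"CPAV.DAT": plain_db, "SAFE.DAT": encoded_db, "PROG.EXE": clean_prog}
    base = baseline(files, key)         # taken on the clean system
    later = dict(files, **{"PROG.EXE": infected_prog})

    return {
        # the clear-text table "is infected" with every string it holds
        "hits_plain_db": scan(plain_db),
        # the encoded table matches nothing
        "hits_encoded_db": scan(encoded_db),
        # a memory image still holding the first scanner's table (the residue case)
        "hits_memory_image": scan(plain_db + clean_prog),
        # a genuine change is caught by the scanner and confirmed by the baseline
        "hits_prog": scan(infected_prog),
        "changed": changed_files(later, base, key),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} {result}")
```

Running it shows CPAV.DAT "matching" both sample signatures while SAFE.DAT matches none, and the memory image that still contains the clear-text table matching as well; the baseline, by contrast, reports only PROG.EXE as changed, which is how a defender separates a string collision from a real modification and why cold-booting to a clean DOS between scanners, as the digest recommends, matters.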