VIRUS-L Digest             Tuesday, 29 Nov 1988         Volume 1 : Issue 23

Today's Topics:

More on nVIR (MacIntosh)
MORRIS BROKE THE LAW?
Local News Program with Loren Keim
general virus query
Auto-configuring PCs
How do you remove nVir from hard disk? (MacIntosh)
Warning init available (MacIntosh)

---------------------------------------------------------------------------

Date: Fri, 25 Nov 88 08:18 EDT
From: "$CAROL@OBERLIN (BITNET)" <$CAROL%OCVAXC@OBERLIN.BITNET>
Subject: More on nVIR (MacIntosh)

We had a chance to try out various virus detection programs today on an
infected SE hard disk. Some expected and unexpected results:

VirusRX (Apple's own detection program) does NOT detect the nVIR virus.
Interferon 3.0 and VirusDetective both caught it. nVIR Vaccine removed it
successfully from an infected MacWrite application, but had no effect on
system files.

While checking some of the user's floppy disks for infection, I discovered
that Interferon is unable to examine MFS disks. Virus Detective gave the
same disk a clean bill of health. Should I assume the disk is virus-free?

By the way, this virus arrived here via "shared" (read pirated) software
from another college.

Robin Russell
Oberlin College Computing Center
prussell@oberlin

------------------------------

Date: Fri, 25 Nov 88 18:39:58 CST
From: John Boncek
Subject: MORRIS BROKE THE LAW?

A number of folks have written in indicating that "MORRIS BROKE THE LAW"
by spreading his virus on the internet. Some points to consider:

(1) The federal government hasn't brought criminal charges against Morris
yet; the question whether "MORRIS BROKE THE LAW" is open until resolved by
a jury!

(2) As I understand the current federal statute, both criminal intent and
actual damage must be proved in order to sustain a conviction. It may be
difficult for a government prosecutor to prove both beyond a reasonable
doubt. (On the issue of "actual damages" ...
consider the case where a user inadvertently causes havoc on a system; or
the case where the operating system itself is damaged. Doesn't the computer
center allocate the same programmer hours and computer cycles to the task
of correcting the problem?? What makes the appearance of a virus different
from any other problem occurring on a system??)

Also remember that the government must prove, beyond a reasonable doubt,
that it was MORRIS, and not someone else, who actually committed the acts
in question. There is a whole lot of circumstantial evidence .. the FBI has
impounded tapes, disks, etc. from CORNELL; a number of Morris' friends have
been talking to the newspapers .. but no one (as far as I know) actually
saw him doing anything......

I strongly suspect that the government will offer Morris a deal (e.g. a
plea bargain to some misdemeanor) rather than risk having him win an
acquittal on the felony charges.

(3) As to civil charges.... In an action in tort, most American courts
allow recovery for damages "proximately caused" by someone's action; intent
is generally not an issue. Assuming that someone can prove that it was
Morris who caused the virus to propagate, and that actual damages occurred,
civil damages could be awarded.

The more interesting question in the civil case is jurisdiction. Again
assuming that Morris propagated the virus:

- Morris is a resident of Maryland
- Morris was physically present in New York
- The virus was apparently propagated from a computer in Massachusetts
- "damages" occurred in a number of states (New York, New Mexico,
  California, Illinois, Massachusetts, etc.)

Where can an action against Morris be brought? Whose law applies? For
example, Morris was physically present in New York, but apparently
propagated the virus from Massachusetts. Did his "act" occur in New York or
in Massachusetts? Is his "presence" in Massachusetts sufficient to give the
Massachusetts courts jurisdiction?
Who has jurisdiction over (say) New Mexico damages? Morris' only presence
there was by electronic mail!

Also consider... let's assume that someone argues that Morris "negligently"
caused him damage. Can Morris counterargue that using Berkeley Unix 4.3
with "known security flaws" was also a negligent act, offsetting his
liability for damage????

Consider whether researchers can sue their own computer centers for
negligence in not protecting their systems from infection from a virus!!!!!

Egads!

------------------------------

Date: MON NOV 28, 1988 20.07.09 EST
From: "Loren K Keim -- Lehigh University"
Subject: Local News Program with Loren Keim

Well, Mitch, it's quite a while since we last heard from you. Please,
please, let's not start another bitter war of flames back and forth here.

Actually, you've either read a LOT into that TV interview, or you read one
or two of our reviews in the other magazines I've been in recently. A
transcript of the TV interview follows:

Keim: "Well, we've seen a school in Israel lose 7000 hours of research and
that's a lot of research, we've seen lots of companies lose money, we've
seen a lot of records wiped out, we've seen a company in Germany whose
research was actually stolen. The computer actually, the virus attacked,
gathered up the research, called up another computer and mailed it out."

Reporter: "Computer expert Loren Keim has worked to stop some of the
peskiest computer viruses and he thinks that he and his associates can
develop software that will help to shield both large and small systems from
viruses."

Keim: "We figure out how viruses work, how they propagate, how they
possibly CAN propagate, and we find any holes that exist in a company's
current computer security program and we plug these holes."

Reporter: "Keim is getting ready to market a line of comprehensive computer
antiviral programs. A different program must be written for each system and
although, Keim says, there are already antiviral programs on the market."
Keim: "We have found easy ways around packages that we have tested so far"

Rep: "Oh"

Keim: "Our program is written to watch for something to try and get around
it, and it will stop that."

Reporter: "Keim says that he and his associates have 5 antivirus programs.
They've tested them against many viruses and stopped them all."

----- [end]

As for our Unix package, it is not currently available, it is in the works.
We have two separate Unix ideas we are working on, and I think the second
idea is excellent. We discussed it at length at the Computer Virus
conference, since you are local to this area, you should have stopped in.

If anyone wishes detailed information about any of our packages (Outlines
for PC, Unix, VM/CMS, VMS, and Mac are available upon request), please
write to me. (This is not a sales pitch). But I warn you that I will not go
into exacting technical detail as to how certain things work. We like to
call them trade secrets, you'll have to completely disassemble our packages
to do that.

As for key encoded algorithms. What I simply said (not to the press you
mentioned though) was that our PC version will allow for keys, random keys
which will change the program in some ways from copy to copy. In effect,
every copy of the program will be slightly different, thus helping to
ensure that the program won't be broken. However, this is just one single
level of defense in a multi level system.

I hesitate to say too much because I don't want to be thought of as trying
to "sell" this package on the net. I honestly feel it will be the best
package available. I really do. It's effective, it doesn't clutter up the
screen with garbage, it doesn't require a special user interface. Again,
please forgive me if this sounds like I'm selling.

Loren Keim

------------------------------

Date: Mon, 28 Nov 1988 22:13 EDT
From: 34EVEKA@CMUVM
Subject: general virus query

Hello there,

My name is John Lennon (no lie) and I'm a student at Central Michigan Univ.
and I have a question about viruses.

----If I have received a virus by mail how can I receive info about this
particular virus.-----

------------------------------

Date: Mon, 28 Nov 88 22:02:49 CST
From: James Ford
Subject: Auto-configuring PCs

Most computers now have auto-configuring at bootup (i.e., no more dip
switches to set for memory, drives, etc). Can a program change this
configuration? If so, what possible hardware damage could a virus or trojan
cause to your computer system by changing these values?

James

------------------------------

Date: Mon, 28 Nov 88 18:44 EST
From: "Back off man, I'm a scientist..."
Subject: How do you remove nVir from hard disk? (MacIntosh)

Hi y'all,

My boss came in the lab a few ago, and said "Hey Frank, you had a virus on
your computer last year? How did you fix it?" I told her I did a low-level
format on my XT. (At this point a frown came to her face)

Anyway, the point of this is that a friend of hers managed to catch nVir on
his PC. Of course, he doesn't have any backups, and has four years worth of
work that can't be easily replicated. Does anyone know if it is possible to
disinfect a hard drive contaminated with nVir?

Thanks a lot,

Frank Gauthier
Academic Computing Services
Loyola College, Baltimore.

P.S. This could definitely be worth a serious Christmas bonus. :-)

[Ed. Take a look at the next message...]

------------------------------

Date: Mon, 28 Nov 1988 22:06:20 PST
From: William Lipa
Subject: Warning init available (MacIntosh)

I have written an init for use on Macintosh computers which checks for the
presence of the nVIR and Scores viruses each time you start the system. If
it finds an infected System, the user is presented with an alert which
describes the situation. One can Shut Down, Continue, or (eventually)
Repair the disk.

The program is designed to be transparent in use so that it is suitable for
novice users. Just throw it in your System Folder and forget about it
(unless you have a virus, that is).
It does not yet provide the same level of protection as Vaccine, however.
It is for those people who do not want to deal with a more technical
defense against viruses but who want some warning before all their
applications get infected.

I'll send it to whomever requests a copy.

Bill Lipa
Bitnet: lipa%polya@stanford
Arpanet: lipa@polya.stanford.edu

------------------------------

End of VIRUS-L Digest
*********************