VIRUS-L Digest   Friday, 28 Apr 1989   Volume 2 : Issue 102

Today's Topics:
Missouri Virus (PC)
Net Hormones Paper by David S. Stodolsky
Trojan REXX EXECs (VM/CMS)
Problem in BASIC virus related? (PC)

---------------------------------------------------------------------------

Date: Thu, 27-Apr-89 13:57:27 PDT
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Missouri Virus (PC)

The Homebase group has logged over a dozen occurrences of this virus but we have never successfully sampled it. The latest occurrence was notable enough to pass on to Virus-L so that we might get some assistance. The occurrence was at the National Security Administration. The virus came into their shop on a disk shipped with the book "DOS Power Tools", published by Bantam. This was the third report of the virus entering an installation on this book. The virus completely disables writing to the hard disk, but it does allow normal reading of data already stored. Every site that has been hit has destroyed or lost the original source disk and the target disk. The NSA is no exception. Robert Dimsdale of the NSA in Fort Meade originally reported the virus to the CVIA, and he cut the floppy into 8 sections prior to calling. He then disregarded the standard CVIA advice and low-level formatted the hard disk.

Anyone with any additional information about this virus is invited to share that information with what we already know by contacting the HomeBase board. We know that Missouri is a virus and not a Trojan because we have documented four occurrences of its replication. Please do not contact Mr. Dimsdale directly. Serious inquiries should be addressed through Jim Corwell on Homebase. He will pass on your name to the NSA and they will reply.

Another report that came in on the same day, coincidentally, involved another book called "Using Application Software" from Random House. It was reported at Florida International University, contact name Mitchel Zidel. We have not yet followed this one up. If any of you folks would like to join the Sleuth Team, contact Jim and sign up for this one. He has the phone number and specifics.

P.S. A number of HomeBase users would like to communicate with Virus-L. They are all, however, local BBS users and none (with one or two exceptions) have access to Usenet or Bitnet. How can I go about posting their mail on Virus-L?

------------------------------

Date: Fri, 28 Apr 89 11:59:11 MDT
From: Chris McDonald
Subject: Net Hormones Paper by David S. Stodolsky

I read with interest the subject paper, which resulted in some questions.

First, if contact tracing is technically possible among hosts and networks, is the proposed "theory of operation" described in paragraph 4 of the paper really practical? Dr. Stodolsky proposes that: "In the event that a system is identified as infected, the transaction codes which could represent transactions during which the agent was transmitted are broadcast to all other computers." The words "which could represent transactions" suggest that an attack which used a delay mechanism or "time bomb" approach would make it extremely difficult to identify suspect transactions in a timely manner. It might also suggest that the historical record of transactions would of necessity be inordinately large and for practical reasons might be difficult to implement.

Second, even though Dr. Stodolsky stresses that the contact tracing operation would alert a system to the "possibility" of an agent's presence, does this represent a significant improvement over other more conventional means to broadcast alerts of a potential problem, as is now done over the Internet? For example, if I were running a BSD version of UNIX last November, the tcp-ip broadcast alert (assuming the gateways were still up and functioning) might have been adequate to respond to the Internet Worm. If "contact tracing" had been available, however, would not non-BSD UNIX systems have received "alerts" which would have caused unnecessary concern?

Third, if the alert through contact tracing is to "restrict further transmission of the agent," is not cutting off communications among hosts on a network the only practical solution pending further investigation? If so, do we not have the mechanism to do that now, however imperfectly?

Chris McDonald
White Sands Missile Range

------------------------------

Date: Fri, 28 Apr 89 15:42:58 EDT
From: "Gregory E. Gilbert"
Subject: Trojan REXX EXECs (VM/CMS)

I have noticed that a number of "mischievous" EXECs (VM/CMS) capture information in the NAMES file on one's disk and forward themselves to users listed in one's names file. Is there any way to prevent this (forwarding) from occurring should, by chance and unknowingly, an EXEC be invoked?

[Ed. How about renaming (or encrypting) your names file all the time, except when you're in MAIL or MAILBOOK? Not elegant, perhaps, but probably effective.]

------------------------------

Date: Fri, 28 Apr 89 15:52:35 EST
From: Mignon Erixon-Stanford
Subject: Problem in BASIC virus related? (PC)

One of our guys wrote a BASIC file which reads one ASCII file and writes it out to another ASCII file (just a different arrangement of the data). The interpreter and compiled versions worked perfectly at our main site (on a PS/2 Model 60). Same guy went to an outlying research facility. The interpreter version ran fine (on an AT machine). Guy did a DIR B: of disk 1, which contained data files. Then Guy did DIR B: of disk 2 (which contained a BASIC compiler). The FAT of disk 2 got overwritten by ASCII characters of file info about disk 1. We could not recreate the error on the AT nor back at our main site.

This sounded like a problem with the buffers, so I suggested they: increase # files & buffers in CONFIG.SYS; boot from a back-up copy of the original DOS disk and do a SYS C:; set the file attribute on COMMAND.COM to READ ONLY; check for viruses; have tighter controls on what software is put on the machine. But if any of you folks out there have other suggestions, please write me. Thanks.

Mignon Erixon-Stanford, Smithsonian Institution
otherwise known as IRMSS907 @ SIVM

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
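The contact-tracing scheme Chris McDonald questions above (an infected host broadcasts the codes of every transaction that "could" have carried the agent, and other hosts match those codes against their own history) can be modelled directly. This is an added illustration, not code from the digest or from Stodolsky's paper; the transaction log, host names and the assumption that an agent with a delay mechanism forces the suspect window further back in time are all constructed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    code: int   # transaction code recorded by both endpoints
    t: int      # time of the exchange (one tick per transaction here)
    a: str      # one endpoint
    b: str      # the other endpoint

# Constructed history: ten exchanges among six hosts (sample data, not from the digest).
LOG = [
    Transaction(0, 0, "A", "B"), Transaction(1, 1, "C", "D"),
    Transaction(2, 2, "A", "C"), Transaction(3, 3, "B", "E"),
    Transaction(4, 4, "D", "F"), Transaction(5, 5, "A", "D"),
    Transaction(6, 6, "E", "F"), Transaction(7, 7, "A", "E"),
    Transaction(8, 8, "B", "C"), Transaction(9, 9, "A", "F"),
]

def suspect_codes(log, infected, t_from, t_to):
    """Codes the infected host broadcasts: every transaction it took part in
    during the window in which the agent could have been transmitted."""
    return {tx.code for tx in log
            if infected in (tx.a, tx.b) and t_from <= tx.t <= t_to}

def alerted_hosts(log, codes, infected):
    """Receivers compare the broadcast codes with their own history."""
    return {h for tx in log if tx.code in codes
            for h in (tx.a, tx.b) if h != infected}

def exposed_hosts(log, infected, t_true):
    """Hosts that really talked to `infected` after it was infected at t_true."""
    return {h for tx in log if infected in (tx.a, tx.b) and tx.t > t_true
            for h in (tx.a, tx.b) if h != infected}

def alerts_by_lookback(log, infected, t_detect, t_true, lookbacks):
    """For each lookback (how far the suspect window reaches back, which a
    delayed-action agent pushes upward), return (hosts alerted, hosts alerted
    unnecessarily). Short windows miss real exposures; long ones cause the
    'unnecessary concern' McDonald describes."""
    exposed = exposed_hosts(log, infected, t_true)
    out = {}
    for lb in lookbacks:
        codes = suspect_codes(log, infected, t_detect - lb, t_detect)
        alerted = alerted_hosts(log, codes, infected)
        out[lb] = (len(alerted), len(alerted - exposed))
    return out

if __name__ == "__main__":
    # Host A was infected via transaction 2 (t=2) and only notices at t=9.
    for lb, (n, extra) in alerts_by_lookback(LOG, "A", 9, 2, [0, 2, 4, 7, 9]).items():
        print(f"lookback {lb}: {n} hosts alerted, {extra} unnecessarily")
```

With a lookback of 0 only F is alerted although D and E were also exposed; with a lookback covering the whole history all five other hosts are alerted, two of them without having been exposed at all.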