VIRUS-L Digest              Friday, 16 Jun 1989        Volume 2 : Issue 139

Today's Topics:

Virus threats to mainframes
Re: Forward of Virus Warning recieved from PCSUPT List
Network nasties or tough micro restrictions
RE: no viruses from software companies
Flushot+ query (PC)
Addendum to Previous Note re: WP virus (PC)
WordPerfect Virus (PC)
Wordperfect Virus and a Solution (PC)
Possible PC Virus?

---------------------------------------------------------------------------

Date: Thu, 15 Jun 89 15:48 CDT
From: Ken De Cruyenaere
Subject: Virus threats to mainframes

In tune with our moderator's interest in expanding the discussion on
viruses, here is some food for thought, from the June 1989 issue of
Canadian Datasystems:

VIRUSES POSE INCREASING MENACE TO MAINFRAMES

Viruses represent a growing, unrecognized menace to large systems,
virus experts told a Canadian Information Processing (CIPS) security
seminar in Toronto recently.

Security consultant Peter Kingston of Kingston Goulborn & Assoc., Don
Mills, Ontario, said DP professionals badly underestimate their
exposure to viruses. He said the threat is greater than most people
realized on mainframes. Midrange systems were even more vulnerable.

Dr. Harold Highland, editor of computer security journals in the US
and UK and coordinator of an international study on virus filters,
said a lack of publicity did not mean mainframes had not yet been
attacked by viruses. He said firms tend to cover up such breaches of
security, much as they do cases of embezzlement. They don't want to
prosecute violators or make the incidents known.

He had not officially heard of any viruses infiltrating mainframes, he
said. But he had learned unofficially of viral assaults on mainframes
from vendors who sold security packages for large systems. Awareness
would remain low until some reporter dug out the facts and revealed
what has been happening.

He said the extent of the threat was difficult to fathom because of
corporate secrecy and the fact many computer foulups mimic viral
intrusions. A lot of suspected viruses turn out to be simply human
errors, he said. For example, someone may try to run a communications
program on an incompatible operating system and blame the resulting
disruption on a virus.

He indicated large systems could be infected more easily than was
commonly believed. In particular, he said a glaring weakness existed
in Communications Monitoring System (CMS) version 4 for IBM's MVS
operating system where a dangerous virus could be introduced by simply
programming 16 lines of code.

Networks are also highly vulnerable to infection, said Mr. Kingston.
He said LAN security depended a great deal on protecting file servers,
and monitoring gateways and passwords. User and message authentication
was lacking at LAN front ends. He said a lot more encryption
techniques and control of LAN administrators were needed to forestall
future trouble.

Dr. Highland demonstrated several different types of common PC
viruses. One invaded spreadsheets and made incorrect adjustments to a
few figures in only one column of a worksheet every time the program
was activated.

For some software filters to work, users must indicate precisely what
files they want protected, he said. Some filters take 4 to 6 hours to
install on each PC. This could translate into substantial time and
expense for corporations with thousands of micros.

Dr. Highland said no foolproof measures existed for safeguarding data.
He frequently advised people to go "to your church, synagogue, mosque
or whatever your place of worship and pray".
---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada
Bitnet: KDC@CCM.UManitoba.CA        (204)474-8340

------------------------------

Date: Thu, 15 Jun 89 12:51:52 PDT
From: rmorey@ORION.CF.UCI.EDU
Subject: Re: Forward of Virus Warning recieved from PCSUPT List
Organization: University of California, Irvine

RE: Word Perfect viruses

Hi,

The only time I have ever had a Word Perfect problem like that was
when someone was running TUTOR.COM and did not have WP.EXE in the
TUTOR subdirectory (WP Corp. instructs people to create a separate
subdirectory for TUTOR). By making a copy of WP.EXE to the TUTOR
directory or by copying all the Tutor files into the WP directory,
this error would no longer occur.

Also, Word Perfect 5.0 had a series of bugs on its first release which
I contacted the company about--we received two updates. I wasn't into
Word Perfect when version 4.2 came out but I wouldn't be surprised
that the earlier releases had some bizarre bugs too. Have you
contacted the Word Perfect Corporation?

Hope this helps,

Robert J. Morey

------------------------------

Date: 16-JUN-1989 13:25:58 GMT
From: ZDEE699@ELM.CC.KCL.AC.UK
Subject: Network nasties or tough micro restrictions

In VIRUS-L Digest V2 #137, 14 Jun 89, Kenneth van Wyk writes:

>The change has made me curious about the future of VIRUS-L/comp.virus.
>I will, as promised, continue to moderate, but where is the group
>heading? At the SEI, my project is very Internet related. I'd like
>to see some of the discussions here on VIRUS-L touch on network
>security issues. I'd also like to see more discussions on
>non-microcomputers. (This doesn't mean that we're abandoning micros
>by any means, merely that I'd like to see the group branch into other
>areas as well.)

I agree with Ken that there should be more discussions on network
security issues.
I joined the discussion list in November 88, on the exact day when the
RTM virus struck the internet community, and most of the talk was
about networks. Nowadays, it looks like the list has gone to
microcomputer-based virus discussions...

We have had few problems with these types of nasties in King's, simply
because restrictions on running software are followed carefully. I
mean that nobody is allowed to bring his/her own software and run it
on the machines. There is a strict registration scheme for use of PC's
and Macs, and whenever a machine is infected, it is possible to trace
the culprit (who often didn't even know that his floppy was infected)
and ban him from using the facilities. Machines are checked for
viruses every morning using available checking programs, and any
infection is immediately dealt with. If anyone wants to run their own
software they must first submit it to the computer centre who will
check it carefully on a separate machine... etc. etc.

This might sound rather strict to some people, and others might think
that it is a great waste of time, but it's a choice. As a result, we
haven't had *any* cases when all machines are infected, loss of
valuable information and so on.

Coming back to network security, here is the question:

"Would another major disaster like the November 1988 Internet Worm be
possible now, more than 6 months later?"

Feedback welcomed - Usual disclaimers apply...

O. Crepin-Leblond - Computer Systems & Electronics 2
Electrical & Electronics Engineering
King's College London, UK

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond            |- If no-one can do it|
|JANET   :                              |  then do it yourself|
|BITNET  :                              |- If you can't do it,|
|INTERNET:                              |then P A N I C !!|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date: 16-JUN-1989 13:50:21 GMT
From: ZDEE699@ELM.CC.KCL.AC.UK
Subject: RE: no viruses from software companies

In VIRUS-L Digest, Thursday, 8 Jun 1989, Volume 2 : Issue 132:
odawa@well.sf.ca.us (Michael Odawa) writes:

> Let us set the record straight on this subject:
> No known software publisher has ever intentionally released a virus
> into circulation, nor is it likely that any would do so, as it would
> be contrary to their interests. Viruses threaten the entire software
> industry and expose the releasing party to an enormous legal
> liability.

Mr. Odawa might speak for U.S. software distributors, but surely not
for foreign publishers... however small they are. The Alvi brothers in
Pakistan made a small software company, and included viruses and bugs
in their programs so as to get customers to pay them when something
was going wrong. It might be an isolated case, but then Mr. Odawa
cannot certify that "No known software publisher has ever
intentionally released a virus into circulation".

Feedback, Flames, etc. welcomed... to a certain extent...

O. Crepin-Leblond, Comp. Sys. & Electronics,
Electrical & Electronic Engineering,
King's College London, UK

Disclaimers etc. apply...

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond            |- If no-one can do it|
|JANET   :                              |  then do it yourself|
|BITNET  :                              |- If you can't do it,|
|INTERNET:                              |then P A N I C !!|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date: Fri, 16 Jun 89 09:55 EST
From: Paul
Subject: Flushot+ query (PC)

Hi all:

Does anybody know the company name that makes Flushot + ???

Thanks
/paul

[Ed. FluShot+ was written by Ross Greenberg - he can be reached by
email at .]

------------------------------

Date: Fri, 16 Jun 89 09:37:00 PAC
Sender: Virus Alert List
From: Bill Pyle
Subject: Addendum to Previous Note re: WP virus (PC)

I forgot to add at the bottom that it is necessary to tell WordPerfect
5.0 through SETUP that the printer files are on the C-disk. We put the
.PRS files on the ramdisk to save room on our second diskette.

This method would probably work with WP 4.2, but I think the printer
file would have to be on the A-drive with your WordPerfect program.
The ramdisk could be made a bit smaller in that case.

------------------------------

Date: Fri, 16 Jun 89 08:55:00 PAC
Sender: Virus Alert List
From: Bill Pyle
Subject: WordPerfect Virus (PC)

I noted Jenny Wirtschafter's comments about the WordPerfect virus and
in particular the comment that the WordPerfect disk must be used
without a write protect tab.

We run WordPerfect 5.0 in our labs with write protect tabs. In fact,
we have converted to notchless diskettes in our lab. This was prompted
by the presence of the Alameda and Pakistan viruses on our campus.

The Method:

We use two diskettes to load WordPerfect.

The boot diskette has

     DOS
     AUTOEXEC.BAT
     CONFIG.SYS
     WP.EXE
     WP{WP}.SET
     All .PRS files to support our printers.
     RAMDISK.SYS for 5 1/4" diskettes or VDISK.SYS for 3 1/2"

The second diskette has

     WP.FIL
     WP.MRS
     WPSMALL.DRS
     KEYS.MRS (on 3 1/2")
     WPHELP files (on 3 1/2")
     .LEX file (on 3 1/2")

The CONFIG.SYS file has

     FILES=20
     BUFFERS=15
     DEVICE=RAMDISK.SYS 48         (for 5 1/4")
     DEVICE=VDISK.SYS 48 512 16    (for 3 1/2)

The AUTOEXEC.BAT file has

     COPY A:*.PRS C:
     COPY A:*.SET C:
     B:
     SET WP=/D-C
     A:WP
     A:
     CLS

The CONFIG.SYS DEVICE= statement creates a 48K ramdisk (C-drive). The
AUTOEXEC.BAT file statements copy the printer resource files (.PRS)
and the WP{WP}.SET file to the ramdisk.
The /D-C option on the WP command (specified in the SET command),
causes WordPerfect to look at the C-drive for the SET file and it also
uses the C-drive for the overflow files. The SET file and the overflow
files are the only ones requiring write access.

This also lets the user change the printer settings through PRINT or
other settings through SETUP, but it won't mess up the next user,
since the original version of the SET file will be copied out to the
ramdisk the next time WordPerfect is loaded. This allows for
guaranteeing that WordPerfect will always look the same for each user.

Actually, we block out the SETUP command by redefining the keyboard in
a STARTUP macro, but it really isn't necessary and will probably
change that when we convert our whole lab to 3 1/2" drives. At that
point, we may start popping out the slide that allows the user to
control read/write access on 3 1/2" diskettes. Not as nice as
notchless diskettes.

Bill Pyle
Manager, User Services
University of Idaho
Moscow, ID 83843
(208) 882-8872
BITNET: BILLP@IDUI1

------------------------------

Date: Fri, 16 Jun 89 14:32:00 EST
Sender: Virus Alert List
From: Ron Kiener
Subject: Wordperfect Virus and a Solution (PC)

I transmitted the original posting to friends at Tel Aviv University
who claim that the virus has been with them for 6 months or so. A
program was developed in Israel called UNVIRUS (freeware) which fixes
the problem. I have yet to download and decode the UNVIRUS program,
but I will do so soon. Since I use 5.0, I have not experienced this
problem, and I cannot test for the accuracy or reliability of the
program. I will be happy to post the UNVIRUS program in UUE format if
people want it.

Ronald Kiener
RKIENER@TRINCC.BITNET
Trinity College

------------------------------

Date: Fri, 16 Jun 1989 14:19 EDT
From: David W. Loveless
Subject: Possible PC Virus?

I've been asked to help with a possible virus PC infestation at
another institution, in our area.
If this virus is confirmed, as far as I know it would be the first PC
virus found in our locale (London, Ontario, CANADA). MAC viruses have
hit our university at least once, though. Currently, this virus seems
to be restricted to just one PC, as far as we know, anyway.

The Symptoms:

(1) When running Fastback-Plus to backup the 20 meg hard disk more
    than 100 floppies were needed

(2) A second directory named CS was found on the hard disk. It had
    never knowingly been set up by the user. Its contents seemed to
    reference files referenced in other directories.

(3) When this CS directory was removed - none of the files it had
    referenced could be accessed even though they were still in
    existing directories.

Some thoughts:

(1) Some people have suggested that Norton Utilities might set up a
    second directory to protect the hard disk. The Norton Utilities
    are on the hard disk but the user doesn't think this feature (if
    it exists) was ever activated.

(2) The makers of Fastback Plus were contacted and have said that
    their product does not create any "mirror-image-like" directory.

Some questions:

(1) I'm aware of virus-protection software like FLU-SHOT+ and CHECKUP
    for PCs. Is there any virus-detection and identification software
    for PCs? Something we could use to isolate, identify and remove
    the virus we are facing.

(2) Has anyone seen a virus like this? If you have, what is it and how
    do you get rid of it?

(3) Is there some other explanation for the symptoms? i.e. - we don't
    really have a virus?

Thanks in advance for your help.

                                        *********************************
David W. Loveless                       * Today's Question...           *
Technical Support Analyst               *                               *
The University of Western Ontario       * How do I know what virus I    *
Computing and Communications Services   * have? Is there a cure?        *
Administrative Systems Support          *                               *
Room #16, Stevenson-Lawson Building     *********************************
London, Ontario                         E-Mail:
CANADA N6A 5B8                          CCSDWL@UWOCC1.UWO.CA
PHONE: (519) 661-2111 EXT: 5993

------------------------------

End of VIRUS-L Digest
*********************