VIRUS-L Digest   Thursday, 5 Oct 1989   Volume 2 : Issue 213

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

Pointer to Cohen's publications
Re: Followup on new virus (Mac)
Re: Why not change OS?
About the DH&S proceeding(s)...
Re: OGRE virus in Arizona (PC)
Increasing rate of virus appearances
Binghamton Jerusalem-B virus - The day after. (PC)
M-1704 question (PC)
WSMR newspaper article on Anti-Virus program

---------------------------------------------------------------------------

Date: Wed, 04 Oct 89 19:18:50 -0500
From: Christoph Fischer
Subject: Pointer to Cohen's publications

Hello

I need the exact bibliographic data of Fred Cohen's dissertation and
publications in the field of computer viruses. If there exists a
downloadable printfile with such material I would be very happy about
any hints.
Thanks
Chris

*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober     *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************

------------------------------

Date: 04 Oct 89 18:09:20 +0000
From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Re: Followup on new virus (Mac)

In article <0004.8910041115.AA07054@ge.sei.cmu.edu>
eplrx7!milbouma@uunet.UU.NET (milbouma) writes:
>I can recommend Symantec's new antiviral package, SAM, which will flag
>any abnormal writes from an application (like Vaccine if you're
>familiar with it, but better than Vaccine). SAM will at least protect
>your machines from getting infected and also has a Virus scanner
>program that scans for known viruses and can also repair irreplaceable
>apps that are infected. Part of the protection init also will ask you
>if you want to scan a floppy for known viruses whenever you insert
>one.

Of course, as an alternative to SAM, you can save yourself a lot of
money and go with GateKeeper 1.1.1, which has not only been stopping
viruses around the world 6 months longer than SAM (and all the other
johnny-come-lately commercial systems), but is completely free.
Furthermore, I gather that GateKeeper is significantly more
configurable than SAM insofar as it maintains a privilege list which
can be easily viewed and edited (I've never used SAM, so I don't speak
from first-hand experience on this point, but people assure me that
it's a *very* important difference in practice). If you need telephone
support, though, SAM is clearly better for you... the closest thing to
interactive support available with GateKeeper is email.
GateKeeper doesn't provide a virus-scanner, but with Disinfectant
available (also for free) it's not much of a problem.

One other thing that makes GateKeeper unique in the world of Macintosh
anti-virus systems is that it keeps a log file that details exactly
what virus related operations have been attempted, when, by whom and
against whom.

GateKeeper 1.1.1 (as well as Disinfectant) is available from most
archive sites, including a local system, ix1.cc.utexas.edu in the
microlib/mac/virus directory.

Well, happy virus hunting no matter what system you choose,

----Chris (Johnson)
----Author of GateKeeper

------------------------------

Date: Wed, 04 Oct 89 17:01:06 -0400
From: Tim Endres
Subject: Re: Why not change OS?

Better than changing OS to get better virus "resistance", why not
encourage the systems designers at Apple and IBM to implement
protection in their respective operating systems? An entire document
dedicated to stopping virus activity at the OS level was mailed to
John Sculley at Apple. Yet, to this day, even with an entire new OS
release, not one of the suggestions given has been implemented!

I am sure that there are many complex issues facing a company such as
Apple, with regards to this problem, and changes at the OS level to
deal with viruses will, and probably should, be slow. Further, I must
give Apple credit for the action they did take when Macintosh viruses
first surfaced. In some cases, they sent their own engineers to
infected sites for investigation and assistance. They were the first
to engage in "Virus Awareness" campaigns. Unfortunately, we have seen
no work at the OS level.

What users should be doing, is overtly pressuring computer
manufacturers to address this need at the OS level, and start buying
equipment from vendors who move in that direction.

------------------------------

Date: Wed, 04 Oct 00 19:89:18 +0000
From: utoday!greenber@uunet.UU.NET (Ross M. Greenberg)
Subject: About the DH&S proceeding(s)...
I wasn't too happy with the end result of what DH&S (Steve Ross works
for them) produced. The invitational excluded a number of people
(including me, so this might be a biased report). The only person
there really familiar with the world of PC and other micro viruses was
Pam Kane (Panda Systems & Dr. Panda Utilities - good stuff!).

They spent a great deal of time on nomenclature. Something like two
days. Very little on practical "how-to's" or anything at all of a
technical nature. The conclusion of the report is basically a
sales-promo piece on why you should hire DH&S consultants if you have
a virus problem or wish to make sure you don't get one.

I consider this mailing list *considerably* more informative,
objective, and honest.

Note: I ended up attending the symposium, then being asked to leave
when I mentioned that it seemed inappropriate to give this little
meeting any credibility when only three or four people there, out of
the 50 or so who presented, had *ever* seen a virus. To be honest, I
was a gate crasher.

Ross M. Greenberg
Author, FLU_SHOT+

------------------------------

Date: 04 Oct 89 23:15:47 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Re: OGRE virus in Arizona (PC)

In article <0011.8910041808.AA09177@ge.sei.cmu.edu> WIER@NAUVAX.BITNET writes:
| Because the OGRE virus operates at such a "low level," none of the
| existing virus detection/elimination programs currently in existence
| for the IBM PC will work.
|
| FUTURE VIRUS DETECTION IDEA
|
| Checksum the boot blocks.

The new program BootChek goes one better than this. It will compare
the entire boot block with a secured copy. Since it is small, this
comparison is fast, and better than a checksum. If a change is
detected, the computer is halted.

WARNING: This will detect any *change* in the boot block. If you start
with an infected system, this won't help.
--
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date: Wed, 04 Oct 89 20:39:29 -0400
From: RREINER@YORKVM1.BITNET
Subject: Increasing rate of virus appearances

It is my impression, judging primarily from reports on VALERT-L, that
the rate at which new viruses are appearing has accelerated
substantially in recent weeks. There was previously what seemed a
stable rate of one new virus every few weeks; this seems now to have
become one new virus every few days.

Has anyone been keeping more careful records? What is the rate of
increase of the rate of increase?

Richard J. Reiner
BITNET == rreiner@vm1.yorku.ca
Internet == grad3077@writer.yorku.ca
Compu$erve == 73457,3257

------------------------------

Date: 05 Oct 89 04:31:42 +0000
From: consp06@bingvaxu.cc.binghamton.edu
Subject: Binghamton Jerusalem-B virus - The day after. (PC)

Thanks to all of you who responded so quickly to my messages for help.
We now have several programs that will arm us in controlling the
virus. Any more messages, although appreciated, are unnecessary. It's
good to see that people are so eager to help when a crisis occurs.

-Robert Konigsberg

------------------------------

Date: Wed, 04 Oct 89 15:07:00 -0400
From: Jim Shanesy
Subject: M-1704 question (PC)

We (Don Kazem of our Technical Systems group, and myself, a
programmer/analyst) have just downloaded M-1704.ARC from the Homebase
bulletin board and found upon reading the documentation that SCANV40
is supposed to detect M-1704.EXE as a virus. It does not. We both ran
SCANV40 (also obtained from Homebase) on our respective hard disks and
SCAN reports them both as clean. Don's machine is a PS/2 Model 70 with
ESDI-controlled 120 Meg hard disk, and mine is a PS/2 Model 60 with
ESDI-controlled 66 Meg hard drive. We are reluctant to run this
program until we verify that it is not indeed infected, since its
behavior is different from that described in the documentation.

Any comments, Mr. McAfee?

[Ed.
I believe that the newer ViruScan versions were modified to *not*
produce this false alarm; perhaps Mr. McAfee can confirm this.]

**********************************************************************
Jim Shanesy                        JSHANESY@NAS.BITNET
Office of Computer and Information Technology
National Academy of Sciences
2101 Constitution Ave., NW
Washington, DC 20418
(202)-334-3219
**********************************************************************

------------------------------

Date: Wed, 04 Oct 89 12:58:00 -0600
From: Chris McDonald ASQNC-TWS-RA
Subject: WSMR newspaper article on Anti-Virus program

THE WSMR ANTI-VIRUS PROGRAM

The subject of computer "viruses" has attracted considerable attention
in the last three years. The publicity of a Columbus Day virus and the
continuing infection rates of several Friday the 13th viruses have
pointed out the necessity of ensuring all users are aware of common
sense policies and procedures to minimize the threat of viral attacks.
This article attempts to describe our virus defense program at the
Range.

We at White Sands have a unique history in viral research. In the
summer of 1984 we at White Sands Missile Range sponsored a computer
virus "experiment" by a University of Southern California (USC)
undergraduate, Mr. Fred Cohen. Fred went on to obtain his PhD and has
written and lectured extensively on the computer virus phenomenon. So
we have had some direct experience in the area at a rather early
stage.

The definition of a "virus" from Dr. Cohen's original research work is
short, but extremely important to understand some recent viral
attacks. He defined a "virus" as "a computer program that can infect
other programs by modifying them to include a possible evolved copy of
itself." With the infection property a virus can spread throughout a
computer system or network using the authorizations of every user who
might use it to infect their own programs. Viruses can spread on
personal computers as well as on mainframes.
For a variety of reasons we have seen the majority of viruses
infecting personal computers. An Israeli researcher has published a
catalog of 77 identified MS-DOS viruses, including their variations,
as of 2 Oct 89. Other researchers have identified at least 10
Macintosh viruses, including variations, as of 3 Oct 89. "Variations"
occur as individuals receive a copy of an original virus and then make
some change to it for the purpose of creating a "new" virus.

If a "computer virus" is similar to a "biological virus," then could
one apply the defenses or at least the methodology used to counter
infectious human diseases to the issue of automation security? On the
assumption that the comparison holds, then prevention, treatment and
education would seem logical control measures.

We can limit our exposure to computer viruses by controlling and by
monitoring the source of our software. We can "buy" from reputable
sources. We can apply the two-person rule to the development and to
the review of software which we develop in-house. If we must use
public domain and shareware software, then we have an obligation to
observe the policies and procedures which our particular organization
has for the acquisition, control and testing of such software. Users
should also be aware that certain tenant activities at WSMR prohibit
the use of public domain software.

We have at our disposal both commercial and shareware software
products to detect known computer viruses. We have advertised over the
Workplace Automation System (WAS) electronic bulletin board the
availability of VIRUSCAN which specifically detects several Friday the
13th and Columbus Day viruses identified as the DatacrimeI and
DatacrimeII viruses. Users can contact either Bob Rothenbuhler, the
installation systems security manager, at 678-4236, or Chris Mc
Donald, an ISC information systems management specialist, at 678-4176
for assistance.
There are a variety of "disinfectant" programs for the MS-DOS and for
the Macintosh worlds which we maintain in the event of a viral
outbreak. We also have access to the resources of the National
Computer Security Center (NCSC), the Computer Virus Industry
Association (CVIA), and the Computer Emergency Response Center (CERT)
in the event of viral attacks. While it is impossible to stockpile all
possible "treatment" remedies, we have at least a good foundation.

Finally, an article such as this serves to "educate" you, the user
community, as to the threats and to some of the defenses applicable to
the computer virus problem. We have available a briefing on computer
viruses entitled "Everything the New England Journal of Medicine will
never tell you!" which discusses this subject in some detail. The
Information Systems Command has also initiated an eight hour training
class, "Protection of Automation Resources", which will address the
whole subject of automation security, to include viruses. Both Bob and
Chris are always available to answer specific questions and to assist
users within their respective fields of interest.

While we cannot eliminate computer viruses, we can maintain a program
of prevention, detection and education to minimize the possibly
negative impact on our computing environment. Using good common sense
computing practices can reduce the likelihood of contracting and
spreading any virus.

- Backup your files periodically
- Control access to your PC or terminal and limit use to those people
  whom you know and trust
- Know what software should be on your system and its characteristics
- Use only software obtained from reputable and reliable sources
- Test public domain, shareware, and freeware software before you use
  it for production work
- If you suspect your PC contains a virus, STOP using it and get
  assistance

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
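Added by the editor of this page, not part of the digest and not the code of BootChek or any other program mentioned in it: a Python illustration of the point in Jim Wright's BootChek message above, namely that comparing the entire boot block against a secured copy catches changes a simple checksum can miss, together with his caveat that a baseline recorded on an already-infected machine protects nothing. The 512-byte "boot sector", the loader bytes, the 16-bit additive checksum and the checksum-compensating infector are all constructed for this example and are assumptions; no real boot code or virus is involved.

```python
import hashlib

SECTOR_SIZE = 512
SIGNATURE = b"\x55\xaa"  # boot-sector signature in the last two bytes

# Constructed sample loader bytes (arbitrary, standing in for real boot code).
CLEAN_CODE = bytes.fromhex("fa33c08ed0bc007c8bf0fbbe1e7c")


def make_boot_sector(code: bytes) -> bytes:
    """Build a 512-byte sector: code, zero padding, then the 0x55AA signature."""
    if len(code) > SECTOR_SIZE - len(SIGNATURE):
        raise ValueError("loader code does not fit in one sector")
    return code.ljust(SECTOR_SIZE - len(SIGNATURE), b"\x00") + SIGNATURE


def additive_checksum(block: bytes) -> int:
    """16-bit sum-of-bytes checksum: the weak check the posting contrasts
    with comparing the whole block."""
    return sum(block) & 0xFFFF


def secured_copy(block: bytes) -> dict:
    """What a BootChek-style tool would keep aside (assumed layout): the whole
    block for a byte-for-byte compare, plus a strong digest of it."""
    return {"block": bytes(block), "sha256": hashlib.sha256(block).hexdigest()}


def full_compare(block: bytes, copy: dict) -> bool:
    """Byte-for-byte comparison against the secured copy: any change shows."""
    return block == copy["block"]


def infect_preserving_checksum(sector: bytes, payload: bytes, offset: int) -> bytes:
    """Write payload at offset, then spend free zero-padding bytes so that the
    16-bit additive checksum comes out unchanged. Models an infector that
    knows the checksum scheme (an assumption made for the example)."""
    if offset + len(payload) > SECTOR_SIZE - len(SIGNATURE):
        raise ValueError("payload would overrun the sector")
    target = additive_checksum(sector)
    buf = bytearray(sector)
    buf[offset:offset + len(payload)] = payload
    deficit = (target - additive_checksum(buf)) % 0x10000
    # Raise zero padding bytes after the payload until the deficit is paid off.
    for i in range(offset + len(payload), SECTOR_SIZE - len(SIGNATURE)):
        if deficit == 0:
            break
        if buf[i] == 0:
            bump = min(255, deficit)
            buf[i] = bump
            deficit -= bump
    if deficit:
        raise ValueError("not enough free padding to compensate the checksum")
    return bytes(buf)


def run_demo() -> dict:
    """Record a baseline on a clean machine, infect, and report what each check sees."""
    clean = make_boot_sector(CLEAN_CODE)
    copy = secured_copy(clean)  # baseline recorded while the system is known clean
    payload = b"\xeb\xfe" + b"VIRUS" * 3  # constructed marker bytes, not real code
    infected = infect_preserving_checksum(clean, payload, offset=len(CLEAN_CODE) + 16)
    return {
        "checksum_unchanged": additive_checksum(infected) == additive_checksum(clean),
        "full_compare_detects": not full_compare(infected, copy),
        "sha256_detects": hashlib.sha256(infected).hexdigest() != copy["sha256"],
        # Jim Wright's caveat: a baseline taken on an already-infected machine
        # matches the infected block and reports nothing.
        "infected_baseline_misses": full_compare(infected, secured_copy(infected)),
        "signature_intact": infected[-2:] == SIGNATURE,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The infector pays back the checksum deficit with padding bytes, so the additive checksum of the infected block equals that of the clean one while both the byte-for-byte comparison and the SHA-256 digest report the change; the last entry shows why the secured copy must be taken from a system that is known to be clean.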