VIRUS-L Digest Wednesday, 1 Feb 1989 Volume 2 : Issue 34 Today's Topics: Re: anti-virus viruses Request for info on possible Mac virus. Re: Origin of the term `virus' Re: "FRG Nazi virus" posting / apology-correction Re: MacWrite bombed by a virus? (from this issue) Malicious program classification MIS "Virus Briefing" FSP_15 (IBM Anti-Viral Software) bug??? (PC) --------------------------------------------------------------------------- Date: Wed, 1 Feb 1989 09:28 EST From: Bruce Ide Subject: Re: anti-virus viruses One of these days I'm going to have to dig up my research paper... Sorry guys, Not yet. Yo! Commander Spock! That's a scary idea you've come up with. Lets not try to spread that one about in case no one has thought of it, ok? Now then, it seems to me that the hardest bit of writing a virus is getting the damn thing to spread. So if you can kill its spread abilities, you've killed the virus. But what if we took a "live" virus, mangled its spread abilities a bit, and then let the thing go with "instructions" to seek other viruses like itself and copy it's spread abilities over their own. Then at a certian date, have the lot of them "kill" themselves? You'd still have a lot of copies out there until the date, maybe doing damage, but if there was no other way to pull it off, you'd have a population control. -Grey Fox [Ed. The idea of using anti-virus viruses (somewhat of an oxymoron) was kicked around some time back; the more-or-less unanimous feeling of VIRUS-L readers at the time was that it is a very bad idea. Aside from setting a bad precedent, it has the distinct possibility of backfiring if someone alters your anti-virus virus to do something that you hadn't intended for it to do. Comments?] ------------------------------ Date: Wed, 1 Feb 89 10:37 EST From: Cincinnati Bengals. Subject: Request for info on possible Mac virus. On a Macintosh we've got here in the Academic computing center at Xavier, we've got Macwrite on a hard-drive. Whenever I've tried to startup Macwrite, I get a system error with the ID of 02. I remember reading in one of the recent digests that there apparently was a virus that caused this to happen. Unfortunately, I deleted those messages from my account concerning that topic. Could anyone please tell me if this is true, and if so, what can be done about it? Thanks, Tom Kummer Acknowledge to: KUMMER@XAVIER.BITNET [Ed. See Joe McMahon's reply later in this issue.] ------------------------------ Date: Wed, 01 Feb 89 08:32:09 -0800 From: James M Galvin Subject: Re: Origin of the term `virus' > I remember 8 years ago coming across the term `worm' for the first > time: it was a program (developed at Xerox, I believe) that soaked up > spare cpu cycles on networked machines to perform some lengthy, > non-critical task (disk defragmentation or computing pi); there was no > derogatory connotation. See Communications of the ACM, March 1982, v25 n3, 'The "Worm" Programs--- Early Experience with a Distributed Computation'. Interestingly, the article is immediately followed by "Self-Assessment Procedure IX", a self-assessment procedure dealing with ethics in computing. Jim ------------------------------ From: J.D. Abolins Date: 1 Feb 89 Subject: Re: "FRG Nazi virus" posting / apology-correction Ken's addition to my posting about the relevance of another posting was appropriate. I rechecked the messages and found that the original posting was citing another writer's usage of the term virus. My apologies about the light flame. Also for any offline e-mail, my BITNET address is OJA @ NCCIBM1. (Since everything is entered manually at the keyboards, I sometimes slip up.) ------------------------------ Date: Wed, 01 Feb 89 11:28:03 EST From: Joe McMahon Subject: Re: MacWrite bombed by a virus? (from this issue) Well, you could possibly have any number of problems, not all of them virus-related. 1) Your hard disk is getting an unreported read error on MacWrite. Duplicate the file and see if the copy will run OK. If so, run your hard disk's diagnostics and see if they come out OK. If not, call your dealer and take the drive in for service. 2) Your copy of MacWrite is bad. Replace it from a LOCKED, KNOWN-CLEAN copy and try it again. 3) Your System file is bad. Replace it in the same way. 4) You have an INIT or CDEV in the System folder which does not let MacWrite initialize properly. Move all of your INIT and CDEV files into a folder inside the System folder called "Disabled INITs" or something like that. If MacWrite runs after you reboot, try taking them out 1 at a time until MacWrite breaks again. 5) You have a known virus. Try running VirusDetective(tm) 2.0 against your hard disk. You will want to create another boot disk by copying a known-clean System to a blank disk and installing VirusDetective there. If you find a known virus, run the proper disinfectant (if one exists) to get rid of it. If it's the INIT 29 virus, VirusDetective will report it, and can remove it from your non-application files. You will have to restore your applications and System from known-clean copies. 6) You have an unknown, new virus. Run Interferon 3.1 or Virus Rx 1.4 to look for possible infections. Then replace the possibly-infected files from known-clean originals. Please drop me a note directly if you get to step 5 without fixing the problem. Also, it would be interesting to know if any of the following things happen: 1) Locked disks, when inserted, get the "This disk needs minor repairs" dialog. If so, you could have the INIT 29 virus, which I think is the one you are thinking about. 2) Printing of large documents fails at irregular intervals. This could be several of the viruses, INIT 29, Scores, Hpat, or nVIR. --- Joe M. ------------------------------ Date: Wed, 01 Feb 89 12:31:42 ECT From: Ken Hoover Subject: Malicious program classification Ken van Wyk has a very good point. The distinction between Error-exploiting, Feature-exploiting, and Hardware-exploiting programs is an important one. A suggestion for virus classification: A kind of "standard notation" should be agreed apon which would tell one the type of program and the way it operates in a single sequence of characters. The basis for such a system could be three kinds of programs - Trojans, worms, and viruses -- standard definitions, nothing new here; and three methods of activity - hardware, error, and feature exploitation, as Ken suggested. If we use a three-letter code for each major type: VIR - Virus WOR - Worm TRO - Trojan Horse program And a single character for the mechanism used: e - error-exploiting f - feature-exploiting h - hardware-exploiting The combination would say a lot more than just "well, it propogates itself through its use of the XXX operating system". Most MS-DOS programs fall into the fVIR or hTRO categories, and CHRISTMA.EXEC would be a fWOR (as far as I know) under this notation. eWOR would quickly describe the RTM worm. This is only a suggested format for such a classification. Unfortunately, the nVIR macintosh virus kind of throws a wrench into the works, and I've left out other aspects that could be covered, such as timed-dormancy, relative nastiness, the type of systems affected, etc. This could, however, be a starting point. - Ken Hoover UG Consultant SUNY-Binghamton Binghamton, NY USA. Disclaimer: The opinions are my own. I don't get paid enough to represent my employers'. ------------------------------ Date: Wed, 1 Feb 89 08:43 MDT From: "David D. Grisham" Subject: MIS "Virus Briefing" Has anyone else planned to attend any of the "virus Briefings" given by MIS, with Dr. Cohen? I'm interested in going to the Dallas presentation if there will be others in the field who can share experiences and knowledge. I doubt that a one day briefing will be that beneficial on it's own. dave *-----------------------------------------------------------------------* | Dave Grisham | | Senior Staff Consultant/Virus Security Phone (505) 277-8148 | | Information Resource Center | | Computer & Information Resources & Technology | | University of New Mexico USENET DAVE@UNMA.UNM.EDU| | Albuquerque, New Mexico 87131 BITNET DAVE@UNMB | *-----------------------------------------------------------------------* ------------------------------ Date: WED FEB 01, 1989 15.21.05 EST From: "David A. Bader" Subject: FSP_15 (IBM Anti-Viral Software) bug??? (PC) I have been using Flu_Shot 1.5 (by Ross Greenberg) and am a lot happier with this version than the previous, 1.4, because the new version doesn't check CMOS ram. However, I have noticed that using DOS 3.3's PRINT command flags as a TSR by FSP_15 and hangs my 286 clone. Anyone else use FSP_15???? - -David Bader DAB3@LEHIGH ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253