VIRUS-L Digest Wednesday, 15 Feb 1989 Volume 2 : Issue 48 Today's Topics: RE: VT100 emulation (Commodore 64) MIT virus paper available for anonymous ftp (Internet) DECNET VTxxx trojan horse Re: 3M ad Authentication help on VIRUS-L archives --------------------------------------------------------------------------- Date: Tue, 14 Feb 89 17:36 EST From: LEFF@vms.cis.pittsburgh.edu Subject: RE: VT100 emulation (Commodore 64) I am completely familiar with one of the popular VT100/VT102/VT52 emulators for the Commodore 64 (EMULATOR.100, Allegheny Software Works, P.O. 7103, Pgh., PA 15213). This is a standard emulator that follows the DEC manual--there is NO WAY to set the answerback message from the host site. There is also NO WAY to echo text from the screen back to the host--I don't think "send character" and "send line" are part of VT100/VT102 or VT52--don't know about the VT131's though. Also, the function keys/user defined keys can ONLY be programmed from the terminal side. Certainly any emulator that allows the host to reprogram its answerbacks/user defined keys is wide open to attack! ------------------------------ From: Jon Rochlis Date: Tue, 14 Feb 89 18:13:06 EST Subject: MIT virus paper available for anonymous ftp (Internet) The MIT paper on the Internet virus of last Novemember, "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988", is now available via anonymous ftp from either bitsy.mit.edu (18.72.0.3) or athena-dist.mit.edu (18.71.0.38) in the pub/virus directory as mit.PS (and mit.PS.Z). A version of this paper will be presented at the 1989 IEEE Symposium on Research in Security and Privacy. -- Jon Abstract: In early November 1988 the Internet, a collection of networks consisting of 60,000 host computers implementing the TCP/IP protocol suite, was attacked by a virus, a program which broke into computers on the network and which spread from one machine to another. This paper is a detailed analysis of the virus program itself, as well as the reactions of the besieged Internet community. We discuss the structure of the actual program, as well as the strategies the virus used to reproduce itself. We present the chronology of events as seen by our team at MIT, one of a handful of groups around the country working to take apart the virus, in an attempt to discover its secrets and to learn the network's vulnerabilities. We describe the lessons that this incident has taught the Internet community and topics for future consideration and resolution. A detailed routine by routine description of the virus program including the contents of its built in dictionary is provided. ------------------------------ Date: Tue, 14 Feb 89 11:52:15 PST From: PJS%naif.JPL.NASA.GOV@Hamlet.Bitnet Subject: DECNET VTxxx trojan horse Thanks to Jerry for his comprehensive posting. Apologies for an error in mine: I had stated that it was possible to send any control character in a MAIL message. Well, you can, but it won't be displayed on the screen; all are converted to $ signs except for the following: BEL BS HT LF CR FS GS RS US DEL although if you EXTRACT the message all control codes are left intact. Evidently DEC installed the filtering since I last tried sending control characters in MAIL messages, when it *was* possible, for instance, to send a control-S. The worst that appears possible with the above set of codes is that some terminals will enter graphics mode. It is indeed fortunate that ESC cannot be sent, because I just discovered that my VT220 compatible supports commands for both programming and ordering transmission of PF keys! I tried it. It gave me a shudder. There is a SETUP option to lock the PF keys, but it doesn't work. Sigh... Years ago I used a Sigma graphics terminal which was put into graphics mode by the `escape sequence' "+-*/". Fortunately it wasn't possible to do anything other than draw pretty pictures after that point. Peter Scott (pjs@grouch.jpl.nasa.gov) ------------------------------ Date: Tue, 14 Feb 89 18:56 EST From: Subject: Re: 3M ad Neil Goldman writes: >I was just paging through "Business Today", a magazine mailed to >college students around the country, and stumbled upon the following >ad: > >Under a picture of a 3M data cartridge it read: "Until There's a Cure >For Computer Viruses, Take One Of These And Get Back To Work." ... > >It is unfortunate that our counterparts in industry are not assisting >in rectifying the (perhaps unsolvable, yet certainly *not* >unimprovable) problem. Agreed. I for one was particularily disappointed to find that 3M was behind this. Having been acquainted with a number of 3M people over the years, I got the impression that theirs was not a company to advertise or promote themselves in such a way. The thing I find worst about it is that they are not only promoting backups as a cure for virii, but plugging THEIR OWN BRAND as a cure, as if their tapes were somehow virus-proof or immune. While this may sound ridiculous to us, I have worked with enough people who have a hard time knowing what to do with an "OFF" switch to know that some of them are going to think this and interpret the ad that way. I'd just like to see it when they get a call from somebody whose backups got infected and screams "I thought your tapes were immune!". As a matter of personal opinion, I have just about tossed the commercial companies who deal with viruses and prevention on the heap with the media. Most of the good, usable anti-virals I have seen have been shareware or PD utilities done by somebody who was stung themselves and wrote it to protect themselves and help out those in similar straits. Put it another way, they did it to help the problem, not make a buck off it. - --Steve - --------------- Steve Okay ACS045@GMUVAX.BITNET/sokay@gmuvax2.gmu.edu/CSR032 on The Source |____| |____New address, please do not send mail to "acs045@gmuvax2.gmu.edu" that account is dead "Despite Colorization, MSDOS, and lights at Wrigley Field, One can still take comfort in the fact that no one is known to have run COBOL under UNIX" ------------------------------ From: David.J.Ferbrache Date: Tue, 14 Feb 89 14:50:45 GMT Subject: Authentication My recent request for information has raised an interesting problem, basically who on a public list can be trusted with potentially sensitive information concerning the functional principles of known viruses, or indeed for that matter with disassembled or object code versions of the virus. Unfortunately, being a researcher at a UK university precludes most of the traditional techniques such as personal contact at conferences. You try persuading my Department to pay for a trip to the US on a matter unrelated to my full-time job (ie Part time Phd work). Equally, when I complete my report the question of who should I send a potentially useful reference on viruses to. The method suggested by two of my respondents is that of a letter on Departmental notepaper, I suspect that this is not foolproof, and the difficulty involved in either obtaining University notepaper or producing an authentic fake notepaper is comparitively small. The recent case of the Modem virus hoax also points towards the need for a list of recognised researchers in the field. (A recent article in the FIDONET news reviewed at great length the difficulties arising from untrusted software, together with suggestions for digital signatures). So in summary, unless anyone has any good ideas concerning authentication, is there such a thing as a list of active researchers in the field, preferably also indicating their area of specialisation? PS. Thanks to everyone on the list who responded to my original request for information. Since that time I have found another 5 forms of Amiga viruses, and 4 Apple II viruses. Before anyone asks for details of these, I am still waiting on additional information. I think that now makes 37 virus strains and variants for Micros, together with a number of Mainframe system viruses, worm and chain letters. If anyone is in the process of collating a list of extant viruses please get in touch, and we can arrange to pool our information. Dave Ferbrache Personal mail to: Dept of computer science Internet Heriot-Watt University Janet 79 Grassmarket UUCP ..!mcvax!hwcs!davidf Edinburgh,UK. EH1 2HJ Tel (UK) 031-225-6465 ext 553 ------------------------------ Date: Wed, 15 Feb 1989 18:22:00 SIN From: Thomas Tong Subject: help on VIRUS-L archives Hi ... I would like to enquire how I can get back-dated issues of the virus-l digests that ( apparently ) were not distributed to the BITNET sites... I checked several nodes ( eg. LEHIIBM1 ) for the archives but there are some issues missing... The latest "missing" issue that I did not receive ( and a whole lot of other people too ) is V2 issue 01... Hope that you can assist me in this matter. Thank you! Thomas Tong tongteck@nusdiscs.bitnet [Ed. VIRUS-L originates on a BITNET/Internet node, IBM1.CC.LEHIGH.EDU (aka LEHIIBM1.BITNET). It is directly distributed to both BITNET and Internet. Thus, all of the back-dated issues were sent to both. There is no V2I1, however. Actually, there is, but it contains one "welcome back from the holidays" message from me - it was sent but never distributed while were were having some LISTSERV related problems. When the problems were fixed, I never re-sent that digest since it contained no useful information. The LISTSERV archives here on LEHIIBM1 contain 100% of the contributions to VIRUS-L - unedited.] ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253