VIRUS-L Digest            Wednesday, 8 Mar 1989         Volume 2 : Issue 60

Today's Topics:

Bouncing Ball (PC)
Bouncing balls, Falling letters, et cetera...
notarizing
re: Macs with wills of their own...
Re: Macs with wills of their own
PC Bouncing Ball virus (or is it?!)

[Ed. There's been quite a rash of messages sent to the list lately
that were intended for the LISTSERV (e.g., INDEX, LIST VIRUS-L, GET
VIRUS-L LOG8811A). This is a reminder to everyone that LISTSERV
commands have to be sent to the LISTSERV, not to the list itself. The
address of the LISTSERV is LISTSERV@LEHIIBM1.BITNET or
LISTSERV@IBM1.CC.LEHIGH.EDU (either will work).]

---------------------------------------------------------------------------

Date:    6 March 1989, 16:48:47 EST
From:    David M. Chess
Subject: Bouncing Ball (PC)

Well, I've seen a boot-sector virus that did that. It didn't seem to
be related to any other virus I've seen (code very different from the
Brain and so on). It would infect both hard and floppy disks, and the
only obvious effect was the little bouncing face. No EXE or COM file
involvement found or suspected.

Of course, what you have may be an entirely different virus, with the
same screen effect!

DC

------------------------------

Date:    Mon, 6 Mar 89 17:04 EDT
From:
Subject: Bouncing balls, Falling letters, et cetera...

Joseph asked if the author of the Bouncing Ball virus wrote any new
code, or just simply spliced a previously written routine to the
(c)Brain virus. Well, the bouncing ball routine has been floating
around in Public Domain for a while, and other routines used in viri
tend to be culled from similar sources. The falling letter routine,
which is also available in the public domain, is another example of
public domain code that has been added to viri. The authors of these
viri do not even possess the creativity to code their own "joke"
routines. A collection of such routines is available on a disk called
"Jokes" from Public Brand Software.
I am in no way affiliated with PBS, and I am certain many other public
domain clearing houses have such a disk; I am just more familiar with
PBS's catalogue.

Rushdie lives and is hiding in the      Mark James Burge
Chi Phi Fraternity@OWU                  MJBURGE@OWUCOMCN.Bitnet

------------------------------

Date:    Mon, 6 Mar 89 17:55 EST
From:    Lambert@DOCKMASTER.ARPA
Subject: notarizing

Cryptography can provide very strong tools for protecting computer
systems from virus attacks. One particularly useful cryptographic
tool for eliminating viruses would be "cryptographic notarization".
The notarization would provide a strong sealing of the integrity of a
file or disk.

Software could be notarized by "certification authorities". The
certification authorities would be distributed and hierarchical. This
would allow every commercial software house to be its own notarizing
authority. The notarization would not prevent the distribution of
malicious code, but would provide strong integrity and traceability of
the code.

For example, the integrity of a copy of LETUS-123 could be verified by
any user with this scheme. This would provide strong proof of the
software's origin and that it had not been modified. If the LETUS-123
had any flaws or virus within it, it would be traceable to the
originating software house.

In the ongoing discussion in this forum I have noticed several
misconceptions about cryptography.

>.................... a simple virus like Brain will spread regard-
>less of program encryption, because it attaches to code that could be
>stored encrypted.

First, cryptography is not just encryption. Cryptography is a mechanism
to provide many "security services" that include - confidentiality,
integrity, peer entity authentication, and data origin authentication
(see ISO 7498-2).

Contrary to the following comment, any mechanism for a cryptographic
protection mechanism must be based on standards.

>Such an encryption system would only be useful if it were not
>standard.
>If it became standard, or at least widely distributed,
>viruses would work their way around it .....

To support the development of real cryptographic devices, standards
must be available to ensure interoperability. The issues of a virus
working their way around an implementation are not relevant to the
development of the standards. Only the local implementation of a
verification mechanism must be concerned with these issues.

Standards already exist that could be used for these mechanisms.
Considerable work is available as a foundation from ISO (DIS 9594-8),
ECMA (TR/46), FIPS, ANSI, CCITT, and IEEE (802.10). The challenge at
hand is then to integrate these existing mechanisms into a complete
system solution.

I would strongly recommend as a start for the notarization system the
ISO DIS 9594-8 specification, in combination with RSA, and a DES MAC.

Paul A. Lambert | Motorola GEG | Secure Network Section | | 8201 E. McDowell | Scottsdale, Az. 85252 | docmaster.arpa | (602) 441-3646 |

------------------------------

Date:    Tue, 7 Mar 89 00:03 EST
From:
Subject: re: Macs with wills of their own...

John,

You recently asked in the Virus mailing list about Macs throwing
things in the trashcan on their own.

Farralon Computing (sp?) now has available a product called "Timbuktu"
for networked Macs. This lets a user on one Mac watch and/or
manipulate any other Mac on the network that is also running Timbuktu.

It is a godsend for Mac network managers who have to clean up after
people who leave things in disarray, particularly when the Macs are in
several buildings. It is a disaster when the users start using it on
their own. Passwords are optional.

Your reporter may have seen this in use without being aware of it.

Selden E. Ball, Jr.
(Wilson Lab's network and system manager)

Cornell University                 Voice: +1-607-255-0688
Laboratory of Nuclear Studies        FAX: +1-607-255-8062
Wilson Synchrotron Lab            BITNET: SYSTEM@CRNLNS
Judd Falls & Dryden Road        Internet: SYSTEM@LNS61.TN.CORNELL.EDU
Ithaca, NY, USA  14853       HEPnet/SPAN: LNS61::SYSTEM = 44283::SYSTEM

------------------------------

Date:    Tue, 7 Mar 89 01:42 EST
From:    "Mark H. Anbinder"
Subject: Re: Macs with wills of their own

Your description of the Macintosh cursor picking up files and dragging
them to the trash with no user action sounds like Timbuktu may be
involved. Timbuktu is a program that allows a user on one Macintosh
to control ANOTHER Macintosh across a network. If, when this is
happening, there is a small "hand" icon in the upper right hand corner
of the screen (in the menu bar) then it IS Timbuktu, and someone else
on the network is playing a stupid joke.

If not, you may have stumbled across an interesting problem. Any
chance someone set up a macro that the users are playing back without
realizing they're doing it?

Mark H. Anbinder
Department of Media Services
Cornell University

------------------------------

Date:    7-MAR-1989 15:43:42 GMT
From:    Jason Brown
Subject: PC Bouncing Ball virus (or is it?!)

I remember a program like this, only it wasn't a virus. (Note that I'm
not saying that *this* one isn't a virus!).

When the program was run, a smiley face would start bouncing around
the screen, rebounding off any text that was displayed. When the
screen scrolled, sometimes the face would get stuck between a bunch of
letters. By pressing various combinations of keys you could increase
or decrease the number of faces. If you got rid of all of the faces,
they would come back after a period of activity (about half an hour, I
think). I seem to remember that it was supposed to survive a warm
reboot, but I can't be certain.

This was all a fair while ago. I think the program was called
FACE.COM, or something similar.
It either came with a small document file describing the various keys
used, or it printed them up when the program was run. Sorry I can't
be more precise. I still have a copy of the program, but it is at
home. If you are still interested, I can check up when I go back in a
couple of weeks for Easter.

If this is the program you are experiencing, then there is no need to
worry - it is not a virus. Turning the machine off will get rid of
it. (Check the AUTOEXEC.BAT file to check that it is not loaded when
the machine is booted).

-NOTE- The program described in this message may not be the one you
are experiencing. Do not relax your security measures.

-- Jason --

+------------------------------------------------------------------------+
|Jason Brown                                                             |
| JANET           : BrownJS@uk.ac.aston.vaxb                             |
| BITNET/EARN     : BrownJS@vaxb.aston.ac.uk                             |
| Internet/ARPAnet: BrownJS%vaxb.aston.ac.uk@cunyvm.cuny.edu             |
| EAN/X400        : BrownJS@vaxb.aston.ac.uk                             |
| uucp            : ...psuvax1!cunyvm.bitnet!vaxb.aston.ac.uk!BrownJS    |
+------------------------------------------------------------------------+

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
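
Added example, not part of the original digest or of any poster's message: a sketch of the hierarchical notarization described in the "notarizing" message, where a root authority certifies a software house's key and the house seals a program. Assumptions: textbook RSA with toy Mersenne-prime keys, SHA-256 standing in for the hash or MAC, and constructed names and bytes; it does not implement ISO DIS 9594-8 or a DES MAC.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy: no padding, not for real use)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    # SHA-256 is a modern stand-in for the hash; reduced mod n for the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def encode(name, pub):
    return f"{name}|{pub['n']}|{pub['e']}".encode()

def certify(issuer, issuer_key, subject, subject_pub):
    """An authority notarizes a subordinate authority's public key."""
    return {"issuer": issuer, "subject": subject, "pub": subject_pub,
            "sig": sign(issuer_key, encode(subject, subject_pub))}

def check_notarized(data, seal, chain, trusted_roots):
    """Return the name of the notarizing authority, or None if anything fails."""
    if not chain:
        return None
    name, pub = chain[0]["issuer"], trusted_roots.get(chain[0]["issuer"])
    for cert in chain:  # walk from the trusted root down to the software house
        if pub is None or cert["issuer"] != name:
            return None
        if not verify(pub, encode(cert["subject"], cert["pub"]), cert["sig"]):
            return None
        name, pub = cert["subject"], cert["pub"]
    return name if verify(pub, data, seal) else None

def build_demo():
    """Constructed sample: a root authority, one software house, one program."""
    root = make_key(2**89 - 1, 2**107 - 1)    # Mersenne primes, toy size
    house = make_key(2**61 - 1, 2**127 - 1)
    pub = lambda k: {"n": k["n"], "e": k["e"]}
    chain = [certify("Root CA", root, "LETUS house", pub(house))]
    program = b"LETUS-123 program image (constructed bytes)"
    return program, sign(house, program), chain, {"Root CA": pub(root)}, house

if __name__ == "__main__":
    program, seal, chain, roots, house = build_demo()
    print(check_notarized(program, seal, chain, roots))            # origin traced
    print(check_notarized(program + b"\x90", seal, chain, roots))  # modified copy
```

A program that was already infected when the house sealed it still verifies and still names the house, which is the traceability property the message describes, not prevention.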