VIRUS-L Digest             Tuesday, 21 Mar 1989         Volume 2 : Issue 68

Today's Topics:

proposed comp.virus newsgroup
Viruses and Media
nVIR without execution of code? (Mac)
POSSIBLE TROJAN HORSE (Mac)
Virus Writer Obituary

---------------------------------------------------------------------------

From: David.J.Ferbrache
Date: Mon, 20 Mar 89 13:32:32 GMT
Subject: proposed comp.virus newsgroup

As I am sure those of you with access to USENET news are aware, there is currently a discussion under way concerning the formation of a new newsgroup comp.virus. Hopefully the newsgroup will be a useful addition to the virus-l mailing list (with which it will be gatewayed).

Through the creation of this newsgroup (which Jim Wright is organising), we can increase the level of knowledge of a major part of the community about the dangers of viruses and the measures we can take to control the spread of this menace.

I enclose a copy of an article I posted to news.groups, in response to a variety of initial comments to the posting. Anyone with any comments please let Jim have them at jwright@atanasoff.cs.iastate.edu, or post them to the newsgroup news.groups.

The discussion period is due to end in about a week, after which there will be a fortnight during which the usenet community will vote on the creation of the group.

Anyway, to give you a flavour of the discussions under way:

To answer a few points concerning the comp.virus discussion underway at the moment,

1. There is a need for comp.virus which misc.security cannot satisfy. The latter group is a general discussion forum ranging from Lockpicking to data integrity. Comp.Virus seeks to address one specific area of computer security, namely viruses and other self-replicating programs.
By restricting the group specifically to this topic we hope to provide a useful, informed, technical forum providing details of new virus threats; disinfection software; advice on general precautions against viruses and discussion on the social implications of computer viruses.

Computer viruses can directly affect the owners of any of the more popular PCs (IBM, Mac, Apple II, Atari ST and Commodore Amiga). To alleviate this growing problem it is vital that every owner is aware of the very real problem of viruses together with the measures s/he can take to disinfect the system. Many micro owners are interested in viruses but not in all aspects of computer security.

2. The newsgroup has the potential to help virus-l (the bitnet mailing list) reach a far larger audience, with the dual benefit of increasing the level of knowledge of the community, and (very importantly) reducing the delay between discovery of a new virus strain and its reporting to the groups active in developing disinfection software.

3. This proposal was not made in isolation. Much discussion took place beforehand. The group will be gatewayed to virus-l, it will be supported by a network of software archive sites, it will receive regular summaries for new members of known viruses, disinfection software and archive sites.

4. The problem of viruses is not machine specific. While individual virus strains and the associated anti-viral software are machine specific, there are many aspects of viruses which are not. Witness the excellent series of articles published on the comp.sys groups dealing with the operational principles of viruses, and the associated discussion on the ethics of releasing such information (also the discussion that ensued when I posted my original request for information on viruses). Low level DOS viruses do share much in common between the IBM, Atari, Amiga and Apple. Techniques that operate on one machine can be adapted for the others.

In summary, much thought has gone into this proposal. There is both a need and a demand for this group (as I hope the vote will show). A news group will bring timely information on new viruses to the whole community, and hopefully help us to reduce the threat.

Thanks for your time.

- ----------------------------------------------------------------------------
Dave Ferbrache                            Personal mail to:
Dept of computer science                  Internet
Heriot-Watt University                    Janet
79 Grassmarket                            UUCP     ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ                     Tel      (UK) 031-225-6465 ext 553

------------------------------

Date: 20 March 1989, 14:26:47 CDT
From: Nicholas Geovanis 312-996-0590 UWC6NTG at UICVMC
Subject: Viruses and Media

Dimitris Vulis correctly attacks the media for inadequate and misinformed virus reporting. I'm not trying to stray from the subject of this list, but I'd like to mention that, after reading a recent U.S. News and World Report, I was shocked by the low quality of the reporting and the mindless over-simplification of issues and events. This is not a problem confined to their reporting of technical issues.

If factual reporting of international events is beyond their desire or capability, then it's no wonder that they stumble over technology. Unfortunately, since technology plays an increasingly important role in American society, our citizens are destined to be uninformed and misinformed here also.

NickGeovanis-SysProg-AdminCompCtr
UnivIllinois-Chicago
UWC6NTG at UICVMC

------------------------------

From: Mitchell Perilstein
Date: Mon, 20 Mar 89 15:46:37 EST
Subject: nVIR without execution of code? (Mac)

In reference to Anders Christensen's message about witnessing an nVIR infection by inserting an infected floppy to a clean machine and immediately removing it, I would like to add two thoughts.

One is that the nVIR source code was widely posted to European bulletin boards, so a new strain that patched a system to respond to DiskInsert events wouldn't be unreasonable.

Second, it may be possible Apple distributed some nVIR by accident. My friend's new SE recently was infected with the nVIR virus, and we are fairly certain it was introduced to the machine via the "Teach Text" application on the System Tools diskette packaged with the machine. The diskette was used to format the SE's new drive, then it was put away and never again touched. Later, when nVIR was found, all my friend's floppies were examined, and the Tools disk, still locked, had the normal nVIR strain in that one application.

I emailed to someone at Apple a question about the possibility of this happening, complete with disk serial numbers. They replied that they had done some checking and found nothing, and suggested I see if the machine's dealer had possibly used the diskettes. I trust Apple on this -- their business depends upon it.

Mitchell N. Perilstein
usenet: {decvax,sun}!cwjcc!alpha!mitch
arpa: mitch@alpha.ces.CWRU.edu

------------------------------

Date: Mon, 20 Mar 89 12:05:31 PST
From: rogers@cod.nosc.mil (Rollo D. Rogers)
Subject: POSSIBLE TROJAN HORSE (Mac)

Date: 19 Mar 89 01:21:46 GMT
From: bmug@garnet.berkeley.edu (BMUG)
Newsgroups: comp.sys.mac
Subject: Trojan Horse Warning

WARNING: We have discovered the existence of a "Trojan Horse" in a bogus upgrade to Anti-Toxin, a virus-detecting INIT from Mainstay. The INIT, labelled as version 2.0 in the Get Info box, attempts to format your disk and rename it "Scored!".

A couple variations of this INIT have been reported. The one we have seen has a size of 2,276 bytes, created Fri, Jan 13, 1989, 3:05PM, and modified Mon, Mar 6, 1989, 12:03AM.

A quick inspection of the disassembled code of the INIT indicates that it does nothing until the clock time on your mac is after Mar 13, 1989, 5:20PM. The perpetrator obviously wanted the Trojan Horse to lie dormant for a few days, giving it a chance to spread to more users.

Although I believe Anti-Toxin is a commercial product, this bogus version has apparently been uploaded to several bulletin boards. Watch out!

 /\      BMUG                       ARPA: bmug@garnet.berkeley.EDU
A__A     1442A Walnut St., #62      BITNET: bmug@ucbgarnet
|()|     Berkeley, CA 94709
|  |     (415) 549-2684
|  |
- -------  - -------

------------------------------

Date: MON MAR 20, 1989 21.48.07 EST
From: "David A. Bader"
Subject: Virus Writer Obituary

Copied from the Globe-Times (Bethlehem, Pa), March 17, 1989:

Jim Hauser, 39, made first computer virus

SAN LUIS OBISPO, Calif. (AP) - Jim Hauser, who took credit for creating the first computer virus, was found dead Tuesday at age 39.

Deputy Coroner Ray Connelly said Hauser died following an aneurysm of the brain suffered Sunday night or Monday morning.

Hauser said he and one of his students developed the first computer virus in 1982 for the Apple ][ computer, designing it to give users a "guided tour" of the computer's internal programming.

Although his program was harmless, he saw the potentially destructive capability of what he also called an "electric hitchhiker" that could attach itself to computer programs.

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253