VIRUS-L Digest   Friday, 29 Jun 1990    Volume 3 : Issue 118

Today's Topics:

I'm bummed. (re BITFTP access to Scandinavia)
query - virus software licensing
The Worm That Turned
Warning - Jerusalem B from mail-order company. (PC)
Mainframe attacks
F-FCHK.ZIP update (PC)
Hacking
Virus on Startup Screen? (MAC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Wed, 27 Jun 90 17:07:32
From:    (Steven W. Smith)
Subject: I'm bummed. (re BITFTP access to Scandinavia)

Hello, all.  After seeing the following:

> From: hv@uwasa.fi (Harri Valkama LAKE)
> Subject: fprot111.zip (PC)
>
> Fridrik Skulason has uploaded his latest version of F-PROT (heavy
> package of virus protection utils) to chyde.uwasa.fi (128.214.12.3)

I tried to access chyde.uwasa.fi via BITFTP@PUCC.BITNET and received
not fprot111.zip, but:

> 19:50:36 > FTP chyde.uwasa.fi UUENCODE
> 19:50:36 > USER anonymous
> 19:50:36 >>>> Access to the Scandinavian nodes has been
> 19:50:36 >>>> discontinued, due to the slowness
> 19:50:36 >>>> and unreliability of the network connections.
> 19:50:36 >>>> Please try to confine your BITFTP requests
> 19:50:37 >>>> to North American nodes.  Thank you.

Any suggestions?  Maybe a North American site with fprot111.zip,
although I'd prefer an alternative to BITFTP (short of going Unix,
that is)...
Many thanks

       _,_/|
       \o.O;    Steven W. Smith, Programmer/Analyst
       =(___)=  Glendale Community College, Glendale Az. USA
          U     SMITH_S@GC.BITNET

------------------------------

Date:    27 Jun 90 14:30:22 +0000
From:    jon@gpu.utcs.utoronto.ca (Jon Alexander)
Subject: query - virus software licensing

In the Macintosh world, we have available a number of anti-virus
software utilities that are free or minimal in cost (e.g. Disinfectant,
GateKeeper programs).  In the PC-DOS and compatible world, we have found
no such software.  (Note: we have downloaded a copy of F-PROT, but we
have no experience with it, and we've seen very little discussion of
it, up to now).

We are currently looking at several options, including a SITE LICENCE
for the McAfee suite of anti-virus tools.

To all readers: Does your organization have any experience with
site-licensing PC anti-virus software?  Specifically, we are wondering
how much hassle sites have encountered with administering this kind of
licence.

Jon Alexander
University of Toronto Computing Services
Toronto, Ontario, CANADA
PHONE: +1-416-978-6230
E-MAIL: jon@utcs.utoronto.ca

------------------------------

Date:    Thu, 28 Jun 90 12:12:37 +0100
From:    LBA002@PRIME-A.TEES-POLY.AC.UK
Subject: The Worm That Turned

Article in the UK magazine Personal Computer World, July 1990,
p.202-206: "The Worm That Turned" by Ian Witten and Harold Thimbleby.

Describes how they have utilised the same mechanism that a virus employs
to spread itself to create databases that automatically update
themselves.  They call their software "liveware."

Some definitions:

Liveware - a hypertext (or other) database that updates itself
   automatically whenever the occasion arises.

Enliven - to inoculate a person's computer with a Liveware.

Information owner - an owner of one or more cards in the database, and
   the only person permitted to change them.

Database owner - the person responsible for the Liveware database as a
   whole.  They are not empowered to alter information belonging to
   others.
Signature - a code identifying an owner, including their full name and
   perhaps an encrypted secret password that only they can generate.

Livestamp - the Liveware information recorded on each card; signature
   information and time stamp.

Merge - the joining of two Liveware databases together so that both
   contain the most recent information.

Thimbleby works at Stirling University, Scotland.  Witten is with the
Department of Computer Science, University of Calgary, Canada.

Rgds,
Iain Noble
Teesside Polytechnic Library, UK
- -----------------------------------------------------------------------------
Iain Noble                                    |
LBA002@pa.tp.ac.uk                            | Post: Main Site Library,
JANET: LBA002@uk.ac.tp.pa                     |       Teesside Polytechnic,
EARN/BITNET: LBA002%pa.tp.ac.uk@UKACRL        |       Middlesbrough,
INTERNET: LBA002%pa.tp.ac.uk@cunyvm.cuny.edu  |       Cleveland, UK, TS1 3BA
UUCP: LBA002%tp-pa.ac.uk@ukc.uucp             | Phone: +44 642 218121 x 4371
- -----------------------------------------------------------------------------

------------------------------

Date:    Thu, 28 Jun 90 02:50:00 -0400
From:    ajpoulias@miavx1.acs.muohio.edu
Subject: Warning - Jerusalem B from mail-order company. (PC)

I'm new to this group, but I thought I'd put the word out so others
don't get their computers infected.

I recently bought an I/O - floppy drive controller card (SUPER MULTI
I/O) from Jems Computers in San Jose, California.  Along with it came a
floppy with the setup programs for the clock/cal.  It turns out that it
was infected with the Jerusalem-B virus.  Unfortunately, I didn't find
out until it had infected about 40% of my .EXE and .COM files.  I called
them and they said that the disk came with the card from the
manufacturer.  I would be VERY careful with any software that comes
from there...mind you I'm not saying not to buy from there (the card and
the 1.44M drive I received are excellent) but just check out the
software extra carefully.

We now return you to the regularly scheduled programming.
*******************************************************************************
A. Poulias   *"And you run and you run to catch up with the sun, but it's sinking
MIAMI U.     * And racing around to come up behind you again
Oxford, OH   * The sun is the same in the relative way, but you're older
             * Shorter of breath and one day closer to death
**************             - Pink Floyd, Time - The Dark Side of the Moon
AJPOULIAS@MIAVX1.BITNET * AP38PHYW@MIAMIU.BITNET
*******************************************************************************

B-T-W, I was able to remove the virus with CLEANUP from McAfee
Associates.  If anyone from there is reading this, my registration is
on the way.

------------------------------

Date:    Thu, 28 Jun 90 14:17:05 -0500
From:    m19940@mwvm.mitre.org (Emily H. Lonsford)
Subject: Mainframe attacks

Chuck Hoffman of GTE Laboratories, Inc., writes:

"That also was about two years before the time that the Security group
at SHARE formed, which developed the specifications for the product
which became ACF2 in 1978.  Simultaneously, IBM was secretly developing
RACF."

My recollection is that RACF came before ACF2.  David Chess can probably
clarify the exact date.  Barry Schrager of SKK (the original developers
of ACF2) was a member of the SHARE committee that wrote the first
security white paper, on what an access control system should do.
IBM's response, RACF, fell far short of the mark - for one thing, in
early releases it protected BY EXCEPTION rather than BY DEFAULT.  SKK
decided they could do a better job, and went off and wrote ACF2 on
London Life's computer in Toronto.  I did a survey of the two packages
in the 78-79 time frame and ended up choosing ACF2 for my employer, an
energy company.

"it became much more difficult for hackers who were not in the systems
programming groups to make significant intrusions into MVS systems."

I think you meant to say that it requires knowledge of MVS.
True, the controls are there with ACF2, RACF and TopSecret to prevent
non-sysprogs from hacking into MVS.  But how _well_ are they
implemented?  All it takes is one privileged ID with a trivial
password, or one unprotected APF library, installation ID with the
default password, etc. etc.  And you have to be cautious about the
sysprogs.  They have the knowledge and the power to do lots of damage,
just by accident.

"Computer Associates is in the process of raising the rating of ACF2
and Top Secret from C2 to B1."

Is that what CA is telling you?  I just looked in my April 1990
"Information Systems Security Products and Services Catalog", a
government publication, and CA is not in the list of vendors in the
evaluation process.  The process normally takes at least 2 years.
Interestingly enough, IBM _is_ listed in the evaluation process for
MVS-ESA/RACF, aiming at a B level evaluation.  Currently MVS/XA with
RACF, ACF2 or TopSecret is rated at C2.  You might want to get a copy
of the catalog from your local GPO Bookstore.  It has some interesting
information in it about lots of security products.

And just because the OS is evaluated at B1 doesn't mean _in your
implementation_ that it's B1 secure.  For one thing, any OS
modifications (SVCs, exits, etc.) invalidate the rating.  Can you
imagine MVS without add-ons?

"On Digital VAXs, the VMS system technically is C2, but in my opinion
the architecture is so cumbersome that systems managers have some
justification when they say that you need system privileges all the
time just to do a job.  Yes, it's C2, but so many people end up with
privileges that it hardly matters."

I agree that it's difficult to manage the privileges on VAX/VMS.  But
at least DEC included C2 level protection in the OS, rather than making
the user buy an ADD-ON package to get security.  Let's face it: without
ACF2, RACF or TopSecret, "MVS security" is an oxymoron.
To me, the worst problem is with UNIX's root account; there it's all or
nothing when it comes to privileges.  There's no such thing as
"separation of duties."  And so far the "more secure" versions of UNIX
really haven't addressed that.

As always, my opinions are my own, not necessarily those of my
employer.

* Emily H. Lonsford
* MITRE - Houston W123 (713) 333-0922

------------------------------

Date:    Thu, 28 Jun 90 13:05:25 -0500
From:    James Ford
Subject: F-FCHK.ZIP update (PC)

An update to FProtect's F-FCHK has been added to MIBSRV.MIB.ENG.UA.EDU
(130.160.20.80) in the directory pub/ibm-antivirus.  (again, thanks to
Jim Wright).

FPROT110.ZIP  - Original ZIP file of FProtect
F-FCHK.ZIP    - one file (f-fchk.exe)
FPROT110A.ZIP - FProtect package with updated F-FCHK.EXE file.  Note
                that the name is *not* standard DOS (9 characters
                instead of 8).

(I don't think this will be a problem but if it is, then let me
know..JF)

- ----------
Life is what goes by while you are watching television.
- ----------
James Ford - JFORD@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)

------------------------------

Date:    29 Jun 90 12:21:22 +0100
From:    P.A.Taylor@edinburgh.ac.uk
Subject: Hacking

Hi,

I'm a PhD student doing a thesis on the phenomenon of hacking and
viruses.  I'd really appreciate any information that people come across
that might be of use to me, especially stuff from "The Whole Earth
Review" and "2600" which I'm having difficulty getting access to here
in the U.K..  Please E-mail me or my postal address is,

The Politics Dept.,
31 Buccleuch Place,
Edinburgh,
EH8 9JT.

Thanks very much in advance,
Paul A. Taylor.

------------------------------

Date:    Thu, 28 Jun 90 16:48:11 -0400
From:    barnett@unclejack.crd.ge.com (Bruce Barnett)
Subject: Virus on Startup Screen? (MAC)

We have been having problems with MacIIci and Microsoft mail.  I
suspect a new type of virus.
The Mac crashes when clicking "SETUP" in the chooser when selecting a
mail server.  The Mac also crashes when opening the Microsoft Mail DA.

I have replaced the entire system folder, and re-installed TOPS, etc.
If I put back the start-up screen in the system folder, Microsoft Mail
crashes.  (System error 12, or the screen freezes.)  When I move the
start-up screen to a new place and restart the Mac, everything works
fine.  This is repeatable.  The start-up screen seems to be infected.

This problem has happened on several new Macs (all MacIIci's) in far
ends of the building.  OS 6.0.4 and 6.0.5.  But not every MacIIci
crashes.  I haven't narrowed it down to an exact combination of what
must be replaced when this crash occurs.  But replacing (not updating)
the system, re-installing TOPS and Microsoft mail, and deleting the
start-up screen seem like the best solution we have right now.

This corrupted "system" problem has been ten times harder to fix than
any virus we have seen.  We use SAM 2.0 and Disinfectant 1.8, and they
find nothing wrong with the startup screen.

Can the startup screen contain a virus?

- --
Bruce G. Barnett     barnett@crd.ge.com     uunet!crdgw1!barnett

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 118]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
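An added worked example for the Liveware definitions in Iain Noble's "The Worm That Turned" post above. It is not code from the digest and not the Witten/Thimbleby software: it models cards with an information owner, a signature, a livestamp and the merge operation, and shows why a database owner cannot alter another owner's cards. Every name, key and card below is constructed for illustration; the "encrypted secret password that only they can generate" is approximated by an HMAC-SHA256 key, the merging machine is assumed to hold every owner's verification key, and the rule that the earliest valid stamp identifies a card's owner is an assumption standing in for recording ownership at creation.

```python
"""Liveware-style merge of two card databases (added example).

Written for this page, not the Witten/Thimbleby software.  Assumptions,
all constructed: an owner's "secret password" is modelled as an HMAC-SHA256
key, the merging machine holds every known owner's key, and the cards below
are sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Livestamp:
    owner: str   # signature: the owner's full name
    tag: str     # keyed hash only the owner can produce (HMAC stands in for the password)
    time: int    # time stamp; small integers here for readability


@dataclass(frozen=True)
class Card:
    card_id: str
    text: str
    stamp: Livestamp


def _tag(owner: str, key: bytes, card_id: str, text: str, time: int) -> str:
    # Bind owner, card identity, time and contents together under the owner's key.
    msg = f"{owner}\0{card_id}\0{time}\0{text}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_card(owner: str, key: bytes, card_id: str, text: str, time: int) -> Card:
    """An information owner writes (or rewrites) a card and livestamps it."""
    return Card(card_id, text, Livestamp(owner, _tag(owner, key, card_id, text, time), time))


def valid(card: Card, keys: dict) -> bool:
    """Verify the livestamp against the key of the owner it names."""
    key = keys.get(card.stamp.owner)
    if key is None:
        return False
    expected = _tag(card.stamp.owner, key, card.card_id, card.text, card.stamp.time)
    return hmac.compare_digest(expected, card.stamp.tag)


def merge(db_a: dict, db_b: dict, keys: dict) -> dict:
    """Join two databases so the result holds the most recent version of each card.

    Only the information owner may change a card, so per card id:
      1. versions whose livestamp does not verify are dropped;
      2. the owner is taken to be whoever made the earliest valid version
         (an assumption: a real system would record the owner at creation),
         and versions by anyone else, the database owner included, are dropped;
      3. the latest remaining livestamp wins.
    The result does not depend on which database is listed first.
    """
    merged = {}
    for card_id in set(db_a) | set(db_b):
        versions = [c for c in (db_a.get(card_id), db_b.get(card_id))
                    if c is not None and valid(c, keys)]
        if not versions:
            continue
        creator = min(versions, key=lambda c: c.stamp.time).stamp.owner
        owned = [c for c in versions if c.stamp.owner == creator]
        merged[card_id] = max(owned, key=lambda c: c.stamp.time)
    return merged


# Constructed sample keys; in practice each owner holds only their own.
KEYS = {"Alice": b"alice-secret", "Bob": b"bob-secret", "Carol": b"carol-secret"}


def sample_databases():
    """Two constructed databases as they might look before a merge."""
    alice_db = {
        "c1": make_card("Alice", KEYS["Alice"], "c1", "Alice's card, revised", 10),
        "c2": make_card("Bob", KEYS["Bob"], "c2", "Bob's card, old copy", 3),
        "c3": make_card("Alice", KEYS["Alice"], "c3", "only in Alice's database", 4),
    }
    bob_db = {
        # Carol (database owner) rewrote Alice's card: validly signed, but not hers.
        "c1": make_card("Carol", KEYS["Carol"], "c1", "rewritten by the database owner", 20),
        "c2": make_card("Bob", KEYS["Bob"], "c2", "Bob's card, revised", 15),
        # A forgery: names Alice as owner but was tagged with Bob's key.
        "c4": make_card("Alice", KEYS["Bob"], "c4", "forged card", 30),
    }
    return alice_db, bob_db


if __name__ == "__main__":
    a, b = sample_databases()
    for cid, card in sorted(merge(a, b, KEYS).items()):
        print(cid, card.stamp.owner, card.stamp.time, card.text)
```

Run as a script it prints the merged cards: Alice's revision of c1 survives and Carol's rewrite is discarded, Bob's newer c2 replaces Alice's stale copy, c3 is carried over, and the forged c4 never enters the database. Two caveats worth keeping in mind: an HMAC requires the verifier to hold the owner's secret, so a database shared among many machines would want a public-key signature in the livestamp instead; and inferring the owner from the earliest stamp only works when both databases still carry an honest version of the card.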