VIRUS-L Digest   Tuesday, 23 Jan 1990    Volume 3 : Issue 19

Today's Topics:

UNCONFIRMED Virus on VAX (VAX/VMS)
Re: theoretical virus scanning
Re: Internet worm writer to go to trial Jan 16th. (Internet)
BITFTP files also on SIMTEL20
Requests/Questions (PC)
The universal virus scanner
Eradicat'Em 1.0. Is it safe?? (Mac)
WDEF infection (Mac)
Warning of WDEF A Infection... (Mac)
WDEF A infection followup (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

 - Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 22 Jan 90 10:16:00 -0400
From:    The Man with the Plan
Subject: UNCONFIRMED Virus on VAX (VAX/VMS)

>From: IN%"UMNEWS@MAINE.BITNET" "Vax discussion" 21-JAN-1990 23:11:59.77
>Subj: Virus on VAX
>From: 7811100@TWNCTU01.BITNET
>
> Hi!
> Does anyone have an idea about VAX Virus? Or interested in
> it? I think the most difficult point is how to spread it
> out. So if someone has any bright idea, contact me.
> James Huang

Here is a message from UMNews's Vax discussion list.  I thought the
list should know about this.  The node is Taiwanese.

------------------------------

Date: 22 Jan 90 00:00:00 +0000
From: "David.M..Chess"
Subject: Re: theoretical virus scanning

kelly@uts.amdahl.com (Kelly Goen) writes:

> All proofs aside on a practical level...
> it is possible with memory
> protection architectures to defend totally (well at least 99% of the
> time) against intrusion by infectious processes...I speak from
> REAL-LIFE experience here...

But when you speak from "REAL-LIFE experience", all you can talk about
is experience with the viruses that have been written so far, yes?
The viruses we've seen so far are, compared to what's possible,
awfully simple.  I'd suggest being a tad less confident, myself!
Surely you can think of a virus or worm that could sneak past your
defenses?

(As an aside, I'm not sure I understand the reference to "memory
protection architectures"; even the current virus technology doesn't
have to rely on unprotected *memory* (although some viruses do).  The
thing that would help most against the current sorts of viruses, it
seems to me, is better file-access-control.  Of course, to implement
that reliably, you do need memory protection, but memory protection by
itself doesn't buy you much, anti-virus wise.)

On the other hand, I do agree that the theoretical proof is of limited
interest.  It shows that you can't detect viruses with 100% accuracy.
But the interesting question is "can we detect them with -acceptable-
accuracy, and if so, how much will it cost?"

DC

------------------------------

Date: 23 Jan 90 17:28:23 +0000
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: Re: Internet worm writer to go to trial Jan 16th. (Internet)

Sigh.  I mistyped.  My apologies.

spaf@cs.purdue.edu (Gene Spafford) writes:
>A jury of his peers would be 12 careless hackers with little concern
>for other people's ownership of their machines and software.  (Okay,
>so we can have a jury of OSF hackers. :-)

I meant FSF, not OSF.  Repeat after me,
   OSF is not FSF
   OSF is not FSF

BTW, at 9:30 pm last night the jury returned a guilty verdict against
young Mr. Morris.  The sentencing hearing is Feb. 27.  Federal
sentencing guidelines would dictate a mandatory jail sentence of (as I
remember) 12 months.
The judge in the case has a reputation of going light on "white-collar"
crime sentencing, however, and I suspect we will see a fine, probation,
and a suspended sentence.

- --
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu   uucp:  ...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date: Mon, 22 Jan 90 14:52:24 -0500
From: Peter Jones
Subject: BITFTP files also on SIMTEL20

On Fri, 19 Jan 90 15:38:07 EST The Moderator Kenneth R. van Wyk said:
>VIRUS-L Digest   Friday, 19 Jan 1990    Volume 3 : Issue 16
>BitNet *can* FTP now.....
>Internet Worm Trial
>------------------------------
>
>Date:    Fri, 19 Jan 90 10:28:53 -0600
>From:    James Ford
>Subject: New files (PC)
>
>The following files have been added to MIBSRV.MIB.ENG.UA.EDU
>(130.160.20.80):
[text deleted]
>
>James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
>            University of Alabama in Tuscaloosa.

The same files are available from SIMTEL20.

Peter Jones  MAINT@UQAM  (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

Date: Tue, 23 Jan 90 00:21:04 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Requests/Questions (PC)

Nothing important this time...just a few virus-related items.

1) I found this text inside the W13 virus.  Can anybody translate it?
   Please send the translation to me (frisk@rhi.hi.is), not to the list.

      Program typu COM nie robiący absolutnie nic. Jego przeznaczeniem
      jest; wystawianie się na wabia wirusom.

   [In English: A COM-type program that does absolutely nothing.  Its
   purpose is to put itself out as a decoy for viruses.]

2) The "Palette" virus has been reported to be 1538 bytes long.  Can
   anybody confirm that?  The reported identification string matches my
   copy of "Zero Bug" which has an infective length of 1536 bytes.
   Either we have two variants or the "1538" may just be an error.
   Besides - 1536 is a much nicer number - it turns out as 11000000000
   in binary.... :-)

3) I have found two (very minor) bugs in my F-PROT package - one
   program does not display a start-up message and another may display
   a help message in Icelandic instead of English.  I will correct this
   in the next release.

4) And yes, if Roy Silvernail happens to read this - could you please
   E-Mail me again - I lost your original message before I could reply.

- -frisk

------------------------------

Date: Tue, 23 Jan 90 10:25:04 +0000
From: "Dr. A. Wood"
Subject: The universal virus scanner

A contribution to the universal virus scanner controversy.

On 17 Jan 90 15:07:00 +0700, T762102@DM0LRZ01.BITNET wrote:

  "Construct the program Q thus:

      program Q;
      begin
        if is_a_virus(Q) then (* do nothing *)
        else infect_other_programs;
      end."

On 19 Jan 90 19:56:06 -0400, GEORGE SVETLICHNY wrote:

  "The same type of informal proof can be used to show the impossibility
  of an algorithm to say if a program will stop or not.  Write the program

      program R;
      begin
        if will_stop(R) then repeat while TRUE
        else exit;
      end

  A very simple argument and very powerful."

These are versions of the ancient paradox which comes in various forms:
  (1) Statement (1) is untrue.
  (2) Jack said "Everything I say is a lie."
  (3) The set of all (sets which are not members of themselves): is it
      a member of itself?

What will probably happen will be that program Q or R will
  # examine itself by going through all its code, including the
    instruction to examine itself - repeat from # forever.
Probably both Q and R will get into infinite recursion when used to
examine themselves, but may well behave correctly when examining
ordinary programs which are not themselves program-checkers.  When
examining themselves, Q and R yield neither YES nor NO, but simply
crash.

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 23 Jan 90 09:36:12 GMT

------------------------------

Date: Tue, 23 Jan 90 14:20:36 +0000
From: gphg1125@uxa.cso.uiuc.edu (Glenn P Hoetker)
Subject: Eradicat'Em 1.0. Is it safe?? (Mac)

I remember, dimly, seeing warnings right after WDEF surfaced about the
Eradicat'Em Init, mainly that it was unstable.  Now that I have that
init and am responsible for protecting two public Macs, I can't find
those articles, of course.  So, with apologies for bringing it up again,
is Eradicat'Em 1.0 a safe, stable, and effective way to combat WDEF?
Please e-mail versus cluttering the board with old news.

Thank you much in advance.

Glenn Hoetker (g-hoetker@uiuc.edu)
Macintosh Resource Person
GSLIS/LRL
University of Illinois

- --
Glenn Hoetker
University of Illinois, Graduate School of Library and Information Science
g-hoetker@uiuc.edu -or- ghoetker@UIUCVMD

------------------------------

Date: Tue, 23 Jan 90 11:20:00 -0600
From: Ken De Cruyenaere 204-474-8340
Subject: WDEF infection (Mac)

Reports of WDEF infections on our campus are coming in.
Gatekeeper Aid is being used to fight it.

- ---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA  (204)474-8340

------------------------------

Date: Sat, 20 Jan 90 23:37:37 -0500
From: dmg@lid.mitre.org (David Gursky)
Subject: Warning of WDEF A Infection... (Mac)

[Ed. From VALERT-L - see related message (below).]

There is a new Macintosh application coming on the market now, called
Grammatik.  I understand from a friend of mine who works at a local
outlet of Egghead Software that the copies they received have been
infected with WDEF A.  I have not confirmed this myself, but I have the
utmost faith in Andy's ability and believe the report to be accurate.

By the same token, neither Andy nor I believe this is a deliberate
attempt by the publishers of Grammatik to infect computers, but simply
an error.
If you buy or have bought a copy of Grammatik, use Disinfectant, SAM, or
any of a number of known applications that can remove WDEF, on the
Master Disk to sanitize the disk.

Andy's original message has been forwarded to Virus-L.  Any information
in it supersedes what I have written here, from memory.

David Gursky

------------------------------

Date: Fri, 19 Jan 90 17:35:38 -0500
From: dmg@lid.mitre.org (David Gursky)
Subject: WDEF A infection followup (Mac)

Given all the messages regarding shrink-wrapped viruses, I thought the
following message would be of interest to readers:

[From the Twilight Clone BBS in Washington DC.]

From: ANDREW SOLMSSEN         Sent: 01-18-90 23:37
To:   PAUL COZZA              Rcvd: -NO-
Re:   SHRINKWRAPPED VIRUSES

Paul, this might interest you: The first shipment of a new package for
the Mac, Grammatik Mac, that we received at Egghead last week was
infected with WDEF A.  SAM 1.4 had no trouble in identifying and
eradicating the infection.  I did not get a chance to try Intercept,
but the Clinic performed admirably.  Thought the notion of shrinkwrapped
viruses might interest you.

[End of Twilight Clone message.]

Needless to say, this type of infection would be immune to the type of
protection scheme I suggested several days ago.  Also needless to say,
this type of infection would be immune to the counter-proposals had it
occurred two months ago, before WDEF was isolated.  Also, this type of
infection would be immune to the type of proposal Bill Murray made
several days ago.

In short, there is no single solution to the problem of shrink-wrapped
viruses, no "magic bullet".  Until systems are introduced that are
explicitly user hostile to viruses (and those systems may be a long way
off), (1) the problem of shrink-wrapped viruses is here and here to stay
and (2) the procedures needed to combat it are time-consuming and
expensive.  If you cut corners, you increase the risk of spreading a
virus through shrink-wrapped software.
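As an added illustration, not part of the digest, of the self-referential program Q quoted in Dr. A. Wood's "The universal virus scanner" message above: a small Python model in which "spreading" is only a returned string and nothing touches files. The detector names, the blocklist entries and the helper functions are constructed for this example. It shows the two outcomes the thread argues about: any detector that answers without running Q is wrong about Q, whichever answer it gives, and a detector that decides by running the program recurses until it crashes when pointed at Q, while still answering correctly for ordinary programs.

```python
"""Toy model of the self-referential program Q from the 'universal
virus scanner' thread.  A program is a zero-argument callable that
returns "spreads" or "benign"; a detector takes a program and returns
True when it judges the program to be a virus.  No real infection
happens anywhere: the behaviour is only a returned string."""
from typing import Callable

Program = Callable[[], str]
Detector = Callable[[Program], bool]


def make_q(detector: Detector) -> Program:
    """Build Q for a given detector: Q asks the detector about itself
    and then does the opposite of whatever the detector predicted."""
    def q() -> str:
        if detector(q):        # detector says "virus" -> Q stays harmless
            return "benign"
        return "spreads"       # detector says "clean" -> Q would spread
    return q


def detector_is_wrong_on_q(detector: Detector) -> bool:
    """True when the detector's verdict on its own Q contradicts what Q
    actually does.  Only for detectors that answer without running the
    program; a simulating detector would never return here."""
    q = make_q(detector)
    verdict = detector(q)
    actually_spreads = (q() == "spreads")
    return verdict != actually_spreads


# Three detectors that return a verdict without executing the program.
def always_virus(program: Program) -> bool:
    return True


def always_clean(program: Program) -> bool:
    return False


KNOWN_VIRUS_NAMES = {"w13_sample", "zero_bug_sample"}   # constructed names


def signature_detector(program: Program) -> bool:
    """Signature-style detector: a lookup against a constructed blocklist."""
    return program.__name__ in KNOWN_VIRUS_NAMES


# A detector that decides by running the program, the way Wood imagines
# Q or R "examining" itself by going through its own instructions.
def simulating_detector(program: Program) -> bool:
    return program() == "spreads"


def simulating_detector_crashes_on_q() -> bool:
    """Q built on the simulating detector calls the detector, which runs
    Q, which calls the detector, ... until Python's recursion limit trips.
    That is the 'neither YES nor NO, but simply crash' outcome."""
    q = make_q(simulating_detector)
    try:
        simulating_detector(q)
    except RecursionError:
        return True
    return False


def run_demo() -> dict:
    """Collect the outcome for every detector above; all values are True."""
    return {
        "always_virus_wrong_on_q": detector_is_wrong_on_q(always_virus),
        "always_clean_wrong_on_q": detector_is_wrong_on_q(always_clean),
        "signature_wrong_on_q": detector_is_wrong_on_q(signature_detector),
        # The simulating detector is fine on programs that do not consult it ...
        "simulating_ok_on_plain_programs": (
            simulating_detector(lambda: "spreads") is True
            and simulating_detector(lambda: "benign") is False
        ),
        # ... and crashes on Q instead of answering.
        "simulating_crashes_on_q": simulating_detector_crashes_on_q(),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one Chess raises in the same issue: the diagonal construction rules out a detector that is right about every program, but it says nothing about how well a detector does on the programs that do not consult it, which is where the practical question of acceptable accuracy lives.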
------------------------------

End of VIRUS-L Digest
*********************