VIRUS-L Digest Monday, 5 Feb 1990 Volume 3 : Issue 31 Today's Topics: Included privileges with programs Re: Virus Modeling Help with Using Clean! (PC) WDEF-A report (Mac) Re: The Ultimate Anti-Viral Solution? Virus detection through change detection / authorization RE:YANKEE DOODLE (PC) Viral Help (PC) F-PROT and Virus Buster (PC) WDEF on campus (Mac) Re: 4096 and 1260 Viruses (PC) Re: Universal virus detector Re: Statistical Distribution of Viruses WDEF A at the USC (Mac) AIDS Trojan - the Police charge a US Citizen Re: Gatekeeper veto: Normal behavior or virus attack? (Mac) Universal virus detectors: Once more with feeling AIDS Virus Suspect Arrested Near Cleveland, Ohio Washington Post story on Joseph Popp; FYI VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Fri, 02 Feb 90 09:56:13 -0500 From: V2002A@TEMPLEVM.BITNET Subject: Included privileges with programs Hi, Ben Smith had an idea to monitor actions taken by programs and compare those actions with what the vendor says the program needs to do in order to function. I hate to shoot this down but consider this hypothetical case: "PC-DOS V8.0" includes a security monitor with a list of privileges for "Norton Super Utilities V6". This list has "modify memory" and "write boot sector" listed for Norton. Now suppose that a virus instead of trying to modify the boot sector by itself, modifies Norton Disk Doctor to do the dirty work? The monitor program would allow the Disk Doctor full access to the boot sector and not know that it was really a corrupted Disk Doctor actually writing viral code to the boot sector instead of making repairs like the Disk Doctor normally does. My point is that even if a program is allowed to perform some action, how is the monitor supposed to know whether that action is legitimate or not? Andy Wing Senior Analyst Temple University School of Medicine ------------------------------ Date: 02 Feb 90 15:46:01 +0000 From: gnf3e@uvacs.cs.Virginia.EDU (Greg Fife) Subject: Re: Virus Modeling RWALLACE@vax1.tcd.ie writes: > As someone pointed out, a real >computer isn't a finite state machine because it includes the person >operating it A human being may or may not be a finite state machine, but the effect he he has on a computer system is merely to add a finite number of transitions to the computer. (Striking one of the finite number of keys changes the interrupt state on a PC, putting in a new disk changes many of the bits on that mass storage device). You can't model exactly which inputs the human will provide, but you can reason about behavior under any possible set of inputs. In effect, a person at a computer is running a huge finite automata through an input string consisting of his actions. Take the initial state to be one of the finite number of states which represents the introduction of the virus into the system. Mark the finite number of states which represent "infection" as final states. The question: "can infection occur" is merely the question "does this FA have a nonempty language." That question can be settled in finite time by testing the FA on every input string of length less than or equal to the number of states in the FA. Do this once for every initial "infection" state, and the result follows. :-) You may need to add a few more states to better model the input devices and the clock. >(well the whole universe has a finite number of states >but we're getting way beyond anything of practical use). Yep. Greg Fife gnf3e@virginia.edu , virginia.bitnet uunet!virginia!uvacs!gnf3e ------------------------------ Date: Fri, 02 Feb 90 12:41:00 -0400 From: Michael Greve Subject: Help with Using Clean! (PC) I tried using M-Jruslm on a .exe file. After it was finally done disinfecting the file it would no longer work. When trying to run the .exe file my machine froze. I have downloaded CLEANP57 and tried running it but have been unsucessful. I'm following the directions that come with the program but I'm still having problems. I'm typing the following: CLEAN A:\FILE.EXE [JERUSALEM B] When I try it this way I get "Sorry I don't know anything about [Jerusalem B]. When I try: CLEAN A:\FILE.EXE JERUSALEM B it comes back with the instructions again. Nothing happens. I know I'm not using this correctly. Can anybody help with the proper syntax. When it asks for the "virus name", what do I type in for Jerusalem B. Do I use the [] brackets. Do I have the correct version. I am running CLEAN 2.7V57. When I run it, I do get a message saying "This program may not be used in a business, corporation, organization, government or agency environment without a negotiated site license." I'm not sure if this is the problem or not. If I have a bad version, where could I get the correct one. I've tried getting onto Simtel but either cannot its very busy or I end up downloading unusable or corrupted files. I got this from the "130.160.20.80" list. Does anybody know of others I can use?? I'm new to all this so please bear with me. Thanks for any assistance. I really want to get rid of this virus. Michael Greve University of Pa. Wharton Computing greve@wharton.upenn.edu ------------------------------ Date: Fri, 02 Feb 90 10:11:00 -0500 From: "Anne Harwell/Technology Resources Ops. Mgr." Subject: WDEF-A report (Mac) For those of you keeping track, WDEF-A has arrived in south Texas at University of Tecas - Pan American. I had not heard of it getting this far south until yesterday, when a routine virus inspection of the Mac lab revelaed WDEF-A. The infection has been disinfected and I am sure that it will recur next week, because many of the students in the lab had infected floppies. Anne Harwell Technology Resources University of Texas Pan American AH491D@PANAM ------------------------------ Date: 02 Feb 90 19:13:16 +0000 From: vronay%castor.usc.edu@usc.edu (David Vronay) Subject: Re: The Ultimate Anti-Viral Solution? Well, the idea of programs containing descriptions of their own activity is nice, but doesn't really solve the problem. After all, all an infecting virus has to do is change these permission files. Or better yet, the virus could patch the code that did these checks so that the code would let this particular virus go through. If we think about how current virus detection programs "work", they basically do exactly what you described (only, instead of each manufacturing describing the program's behaviour, the burden is on the user). Take SAM, for instance, which can keep track of legal and illegal activities on an application-by-application basis. When it detects illegal activity, it brings up a dialog box that says "Allow" "Deny" and "Learn" (or three similar options). Clicking on "Learn" will change SAM's description of that program to allow that potentially-illegal action in the future. Now, that information is stored in SAM somewhere, where any moderately clever virus could find it and modify it. Now, let's go one one step further and pretend that Symantech made it impossible (via some yet-undiscovered hardware scheme) for SAM to be modified. Now our virus would be forced to use the following piece of pseudo-code: Step 1: Set the window-manager's port 16,000 pixels to the left Step 2: Set up dialog-box sniffer code that works at _vblank time. Step 3: Do illegal virus activity Step 4: SAM brings up its dialog box, which now appears about 16 feet off the screen due to step 1. Step 5: The dialog sniffer from step 2 "sees" the dialog and generates a mouse-down event over the "Learn" button. Step 6: SAM writes the new exception to its special harware Step 7: Restore the window-manager's port to its old position. We have now successfully infected, despite all of super-SAM's harware whatever. Let's face it. There is NO WAY WHATSOEVER to make a computer virus-proof, because there is no way that a computer can determine the true intentions of a piece of code. (which, in tern, is due to the fact that code doesn't HAVE intentions, only the programmer who wrote it has intentions, and guess what? They don't make it through the compile! :-) We should concentrate our efforts on education, not complex software solutions. After all, computer virii seem more a social problem than a technological one. - - ice ================== email replies to: iceman@applelink.apple.com DISCLAIMER: Not even I subscribe to everything I say ================== ------------------------------ Date: Fri, 02 Feb 90 14:07:03 -0500 From: "David W. Levine" Subject: Virus detection through change detection / authorization When we try to evaluate schemes for detecting and preventing the spread of viruses, it's important to remember that a virus uses those operations a user normally does to spread. If a virus only infects programs when you do something to modify an executable program, you now have to determine that the modification that was made was the one you desired. That's a correctness problem, which we know is undecidable. Determining what's executable, on modern day systems, is also a very hard problem. Any systems that have shell languages, or interpreters complicate this task immeasurably. What does a shell script look like? A text file. What does a hyper-text stack look like? While the current generation of micro-computer viruses live mostly in program images, there is no requirement that this be true in the future. We can slow down the spread of viruses through lots of different mechanisms, but each of these mechanisms reduces the utility of computers. As long as we want our computers to be general purpose machines, with lots of flexibility, the virus writers will be able to exploit a programs legitimate capabilities to spread viruses. Distinguishing between normal, legitimate, change and illicit change is a very difficult problem. - David W. Levine ------------------------------ Date: Fri, 02 Feb 90 17:07:19 +0000 From: ousama@compsci.bristol.ac.uk Subject: RE:YANKEE DOODLE (PC) Hi, A few weeks ago, I asked about info and disinfector for the Yankee doodle virus on a PC. It seems nobody knows anything about it, since I haven't got any answer, so anybody out there has any idea !! Last week, I downloaded "CLEAN UP" from Simtel, which claims to cure many strains including Yankee Doodle, But the only thing it manages to do is to offer deleting the infected file. I don't want to be rude, but what's wrong with the good old DOS ">DEL file.ext" ?. Why to bother writing code to do what DOS can do. O. FADEL - ------------------------------------------------------------------------------ Research student | JANET : ousama@uk.ac.bris.cs Computer Science Dept. | ARPANET : ousama@cs.bris.ac.uk Bristol University | BITNET : ousama%uk.ac.bris.cs@ukacrl.bitnet BRISTOL, UK | UUCP : ... !mcvax!ukc!csisles!ousama BS8 1TR | - ------------------------------------------------------------------------------ ------------------------------ Date: 02 Feb 90 20:02:02 +0000 From: James Kolasa Subject: Viral Help (PC) I've been having some problems with some PC's at the college where I teach. The evidence points to a virus. Someone from IBM ran a virus scanner on a couple PC's and got the following message: Found signature in (master boot record of drive 80) at offset 21 (15H): 1E5080FC02721780FC047312AD2750E33C08ED8A03F04A8017503E80700 A boot record of this disk may be infected with the Stoned virus. Does "Stoned virus" ring a bell with anyone. Could someone give me some backgroud info? References to past messages will be appreciated also. Thanx, jk - -- - -- James Kolasa | "Computers are so naughty, -- - -- 121 Moloney, L.C.C. | I could just pinch them" -- - -- Lexington, Ky. 40506-0235 | -The Martian -- - -- jkolasa@ms.uky.edu {rutgers,uunet}!ukma!jkolasa jkolasa@UKMA.BITNET -- ------------------------------ Date: Fri, 02 Feb 90 17:15:10 +0000 From: ousama@compsci.bristol.ac.uk Subject: F-PROT and Virus Buster (PC) Hi, I tried to use VB_110.ARC to disinfect some files infected with Vienna Virus, it works on some and leaves few without even sensing that the virus is still exist, anybody has the same experience?? Another point, Running F-FCHK.EXE on a disk containing VB.EXE it gives the message: VB.EXE suspected virus Alabama. While SCAN does not detect anything wrong, any suggestion ?? O. FADEL - ------------------------------------------------------------------------------ Research student | JANET : ousama@uk.ac.bris.cs Computer Science Dept. | ARPANET : ousama@cs.bris.ac.uk Bristol University | BITNET : ousama%uk.ac.bris.cs@ukacrl.bitnet BRISTOL, UK | UUCP : ... !mcvax!ukc!csisles!ousama BS8 1TR | - ------------------------------------------------------------------------------ ------------------------------ Date: Fri, 02 Feb 90 15:38:00 -0600 From: MONCRIEF@TCUAVMS.BITNET Subject: WDEF on campus (Mac) FYI The WDEF virus has reached us here at Texas Christian University. A student came into our User Services area to obtain virus software and one of his disks was infected. Luckily I had installed GateKeeper Aid the day it came out. I just wanted the list to know how far this thing has spread. Karen Moncrief Sr User Services Consultant Texas Christian University Fort Worth, Texas 76129 AppleLink: U1069 Bitnet: MONCRIEF@TCUAVMS ------------------------------ Date: Fri, 02 Feb 90 23:19:13 +0000 From: ddb@ns.network.com (David Dyer-Bennet) Subject: Re: 4096 and 1260 Viruses (PC) John McAfee writes: : The strangest part of the virus is that it is also able to :trap all other disk reads and writes, and whenever an infected file is :accessed by any program, the virus performs a disinfection of the :program on the fly. ^^^^^^^ infected file? As a BBS sysop, I find this a particularly amusing feature: it assures my users that anything downloaded from my BBS is not infected with this class of virus! The concept of BBS's as *the safest* source of software (at least in this one regard) is rather amusing. - -- David Dyer-Bennet, ddb@terrabit.fidonet.org or ddb@network.com or Fidonet 1:282/341.0, (612) 721-8967 9600hst/2400/1200/300 or terrabit!ddb@Lynx.MN.Org, ...{amdahl,hpda}!bungia!viper!terrabit!ddb ------------------------------ Date: Fri, 02 Feb 90 16:53:56 +0000 From: peter@ficc.uu.net (Peter da Silva) Subject: Re: Universal virus detector > For example, you can add a > hardware-enforced switch which when in the OFF position makes it > impossible to set the "is executable" bit at all. So far so good. > In this mode, you > can't do program development, install new executables, or even copy > executable files - Pretty much so. > but you absolutely can't be infected either. Not true. What constitutes an "executable file"? Is a BASIC program one? You can write a virus in BASIC. How about Postscript? You can hide a virus in Postscript. You can't turn off your BASIC or Postscript interpreters... This is the basic sort of protection used by old Burroughs computers: only the compilers could create executable files, and they were trusted programs. They had no memory protection hardware at all. - -- _--_|\ Peter da Silva. +1 713 274 5180. . / \ \_.--._/ Xenix Support -- it's not just a job, it's an adventure! v "Have you hugged your wolf today?" `-_-' ------------------------------ Date: Fri, 02 Feb 90 22:14:19 +0000 From: peter@ficc.uu.net (Peter da Silva) Subject: Re: Statistical Distribution of Viruses WHMurray@DOCKMASTER.ARPA writes: > I have never been innoculated against Polio-myelitis. > We no longer innoculate against Small-pox. The two cases are not equivalent. Smallpox doesn't have a non-human vector. Polio does... in fact I believe that stagnant water can serve as a reservior for Polio. So we can't "eradicate" Polio the way we have (almost) Smallpox. Now I'll leave it up to you folks to decide which of these should serve as a paradigm for Viruses. - -- _--_|\ Peter da Silva. +1 713 274 5180. . / \ \_.--._/ Xenix Support -- it's not just a job, it's an adventure! v "Have you hugged your wolf today?" `-_-' ------------------------------ Date: Fri, 02 Feb 90 23:08:54 -0500 From: "Gregory E. Gilbert" Subject: WDEF A at the USC (Mac) Guess that says it all. So far we have seen two (2) infected disks at the computer center Mac lab. However, there are numerous other Mac labs that are not as concerned about viruses as we are. I assume we will see more infected disks. Greg. Postal address: Gregory E. Gilbert Computer Services Division University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 Acknowledge-To: ------------------------------ Date: Fri, 02 Feb 90 07:53:00 -0700 From: alanj@ibmpcug.co.uk (Alan Jay) Subject: AIDS Trojan - the Police charge a US Citizen Yesterday afternoon in Clevland Ohio the FBI arrested a man on blackmail charges relating to the AIDS trojan program sent out from the UK in December. The suspect, Dr Popp aged 39, was arrested at his parents residence. He will appear in court today on the blackmail charge and extradition procedures are under way. ========================================================================= I wonder if anybody out there knows anything more about the gentelman concerned with this event. If so please email me and I will summarise. Alan Jay PS I think it is interesting that unlike the recent 'internet' case that the charge is blackmail. I suspect that this is due to the current state of UK law. - -- Alan Jay - Editor Connectivity The IBM PC User Group, PO Box 360, Tel. 01-863 1191 Fax: 01-863 6095 Harrow HA1 4LQ, ENGLAND Email: alanj@ibmpcug.CO.UK Path: ..!ukc!ibmpcug!alanj *** For all users of IBM PC & ALL Compatibles *** (+ Standard Disclaimer) ------------------------------ Date: Sat, 03 Feb 90 15:17:36 -0600 From: alexis@rascal.ics.utexas.edu (Alexis Rosen) Subject: Re: Gatekeeper veto: Normal behavior or virus attack? (Mac) swenson@pythagoras.Stanford.EDU (Norman Swenson) writes: >I have noticed something suspiciously virus-like on my Mac II. I was First the good news. This is almost certainly not a virus. To make sure, find out if the file signature of ADoBe Separator is ADBS. If it is, you're fine. Otherwise, you might have a problem. >getting a "Serious disk error" message from Microsoft Word and garbage >in my files when using the editor in TeXtures. Fearing an imminent >disk crash, I backed up my hard disk to another. While the files were >copying over. I got a veto message from Gatekeeper (ver 1.1.1, w >Gatekeeper Aid). I decided to check my disk using Disinfectant 1.5... > ...However, whenever I try to open the Illustrator folder on the backup >disk, I get the following veto message: 'Gatekeeper has vetoed an >attempt by Finder to violate "Res(other)" privileges against Desktop. >[AddResource(ADBS,0)]'. I have isolated the behavior to the Adobe >Separator 2.0 program. When I remove it from that folder, I do not >get the message. When I put it back, I don't get the message the >first time I open the folder, but I do every time after that. I made >a copy of the folder on another disk, and at first I got the same >behavior, but after I rebooted it went away on the second disk. I >looked at both desktop files using resedit; one had the ADBS resource >in it, the other did not. Is this normal behavior, or could it be due >to a virus that Disinfectant 1.5 is not catching? Why would opening a >folder require adding a resource to the desktop file? And why did >Gatekeeper veto it on one disk, but not the other? I've seen this coming ever since the GK-Aid INIT was released- but then again, I anticipated WDEF in a message about seven months ago, and all of this revolves around one concept- file signatures that look like code, and vice versa (I can't claim any great genius on this, though- I got the idea from seeing C. Weber's FKEY Manager program cause crashes on Cmd-Shift-0... anyone else remember that?). To answer your questions (as best as I can from your description), the Adobe Separator utility has a file signature which happens to have the exact same four bytes as a type of executable resource that lives in the system file. Now while I've never seen the GateKeeper-Aid, I'm pretty certain I know exactly what it does- it prevents any resource which looks like executable code to the Mac OS from going into the Mac desktop. This is a well-defined list which includes (not surprisingly) WDEF. So what happened was, when Separator was put on your hard disk, you didn't have GK-Aid, and so the Separator bundle (signature ADBS) was added to your desktop (as it should have been). When you tried to open the folder containing Separator for the first time, on your other disk, you were running GK-Aid. At that point, the Finder wanted to add the bundle resource 'ADBS' to the second disk's Desktop file, and GateKeeper vetoed it. In summary, everything is OK (as long as I'm right that Separator's signature is 'ADBS'). GK and the Finder are both behaving as they should. The folks at Adobe get the programming-fools-of-the-week award for picking such a bad signature. Nothing to shoot them over, though. If you just override GK long enough for the signature to get into the desktop file, it will stop bothering you (the Finder only adds a bundle once). Hope this helps (and I _really_ hope it's right)-- Alexis Rosen alexis@panix.uucp {apple,cmcl2}!panix!alexis DISCLAIMER: IF A NEW VIRUS TRASHES YOUR DISK, DON'T BLAME ME. ------------------------------ Date: Sat, 03 Feb 90 18:17:00 -0500 From: Leichter-Jerry@CS.YALE.EDU Subject: Universal virus detectors: Once more with feeling David Chess continues, in essense, to complain about the user interface. He says that determining which changes to executables were deliberate and which not is too hard, etc. This again misses my point. I was not trying to sell anyone on a "solution to the virus problem". I was trying to point out that the apparent THEORETICAL impediments to virus DETECTION were in no sense basic, but were side-effects of the particular ways we have chosen to build our hardware and our mathematical models. We can make other choices if we wish. He also asks: Or it could create the object that it wanted, and call the copy utility. Or is it impossible for a program to copy a non-executable thing to an executable thing? That would help a little, but would also make the system less convenient to use. How do you get a new copy of the linker? How do you write a patch program? No, on such a system you could not copy a non-executable thing to an executable, unless you chose to have a copy routine which was marked "may set the 'executable' bit". Most people do not need patch programs - most people are not programmers. Those who need a patch program can give it the appropriate rights. You create a new linker by linking one with the old one, if you are in the business of creating new linkers. Or you install one, already marked as executable, from a binary disk you got from a trusted source. Russell Wallace has two complaints: That this technique only catches viruses at run-time, rather than by examining the code, and that various things he does on his Amiga, like patching code, would become impossible. For the first, I suggest that *I* examine code by running it on my CPU - it's much better at looking closely at things than I am. Today, that's a dangerous thing to do, since the act of examination may let a virus do damage. On a properly built system, I would be told if the code tried to do anything to any of my executables. As for patching and such: The machines I described are perfectly capable of doing anything any current machine can do. If you give a patch program the right to create executable code, it will work just as it does today. Of course, in the process you give up some of your protection. Hey, if you release the safety on a gun, you could accidentally shoot yourself. Imagine that! Arthur Larky writes: "Perhaps I'm Missing Something" and points out that an MS/DOS timestamp is worthless. Yes, he did miss something - my article which talked about where these timestamps come from. Sorry, not from MS/DOS or any existing software or hardware.... He also says: But that's what I do for a living: "program development, install new executables, etc." Oh, well, one can always retire to something less challenging such as urban warfare. Welcome to the real world. Only a minority of us do program development, a minority that is growing smaller every day. While most owners of PC's have to install executables, that involves a minute fraction of the time they spend using their systems. If a system protected them, it would be well worth building. As to the developers - - they are inherently doing something riskier, and will have to watch their systems more carefully. With the "no new executables" switch off, they can develop - and be infected - as always. They still get the hardware modification log if they want it. I translate this to mean "find something other than a PC or a MAC on which to do your computing." True, but it doesn't solve the current problem for most of us. You bet. But, to repeat myself, I wasn't TRYING to solve anyone's current problems - I was trying to show that a solution is POSSIBLE, if we decide it is worth the costs. The problems involved are monetary/political/organizational, NOT technical. -- Jerry ------------------------------ Date: 03 Feb 90 17:57:50 +0000 From: nitrex!rbl@uunet.UU.NET ( Dr. Robin Lake ) Subject: AIDS Virus Suspect Arrested Near Cleveland, Ohio COMPUTER BLACKMAIL ALLEGED Lake [County] man held on British counts For those of you who don't find the Cleveland Plain Dealer on your doorstep or bushes each morning ---- >From Page 1 of The Plain Dealer, Cleveland, OH, Saturday, February 3 By META McMILLAN, Staff Writer " A Willowick man is being held without bond on a federal fugitive warrant, pending extradition to England to face blackmail and extortion charges in connection with a computer disk that scrambled and stymied computer systems across Europe and Africa. Joseph L. Popp Jr., 39, of W. Willowick Dr., was brought before U.S. Magistrate Joseph W. Bartunek yesterday morning, complaining of mental illness, to face charges that the disk he allegedly created and mailed to as many as 26,000 businesses and hospitals was part of an elaborate blackmail scheme. Authorities in England are seeking to extradite Popp under the terms of a 1972 treaty with the United States. Bartunek delayed the extradition hearing until after he can review two psychiatric evaluations of Popp. The magistrate ordered the examinations --- one by a court-appointed psychiatrist and the other by Popp's doctor --- after Popp's lawyer told the judge his client was suffering from mental illness and was on medication. Bartunek said he expected the psychiatric reports to be available within 10 days, after which he will determine whether a competency hearing is needed before an extradition hearing is scheduled. Popp was arrested Thursday without incident by FBI agents and Willowick police at the home he shared with is parents. A warrant for his arrest was issued Jan. 18 by a London magistrate. A sealed U.S. warrant was issued Jan. 24 by U.S. District Judge Ann Aldrich. Scotland Yard charges that about Dec. 11, while he was in London, Popp mailed 20,000 to 26,000 IBM data disks to hospitals, insurance companies and major corporations. The disks purportedly provided information on what individuals could do to reduce their chances of catching acquired immune deficiency syndrome. After some computers became infected by the program, word of the potentially destructive disks spread within days, and AIDS researches in the United States were put on alert. Companies in African nations, England, Belgium, Denmark, Holland and Australia received the disks, London officials said. Investigators believe no disks were mailed to the United States or Canada. The packages containing the disks bore a printed warning that users would be billed up to $378 for use of the disk. Payments were to be sent to PC Cyborg Corp., whose address is a post office box in Panama. Gary Arbeznik, an assistant U.S. attorney, said that London authorities had told U.S. investigators that "when the disk was used in a computer, an AIDS program was generated. At the end of that program, the screen would go blank, except for an invoice, which said "if you wish to use this computer," up to $378 must be paid to an address in Panama. "When the money was paid, an antidote would be sent," Arbeznik said, "Until then, the machine was unusable." Popp is believed to have used the mailing list from PC Business World, a London computer publication, to target recipients of the disks. Officials of PC BUsiness World said a man identifying himself as "Ketema," an African businessman, contacted the magazine's circulation department in October about purchasing part of its mailing list. He paid more than $1,000 for 7,000 names, the magazine said. About 1,200 of those PC users were hit with the virus; the rest were warned in time, said senior reporter Mark Hamilton. PC Business World said Cyborg also used other mailing lists. Cyborg's directors are listed as Kitain Mekonen, Asrat Wakjira and Fantu Mekease. The suit for extradition said Popp began planning the scheme in February 1989, when he set up the Panama firm. FBI spokesman Bob Hawk said the bureau had information that Popp was prepared to mail out an additional 2 million disks. Popp, soft-spoken with dark hair and flecks of gray in his dark beard, was handcuffed as he appeared in the courtroom. He was dressed in loafers, faded blue jeans and a multicolored sweater. His eyes at time darted anxiously toward the few spectators in the courtroom. He was rushed in and out of the federal courtroom through back entrances. Popp is a zoologist and anthropologist who has conducted animal behavior research for several international health agencies, including UNICEF and the World Health ORganization. He said he was under psychiatric care and taking medication for a mental illness. Twice during the morning hearing, he said he was not clear about proceedings. Bartunek ordered the courtroom cleared so Popp could consult with his lawyer, John Kilroy, who practices in Euclid [Ohio]. The meeting lasted several minutes, after which Bartunek again apprised Popp of the charges. Popp said he understood what they involved but added "I do not understand how it applies to my case." Kilroy unsuccessfully asked that Popp be held in a psychiatric hospital rather than in jail. Kilroy described Popp, and Ohio State University graduate [1972, biological science] with a doctorate in anthropology from Harvard University [1979], as a respected anthropologist being unfairly painted as a criminal. Popp left the World Health Organization, a special agency of the United Nations, a few weeks before Christmas and returned to his parents' home, Kilroy said. Popp received no money in his endeavor to market the flawed disk, Kilroy said, but had hoped to generate money to conduct research on the AIDS virus. Kilroy said he did not have enough information to explain why the disks apparently had shut down computer systems across two continents and in some cases destroyed the information those systems contained. He said he had had only two brief interviews with Popp since his arrest. John Austen, an investigator with the computer crimes division of New Scotland Yard, said Popp's actions were motivated by money and that Popp could face up to 10 years in prison for each count of blackmail. He declined comment on whether investigators believe Popp acted alone, but a recent article in the Times of London referred to an investigation seeking four men in connection with the virus. Popp was moved after the hearing to an undisclosed jail. Bartunek told Kilroy to make a list of medications Popp required so federal marshals could ensure that he received them. Popp has complained to Bartunek that while he was held at the Lake County Jail after his arrest Thursday, he as not given proper medication. "I am deeply disturbed at times," he told Bartunek, "and one day in custody ... can be a day of disorientation." " Staff writers Eric Stringfellow and Rebecca Yerak contributed to this article. " [Sidebar articles include a diagram of a PC with a Computer Virus Glossary: "Time bomb, Logic bomb, Trojan horse, Vaccine"; and "Neighbors express surprise at arrest". Summary: "Quiet, Intelligent, Outstanding young man. He was a real smart kid ... we didn't socialize that much, but I always figured he would end up being a CPA. I remember him as a real gentleman.] ------------------------------ Date: Sun, 04 Feb 90 09:39:00 -0500 From: Subject: Washington Post story on Joseph Popp; FYI From: The Washington Post, February 4, 1990. Page 18. Byline Reuter. "Cleveland, [Ohio] Feb. 3 -- An anthropologist accused of international computer fraud involving information about AIDS and a possible computer virus was held without bail while a judge considered reports on his sanity, authorities said today." "Joseph Popp, 39, appeared before a U. S. magistrate to face charges that the computer disk he created was part of an international blackmail scheme, said Assistant U.S. Attorney Gary Arbeznik." "The Cleveland Plain Dealer said that Popp, while in England, mail the IBM data disks to as many as 26,000 hospitals, businesses and government agencies worldwide." "The disks claimed to provide information on AIDS prevention but at the end of the computer program Popp allegedly said a computer virus would be unleashed unless $378 was sent to a post office box in Panama." ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253