VIRUS-L Digest Tuesday, 13 Mar 1990 Volume 3 : Issue 57 Today's Topics: Re: Contest announcement Re: Scanning MAC diskettes on a PC Better name for the "VCOMM" (reply to frisk) Need info on worms & net security Re: virus symptoms (Amiga) re: Viruses using Hamming (PC) Tying SCAN and CLEAN together (PC) DPMA Virus Workshop in NYC Virus Reporting Virus-L Index of V3 #1 to #55 (PC & Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 09 Mar 90 18:01:20 +0000 From: decwrl!well.sf.ca.us!well!rsa@ucbvax.Berkeley.EDU (RSA Data Security) Subject: Revised MD4 signature documentation ___________________________________________________________________ License to copy and use this document and the software described herein is granted provided it is identified as the "RSA Data Security, Inc. MD4 Message Digest Algorithm" in all materials mentioning or referencing this software, function, or document. License is also granted to make derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD4 Message Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning the merchantability of this algorithm or software or their suitability for any specific purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. The MD4 Message Digest Algorithm -------------------------------- by Ronald L. Rivest MIT Laboratory for Computer Science, Cambridge, Mass. 02139 and RSA Data Security, Inc., Redwood City, California 94065 Copyright 1989,90 Ronald L. Rivest (Version 2/14/90) (Revised) Abstract: - --------- This note describes the MD4 message digest algorithm. The algorithm takes as input an input message of arbitrary length and produces as output a 128-bit ``fingerprint'' or ``message digest'' of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD4 algorithm is thus ideal for digital signature applications, where a large file must be ``compressed'' in a secure manner before being signed with the RSA public-key cryptosystem. The MD4 algorithm is designed to be quite fast on 32-bit machines. On a SUN Sparc station, it runs at 1,066,000 bytes/second. On a DEC MicroVax II, it runs at 70,000 bytes/second. In addition, the MD4 algorithm does not require any large substitution tables; the algorithm can be coded quite compactly. [Ed. The remainder of this revised document is available via anonymous FTP from cert.sei.cmu.edu in pub/virus-l/docs/md4.rsa.paper] ------------------------------ Date: Fri, 09 Mar 90 16:02:52 -0600 From: Robert Minich Subject: Re: Scanning MAC diskettes on a PC > I thought the Mac's floppy drive used a software lock. I just looked in > IM, but could not find the answer. Can anyone remember? > > James Gallagher > jimg@cs.uri.edu *************************************** Well, there IS in fact a software lock on Mac floppies, but it is not the one I referred to. This "is it hard or soft" issue was answered definitively (well, good enough for me...) by someone at apple.com who said that the interlock for the write protect tabs is in fact hardware based. This is the way it should be, of course, but I'm happy Apple did it right way back in 1984 because thats were my Mac originated! So, if the tab is set to lock, don't worry about anything malicious, unless someone before you was eating a particularly messy sandwich that might leave, for example, jelly in your drive. Other than that, your safe. ------------------------------ Date: 08 Mar 90 00:00:00 -0500 From: "David.M..Chess" Subject: Better name for the "VCOMM" (reply to frisk) Oh, is *that* where the name came from? We could certainly use a better one. "Polish", or even "Polish EXE", is likely to be confusing before too long (more than one virus may come from that area). How about using the virus length (or the minimum number of bytes it will add to an EXE file)? I think that's a decent nomenclature, especially for these viruses that are, and are likely to remain, very rare... DC ------------------------------ Date: Mon, 12 Mar 90 15:32:18 +0500 From: Esra Delen - NAD Subject: Need info on worms & net security Hello.. I need your help. I am trying to write a paper on Security on Computer Networks. I would like to know more about Worms, incidents about Worms and main security leakages in Networks. Also I want to know how security is established in different nets (BITNET, ARPA Internet, NetNorth, etc..) Any help would be GREATLY appreciated. I would more appreciate it if it will be quick.. You can write to my own account ESRA@TREARN.. Many thanks in advance.. Esra ------------------------------ Date: Mon, 12 Mar 90 19:18:36 -0400 From: Ken Bell Subject: Re: virus symptoms (Amiga) > I have a game called Hybris. After playing this for a while, the > screen will "fuzz", what I mean is that the graphics seem to get > confused and all I see is one big blur on the screen. I have > tried this with two independent disks of the game (ie: I borrowed > them from two different people). This may or may not have anything > to do with the blanking. I'm not familiar with the Amiga, but it is known that some programs that directly program the video hardware do so incorrectly, leaving the video signal in an "undefined" or "marginal" state. This could cause problems of the sort that you describe (by the way, this could also lead to permanent damage of the monitor). Acknowledge-To: ------------------------------ Date: 12 Mar 90 00:00:00 -0500 From: "David.M..Chess" Subject: re: Viruses using Hamming (PC) I'm not entirely sure why anyone should be worried by the fact that some viruses are using error-correcting codes; to my knowledge, none of the Bulgarian viruses use them for anything very interesting, at least from the point of view of protection. Perhaps I've missed something key: does the use of Hamming codes by these viruses somehow make them harder to detect, remove, or otherwise protect oneself against? DC ------------------------------ Date: Mon, 12 Mar 90 17:56:00 -0400 From: Subject: Tying SCAN and CLEAN together (PC) I have an idea that may or may not be taken into consideration. I was wondering if one could SCAN and if present, CLEAN a virus in the same batch file. It is not possible unless you CLEAN all known viruses (that takes a little time :-)). It occurred to me that if SCAN returned ERRORLEVEL codes when completed (a different ERRORLEVEL code for each virus) then through a batch file any known viruses could removed. The batch file would only contain known viruses in the area. It would really be helpful and I'm sure many would appreciate this feature if implemented. Of course, it's only a thought. I was also wondering if an ERRORLEVEL code could be included that handles disks that are not in the drive to be scanned. These, of course, are only suggestions. Thanks for ypour time. =============================================================================== = Santo Nucifora = Disclaimer: These are my thoughts and no one elses. = =============================================================================== ------------------------------ Date: 13 Mar 90 14:50:00 +0100 From: Morton Swimmer Subject: DPMA Virus Workshop in NYC When was this announced? I only just heard of it a few days ago. Had I known of such an event much earlier, I may have been able to go, but this way..... Perhaps someone (Ken?) could summerize what was said and post it in this forum. Cheers, Morton Virus Test Center, University of Hamburg [Ed. The workshop was announced at least a week or so ago here on VIRUS-L. I'm only attending for one (of two) day, but I'll send in a summary of day one. Anyone want to summarize day two?] ------------------------------ Date: Mon, 12 Mar 90 18:23:21 +0000 From: Alan Thew Subject: Virus Reporting >Date: 07 Mar 90 12:13:43 -0500 >From: Pat Ralston >Subject: Many WDEF reports --Why? > [ initial part deleted ] I am confused. I really want to help. I will report any >(first occurrence) of a virus here on my campus if you-all >want me to, and if it IS indeed helpful. I will stay off the >electrons and not clog up the list with needless reports if that >is more helpful. > >Of course, any one on this list can (and will) respond to my >query but PLEASE IDENTIFY yourself. If you are a REAL virus >tracker please say so...If you aren't please note that also. Why not create a second list, comp.virus.reports (and something like vrepor-l for bitnet users) so that those who want to monitor/report virus spread can do so, and others can chose not to read it? Alan Thew University of Liverpool Computer Laboratory Bitnet/Earn: QQ11@LIVERPOOL.AC.UK UUCP: ....!mcsun!ukc!liv!qq11 Internet: QQ11@LIVERPOOL.AC.UK or QQ11%LIVERPOOL.AC.UK @ NSFNET-RELAY.AC.UK [Ed. That's pretty much what VALERT-L is for. It is not directly cross-posted to a newsgroup, however, although I do re-post relevant VALERT-L mail on VIRUS-L/comp.virus.] ------------------------------ Date: Fri, 09 Mar 90 11:07:48 +0000 From: Anthony Appleyard Subject: Virus-L Index of V3 #1 to #55 (PC & Mac) -- (and see ) Driver Disk shipped with a Wise Data Systems PC has Stoned virus 10 Possible virus warning - text strings contain copyright messages for Compac Computer Corp 14 US Gov't printing office Census disk has Jerusalem B [library virus] 26 Virus-laden Census Disks (US census disks have Jerusalem virus) (longish)38 new trojan [Twelve Tricks Trojan] 38 Virus posted to VALERT-L (description of new virus)(named the 1559 virus)44 Will only delete the infected file, not disinfect it. [RE:YANKEE DOODLE] 31 Re last moan: Hang on, I'll get round to it! [Yankee Doodle Virus] 32 [Ed. I removed the remaining 23k worth of index information, due to length. The index files (PC and Mac) are available by anonymous FTP from cert.sei.cmu.edu (IP number 128.237.253.5) in pub/virus-l/archives/index.v3i1-55.appleyard.[pc|mac]. Thank you for your efforts, Dr. Appleyard!] ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253