VIRUS-L Digest Thursday, 3 Oct 1991 Volume 4 : Issue 178 Today's Topics: Virus protection hardware Help with STONED 16 virus (PC) New NOVELL virus? (NOVELL) (PC) RE: Mac Puke INIT (Belch Virus??) (Mac) Re: F-Prot 2.0 (PC) Re: Heuristic analysis? Re: New Virus Warning (PC) Fred Cohen's contest Artificial Life III: Call for Papers VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 30 Sep 91 16:19:45 -0400 >From: ctraynor@attccs1.attmail.com Subject: Virus protection hardware All: I am looking for any articles or adds for virus protection hardware, (ie. PC boards) for some machines here on our network. Could anyone knowing about an article or ad in a magazine or journal please Email me soon so I can evaluate them... Thanks in advance.... Chris ------------------------------ Date: Mon, 30 Sep 91 17:49:00 -0400 >From: "George Russ" Subject: Help with STONED 16 virus (PC) We are currently encountering the virus STONED and have a few questions we hoped you could answer. How exactly does this virus infect? What is the best protection to load at boot up? (We are currently using Fprot ver20 [Virstop in config.sys]) Can the virus STONED get past Virstop? We are using the disk lockdown program Disk Manager could this type of protection prevent a Virus driver from being 100% effective? Thanks in advance, your help will be most appreciated! ___________________________________________________________________________ George Russ Bitnet : RUSSG@CITADEL.BITNET IRM/Network Support Services Internet: soon The Citadel Military College Voice : 803-792-6817 Charleston SC 29409 - --------------------------------------------------------------------------- ------------------------------ Date: Mon, 30 Sep 91 18:32:00 -0500 >From: RONNIE@ECUAFUN.BITNET Subject: New NOVELL virus? (NOVELL) (PC) Today, a network under NOVELL 3.11, was hit by a unknown virus, at least in our environment, the virus only affects the server, when you issue the command "load monitor", few minutes later, the screen clears and a worm composed by block characters showing different levels of gray begins to run across the screen, the creature disappears when you press the ESC key. We're checked the server under DOS with CPAV v 1.0, and installed the VSAFE.SYS program in memory, then run the program SERVER.EXE, issue the "load monitor" command, and few minutes later, the worm appears on the screen, and the VSAFE program says nothing, the CPAV program doesn't say anything, and the worm continue to run across the screen. If anybody out there has the answer, please reply ASAP! Ronnie Nader Catholic Universityof Ecuador at Guayaquil System Engeneering Faculty Pacific National Bank Special Projects dept. Guayaquil - Ecuador BITNET: RONNIE@ECUAFUN.BITNET ------------------------------ Date: Mon, 30 Sep 91 23:09:16 -0600 >From: Diskmuncher Subject: RE: Mac Puke INIT (Belch Virus??) (Mac) >From: Al Boulley <32DD3BN%CMUVM.BITNET@VM1.gatech.edu> >I don't believe that MacPuke.init could be causing this because the >sound occurs only upon ejection of a disk. Also, this would show up >in a system folder, hidden or not. Anything else is beyond me. > Al Boulley Are you using System 7.0? If so, it would be in the Extensions folder ("underneath" the System Folder). It's also possible that someone renamed Mac Puke to something else. They might have even changed the Get Info information (ResEdit Puke ID=0). My solution would be the following: Use ResEdit's GetInfo on suspicious files and look for a creator type of PUKE. Alternately (if you have ResEdit 2.1) load suspicious files into ResEdit and play the Sound Resource(s) in each file. There are other programs which can play Sound Resources, but they may or may not "see" hidden files. I'll bet $$ it is the Mac Puke INIT...just cleverly disguised. Mac Puke (to my knowledge and experience) only activates *WHEN* a disk is ejected. John-David Childs Consultant, University of Montana con_jdc@lewis.umt.edu P.S. ResEdit 2.1 can probably be obtained from any Mac dealer in your area. ------------------------------ Date: 01 Oct 91 10:23:10 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: F-Prot 2.0 (PC) Michael_Kessler.Hum@mailgate.sfsu.edu writes: > asking for a boot disk, and leaves them more room in memory. With > F-Prot 1.6, I simply installed F- DRIVER.SYS on each start volume of > the network (I use about 5 different start volumes, depending on > classes, accounts, etc.). So far it worked, although I understand > that the lack of infections may have been pure luck. Anyway, do I > understand the new directions correctly: Load VIRSTOP.EXE in the > AUTOEXEC.BAT file of the server(s) to protect the entire system? Or > should I again load VIRSTOP.EXE on each start volume (3Com 3+Share > system)? How about trying to INSTALL it from CONFIG.SYS (if you run DOS 4.x or higher)? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Universitaet Hamburg, FB Informatik - AGN Bontchev@Informatik.Uni-Hamburg.de Schlueterstrasse 70, D-2000 Hamburg 13 New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 01 Oct 91 10:46:29 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Heuristic analysis? turtle@darkside.com (Fred Waller) writes: > As an example of this difficulty, I will describe the action of T. > Matsumoto's data compressor called DIET v1.10a, (c) 1991. Previous [description of Diet deleted] > DIET's compression efficiency is quite good, often better than PKLITE > and comparable to that of conventional compressors. But to achieve > its good effect, the program must break "good" rules that a heuristic > virus analyzer author might consider sacred: Yes, Diet is a wonderful example of a "bad" program from the anti-virus point of view... However, note that it does not HAVE TO behave like that. There is a program, called STACKER, which performs exactly the same task (and even much better), without doing any dirty tricks. It is installed as a device driver and emulates a disk in a some kind of large archive. The fact that the author of Diet used the "bad" approach does not mean that the same cannot be achieved in a "cleaner" way. And, of course, it does not mean that the Diet program is bad per se (I personally like it), it just means that it does not perform correctly from the virus protection point of view. Nevertheless, the users will continue to write and use such programs, that's why the suggested conception to write only "good" programs is doomed. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Universitaet Hamburg, FB Informatik - AGN Bontchev@Informatik.Uni-Hamburg.de Schlueterstrasse 70, D-2000 Hamburg 13 New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 01 Oct 91 11:04:15 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New Virus Warning (PC) mcafee@netcom.com (McAfee Associates) writes: > A new, fast moving, and very destructive virus has been Please note, that the virus is not destructive per se. It has no destructive payload. Usually the damage is caused by an incompetent user, trying to fix the problems with CHKDSK/F or Norton Disk Doctor. One of my colleages proposed to call it "Do it yourself" virus, because the damege is cased by the victim... :-) > A disruptive characteristic of this virus is that if an infected > system is booted from a clean floppy, none of the executable files > can be copied from the system. Neither can they be backed up. If > the system is not booted from a clean floppy, then the files can > be copied and backed up, but the virus will copied along with the > programs. It's a catch 22 situation. Additionally, if an infected > system is booted from a clean floppy, and then a CHKDSK /F > is run, then all executable files in the system will be destroyed. This (and any other fully stealth virus) can be removed very easily, without any anti-virus programs. Just make sure that the virus -IS- active in memory. Then copy all executable files to non-executable extensions (i.e., COPY FILENAME.COM FILENAME.VIR). Then delete all executable files, reboot from a clean disk and rename the files back to their executable extensions. Instead copying, you can also archive them. Especially the ARJ archiver is very convenient, since it allows the creation of multi-volume archives. Just have in mind that the virus will overwite the last cluster of the disk, so tell the archiver not to use all of the diskette space for the archive (ARJ has such option). Afterwards, you should boot from a non-infected disk, delete the executables, and then restore them from the archive. > The Virus has been named DIR-2. It has been reported at numerous Please, use the name Dir II, if possible. Also other known aliases are MG series II and Creeping Death. The first was used by the person who first discovered and reported the virus (Nikolay Spahiev) and the last is used by the virus authors. I find it extremely inappropriate - the virus does not "creep" - it "flies", and "death" is also inapropriate, since it's not intentionally destructive. > sites in Bulgaria, Poland, Yugoslavia and Hungary. We received our > copy for analysis from Tamas Szalay in Budapest. The Polish anti-virus researcher Marek Sell claims that he has found it on a vrite-protected diskette which came from Taiwan. Also, I have some reports about Norway. I would appreciate if the readers of this newsgroup report this virus when they encounter it. I would like to see how it will spread around the world. > We are currently re-writing our SCAN and CLEAN programs to deal > with this virus, as are most other anti-virus suppliers. A beta > version of both programs will be available September 26th. Anyone > reporting symptoms similar to the above described, please > contact us. To those that do not understand why all disinfectors have to be rewritten. Since the virus does not infect neither the boot sector, not the files, a new loop must be implemented is the disinfector, to make to search the directory entries too. And now some symptomes for this virus, that I forgot to describe in my previous message: 1) Backups and/or archives that use the whole disk space on the diskette suddenly become corrupted. 2) After formatting a diskette and looking at the disk usage map with PC Tools (or something similar), you notice that the last sector is marked as used. That's right, used, not bad. 3) The two copies of the FAT do not match. This can be observed only if the virus is not active in memory. 4) When you copy files from an infected media (without the virus being active), only one cluser (or 1024 bytes, whichever is larger) is copied. 5) When you run a file from an infected diskette, it just exits to the DOS prompt. At this time you're already badly infected. Running the file for the second time will make it running, though. 6) CHKDSK (DON'T USE THE /F OPTION!!!) or Norton Disk Doctor (or an equvalent disk repairing program) reports a lot (a huge number of) cross-linked files and lost file chains. All files are cross-linked to the last cluster of the disk. This is cluster 355 for 360 Kb floppies. If you encounter the above problems, for goodness sake, don't try to repair the problem yourselves!!! You are risking to lose all your executables. Contact a person, who is qualified in anti-virus research as soon as possible! Hope that the above will not be of any use to you, but just in case... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Universitaet Hamburg, FB Informatik - AGN Bontchev@Informatik.Uni-Hamburg.de Schlueterstrasse 70, D-2000 Hamburg 13 New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Mon, 30 Sep 91 17:17:13 -0500 >From: spaf@cs.purdue.edu (Gene Spafford) Subject: Fred Cohen's contest The September/October issue of "The Sciences," published by the New York Academy of Sciences, had an article by Fred Cohen. In it, he tried to make a case for the existence of "good" viruses, and he pulled out a number of supporting examples that really weren't viruses or weren't clearly done well by viruses. He concluded the article with an announcement of a contest. His publishing company, ASP (which may be run by Fred for all I know) will award $1000 for the best "good" virus as per vague rules laid down by Fred in the article. I was quite upset by the article, and especially the contest, because I think it quite unethical to encourage the writing of viruses as he is doing. I also think there is a very clear and significant conflict of interest for him and/or ASP to be encouraging such a contest. I wrote a letter of response to the editor a few weeks ago, and I have spent the time since then thinking about it. The toned-down letter that I actually sent is reproduced below, minus some italics and bold-facing. Whether you agree or disagree with my comments, if you wish to make your own comments to the editor, his address is below; his fax number is 212-260-1356. I doubt I am the only person with an opinion on this matter. (Naturally, I could be the lone voice of dissent; I hope not, but it may be the case.) I thought you might be interested. If not, never mind. Cheers, - --spaf Mr. Peter G. Brown, Editor The Sciences 622 Broadway New York, NY 10012 Dear Mr. Brown: I began to read the recent article by Dr. Fred Cohen [1] with considerable interest. Dr. Cohen is a pioneer in the field of computer virus research, and I have found many of his writings quite thought-provoking. Unfortunately, by the time I finished his article, I was quite dismayed. I believe that Dr. Cohen has failed to adequately consider both the practicality and the ethics of his proposal. First of all, I believe that there is an obvious conflict of interest involved when the vendor of a computer virus prevention product sponsors a contest soliciting the development of new viruses. I am further troubled by the lack of a list of the judges of the contest and the criteria for winning. I will not discuss these points further, however, as they are minor matters compared with my main concern: I believe that the writing of computer viruses is unethical, [2--3] and to encourage their development in an unsupervised manner is likewise unethical. Computer viruses spread without the informed consent of the owner of the software (``host'') they ``infect,'' and they are usually not limited in their spread, in time or space. If scientists were to experiment with organic viruses capable of infecting humans and possessing these same properties, we would likely be taking vigilante action against them, contest or no. Encouraging the general populace to develop organic viruses would bring about widespread condemnation; yet, oddly, encouraging the development of computer viruses leads to publication in a journal. To his credit, Dr. Cohen explicitly prohibits viruses that exhibit the above two dangerous properties from being eligible for his contest. However, many viruses cause damage because of flaws within the code, or unexpected properties of their target computing environment; examples include the ``Stoned'' virus for IBM PCs, and the ``WDEF'' virus for Apple Macintoshes (cf., [3--5]). What will be the attitude of the community as a whole if a new destructive virus appears on the scene because of a bug in the software meant to contain it? What if something similar to Robert T. Morris's Internet Worm were to be discovered and explained as a buggy test version intended for Cohen's contest? This brings me to another argument with Dr. Cohen's article: we disagree about the definition of the term ``computer virus.'' Cohen describes Morris's Internet program as a ``virus,'' while I (and others) would define it as a ``worm.'' [6--7] Morris's program did not alter existing software to include a copy of itself as do viruses. His program was no more a virus than is a compiler (suggesting an interesting class of potential submissions to the contest). In fact, if we intuit a definition of ``contest-acceptable virus'' from Cohen's article to be something that spreads from system to system, that requires permission to install itself, and has limited potential for spread (like the Worm), it is no longer clear we are speaking about viruses at all! Harold Thimbleby of Stirling University, Scotland and Ian Witten of Calgary University, Canada have done extensive work on software that would meet the above intuited definition of a computer virus. They have developed some very sophisticated self-propagating applications, including self-updating databases with window-based interfaces. [8--9] It is not at all clear that the community recognizes these as viruses. Professor Thimbleby himself has chosen to call them ``liveware'' to make the distinction clear. I am surprised that Dr. Cohen is unfamiliar with their work and did not cite it in his Sciences article; it would be a clear favorite if it were to be entered in the ASP contest. However, it also serves to illustrate how something that might win the contest is not likely to be viewed as a ``virus'' by the community of researchers. This brings me to the second of my two major objections to Cohen's article and contest. I believe that his underlying thesis is flawed: I do not believe that there are any practical ``good'' viruses. During the Second Conference on Artificial Life, held in Santa Fe in 1990 (cf. [10]), I was on a panel discussing computer viruses. Russell Brand, another panelist, made the observation that there is nothing that can be done by a computer virus that cannot be done more efficiently and generally by other means. This observation was debated by the panel, and discussed extensively by others since that time. To my knowledge, everyone involved in these discussions now believes that is a true statement. Consider that a computer virus is nothing other than a program coupled with code to transport and install itself as part of existing software. It will be more difficult (or impossible) than a stand-alone program to update for new releases, customize, and maintain. A virus will also be more difficult to write and test for correctness than will a stand-alone program because of its interaction with its environment. Viruses are simply not the most practical or efficient approach to any particular task. His example in the article of the billing system demonstrates an inadequacy in the data model used and tools available, and not the superiority of using a quasi-virus. Even the example Cohen gave in his PhD dissertation of a compression virus would be better served by a well-written stand-alone program over which the user has more control. I believe that any attempt made to promote ``useful'' viruses involves a contradiction of the word ``useful,'' assuming that ``useful'' does not also imply ``malicious.'' To return to my first fundamental objection (and the one I feel most strongly about) -- the impropriety of encouraging virus authorship. We have been battling computer viruses for five years now, and the indications are that the problem is growing exponentially (cf. [11--12]). Computer viruses --- even those intended to be harmless, and limited in scope and duration --- continue to cause untold amounts of damage to computer systems. For someone of Dr. Cohen's reputation within the field to actually promote the uncontrolled writing of any kind of virus, even with his stated stipulations, is to act irresponsibly and immorally. To act in such a manner is likely to encourage the development of yet more viruses ``in the wild'' by muddling the ethics and dangers involved. It will reinforce the attitude that there may be some benefit to be gained from writing viruses (when there is as yet absolutely no clear indication that such is the case), and may encourage people to begin uncontrolled experiments with viruses they might not otherwise have undertaken. We have seen cases already where well-trained virus researchers have accidentally released experimental computer viruses into the population; to encourage amateurs to also engage in risky behavior that may lead to similar or worse results is quite appalling. It is my fond hope that no one attempts to enter Dr. Cohen's contest, and that he quickly recognizes the dangers and cancels it. A few decades ago, physicists talked about peaceful uses of atomic weapons, such as blasting out canals and destroying threatening icebergs. They were attempting, in good faith, to put a better moral cast on their research. Thankfully, none of them offered money in a contest for the best demonstration of such an application! Alfred Nobel, horrified at the use to which his invention of stabilized explosives were being put, did not establish a contest for the best peaceful use of dynamite. Instead, he established world-reknowned awards for research in peaceful pursuits, funded by the income from his discovery. It is quite unfortunate that ASP and Dr. Cohen could not have taken a similar approach with their $1000 prize. They could have made a powerful statement about responsible behavior, but instead have increased the danger to the community and generated doubts about their own motivations. Eugene H. Spafford, PhD References [1] Friendly Contagion: Harnessing the Subtle Power of Computer Viruses, by Fred Cohen, The Sciences, Sep/Oct 1991, pp. 22--28. [2] Computer Viruses and Ethics, by Eugene H. Spafford, in Collegiate Microcomputer, special issue on the Rose-Hullman/GTE Computing and Ethics Seminars, to appear, 1992. [3] Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats, by Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, ADAPSO, 1989. [4] Rogue Programs: Viruses, Worms, and Trojan Horses, edited by Lance J. Hoffman, Van Nostrand Reinhold, 1990. [5] Computers Under Attack: Intruders, Worms and Viruses, edited by Peter J. Denning, ACM Press/Addison-Wesley, 1990. [6] What is A Computer Virus?, by Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, Chapter 2 in [4]. [7] An Analysis of the Internet Worm, by Eugene H. Spafford, in Lecture Notes in Computer Science 387, Springer-Verlag, 1989. [8] Bugs, Viruses and Liveware: Collected Papers by Harold Thimbleby, technical report of the Department of Computer Science, Stirling University, Scotland, 1990. [9] Liveware: A New Approach to Sharing Data in Social Networks, by I. H. Witten, H. W. Thimbleby, G. F. Coulouris, and S. Greenberg, in International Journal of Man-Machine Studies, 1990. [10] Artificial Life II, Studies in the Sciences of Complexity, Volume XII, edited by D. Farmer, C. Langton, S. Rasmussen, and C. Taylor, Addison-Wesley, 1992. [11] Virus Trends: Up, Up, Up by David Stang in National Computer Security Association News, 2(2), March/April 1991. [12] The Kinetics of Computer Virus Replication by Peter S. Tippet in Proceedings of the Fourth Annual DPMA Computer Virus Security Conference, New York, March 1991. ------------------------------ Date: Thu, 03 Oct 91 08:45:51 +0000 >From: cgl@beta.lanl.gov (C G Langton) Subject: Artificial Life III: Call for Papers Artificial Life III June 15-19, 1992 Santa Fe, NM CALL FOR PAPERS We are happy to invite contributions for the Third Artificial Life Workshop, to be held in Santa Fe, New Mexico, June 15-19, 1992. Artificial Life complements the traditional Biological sciences, concerned with the analysis of living organisms, by attempting to synthesize behaviors normally associated with natural living systems within computers and other "artificial" media. By extending the empirical foundation upon which the science of Biology rests beyond the carbon-chain based life that has evolved on Earth, Artificial Life can contribute to Theoretical Biology by locating "life-as-we-know-it" within the larger context of "life-as-it-could-be." Contributions may be submitted in the following categories: TALK (please specify a 20 or a 45 minute talk); POSTER, which may include a computer display (BYOC); DEMONSTRATION, which includes computer demos and/or videos (please give time estimate); or OTHER (please specify). Authors should send an abstract (5 pages at most) to the address below by January 15, 1992. DO NOT WAIT UNTIL JAN. 14!!! Please try to get your abstract in early. Authors will be notified of the status of their contributions by March 15, 1992. Proceedings of the first two Artificial Life Workshops are now available from Addison Wesley Publishers (1-800-447-2226 to order). The proceedings of the second workshop also include a videotape. We intend to emphasize visualization in the third workshop as well, and encourage contributions based on working mobile robots. Contributions to the workshop will automatically be considered for inclusion in the proceedings. Papers for the proceedings will be due at the workshop, and papers may be submitted then which were not submitted as contributions to the workshop itself. The end of the workshop is the deadline for submission of papers for the proceedings. All papers received by the end of the workshop will be sent out for review and authors notified by the end of August. We will also be holding a greatly expanded "Artificial 4H Show," involving exhibits of, judging among, and contests between, various software and hardware artificial life forms. People who wish to enter their artificial organisms in the "Artificial 4H Show" should send a description of what they plan to exhibit to the address below. We will be announcing a series of contests and challenges for robots, genetic algorithms, and software life forms soon. Some of these will carry cash-prizes. All contests and challenges will be carried out during the workshop. Abstracts should be sent to: AlifeIII Program Committee Santa Fe Institute 1660 Old Pecos Trail Santa Fe, NM 87501 alife@sfi.santafe.edu ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 178] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253