VIRUS-L Digest Friday, 11 Oct 1991 Volume 4 : Issue 188 Today's Topics: Virus-writing course for teenagers Classic Theory Dr. Fred's Contest Re: Azusa Virus hits University of Kentucky (PC) Books on viruses? Variations Re: Morris worms through courts Re: disable ctrl/break? (PC) is vshield working? Re: desouza or souza virus (PC) new files; correction Re: OS/2 2.0 (OS/2) Re: SF Worms/Viruses (Re: HW not a solution) DIR-II virus, symptoms ??? (PC) Re: DIR II (Cluster) Virus (PC) Response re DIET (PC) Update on Bontchev paper availability VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 10 Oct 91 14:11:00 +0300 >From: Y. Radai Subject: Virus-writing course for teenagers I was looking through the syllabus of a science-for-youth program which is due to start next month. The courses on computers include: Grades 5-6 Intro. to computers, Logo, Pascal 7-8 Pascal, Assembler, AI, Graphics 9-12 Above four courses plus Data Structures, C, Supercomputers, Defenses against Viruses. Looks pretty good, until you read the description of the course on Assembler. This is a literal translation: You already know Basic? You already know Pascal? What do you still lack in order to analyze the brain of the computer? - Assem- bler. In this language you'll be able to acquire tools for things which cannot be done in any other language, like: how to 'create viruses', how to write protection programs and how to crack them. Needless to say, the matter has been brought to the attention of the program director, and it is expected that the above applications will not actually get mentioned when the course is presented. It has also been suggested that part of each course be devoted to a discussion of computer offenses and rules of ethics. (I would also hope that the instructor who suggested the above applications be replaced, though that's perhaps too much to expect.) Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: Thu, 10 Oct 91 15:10:00 -0500 >From: Subject: Classic Theory I'm a college student who has been studying viruses for several years now. I've now reached the point where I'd like to do some more theoretical work at a high level...does anyone know of a good source of some of the classic papers done in the field (works for Cohen and the like)? I'm looking for a basis for an independant study and perhaps an honors thesis for the future. Thanks! Charles ------------------------------ Date: Thu, 10 Oct 91 15:19:44 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Dr. Fred's Contest I have just had the opportunity to read Dr. Cohen's article from "The Sciences" and have had a glimmer of how such a "benign" virus might operate. The key would be "human permission" and such a methodology might even simplify the "LAN Nightmare" many administrators stay wakeful over: Consider the problem of a LAN with a large number of clients that are not under the control of the administrator. Add in a resident set of antiviral utilities that protect the LAN such as my DiskSecure, which uses stealth and integrity management but loads only on request and which replaces hard and floppy disk boot sectors with itself, but again only on user request. At this point it is a program not a virus since it does not propagate (some like replicate, but propagate is more definative). Now consider that all of the software is site licensed for use on any node on the LAN (no pirates here !). Next, consider that the administrator requires that this software be in use on all PCs connected to the LAN, and goes one step further: uses the LOGIN script file to validate that all clients are running the required software. Still within the realm of common defense measures we have discussed on virus-l. The major diversion occurs if the LOGIN script determines that the required management safeguards are NOT in place on the client requesting connection and the script then gives the client the choice of having the software (which includes a mix of TSRs and replacement MBR and boot records) installed on his/her machine or being denied access. If the INSTALL option is selected, does the subsequent action fulfill the requirements of a "virus" ? e.g. propagation to a platform that was not known at the time the program "set" (executables and script files) was installed. Since the new client then has the ability to make my special "maintenance" disks, unique to his PC, there is at least one following propagation stage. (anyone know where I can get an entry form, the prize would cover a new Bernoulli Transportable & script files are easy to write). Padgett Obviously not any connection with my employer. ------------------------------ Date: Thu, 10 Oct 91 21:40:41 +0000 >From: tanu@beach.csulb.edu (Tanu Kartawiria) Subject: Re: Azusa Virus hits University of Kentucky (PC) morgan@ms.uky.edu (Wes Morgan) writes: >For those who track such things, the Azusa virus was discovered at the >University of Kentucky today (9.24.91). The Azusa virus infects the >boot sector of floppy disks, the partition table of hard disks, and stays >resident in memory. It causes corruption of data files, general system >slowdown, and generally wreaks havoc. > >McAfee SCAN found it, and McAfee CLEAN removed it. However, on several >occasions, the data on the floppies was unrecoverable. The Azusa virus was also found in Long Beach State University Lab, SCAN and CLEAN found it, HOWEVER, VSHIELD doesn't seem to be able to block it. ------------------------------ Date: Thu, 10 Oct 91 21:05:43 -0500 >From: JAC6@ns.cc.lehigh.edu (Joseph Costanzo) Subject: Books on viruses? Surely there must have been a good book published recently about viruses - the basics. I really don't know much about them, but would like to learn. I'm rather new to the world of networks, but I know that I'm hooked for life. I have gathered that the risks of networking can be significant when working on these networks. Anyway, to protect my system, I'd like to know a bit about viruses: how they work, how to protect/defeat them, etc. Any suggestions? Many sincere thanks... JC ------------------------------ Date: Thu, 10 Oct 91 19:20:33 -0700 >From: turtle@darkside.com (Fred Waller) Subject: Variations Writes padgett%tccslr.dnet@mmc.com (A. Padgett Peterson): > Now if everyone used DiskSecure, virus writers could just > target it, however if MicroSoft, Norton, Mace, Central Point, > Digital Research, and all the others came out with similar but > different software, and AMI, Phoenix, Award, and Tandon each > had a different BIOS implementation a generic virus becomes > so difficult to write and would have to be so big to handle all > of the cases the it would become uneconomical... Yes, a single virus would be unwieldy. But should we expect that? Shouldn't we rather expect the prompt appearance of many viruses, each one capable of attacking one of those systems? The net result would be similar to having one virus capable of attacking all of them. Worse actually, since it would require many times the effort to guard against. All our experience shows us that devising virus-specific defenses, or `distributing' defenses in the hope of diluting the effort of virus authors, is ineffective. It only causes proliferation of new `species'. We can't outwrite them. This is one reason why scanners are bad, and this is also why every other taxon-specific approach is bad. Any thinking that aims at resisting viruses by combating them as individual entities, or any measure that aims at creating specific defenses against only one group of viruses, is likely to continue being ineffective. For this reason, the idea that creating many firmware variations will help stop viruses is, in my opinion, also unlikely to work. There will simply be more viruses. If any proof is needed, just look at the field. We have more antivirus utilities than ever. There are more defense variations than ever. There are also more viruses than ever. They infect more machines than ever. Taxon-specific antivirus measures have proven generally ineffective. Such measures are quickly overcome by new, ever more ingenious viruses. What's needed is a general defense. Such a defense can more likely be obtained by pure hardware means than by software means. ------------------------------ Date: Thu, 10 Oct 91 21:06:00 -0600 >From: TODD TURNBLOM Subject: Re: Morris worms through courts spaf@cs.purdue.edu (Gene Spafford) writes: > For those of you who missed it, Morris's appeal to the Supreme Court > was rejected without comment or opinion. Thus, his conviction stands, > and the interpretation of 18 USC 1030 is now known to be that no > intent to damage need be proven in court -- only intent to access. Well, not quite. The Supreme Court has the right to pick and choose the cases that it thinks important enough to spend it's limited time on. There are a lot of cases that ask the Court for consideration and only a very limited number actually get looked at. What you said above only means the Court didn't want to deal with it right now. IMHO this is only because they don't see some computer case as near as important as many of the others. They can decide to hear another computer case in the future and probably will when it appears important. Until then, the only thing that can be said is that the Court hasn't said anything about it. There has been no interpretation because the Court hasn't even looked at it. - -- _______________________________________________________________________________ Todd A. Turnblom | Utah State University | SL4R7@cc.usu.edu or ToddT@cc.usu.edu - ------------------------------------------------------------------------------- "If I had wanted to be a _well-known_ crook, I should have gone into politics." -Guido, 'Colection Specialist', _M.Y.T.H. Inc. in Action_ _______________________________________________________________________________ ------------------------------ Date: 10 Oct 91 23:11:16 -0400 >From: Jon Freivald <70274.666@CompuServe.COM> Subject: Re: disable ctrl/break? (PC) >From: VIRUS-L@mail.crk.umn.edu > >Our lab machines run a virus check at boot and are SUPPOSED to hang >if a virus is found. Unfortunately, our instructors have been saving >time by teaching the students to press Ctrl/Break at boot in order to >skip the test. The result is of course that the lab machines are all >infected. Can this (ctrl/break) be disabled? I've seen a number of TSR's (one I think from PC Magazine?) that allow you to "turn off" Ctrl/break, ctrl/c & ctrl/alt/del. I've also written a shell for McAfee's viruscan that executes it with the "/NOBREAK" parameter the first time it is run on a given day. It's freeware & available on my BBS [(516) 483-5841, N,8,1, 300-2400 + 9600 HST]. I could try to send it UUencoded, but I think it exceeds CompuServe's message size limit. Jon ------------------------------ Date: Fri, 11 Oct 91 01:45:16 -0500 >From: RY01@ns.cc.lehigh.edu (Robert Yung) Subject: is vshield working? Now that I got QEMM 6, I can finally load vshield in UMB (initially needs about 110K, but then goes down to 35K). How do I know that it is working up there without actually getting my system infected??? I wish vshield had some sort of on-line command so I can see if it responds. Does vshield (v82) work right in UMBs? Will a new one come out (to scan DIR II) soon??? /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ | Robert 'Bobby' Yung | | That is about as effective as trying | (| RY01@NS.CC.Lehigh.Edu | | to melt an iceberg with a warm stream | | "THE MACHINE!" | | of piss. -Armmstrong | \~~~~~~~~~~~~~~~~~~~~~~~~ |_______________________________________/ ------------------------------ Date: Fri, 11 Oct 91 18:13:00 +0930 >From: Message from The Operator Subject: Re: desouza or souza virus (PC) tneuhaus@uwspmail.uwsp.edu writes: > Two faculty here at UWSP have reported that their home PC's have been > infected with the "desouza" or "souza" virus. I looked through FPROT > 2.0's list of virus information, but could not locate a reference to > either name. > > I have not yet gone to their homes to try to use FPROT 2.0 to clean > their disks. I might find out at that time that these are known > viruses and will be easly cleaned. But, wanted to ask ahead of time > if anyone knows of viruses with these names. Hi Tom! I'm a Computer Operator at the University of South Australia. I think the virus you are looking for is called Azusa. We have just had a huge infection accross the whole of our Underdale campus. The source was traced to a number of high school students illegally playing pirated games in one of the student pools. McAfees latest V82 utilities (available on comp.binaries.ibm.pc) will cope with it. Hope it helps. Cheers, Cameron McConnochie. Ops (CCJCM@levels.unisa.edu.au) ------------------------------ Date: Fri, 11 Oct 91 08:35:00 -0400 >From: HAYES@urvax.urich.edu Subject: new files; correction Hello. 1- Now available from our site: New J. McAfee's programs: CLEAN84.ZIP;1 SCANV84.ZIP;1 VSHLD84.ZIP;1 NETSCAN and VCOPY will be made available as soon as received. The above mentionned files were fetched directly from M. McAfee's BBS. 2- We received a report concerning the access to our site via anonymous FTP. When one logs on, s/he is in the [anonymous] directory. The files are in [anonymous.msdos.antivirus] directory. To change directory one of the following should work: cd .msdos.antivirus cd [anonymous.msdos.antivirus] cd [.msdos.antivirus] Please let us know (our system administrator and myself) if you encounter any problems fetching the files via FTP. Our IP number is 141.166.1.6 user=anonymous, password . Thanks for taking the time of reading this. Regards, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Thu, 10 Oct 91 20:05:22 +0000 >From: d89-zke@nada.kth.se (Zoltan Kelemen) Subject: Re: OS/2 2.0 (OS/2) BARNOLD@YKTVMH.BITNET writes: >We did some limited testing DOS viruses under a widely distributed >July 1991 Beta version of OS/2 2.0 (driver number 6.149, if anybody >cares). The following notes hold *only* for that Beta version; the >ship level version (whenever it happens) may be different in some >particulars. (I'm not in any way affiliated with the OS/2 2.0 >development group, other than working for the same company.) > [some stuff deleted] > >Minuses: >(-)No file-level access controls. (Arggghhh!) It won't take long before somebody makes this extension. With it I think we will be able to get rid of the virus problem on PCs. Not because the system will be completely fool-proof, but the entrance level should be high enough to stop the majority of todays virus writers. ------------------------------ Date: 10 Oct 91 20:37:50 +0000 >From: vail@tegra.com (Johnathan Vail) Subject: Re: SF Worms/Viruses (Re: HW not a solution) jay@markv.com (Jay Skeer) writes: >P.P.S. I got the idea of a computer virus from an old S.F. book. In >the book they actually describe a worm (and called it that) ... >.... This was in 1983 or 4. >Does any one know the name of that book, or of an earlyer reference to >computer viruses? In early 1980 I remember reading about 'worm' research at Xerox PARC. After reading that I went and hacked a couple of (what we now would call boot sector) viruses for an Apple ][. This was in 1980 so certainly the concepts were known and experimented with in the 70's. If anyone has information or references about the PARC work I would be curious to read about it again. PS in an ironic misnomer I called my virus a 'worm' after the PARC ones I was trying to emulate on a personal computer. "Death Machines: they shook hands. I could hear the metal grind as their palms met. Their eyes flickerd. Their mouths opened." -- Henry Rollins about lawyers _____ | | Johnathan Vail | vail@tegra.com |Tegra| Member: LPF | N1DXG@448.625-(WorldNet) ----- (508) 663-7435 | jv@n1dxg.ampr.org ------------------------------ Date: Thu, 10 Oct 91 14:02:58 -0700 >From: Mike Ramey Subject: DIR-II virus, symptoms ??? (PC) How will I know if DIR-II hits my computer lab ??? I'm a computer tech, not a researcher, and would like to know what the symptoms are. Thanks, - -Mike Ramey, Civil Eng, Univ of Wash, Seattle WA 98195- ------------------------------ Date: 10 Oct 91 20:49:08 +0000 >From: vail@tegra.com (Johnathan Vail) Subject: Re: DIR II (Cluster) Virus (PC) A question of terminology follows: In private discussion with turtle (Fred Waller) he raises this point about the DIR 2 virus: It's not a worm, it's not a virus, but it's a virus that is a worm. I think we have to revise definitions, rather than insist that virus writers conform to the definitions that we have accepted . In my collection of terms I define virus and worm thus: virus - a piece of code that is executed as part of another program and can replicate itself in other programs. The analogy to real viruses is pertinent ("a core of nucleic acid, having the ability to reproduce only inside a living cell"). Most viruses on PCs really are viruses. worm - A self-replicating, autonomous program (or set of programs) that can replicate itself, usually over a network. A worm is a complete program by itself unlike a virus which is part of another program. Robert Morris's program, the Internet Worm, is an example of a worm although it has been mistakenly identified in the popular media as a virus. My claim is that DIR 2 can legitimately be called a virus since it is logically still part of another program and relies on a host program being run in order to get an execution thread. Comments and discussion are welcome. jv <- "floor wax or desert topping?" _____ | | Johnathan Vail | vail@tegra.com |Tegra| Member: LPF | N1DXG@448.625-(WorldNet) ----- (508) 663-7435 | jv@n1dxg.ampr.org ------------------------------ Date: Thu, 10 Oct 91 19:22:08 -0700 >From: turtle@darkside.com (Fred Waller) Subject: Response re DIET (PC) I apologize for any `off-topicness'(?) of this post - won't pursue it further. However, some replies were received here regarding a comment I made on DIET, the excutable compressor that uses viral techniques for good purpose, and I'd like to respond briefly: Writes pshuang@athena.mit.edu (Ping Huang): > I find it interesting that DIET has branched out in function as > you have described, thus making it much more like a general- > purpose on-the-fly disk compressor such as Stacker or DoubleDisk, > or, for that matter, a set of utilities (freely distributable but > still copyrighted) published by PC Magazine some years back called > DCOMPRESS. However, the fact that these commercial utilities have > existed for many years negates your claim that DIET is first in > providing this kind of functionality... Well, STACKER and other commercial systems, including the ExpanZ card, etc., encrypt the entire disk volume. They are not equivalent to Matsumoto's DIET v1.10a, which compresses individual files, chosen on the fly by the user, and which can coexist with non- compressed files. DIET files remain DOS files and may be copied, renamed, transferred to another system and decompressed there, etc. Also, DIET has some inherent intelligence and will not try to compress again files that are already compressed, such as archives, or smaller than one disk allocation unit. I wasn't familiar with the DCOMPRESS program, so I went and downloaded its source code before posting this reply. I found that DCOMPRESS is a rather different animal from DIET: it requires that the user prepare ahead of time special ASCII files for each subdirectoruy, listing files to be excluded, requires that a separate utility (PCMANAGE) be used to compress the files also ahead of time, and has other requirements, including the need to change the system date by one week, then run PCMANAGE, then reset the system date back again, etc., which render it much less elegant and more difficult to use than DIET. I intend no offense against DCOMPRESS' author, but DCOMPRESS is not equivalent to DIET v1.10a. Thus, I repeat that the functionality offered by DIET v1.10a is not found in any other program that I know. Its usefulness and functionality are achieved, to an important extent, by the use of what might be termed `virus programming techniques'. Just now, I'm taking a quick first look at v1.20 of DIET, which has even more interesting features. Fred Waller ------------------------------ Date: Fri, 11 Oct 91 09:19:27 -0400 >From: Kenneth R. van Wyk Subject: Update on Bontchev paper availability In VIRUS-L Volume 4 Issue 186, I announced the availability of Vesselin Bontchev's paper, "The Bulgarian and Soviet Virus Factories" in both TeX and ASCII formats on our anonymous FTP archive, cert.sei.cmu.edu. As it turns out, the ASCII version was garbled (due, I'm sure, to my lack of TeXpertise). I've replaced the ASCII file with a PostScript file which appears to be (at least) better, and I removed the ASCII file from the archive. If any avid TeX user out there cares to take the time to properly format the paper into an ASCII document, I would be happy to replace the .doc file. It would be most appreciated! Sorry for any inconvenience. Ken ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 188] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253