FOR IMMEDIATE RELEASE:                       Jan Kosko

Sept. 22, 1989                               301/975-2762



                                             TN-XXXX





             COMPUTER SECURITY EXPERTS ADVISE STEPS

               TO REDUCE THE RISK OF VIRUS ATTACKS



     To reduce the risk of damage from potentially serious

computer viruses, including one called "Columbus Day," experts at

the National Institute of Standards and Technology (NIST), the

National Computer Security Center (NCSC), and the Software

Engineering Institute (SEI) are recommending several measures plus

commonsense computing practices.   



     "This advice is being offered to encourage effective yet calm

response to recent reports of a new variety of computer virus,"

says Dennis Steinauer, manager of the computer security management

and evaluation group at NIST. 



     While incidents of malicious software attacks are relatively

few, they have been increasing.  Most recently, a potentially

serious personal computer virus has been reported.  The virus is

known by several names, including "Columbus Day," Datacrime and

"Friday the 13th."  In infected machines it is designed to attack

the hard-disk data-storage devices of IBM-compatible personal

computers on or after October 13.   The virus is designed to

destroy disk file directory information, making the disk's

contents inaccessible.  (A fact sheet on this virus is attached

and includes precautionary measures to help prevent damage.) 



     While the Columbus Day virus has been identified in both the

United States and Europe, there is no evidence that it has spread

extensively in this country or that it is inherently any more

threatening than other viruses, say the computer security experts. 



     "Computer virus" is a term often used to indicate any self-

replicating software that can, under certain circumstances,

destroy information in computers or disrupt networks.  Other

examples of malicious software are "Trojan horses" and "network

worms."  Viruses can spread quickly and can cause extensive

damage.  They pose a larger risk for personal computers, which tend

to have fewer protection features and are often used by non-

technically-oriented people.  Viruses often are written to

masquerade as useful programs so that users are duped into copying

them and sharing them with friends and work colleagues.  



     Routinely using good computing practices can reduce the

likelihood of contracting and spreading any virus and can minimize

its effects if one does strike.  Advice from the experts includes:



*    Make frequent backups of your data, and keep several

     versions.



*    Use only software obtained from reputable and reliable

     sources.  Be very cautious of software from public sources,

     such as software bulletin boards, or sent across personal

     computer networks.            



*    Don't let others use your computer without your consent.     



*    Use care when exchanging software between computers at work

     or between your home computer and your office computer.



*    Back up new software immediately after installation and use

     the backup copy whenever you need to restore.  Retain

     original distribution diskettes in a safe location.



*    Learn about your computer and the software you use and be

     able to distinguish between normal and abnormal system

     activity.



*    If you suspect your system contains a virus, stop using it

     and get assistance from a knowledgeable individual.



     In general, educating users is one of the best, most cost-

effective steps to take, says Steinauer.  Users should know about

malicious software in general and the risks that it poses, how to

use technical controls, how to monitor their systems and software for

abnormal activity, and what to do to contain a problem or recover

from an attack.  "An educated user is the best defense most

organizations have," he says. 



     A number of commercial organizations sell software or

services that may help detect or remove some types of viruses,

including the Columbus Day virus.  But, says Steinauer, there are

many types of viruses, and new ones can appear at any time.  "No

product can guarantee to identify all viruses," he adds.



     To help deal with various types of computer security threats,

including malicious software, NIST and others are forming a

network of computer security response and information centers. 

These centers are being modeled after the SEI's Computer Emergency

Response Team Coordination Center, often called CERT, established

by the Defense Advanced Research Projects Agency (DARPA).  The

centers will serve as sources of information and guidance on

viruses and related threats and will respond to computer security

incidents.



     In addition, NIST recently has issued guidelines for

controlling viruses in various computer environments including

personal computers and networks. 



     NIST develops security standards for federal agencies and

security guidelines for unclassified computer systems.  NCSC, a

component of the National Security Agency, develops guidelines for

protecting classified (national security) systems.  SEI, a

research organization funded by DARPA, is located at Carnegie

Mellon University in Pittsburgh.







NOTE:  Computer Viruses and Related Threats:  A Management Guide

(NIST Special Publication 500-166) is available from

Superintendent of Documents, U.S. Government Printing Office,

Washington, D.C. 20402.  Order by stock no. 003-003-02955-6 for

$2.50 prepaid. Editors and reporters can get a copy from the NIST

Public Information Division, 301/975-2762.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Sept. 22, 1989



                           FACT SHEET



                   Columbus Day Computer Virus



Several reports of a new computer virus recently have been

published in the media and throughout the data processing

community.  This virus has been referred to as "Columbus Day,"

"Friday the 13th," as well as "Datacrime I" or "Datacrime II." It

attacks IBM-compatible personal computers running the MS-DOS/PC-

DOS operating system.  If activated, the virus will destroy disk

file directory information, making files and their contents

inaccessible. The following information has been compiled by

NIST, NCSC, and SEI from several sources and is being made

available for system managers to use in taking precautionary

measures.



NOTE: As with many viruses, there may be other, yet unidentified,

variants with different characteristics.  Therefore, this

information is not guaranteed to be complete and accurate for all

possible variants.



NAMES OF VIRUS:  Columbus Day, Friday the 13th, Datacrime I/II



EFFECT: Performs a low-level format of cylinder zero of the

hard disk on the target machine, thereby destroying the boot

sector and File Allocation Table (FAT) information.  Upon

activation it may display a message similar to the following:

     DATACRIME VIRUS  RELEASED:1 MARCH 1989



TRIGGER: The virus is triggered by a system date 13 October or

later.  (Note that 13 October 1989 is a Friday.)



CHARACTERISTICS: Several characteristics have been identified:



1.  The virus, depending on its variant, appends itself to .COM

files (except for COMMAND.COM), increasing the .COM file by

either 1168 or 1280 bytes.  In addition, the Datacrime II variant

can infect .EXE files, increasing their size by 1514 bytes.



2.  The 1168 byte version contains the hex string EB00B40ECD21B4.



3.  The 1280 byte version contains the hex string

00568DB43005CD21.



This virus reportedly was released on 1 March 1989 in Europe.  It

is unlikely that significant propagation could occur between the

release date and mid-October; therefore, U.S. systems should be

at a low risk for infection.  If safe computing practices have

been followed, the risk should be practically nil.  However,

managers believing their site may be at risk should consider

taking precautionary measures, including one or more of the

following actions:



1.  Take full back-ups of all hard disks.  If the disks are later

found to have been infected and attacked by the virus, lost data

can be recovered from the back-ups.  Operating system and

application software can be restored from original media.  A full

low-level disk format should be performed on the infected hard

disk prior to restoration procedures.



2.  Consider using a commercial utility that can assist in

restoration of a disk directory and recovery of data.  There are

a number of such utilities on the market.  Note that these

utilities normally must be run prior to data loss to enable disk

and file restoration.



3.  Avoid setting the system date to 13 October or later until

the systems have been checked for virus presence.



4.  Attempt to determine if the virus is present in one or more

files through one of the following techniques:



     a.   If original file sizes are known, check for increased

          sizes as noted above.



     b.   Use DEBUG or other utility to scan .COM and .EXE files

          for the characteristic hexadecimal strings noted

          earlier.



     c.   Copy all software to an isolated system and set the

          system date to 13 October or later and run several

          programs to see if the virus is triggered.  If

          activation occurs, all other systems will require virus

          identification and removal.



     d.   Use a virus-detection tool to determine if this (or

          another) virus is present.
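

An added example (not part of the NIST fact sheet): a Python scanner that applies techniques 4a and 4b to a directory tree, using the size increases and hex strings listed above. The baseline dictionary of known-good sizes, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Hex strings and size increases exactly as listed in the fact sheet.
SIGNATURES = {
    "Datacrime (1168-byte version)": bytes.fromhex("EB00B40ECD21B4"),
    "Datacrime (1280-byte version)": bytes.fromhex("00568DB43005CD21"),
}
GROWTH = {".com": (1168, 1280), ".exe": (1514,)}

def scan_file(path, chunk=65536):
    """Technique 4b: return the names of the signatures present in a file."""
    found = set()
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block  # keep a tail so a match can span two reads
            found.update(n for n, sig in SIGNATURES.items() if sig in window)
            tail = window[-overlap:]
    return sorted(found)

def check_tree(root, baseline=None):
    """Techniques 4a and 4b over every .COM/.EXE file under root.
    baseline (assumed format): {relative path: known-good size in bytes}."""
    baseline = baseline or {}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in GROWTH:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            hits = scan_file(path)
            delta = os.path.getsize(path) - baseline[rel] if rel in baseline else None
            # Flag a signature hit, or growth equal to a listed increase.
            if hits or delta in GROWTH[ext]:
                findings.append((rel, hits, delta))
    return findings

def demo():
    """Scan constructed sample files (filler bytes only, not real programs)."""
    sig = SIGNATURES["Datacrime (1168-byte version)"]
    samples = {
        "CLEAN.COM": b"\x90" * 500,                      # unchanged size, no string
        "SIG.COM": b"\x90" * 500 + sig + b"\x90" * 100,  # string present, no baseline
        "GROWN.EXE": b"MZ" + b"\x00" * 4512,             # 3000-byte baseline + 1514
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return check_tree(root, {"CLEAN.COM": 500, "GROWN.EXE": 3000})

if __name__ == "__main__":
    print(demo())
```

Because the fact sheet notes that unidentified variants may exist, a clean result from this check does not show that the files are uninfected.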



Commercial products intended to detect or remove various computer

viruses are available from several sources.  However, these

products are not formally reviewed or evaluated; thus, they are

not listed here.  The decision to use such products is the

responsibility of each user or organization.



                             - 30 -

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

A Suggested Readings List for Computer Viruses and Related

Problems:



Prepared by:   John Wack

               National Institute of Standards and Technology



               September 22, 1989





                            ABSTRACT





This document provides a list of suggested readings for obtaining

information about computer viruses and other related threats to

computer security.  The primary intended audience is management

as well as other technically-oriented individuals who wish to

learn more about the nature of computer viruses and techniques

that can be used to reduce their potential threat.  The suggested

readings may range from general discussions on the nature of

viruses and related threats, to technical articles which explore

the details of various viruses, the mechanisms they attack, and

methods for controlling these threats to computer security.



BASIC TERMS





The following list provides general definitions for basic terms

that are commonly used throughout the applicable literature. 

Some of the terms are relatively new and their definitions are

not widely agreed upon; thus they may be used differently

elsewhere.





Computer Virus:  A name for a class of programs that contain

software that has been written to cause some form(s) of damage to

a computing system's integrity, confidentiality, or availability. 

Computer viruses typically copy their instructions to other

programs; the other programs may continue to copy the

instructions to more programs.  Depending on the author's

motives, the instructions may cause many different forms of

damage, such as deleting files or crashing the system.  Computer

viruses are so named because of their functional similarity to

biological viruses, in that they can spread rapidly throughout a

system.  The term is sometimes used in a general sense to cover 

many different types of harmful software, such as trojan horses

or network worms.



Network Worm:  A name for a program or command file that uses a

computer network as a means for adversely affecting a system's

integrity, reliability, or availability.  From one system, a

network worm may attack a second system by first establishing a

network connection with the second system.  The worm may then

spread to other systems in the same manner.  A network worm is

similar to a computer virus in that its instructions can cause

many different forms of damage.  However, a worm is generally a

self-contained program that spreads to other systems, as opposed

to other files. 



Malicious Software:  A general term for computer viruses, network

worms, trojan horses, and other software designed to deliberately

circumvent established security mechanisms or codes of ethical

conduct or both, to adversely affect the confidentiality,

integrity, and availability of computer systems and networks. 

The software may be composed of machine-language executable

instructions, or could be in the form of command files.



Unauthorized User(s):  A user who knowingly uses a system in a

non-legitimate manner.  The user may or may not be an authorized

user of the system.  

The actions of the user violate established security mechanisms

or policies, or codes of ethical conduct, or both.







Trojan Horse:  A name for a program that disguises its harmful

intent by purporting to accomplish some harmless and possibly

useful function.  For example, a trojan horse program could be

advertised as a calculator, but it may actually perform some

other function when executed such as modifying files or security

mechanisms.  A computer virus could be one form of a trojan

horse.



Back Door:  An entry point to a program or system that is hidden

or disguised, often created by the software's author for

maintenance or other convenience reasons.  For example, an

operating system's password mechanism may contain a back door

such that a certain sequence of control characters may permit

access to the system manager account.  Once a back door becomes

known, it can be used by unauthorized users or malicious software

to gain entry and cause damage.



Time Bomb, Logic Bomb:  Mechanisms used by some examples of

malicious software to cause damage after a predetermined event. 

In the case of a time bomb, the event is a certain system date,

whereas for a logic bomb, the event may vary.  For example, a

computer virus may infect other programs, yet cause no other

immediate damage.  If the virus contains a time bomb mechanism,

the infected programs would routinely check the system date or

time and compare it with a preset value.  When the actual date or

time matches the preset value,  the destructive aspects of the

virus code would be executed.  If the virus contains a logic

bomb, the triggering event may be a certain sequence of key

strokes, or the value of a counter.



Anti-Virus Software:  Software designed to detect the occurrence

of a virus.  Often sold as commercial products, anti-virus

programs generally monitor a system's behavior and raise alarms

when activity occurs that is typical of certain types of computer

viruses.



Isolated System:  A system that has been specially configured for

determining whether applicable programs contain viruses or other

types of malicious software.  The system is generally

disconnected from any computer networks or linked systems, and

contains test data or data that can be restored if damaged.  The

system may use anti-virus or other monitoring software to detect

the presence of malicious software.  



Computer Security:  The technological safeguards and management

procedures that can be applied to computer hardware, programs,

data, and facilities to assure the availability, integrity, and

confidentiality of computer based resources and to assure that

intended functions are performed without harmful side effects.



                       SUGGESTED READINGS







Brenner, Aaron; LAN Security; LAN Magazine, Aug 1989.



Bunzel, Rick; Flu Season; Connect, Summer 1988.



Cohen, Fred; Computer Viruses, Theory and Experiments; 7th

Security Conference, DOD/NBS Sept 1984.



Computer Viruses - Proceedings of an Invitational Symposium, Oct

10/11, 1988; Deloitte, Haskins, and Sells; 1989



Denning, Peter J.; Computer Viruses; American Scientist, Vol 76,

May-June, 1988.



Denning, Peter J.; The Internet Worm; American Scientist, Vol 77,

March-April, 1989.



Dvorak, John; Virus Wars: A Serious Warning; PC Magazine; Feb 29,

1988. 



Federal Information Processing Standards Publication 83,

Guideline on User Authentication Techniques for Computer Network

Access Control; National Bureau of Standards, Sept, 1980.



Federal Information Processing Standards Publication 73,

Guidelines for Security of Computer Applications; National Bureau

of Standards, June, 1980.



Federal Information Processing Standards Publication 112,

Password Usage; National Bureau of Standards, May, 1985.



Federal Information Processing Standards Publication 87,

Guidelines for ADP Contingency Planning; National Bureau of

Standards, March, 1981.



Fiedler, David and Hunter, Bruce M.; Unix System Administration;

Hayden Books, 1987



Fitzgerald, Jerry; Business Data Communications: Basic Concepts,

Security, and Design; John Wiley and Sons, Inc., 1984



Gasser, Morrie; Building a Secure Computer System; Van Nostrand

Reinhold, New York, 1988.



Grampp, F. T. and Morris, R. H.; UNIX Operating System Security;

AT&T Bell Laboratories Technical Journal, Oct 1984. 





Highland, Harold J.; From the Editor -- Computer Viruses;

Computers & Security; Aug 1987. 



Longley, Dennis and Shain, Michael; Data and Computer Security



McAfee, John; The Virus Cure; Datamation, Feb 15, 1989.



NBS Special Publication 500-120; Security of Personal Computer

Systems: A Management Guide; National Bureau of Standards, Jan

1985.



NIST Special Publication 500-166; Computer Viruses and Related

Threats: A Management Guide; National Institute of Standards and

Technology, Aug 1989.



Parker, T.; Public domain software review: Trojans revisited,

CROBOTS, and ATC; Computer Language; April 1987. 



Schnaidt, Patricia; Fasten Your Safety Belt; LAN Magazine, Oct

1987.



Shoch, J. F. and Hupp, J. A.; The Worm Programs: Early Experience

with a Distributed Computation; Comm of ACM, Mar 1982.



Spafford, Eugene H.; The Internet Worm Program: An Analysis;

Purdue Technical Report CSD-TR-823, Nov 28, 1988.



Thompson, Ken; Reflections on Trusting Trust (Deliberate Software

Bugs); Communications of the ACM, Vol 27, Aug 1984.



Tinto, Mario; Computer Viruses: Prevention, Detection, and

Treatment; National Computer Security Center C1 Tech. Rpt. C1-

001-89, June 1989.



White, Stephen and Chess, David; Coping with Computer Viruses and

Related Problems; IBM Research Report RC 14405 (#64367), Jan

1989.



Witten, I. H.; Computer (In)security: infiltrating open systems;

Abacus (USA) Summer 1987.





