From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #9 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Wednesday, 15 Jan 1992 Volume 5 : Issue 9 Today's Topics: Re: More Stoned virus questions (PC) Dir-II/Other Stuff (PC) Information on the 109 Virus (PC) Making DIR of a contaminated floppy (PC) Re: Looking for info on "Friday the 13th" virus (PC) Re: 1575/1591 Virus (PC) Re: VIRUS at AT286 in SCAN85 (PC) Re: Joshi Virus and IDE Hard Drives (PC) VSHIELD and MS WORD - incompatible ??? (PC) re: DOS Virus Infects UNIX box (PC) (UNIX) Re: New Antivirus Organization Announced Re: New to the forum - question Re: Gulf War "virus" updated version of Padget's FixMBR (PC) Report: 8th Chaos Computer Congress VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 15 Jan 92 15:30:00 +1300 From: "Nick FitzGerald" Subject: Re: More Stoned virus questions (PC) JGUNDERSON@cudnvr.denver.colorado.edu writes: > > Another quick Stoned 3 question. At the University of Colorado > (Denver) we got hit hard by the inadvertant mass release of the FORM virus > last year. I found myself spearheading the process of cleaning up and > hardening the defenses of one of our computer labs. I would like to be > ahead of the game if the Stoned 3 release hits us. > We have been relying on Simon McAuliffe's NoStone as an ongoing > defense against Stoned, however I notice that the Stoned 3 variant is > listed a stealthed variety. Does anyone know if NoStone v4.1 (released > June 1990) will do any good? Can't say for sure, but I suspect not. As several better-qualified than I have already mentioned, what McAfee calls Stoned-III, others know as the NoINT virus. A further word of warning about NoStone - if you are at all likely to run up against a virus from the Empire family, be very cautious in your use of NoStone. In my tests with Empire A, NoStone reports a Stoned-II infection. If you tell NoStone to disinfect it writes Empire's "encrypted" message to your HD's MBR sector (Empire stores original MBR at 0,0,6 and message at 0,0,7 - Stoned puts MBR at 0,0,7). Similar problems occur with NoStone and Empire A on floppies. Other members of Empire family _may_ have similar effects. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ------------------------------ Date: Tue, 14 Jan 92 22:41:00 -0500 From: Subject: Dir-II/Other Stuff (PC) For those of you still attempting to track the spread of the DIR-II, I had a configmed report yesterday of a single machine infected in the country of Jordan. The actual path of infection is unknown at this time. As most should know by now, DIR-II is not at all dangerous ( (relatively), but does spread rapidly and is a bit of a curiosity. Removal is simple using only DOS commands.... In other news, the National Computer Security Association (NCSA) BBS is now fully operational with 5 lines up and running. Number is (202) 364-1304, with the first four lines 9600 V.32, fifth at 2400 MNP. On-line is virus and security info of all types, latest copies of anti-virus sharware and P/D software, info on NCSA and other anti-virus organizations, etc. {In the interest of full disclosure, I should mention that I've been working on the BBS for NCSA for several weeks now and pouring blood, sweat, and tears into it :) } Is anyone out there using a disassembler other than sourcer which you feel is superior in some way? If so, how about passing along some info?ou feel Charles *************************************************************************** Rutstein@HWS.BITNET (Charles Rutstein) **************************************************************************** ------------------------------ Date: Sat, 11 Oct 80 06:50:11 -0800 From: Oliver.Steudler@p109.f121.n7102.z5.fidonet.org (Oliver Steudler) Subject: Information on the 109 Virus (PC) Virus Name : 109 Virus Aliases : None Discovery : January 1992 Type : File Virus Origin : Unknown General Comments : The 109 Virus is a non-resident, direct action .COM file infector isolated by the Virus Resource Centre in January 1992. It contains no text or payload and is a simple, yet very effective replicater. Infection : When an infected program is executed, the 109 virus will infect all .COM files in the current directory (this may include COMMAND.COM), that meet the following conditions, adding 109 bytes to the beginning of infected programs. a) The file must be a .COM file with a file size between 2 bytes and 64 Kb. b) If the 1st byte is BEh,assume that the file is already infected and proceed with the next file. c) The file must has normal attributes,so if it is marked hidden or read-only, the virus will not infect the program. No critical error handling is done and the file time and date stamps will be changed when the virus infects the program. Damage : The 109 virus contains no malicious code and was designed as a simple replicater. The virus may however do damage to a program that is larger than 65427 bytes. Because the infected program would then be larger than 64 Kb, the end of the infected program will be lost. Detection : The 109 virus can be found using a simple hex signature string : BE 00 01 56 8C C8 80 C4 10 8E C0 33 FF Oliver Steudler, Virus Resource Centre (CT) Mail : P.O.Box 4397, Cape Town, 8000, South Africa Internet : Oliver.Steudler@p109.f121.n7102.z5.fidonet.org Fidonet : 5:7102/121.109 Phone : +27 (021) 24-9504 (GMT +2) Fax : +27 (021) 26-1911 Peter Stoffberg, Virus Resource Centre (JHB) Mail : P.O.Box 1081, Northriding, 2162, South Africa Fidonet : 5:7101/32 Phone : +27 (011) 787-7521 (GMT +2) - -- uucp: uunet!m2xenix!puddle!5!7102!121.109!Oliver.Steudler Internet: Oliver.Steudler@p109.f121.n7102.z5.fidonet.org ------------------------------ Date: Wed, 15 Jan 92 11:26:50 +0700 From: Josep Fortiana Gregori Subject: Making DIR of a contaminated floppy (PC) Can someone explain the following sequence of events: 1. Boot from a clean write-protected floppy 2. SCAN C:\ /m /chkhi >> No viruses found 3. SCAN B:\ >> Found Anti-Tel Virus A-Vir! in boot sector 4. DIR B: 5. SCAN C:\ /m /chkhi >> Found Anti-Tel Virus A-Vir! active in memory My conjecture is that the boot sector is read in one of the DOS buffers, so that the virus is present in memory as data, not code (so it is not active). Is that correct? Josep ...................................................................... Josep Fortiana Departament d'Estadistica (Facultat de Biologia) Phone : 34 - 3 - 4021561 Universitat de Barcelona E-mail: ubaesq01@ebcesca1.bitnet Av. Diagonal 645 08028 - Barcelona (also ubaesq01@puigmal.cesca.es) SPAIN ------------------------------ Date: 15 Jan 92 09:10:39 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Looking for info on "Friday the 13th" virus (PC) frisk@complex.is (Fridrik Skulason) writes: > There are around 20 viruses which activate on Friday the 13th, such as > "South African" (which may not be South African at all), Jerusalem (with a > bunch of variants), Datacrime (well, sort of...), Relzfu (Fake-VirX), > Monxla, Leningrad and Omega. > Unfortunately the available information is not specific enough to determine > which virus is the cause in this case. Yes, but the original poster said that his disk was formatted on 13-Dec-1991. This excludes the Jerusalems and the South Africans, and also Datacrime. If I remember correctly, Monxla, Leningrad, and Omega do not format the disk... Or am I wrong? Does any of it at least overwrite it? Maybe this has been misinterpretted as formatting... And I can't remember what Relzfu does when it activates... :-( Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 15 Jan 92 11:20:06 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: 1575/1591 Virus (PC) harvey@oasys.dt.navy.mil (Betty Harvey) writes: > QUESTION: Does anyone have any information on this virus? I am interested > in finding more about this virus since the odds are I will see > this little green fellow again. Thanks! The virus is a resident COM and EXE files infector. When an infected file is run, the virus in it first checks for a file, named C:\COMMAND.COM and if it exists, infects it. (If the file does not exist, the computer just hangs.) Once the virus is resident in memory, it infects on FindFirstFCB and FindNextFCB (INT 21h/AH=11h, INT 21h/AH=12h) functions. Therefore, it infects file during the DIR command. Only files in the directory being examined are infected. The executable files and their types (COM or EXE) are recognized by their extensions, and not by the magic number in the first two bytes (MZ or ZM for EXE files, anything else means a COM file). The files that are already infected have the last two bytes equal to 0Ch, 0Ah. The "show" with the green caterpillar is activated when a file which has been infected for over two months is run, COMMAND.COM is already infected, and there is a copy of the virus already resident in memory. Some infected EXE files may refuse to run due to a bug in the virus. There are 6-7 variants of this virus, but they are essentially the same. Hope the above helps. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 15 Jan 92 11:49:58 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: VIRUS at AT286 in SCAN85 (PC) DVORACEK@CSEARN.BITNET (Jarda Dvoracek) writes: > In Czechoslovakia, I got some new virus with the SCANV85.ZIP from some > BBS. It makes all .COM, .EXE and .ASM files 10 bytes longer, the first > 6 bytes are: > F0 FD C5 AA FF F0 > No antivirus program has i detected, except from those watching files' > length. :-))) C'mon, calm down, it's not a virus! Just you (or somebody else) are running SCAN with the /AV switch. This means to add checksum information to the files and the F0FDC5AAFFF0 is just the identifier that SCAN usues to tell whether the file is already "certified" or not. You can remove those by running SCAN again, this time with the /RV switch instead. To the McAfee people: I have always said that messing with other people's files is a VERY BAD idea! Don't touch them! (And, of course, don't create hundreds of tiny hidden files, as Norton's anti-virus does...) The checksums MUST be kept separately in a database, the name of which must be selectable by the user. > During 3 days it has infected all files but COMMAND.COM, some of them Yeah, I think that SCAN is "clever enough" not to touch this file... > worked normally, several terminated just after calling them. Ha, this is not normal. They should run (unless they perform some kind of self-check themselves, but I don'T believe that this is your case). Maybe they are damaged by something else. Anyway, the problem that you are reporting, is caused by SCAN, not by a virus. > It is possible that it writes in FAT1 - into last sectors. Well, at least SCAN doesn't... :-) Check it's validation codes to make sure that it has not been tampered with (although not modified validation codes does not prove anything). Hope the above helps. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 15 Jan 92 08:13:55 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Joshi Virus and IDE Hard Drives (PC) mcafee@netcom.netcom.com (McAfee Associates) writes: > In any case, if CLEAN-UP says that a virus cannot safely be removed from > the partition table, you have several options available to you other > then doing a low-level format. > 1. If you're so inclined, you can copy the partition table off of > an identically partitioned hard disk and copy it over the PT of > the infected hard disk. Don't do that, unless you perfectly know what you are doing! It is dangerous; you can destroy all your information on the disk. The keyword here is "identically". If the other disk is not really IDENTICALLY partitioned (and with the same size/type/etc.), then copying it's partition table may have unpredictable rezults. The problem is that you might not recognize that the partition is not perfectly identical if you are not knowledgeable enough, so better don't try it! > 2. If you have MS-DOS 5.00, you can run the DOS FDISK command with > the /MBR option. This is an undocumented switch in the FDISK > command that replaces the Master Boot Record code (alias partition > table) while leaving the data portion intact. This is the best solution. However, it requires a DOS 5.0 system diskette. > 3. Use a sector editor to change the last two bytes of the partition > table, which are "55 AA" to anything else. This will invalidate > the partition table information, and you can then re-FDISK and > FORMAT the disk. This is no better than low-level formatting the disk - you'll still lose the whole information on it. An alternative is to use a sector editor (like Norton Utitlities), to look at track 0, side 0, sector 9 (this is where Joshi stores the original master boot sector), and if it contains a valid partition table and a master boot program, to copy it over track 0, side 0, sector 1. Again, this is dangerous and should be done ONLY if you know what you are doing! Of course, all this must be done ONLY after booting from a non-infected, write-protected system diskette, since Joshi is a stealth virus. > Naturally, there is always a small amount of risk in doing any of this, so One can argue about the actual amount of risk, but as you say > it's always a good idea to make a backup of the hard disk before proceeding. This is really a good idea. > Another possibility is that you do not have the virus at all and instead are > experiencing a "ghost" effect, that is, when a fragment of viral code is left > at the end of a file somewhere on the disk that is loaded into memory with > the file and causes a false alarm. This can be fixed by running a disk > optimizing program to defragment the disk, or there's a program somwhere in > the simtel archives called COVERUP or COVERUP1 that will null-out the ends > of files. Wait Aryeh, the original poster speaks about Joshi! And Joshi is a master boot sector infector, so how can a ghost false positive be fixed by optimizing the disk?! The ghost (the small amount of inactive code which was left after the disinfection) resides in the partition table, not in the files! BTW, when CLEAN disinfects the hard disk, does it overwrite the whole virus or does it just write a valid master boot program on it? Maybe this is what is causing the ghost alert? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 15 Jan 92 15:26:52 +0700 From: "Christian Fritze ( 'WonkoTheSane' )" Subject: VSHIELD and MS WORD - incompatible ??? (PC) Hi to everybody! I'm posting the following for a friend who has no net access. (I think this is not *quite* a virus problem but related closely enough...) Virtually yours, Christian Fritze ( 'WonkoTheSane' ) addresses: ofritze@nyx.cs.du.edu and wonko@m-net.ann-arbor.mi.us until (and including) feb '92 on ckvb33@ddohrz11.bitnet as well ********************** Original MSG follows ********************** We have problems with McAffee's VSHIELD and Microsoft Word 5.0(german) while using the mouse. When the mouse cursor is moved rapidly, the system hangs, except for the mouse cursor. We tried on different computers (286 and 386, both with AMI-BIOS), with different mouse-drivers (MS 6.25Z/7.04/8.10), different DOS Versions (MS 3.30/5.00) and with Word 5.0 installed from different sets of installation disks. Using DOS 5.00 and MS-mousedriver 8.10 loaded high we at least get the error-message "Speicherzuordnungsfehler, Command kann nicht geladen werden, System angehalten", (in english probably: memory usage-error, command cannot be loaded, system halted). Our actual Version of vshield is 4.3V84, but the problem appeared also using V82. Starting parameters are /cv /chkhi /contact. Trying to remove vshield in a batch and then starting word is possible, vshield gets inactive, but it's not removed completely. Using mem /c one can see a 34kByte area of free memory which formerly belonged to vshield. Does anybody know the reason for this and/or a way to get around it? Thanx in advance ------------------------------ Date: Wed, 15 Jan 92 08:31:11 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: re: DOS Virus Infects UNIX box (PC) (UNIX) >From: bear@fsl.noaa.gov (Bear Giles 271 X-6076) >Unfortunately, that system had been infected with the 'Stoned' virus. >This virus overwrote the UNIX BOOT TRACK when the infected DOS was >booted. >Result -- no more SVR5. We will probably have to perform a low-level >format of the disk and rebuild the UNIX from original media. I posted an in-depth reply to RISKs so will not bother to do so again since everyone here knows the difference between file infectors and MBR infectors (besides I deleted the reply being chronically short of disk space). In short, while certainly STONED can damage an intel-based UNIX machine using an IBM-type (what is the proper term anyway ?) BIOS, it cannot per se infect it since the machine cannot boot properly & so cannot spread. Whether repair is as simple as booting with DOS and running my FixMBR (which should be compatable as should SafeMBR) depends on whether or not there was anything important in absolute sector seven just like a DOS Stoned recovery depends on the type of FDISK used to format the disk. The real message though is that while a DOS MBR or BR infector could DAMAGE SOME intel-based UNIX boxes, at least at the moment, these are no DOS/Unix viruses that I know of. Cooly (43 this morning) Padgett ------------------------------ Date: 15 Jan 92 09:15:14 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New Antivirus Organization Announced RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes: > Virus Busters Join Hands -- The Antivirus Methods Congress, a > newly formed organization to combat computer viruses, was announced > last week with the goal of bringing users, vendors and researchers > together to tackle virus attacks on networks in the private and > government sectors. > Dick Lefkon, associate professor at New York University and chair- > man of the new group, said the organization already has 50 members, > including representatives from Martin Marietta Corp., the > insurance industry, the state of Arizona's legal department, Well, I see that they have already got the users... :-) > Northern Telecom, Inc. and universities in Hamburg, Germany, and > Iceland. Aha, here are some researchers... :-) > Any typos are without a doubt mine! (BTW, anyone have a list/whatever of > existing antivirus orgs? Just curious.) Well, to be honest, I have never heard about that. But, I can speak only about myself; I'll ask Prof. Brunnstein whether he knows something on the subject (he is the head of the Virus Test Center at the Hamburg University) and will inform you. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 15 Jan 92 16:11:21 +0000 From: geoffb@coos.dartmouth.edu (Geoff Bronner) Subject: Re: New to the forum - question LUSTIG@wsmc-mis.af.mil (LUSTIG, ROB L.) writes: >Greetings, I am new to this area and wonder how often people actually >come across virui? I have found only a couple per year crop up and >haven't had one actually do any real damage (except to people's egos). This is something that varies from site to site, I'm sure. Dartmouth is a site that is very prone to viruses, we have many inexperienced mac users on the campus who have the ability to share files all the time. Viruses get here very quickly on visitors disks or via ftp and spread rapidly once they do arrive. How often you find them depends. I would say that the avergage user here who is running Disinfectant INIT (most do) sees viri very rarely. A couple times a year maybe. Since I run a cluster and support dozens of macs and ibms directly I see them more often. Even so, things are better. 3 or 4 years ago I could expect to see an infected disk or hard disk every day. After several years of spreading inits like Disinfectant INIT and Gatekeeper Aid around I see an infected disk maybe once a week. Usually on the anti-viral scanning station at the entrance to the cluster I run. - -Geoff - -- geoffb@Dartmouth.EDU - Computing Support Technician, Tuck School of Business "The powers not delegated to the United States by the Consititution, nor prohibited by it to the States, are reserved to the States respectively, or the people." - United States Constitution, Amendment X. ------------------------------ Date: Wed, 15 Jan 92 00:04:45 +0000 From: mcafee@netcom.netcom.com (McAfee Associates) Subject: Re: Gulf War "virus" fstuart@eng.auburn.edu (Frank Stuart) writes: >CNN is reporting that a computer "virus" was used during the Gulf War. >Reportedly, the virus was used to blank the screens of Iraq's air >defense computers. The alleged virus was supposed to have been hidden >in a printer chip that was smuggled in from Jordan. I (and many >others, I'm sure) would be very interested if anyone has further >information. Hi Frank, The original "source" of this virus is an article that appeared in the April 1st, 1991 (April Fools' Day) issue of InfoWorld Magazine as a gag. Maybe a reporter or some other person came across the article and thought it was serious. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | "Welcome to the alligator Santa Clara, California | BBS (408) 988-4004 | farm..." 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Tue, 14 Jan 92 19:12:00 -0500 From: HAYES@urvax.urich.edu Subject: updated version of Padget's FixMBR (PC) Hello. just received and will make available tonight the new version of A. Padgett Peterson FixMBR. The archive file is FIXMBR22.ZIP. As usual, the file will be located in: Site: urvax.urich.edu, IP# 141.166.1.6 Directory: msdos.anonymous User: anonymous Password: your_email_address. As usual, once logged on, the user will be in the anonymous directory. TYping cd msdos.antivirus should move you in the directory where FIXMBR22 resides. Thanks to Padgett for another very useful utility. Best, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Tue, 14 Jan 92 06:27:31 -0800 From: Eric_Florack.Wbst311@xerox.com Subject: Report: 8th Chaos Computer Congress The following message was copied from RISKS-L. Of particular interest to VIRUS-L reader will be where the writer inserts 'comment #1'. That such gatherings are becoming more sparsely populated is a positive step. But is it, perhaps, time for people such as the UN , or perhaps the ITU, to invoke sanctions against countries that allow such groups to thrive? ( Comments are my own....I don't expect anyone else to have the guts to agree with me. ) (Grin) - -=-=-=--=-=-= Date: 9 Jan 92 16:37 +0100 From: Klaus Brunnstein Subject: Chaos Congress 91 Report Report: 8th Chaos Computer Congress On occasion of the 10th anniversary of its foundation, Chaos Computer Club (CCC) organised its 8th Congress in Hamburg (Dec.27-29, 1991). To more than 400 participants (largest participation ever, with growing number of students rather than teen-age scholars), a rich diversity of PC and network related themes was offered, with significantly less sessions than before devoted to critical themes, such as phreaking, hacking or malware construction. Changes in the European hacker scene became evident as only few people from Netherlands (see: Hacktick) and Italy had come to this former hackers' Mecca. Consequently, Congress news are only documented in German. As CCC's founding members develop in age and experience, reflection of CCC's role and growing diversity (and sometimes visible alienity between leading members) of opinions indicates that teen-age CCC may produce less spectacular events than ever before. This year's dominating theme covered presentations of communication techniques for PCs, Ataris, Amigas and Unix, the development of a local net (mousenet.txt: 6.9 kByte) as well as description of regional (e.g. CCC's ZERBERUS; zerberus.txt: 3.9 kByte) and international networks (internet.txt: 5.4 kBytes), including a survey (netzwerk.txt: 53.9 kByte). In comparison, CCC'90 documents are more detailed on architectures while sessions and demonstrations in CCC'91 (in "Hacker Center" and other rooms) were more concerned with practical navigation in such nets. Phreaking was covered by the Dutch group HACKTIC which updated its CCC'90 presentation of how to "minimize expenditures for telephone conversations" by using "blue" boxes (simulating specific sounds used in phone systems to transmit switching commands) and "red" boxes (using telecom-internal commands for testing purposes), and describing available software and recent events. Detailed information on phreaking methods in soecific countries and bugs in some telecom systems were discussed (phreaking.txt: 7.3 kByte). More information (in Dutch) was available, including charts of electronic circuits, in several volumes of Dutch "HACKTIC: Tidschrift voor Techno-Anarchisten" (=news for techno-anarchists). Remark #1: recent events (e.g. "Gulf hacks") and material presen ted on Chaos Congress '91 indicate that Netherland emerges as a new European center of malicious attacks on systems and networks. Among other potentially harmful information, HACKTIC #14/15 publishes code of computer viruses (a BAT-virus which does not work properly; "world's shortest virus" of 110 bytes, a primitive non-resident virus significantly longer than the shortest resident Bulgarian virus: 94 Bytes). While many errors in the analysis show that the authors lack deeper insigth into malware technologies (which may change), their criminal energy in publishing such code evidently is related to the fact that Netherland has no adequate computer crime legislation. In contrast, the advent of German computer crime legislation (1989) may be one reason for CCC's less devotion to potentially harmful themes. Remark #2: while few Netherland universities devote research and teaching to in/security, Delft university at least offers introductory courses into data protection (an issue of large public interest in NL) and security. Professors Herschberg and Aalders also analyse the "robustness" of networks and systems, in the sense that students may try to access connected systems if the adressed organisations agree. According to Prof. Aalders (in a recent telephone conversation), they never encourage students to attack systems but they also do not punish students who report on such attacks which they undertook on their own. (Herschberg and Alpers deliberately have no email connection.) Different from recent years, a seminar on Computer viruses (presented by Morton Swimmer of Virus Test Center, Univ. Hamburg) as deliberately devoted to disseminate non-destructive information (avoiding any presentation of virus programming). A survey of legal aspects of inadequate software quality (including viruses and program errors) was presented by lawyer Freiherr von Gravenreuth (fehlvir.txt: 5.6 kByte). Some public attention was drawn to the fact that the "city-call" telephone system radio-transmits information essentially as ASCII. A demonstration proved that such transmitted texts may easily be intercepted, analysed and even manipulated on a PC. CCC publicly warned that "profiles" of such texts (and those adressed) may easily be collected, and asked Telecom to inform users about this insecurity (radioarm.txt: 1.6 kByte); German Telecom did not follow this advice. Besides discussions of emerging voice mailboxes (voicebox.txt: 2.8 kBytes), an interesting session presented a C64-based chipcard analysis systems (chipcard.txt: 3.3 kBytes). Two students have built a simple mechanism to analyse (from systematic IO analysis) the protocol of a German telephone card communicating with the public telephone box; they described, in some detail (including an elctronmicroscopic photo) the architecture and the system behaviour, including 100 bytes of communication data stored (for each call, for 80 days!) in a central German Telecom computer. Asked for legal implications of their work, they argued that they just wanted to understand this technology, and they were not aware of any legal constraint. They have not analysed possibilities to reload the telephone account (which is generally possible, due to the architecture), and they didnot analyse architectures or procedures of other chipcards (bank cards etc). Following CCC's (10-year old charta), essential discussions were devoted to social themes. The "Feminine computer handling" workshop deliberately excluded men (about 25 women participating), to avoid last year's experience of male dominancy in related discussions (femin.txt: 4.2 kBytes). A session (mainly attended by informatics students) was devoted to "Informatics and Ethics" (ethik.txt: 3.7 kByte), introducing the international state-of-discussion, and discussing the value of professional standards in the German case. A discussion about "techno-terrorism" became somewhat symptomatic for CCC's actual state. While external participants (von Gravenreuth, Brunnstein) were invited to this theme, CCC-internal controversies presented the panel discussion under the technical title "definition questions". While one fraction (Wernery, Wieckmann/terror.txt: 7.2 kByte) wanted to discuss possibilities, examples and dangers of techno-terrorism openly, others (CCC "ol'man" Wau Holland) wanted to generally define "terrori Downloaded From P-80 International Information Systems 304-744-2253