VIRUS-L Digest Thursday, 7 Sep 1989 Volume 2 : Issue 187 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Appleshare and viruses Aborting a write to a write-protected disk (PC) Rumored October 12/13 virus attacks Can a PC Virus get into VMS via VAXPC? --------------------------------------------------------------------------- Date: Wed, 06 Sep 89 11:54:00 -0400 From: Peter W. Day Subject: Re: Appleshare and viruses >Date: 04 Sep 89 01:18:53 +0000 >From: gilbertd@silver.bacs.indiana.edu (Don Gilbert) >Subject: Appleshare and viruses ? > >What are the conditions under which current Mac viruses can >infect files on Appleshare volumes? I have not attempted to infect any files with a virus, whether on an AppleShare volume or otherwise, but based on what I know about Macintosh, AppleShare and viruses, here is what I think is true. A Mac virus can infect a file only if it can write to the file, no matter where the file is located. A micro cannot access an AppleShare volume directly: it must ask the server to access the AppleShare volume on its behalf. As a result, the server can enforce access privileges. Access privileges apply only to FOLDERS. For the benefit of other readers, the privileges are See Files, See folders and Make Changes. They apply individually to the owner, a group, and everyone. I experimented writing directly to files and folders on an AppleShare volume using Microsoft Word, typing the explicit file path in a Save As... dialog box. For a file to be changeable, the volume and folders in the file path must have See Folders privilege, and the final folder must have See Files and Make Changes privilege. The virus would probably need to search for files to infect, and would only find files along paths with See Folders privs for the volume and folders in the path, and See Files in the final folder. Macintoshes used with shared files are subject to trojans, and the trojan could be infected with a virus. Consider the following scenario: A user has a private folder on a volume shared with others using (say) AppleShare. The volume has a folder containing a shared application named, say, Prog1, and the folder has everyone See Files and See Folders but not Make Changes (i.e. it is read-only). The user makes a private copy of Prog1, and later runs a virus-infected program locally while the shared volume is mounted, and the copy of Prog1 becomes infected. The user now makes his AppleShare folder sharable (See Files, See Folders) to everyone (so that someone can copy a file he has, say). Another user double-clicks on a document created by Prog1, and the Mac Finder happens to find the infected copy of Prog1 before finding the other copy. As a result, the second user's files become infected. Thus I recommend that private folders be readable only by the owner as a matter of policy. Allowing everyone Make Changes creates drop folders so that users can exchange files. Drop Folders are safe enough in that AppleShare does not allow you to overwrite a file when you only have Make Changes priv. However, users should be told to run a virus check on any files that others drop in their folders. ------------------------------ Date: Wed, 06 Sep 89 17:23:34 -0400 From: Bruce_Burrell@um.cc.umich.edu Subject: Aborting a write to a write-protected disk (PC) Several respondants to the "Abort, Retry, Ignore" message have suggested using Abort. I disagree strongly: if you do that, usually you get kicked out to DOS, so e.g. all your current session editing changes are lost. What should be done is to remove the write-protection, and retry. If there's not enough space, most programs will take control and allow a graceful exit. If it fits, but you want it on another disk, so what? Just save again. DONT Abort unless you don't care about the current changes. [Ed. This is probably a better topic for a group like comp.sys.ibmpc since it isn't directly virus related. Nonetheless, it's a fairly fitting end to this subject (right?).] ------------------------------ Date: Wed, 06 Sep 89 16:58:34 -0500 From: IRMSS907%SIVM.BITNET@IBM1.CC.Lehigh.Edu Subject: Rumored October 12/13 virus attacks About the OCT 12/13 rumored virus attack...an article in the Aug 28th issue of Federal Computer Week reports "Sobczak said candidates for the intrusion so far include the following viruses: DATACRIME, a virus that wipes out data by modifying .COM files, alleged to be planed for execution Oct 12 or 13. A West German virus, apparently discussed at a hacker's convention in Amsterdam earlier this month, to be introduced through BITNET. An enhanced version of an earlier Icelandic virus rewritten to avoid detection by constantly changing its location in memory." [Ed. I saw that too (thanks for the FAX, Bruce!) - does anyone have any info about this alleged Icelandic variant?] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Mignon Erixon-Stanford, PROFS Administrator Smithsonian Institution (Washington, D.C.) / Second Office of Information Resource Management \ thoughts Bitnet: IRMSS907 @ SIVM (or SYSADMIN @ SIVM) / are USUALLY Phone : (202) 357-4243 \ wiser. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ------------------------------ Date: Thu, 07 Sep 89 10:24:00 -0100 From: "Christof Ullwer" Subject: Can a PC Virus get into VMS via VAXPC? We have this PC emulation VAXPC V1.0 running under VMS V5.1-1 with DECwindows. Is it possible that PC viruses have the same or at least a similar effect on this emulation i.e. deleting/altering files stored on the virtual disk? Or are there any known viruses that jump out of the emulation and affect files under VMS? Sounds stupid but ifever anyone out there in netland has made bad experiences let me know. - -- ullwer@ds0iff5.bitnet alias Christof Ullwer (xof) Voice (if neccessary) +49-711-6868-6879 ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253