VIRUS-L Digest              Friday, 10 Feb 1989         Volume 2 : Issue 44

Today's Topics:
Write protected disk (Mac + PC)
Virus detection
Virus Broadcast in Austria
Wide area network worms

---------------------------------------------------------------------------

Date: 10 Feb 89 17:31 +0100
From: Markus Mueller
Subject: Write protected disk (Mac + PC)

Recently a virus (nVIR) has shown up on one of my disks for a Macintosh
although the floppy had been write protected at the time the virus got onto
it. Therefore I would like to know:

1. Can the write protection mechanism on a Mac be overridden by software, as
   is the case for an IBM PC (controller PD765)?

2. Are any viruses (nVIR or other) around that exploit this?

3. Same questions, but for IBM PC and clones (including those that use the
   FE2100 floppy disk controller)

Thanks for your responses; I will post a summary.

Markus Mueller
Communication Systems Group
ETH Zurich
Switzerland

markus.mueller@inf.ethz.ch
markus.mueller%inf.ethz.ch@csnet-relay.arpa

------------------------------

Date: Fri, 10 Feb 89 10:46:21 PST
From: PJS%naif.JPL.NASA.GOV@Hamlet.Bitnet
Subject: Virus detection

A little future speculation here... currently we seem to be fighting a
losing battle against virus detection and as viruses improve it's unlikely
that that will change. If we want the capability to download shareware,
etc, from bulletin boards, etc, then we must assume that we cannot check
the software for a virus with 100% success before running it. In general,
you can't know the output of a program given the input without running it,
except in special cases. We can check for *known* viruses; but how long
before shape-changing and mutating viruses hit the scene that defeat all
practical recognition techniques?

Maybe the quarantine approach is better. Postulate a separate computer for
checking viruses on (perhaps some kind of virtual machine).
This computer runs a meta-program that automatically runs new programs with
as many different environments and inputs as possible (teaching the
meta-program how to use the new program is left as an exercise to the
reader). The system clock runs 1000 times faster than normal to check for
delayed-action viruses.

Comments, anyone?

Peter Scott (pjs@grouch.jpl.nasa.gov)

------------------------------

Date: Fri, 10 Feb 89 21:06:59 MEZ
From: Konrad Neuwirth
Subject: Virus Broadcast in Austria

We had a "virus-special" on the news today, and I wanted to tell you some
"new things" I "learned" from that programme.

They showed a "virus" (nobody who talks about viri publicly does understand
the difference virus-worm-trojan) that ate all the . (full stop) symbols
from the screen with a face. I can't type the IBM-PC Ascii's face here, but
I am sure you all know what I mean. It looked like:

blablabla. O (comment: approaching face).

Then, they showed one of the most harmful computer viri ever: face.com. I am
sure every user, especially those who read computer magazines, will run to
the virus-specialist immediately if they see that program on their screen.

Then they said that because of a computer, you have to "re-install the
computer". Hmm, that is really new to me. I only re-installed the software
when I was bitten.

Now here is the most important thing about viri: why they were invented. I
quote (translated): "We find the roots of that problem some years back.
Hackers broke into big computer systems via phone, outsmarted electronic
barriers and cracked the copy-protection of programs. The marketplace got
flooded by illegal copies and the salesmen couldn't sell their original
ones. Loss was millions high. During the years, copying has become more
difficult. The hackers' answer: if not cracking, at least disturbing. That's
why they invented viri." Ain't that nice?

Another quote: "One way is via phone. A hacker dials into a net and copies
his virus into it.
The other partner sees his screen melting.." and they showed an amiga-screen
melting. They showed almost only amiga screens with well known "gadgets"
which are by no way viri, but can be found on every better public domain
collection.

Yeah, they showed one interesting virus:

A> (typetypetype)
Oh no!
A> (typetypetype)
You again!
A> (typetypetype)
Go to hell!

That is a really nice virus, isn't it?

Has anyone ever seen a good programme about viri which only said true
things????????

btw: we have an austrian virus already. It was written here in vienna and is
known as the "falling letter" virus. When it is active, all letters fall
down to the last line. Has it been seen in the US already or is it only in
europe? (I can't send it, as I don't have it).

- -konrad

------------------------------

From: David.J.Ferbrache
Date: Fri, 10 Feb 89 11:45:37 GMT
Subject: Wide area network worms

Re: the recent request for information on wide area network worms and other
infections. The three major cases which jump to mind are:

1. The internet worm - for which the main reference must be Gene Spafford's
   report "The Internet Worm Program: an analysis", which is available from
   Purdue University, Technical report CSD-TR-823, No 1988.

2. The decnet worm - which affected the NASA SPAN/HEPNET network in December
   1988, which contained sufficient safeguards to ensure that it did not
   cause the same crippling load problems evidenced by the Internet worm.
   The best reference for this is the DDN Management bulletin, No 50 23 Dec
   1988, available from the SRI-NIC host using ftp login=anonymous,
   password=guest. Pathname DDN-NEWS:DDN-MGT-BULLETIN-50.TXT

3. The BITNET Christmas chain letter - the source of this chain letter has
   now been published actually in the recently cited "Computer Viruses- a
   high-tech disease" book. The source is on page 193.
For those who haven't yet found it, and on the basis that a number of
persons have already mentioned its existence, the citation is:

Computer viruses, a high-tech disease
R.Burger
Published by Abacus, 5370 52nd Street SE, Grand Rapids, MI 49508
ISBN 1-55755-043-3
Priced at Seventeen pound,45 pence in the UK

A passing comment must be that the book provides an in depth review of the
Vienna virus, plus a number of the viruses developed by the Chaos Computer
club. I suspect that the book will become a reference for Hackers and
Administrators alike within a very short time, and hence all I can suggest
is that administrators make very certain that their systems are inoculated
against the Vienna virus strain.

Unfortunately, with the publication of virus source it is certain that we
can expect a large number of variant strains to appear within a very short
time. The existing approach of signature recognition is unlikely to be
satisfactory.

I believe that both the Italian and Vienna viruses have now been published
in source form, and hence the degree of expertise required to re-engineer
the virus by modifying the manipulation task must be recognised as being
comparatively small.

The modification of an existing virus to incorporate a long term delay (such
as 6 months or even a year) coupled with a totally destructive manipulation
task (such as a FAT, Boot sector scribble followed by a complete format) is
a fairly simple task. Such an action would convert even a crude virus strain
such as the Lehigh 1 virus into a devastating strain.

(Eg the comment by Ken that the modified version of the Lehigh virus is now
far more dangerous due to modification of the delay in activation of its
manipulation task).

Dave Ferbrache                      Personal mail to:
Dept of computer science            Internet
Heriot-Watt University              Janet
79 Grassmarket                      UUCP ..!mcvax!hwcs!davidf
Edinburgh,UK.
EH1 2HJ                             Tel (UK) 031-225-6465 ext 553

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
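
The point made in the last message, that fixed signature recognition copes
poorly with variant strains, can be seen with a small scanner. This is an
added example, not part of the digest; the byte strings are constructed
placeholders (not taken from any real program) and the signature syntax
("??" for any byte, "{a-b}" for a bounded gap) is an assumption of the example.

```python
import re

def compile_signature(pattern: str) -> "re.Pattern[bytes]":
    """Compile a hex signature into a bytes regex.

    Tokens: two hex digits = literal byte, '??' = any single byte,
    '{a-b}' = a gap of a..b arbitrary bytes.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("{") and tok.endswith("}"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so '.' also matches the newline byte 0x0a
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, signatures: dict) -> list:
    """Return the sorted names of all signatures found in data."""
    return sorted(n for n, sig in signatures.items() if sig.search(data))

# Three signatures for the same constructed marker, from strict to loose.
# Looser patterns survive more edits but raise the false-positive risk.
SIGNATURES = {
    "exact":    compile_signature("de ad be ef 10 20 30 40"),
    "wildcard": compile_signature("de ad be ef ?? 20 30 40"),
    "gapped":   compile_signature("de ad be ef {0-4} 20 30 40"),
}

PAD = b"\x00" * 8                                              # constructed filler
ORIGINAL  = PAD + bytes.fromhex("deadbeef10203040") + PAD      # reference sample
VARIANT_A = PAD + bytes.fromhex("deadbeef11203040") + PAD      # one constant changed
VARIANT_B = PAD + bytes.fromhex("deadbeef9010203040") + PAD    # one byte inserted
CLEAN     = b"hello world\n" * 3                               # unrelated data

if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL), ("variant A", VARIANT_A),
                       ("variant B", VARIANT_B), ("clean", CLEAN)]:
        print(f"{name:10s} -> {scan(blob, SIGNATURES)}")
```
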