VIRUS-L Digest   Monday, 29 Jan 1990    Volume 3 : Issue 23

Today's Topics:

Re: Internet Worm
RE: Virus request
Another WDEF infection (Mac)
Re: WDEF at University of Oregon (Mac)
WDEF A infection (Mac)
Re: Trial & Double Standard
Re: theoretical virus scanning
New virus? (Mac)
Virus Modeling
Virus Info Request (PC)
W13 Polish text (PC)
WDEF in public places (Mac)
Re: Practical a-priori viruscan?

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

 - Ken van Wyk

---------------------------------------------------------------------------

Date:    Wed, 24 Jan 90 18:29:14 +0000
From:    geof@aurora.com (Geoffrey H. Cooper)
Subject: Re: Internet Worm

I agree, Morris acted irresponsibly.  He did something he knew was wrong
and thought to be a minor annoyance to the world; then it blew up in his
face.  That certainly puts his actions within the realm of criminal
activity, in the same way as someone who deliberately runs a red light
and accidentally hurts someone.

One thing that makes me wonder: A newspaper article claims that Morris
wanted to stop the worm when it started to get out of control, and
decided that he wasn't able to.  When the Internet group started to try
and control it, why didn't he offer to help?  At least a copy of the
source code would have been of great assistance.  Instead, he hides and
waits for the FBI to find him.  Would not this have been his best
opportunity to show his benign intentions?  Or perhaps he was advised
not to help by someone.
Did anyone hear anything about this from the trial?

- - Geof
- --
geof@aurora.com / aurora!geof@decwrl.dec.com / geof%aurora.com@decwrl.dec.com

------------------------------

Date:    Thu, 25 Jan 90 12:08:35 -0500
From:    woodb!scsmo1!don@cs.UMD.EDU
Subject: RE: Virus request

> >From: IN%"UMNEWS@MAINE.BITNET" "Vax discussion" 21-JAN-1990 23:11:59.77
> >Subj: Virus on VAX
> >From: 7811100@TWNCTU01.BITNET
> >
> > Hi!
> >
> > Does anyone have an idea about VAX Virus? Or interesting on
> > it? I think the most difficult point is how to spread it
> > out. So if someone has any bright idea, contact with me.
> >
> > James Huang
>
> Here is a message from UMNews's Vax discussion list.  I
> thought the list should know about this.  The node is Taiwanese.

This is insane.  Obviously this particular Taiwanese knows little about
VAX networking and uses of viruses (worms) in those networking
facilities.  He will probably get a few replies as well as some sources.

What as a whole can the computer industry do to help prevent individuals
like this from the potential releasing of these viruses (viri?) into the
vast networks??  Should it be illegal to own or transmit virus source
(for non-security personnel)??  Also, should there be an international
watchdog agency set up to investigate such requests??  Should the
CIA/FBI/FCC be involved in cooperation with IBM/DEC/AT&T/etc. to form a
task force along with our list's virus expert?

Has anyone contacted this person's administration along with MAINE's and
BITNIC/BITNET administration?  Right now, it's up to us to report these
requests and it's the responsibility of MAINE to act on requests
submitted via UMNEWS.

Can we make it illegal to have virus sources without stomping on our
constitutional rights??  What about other countries??
- --
DON INGLI - United States Department of Agriculture - Soil Conservation Service
INTERNET: scsmo1!don@uunet.uu.net          PHONEnet: 314!875!5344
UUCP(short): uunet!scsmo1!don              UUCP(long): uunet!mimsy!woodb!scsmo1!don
These are my opinions.  I represent myself.
Who do you think you are, Bjorn Nitmo(sp)?  David Letterman '90 Catch Phrase

------------------------------

Date:    Thu, 25 Jan 90 14:30:35 +0000
From:    DEL2%phoenix.cambridge.ac.uk@NSFnet-Relay.AC.UK
Subject: Another WDEF infection (Mac)

Just for the record, since I haven't seen any other report of it here,
Cambridge public user area Macintoshes were hit with WDEF A on or about
22 January.  Disinfectant 1.5 was recommended to deal with it.

Douglas de Lacey

------------------------------

Date:    23 Jan 90 15:34:12 +0000
From:    jsaker@zeus.unl.edu (Jamie Saker -- Student, UNO)
Subject: Re: WDEF at University of Oregon (Mac)

HALLEN@oregon.uoregon.edu (Hervey Allen) writes:

> Since people seem to be reporting occurrences of the WDEF virus, hopefully
> to track its spread, I will throw in my two cents worth.

I'll add my two cents worth too.  At the Univ. Nebraska Omaha, on 16
January, we had an outbreak of WDEF virus on 10 machines (SEs).  After
installing anti-WDEF software (all servers also have Disinfectant
eliminate infected disks) the problem has been eliminated.  So now we
only have occasional Scores problems to worry about :)

 _____________________________________________________________________________
/ Jamie Saker     Editor-in-Chief     Monitor Month     jsaker@zeus.unl.edu  \

------------------------------

Date:    Thu, 25 Jan 90 16:26:46 +0700
From:    Chuck Martin
Subject: WDEF A infection (Mac)

So that it can be tracked, I'm reporting that our office Mac was
infected by WDEF A.  Disinfectant 1.5 removed it and we have
implemented tighter security.  I don't know if any of the other Macs on
campus are infected.
- -------------------------------------------------------------------------------
Chuck Martin, Consultant
Computer Information Center, Washington State University
MARTINCH @ WSUVM1.BITNET                                   (509) 335-0411
- -------------------------------------------------------------------------------
Beam me up Scotty.  There's no intelligent life here.
- -------------------------------------------------------------------------------

------------------------------

Date:    26 Jan 90 01:33:04 +0000
From:    Bernie Cosell
Subject: Re: Trial & Double Standard

71435.1777@CompuServe.COM (Bob Bosen) writes:

}Why don't bankers abandon the use of credit cards, photo IDs and
}signatures and just debit our bank accounts whenever a merchant
}tells them our passwords?  It would be a lot easier.

For good or ill, we already have done just that.  The entire
phone-in-credit-purchase industry is built around _precisely_ that
functionality.  And even on in-person sales, the dial-in authentication
codes have nothing to do with any actual 'identification' [although they
do require the shopkeeper to actually have your card [or a facsimile!]
in his hand].  Similarly, with ATM cards, the primary 'line of defense'
is some security-by-obscurity encoding on the card and a three-digit
password [which, I think, is also encoded on the card].

Banks do not verify signatures on checks that they honor.  The only line
of defense here is the individual patron verifying his own checks when
they come in at the end of the month.  If you think the banks have
people actually comparing signatures on the zillions of checks that come
in, you're wrong.

This is not to excuse the almost-total lack of true security [and audit
trails and such] in most of our computer systems, BUT.... it just isn't
as much of a "double standard" as you paint it to be.

And this is pretty funny:

}  Dear esteemed depositor:
}  As you know, for the past 15 years, you have been entrusted with
}  our bank card, and have used it in your banking transactions.
}  We
}  are replacing your bank card with a password.  You will no longer
}  have to carry your bank card.  Your new password is "FRED".  Please
}  keep it secret.  Whenever you want to withdraw funds or make
}  credit card purchases, just write FRED at the bottom of the
}  invoice and we'll take care of the rest.  If you ever suspect
}  that anybody has found out your password, please drop us a
}  post card with "FRED" crossed out in red pen and a new password
}  of your choice written in blue ink.  It is your responsibility to
}  keep your password secret.  You will be held accountable for any
}  and all banking transactions that say FRED on them, including
}  questionable or illegal transactions, for which you will be
}  prosecuted to the full extent of the law.

That is almost exactly what my bank said when I got my ATM card and I
had to select a "PIN" [except for the bit at the end about liability
for misuse of my card].  Is your bank different?

  /Bernie\

------------------------------

Date:    Thu, 25 Jan 90 16:22:14 +0000
From:    peter@ficc.uu.net (Peter da Silva)
Subject: Re: theoretical virus scanning

The fact that the halting problem is not applicable to FSMs isn't
relevant, because it's not known that part of the system involved is a
FSM.  The person operating the computer is part of the system.

For example, if you run your virus in the halting machine and discover
it in an infinite loop polling the keyboard you'll decide it's not going
to infect the machine (halt).  Actually it's waiting on a keystroke.

- --
 _--_|\  Peter da Silva. +1 713 274 5180.
/      \
\_.--._/ Xenix Support -- it's not just a job, it's an adventure!
      v  "Have you hugged your wolf today?"
  `-_-'

------------------------------

Date:    26 Jan 90 13:28:33 +0000
From:    mmccann@hubcap.clemson.edu (Mike McCann)
Subject: New virus? (Mac)

Posted for someone else:

We've had a report in our department (MatSci) of a new n-vir-like virus.
The latest version of Virex is able to detect it, but cannot identify
it, nor can it repair infected applications.  Disinfectant 1.5 does not
find it.  Upon examining several infected applications with ResEdit,
they all have a spurious resource "fuck".  Has anyone encountered this
strain before?  If so, how can we repair infected files, and configure
other virus-detecting programs to recognize it?

D. Daniel Sternbergh
ddaniel@lindy.stanford.edu

Mike McCann                        (803) 656-3714
Poole Computer Center (Box P-21)   Internet = mmccann@hubcap.clemson.edu
Clemson University                 Bitnet = mmccann@clemson.bitnet
Clemson, S.C. 29634-2803           DISCLAIMER = I speak only for myself.

------------------------------

Date:    Fri, 26 Jan 90 08:31:00 -0500
From:    Opitz@DOCKMASTER.ARPA
Subject: Virus Modeling

A co-worker of mine wrote:

   One way to characterize a Trojan Horse or a virus is to build
   mathematical, abstract models of them.  Such a model may be an
   n-tuple of interrelated subjects, objects, and operations.
   Thereafter, abstracted audit data and host machine characteristics
   can be organized to find if all the components of such an n-tuple
   are present.

My assignment was to help with the research in attempting to come up
with such a model.  Now, from what I have been reading on the Virus
forum, I am wondering if this task is even possible.  A proof was
offered that stated that it was not possible to come up with an
algorithm that could find all viruses.  Then, this proof was refuted
based on the fact that a computer is a finite state machine.  Based on
this, it was also stated that a theoretical universal virus detector
does exist for every real machine, however making one would not be
practical.  One theoretical universal virus detector would be to compare
the state of the computer against a list of what is and what is not a
virus.  This is a task too large to attempt.
However, if someone were to be able to come up with the distinguishing
characteristics of a virus, what sets it apart from other programs, how
humans can tell when they look at a program if it is a virus or not,
then maybe an algorithm could be developed.  One that could catch
viruses by comparing the state of the computer against the model, and
the characteristics of a virus.

Is it possible to come up with such a model?  Is it possible to list
ALL of the characteristics of a virus?  If so, what might these
characteristics be?  If not, why not?

David T. Opitz - NSCS

------------------------------

Date:    Fri, 26 Jan 90 12:30:20 +0000
From:    Dr. P. R. Fielden
Subject: Virus Info Request (PC)

Our dept. has just been hit by the STONED virus and I've found PING
PONG and PING PONG B on a local public access cluster on the same floor
as our dept so I suppose I'll be finding them soon.

I've been asked to produce a document about viruses for all staff and
students; I'm sure somebody must have already done this.  I would
appreciate it if anybody that has would send me a copy.

Also what is the best way to protect a public access cluster.  The
following ideas have been put forward.

1. Install SCANRES and keep everybody informed.
2. Buy diskless computers.
3. Manually disconnect the floppy drive cable.
4. Install either software or hardware security system.
5. Try something like Flushot.
6. Do nothing - it'll go away !!    <- Not my suggestion.

Any comments please.  Reply to the list or to A.PACKHAM@UK.AC.UMIST
(Janet) - the domain is reversed for the rest of the world.

Thanks in advance,
Andy Packham.

Peter Fielden (P.Fielden@uk.ac.umist)

------------------------------

Date:    Fri, 26 Jan 90 09:02:00 -0500
From:    DGStewart@DOCKMASTER.ARPA
Subject: W13 Polish text (PC)

The translation of the Polish text in the W13 virus is:

   "The COM type program does absolutely nothing.  It is designed to
   be a decoy for the virus."
I know it was requested that it be sent to the requestor, not to the
network, but unless it is posted on the network, there will be
duplication of effort.

On another matter, there is a simple procedure which can be used to
check for most viruses and other forms of corrupt code.  It is this:

All viruses have to be in some executable file in order to act.  Usually
insertion of a virus either changes an existing executable file or
creates a new one.  The new executable file may be apparent or hidden,
and if hidden may be a hidden file per se or may disguise itself as a
bad sector.  Therefore a simple program which compares the size of all
executable files with a known good standard, and then compares the size
of hidden files and bad sectors with a known good standard, will check
for most viruses.  Even if it is hidden in the idle space of an
executable file, thus not changing its size - and this is rare - it will
be detected as soon as it propagates to any other executable file.

If anyone is interested, I will post a sample program which does this
and also allows for updates as new known executable files are put on
line.  The program can be placed in the autoexec.bat or hello type
bootstrap files for automatic execution whenever the machine is turned
on or invoked at any time.  In the bootstrap file it adds about 35
seconds to boot time to the average system.  Of course it is possible to
design viruses to get around this, but it adds more work to the
attacker, at little cost to the defender.

One final note: All of the 45 books I have read on computer security
that have said anything about viruses claim that you have to delete
everything once your system is infected.  Not so.  Text files cannot
propagate a virus and should not be deleted unless they have already
been trashed by the corrupt code.
Nor is there any need to delete executable files which have not been
corrupted, although they are generally easier to replace since most
people's executable files represent commercial software while their
text files represent custom made files.

DGStewart
NCSC

------------------------------

Date:    26 Jan 90 16:56:37 +0000
From:    cradens@uceng.UC.EDU (carl radens)
Subject: WDEF in public places (Mac)

One aspect of the computer virus discussion which bears consideration is
the "public health" policy question.  Commercial and public Mac and
IBMPC services such as laser printing stations and other graphics
services are potential infection sources; they may also be subject to
government regulation and legal action.

In this location, we've twice found the WDEF on disks used at a popular
national copy center chain which also offers MAC laser printing
services.  We found the WDEF at a university bookstore MAC store back at
the beginning of December.  These are places where a large volume of
disks pass each day, and where (presumedly) professional services are
rendered on a retail commercial basis.

What is the professional responsibility in cases where a customer
informs the merchant of a viral infection, and the merchant does not
remedy the situation on their own machine?  The WDEF virus appears to be
benign; no data was lost and Gatekeeper Aid removed the infection in
each case.  The nationally known copy center was informed of the
problem, and several weeks later a WDEF infection was again obtained
from their machine.  This time no damage was inflicted.  It's only a
matter of time before a more serious virus appears, and I wonder if
these commercial places are just going to be sitting on their cans when
it happens.  Is there any legal precedent for this type of situation?

- -Carl Radens, Cincinnati
cradens@uceng.uc.edu

------------------------------

Date:    Fri, 26 Jan 90 13:05:44 -0500
From:    Peter Jones
Subject: Re: Practical a-priori viruscan?
>From: GEORGE SVETLICHNY
>Subject: Practical a-priori viruscan?
>
>There is a biological analog to the "second byte" situation above.
>Some genes overlap with others, that is, a base-pair sequence

I'm reminded of a few LP records with more than one groove on them, that
will play one of several programs, depending on where the needle happens
to land.  Monty Python, among others, has produced such a record.

Peter Jones  MAINT@UQAM  (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
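The size-baseline procedure DGStewart describes in the "W13 Polish text (PC)" message above, worked through as an added example. This is editor-supplied Python, not DGStewart's promised sample program and not anything posted to the list. It assumes a DOS-style set of executable suffixes and the small constructed directory tree built inside demo(); it goes one step beyond the message by recording a SHA-256 alongside each size, so a same-size overwrite of a file's idle space is reported at once rather than only when it propagates. Hidden (dot-prefixed) executables are included in the scan; bad-sector accounting is filesystem specific and is left out.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumption: the executable types a DOS-era check would cover.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".bat", ".ovl"}


def fingerprint(path: Path) -> dict:
    """Size is the check the message proposes; the SHA-256 is added so that a
    same-size modification is caught immediately instead of on propagation."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every executable under root, hidden dot-files included."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = fingerprint(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the known-good baseline and a fresh scan."""
    report = {"new": [], "missing": [], "size_changed": [], "same_size_changed": []}
    for name, cur in current.items():
        old = baseline.get(name)
        if old is None:
            report["new"].append(name)                # executable that was not there before
        elif cur["size"] != old["size"]:
            report["size_changed"].append(name)       # code appended or prepended: the common case
        elif cur["sha256"] != old["sha256"]:
            report["same_size_changed"].append(name)  # idle space overwritten, size unchanged
    report["missing"] = [name for name in baseline if name not in current]
    return report


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the known-good standard; rerun after installing new software to update it."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then change it in the four ways
    the message discusses, and return the resulting report."""
    root = Path(tempfile.mkdtemp(prefix="baseline-demo-"))
    try:
        (root / "sub").mkdir()
        # Constructed sample files: a header, a padded 'idle space', and filler.
        (root / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 40 + b"\x90" * 24)
        (root / "sub" / "TOOL.COM").write_bytes(b"TOOLCODE")
        (root / "README.TXT").write_bytes(b"text files are not executable")
        save_baseline(build_baseline(root), root / "baseline.json")

        # 1. an existing executable grows (code appended to it)
        with (root / "sub" / "TOOL.COM").open("ab") as fh:
            fh.write(b"EXTRA")
        # 2. an executable is altered without changing size (padding overwritten)
        data = bytearray((root / "EDIT.EXE").read_bytes())
        data[2:6] = b"ALTR"
        (root / "EDIT.EXE").write_bytes(bytes(data))
        # 3. a new hidden executable appears
        (root / ".DROP.COM").write_bytes(b"NEWFILE")
        # 4. a text file changes; per the message this is not reported
        (root / "README.TXT").write_bytes(b"changed text")

        return compare(load_baseline(root / "baseline.json"), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real tree, build_baseline and save_baseline produce the known-good standard once on a clean machine, and a boot-time job calls compare on a fresh build_baseline; any non-empty list in the report is worth a look, and the "size_changed" and "new" buckets are exactly what the message's size-only version would flag.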