COMPUTER VIRUS PRANKS
---------------------

Recently, there have been a few computer virus "rumors" which appear to have been started as pranks. Given the current climate, and almost paranoid fear many computer users have of viruses, trojan horses and other badware, I, for one, don't find such pranks very funny. To save others from having to go through various stages of panic if they come across these "rumors" I have put together a small collection from the BITNET VIRUS-L conference.

--Steve Clancy, Sysop
Wellspring RBBS, 714-856-7996

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------

THE "MODEM" VIRUS
-----------------

Date: Mon, 12 Dec 88 22:02 EST
From:
Subject: more on modem virus

A report of the so-called modem virus was posted to a local BBS here in Bloomington, Indiana, about a month ago. I know nothing about sub-carriers on 2400 baud modems, but I found the idea of a virus inhabiting the registers of a modem to be so fantastic that I dismissed the report as nothing more than a prank. Below is a copy of the first message in the report; it was followed by a series of messages as the virus allegedly spread through Washington State.

Jon LaCure
Indiana University
lacurej@iubacs

Report:
- ----------------------------------------------------------------------------
The following messages were found in the SnoBbs'ers echo

Message #21191 "SnoBbs'ers"
Date: 06-Oct-88 00:57
From: Tom Cooper
To: All
Subj: Worlds worst virus

I found the following message thread on a Seattle board. Looks like a really bad virus is out now.

TC
- --------------------------------------------------------------------
a #1153 OF 1165
TIME: TUE 10-04-88 03:17:41
FROM: MIKE ROCHENLE
TO: ALL
SUBJ: Really nasty virus
AREA: GENERAL (1)

I've just discovered probably the world's worst computer virus yet.
I had just finished a late night session of BBS'ing and file trading when I exited Telix 3 and attempted to run pkxarc to unarc the software I had downloaded. Next thing I knew my hard disk was seeking all over and it was apparently writing random sectors. Thank god for strong coffee and a recent backup. Everything was back to normal, so I called the BBS again and downloaded a file. When I went to use ddir to list the directory, my hard disk was getting trashed again. I tried Procomm Plus TD and also PC Talk 3. Same results every time. Something was up so I hooked up my test equipment and different modems (I do research and development for a local computer telecommunications company and have an in-house lab at my disposal). After another hour of corrupted hard drives I found what I think is the world's worst computer virus yet.

The virus distributes itself on the modem sub-carrier present in all 2400 baud and up modems. The sub-carrier is used for ROM and register debugging purposes only, and otherwise serves no other purpose. The virus sets a bit pattern in one of the internal modem registers, but it seemed to screw up the other registers on my USR. A modem that has been "infected" with this virus will then transmit the virus to other modems that use a subcarrier (I suppose those who use 300 and 1200 baud modems should be immune). The virus then attaches itself to all binary incoming data and infects the host computer's hard disk.

The only way to get rid of the virus is to completely reset all the modem registers by hand, but I haven't found a way to vaccinate a modem against the virus, but there is the possibility of building a subcarrier filter. I am calling on a 1200 baud modem to enter this message, and have advised the sysops of the two other boards (names withheld). I don't know how this virus originated, but I'm sure it is the work of someone in the computer telecommunications field such as myself.
Probably the best thing to do now is to stick to 1200 baud until we figure this thing out.

Mike RoChenle

------------------------------
------------------------------

Date: Tue, 13 Dec 88 10:29:10 EST
From: Don Alvarez
Subject: More on modem virus

Quoting from issue 44:

I've just discovered probably the world's worst computer virus yet. I had just finished a late night session of BBS'ing and file trading when I exited Telix 3 and attempted to run pkxarc to unarc the software I had downloaded. Next thing I knew my hard disk was seeking
...END Quote

I'm a Mac user and don't recognize those words. Is the speaker talking IBM-PC words, Amiga words, VMS words, etc.? What kind of computer did he have?

If the virus is real, it must be writing itself into the on-board storage space used in high-speed modems and then instructing the modem to run that portion of memory (good way to check if this virus is real: Does anyone know if high speed modem chips are designed on Harvard-type architectures (separate Program/Data), I think many DSP chips are now designed that way). If my guess is right, the virus could not propagate on modems with Harvard-Architecture as they would be unlikely to have sufficient "program" memory for a virus (the speaker mentions setting a "bit pattern in an internal modem register," I can't believe that alone is enough to make a hard-disk crashing virus).

The reason why I ask what kind of PC the author is using is that it is EXTREMELY unlikely in my opinion that a virus of this sort could infect different kinds of computers... Mac boot blocks don't look anything like PC boot blocks.

Also, as I understand it, a good 9600 baud modem is completely transparent to the user... once you configure it, it looks like a 9600 baud cable connected to a computer. Sounds to me like this virus must be keyed not only to a specific computer but also to a specific PC based file-capture program, and will probably not propagate if all you do is 9600 baud terminal emulation.
- Don Alvarez

Disclaimer: "He's not the messiah, he's just a very naughty boy (who of course isn't speaking for himself, his employer, or the local dry-cleaner)."

+ ----------------------------------------------------------- +
| Don Alvarez             MIT Center For Space Research       |
| boomer@SPACE.MIT.EDU    77 Massachusetts Ave 37-618         |
| (617) 253-7457          Cambridge, MA 02139                 |
+ ----------------------------------------------------------- +

[Ed. I think that the first report of this purported virus was referring to a PC environment.]

------------------------------
------------------------------

Date: Tue, 13 Dec 88 11:02:52 PST
From: Marty Cohen
Subject: re: modem virus

This really seems implausible!

1. how could all, or even a large number of, higher speed modems be compatible enough so the virus could store itself in them all?
2. Do these modems have enough internal memory to store all the information needed?
3. No mention is made of what computer or operating systems are being used (probably default=ms-dos on a pc clone).

Paranoid conjecture: there is >>>no<<< modem virus!!! It is just a rumor being spread by a modem company that either (1) does not sell fast modems or (2) will be coming out shortly with a "virus-proof" modem.

Marty Cohen (mcohen@nrtc.northrop.com, 128.99.0.1)

------------------------------
------------------------------

Date: Wed, 14 Dec 88 14:27:54 CST
From: "Rich James"
Subject: Re: modem virus

It looks to me like the initial announcement of this purported virus was itself a virus attack against human hardware! It cleverly exploits the current pitch of fear about viruses, and has a phenomenal infection rate. Thank goodness it's relatively benign!

Think of it now folks:

How could a self replicating virus become embedded in registers which are used to hold data, not program instructions? The only memory used to hold program instructions in a modem is ROM. Data registers are treated as DATA.
Getting a modem to treat a data register as program input would require the exploitation of a known bug in the modem's ROM program. Such ROMs are anything but standard .. they vary between manufacturers and between models and revisions of modems from the same manufacturer.

How likely is it that an industry standard modem protocol would have an 'unused bandwidth' sufficient to allow simultaneous transmission of a separate data stream? It wouldn't be much of a protocol if it ignored such potentially useful bandwidth.

How could such a virus convince the terminal program running on the computer to modify system files, especially in a user-transparent way? (it's easy enough to clobber a file by writing over it, but patching a machine code file or RAM resident code in a transparent way is pretty non trivial) Remember, incoming modem data is treated as DATA, not program information. Again, this would require exploitation of a known bug common to all or many modem programs, and all or many error correcting protocols. Seems a tad unlikely.

Education=immunization.

------------------------------
------------------------------

From: portal!cup.portal.com!dan-hankins@Sun.COM
Subject: Modem virus
Date: Wed, 14-Dec-88 18:18:12 PST

From the description of the remedies given by the person who purportedly found this alleged virus, I'd have to guess that it could be an attempt to cut down on modem traffic by making people scared to use their modems. I can think of several reasons why someone would want to cut down on transfers of programs and data freely over phone lines.

Dan Hankins

------------------------------
------------------------------

Date: Wed, 21 Dec 1988 9:11:09 EST
From: Ken van Wyk
Subject: followup on alleged modem virus (PC)

It's been brought to my attention that the report of a modem virus here on VIRUS-L a couple weeks ago was a hoax. After looking at the original announcement of the virus, I'm inclined to agree with that.
Specifically:

> TIME: TUE 10-04-88 03:17:41
> FROM: MIKE ROCHENLE
> TO: ALL
> SUBJ: Really nasty virus
> AREA: GENERAL (1)
>
> I've just discovered probably the world's worst computer virus yet.
> ...[Body of text deleted]
> do now is to stick to 1200 baud until we figure this thing out.
>
> Mike RoChenle

In addition to the fact that the reported virus is highly incredible, as was pointed out by several of our readers, it's even more unlikely that someone would have the name Mike RoChenle (read: Micro Channel). Thus, unless someone can come forward with some substantial evidence on this matter, I'd like for everyone to assume that the reported virus was a hoax.

Obviously, I can't follow up on every message that gets sent to VIRUS-L, but I would like to ask all persons submitting messages, particularly when forwarding messages from other sources (as was the case here), to confirm their sources of information, within reason. I certainly don't want VIRUS-L to become a source of disinformation, and I'm sure that the readers don't want that either.

Thanks in advance for everyone's cooperation on this. Oh, and Happy Holidays to all!

Ken

---------------------------------------------------------------------------
---------------------------------------------------------------------------

THE "POWER LINE" VIRUS
----------------------

Date: Tue, 10 Jan 89 08:01:13 EST
From: msmith@topaz.rutgers.edu (Mark Robert Smith)
Subject: A Humorous? Virus Report from Security List

[Ed. The following forwarded message is obviously another prank, like the modem virus. I'm including it here because a) it was sent in by a reader, and b) it serves as yet another perfectly good example that we can't trust everything that we read. I suppose the appropriate caveat here is that we have to take *any* report of a virus until it can be verified.]
Forwarded from the VirusBoard BBS at (225) 617-0862 [sic]

Date: 11-31-88 (24:60)          Number: 32769
  To: ALL                       Refer#: NONE
From: ROBERT MORRIS III           Read: (N/A)
Subj: VIRUS ALERT               Status: PUBLIC MESSAGE

Warning: There's a new virus on the loose that's worse than anything I've seen before! It gets in through the power line, riding on the powerline 60 Hz subcarrier. It works by changing the serial port pinouts, and by reversing the direction one's disks spin. Over 300,000 systems have been hit by it here in Murphy, West Dakota alone! And that's just in the last twelve minutes.

It attacks DOS, Unix, TOPS-20, Apple II, VMS, MVS, Multics, Mac, RSX-11, ITS, TRS-80, and VHS systems.

To prevent the spread of this dastardly worm:

1) Don't use the powerline.
2) Don't use batteries either, since there are rumors that this virus has invaded most major battery plants and is infecting the positive poles of the batteries. (You might try hooking up just the negative pole.)
3) Don't upload or download files.
4) Don't store files on floppy disks or hard disks.
5) Don't read messages. Not even this one!
6) Don't use serial ports, modems, or phone lines.
7) Don't use keyboards, screens, or printers.
8) Don't use switches, CPUs, memories, microprocessors, or mainframes.
9) Don't use electric lights, electric or gas heat or airconditioning, running water, writing, fire, clothing, or the wheel.

I'm sure if we are all careful to follow these 9 easy steps, this virus can be eradicated, and the precious electronic fluids of our computers can be kept pure.

- --RTM III

------------------------------