=========================================================================
Date:         Fri, 8 Jul 88 11:37:51 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe McMahon
Subject:      Scores Arrest - Hold It!

*** ATTENTION ALL READERS! MUCHO IMPORTANTE! ***

After some phone calls here and there, and some background checking by
Mark Trumbull of the Christian Science Monitor, we have found that, yes,
Mr. Burleson was arrested on charges of computer sabotage and burglary.
He was NOT, however, the perpetrator of the Scores virus. A Wall Street
Journal article (page 1, Friday, June 17), detailed that he was accused of
the above in connection with a company called USPA&IRA. Not EDS, not
Scores, something else entirely.

See what I get for jumping off a cliff with a single source?

PLEASE tell everyone you have told that the arrest was, alas, a rumor.
It's probably spread faster than the virus itself!

--- Joe M.
=========================================================================
Date:         Mon, 11 Jul 88 09:49:04 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Question about virus simulator

As mentioned here some time back, the National Bulletin Board Society has
a product called a virus simulator. They also, by the way, market an
anti-virus program, but its name escapes me at the moment.

Does anyone have any experience with their virus simulator that you could
relate to VIRUS-L readers? It's supposed to test an anti-virus package
against most of the current known virus infiltration methods. I've heard
some conflicting messages about its usefulness, though. For example, it is
alleged to come up with erroneous reports against some of the current crop
of anti-virus products by reporting that a particular virus would be able
to infect the system, when the opposite has been proven to be true. It
would be interesting to hear some independent evaluation(s) of this product.
Any comments on this sort of testing scheme?

Ken

Kenneth R. van Wyk                   Hobbes: Wow, buried treasure right
User Services Senior Consultant         where you said it'd be!  A
Lehigh University Computing Center      wallet full of money!
Internet:                            Calvin: Yeah, it's Dad's.  I buried it
BITNET:                                 here last week!
=========================================================================
Date:         Mon, 11 Jul 88 11:34:26 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      New version of PKARC on-line

I finally got around to updating the PKARC program that's on-line here at
Lehigh for VIRUS-L readers. I now have the file PK36 UUE available on the
LISTSERV. The file was downloaded directly (by me) from SIMTEL20.ARPA.
Keith Peterson got the version on SIMTEL20.ARPA directly from Phil Katz's
bboard.

As with all of the binaries on the LISTSERV, PK36 is distributed as a
uuencoded file. See the monthly announcement message for instructions on
how to uudecode this file back into a binary file.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
=========================================================================
Date:         Mon, 11 Jul 88 12:40:53 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Len Levine
Subject:      possible virus?

I heard just yesterday that one of my friends was having trouble with a
copy of Norton Utilities version 3.00.

He pointed out that the copy which he runs from a protected floppy disk
works well, but when he loads that copy onto his hard disk, it fails. He
also noted that the copy from the protected disk showed differences between
itself and the hard disk copy he had just made. The problem repeated
several times. No other symptoms.

Any ideas?
I have not tried to copy this material to my machine, I have not asked
about the date signature on the copies, or about the sizes of the files.

len@evax.milw.wisc.edu
=========================================================================
Date:         Tue, 12 Jul 88 15:17:51 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      forwarded virus seminar announcement

Date: 12 July 1988, 13:10:34 EDT
From: Nick Simicich                  NJS at YKTVMH
      8/863-7033 (914) 789-7033
      T.J. Watson Research Center
      Yorktown Heights, New York
To:   VIRUS-L at LEHIIBM1
      SRWHITE at YKTVMH

The following seminar is open to the public, but attendance space is
limited. Those of you who are interested in attending should call Steve R.
White at (914) 789-7368.

Nick Simicich

Subject: Seminar by Fred Cohen

Date  : 20 Jul 1988
Time  : 2:00 - 3:00
Place : IBM Research, Hawthorne NY, Room H1-E53
Host  : Steve R. White (SRWHITE at YKTVMH)

        Models of Practical Defenses Against Computer Viruses

                             Fred Cohen
                      University of Cincinnati

Computer viruses are pieces of programs that attach themselves to other
executable programs. When that executable program is run, the virus
searches for yet another executable program and infects it with the virus.
Besides spreading the infection, a virus can perform malicious actions like
erasing files or randomly changing data.

In this talk, we describe a way to detect computer viruses and prevent them
from spreading before they cause significant damage. We show how this
method can be used to protect information in both trusted and untrusted
computing bases, show the optimality of this technique, and present the
results of experimental trials in two computing environments.

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
=========================================================================
Date:         Tue, 12 Jul 88 18:18:35 -0900
Reply-To:     FSFSW@ALASKA
Sender:       Virus Discussion List
From:         FREDERICK S WELDON

SENDME DIRTY DOZEN
=========================================================================
Date:         Tue, 12 Jul 88 20:48:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Jim Shaffer, Jr."
Subject:      An error in the new NetMonth

Due to an error on the part of Rich Zellich, the Internet maintainer of the
List of Mailing Lists, I am incorrectly listed in the new issue of NetMonth
as the owner of Virus-L. I notified Rich of his mistake as soon as I
received his update list, several weeks ago, but he apparently couldn't
correct it in time to prevent the error in NetMonth. I have notified Chris
Condon of the error.

James M. Shaffer, Jr.      Bitnet:   shafferj@bknlvms   CIS: 72750,2335
P.O. Box C-2658            Internet: shafferj%bknlvms.bitnet@cunyvm.cuny.edu
Bucknell University        UUCP:     ...!psuvax1!bknlvms.bitnet!shafferj
Lewisburg, PA USA 17837    CSNet:    shafferj%bknlvms.bitnet@relay.cs.net

"He's old enough to know what's right and young enough not to choose it;
 He's noble enough to win the world but fool enough to lose it."
        -- Rush, "New World Man", on _Signals_
=========================================================================
Date:         Wed, 13 Jul 88 09:41:52 IST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         CCAYOSI@TECHNION
Subject:      Re: forwarded virus seminar announcement
In-Reply-To:  Message of Tue, 12 Jul 88 15:17:51 EDT from
=========================================================================
Date:         Wed, 13 Jul 88 15:14:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         John Lundin Jr
Subject:      VMS ZOO ok?

A version of ZOO for VAX/VMS arrived over the net yesterday on Info-VAX.. an
executable image, UUENCODEd. ZOO is an archiver program. Considering the
number of bad PKARC versions that are out there, can anyone vouch for this?
Anyone have source?

A quick check shows that it was probably written in C, and has many
plausible-sounding error messages near the beginning.

Here's the header info preceding the uuencoded material:

>From: BITNET%VTVM2::MAILER 11-JUL-1988 16:17
>To: LUNDIN
>Subj:
>
>Received: From VTVM2(MAILER) by URVAX with Jnet id 8344
>          for LUNDIN@URVAX; Mon, 11 Jul 88 16:17 EDT
>Received: by VTVM2 (Mailer X1.25) id 8320; Mon, 11 Jul 88 16:07:31 EDT
>Date: Mon, 4 Jul 88 15:30:43 MDT
>Reply-To: INFO-VAX@KL.SRI.COM
>Sender: INFO-VAX Discussion
>Comments: W: Invalid RFC822 field -- ".EDU". Rest of header
>          flushed.
>From: ewilts%Ins.MRC.AdhocNet.CA%Stasis.MRC.AdhocNet.CA%UNCAEDU.
>      @CORNELLC.CCS.CORNELL
>To: 'John Lundin Jr'
>
>As per the recent request for ZOO for VMS, I am including the following
>UUENCODED file of ZOO.EXE.
>
>[ actual file omitted ]

Thanks!
-john

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
John Lundin, Jr.
Academic Computing
University of Richmond
Richmond, VA 23173
VAX785::LUNDIN (UR/MCV Decnet)
LUNDIN @ URVAX (BITNET)
lundin%urvax.bitnet@cunyvm.cuny.edu (Internet)
...!rutgers{!psuvax1}!urvax.bitnet!lundin (UUCP)
=========================================================================
Date:         Wed, 13 Jul 88 08:38:10 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe Simpson
Subject:      Final (I hope) posting on Miami U. spring epidemic

In two earlier postings I described what we thought we knew about an MS-DOS
based virus epidemic at Miami. We were afflicted with the standard (non
destructive) version of Brain with numerous complaints of lost data.

As part of our early response we used rather draconian measures to copy
(some) user data from affected diskettes to clean media. We kept many of
the originals that were reported as defective. These diskettes were sorted
into categories, probably using Norton utilities. A stratified sample was
then subjected to more detailed analysis with the following results:

1. Some media were physically defective.

2. Brain existed on some diskettes. No mutated version of Brain was found
   using byte level comparison with a known standard Brain.

Conclusion: There is no reproducible evidence that Miami was visited by a
virus that deliberately attempted to alter or destroy user data. Fred Cohen
spent a morning with us at the height of our confusion and suspected a
mutated Brain. We have been unable to corroborate this.

Critique of our performance:

1. The draconian measures we took in the early days resulted in loss of
   user data. Lack of a formal coordinating body and ignorance of the topic
   of computer viruses caused us to continue these measures longer than was
   desirable.

2. Lack of awareness of the problem probably caused us to ignore very early
   warning signs resulting in the crisis occurring at our busiest time of
   year.

3. Our efforts at communicating information about the virus were as
   accurate as practical, but most reports did not accurately describe the
   situation as currently understood. Reporters made best efforts to be
   factual, but (at least in my opinion) were intimidated by the word
   "computer". This is very puzzling. If you remove the word computer, they
   are more competent than most computer professionals to communicate
   public health information.

4. In retrospect, it is easy to see that modification of "nominal" behavior
   at Miami before the epidemic would have severely reduced the cost. In
   particular our habit of initializing with DOS provided the perfect
   "media" for Brain.

Notes:

1. We were visited by two destructive viruses in the Mac world.

2. There is some Mac software offering partial protection (Vaccine cdev)
   without seriously affecting the working environment (except for
   programmers). There are also several programs designed to detect
   (obvious) viruses including virus detective and RX. These are cheap!

3. We have yet to find anything good in the MS-DOS world, either to provide
   protection or diagnosis.

4. Our Novell server based laboratories had very few internal problems.
   Whether this is due to lack of architecture in MS-DOS or due to the
   characteristics of Brain is hard to ascertain.
=========================================================================
Date:         Thu, 14 Jul 88 07:36:26 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Re: VMS ZOO ok?
In-Reply-To:  Message of Wed, 13 Jul 88 15:14:00 EDT from

>A version of ZOO for VAX/VMS arrived over the net yesterday on Info-VAX.. an
>executable image, UUENCODEd. ZOO is an archiver program. Considering the
>number of bad PKARC versions that are out there, can anyone vouch for this?

It's not usually considered wise to accept (blindly) any executable image
from an unfamiliar (untrusted) source.
At the very least, follow up with the people who posted the file to find
out where they got it, and try to obtain an original copy directly from the
author.

Of course, this is just my opinion...

Ken

Disclaimer: I don't know what a disclaimer is, and I don't claim to either.

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
=========================================================================
Date:         Thu, 14 Jul 88 09:05:57 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "David M. Chess"
Subject:      Posting from Joe Simpson on Miami U. spring epidemic

> 3. We have yet to find anything good in the MS-DOS world, either to
>    provide protection or diagnosis.

Have you examined/tried things and found them wanting? If so, it might be
interesting/informative to post something like mini-reviews to the list.
I'm sure lots of other folk are on the same quest...

DC

* Disclaimer: Who, me?