=========================================================================
Date:         Mon, 1 Aug 88 01:19:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         S9RR@MCGILLB
Subject:      PERFECT VIRUS

Just a hunch I had about that note threatening the advent of the PERFECT
virus: might this be about a virus targeting the new WordPerfect 5.0? It
seems to me that WP 5.0 is going to be spread around quickly and widely,
furnishing a powerful vehicle for a virus. Sound plausible?

=========================================================================
Date:         Mon, 1 Aug 88 07:59:04 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Re: "Bug" in mailer?
In-Reply-To:  Message of Sat, 30 Jul 88 00:51:49 CST from

> Well folks, I'm not sure who to send this to, but since it was to
> Loren (LKK0 at LEHIIBM1) this list seems to be as good as any.

Apparently, Loren forgot what his e-mail address is when he broadcast it
to this list. Loren Keim's address is , not ..@LEHIIBM1. LEHIIBM1 is a
CMS system for staff use only here at Lehigh; Loren's account is on
LEHIGH since he is not a member of the LUCC staff.

Ken

Kenneth R. van Wyk                     Milo: We're out of helium for the
User Services Senior Consultant              balloons! Who's been suckin'
Lehigh University Computing Center           the helium?!
Internet:                              Gang: Not me! Not me! ...
BITNET:                                Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Mon, 1 Aug 88 10:08:15 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe McMahon
Subject:      Re: interesting statistic
In-Reply-To:  Message of Fri, 29 Jul 88 17:29:00 EDT from

> ... says there have already been 250,000 outbreaks. He estimates that
> 40 of the nation's largest industrial companies have been infected..."

Gee, did everybody call? :-)

--- Joe M.
=========================================================================
Date:         Mon, 1 Aug 88 10:17:24 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe McMahon
Subject:      Re: Time Bomb Carrier Programs...
In-Reply-To:  Message of Sat, 30 Jul 88 18:45:27 EDT from

> ... does anyone know of any viruses which are embedded in a program
> and are dormant until the program is run (like a trojan horse) or
> perhaps are dormant until after a certain date and the program has been
> spread around? A malicious virus which does not actively spread until
> after a certain date could be really dangerous couldn't it? If the
> carrier program were highly desirable (except for the dormant virus),
> individuals could spread the virus without knowing it, and it would be
> IMPOSSIBLE to detect the dormant virus before the activation date
> without actually dissecting the carrier program. Hence the virus
> could be passively and undetectably distributed until some date, and
> then it could begin to spread actively (and simultaneously) from all
> the copies of program wherever they might be. And it would be a while
> before the carrier program would be incriminated, because of the delay
> between "inoculation" and full-blown infection (like AIDS).

Congratulations! You have just described the "incubation period" that the
Mac's SCORES virus has :-). It sits around for 4 days before starting to
infect applications, and THEN waits another 2 before doing its nasties to
the VULT and ERIC applications.

--- Joe M.

=========================================================================
Date:         Mon, 1 Aug 88 10:27:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Legal implications
In-Reply-To:  Message of 31 Jul 88 23:10 EDT from "Robert Newberry"

Robert Newberry asks:

1. If it is actually legal to start spreading computer diseases.
2. Court decisions on computer disease related cases.
3. Can a victim sue the creator of a virus for loss of important data.

In general under common law, that which is not explicitly forbidden is
implicitly permitted. Even lying is permitted up to a point. One limit is
lying in an attempt to defraud. However, except when it is explicitly
restricted in such a way, there is no generic law that could be expected
to cover all viruses.

I am not aware of any applicable litigation.

One should assume that he can be sued for anything. However, the burden
of proof is usually on the one bringing suit. He must be able to prove
that he was damaged, by the act of another, and that that act was
deliberate or, at least, negligent. The proof must be "by a preponderance
of the evidence." Proving any of these things by such a test is always
difficult. In the case of a virus, it would be very difficult at best.

(This information is intended as general information; proper legal
counsel should be used to evaluate any case or instance or to guide your
behavior.)

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

=========================================================================
Date:         Mon, 1 Aug 88 10:32:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
Comments:     Resent-From: WHMurray@DOCKMASTER.ARPA
Comments:     Originally-From: WHMurray@DOCKMASTER.ARPA
From:         WHMurray@DOCKMASTER.ARPA
Subject:      "2600" Quarterly, Summer, 1988

The current issue of 2600 carries a lengthy article by Ross Greenberg on
viruses and FLUSHOT. In it, he uses very colorful language (much of it
ripped off from "Dirty Harry" by Ronbo) to describe those who would
perpetrate viruses.

Of interest is that this article was published by 2600, "The Hacker
Quarterly." This publication has promoted its anti-establishment (not to
say anarchist) bias and origins.
Does their publication of Ross' article suggest that they are maturing
and becoming members of the establishment that they have so long opposed?
Or, does it suggest that hackers are beginning to recognize that they,
perhaps more than others, have an interest in honest labelling of
programs?

Bill

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

=========================================================================
Date:         Mon, 1 Aug 88 11:15:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: interesting statistic
In-Reply-To:  Message of 29 Jul 88 17:29 EDT from Woody

"No one knows how many viruses have been planted. But John D. McAfee, a
virus expert at InterPath Corp., a security consulting firm in Santa
Clara, Calif., says there have already been 250,000 outbreaks. He
estimates that 40 of the nation's largest industrial companies have been
infected..."

Another quote that I am glad was not attributed to me. He must be
counting every execution as an "outbreak." (I like F. Cohen's 10K
estimate better.) I might agree that "low tens" of "institutions" "may
have seen" a virus but "40 of the nation's largest industrial companies
have been infected..." seems a little strong.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

=========================================================================
Date:         Mon, 1 Aug 88 11:04:00 MDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         CEARLEY_K%wizard@VAXF.COLORADO.EDU
Subject:      Late Comments

Re: previous response to why COMMAND.COM was padded with zeros and the
answer was to protect from shipping damage!?? A case for linguistic
determinism?
I don't think media damage would confine itself to that last portion of
the program as if treating the zeros as bubble insulators, or was that
humor? Or is this humor?

Tactics...

A relatively effective software strategy for an anti-viral program might
be to use the timer interrupt. It is done by installing a TSR which
implements two functions:

1- When loaded, it intercepts the timer interrupt vector. It then times
   its own execution and stores this duration with a checksum. This
   prevents its interrupt from being preempted by using timing
   dependencies.

2- At 18 times per second, it compares interrupt vectors for
   modifications; these are flagged and, if restricted, they are
   disabled.

The resolution is somewhat coarse considering the number of machine
instructions that can execute between intervals, but it can effectively
arrest the destruction of data.

*-----------------------------------------------------------------------*
| Kent Cearley                        | "All truth contains its own     |
| Management Systems                  |  contradiction"                 |
| University of Colorado              |                                 |
*-----------------------------------------------------------------------*

=========================================================================
Date:         Mon, 1 Aug 88 13:16:33 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

Robert,

I've been looking for laws concerning viruses for some time, and haven't
found any. I have located three laws which I will summarize when I have
them in front of me. They basically state that it is illegal to enter a
computer system that is not their own or that they don't rightly have
access to because it's a form of breaking and entering ... if their
computer enters it, they are responsible, or if some program they wrote
enters it, they are responsible. It is also illegal to read other
people's mail on the system, even if it is your own company's system.
And it's illegal to change anything on a system which you were not
specifically asked to change by the user, if I remember correctly.

As for a Word Perfect virus. I hadn't considered the implications of the
word PERFECT (no pun intended). As I remember, some school had written a
letter to this listserv back in February (please excuse my typing ... my
terminal will not backspace with this machine), about a Word Perfect
virus (Miami?). They were complaining about it being a variant form of
the Brain which would attack the program Word Perfect if memory serves.
I'll have to look back through my files for it.

Also, 250,000 outbreaks is a bit high. If they are counting number of
disks infected, that might be a little low. We had around 600 disks
infected at Lehigh alone with the first outbreak of a virus here.
Figures of the Israeli virus put it at around 18000 copies found
(although that number couldn't be backed up by anyone.)

Loren

=========================================================================
Date:         Mon, 1 Aug 88 13:20:13 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

Kent,

The idea you present makes the microcomputer unusable unless it has
multiple motherchips. (Actually, a TSR chip can be added which works like
any chip run on interrupts). You cannot implement your idea in software.

=========================================================================
Date:         Tue, 2 Aug 88 09:08:00 U
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         KAICHEON@ITIVAX
Subject:      ERIC NEWHOUSE'S BITNET ADDRESS ?

Does anybody know how someone can contact Eric Newhouse of DIRTY DOZEN
over bitnet? Thanks in advance!
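Kent Cearley's timer-tick watchdog earlier in this digest (snapshot the interrupt vectors at load time, compare the live table on every timer tick, flag changes, put restricted ones back) and Loren's objection about what software can do between ticks are easier to weigh with a small simulation. The block below is an added example, not code from the list or from either author: it models the 256-entry PC interrupt vector table as a Python list of (segment, offset) pairs, the 18.2 Hz timer as a loop, and vector hooks as constructed timed events. The restricted set, the constructed table contents and the event timings are assumptions made for the example.

```python
"""Simulation of a timer-tick interrupt-vector watchdog (added example).

The PC interrupt vector table (IVT) has 256 entries, each a segment:offset
pair. The resident watchdog described on the list snapshots the table when
it loads and, on every tick of the 18.2 Hz timer interrupt, compares the
live table with the snapshot. Changed entries are reported; entries in a
restricted set are restored. Everything here runs in memory; nothing
touches a real interrupt table.
"""

NUM_VECTORS = 256
TICK_HZ = 18.2                 # PC timer interrupt rate
TICK = 1.0 / TICK_HZ           # seconds between watchdog passes

# Assumption for the example: vectors a site would refuse to let anything
# re-point (timer, keyboard, disk BIOS, DOS services).
RESTRICTED = frozenset({0x08, 0x09, 0x13, 0x21})


def make_baseline_ivt():
    """Constructed IVT: vector n points at segment 0xF000, offset 0x100 * n."""
    return [(0xF000, 0x100 * n) for n in range(NUM_VECTORS)]


def check_tick(ivt, baseline, restricted):
    """One watchdog pass. Returns (flagged, restored) lists of vector numbers.

    Restricted vectors are restored in place. Non-restricted changes are
    flagged once and then accepted into the baseline, so a legitimate TSR
    hook is reported a single time rather than on every tick.
    """
    flagged, restored = [], []
    for n in range(NUM_VECTORS):
        if ivt[n] == baseline[n]:
            continue
        flagged.append(n)
        if n in restricted:
            ivt[n] = baseline[n]
            restored.append(n)
        else:
            baseline[n] = ivt[n]
    return flagged, restored


def simulate(events, duration, restricted=RESTRICTED):
    """Run the watchdog for `duration` seconds over constructed hook events.

    events: list of (time_s, vector_number, (segment, offset)) writes to
    the table. Returns (results, final_table) where results is a list of
    (vector, t_changed, t_detected, restored).
    """
    ivt = make_baseline_ivt()
    baseline = list(ivt)               # snapshot taken when the TSR loads
    pending = sorted(events)
    changed_at = {}
    results = []
    tick = 0
    while tick * TICK <= duration:
        now = tick * TICK
        # Apply every vector write that happened before this tick; the
        # watchdog cannot see anything that happens between two ticks.
        while pending and pending[0][0] <= now:
            t_evt, n, value = pending.pop(0)
            ivt[n] = value
            changed_at.setdefault(n, t_evt)
        flagged, restored = check_tick(ivt, baseline, restricted)
        for n in flagged:
            results.append((n, changed_at.pop(n), now, n in restored))
        tick += 1
    return results, ivt


def detection_latencies(results):
    """Seconds between each vector change and the tick that caught it."""
    return [t_det - t_chg for _, t_chg, t_det, _ in results]


if __name__ == "__main__":
    # Constructed events: something re-points INT 21h at 30 ms (restricted)
    # and a TSR hooks the INT 1Ch user timer at 100 ms (not restricted).
    demo = [(0.030, 0x21, (0x1234, 0x0010)), (0.100, 0x1C, (0x5678, 0x0020))]
    found, table = simulate(demo, duration=0.5)
    for n, t_chg, t_det, restored in found:
        print(f"INT {n:02X}h changed at {t_chg:.3f}s, seen at {t_det:.3f}s, "
              f"{'restored' if restored else 'flagged only'}")
```

The latency list is the point Kent concedes: every change is caught within one tick (about 55 ms), and the simulation makes no claim about what ran on the machine during that window, which is exactly where Loren's objection bites.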
=========================================================================
Date:         Mon, 1 Aug 88 22:45:00 MDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         LYPOWY@UNCAMULT
Subject:      Re: "2600" Quarterly, Summer, 1988
In-Reply-To:  Message of 1 Aug 88 08:32 MDT from "WHMurray at DOCKMASTER.ARPA"

I am sending this here because I don't believe I can send mail to
WHMurray from here. Could someone please send me some info on 2600
Magazine (in particular subscription information and/or some address
where I can request such information). Thanks!

Greg Lypowy

=========================================================================
Date:         Tue, 2 Aug 88 01:31:18 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

A few days ago, I mentioned the possibility of having a conference for
the group of us at some time in the future. We have had about forty
people say they were interested in such a thing from several areas of
the country. We have a few people who wish to discuss various security
topics and so on. I believe that if we set a date and place for such a
conference, we will get quite a few more responses.

I have some comments on the idea:

1) I would like to open it to the press. We could bill it as a big
   meeting of the minds on virus-theory and how we might be able to stop
   these destructive programs.

2) I would be happy to set it up, would anyone else like to volunteer to
   help?

3) I'd like some ideas on how long such a conference would last ... the
   problem is that some people may end up coming from great distances
   for it.

4) I prefer to hold such a meeting in the Lehigh Valley area
   (Allentown/Bethlehem Pa) which is less than an hour from Philadelphia,
   less than 2 hours from New York City, 5 hours from Boston, and 5 from
   Washington DC. It's a centralized location with quite a bit of access.
   If there are any great reservations about this area, we can consider
   something else.
   We may be able to get a group together on the East Coast and one
   together a bit later on the West Coast. If we do this, I'd like to
   attend both, and I wouldn't mind organizing both.

5) Since we did have some enthusiastic replies to the idea, I believe we
   can get a decent group together to work on the theories of computer
   viruses, protection schemes, future computer security and so on.

Comments?

Loren Keim

=========================================================================
Date:         Tue, 2 Aug 88 01:44:02 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

Alright, to answer further questions about a virus seminar:

1) Will it cost money? I don't know yet, we're just considering it. I
   imagine that if we want to make up a booklet for the meeting, we
   might ask for a donation, or perhaps some of the colleges and
   companies out there might donate a small amount of money with the
   promise of us putting an ad for them in the package. We may also need
   to rent some conference rooms, although I think I can get some. And
   if the group is small (although I doubt it will be) we might hold a
   dinner of some sort.

2) When will it be? Again, we're just discussing the idea.
   Unfortunately, for college professors and associates, school is
   starting shortly and I doubt we'll get something in before it starts,
   but I don't think we'll have a problem if it's early in the semester.
   What would you think of the second weekend in September? Earlier,
   later?

3) How far is the Lehigh Valley from Trenton, Princeton, and Pittsburgh?
   Ugh! It's on the map. The Allentown area is about an hour and a
   quarter from Trenton if memory serves, I haven't been there since the
   Trenton Computer Faire. I haven't the slightest idea how far it is
   from Trenton, I haven't been there in a while. But for the New Jersey
   people, it's an hour from Morristown, 3 hours from Atlantic City (max,
   some people make it in less), and an hour and a quarter to a half
   from Camden.
   You can figure out the rest. It's about 4 1/2 - 6 hours from
   Pittsburgh. I've gotten all sorts of conflicting times on that. It
   takes me 4 1/2 hours, you slow drivers may take a bit longer. It's an
   hour and a half from Harrisburg, an hour and a half from Lancaster.
   People who are farther than Pittsburgh may want to fly. I think it's a
   15 minute hop from Chicago for only 35 bucks.

And no, Karen, we are not a "hick town". The Valley has 700,000 people
in it. Granted, we're not New York City, but we hold our own in terms of
metropolitan areas. Incidentally, we have 3 sky scrapers (wow!). We're
also home to AT&T research (Bell Labs and several other AT&T plants),
Air Products, Bethlehem Steel, Mack Trucks and Union Pacific. It's a very
nice area to live.

Loren

=========================================================================
Date:         Tue, 2 Aug 88 08:38:22 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Len Levine
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message from "Chris Bracy" of Jul 31, 88 at 12:32 (midnight)

> GARY SAMEK writes:
>
> > When a virus gets into command.com, it is very difficult to stop it from
> > spreading if it is well written.
>
> I don't see why a virus in command.com is any harder to trap than a virus
> in any other program. Command.com is just a .com file like any other .com
> file except in purpose. Its structure is similar, and (theoretically) only
> makes its calls thru dos. The Int 21 handlers are NOT part of command.com.
>

No casual test of the date of creation, or even the file size will trap
the inclusion of a virus into command.com. The 4000 byte space left at
the end of that program allows for room to enter a sizable virus.

Even my favorite scheme of checking the CRC can easily be defeated if
the virus writer knows what CRC formula I use by the simple addition of
2 bytes of non-executable code to fix the CRC and return it to its
original value.
Even if there were not room for a sizable virus, the scheme (already
used) of putting a program onto disk and marking that disk area as bad
in the FAT, and then linking that area into your code would afford all
of the space needed.

Watching command.com and other files that matter with a CRC formula that
is different from that others use is one of the best ways I know to
detect infection (albeit after it happens).

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science        Office (414) 229-5170            |
| University of Wisconsin-Milwaukee  Home   (414) 962-4719            |
| Milwaukee, WI 53201 U. S. A.       Modem  (414) 962-6228            |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=========================================================================
Date:         Tue, 2 Aug 88 13:07:50 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University

Alright, alright,

The people from the West Coast say there are more people working on
viruses on that coast, so we should start there. The people from the
East Coast agree that it should be here. The people from the middle
states tell us that we should have a nationally centralized location.

Eep. I didn't mean to start a war.

I'd like people who are interested in such a conference to reply to me
as to where they wouldn't mind traveling for the conference. Would they
mind coming to the East Coast, would they mind meeting somewhere in the
middle states, and so on.

Reply to LKK0@LEHIGH.Bitnet (excuse my last letter which incorrectly
stated where I was).

Loren

=========================================================================
Date:         Tue, 2 Aug 88 15:28:01 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Art Larky "
Subject:      Trapping Disk Calls

You won't catch my virus by watching for DOS calls, because I won't use
them.
You won't catch my virus by watching for BIOS calls, because I won't use
them. Since everyone knows where DOS and BIOS keep the information about
your hard disk and everyone knows what port addresses do what on a PC
compatible, I'll just access the hardware directly. It may be more
trouble, but it's also a sure-fire way to eat your FAT tables and/or
insert myself into any program I wish.

Face it - the IBM 'open architecture' was a great idea for clone
manufacturers; but now everyone uses the same BIOS data areas and the
same port addresses in the interests of compatibility, so there is no
mystery about how to get your hands on the hardware.

Command.com is a great place to hide a virus, not only because it has
room for it, but also because it gets executed immediately after your
autoexec, so your chances of catching the virus depend upon what you do
in autoexec. Also, everyone has command.com and everyone uses it all the
time, so it has lots of chances of spreading an infection.

The AIDS slogan is safe sex or no sex. Apply the same or greater caution
to your computer!

Art

=========================================================================
Date:         Tue, 2 Aug 88 15:37:05 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      forwarded comments on VIRSIM program

Here are some comments on the VIRSIM package, from Jim Crooks:

Ken

From: Jim Crooks
Subject: RE: VIRSIM
In Reply To: message from of 7-20-88, (Andrew Vaught <29284843@wsuvm1>)

In some ways, a program like VIRSIM is a good idea *IF* it is well
written and *IF* it is updated frequently to reflect the leading edge of
virology. At least it would provide a benchmark against which we could
measure the masses of anti-viral software that have been appearing
lately. If one can incorporate all known threats in the test, then at
least we will know what protection we are buying (or not buying) with a
package.
Since a recycled known virus can cause as much grief as a new one if it
finds a loophole in your defenses.

The risks are as follows:

- new methods of attack will be developed to circumvent current defense
  mechanisms
- as has been stated previously, a simulator will give a false sense of
  security
- a well documented simulator will unfortunately provide a source of
  viral techniques for the bad guys.

The only way to do a better job of anti-virus work is to actively
research it - but then the fellow who taught VIRUS-101 caught a lot of
flak didn't he, so it would be a fairly dicey process to say the
least...

Can someone send me the address of NBBS or Interpath - tnx.

James W. Crooks
Member, Advanced Technology Application Staff
Telebox(DIALCOM): 12:GVT331 ATTN:((JIM))
BITNET: JIM@ISS.NUS.AC.SG
BIX: jw.crooks
Institute of Systems Science, National University of Singapore
Heng Mui Keng Terrace, Kent Ridge, Singapore 0511

Kenneth R. van Wyk                     Milo: We're out of helium for the
User Services Senior Consultant              balloons! Who's been suckin'
Lehigh University Computing Center           the helium?!
Internet:                              Gang: Not me! Not me! ...
BITNET:                                Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Tue, 2 Aug 88 15:39:27 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Forwarded legal comments from J.D. Abolins

I received this file which was sent to VIRUS-L from OJA@NCCIBM1 :

[Note J.D. - you can't send files to the list, only mail. Ken]

> Robert, I've been looking for laws concerning viruses for
> some time, and haven't found any. I have located three laws
> which I will summarize when I have them in front of me.
> They basically state that it is illegal to enter a computer
> system that is not their own or that they don't rightly
> have access to because it's a form of breaking and entering
> ...
> if their computer enters it, they are responsible, or
> if some program they wrote enters it, they are responsible.
> It is also illegal to read other people's mail on the
> system, even if it is your own company's system. And
> it's illegal to change anything on a system which you were
> not specifically asked to change by the user, if I remember
> correctly.

The three legal points are pretty much the basic tools for dealing with
computer crime. Here's the listing of the legal action from what I have
seen--

1) Breaking and Entering variants, including illegal systems access

2) Fraud. This is evident for computer acts which produce a financial
   benefit to the perpetrator. (This has not been seen in any viruses to
   date.) In the case of the British Telecomm hackers, a fraud law was
   used to bring the fellows to trial for hacking into Prince Charles's
   e-mail.

3) Sabotage and its variants. (If the malicious program was shown to be
   deliberately used against an installation.)

4) Electronic Communications Privacy Act (ECPA) regarding e-mail
   privacy. (I'll send up a rough text and analysis soon.)

5) The various state laws regarding computers.

Computer law is in its infancy. Most attempts to prosecute are based
upon existing laws.

> Also, 250,000 outbreaks is a bit high. If they are counting number
> of disks infected, that might be a little low. We had around 600 disks
> infected at Lehigh alone with the first outbreak of a virus here.
> Figures of the Israeli virus put it at around 18000 copies found
> (although that number couldn't be backed up by anyone.)

About the counts, it does depend upon what was counted- installations,
computers, disks, potentially affected disks, people affected by the
affected disks, etc.

Also, about the counts of the types of viruses, there is a major
problem- lack of nomenclature (naming) conventions. This is compounded
by the rapid stream of virus reports.
Many times, the reports may change the name of a case and future article
writers get the impression that it is a new case. This happened with the
Hebrew University case; it has been called "Hebrew University virus",
"Israeli virus", "PLO virus", "Friday the 13th virus", etc. From writing
articles about viruses and other things, I have seen how easy it is for
jumbling of facts, especially if only secondary and tertiary sources are
used.

Finally, the fact that the viruses are codes that are embedded in files
complicates identification. (This makes the "Dirty Dozen listing"
approach more difficult. Rather than giving a common file name of the
malicious program (which is helpful for trojan horses, until someone
changes the filename), the viruses need to be described by mode of
transmission, attack, symptoms, etc.

J. D. Abolins

Kenneth R. van Wyk                     Milo: We're out of helium for the
User Services Senior Consultant              balloons! Who's been suckin'
Lehigh University Computing Center           the helium?!
Internet:                              Gang: Not me! Not me! ...
BITNET:                                Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Tue, 2 Aug 88 22:16:05 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University
Subject:      Virus/Computer Security Conference results

Wow! We've had quite a few comments, questions and preferences come in
today. I'll give you a quick run down and try to answer some of the
overlapping questions.

We've had 18 votes for the East Coast, 2 votes for the middle states, 3
people who said they didn't care because they'd have to fly over the
ocean to get here anyway and NO votes for the West Coast (surprise!). I
would like you to keep sending me mail and suggestions, we'll see how
the majority of people feel, but we'll need to know quickly if we want
to set this up.
Most people believe we should have a weekend-long conference, rather
than a day because some are willing to fly in for it and because we have
so many people interested in the subject. I agree. I'd like to thank
Craig Pepmiller for his suggestions, and his "sample weekend" which lays
out a set of possible conferences.

I also thank all the people who had suggestions for specific people to
speak. The names to come up the most were: Several people for Y. Radai,
several people for Fred Cohen, several people for me (honest, I didn't
say a thing!), and one person who asked for a member of Panda systems to
speak. As well we had two people ask if we could get Robert Slade to
bring his material on viruses down, 3 people who wanted to know where
they could get copies of Fred Cohen's booklets (I have some material,
but not all), and if they could get copies of my book (It ISN'T
published yet!)

We had questions about hotel accommodations and expenses. I think we
will have to end up charging something so we can have food at the
conference, coffee, donuts, and so on. It will be a non-profit
conference however. Also, for overnight guests, we'll need hotel
accommodations. If any companies are interested in donations???

We were asked whether or not this would be an "official" conference, so
it could be university sponsored by different universities. Yes, I don't
see a problem with that. I also see no problem with sending personal
invitations to help get colleges to pay for certain people's trips to
the conference.

Craig also suggested that for people who cannot get to the conference,
have it video taped. I like that idea. If anyone has suggestions for
topics, please send them. As well, several people suggested that we have
the speeches published and sent out to whoever wants them and can't make
it. I see no problem with that, but we'll probably have to charge a
small fee for it.

I was incorrect on my time from Chicago to ABE airport. It is not 15
minutes, it is more like an hour.
Prices are still in question however, I will check them. Prof. Larky
also points out that ABE is serviced by United, USAir, Northwest,
Eastern and several regional airports.

For people who asked whether the Lehigh Valley has any computer
significance... BITE YOUR TONGUE! Charles Brown (anyone remember him)
was out here a while back to give a speech. He told us that the Lehigh
Valley was the original, the one and ONLY silicon valley. The Valley, he
said, is where the computer was conceived and where the microchip was
first invented. We also have Bell Labs here, AT&T solid state labs,
AT&T, Bell Atlantic, a small IBM outpost, Unisys, Digital servicing,
Lehigh University, Homer Research Labs, and quite a few other little
places. (We don't have HP or Epson out here, and that has always
depressed me.)

That is all for now, I'll have more as it develops. Keep the comments
coming in, and I will set up a definitive date, a definite place and
schedule it. Again, we had one volunteer to work on the conference and
three others that hinted at it. Anyone interested in helping?

Thank you,

Loren Keim

Also, for the person who mentioned that I don't have headers and that
makes life difficult, I am sorry, I'll try to remember to put headers on
from now on. We are using IBM equipment though, so instead of Digital
equipment asking for a header, we must physically tab to the header
field and insert one (Horrors, a machine that doesn't do it for me!)

=========================================================================
Date:         Tue, 2 Aug 88 22:26:50 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University
Subject:      Conference Notes

Another quick note: Some questions came up from various people that I
neglected to answer.

WHEN would we have such a conference?
If we hold it too soon, people won't have time to plan it into their
schedules, but if we have it this year yet and after mid October, we're
running the risk of hitting Profs' midterms and finals. I'm leaning
towards the second weekend in October.

I'd also like to know if enough people would be interested in attending.
We've had around 60 replies, but that doesn't mean they are definitely
coming. I'd like to know who is seriously interested in such a
conference so we can plan ahead. I don't see a serious problem because
we are said to have around 6000 people on this listserv (this is an
unsupported number because this is a closed listserv and we cannot ask
it who is on or how many).

We've also gotten some final comments asking "Oh Where Oh Where is David
Slade?"

Loren Keim

=========================================================================
Date:         Wed, 3 Aug 88 10:27:46 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Re: Conference Notes
In-Reply-To:  Message of Tue, 2 Aug 88 22:26:50 EDT from

Loren states that there are 6000 people on this forum. Loren, I don't
know where you got that number but, for the record, there are
approximately 450 current subscribers to the list, including about 15 to
20 redistribution points with an unknown number of readers at each.

Just thought that I'd clear that up...

Ken

Kenneth R. van Wyk                     Milo: We're out of helium for the
User Services Senior Consultant              balloons! Who's been suckin'
Lehigh University Computing Center           the helium?!
Internet:                              Gang: Not me! Not me! ...
BITNET:                                Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Wed, 3 Aug 88 10:56:52 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         OJA@NCCIBM1

Re: occasional requests for means of contacting Eric Newhouse

Since this request pops up about every couple of months, I'll leave the
answer on the list....
Eric Newhouse has no BitNet access at this time. He can be accessed through the BBS he runs, The Crest BBS in Los Angeles, CA: (213) 471-2518

His mailing address is
Eric Newhouse
1834 Old Orchard Rd.
Los Angeles, CA 90049
USA

If anyone wants to relay messages to him, I am willing to do it since I call him on the BBS twice a month at least. (Do I ever need PC Pursuit! :-) No ad intended, just a comment on a modem-weary phone bill.) In a few months, a couple of the BBS systems that I work with are seeking to add the capability to connect to USENET. Maybe with a more "PC-ready" access, Eric Newhouse can have a BITNET link.

Thank you.

PS: Ken, my apologies for the file slipping through. Still experimenting with the various TRANSMIT options that are supposed to turn files into messages. If anyone is using TRANSMIT on an MVS / TSO system, please let me know how you do it. Thank you.

=========================================================================
Date:         Wed, 3 Aug 88 12:32:50 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University
Subject:      Conference Notes

First, thanks Ken for clearing up the number of people on the list. I thought my information was a bit high. (Shame, Chris, Shame).

Second, we've gotten quite a few interesting comments on speakers. We've gotten more people asking for speakers. The only new addition is Dr. Highland. I am unfamiliar with him, or perhaps I'm not putting him in the right context.

The majority of people who wrote asked about panel conferences. To tell the truth, I would rather have a few speeches given, and have some roundtable discussion groups. I'm sure some would be interested in listening to lectures, but I think we'd get a bit more out of some discussion groups as well.

We had two people also ask that the conference be located near Philadelphia. Again, if we hold it in the Valley or at Lehigh, we are 45 minutes up route 309 (Broad St Philly)...
provided you don't hit too many lights. Or an hour and 15 min up the turnpike.

I'd still like to hear from people interested in the conference and I'd like to know if the second weekend in October is too early. I am sure I can set up a good conference by that time; I'm more worried about people working it into their schedules.

Regarding hotels, we have quite a variety of them. The range is 28 dollars a night up to 115 dollars a night. You can get very nice accommodations here for around 35 a night, or even nice accommodations for a little less. The total conference cost (without hotel) we could probably squeeze in for around 25.00 including a dinner. I have checked and we can hold a nice banquet for about 35 a person, and we can add on another 5-15 for snacks at the conference and booklets to go along with the conference. Any preference?

Loren

=========================================================================
Date:         Wed, 3 Aug 88 12:38:40 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University
Subject:      Speakers

Aha! Dr. Highland is editor of Computers and Security. We have also had two suggestions to add a bit onto the price tag of the conference in order to help pad the trips of keynote speakers to the conference. Suggestions?

Loren Keim

=========================================================================
Date:         Wed, 3 Aug 88 16:44:27 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Naama Zahavi-Ely
Subject:      Virus outbreak -- Brain type?

Hello! We seem to have a small outbreak of a virus here at Yale University. The virus resides on the boot sector of any diskette (DSDD or DSHD -- we did not try any 3.5" disks). It does not seem to infect hard disks. Typically, somebody would try to start a computer with an infected disk and get only a blinking cursor. When the computer would not start normally, the user would get some other system disk and do a warm boot.
At this stage, if the new system disk is not write-protected, the viral code gets written onto its boot sector and the user still has a blinking cursor only. If the new system disk is write-protected, the machine seems to start normally; however, the virus code is still in memory and any subsequent warm boot with a non-write-protected disk infects that disk. Any other disk accesses -- format, copy, dir, del, cd -- do not seem to spread this virus.

As far as I can tell, this seems to be a variant of the Brain virus; however, there is no Brain or brain signature anywhere in it (or any other recognizable text, for that matter). The obvious solution would be to educate users to use write-protected boot disks and to cold-boot the computer whenever they start a session. Is there anything else we should watch out for? Does anybody have any experience with this specific virus? We'll be glad for any help!

Thank you in advance,
Naama Zahavi-Ely
Staff Resource Specialist
Project ELI
Yale University
(203) 432-6600 ext.341

=========================================================================
Date:         Wed, 3 Aug 88 14:03:54 CST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         James Ford
Subject:      Flushot3

WARNING! A hacked program called (oddly enough) FLUSHOT3 is on the loose. This program is apparently a true virus. People interested in this should contact:

Tom Sobczak
2580 Grand Av.
Baldwin NY 11510
(516) 867-3550

The program was found infecting the computers of a well known communications company. I do not personally know this person, but he is looking for info on viruses (basically, recurring infection patterns, etc). He would like any/all information, and will exchange with you whatever information he has.
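Naama Zahavi-Ely's Yale report above makes a point worth acting on: the suspect boot sector carries no "Brain" text, so a string search finds nothing, while the thing that has actually changed is the loader code after the initial JMP. The check a practitioner wants instead compares the suspect sector, read raw after a cold boot from a clean write-protected disk, against a known-good DOS boot sector of the same format: BPB fields, bootable signature and a hash of the loader bytes. The script below is an added example, not code from the thread or from any of its authors; the two 512-byte sectors it builds are constructed for illustration (a plausible 360K BPB and made-up loader bytes) and are not images of any real disk or virus.

```python
"""Compare a floppy boot sector against a known-good reference (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B         # BIOS Parameter Block follows the 3-byte JMP and 8-byte OEM label
BPB_FORMAT = "<HBHBHHBH"  # bytes/sector, sectors/cluster, reserved, FATs, root entries,
                          # total sectors, media descriptor, sectors/FAT
SIG_OFFSET = 0x1FE        # 0x55AA bootable-sector marker


def parse_boot_sector(sector):
    """Return the fields an analyst looks at first: JMP target, OEM label, BPB, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[0] == 0xEB:                                   # JMP SHORT rel8 ; NOP
        code_start = 2 + struct.unpack_from("<b", sector, 1)[0]
    elif sector[0] == 0xE9:                                 # JMP NEAR rel16
        code_start = 3 + struct.unpack_from("<h", sector, 1)[0]
    else:
        code_start = 0                                      # no jump: treat everything as code
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "num_fats",
             "root_entries", "total_sectors", "media_descriptor", "sectors_per_fat")
    info = dict(zip(names, struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)))
    info["oem_label"] = sector[3:11].decode("ascii", "replace")
    info["code_start"] = code_start
    info["bootable_signature"] = sector[SIG_OFFSET:] == b"\x55\xAA"
    return info


def loader_code_hash(sector):
    """SHA-256 over the loader code only, so an identical label/BPB cannot mask a changed loader."""
    start = parse_boot_sector(sector)["code_start"]
    return hashlib.sha256(sector[start:SIG_OFFSET]).hexdigest()


def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len bytes: the crude 'look for the Brain text' check."""
    out, run = [], bytearray()
    for b in data + b"\x00":                                # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def compare_to_reference(sector, reference):
    """List the ways `sector` differs from a known-good boot sector; empty list means it matches."""
    findings = []
    got, want = parse_boot_sector(sector), parse_boot_sector(reference)
    if not got["bootable_signature"]:
        findings.append("missing 0x55AA signature")
    for k in ("oem_label", "bytes_per_sector", "total_sectors", "media_descriptor"):
        if got[k] != want[k]:
            findings.append(f"BPB field {k} differs: {got[k]!r} vs {want[k]!r}")
    if loader_code_hash(sector) != loader_code_hash(reference):
        findings.append("loader code differs from reference")
    hits = [s for s in printable_strings(sector) if "brain" in s.lower()]
    if hits:
        findings.append("text signature found: " + ", ".join(hits))
    return findings


# --- constructed sample sectors for this example; not images of any real disk or virus ---

def _build_sector(oem, bpb, loader):
    header = b"\xEB\x3C\x90" + oem.ljust(8).encode("ascii") + struct.pack(BPB_FORMAT, *bpb)
    header = header.ljust(0x3E, b"\x00")                    # JMP target is 0x3E (2 + 0x3C)
    return (header + loader).ljust(SIG_OFFSET, b"\x00") + b"\x55\xAA"


BPB_360K = (512, 2, 1, 2, 112, 720, 0xFD, 2)               # classic DS/DD 5.25" geometry
CLEAN_LOADER = bytes.fromhex("FA33C08ED0BC007CFB") + b"Non-System disk or disk error"
CLEAN_SECTOR = _build_sector("MSDOS3.3", BPB_360K, CLEAN_LOADER)
# Same label and BPB, different loader bytes, and deliberately no readable text in it:
INFECTED_LOADER = bytes.fromhex("FA8CC88ED88ED0BC007CCD13") * 6
INFECTED_SECTOR = _build_sector("MSDOS3.3", BPB_360K, INFECTED_LOADER)

if __name__ == "__main__":
    print("clean vs reference:   ", compare_to_reference(CLEAN_SECTOR, CLEAN_SECTOR))
    print("infected vs reference:", compare_to_reference(INFECTED_SECTOR, CLEAN_SECTOR))
    print("strings in infected:  ", printable_strings(INFECTED_SECTOR))
```

Run against the constructed pair, the string check reports only the OEM label for the altered sector, while the loader hash flags it; that is the situation the Yale report describes, and it is why a reference comparison (or at least a hash of each clean system disk's boot sector, kept off-line) is worth more than a signature search for a variant with its text stripped.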
James

=========================================================================
Date:         Thu, 4 Aug 88 18:18:00 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         John Stewart
Subject:      RE: Campus virus letter

To the group: (especially Len Levine)

I reviewed your virus letter that you put on the list last Wednesday, and I found it to be very useful. I am in the process of researching and preparing much the same type of paper for our university. I do have a couple of suggestions that you may find useful, and then again you may not....

I agree with the earlier posting (I forgot who it was), which criticized the grave tone of a good bit of the paper. I don't know about your university, but I don't feel that we are in that deep of a threat of our own students inventing such beastly programs. I say this because I myself am a student, and I know the majority of the Computer Science types on the campus. I simply don't feel that anyone here has that much knowledge and capability. (You must realize that I attend a smaller university than most... we average 13,000 students in the Fall over the past couple of years). What I do fear is the HIGH probability that these students have been in contact with some of the other students at other universities and will, either by accident or on purpose, return with some sort of Virus program in their software.

You mentioned in your posting that 'your audience will be faculty and staff who are reasonable, but do not understand computers or computing'. I feel that this is a good estimate of my intentions for my audience. With this in mind I feel that the material needs to be explained a little better. Not even ALL of our Computer Science majors know what a Virus is; I surely don't expect a chemistry professor to deduce my meaning of a VIRUS in the context of the article. With this in mind I have decided to begin my article with a definition or two, positively to include that of a VIRUS.
THIS IS WHERE I WOULD LIKE SOME HELP FROM 'THE GROUP'. Below I will _attempt_ to derive some sort of definition, and would greatly appreciate any and all criticism and suggestions!

Computer Virus - A program which poisons one's computer software. A program which is usually capable of attaching itself to other programs upon the execution of any number of DOS commands. Usually written with malicious intent, capable of performing any task from displaying a simple message, to destroying hardware AND software. These programs can be made to execute their malicious acts upon any pre-determined sequence of events, such as a certain keystroke or at a specified date and time. These programs usually are not visible by the simple DOS "DIR" command, making them 'invisible' to the unsuspecting user.

..well? Please, I make no attempt at declaring myself to be a VIRUS expert, or even extensively knowledgeable of them. I merely do the best I can. I would appreciate any hints, revisions, advice, etc.

Finally, thank you Len for providing the article to base our defenses upon.

+------------------------------------------------------------------------------+
: John Stewart                            Net Address jstewart@sfaustin.BITNET :
: Technical/Academic Support Programmer   Office (409) 568-1020                :
: Stephen F. Austin State University      Modem  (409) 568-1334                :
: Nacogdoches, Tx 75962 (U.S.A.)                                               :
+------------------------------------------------------------------------------+

=========================================================================
Date:         Thu, 4 Aug 88 17:59:20 PDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         MESSAGE AGENT
Subject:      Re: Flushot3

Dear Virus Discussion List,

This is an automatic reply. Feel free to send additional mail, as only this one notice will be generated. The following is a prerecorded message, sent for Stephen D. Franklin:

I'm away from e-mail until 11 August.
-- sdf

=========================================================================
Date:         Fri, 5 Aug 88 07:48:52 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      RE: Campus virus letter
In-Reply-To:  Message of Thu, 4 Aug 88 18:18:00 CDT from

> I say this because I myself am a student, and
> I know the majority of the Computer Science types on the campus. I simply
> don't feel that anyone here has that much knowledge and capability.

You'd be surprised... The sad fact is that writing a relatively simple virus does not require all that much knowledge and/or capability. The average CS student (particularly one who's done some 8088) could write a PC virus in very little time. All it takes is the inclination to do so. I'm sure that none of your university's students are ever disgruntled for one reason or another...?

> realize that I attend a smaller university than most... we average 13,000
> students in the Fall over the past couple of years).

Lehigh has about 6000 (4000 undergrad, 2000 grad)...

> What I do fear is the HIGH probability
> that these students have been in contact with some of the other students at
> other universities...

That's definitely a real threat, but don't write off an inside job.

> Computer Virus - A program which poisons one's computer software. A program
> which is usually capable of attaching itself to other programs upon the
> execution of any number of DOS commands. Usually written with malicious
> intent, capable of performing any task from displaying a simple message, to
> destroying hardware AND software. These programs can be made to execute
> their malicious acts upon any pre-determined sequence of events, such as a
> certain keystroke or at a specified date and time. These programs usually
> are not visible by the simple DOS "DIR" command, making them 'invisible' to
> the unsuspecting user.

Sounds a little like terror tactics, imho.
Fred Cohen's definition of a virus goes something like: A program which attaches itself to another program and, upon interpretation, copies (a possibly evolved version of) itself to other program(s). (This isn't verbatim, but the gist of it is pretty much the same...)

Perhaps if you start by just defining a virus for what it is, and point out that a virus can also carry a Trojan horse which can be triggered to be activated sometime in the future. It's probably not a good idea to hype up the idea of a virus; just treat it as a program like any other program. My opinion...

Ken

Kenneth R. van Wyk                   Milo: We're out of helium for the
User Services Senior Consultant            balloons! Who's been suckin'
Lehigh University Computing Center         the helium?!
Internet:                            Gang: Not me! Not me! ...
BITNET:                              Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Fri, 5 Aug 88 09:30:16 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Russell Nelson
Subject:      How to convince

I'm Clarkson's micro wizard. If we get hit with a virus, everyone will turn to me to fix it. I'm the recognized expert. However, when I cry "virus coming", no one believes me. They all believe in the ostrich theory of virus prevention -- don't talk about it and the students won't write/import them. Fortunately, they do think that people should be warned to reboot before using a public machine. Is there any validity to their point or *should* we tell the students about viruses?

-russ

=========================================================================
Date:         Fri, 5 Aug 88 10:20:20 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Re: How to convince
In-Reply-To:  Message of Fri, 5 Aug 88 09:30:16 EDT from

> Is there any validity to their point or *should* we tell the students
> about viruses?
I think that our case, here at Lehigh, shoots their "ostrich theory" down the tubes; we didn't tell our students about viruses, and we did get infected by a virus. Prior to the attack, there was little in the way of virus education, with the notable exception of Dr. Cohen's course in Computer Security. It's possible that one of his students learned about viruses from his course...but that is largely a moot point now with all of the publicity that viruses have received in the last 8 months or so.

My feeling is that *not* telling them about viruses, at this point, is the danger; they've probably already heard about them, and may even feel like experimenting now. The reason that it is dangerous to not tell them is that they (currently) have no way of knowing what dangers exist other than what they may have read in the press... Tell/warn them about viruses and they might a) be more careful in sharing programs, b) make safe backups to protect themselves, c) try to write their own.

Ken

Kenneth R. van Wyk                   Milo: We're out of helium for the
User Services Senior Consultant            balloons! Who's been suckin'
Lehigh University Computing Center         the helium?!
Internet:                            Gang: Not me! Not me! ...
BITNET:                              Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Fri, 5 Aug 88 10:09:17 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Naama Zahavi-Ely
Subject:      Re: How to convince
In-Reply-To:  Message of Fri, 5 Aug 88 09:30:16 EDT from

I am not sure that detailed warnings about viruses are necessary (there are so many rumors about them anyway). I do think one should warn users to take the following precautions:

1. Use a write-protected system disk whenever possible.
2. When you start using a public machine, TURN IT OFF first, then turn it on with your system disk in drive A. Just booting (warm booting) would not be enough -- we had a virus that spread itself that way.
Naama Zahavi-Ely
Yale University

=========================================================================
Date:         Fri, 5 Aug 88 12:47:19 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Loren K Keim -- Lehigh University
Subject:      Viruses - The Unspoken Word

Russ,

I think we've had quite a few of these arguments before about teaching viruses. I don't think it was the... (Again, please excuse my typing, this modem program hates my backspace.) I don't think it was the swiftest idea in the world to publicly announce how to defeat systems, but then didn't Popular Mechanics tell us how to create an atomic bomb?

Ken, I hate to correct you, but Fred taught a full course on computer security; he went over viruses in detail and he taught quite a few seminars on the theory, if I remember correctly. He also gave out copies of his thesis on viruses and asked several students to write viruses for him, including John Hunt if memory serves. He also went over his articles and they were posted on bulletin boards. To me that is teaching viruses, and I honestly think that because he taught them, we received one. Someone tells me that he even went over COMMAND.COM viruses as an example one time.

Now, Fred tells us that we are lucky he discovered viruses before someone else did. He might be right. But the people from University of California and people from the AI systems here at Lehigh tell me that all he did was create waves and destroy machines. Whether or not he himself did damage, 3 different colleges tell me he did. Is this proliferation of viruses due to his talks and papers? Or would it have eventually come anyway? The flipside is that many people claim viruses have been with us since 1972, but they were small and didn't hit very hard because all systems were unconnected and in the hands of computer experts, where now we have large networks and everybody has a computer and doesn't know much about it.
At this point in time, we've had far too many problems to try to quiet the subject. If students don't hear it from you, they will hear it elsewhere. I think it is a good idea to warn people of the potential problems. (That's it, I'm going out and getting a new modem program. Or a copy of Kermit would do it).

Loren

=========================================================================
Date:         Fri, 5 Aug 88 14:36:17 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Re: Viruses - The Unspoken Word
In-Reply-To:  Message of Fri, 5 Aug 88 12:47:19 EDT from

> Ken, I hate to correct you, but Fred taught a full course
> ...
> bulletin boards.

True. I should have been more specific, and I did say that Dr. Cohen's course was a notable exception. What I meant was that we, the Computing Center, didn't educate our computer users, as a whole, on viruses. Yes, many students took Dr. Cohen's course, and they should've been knowledgeable on viruses, but I did mean the computing community, as a whole.

As for whether teaching about viruses catalyzes the problem or not, I still feel that it is largely a moot point since the cat *is* out of the bag, so to speak. The best that we can do at this point is to warn our users of the potential for disaster.

Ken

Kenneth R. van Wyk                   Milo: We're out of helium for the
User Services Senior Consultant            balloons! Who's been suckin'
Lehigh University Computing Center         the helium?!
Internet:                            Gang: Not me! Not me! ...
BITNET:                              Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Fri, 5 Aug 88 13:27:00 MDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         CEARLEY_K%wizard@VAXF.COLORADO.EDU
Subject:      Timer TSR's

> You cannot implement this idea in software.

Loren - It's actually not as hard as I made it sound(?). The 8253 timer chip on the PC (8254 on the AT) invokes IRQ 8 18.2 times per second by default.
This interrupt can be trapped by the TSR. 18.2 is not etched in silicon; channel 0 of this chip can be modified for faster intervals. This technique allows a simple method for multi-tasking PC applications and can be employed to implement the strategy I discussed.

> The idea you present makes the microcomputer unusable unless it
> has multiple motherchips.

This occurs transparently to any application currently executing in the PC.

*-----------------------------------------------------------------------*
| Kent Cearley                 | CEARLEY_K@COLORADO.BITNET              |
| Management Systems           |                                        |
| University of Colorado       | "All truth contains its own            |
| Campus Box 50                |  contradiction"                        |
| Boulder, CO 80309            |                                        |
*-----------------------------------------------------------------------*

=========================================================================
Date:         Fri, 5 Aug 88 15:36:01 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Len Levine
Subject:      Re: Campus virus letter
In-Reply-To:  Message from "John Stewart" of Aug 4, 88 at 6:18 pm

>
> To the group: (especially Len Levine)
>
> I reviewed your virus letter that you put on the list last Wednesday,
> and I found it to be very useful. I am in the process of researching, and
> preparing much the same type of paper for our university. I do have a couple of
> suggestions that you may find useful, and then again you may not....
> I agree with the earlier posting (I forgot who it was), which criticized
> the grave tone of a good bit of the paper. I don't know about your university,
> but I don't feel that we are in that deep of a threat of our own students
> inventing such beastly programs. I say this because I myself am a student, and
> I know the majority of the Computer Science types on the campus. I simply don't
> feel that anyone here has that much knowledge and capability. (You must realize
> that I attend a smaller university than most... we average 13,000 students in
> the Fall over the past couple of years). What I do fear is the HIGH probability
> that these students have been in contact with some of the other students at
> other universities and will, either on accident or on purpose, return with some
> sort of Virus program in their software.
> You mentioned in your posting that 'your audience will be faculty and staff
> who are reasonable, but do not understand computers or computering'. I feel
> that this is a good estimate of my intentions for my audience. With this in
> mind I feel that the material needs to be explained a little better. Not even
> ALL of our Computer Science majors know what a Virus is, I surely don't expect
> a chemistry professor to deduce my meaning of a VIRUS in the context of the
> article. With this in mind I have decided to begin my article with a definition
> or two, positively to include that of a VIRUS. THIS IS WHERE I WOULD LIKE SOME
> HELP FROM 'THE GROUP'. Below I will _attempt_ to derive some sort of
> definition, and would greatly appreciate any and all criticism and suggestions!
>
> Computer Virus - A program which poisons ones computer software. A program
> which is usually capable of attaching itself to other programs upon the
> execution of any number of DOS commands. Usually written with malicious intent,
> capable of performing any task from displaying a simple message, to destroying
> hardware AND software. These programs can be made to execute their malicious
> acts upon any pre-determined sequence of events, such as a certain keystroke or
> at a specified date and time. These programs usually are not visible by the
> simple DOS "DIR" command, making them 'invisible' to the unsuspecting user.
>
> ..well? Please, I make no attempt at declaring myself to be a VIRUS expert, or
> even extensively knowledgeable of them. I merely do the best I can. I would
> appreciate any hints, revisions, advice, etc.
>
> Finally, thank you Len for providing the article to base our defenses upon.
I received several letters like this, and will rewrite the first sections of the memo to reflect this. Thanks. I will send the final copy to this net and expect that people will steal freely from it.

Thanks for the help.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu   |
| Professor, Computer Science        Office (414) 229-5170           |
| University of Wisconsin-Milwaukee  Home   (414) 962-4719           |
| Milwaukee, WI 53201 U. S. A.       Modem  (414) 962-6228           |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=========================================================================
Date:         Fri, 5 Aug 88 18:11:30 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Art Larky "
Subject:      Timer Ticks

>> You cannot implement this idea in software.

> Loren - Its actually not as hard as I made it sound(?). The 8253
> timer chip on the PC (8254 on the AT) invokes IRQ 8
> 18.2 times per second by default. This interrupt can be
> trapped by the TSR. 18.2 is not etched in silicon, channel
> 0 of this chip can be modified for faster intervals.
> This technique allows a simple method for multi-tasking
> PC applications and can be employed to implement the strategy
> I discussed.

It's not all that easy. DOS (and BIOS) are not re-entrant, so you would not be able to use any DOS or BIOS calls in your program since you would not know who was doing what where when you got the tick. Of course, like all other TSRs you'd have contention problems with the timer tick. What about all the other people (including DOS) who expect that tick to be at 18.2?

Art Larky
CSEE Dept
Lehigh Univ
BBS: (215) 974-4068

>> The idea you present makes the microcomputer unusable unless it
>> has multiple motherchips.

> This occurs transparently to any application currently
> executing in the PC.
> Kent Cearley | CEARLEY_K@COLORADO.BITNET |

=========================================================================
Date:         Fri, 5 Aug 88 21:22:18 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         David.Slonosky@QUEENSU.CA
Subject:      Virii and Screen Output

Given the open memory of DOS and the fact that (it seems) any program can take over the memory space of any other program, and also the fact that ROM BIOS calls can be used to create screen output, is it possible to create a virus which, after insertion into a program, is undetectable by a program like LIST.COM or a sector editor? In other words, once the virus knows that a program is doing a disk read of the section it's hiding in, can this hypothetical virus then fool the system into thinking that the legitimate code is still in place? I think that the capability to examine sectors on a disk is a big help in combating these things and wonder whether a clever virus could mask its existence in this fashion.

=========================================================================
Date:         Fri, 5 Aug 88 23:29:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Virii and Screen Output
In-Reply-To:  Message of 5 Aug 88 21:22 EDT from "David.Slonosky%QUEENSU.CA at CUNYVM.CUNY.EDU"

> ....is it possible to create a virus which, after insertion into a program is
> undetectable by a program like LIST.COM or a sector editor?

The short, obvious and trivial answer to your question is that if you can conceive it, and if it could be done by any other program, then it can be done by a virus.
Bill

=========================================================================
Date:         Fri, 5 Aug 88 23:44:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: How to convince
In-Reply-To:  Message of 5 Aug 88 09:30 EDT from "Russell Nelson"

> Is there any validity to their point or *should* we tell the students
> about viruses?

I do not know, but I do think that it is a good idea to teach them good hygiene. We teach small children to wash their hands long before they know about disease or how it is spread.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center, Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

=========================================================================
Date:         Sat, 6 Aug 88 07:46:53 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Gerbil virus?

Loren - in reading a previous VIRUS-L posting of yours, I see that you mention having knowledge of a Gerbil virus. Could you please tell us more about that specific virus?

Ken

Kenneth R. van Wyk                   Milo: We're out of helium for the
User Services Senior Consultant            balloons! Who's been suckin'
Lehigh University Computing Center         the helium?!
Internet:                            Gang: Not me! Not me! ...
BITNET:                              Opus: Eeeeeep! Eeeeeep!

=========================================================================
Date:         Sat, 6 Aug 88 10:41:49 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "David M. Chess"
Subject:      Viruses and Screen Output

David.Slonosky@QUEENSU.CA wonders if a very clever virus couldn't "hide" really well by subverting the output from sector-examiners and things, to lie about the true condition of the disk, and make it look like things are normal (uninfected). As someone else said, the answer is sort of "yes".
On the other hand, the simple way to do this (just intercepting the BIOS calls to read the sector of the disk that the virus is on, and returning a false "uninfected" image of the sector to the caller) won't really work for a virus, for the simple and amusing reason that such a virus could hardly spread! When you did a COPY, or a LOAD-AND-EXECUTE, or a boot, or whatever, the system would call BIOS to get the code to execute, the virus would intercept that call and return an uninfected image, the system would then copy (or load, or boot from) that uninfected image, and it would be as though the virus never existed! So it wouldn't spread very well.

To make this work, a virus would have to be REAL clever, and present an uninfected image when examination was being done, but an infected image when the data was actually going to be used as code. Sounds sort of hard to do, to say the least... Not to say that it's impossible, of course. But it's not as simple as it might seem.

DC

X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X
Another file downloaded from: The NIRVANAnet(tm) Seven

  & the Temple of the Screaming Electron   Taipan Enigma        510/935-5845
  Burn This Flag                           Zardoz               408/363-9766
  realitycheck                             Poindexter Fortran   510/527-1662
  Lies Unlimited                           Mick Freen           801/278-2699
  The New Dork Sublime                     Biffnix              415/864-DORK
  The Shrine                               Rif Raf              206/794-6674
  Planet Mirth                             Simon Jester         510/786-6560

                        "Raw Data for Raw Nerves"
X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X
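The exchange between David Slonosky, Bill Murray and David Chess above is easier to reason about with a model in front of you. The simulation below is an added example, not code from the thread or from any of its authors, and it models no particular real virus: a disk is a dict of 512-byte sector images, the "BIOS" is a hookable read/write service standing in for INT 13h, and a virus is a resident object that patches that service. `NaiveStealthVirus` is exactly the scheme Chess describes: it answers every read of its own sector with the clean image, so a sector editor sees nothing, but a sector-by-sector copy made through the same service is clean too and the virus does not travel. `SpreadingStealthVirus` goes one step beyond his message, in the direction Naama Zahavi-Ely's Yale report already describes operationally: the resident copy writes itself onto any unprotected disk that is booted while it is in memory, so the infected image never has to pass back through the read hook, and the lie to the sector editor costs it nothing. `cross_view_check` is the matching detection idea, a comparison of what the hooked service returns with a read that bypasses it (in practice, the same sector read after a cold boot from a clean write-protected disk).

```python
"""Stealth boot-sector virus simulation (added example; not a model of any real virus)."""

CLEAN_BOOT = b"CLEAN-BOOT-SECTOR".ljust(512, b"\x00")   # constructed sector images
VIRUS_BODY = b"VIRAL-BOOT-SECTOR".ljust(512, b"\xCC")


class Disk:
    """A diskette: sector number -> 512-byte image. raw_* is what the hardware really holds."""
    def __init__(self, name, boot, write_protected=False):
        self.name, self.write_protected = name, write_protected
        self.sectors = {0: boot}

    def raw_read(self, n):
        return self.sectors.get(n, bytes(512))

    def raw_write(self, n, data):
        if self.write_protected:
            raise PermissionError(f"{self.name} is write-protected")
        self.sectors[n] = data


class Bios:
    """Hookable disk service standing in for INT 13h. handler(op, disk, n, data, chain)."""
    def __init__(self):
        self.handler = self._default

    def _default(self, op, disk, n, data=None, chain=None):
        if op == "read":
            return disk.raw_read(n)
        disk.raw_write(n, data)

    def hook(self, new_handler):
        """Install new_handler in front of the current one, the way a TSR patches a vector."""
        old = self.handler
        self.handler = lambda op, disk, n, data=None: new_handler(op, disk, n, data, old)

    def read(self, disk, n):
        return self.handler("read", disk, n)

    def write(self, disk, n, data):
        self.handler("write", disk, n, data)


class NaiveStealthVirus:
    """Infects the boot disk, then answers every BIOS read of sector 0 with the clean image."""
    def __init__(self, bios, disk):
        self.clean_image = disk.raw_read(0)
        disk.raw_write(0, VIRUS_BODY)            # initial infection, below the hook
        bios.hook(self._handler)

    def _handler(self, op, disk, n, data, chain):
        if op == "read" and n == 0 and disk.raw_read(0) == VIRUS_BODY:
            return self.clean_image               # lie to whoever is asking
        return chain(op, disk, n, data)


class SpreadingStealthVirus(NaiveStealthVirus):
    """Same lie, but the resident copy writes itself onto any unprotected disk it sees booted."""
    def _handler(self, op, disk, n, data, chain):
        if (op == "read" and n == 0 and disk.raw_read(0) != VIRUS_BODY
                and not disk.write_protected):
            disk.raw_write(0, VIRUS_BODY)         # infect directly; no read of the body needed
        return super()._handler(op, disk, n, data, chain)


def sector_editor_view(bios, disk):
    """What a sector editor sees: it goes through the (hooked) BIOS like everything else."""
    return bios.read(disk, 0)


def diskcopy(bios, src, dst):
    """Sector-by-sector copy through the BIOS, like COPY or DISKCOPY would."""
    for n in src.sectors:
        bios.write(dst, n, bios.read(src, n))


def cross_view_check(bios, disk, n=0):
    """True when the BIOS view and a raw read disagree: something resident is editing reads."""
    return bios.read(disk, n) != disk.raw_read(n)


def demo_naive():
    bios, a = Bios(), Disk("A", CLEAN_BOOT)
    NaiveStealthVirus(bios, a)
    b = Disk("B", CLEAN_BOOT)
    diskcopy(bios, a, b)
    return {"editor_sees_clean": sector_editor_view(bios, a) == CLEAN_BOOT,
            "a_really_infected": a.raw_read(0) == VIRUS_BODY,
            "copy_infected": b.raw_read(0) == VIRUS_BODY,      # False: Chess's point
            "cross_view_flags_a": cross_view_check(bios, a)}


def demo_spreading():
    bios, a = Bios(), Disk("A", CLEAN_BOOT)
    SpreadingStealthVirus(bios, a)
    b = Disk("B", CLEAN_BOOT)
    diskcopy(bios, a, b)
    copy_was_clean = b.raw_read(0) == CLEAN_BOOT
    bios.read(b, 0)                               # later: someone boots B, virus still resident
    wp = Disk("W", CLEAN_BOOT, write_protected=True)
    bios.read(wp, 0)                              # a write-protected boot disk is left alone
    return {"copy_was_clean": copy_was_clean,
            "b_infected_after_boot": b.raw_read(0) == VIRUS_BODY,
            "write_protected_safe": wp.raw_read(0) == CLEAN_BOOT,
            "editor_sees_b_clean": sector_editor_view(bios, b) == CLEAN_BOOT}


if __name__ == "__main__":
    print("naive:    ", demo_naive())
    print("spreading:", demo_spreading())
```

The two demos give the two halves of the argument: with the naive hook the copy is clean and the virus dies out, as Chess says, while a resident copy that infects at boot time spreads regardless of what the read hook returns, and only the write-protected disk stays clean. In both cases the cross-view comparison catches the lie, which is the practical reason to examine a suspect diskette from a machine cold-booted off a clean, write-protected system disk rather than from the machine that may already be carrying the virus in memory.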