=========================================================================
Date:         Thu, 1 Sep 88 08:05:02 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Frank San Miguel
Subject:      Re: Dup Mail
In-Reply-To:  Your message of Wed, 31 Aug 88 18:49:20 EDT

I received the mail about FluShot complaints twice. Once I'd deleted it, then it was there the next day...

Frank
=========================================================================
Date:         Thu, 1 Sep 88 09:19:34 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Kenneth R. van Wyk"
Subject:      Monthly info from Ken

[ Last modified 29-July-88 - Ken van Wyk ]

Welcome! This is the monthly introduction posting for VIRUS-L, primarily for the benefit of any newcomers. Apologies to all subscribers who've already read this in the past (you'll only have to see it once a month and you can, if you're quick, press the purge key...:-).

What is VIRUS-L?

It is an electronic mail discussion forum for sharing information about computer viruses. Discussions should include (but not necessarily be limited to): current events (virus sightings), virus prevention (practical and theoretical), and virus questions/answers. The list is non-moderated and non-digested. That means that any message coming in goes out immediately. Weekly logs of submissions are kept for those people who prefer digest format lists (see below for details on how to get them).

What isn't VIRUS-L?

A place to spread hype about computer viruses; we already have the Press for that. :-) A place to sell things, to panhandle, or to flame other subscribers. If anyone *REALLY* feels the need to flame someone else for something that they may have said, then the flame should be sent directly to that person and/or to the list moderator (that'd be me, ).

How do I get on the mailing list?

Well, if you're reading this, chances are *real good* that you're already on the list. However, perhaps this document was given to you by a friend or colleague... So, to get onto the VIRUS-L mailing list, send a mail message to . In the body of the message, say nothing more than SUB VIRUS-L your name. LISTSERV is a program which automates mailing lists such as VIRUS-L. As long as you're either on BITNET, or any network accessible to BITNET via gateway, this should work. Within a short time, you will be placed on the mailing list, and you will get confirmation via e-mail.

How do I get OFF of the list?

If, in the unlikely event, you should happen to want to be removed from the VIRUS-L discussion list, just send mail to  saying SIGNOFF VIRUS-L. People, such as students, whose accounts are going to be closed (like over the summer...) - PLEASE signoff of the list before you leave. Also, be sure to send your signoff request to the LISTSERV and not to the list itself. Note that the appropriate node name is LEHIIBM1, not LEHIGH; we have a node called LEHIGH, but they are *NOT* one and the same.

How do I send a message to the list?

Just send electronic mail to  and it will automatically be redistributed to everyone on the mailing list. By default, you will NOT receive a copy of your own letters. If you wish to, send mail to  saying SET VIRUS-L REPRO

I can't submit anything to the list - what's wrong?

There have been a few cases where people found that they were unable to send anything in to VIRUS-L even though they were registered subscribers (only subscribers can participate). Let me try to explain. The LISTSERV program differentiates lowercase from UPPERCASE. So, if you've subscribed to the list as (for example) OPUS@BLOOM.COUNTY.EDU and your mail is actually coming through as Opus@Bloom.County.EDU, then the LISTSERV will think that you're not subscribed to the list. BITNET usernames and node names are automatically uppercased by the LISTSERV, but other network addresses are not. If your site (or you) should happen to make a change to, say, the system mailer such that it changes the case of your mail, there will be problems. If you're having problems submitting (you'll know this because the LISTSERV will say "Not authorized to send to VIRUS-L..."), try unsubscribing and re-subscribing. If that doesn't work, send me mail (LUKEN@LEHIIBM1.BITNET), and I'll try to fix things up.

What does VIRUS-L have to offer?

All submissions to VIRUS-L are stored in weekly log files which can be downloaded by any user on (or off) the mailing list; readers who prefer digest format lists should read only the weekly logs. There is also a small archive of some of the public anti-virus programs which are currently available. This archive, too, can be accessed by any user. All of this is handled automatically by the LISTSERV here at Lehigh University ().

How do I get files from the LISTSERV?

Well, you'll first want to know what files are available on the LISTSERV. To do this, send mail to  saying INDEX VIRUS-L. Note that filenames/extensions are separated by a space, and not by a period. Once you've decided which file(s) you want, send mail to  saying GET filename filetype. For example, GET VIRUS-L LOG8804 would get the file called VIRUS-L LOG8804 (which happens to be the monthly log of all messages sent to VIRUS-L during April, 1988). Note that, starting June 6, 1988, the logs are weekly. The new file format is VIRUS-L LOGyymmx where yy is the year (88, 89, etc.), mm is the month, and x is the week (A, B, etc.). Readers who prefer digest format lists should read the weekly logs and sign off of the list itself. Subsequent submissions to the list should be sent to me for forwarding.

Also available is a LISTSERV at SCFVM which contains more anti-virus software. This LISTSERV can be accessed in the same manner as outlined above, with the exceptions that the address is  and that the commands to use are INDEX PUBLIC and GET filename filetype PUBLIC.

What is uuencode/uudecode, and why do I need them?

Uuencode and uudecode are two programs which convert binary files into text (ASCII) files and back again. This is so binary files can be easily transferred via electronic mail. Many of the files on this LISTSERV are binary files which are stored in uuencoded format (the file types will be UUE). Both uuencode and uudecode are available from the LISTSERV. Uudecode is available in BASIC and in Turbo Pascal here. Uuencode is available in Turbo Pascal. Also, there is a very good binary-only uuencode/uudecode package on the LISTSERV which is stored in uuencoded format.

Why have posting guidelines?

To keep the discussions on-track with what the list is intended to be; a vehicle for virus discussions. This will keep the network traffic to a minimum and, hopefully, the quality of the content of the mail to a maximum. No one wants to read personal flames ad nauseam, or discussions about the pros and cons of digest-format mailing lists, etc.

What are the guidelines?

As already stated, there will be no flames on the list. Anyone sending flames to the entire list must do so knowing that he/she will be removed from the list immediately. Same goes for any commercial plugs or panhandling. Submissions should be directly or indirectly related to the subject of computer viruses. Responses to queries should be sent to the author of the query, not to the entire list. The author should then send a summary of his/her responses to the list at a later date. "Automatic answering machine" programs (the ones which reply to e-mail for you when you're gone) should be set to *NOT* reply to VIRUS-L. Such responses sent to the entire list are very rude and will be treated as such. When sending in a submission, try to see whether or not someone else may have just said the same thing. This is particularly important when responding to someone else's posting (which should be sent to that person *anyway*). It's very easy to get multiple messages saying the exact same thing. No one wants this to happen.

Thank you for your time and for your adherence to these guidelines. Comments and suggestions, as always, are invited. Please address them to me,  or .

Ken van Wyk

Kenneth R. van Wyk                    Calvin: Where do we keep the chainsaws?
User Services Senior Consultant       Mom: We don't have any!
Lehigh University Computing Center    Calvin: None?!
                                      Mom: None at all!
Internet:                             Calvin: Then how am I supposed to learn
BITNET:                               how to juggle?!
=========================================================================
Date:         Thu, 1 Sep 88 09:38:49 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Ken van Wyk
Subject:      Re: Dup Mail
In-Reply-To:  Your message of Thu, 1 Sep 88 08:05:02 CDT

> I received the mail about FluShot complaints twice. Once I'd
> deleted it, then it was there the next day...

Let's please keep any reports of duplicate mail off of the list. If anyone is having mail problems, please report them to me directly at either LUKEN@LEHIIBM1.BITNET or luken@Spot.CC.Lehigh.EDU.

Thanks!

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
=========================================================================
Date:         Thu, 1 Sep 88 13:18:11 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         David Ascher

Unsubscribe me. Thank you.
=========================================================================
Date:         Thu, 1 Sep 88 13:06:47 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Frank San Miguel
In-Reply-To:  Your message of Thu, 1 Sep 88 13:18:11 EDT

For what?
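Ken's monthly introduction above describes uuencode/uudecode only as "two programs which convert binary files into text (ASCII) files and back again". The following is an added example, not a program from the VIRUS-L archive or any of the BASIC/Turbo Pascal tools Ken mentions: a Python implementation of both directions, assuming the classic format (a "begin mode name" line, up to 45 input bytes per line, each 6-bit value written as chr(32 + value), with "`" standing in for zero so no line ends in a space, then a zero-length line and "end"). The encoder is cross-checked line by line against the standard library's binascii.b2a_uu, and the decoder also accepts the older space-for-zero variant.

```python
"""uuencode/uudecode by hand (added example, not code from the VIRUS-L archive)."""
from __future__ import annotations
import binascii

LINE_BYTES = 45  # maximum input bytes per encoded line in the classic format


def _enc(v: int) -> str:
    # One 6-bit value -> one printable character; zero is written as '`'.
    return "`" if v == 0 else chr(32 + v)


def _encode_line(chunk: bytes) -> str:
    # Length character first, then 4 characters per 3 input bytes (zero-padded).
    out = [_enc(len(chunk))]
    padded = chunk + b"\0" * (-len(chunk) % 3)
    for i in range(0, len(padded), 3):
        a, b, c = padded[i], padded[i + 1], padded[i + 2]
        out.append(_enc(a >> 2))
        out.append(_enc(((a & 0x03) << 4) | (b >> 4)))
        out.append(_enc(((b & 0x0F) << 2) | (c >> 6)))
        out.append(_enc(c & 0x3F))
    return "".join(out)


def uuencode(data: bytes, name: str, mode: int = 0o644) -> str:
    lines = [f"begin {mode:o} {name}"]
    lines += [_encode_line(data[i:i + LINE_BYTES]) for i in range(0, len(data), LINE_BYTES)]
    lines += ["`", "end"]  # zero-length data line, then the end marker
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> tuple[str, int, bytes]:
    """Return (name, mode, data) for the first begin/end block found in text."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("begin ")]
    if not starts:
        raise ValueError("no 'begin' line found")
    _, mode_str, name = lines[starts[0]].split(" ", 2)
    out = bytearray()
    for line in lines[starts[0] + 1:]:
        if line == "end":
            return name, int(mode_str, 8), bytes(out)
        if not line:
            continue
        n = (ord(line[0]) - 32) & 0x3F  # both ' ' and '`' decode to zero
        if n == 0:
            continue
        vals = [(ord(ch) - 32) & 0x3F for ch in line[1:]]
        vals += [0] * (-len(vals) % 4)  # tolerate encoders that drop trailing characters
        buf = bytearray()
        for i in range(0, len(vals), 4):
            a, b, c, d = vals[i:i + 4]
            buf += bytes(((a << 2) | (b >> 4), ((b & 0x0F) << 4) | (c >> 2), ((c & 0x03) << 6) | d))
        out += buf[:n]  # drop the padding bytes of the last group
    raise ValueError("missing 'end' line")


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written encoder against binascii.b2a_uu, line by line."""
    ours = uuencode(data, "x").splitlines()[1:-1]  # drop 'begin' and 'end'
    theirs = [
        binascii.b2a_uu(data[i:i + LINE_BYTES], backtick=True).decode("ascii").rstrip("\n")
        for i in range(0, len(data), LINE_BYTES)
    ] + ["`"]
    return ours == theirs


if __name__ == "__main__":
    blob = bytes(range(256)) * 3  # constructed sample "binary file"
    text = uuencode(blob, "blob.bin")
    name, mode, back = uudecode(text)
    print(text.splitlines()[0], "-", len(text.splitlines()), "lines")
    print("round trip ok:", back == blob, "| matches binascii:", matches_stdlib(blob))
```

The only state the decoder trusts from the text is the per-line length character; everything after it is masked to six bits, which is why a file mangled by a mailer that converted "`" to spaces (or stripped trailing blanks) still decodes.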
=========================================================================
Date:         Fri, 2 Sep 88 10:20:13 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Otto Stolz +49 7531 88 2645
Subject:      MS-DOS: new strain of virus?

Hello experts,

last night one of our staff members detected evidence of a virus that has infected every publicly accessible AT or compatible at our department (computing center of a university), and more than 50% of the ATs used by staff persons only. Meanwhile, I think I know how this virus spreads. So far, it has not done any harm, but I do not know what it will do to the befallen in future. Please find details below.

Has anybody seen this particular strain of virus before? If so, what do we have to expect, if we do not succeed in destroying all copies? Please answer privately to me to avoid unnecessary network traffic; I'll summarize to The List.

If this is a new strain, somebody (me?) will probably have to disassemble it to find out what threat it contains. This will probably last for a couple of weeks, so do not expect quick results. For this task, I'll probably need a disassembler and a compare program. Who can tell me where to obtain such tools?

Thanks for your time, and best regards
Otto

--------------

Symptoms:

1. Apparently, the virus makes itself core-resident and waits for some .COM or .EXE file to be started.

2. When a .COM or .EXE is started, the virus inserts itself into that very program, making it exactly 1704 bytes longer, according to the DIR command. If the program resides on a write-protected disk, the virus will cause a write-protect error instead. No program is infected twice. I tried it with a pseudo program of 4 bytes (my 1st name), and found that after the infection these 4 bytes had apparently been overwritten (visual inspection with TYPE only -- we'll use some suitable editor after disinfection). A .COM and an .EXE file with the same file name and the same 4 bytes content yielded apparently identical infected files (visual inspection with TYPE only -- no comparison program run, so far), while another test case with a different file name and different contents (5 bytes) showed a slight difference in the infected file. Astonishingly, even these pseudo programs are terminated without any error message from DOS.

3. When you run the infected program on another computer, it will continue to infect every .COM or .EXE file started there.

Recovery:

We've begun to re-install software on the infected disks, proceeding thus (thanks to VIRUS-L for many hints during the last couple of months):

1. On dedicated computers, backup the important data files. Be sure not to backup any .COM or .EXE file. Skip this step on public computers. (BTW, an incredibly stupid notion, a "contradictio in adjecto": these "public Personal Computers", we were forced to install on account of decisions by our government! Now, we're experiencing the consequences of this oddity.)

2. Switch off the computer.

3. Switch it on again, booting from a write-protected, original system disk. Install the software again from write-protected, originally vendor-supplied disks. On one computer, test for presence of the virus after installation of every software component, to make sure the virus doesn't come from a software package (vendors aren't immune, are they?? :-) On the publicly accessible computers, this step involves removing the SafeGuard Cards installed therein. We can't distribute the repaired software through the PC network, as this would require at least one .COM or .EXE file on the receiving side. All we can do to save some labour is installing the DOS and networking component on every computer, install the other components only on the server and re-distribute them from it. (Again, you see the advantage of a host, where software is maintained only in 1 copy, over a pool of PCs!)

4. On dedicated computers, restore the backed-up files. Apparently, we are facing pretty much labour to re-install everything properly.

5. Try to develop some virus-recognizing program to avoid future infection from the same strain. Still unsolved problem: how can we force every user to apply this program to her disks, before starting any .COM or .EXE??? Suggestions welcome!
=========================================================================
Date:         Fri, 2 Sep 88 13:57:20 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "M. Smith"
Subject:      A Modest Proposal

With the mess that the nets are in right now, an idea that Info-Micro went to on the Arpa side is due. Info-Micro distributes unmoderated Digests at a once per day rate. The Digests may be sent twice on occasion, but as they are numbered and dated, it is easy to eliminate substitutes and trail down evil mailers in the net (not as much of a problem on ARPA/MILNET since the topology is point to point. *FAILED* mail is the big problem, as the mailer retries for three days and sends a copy of the failed mail to EVERY MEMBER OF THE LIST _EACH DAY_ !!!)

Unattended operation might make many people happier, but semi-automatic operation is probably safer, although I would rather get digests regularly, than one behemoth when the digester has been away for two weeks.

I will post any comments/flames I get, but you can send mail directly to Ken (see his monthly blurb for his address) if you like this idea. Send all disagreements to /dev/null ;-)

Thank you for your attention,
Mark L. Smith
mlsmith@nadc.ARPA
=========================================================================
Date:         Fri, 2 Sep 88 14:38:53 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Ken van Wyk
Subject:      Re: A Modest Proposal
In-Reply-To:  Your message of Fri, 2 Sep 88 13:57:20 EDT

> With the mess that the nets are in right now, an idea that Info-Micro
> ...
> idea. Send all disagreements to /dev/null ;-)

That's a suggestion that I'd considered a while ago, and I put it up to a vote. The bottom line was that most people preferred running VIRUS-L undigested and unmoderated. You can, of course, unsubscribe and read just the weekly logs if you wish. That's a pseudo-digest list. That's what the majority wanted. Let's *please* not get into a debate about the pros and cons of digest/non-digest. I went with the majority vote. Enough said about digesting, ok?

Thanks,

Ken

Kenneth R. van Wyk                    Calvin's mom running a bath for Calvin...
User Services Senior Consultant       Calvin: It's too cold!
Lehigh University Computing Center    Calvin: Now it's too hot!
Internet:                             Calvin: Now it's too cold!
BITNET:                               Calvin: Now it's too deep!
=========================================================================
Date:         Fri, 2 Sep 88 14:50:00 CST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         conni annable
Subject:      SCORES spread question

Yesterday, we discovered that the MAC network in our Library was infected with the SCORES virus. This was identified by INTERFERON V3.0. This morning FERRET V1.1 was used to clean up the hard disks and the Library folks will now go through their application diskettes and clean them up as well. A major problem is that the network is publicly available (bring your own diskettes). FERRET reported the infection dates - the earliest one was May 23, 1988.

We seem to see some evidence that the virus has been spread through data files. Does anyone know if this is possible? The other possibility is that these (not extremely computer literate) users are not remembering everything quite correctly, but we have at least one who claims to have taken a disk containing "just the data I wanted to print" to this network to use the laser printer, then contaminating a stand-alone MAC in another location later with that disk.

Thoughts?

Thanks,
Conni Annable
Network Manager and Virus Information Coordinator (whatever that means)
University of Texas Health Science Center at San Antonio

All opinions stated are entirely my own.
=========================================================================
Date:         Fri, 2 Sep 88 16:35:00 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Chris Bracy
Subject:      Yale Virus Info

I have now disabled the Yale virus entirely. Here are some specifics...

There is a format table set up to format the 40th track for 8 sectors/track. The final BIOS call is missing, however, so the format is never done.

The virus copies itself to high memory and reduces the MS-DOS memory count by 1K. It then reads the original boot sector which was kept on track 40, sector 8, which is then executed.

This virus takes over two vectors: int 9 and int 19. Int 19 is the reboot vector. Int 9 is the keyboard vector. The virus only spreads on reboot. If an infected disk was booted and you do a warm boot (Ctrl-Alt-Del) it will infect the new disk. The keyboard handler has the logic to watch for this reboot.

The keyboard handler also has a hook for Ctrl-Alt-i. If pressed the virus copies its generation count to 40:72. If I remember correctly, (I can't figure out where I saw this originally) this location is checked on reboot for 1234H. If found it does a quick boot. It is possible that the writer wanted to make this a key for don't infect, but on all machines I have access to, this isn't the case.

The virus resets the screen by putting a byte in memory. This method doesn't work correctly on new machines. Instead of clearing the screen, it converts it to 40 column mode. (This is how it was noticed)

This virus keeps a generation count. It doesn't appear to use this count for anything (except as mentioned above). The version I got had a generation number 14h.

The virus will jump to ROM basic if it cannot load the original boot sector.
I believe this is either an old virus or written by someone with an old machine. The format is 8 tracks instead of the current 9. The jump for ROM basic is in. The screen clear is done with a poke (this does clear the screen on an original PC but not on newer machines.) etc...

The virus infects almost any diskette, but it must be in drive A: (eliminating hard drives). It will only boot PC(XT) compatibles. I could not get it to boot an AT (I tried Zenith 248 and 286). It will also infect almost any version of DOS. I have tried DOS 1.0 thru 3.3.

The virus has no harmful effects except for writing onto track 40. Even on high density drives where this is in the middle of the disk. If track 40 is written to after it is infected, it will cause the disk to become unbootable.

If anyone has seen this virus, or has any questions, please drop me a line.

Chris.

*==============================*======================================*
| Chris A. Bracy               | Student Consultant                   |
| (215) 758-4141               | Lehigh University Computing Center   |
| Kcabrac@Vax1.cc.Lehigh.Edu   | Fairchild Martindale Bldg. 8B        |
| Kcabrac@LehiCDC1.Bitnet      | Lehigh University                    |
| CAB4@Lehigh.Bitnet           | Bethlehem, PA 18015                  |
*==============================*======================================*
=========================================================================
Date:         Fri, 2 Sep 88 16:32:12 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe McMahon
Subject:      Re: SCORES spread question
In-Reply-To:  Message of Fri, 2 Sep 88 14:50:00 CST from

> FERRET V1.1 was used to clean up the hard disks....

Uh, I'd REALLY want to check over those files again if I were you; Ferret 1.1 doesn't always clean up Scores completely...! Try KillScores instead (available from our LISTSERV).

> We seem to see some evidence that the virus has been spread through data
> files. Does anyone know if this is possible?

No. Scores ONLY affects files which contain executable (CODE) resources; details notwithstanding, unless you have VERY peculiar data files (with CODE in them? Wow), you can't catch Scores from a data file. Just as a thought -- Lightspeed C project files have code added to them; this couldn't be the case here, could it?

Also, get Vaccine on ALL of your public machines, and teach the users that the Vaccine dialog means biiiiiiiiig trouble. "Wanted" posters, e.g., "Have you seen this dialog?", are a good way to do this. Vaccine is also available from LISTSERV@SCFVM; please e-mail me directly if you'd like some help.

--- Joe M.
=========================================================================
Date:         Fri, 2 Sep 88 16:42:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         WHMurray@DOCKMASTER.ARPA
In-Reply-To:  Message of 30 Aug 88 09:10 EDT from "Frank San Miguel"

Frank San Miguel asks:

> That brings me to another point, if a war should take place
> (sensibilities forbidding), how prominently would viruses be used as a
> means of attacking an enemy? This sounds like the plot of a cheesy
> film. I certainly prefer them to hydrogen bombs.

During the second world war, the US authorities used a different currency in Hawaii than they did on the continent. This was a defense against counterfeit currency attacks. Note that counterfeiting is difficult except with the resources of a sovereign power.

There are both a cheesy film and a cheesy tv series based upon the premise that Nazi Germany had attempted to de-stabilize Great Britain by debasing its currency with counterfeit. (Both of these include a line about the conscription of felons to help carry out the attack.) To the best of my knowledge there was never such an attack, even against the notoriously easy to counterfeit US currency.

While such attacks make great fantasy, they do not make very good warfare. Both the US and Great Britain were very busy debasing their own currency. They did not need any help from the Axis powers. While colorful, these attacks are not nearly so damaging as bombs or artillery, even though they may be cheaper.

The use of criminals also suggests that, even in wartime, there are limits beyond which noble people do not go. Counterfeiting and forgery are the tactics of criminals. Even spying has a taint to it. Saboteurs are dealt with much more severely than soldiers.

Viruses are the tools of the immature, the sneaks, and the cowards; not those of the hero.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
=========================================================================
Date:         Fri, 2 Sep 88 09:57:00 MDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         KEENAN@UNCAMULT
Subject:      Re: Pc-Lock
In-Reply-To:  Message of 31 Aug 88 13:52 MDT from "James Ford"

I saw one case (a large government installation here in Calgary) in which the user changed his CONFIG.SYS file (which the Pc-lock documentation warns you not to do..who reads documentation? :-) and was then unable to access anything. The remedy involved pulling the power to the card I believe.

Tom Keenan
Associate Professor
Dept. of Computer Science
The University of Calgary
=========================================================================
Date:         Fri, 2 Sep 88 18:51:38 +0300
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Y. Radai"
Subject:      CRC vs. encryption schemes

Jerry Leichter writes:

> Suppose I know how your polynomial generator works, and have a copy
> of ONE file with your checksum for it. I proceed to compute the checksum of
> the file with all 70 million possible polynomials, comparing the results to
> the known checksum. Even if it takes a second to compute, I can expect a
> match in a little over a year.
I have three replies to this:

(1) Just where do you expect to get the checksum, relative to the generating polynomial which I use for detection of viral infection, of even ONE file of mine? I'm certainly not going to publish one. Are you going to get onto my computer and peek at the files on my hard disk, hoping to find my checksum base and hoping that the data isn't stored in encrypted form? (If you should by some chance succeed, you'll find my polynomial there too, without your even having to compute it!) Well, if my files were sufficiently important (or if I were sufficiently paranoid) to think that someone would be willing to devote a year of computer time for them, I would certainly keep my checksum base (and checksum program) offline, on a diskette which I would keep locked up and which I would insert into my computer only during the time I check my CRCs.

(2) Assuming you have somehow managed to get ahold of one of my checksums, by the time you come up with my polynomial after a full year (!!), I will have changed my generator several times, and you will have spent an awful lot of computer time for nothing! Okay, for sake of argument let's suppose you pull out your checkbook and purchase a real fast computer with parallel processors, like the Cray 3 (*) if you can hold out another year until it's available. Then you could do it much faster, before I get a chance to change my generator. But again, if my files are sufficiently important, I will checksum each of them not once, but twice or more, each time using a different generator. So you got *one* of my polynomials; so what?

(3) Let's suppose for sake of argument that (a) I'm important enough for you to devote all this computation time or power, (b) I use only one generator, (c) I hand you one of my checksums, and (d) I haven't had time to change my generator by the time you've computed it. When all is said and done, you've got a weapon only against *MY* files. Now if you're interested in attacking other people who use a personal/random CRC, you're going to have to go through all that again for each and every one of them. If, on the other hand, you're interested in attacking only me, you hardly need a virus; a simple immediate-acting Trojan will do. And in that case, *no* checksum program will help, no matter how sophisticated or secure! So tell me: Why bother calculating my polynomial at all??

> Today, it is extremely naive. The world is full of failed cryptosystems
> which people relied on because "no one could demonstrate a method" of breaking
> them. Given advances in the field, the burden of proof should be - and, among
> people who work on these issues, IS - entirely on the PROPOSER of a system to
> show that his system is secure, in some sense.

In what *practical* sense have DES and RSA been shown to be appreciably more secure than a Rabin-type CRC? What I know is that RSA can be broken if someone should find a reasonably quick way of factoring very large numbers. I don't seem to recall that the proposers of RSA have shown that to be impossible. As for DES (here I am relying mainly on an article by Tom Athanasiou in the Risks Digest):

(1) It was created essentially by modifying IBM's LUCIFER. However the modifications seem to have been all in the direction of *weakening* it. And the reason was evidently so that the code-breaking department of the NSA would be able to *break* it when used by others. Thus the key size was reduced from 128 to 56 bits.

(2) Changes were also made in the S-boxes. It has been rumored that the NSA inserted a "trapdoor" into them in order to make the system vulnerable; in any case, mathematicians have demonstrated the possibility of weakening the cipher by introducing hidden regularities into the S-boxes.

(3) In 1985, the NSA abandoned DES. At that time its deputy director for communications security was quoted as saying that he "wouldn't bet a plugged nickel on the Soviet Union not breaking [DES]".

So whatever theoretical criteria DES may satisfy, its proposers have not only not shown the system to be secure in practice, but they have even abandoned it on grounds of its being *in*secure.

Of course, you might reply, there's no *absolute* guarantee of security with *any* system. Well, it seems to me that the difference between our views lies in where to draw the line between the insufficiently secure and the (apparently) sufficiently secure. The brute force scheme which you describe may be worthwhile if you're trying to *break a cipher* of some important intelligence or military agency. (The fact that you refer me to Kahn's book strongly suggests that that's the application you have in mind.) But we here on the list are concerned only with virusbusting. Of course, cryptographic techniques are welcome for that purpose. But one has to keep a proper sense of proportion. It's straining the imagination to suppose that the ordinary type of virus creator would spend over a year of computer time to break a CRC checker used for viral detection purposes by ordinary individuals or institutions, and *that* is the community *I* am concerned with. These people need a *fast* algorithm with *reasonably* high degree of security, and (present-day) cryptosystems simply can't meet the first of these two requirements. Your standards concerning security are presumably much higher than mine, while the increased execution time demanded by cryptosystems doesn't seem to play the slightest part in your considerations. Hence you apparently draw the line I mentioned above somewhere between a 31-bit CRC and DES. But for the purposes I have described, it suffices to draw it between a fixed-generator CRC and a personal/random one.
Besides, by emphasizing brute-force methods of breaking schemes, you miss the *real* danger; "real" because it's *MUCH* more likely to be employed by a virus creator than a brute-force method. As I said in my posting of Aug. 29, that comes from certain *loopholes* which must be blocked by the program utilizing the checksum algorithm. Without such blocking, *no* checksum algorithm, no matter how sophisticated, can provide dependable detection of viral detection. My program has them. Does yours....??

Y. Radai
Hebrew Univ. of Jerusalem

(*) For those unfamiliar with the Cray 3, they say it's so fast, it can complete an infinite loop in six minutes.

=========================================================================
Date: Sun, 4 Sep 88 17:05:04 +0200
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Y. Radai"
Subject: Re: MS-DOS: new strain of virus?

Otto,

The virus you describe seems to be similar, in general terms, to the Israeli virus (which was described in VIRUS-L several months ago), although the details seem to be slightly different. I'm sending you a separate file containing a program IMMUNE (in uuencoded form). Execute that, and if your virus is similar enough to ours (captures int 21h to control program execution), IMMUNE should prevent future infection and warn you each time an attempt is made.

If you want further help, send me a copy of a small COM file and a small EXE file which are infected by your virus (actual programs, please; no pseudos). If all goes well, we'll be able to modify our program for removing the virused portion of infected files so that it works on your virus too, avoiding the need for you to perform the re-installation procedure you described.

Y. Radai
Hebrew Univ. of Jerusalem

=========================================================================
Date: Mon, 5 Sep 88 11:50:00 URZ
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: BG0@DHDURZ2
Subject: DES security (was: DES vs. CRC)

Hi folks,

some people mentioned that the DES is insecure because it only allows a 56 bit key. That's not correct: DES allows a 768 (!!!!) bit key! How to use this key length? Skip the key schedule routine and fill in your own 16 48-bit-keys K1,...,K16. Going this way, you have 16 times 48-bit = 768 bits.

I really believe that the NSA, sorry the NBS dropped DES not because of its insecurity but because its *too* secure (you know what I mean :-) The NSA declared to develop its own encryption standard without help from firms outside (like IBM in the case of DES). So nobody will be able to have a look at the algorithms. So the NSA can do what she wants.... for example to make sure that they can read everything they want to read....

All the best, Bernd.
........................................................................
+----------------------------------------------------------------------+
| Bernd Fix            | EARN: BG0@DHDURZ2 or BG0@DHDURZ1              |
| Bergheimer Str.105   | UUCP: ...!pyramid!altger!doitcr!rnihd!bernd   |
| 6900 Heidelberg      |       ...!unido!tmpmbx!/                      |
| West Germany         | (from BITNET): bernd%rnihd%tmpmbx@DB0TUI6     |
|                      | VNET (VoiceNET): +49 6221 164196              |
+----------------------------------------------------------------------+
| " ... 10010010011010100100110100100100101001110110100101101010 ...   |
|   This doesn't look like a cry for help, more like a warning! "      |
|   From ALIEN, part I                                                 |
+----------------------------------------------------------------------+
=========================================================================
Date: Tue, 6 Sep 88 02:35:59 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Amanda B Rosen
Subject: Re: SCORES spread question
In-Reply-To: Your message of Fri, 2 Sep 88 14:50:00 CST

Re: The library infected with scores-

If this is the SCORES virus that we've seen before, there is NO CHANCE that a data file can carry this virus. There is the minute possibility that somebody has modified the virus.
I hope not, it was pretty nasty already...

/a

=========================================================================
Date: Mon, 29 Aug 88 14:12:12 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GUYDOSRM@SNYPLABA

With regard to sending a virus for study... I presume that the terms sterilize, disable, kill, destroy, etc., may not be synonyms. What's the difference, if any? Are there any more-or-less agreed on definitions?

Ray Guydosh - State Univ of NY @ Plattsburgh
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

=========================================================================
Date: Tue, 6 Sep 88 12:45:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: WHMurray@DOCKMASTER.ARPA
In-Reply-To: Message of 29 Aug 88 15:12 EDT from "GUYDOSRM%SNYPLABA.BITNET at CUNYVM.CUNY.EDU"

I use "sterilize" and "disable" to convey the notion of preventing reproductive behavior while preserving other information and perhaps even other behavior. I use "kill" and "destroy" both in the sense of destroy; i.e., erase, delete, and overwrite.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

=========================================================================
Date: Tue, 6 Sep 88 10:19:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: PETCHER%eg.csc.ti.com@RELAY.CS.NET
Subject: Virus wars

> From: WHMurray%DOCKMASTER.ARPA@cunyvm.cuny.edu
>
> Viruses are the tools of the immature, the sneaks, and the cowards; not
> those of the hero.

That could be said of the atom bomb, too, but when the time came it was used, it worked, and it probably saved countless lives. I don't intend to spend my time writing viri, but if my country is threatened and a virus is what it takes to alleviate the threat, you're going to see me crank out a virus so fast it makes your head spin!
Malcolm Petcher
Texas Instruments, Inc.

=========================================================================
Date: Tue, 6 Sep 88 16:48:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
Comments: Warning -- RSCS tag indicates an origin of SMTPUSER@OBERLIN
From: "$CAROL@OBERLIN (BITNET)" <$CAROL@OBERLIN>
Subject: hypercard virus question

My colleague (bitnet address PRUSSELL@OBERLIN) asks:

Does anyone know if Hypercard stacks are capable of carrying Macintosh viruses? Are they considered applications or data?

Thanks much.

| Carol Conti-Entin (216) 775-8290
| $carol@oberlin -or- pconti@oberlin (BITNET)
| Academic Computing Consultant
| Houck Computing Center
| Oberlin College
| Oberlin, OH 44074

=========================================================================
Date: Wed, 7 Sep 88 09:14:36 SET
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Christian J. Reichetzeder"
Subject: Re: Virus wars
In-Reply-To: Message of Tue, 6 Sep 88 10:19:00 CDT from

>> From: WHMurray%DOCKMASTER.ARPA@cunyvm.cuny.edu
>>
>> Viruses are the tools of the immature, the sneaks, and the cowards; not
>> those of the hero.
>
>That could be said of the atom bomb, too, but when the time came it was used,
>it worked, and it probably saved countless lives. I don't intend to spend my
>time writing viri, but if my country is threatened and a virus is what it
>takes to alleviate the threat, you're going to see me crank out a virus so
>fast it makes your head spin!
>
>Malcolm Petcher
>Texas Instruments, Inc.

It did save lives, yeah? Even if it did, it did so only because no one else had it. If the Japanese would've had it then ... And if "your country" - as you want to see it - is threatened (by "someone else's country", I assume) and you decide to release a virus I feel you are threatening my country also (or can you guarantee that "my country" is spared?) and I will not hesitate to take appropriate counter-action and ... you see where this leads to.
And maybe I should start right now - my country is threatened by atom bombs since they were invented. So all countries with ICBMs and nuclear warheads watch out!

*flame off*

Christian

=========================================================================
Date: Wed, 7 Sep 88 08:24:07 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe Simpson
Subject: Hypercard as a virus vector

The famous "birthday" virus is reported to have been introduced into a hypercard stack loaded onto compuserve. As a general answer, hypercard is a fertile medium for virus infestations. HyperTalk itself contains many commands supportive of this end and there are publicly available extensions as XCFN's and XCMD's that will finish the job.

=========================================================================
Date: Wed, 7 Sep 88 10:16:44 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: OJA@NCCIBM1

In an earlier posting warning about human frailties and computer security, it seems that the intense dramatic scenario touched off a discussion about viruses in warfare. Fascinating exchange of comments but I should put an important comment here...

The scenarios were extreme case. The depiction of viruses used for "political" reasons was intended to be depicted as being sought by groups more used to working outside of the regular conventions of law, and other social constraints. Most likely candidates if this were ever to happen would be terrorist groups which are already oriented to working outside of normal bounds. Besides this orientation, another factor enters- the difference in perspective from that of governments. Many governments would be far more cautious realizing that they have much to lose and that they have a "return address" should some crazy "viruses war" scheme be attempted and discovered.
They also know, hopefully, the danger of things getting out of control when the modes of C3I - communications, command, control, and intelligence - get severely disrupted. Such disruption rather than leading to military or political success could, in this age, lead to a lethal panic. So, I doubt that as a form of "warfare" viruses would be seriously considered by most countries.

For "outsider" groups, the chances are higher. But still very low, except for small scale harassment. I have gotten reports on some groups using a variety of computer means to harass opposing groups. But these have been very localized and very temporary. (And quite illegal.) The overall picture of terrorism and computers is that if terrorists want to disrupt a computer center, they use more crude, physical means- arson, explosives, etc. To date, there has been no substantiated report of computer viruses used for political / terroristic motives. (The Hebrew University case was reported in some articles in US papers as a politically motivated virus. That was an erroneous report. The allegation may have happened from the combination of "excitement" on the part of the writers and from an easy misunderstanding or misrendition of the Hebrew word Mechabel (can mean either saboteur or a terrorist.))

So this picture of "virus wars" is mentioned as possibility among many others, but a low probability one. The biggest threat of viruses still remains the "hackers" and the innocent vectors. As for the specific targeted use of viruses, the greater likelihood would be "insiders" seeking revenge or some other self-oriented goal.

=========================================================================
Date: Wed, 7 Sep 88 10:56:18 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "James N. Bradley"
Subject: Re: Virus wars
In-Reply-To: Your message of Wed, 7 Sep 88 09:14:36 SET

Gentlemen, Gentlemen...

War is not an instance of rational minds at work.
Rather, it is the failure of rational minds. Viruses also might be considered a failure of an otherwise rational mind. Regardless, in the event of a war, I think we can assume that both sides will be doing whatever they can to disrupt whatever they can. I think the question should be something on the order of "Will the exchange of computer viruses be so detrimental that no one will instigate it?" This is approximately the situation with nuclear weapons. As with nuclear weapons, both sides may seek the capacity to win with a first strike, but neither is likely to achieve that capacity given the "roughly" equal resources.

This presumes of course, that this warrants further discussion on this list.

JB

=========================================================================
Date: Wed, 7 Sep 88 10:55:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bernie
Subject: Legality

If you get infected by an original piece of software straight from the manufacturer, can you sue the software company in question for damages?

=========================================================================
Date: Wed, 7 Sep 88 10:54:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bernie
Subject: Virus vs. Virus

Since many of the viruses out there have been identified, why doesn't someone write a "good" virus which can hunt them down and remove them? Fight fire with fire.

I was recently hit by a virus on an SE which blasted the hard drive. Lots of work down the tubes by a worm I've never seen before.

=========================================================================
Date: Wed, 7 Sep 88 19:01:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Daniel M. Greenberg"
Subject: Virus Legislation

I'm not going to go on a long strung lecture about this, but I don't feel that viruses should be illegal to write for several reasons.
First of all, it would be virtually impossible to monitor this to the extent necessary for it to be taken seriously and obeyed. Take software piracy- illegal, unmonitored, and rampant - nobody is afraid of being prosecuted for copying a piece of software because it doesn't happen.

Second of all, it's a matter of freedom. Many anti-porn people think that all pornography should be taken off the newsstands and not allowed to be sold. That in itself would be a crime- to take away one's freedom of choice. Nobody is forcing a person to buy such reading material if they don't want it. What I write as a programmer should be my own business! Many viruses are contracted by people that download unknown software from bulletin boards. If they didn't download it, it wouldn't have propagated in their system. Every time you download something- you take a risk that it has a nasty virus. If you go to a store and buy a program, you can expect it to be "clean".

I believe that the concept should be something like this: It should be illegal to write or distribute software that is intentionally made to destroy information of any sort - unless that is the intention of the software, and quite clearly stated so. One purpose of a virus could be: a small company doesn't want any of its employees stealing its confidential database/software/etc- so they install a time-bomb, and keep resetting it periodically, but if an employee were to steal the disk, they wouldn't know how to reset it, and it would self-destruct.

Also, any software written out of malice to intentionally destroy information should be anywhere from a misdemeanor to a felony depending on the scope of the damage/criminal record/etc. I believe that the most important area to focus on at first is the corporate/university level. This is where the most damage can be caused. Viruses entering corporations/schools have been known to have devastating damage- and thus should be dealt with very strictly.
Basically, what I'm saying is that one should be able to write whatever one wants to- consider it freedom of the press, suppression is not the American way, however if one actually uses a virus- then action should be taken. Remember: you can talk about shooting the president, there's nothing illegal about that, but if you actually do so: then you are legally liable. You have the freedom to make your own decisions and then decide the consequences.

Box # 1026                              Daniel M. Greenberg
25 Andrews Memorial Drive               Rochester Institute of Technology
Rochester, NY 14623                     Computer Engineering Technology '92
BITNET : DMG4449@RITVAX
INTERNET : dmg4449%ritvax.bitnet@CORNELLC.CCS.CORNELL.EDU
UUCP : {psuvax1,mcvax}!ritvax.bitnet!dmg4449
Compuserve : 71641,1311    GEnie: D.GREENBERG2    PHONENET : [716] 475-4295
"The answer is 42."                     "I hate quotations."
(Deep Thought)                          (Ralph Waldo Emerson)

=========================================================================
Date: Wed, 7 Sep 88 19:05:23 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ENGNBSC@BUACCA
Subject: Re: Virus vs. Virus
In-Reply-To: Message of Wed, 7 Sep 88 10:54:00 MDT

Re: "Good" virus

Hmmm - sounds like some genetic research controversies lately... Actually, I would rather blow away the infected files and go to my most recent backup than risk putting a virus in - What if the "good" virus gets perverted? (could be almost as fun as the micro copy protection battles...)

Besides, why do with a virus what can be done with a normal program? For the Apple //s, there are a number of programs that look for symptoms of known viruses and inform you of their presence - the same task I take it that your "good" virus would perform. The added risk of a virus just doesn't justify to me the risks involved when all I need to do is run a virus detector on any executable additions to my system, and every once in a while to catch any requiring an incubation period.
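Returning to the CRC-versus-DES exchange earlier in this digest: as an added illustration (not Radai's program, nor code from any poster), here is a checksum checker of the kind he argues for, a table-driven 32-bit CRC whose generator is drawn at random per installation instead of being a fixed, published polynomial, with a baseline of file checksums and a rescan that flags modified files. The sample "files" are constructed inline; the random generator is only required to have its constant term set, which is an assumption made for this example and not a claim that every such polynomial has good error-detecting properties.

```python
import secrets

# Reflected (LSB-first) 32-bit CRC.  With STANDARD_POLY this is the common
# CRC-32 (check value for b"123456789" is 0xCBF43926); any other generator
# gives a "personal" CRC whose values a fixed-generator table cannot predict.
STANDARD_POLY = 0xEDB88320


def make_crc_table(poly):
    """Build the 256-entry byte table for the reflected CRC over `poly`."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


def crc32_with(data, poly, table=None):
    """CRC of `data` under generator `poly` (init 0xFFFFFFFF, final XOR)."""
    table = table if table is not None else make_crc_table(poly)
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def random_generator():
    """Per-installation generator: 32 random bits with the x^0 term set
    (bit 31 in reflected form).  Assumption: the scheme relies on the
    generator being secret, not on any particular algebraic property."""
    return secrets.randbits(32) | 0x80000000


class ChecksumChecker:
    """Baseline-and-rescan detector.  The generator and the baseline must be
    kept where an infected program cannot read or rewrite them; closing that
    kind of loophole is the checker program's job, not the CRC's."""

    def __init__(self, poly=None):
        self.poly = random_generator() if poly is None else poly
        self.table = make_crc_table(self.poly)
        self.baseline = {}

    def record(self, name, data):
        self.baseline[name] = crc32_with(data, self.poly, self.table)

    def check(self, name, data):
        """True if `data` still matches the recorded checksum for `name`."""
        return self.baseline.get(name) == crc32_with(data, self.poly, self.table)

    def scan(self, files):
        """Names whose current contents no longer match the baseline."""
        return sorted(n for n, d in files.items() if not self.check(n, d))


# Constructed sample files standing in for a clean program directory.
CLEAN_FILES = {
    "prog.exe": b"MZ\x90\x00" + bytes(range(64)) + b"Copyright 1988 Example Corp.",
    "util.com": b"\xB8\x00\x4C\xCD\x21" + b"UTIL 1.0",
}


def demo():
    """Record the clean set, patch one byte of prog.exe, rescan."""
    checker = ChecksumChecker()
    for name, data in CLEAN_FILES.items():
        checker.record(name, data)
    infected = dict(CLEAN_FILES)
    prog = infected["prog.exe"]
    infected["prog.exe"] = prog[:40] + b"\xE9" + prog[41:]  # one changed byte
    return checker.scan(infected)  # returns ['prog.exe']
```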
=========================================================================
Date: Wed, 7 Sep 88 20:22:31 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: Hypercard as a virus vector
In-Reply-To:

What is Hypercard? Is it a command language like REXX, or what?

 __________________________________
|                                  | David Slonosky/QueensU/CA,"",CA
| Know thyself?                    |
| If I knew myself, I'd run away.  |
|__________________________________|

=========================================================================
Date: Wed, 7 Sep 88 20:28:01 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: Different Operating Systems

I was just wondering what the relative susceptibility of each available operating system on the market was, in terms of security from viruses and other nasties. We can tell that IBM and PC/MS-DOS are fairly leaky just from reading this discussion. What about the operating systems of Ataris, Amigas, Macintoshes? Do they all share the same kind of open environment that DOS possesses? Is anyone more/less susceptible to viruses? Are any of them harder/easier to write viruses for? Are any of them harder/easier to protect? I suspect the answer is that they are all equally vulnerable, but curiosity demands that I ask. From previous items, I know that mainframes and such are the hardest to infect, so I won't ask about them here.

 __________________________________
|                                  | David Slonosky/QueensU/CA,"",CA
| Know thyself?                    |
| If I knew myself, I'd run away.  |
|__________________________________|

=========================================================================
Date: Wed, 7 Sep 88 21:54:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: EAE114@URIMVS
Subject: Suits for Viruses

+ If you get infected by an original piece of software straight from the
+ Manufacturer, can you sue the software company .... ?
-
Yes. You'd probably even win.
You MIGHT even get compensation beyond the cost of the software and clean-up, but I doubt it.
-
You can sue anybody for anything. Winning the suit is sometimes based on precedent, sometimes on who spends the most money, and frequently on random chance...

=========================================================================
Date: Wed, 7 Sep 88 22:05:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: EAE114@URIMVS
Subject: 'Good' Viruses

... Why [not] write a "good" virus which can hunt them [bad viruses] down and remove them?
-
1: It's hard enough to predict what a program is going to do on YOUR system. What it does on someone else's, and the systemic behavior as it propagates is REALLY hard to predict.
-
2: It is even easier to modify an existing virus that used to be 'good' than it is to write a 'bad' virus. (not that either one is hard...)
-
3: In order for your 'GOOD' virus to survive, you must leave holes in your security. These holes are available to 'bad' viruses as well as yours.
-
4: There is no need for a virus killer to be self-propagating. People are perfectly willing to run the virus-killers by themselves. Inserting the virus-killing code INTO other programs serves no purpose.
-
> (Eristic: EAE114@URIMVS)

X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X
Another file downloaded from: The NIRVANAnet(tm) Seven

& the Temple of the Screaming Electron   Taipan Enigma        510/935-5845
Burn This Flag                           Zardoz               408/363-9766
realitycheck                             Poindexter Fortran   510/527-1662
Lies Unlimited                           Mick Freen           801/278-2699
The New Dork Sublime                     Biffnix              415/864-DORK
The Shrine                               Rif Raf              206/794-6674
Planet Mirth                             Simon Jester         510/786-6560

"Raw Data for Raw Nerves"
X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X