=========================================================================
Date: Thu, 22 Sep 88 00:27:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Dimitri Vulis
Subject: Viruses and media

In one of the first paragraphs, the TIME story describes the user struck by a virus seeking through all 360 concentric circles of data on the disk (very near quotation from memory). Apparently, the writer confused a kilobyte (as in 360K) with a track (as in 96tpi).

Also today, NY Times ran a story (discussed here previously) about a guy convicted of planting a time bomb, except it called it a virus. This is actually an AP story, so it's not surprising: AP style manual has a section called 'computer terms' which defined 'disk operating system' as a collection of disks and disk drives to read them. However, I'd expect that Time magazine would let someone who knows the difference between a track and a Kbyte read the story before printing it.

I think it's highly irresponsible on the part of the media to write about things they don't understand and to confuse the public. Explaining the need for security to the users is hard enough without it.

Dimitri Vulis, CUNY Math Department

P.S. My wife and I wrote a letter to AP about their Style manual listing something like 50 inaccuracies in the computer section, most of them quite funny; I can email a copy to interested parties, although it has little direct bearing on the virus topic.

=========================================================================
Date: Thu, 22 Sep 88 09:21:38 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Time article bashes the media...

The cover story in the September 26, 1988, seems to be pretty interesting reading for the most part. Most of the facts are clearly stated, albeit in flashy jargon. At times, the jargon seems to border on sensationization, in my opinion.
They do, however, go on to bash the media for its coverage of viruses by saying, "... On the other is the computer press, a collection of highly competitive weekly tabloids that have seized on the story like pit bulls, covering every outbreak with breathless copy and splashy headlines." I thought this was amusing...

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

Calvin: Here, try this new cereal, Chocolate Frosted Sugar Bombs.
Hobbes: Gack! Ptui! :-(
Calvin: Yeah, they're a bit bland until you scoop some sugar on them.

=========================================================================
Date: Fri, 23 Sep 88 16:49:26 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: SHERK@UMDD
Subject: 2 years probation
In-Reply-To: Message received on Thu, 22 Sep 88 11:15:03 EDT

>It's fascinating that there has actually been a conviction, but I must
>say two years probation is not likely to serve as the least deterrent
>to future virus attacks. Probation is a breeze.
>- Jeff Ogata

Is that from personal experience ??

=========================================================================
Date: Sun, 25 Sep 88 22:58:09 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bill Harris
Subject: Computer Virus and System Security Conference

This is to inform you that to the best of my knowledge, the "Computer Virus and System Security Conference" is not sponsored by Lehigh University. In addition, I do not know if it is being held, October 21 - 23, as indicated in a message from Loren Keim in August.

Bill Harris, Director
Computing Center
EWFM 8B
Lehigh University
Bethlehem, PA. 18015
Telephone Number 215-758-3830

=========================================================================
Date: Fri, 23 Sep 88 06:49:48 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Robert Slade
Subject: Media misunderstandings

Pursuant to the problems of Time and other media, I have seen a number of articles in the same vein as the one recently distributed here which
a) didn't know the difference between a virus, time bomb or trojan
b) thought there was only one virus

These articles give the impression that there is *one* program doing the rounds that will do everything nasty that's ever happened to computers. (It must be a super-virus. It even infects mainframes and *all* makes of micros! :-)

=========================================================================
Date: Fri, 23 Sep 88 11:27:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bernie
Subject: Back a bit...

In response to putting viri on sectors out of the normal range OR bad sectors...

If the person in question has a knowledge of direct disk control, then it wouldn't be hard to have his viri be in two steps. The first visible part would be a custom read routine to get the information on non-standard formatted sectors. The data on those would be the main viral code. This way, bad sectors would look bad to any program checking if they are formatted normally. However, any copy program would skip this stuff (unless it's a nibble copier) so the viri would have to have write routines to format itself whenever a new disk is detected... One nice way to work would be to make the sync bytes into viral code.

But all this is too much work for your fiddling hack, and would have to be done by someone seriously determined to evade. Anyone who has written a good protection scheme for any system could hide such a viri, because essentially the creator is "protecting" his virus. (Simple example of such is EPYX's current protection scheme.
You can copy it with anything but there are 8 tricky bytes on track 0 which the program uses to decode the OS. This is Apple//, but I've seen the same on other machines.)

=========================================================================
Date: Fri, 23 Sep 88 09:17:27 CST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Claudia Lynch
Subject: Re: 2 years probation
In-Reply-To: Message of Wed, 21 Sep 88 12:46:00 EDT from

I agree that 2 years probation doesn't seem like a big deal, but just think of the PROFESSIONAL ramifications of the conviction. How could he ever get another job in the computing industry? He would have to change his entire identity. Not impossible, but not easy either.

Claudia Lynch
Academic Computing Services
University of North Texas
Denton, Texas

=========================================================================
Date: Fri, 23 Sep 88 08:22:13 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: Viruses and media
In-Reply-To: Message from "Dimitri Vulis" of Sep 22, 88 at 12:27 (midnight)

>Dimitri Vulis, CUNY Math Department
>
>P.S. My wife and I wrote a letter to AP about their Style manual listing
>something like 50 inaccuracies in the computer section, most of them
>quite funny; I can email a copy to interested parties, although it has
>little direct bearing on the virus topic.
>

I have no way of reaching Dr. Vulis, but would like a copy sent to me. Perhaps it is worth a posting.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                 e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science       Office (414) 229-5170         |
| University of Wisconsin-Milwaukee Home   (414) 962-4719         |
| Milwaukee, WI 53201 U.S.A.        Modem  (414) 962-6228         |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=========================================================================
Date: Thu, 22 Sep 88 23:11:05 CST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: James Ford
Subject: HDSENTRY.ARC

Hello again. A while (ok, a GREAT while) back I asked if anyone had ever used HDSENTRY.COM. I had used it once, with some strange effects.

>First off, I'm using an IBM PS/2 M30 w/20M h-drive. I backed up my harddisk
>and then ran the program. I changed into a subdirectory and did a DEL *.*
>on it. The program gave the warning <> DESTRUCTIVE CALL BEING PREVENTED
>and didn't allow it. Well, when I did a directory, it showed nothing. BUT,
>after doing a warm boot, all files reappeared and ran fine.

After posting the above note, I asked if anyone would like to look at the ASM file on it to (maybe) try and correct the above problem. A couple of people answered, but I couldn't locate the file. NOW, I have the file. Anyone interested in doing a little debugging? I would, but I don't know anything about assembly.

James

=========================================================================
Date: Fri, 23 Sep 88 15:57:15 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: "Virus Guide" from software vendor

In a recent (June or July?) issue of The Chronicle Of Higher Education, there was a computer virus article in which an anti-virus software vendor, RG Software Systems, offered to send anyone who asked a free copy of a virus guide which they had written. So, I requested a copy of it on disk. Here then, is the article (in the interest of fairness, I did edit out some advertising information at the end of the article):

COMPUTER VIRUSES: A RATIONAL VIEW

by: Raymond M. Glath
President
RG Software Systems, Inc.
2300 Computer Ave. Suite I-51
Willow Grove, PA 19090
(215) 659-5300

April 14, 1988

WHAT ARE COMPUTER VIRUSES? (a.k.a.
Trojan Horses, Worms, Time Bombs, Sabotage)

Any software that has been developed specifically for the purpose of interfering with a computer's normal operations.

WHAT DO THEY DO?

There are two major categories of viruses.

Destructive viruses, that cause:

  Massive destruction... ie: Low level format of disk(s), whereby any programs and data on the disk are not recoverable.

  Partial destruction... ie: Erasure or modification of a portion of a disk.

  Selective destruction... ie: Erasure or modification of specific files or file groups.

  Random havoc... The most insidious form of all. ie: Randomly changing data on disk or in RAM during normal program applications, or changing keystroke values, or data from other input/output devices, with the result being an inordinate amount of time to discover and repair the problem, and damage that may never be known about.

Non-Destructive viruses, intended to cause attention to the author or to harass the end user.

  a. Annoyances... ie: Displaying a message, changing display colors, changing keystroke values such as reversing the effect of the Shift and Unshift keys, etc.

WHAT IS THE IMPACT OF A VIRUS ATTACK BEYOND THE OBVIOUS?

Lost productivity time !!!

In addition to the time and skills required to re-construct damaged data files, viruses can waste a lot of time in many other ways. With either type of virus, the person subjected to the attack as well as many support personnel from the attacked site and from various suppliers, will sacrifice many hours of otherwise productive time:

  Time to determine the cause of the attack.
  The removal of the virus code from the system.
  The recovery of lost data.
  The detective work required to locate the original source of the virus code.

Then, there's the management time required to determine how this will be prevented in the future.

WHO DEVELOPS VIRUSES?

This individual, regardless of his specific motivation, will most probably want to see some form of publicity resulting from his handiwork.
Anywhere from a "Gotcha" message appearing on the computer's screen after the attack, to major press coverage of that particular virus' spread and wake of damage.

Some of the reasons for someone to spend their time developing a virus program are:

  A practical joke.
  A personal vendetta against a company or another person. ie: a disgruntled employee.
  The computer-literate political terrorist.
  Someone trying to gain publicity for some cause or product.
  The bored, un-noticed "genius," who wants attention.
  The mentally disturbed sociopath.

IS THE THREAT REAL?

Yes, however thus far the destructive ones have primarily been in the Academic environment. Several attacks have been documented by the press, and, from first hand experience, I can attest to the fact that those reported do exist. We have seen some of them and successfully tested our Disk Watcher product against them. Reputable individuals have reported additional viruses to us, but these have not reached the scale of distribution achieved by the now infamous "Lehigh," "Brain," "Israeli," and "MacIntosh" viruses.

We do expect the situation to worsen due to the attention it's received. Taking simple lessons from history, a new phenomenon, once given attention, will be replicated by individuals who otherwise have no opportunity for personal attention. Now that there are products for defense from viruses, the virus writers have been given a challenge; and for those people who have always wanted to anonymously strike out at someone but didn't know of a method to do so, the coverage has provided a "How To" guide.

HOW DOES A VIRUS GET INTO YOUR COMPUTER SYSTEM?

A virus may be entered into a system by an unsuspecting user who has been duped by the virus creator (Covert entry), or it may be entered directly by the creator. (Overt entry.)

Examples of Covert entry of a virus into a computer system.
  A "carrier" program such as a "pirate" copy of a commercial package that has been tampered with, is utilized by the un-suspecting user, and thus enters the virus code into the system. Other types of carriers could be programs from Bulletin Boards that have been either tampered with or specifically designed as viruses, but disguised as useful programs. There has even been a destructive virus disguised as a "virus protection" program on a BBS.

  The user unknowingly acquires an "infected" disk and uses it to boot the system. The virus has been hidden in the system files and then hides itself in system RAM or other system files in order to reproduce, and later, attack.

Examples of Overt entry into a computer system.

  An individual bent on harassing the user or sabotaging the computer system, modifies an existing program on that computer or copies a virus program onto someone's disk during their absence from their work station.

HOW DOES A VIRUS SPREAD?

A virus may reproduce itself by delaying its attack until it has made copies of itself onto other disks (Active reproduction,) or it may depend entirely on unsuspecting users to make copies of it and pass them around (Passive reproduction). It may also use a combination of these methods.

WHAT TRIGGERS THE VIRUS ATTACK?

Attacks begin upon the occurrence of a certain event, such as:

  On a certain date.
  At a certain time of day.
  When a certain job is run.
  After "cloning" itself n times.
  When a certain combination of keystrokes occurs.
  When the computer is restarted.

One way or another, the virus code must put itself into a position to either start itself when the computer is turned on, or when a specific program is run.

HOW DOES ONE DISTINGUISH A VIRUS FROM A "BUG" IN A PROGRAM OR A HARDWARE MALFUNCTION?

This can be a tough one.
With the publicity surrounding viruses, many people are ready to believe that any strange occurrence while computing may have been caused by a virus, when it could simply be an operational error, hardware component failure, or a software "bug." While most commercial software developers test their products exhaustively, there is always the possibility that some combination of hardware; mix of installed TSR's; user actions; or slight incompatibilities with "compatible" or "clone" machines or components; can cause a problem to surface.

We need to remember some key points here:

1. Examine the probabilities of your having contacted a virus.

2. Don't just assume that you've been attacked by a virus and abandon your normal troubleshooting techniques or those recommended by the product manufacturers.

3. When in doubt contact your supplier or the manufacturer for tech support.

4. Having an effective "Virus Protection" system installed may help you determine the cause of the problem.

HOW CAN YOU AVOID COMING IN CONTACT WITH VIRUSES?

1. Know and be comfortable with the source of your software acquisitions.

   If you use a BBS (Bulletin Board,) verify that the BBS is reputable and that it has satisfactory procedures in place to check out its software as well as provisions to prevent that software from being modified.

   Do not use illegitimate copies of software.

   Be sure that the developer of the software you're using is a professional. Note that many "Shareware" products are professionally produced. You needn't stop using them. Just be sure that you have a legitimate copy of the program if you choose to use these products.

   Don't accept free software that looks too good to be true.

2. Install a professional virus protection package on your computer that will alert you to any strange goings on.

3. Provide physical security for your computers. ie: Locked rooms; locks on the computers; etc.

4. If you're unsure of a disk or a specific program, run it in an isolated environment where it will not be able to do any damage. ie: Run the program on a "diskette only" computer, and keep a write-protect tab on your "System Disk." Run the program with "Virus Protection" software installed.

5. Establish and maintain a sound Back-Up policy. DO NOT USE ONLY ONE SET OF BACK-UP DISKS THAT ARE CONTINUOUSLY WRITTEN OVER. Use at least three complete sets of back-up disks that are rotated in a regular cycle.

DO YOU NEED SOME FORM OF PROTECTION FROM VIRUSES?

It couldn't hurt !!! You do lock the door to your home when you go out, right?

Plan in advance the methods you'll use to ward off virus attacks. It's a far more effective use of management time to establish preventative measures in a calm environment instead of making panic decisions after a virus attack has occurred.

IS THERE ANY SOLUTION AVAILABLE THAT'S ABSOLUTELY FOOLPROOF?

No !!! Any security system can be broken by someone dedicated and knowledgeable enough to put forth the effort to break the system.

WHAT LEVEL OF PROTECTION DO YOU NEED?

This of course depends on many factors, such as:

1. The sensitivity of the data on your PC's.
2. The number of personnel having access to your PC's.
3. The security awareness of computing personnel.
4. The skill levels of computing personnel.
5. Attitudes, ethics, and morale of computing personnel.

A key point of consideration is the threshold for the amount of security you can use versus its impact on normal productivity. Human nature must also be considered. If you were to install 10 locks on your front door and it cost you 5 minutes each time you enter your home, I'll bet that the first time that it's raining... and you have 3 bags of groceries... you'll go back to using the one lock you always used.

HOW CAN A SOFTWARE PRODUCT PROTECT AGAINST VIRUSES?

There are several approaches that have been developed.
One form is an "inoculation" or "signature" process, whereby the key files on a disk are marked in a special way and periodically checked to see if the files have been changed. Depending on the way in which this is implemented, this method can actually interfere with programs that have built-in integrity checks.

Another method is to "Write Protect" specific key areas of the disk so that no software is permitted to change the data in those places.

We at RG Software Systems, Inc. believe that preventative measures are the most effective. The Disk Watcher system provides multiple lines of defense: A "Batch" type program automatically checks all active disk drives for the presence of certain hidden virus characteristics when the computer is started, and a TSR (Terminate and Stay Resident) program monitors ongoing disk activity throughout all processing. The "Batch" program can also be run on demand at any time to check the disk in a specific drive.

The TSR program, in addition to its other "Disaster Prevention" features, contains a series of proprietary algorithms that detect the behavior characteristics of a myriad of virus programs, and yet produce minimal overhead in processing time and "false alarm" reports. Disk Watcher is uniquely able to tell the difference between legitimate IO activity and the IO activity of a virus program.

When an action occurs indicative of a virus attempting to reproduce itself; alter another program; set itself up to be automatically run the next time the system is started; or attempting to perform a massively damaging act; Disk Watcher will automatically "pop up." The user will then have several options, one of which is to immediately stop the computer before any damage can be done. Detection occurs BEFORE the action takes place. Other options allow the user to tell Disk Watcher to continue the application program and remember that this program is permitted to perform the action that triggered the "pop up."
Some very important features of Disk Watcher are:

  Whenever the user selects the "Stop the Computer" option, the Application screen image and the Disk Watcher screen image will be sent to the system printer before the machine is stopped, so that an effective analysis of the problem may be done.

  Disk Watcher performs an integrity check on itself whenever it runs.

The "Destructive" viruses that produce "selective" file destruction or "Random Havoc" are the most difficult to defend against. The best measures are to prevent them from getting into the system in the first place.

WHICH VIRUS PROTECTION PACKAGE IS RIGHT FOR YOU?

Since the first reports of virus attacks appeared in the press, a number of "Virus Prevention" products have quickly appeared on the market, produced by companies wishing to take advantage of a unique market opportunity. This is to be expected. RG Software Systems, Inc. is one of them with our Disk Watcher product.

It should be pointed out, however, that as of this writing, only a little over 2 months has transpired since the first major stories appeared. Those companies that have had to build a product from scratch during this limited amount of time have had to design the defensive system, write the program code, write the user's manual, design the packaging, "Alpha" test, "Beta" test, and bring their product through manufacturing to market. A monumental task in a miraculously short period of time.

Companies that have had products on the market that include virus protection, or products that were enhanced to include virus protection, such as Disk Watcher, have had extra time and field experience for the stabilization of their products. As a professional in this industry, I sincerely hope that the quickly developed products are stable in their released form.
The evaluation points listed below are usually applied as a standard for all types of software products:

  *Price
  *Performance
  *Ease of Use
  *Ease of Learning
  *Ease of Installation
  *Documentation
  *Copy Protection
  *Support

A "Virus Protection" package, like a security system for your home, requires a close scrutiny. You want the system to do the job unobtrusively, and yet be effective.

TWELVE SPECIAL CONSIDERATIONS FOR VIRUS PROTECTION PACKAGES:

1. Amount of impact the package may have on your computer's performance. If the package is "RAM Resident," does it noticeably slow down your machine's operations? If so, with what type of operation? Are program start-ups slowed? Are database operations slowed?

2. Level of dependency on operator intervention. Does the package require the operator to perform certain tasks on a regular basis in order for it to be effective? (Such as only checking for virus conditions on command.) Does the package require much time to install and keep operational? ie: Each time any new software is installed on the system, must the protection package be used?

3. Impact on productivity... Annoyance level. Does the package periodically stop processing and/or require the operator to take some action. If so, does the package have any capability to learn its environment and stop its interference?

4. False alarms. How does the package handle situations that appear to be viruses but are legitimate actions made by legitimate programs? Are there situations where legitimate jobs will have to be re-run or the system re-booted because of the protection package? How frequently will this occur? How much additional end-user support will the package require?

5. The probability that the package will remain in use? Will there be any interference or usage requirements that will discourage the user from keeping the package active? (It won't be effective if they quickly desire to de-install it and perhaps only pretend they are using it when management is present.)

6. Level of effectiveness it provides in combatting viruses. Will it be effective against viruses produced by someone with an experience level of:

   Level 1 - "Typical End User"? (Basic knowledge of using applications and DOS commands.)
   Level 2 - "Power User"? (Knowledge of DOS Command processor, Hardware functions, BASIC programming, etc.)
   Level 3 - "Applications Programmer"? (Knowledge of programming languages and DOS service calls.)
   Level 4 - "Systems Engineer"? (Knowledge of DOS and Hardware internal functions.)
   Level 5 - "Computer Science Professor that develops viruses for research purposes"?

   Which types of intrusion will it be effective against? "Covert Entry"? "Overt Entry"?

   Does it detect a virus attempting to spread or "clone" itself? Does it detect a virus attempting to place itself into a position to be automatically run?

   If a virus gets into the computer, which types of virus damage will it detect? "Massive Destruction" "Partial Destruction" "Selective Destruction" "Random Havoc Destruction" "Annoyance"

   Does the software detect a virus before or after it has infected a program or made its attack? Does the publisher claim total protection from all viruses?

7. Does the software provide any assistance for "post mortem" analysis of suspected problems? ie: If a virus symptom is detected and the computer is brought to a halt, is there any supporting information for analyzing the problem other than the operator's recall of events?

8. Impact on your machine's resources. How much RAM is used? Is any special hardware required?

9. Is the product compatible with: Your hardware configuration. Your Operating system version. Your network. Other software that you use, especially TSR's.

10. Can the package be used by current computing personnel without substantial training? What type of computing experience is required to install the package?

11. Background of the publisher. References... Who is using this or other products from this publisher?
    How is this company perceived by its customers? The press? How long has the publisher been in business? Was the product Beta Tested?... By valid, well-known organizations or by friends of the company's owner? Was the product tested against any known viruses? Successfully? What about on-going support? In what form? At what cost? Does the company plan to upgrade its product periodically? What is the upgrade policy? Expected costs?

12. Does the package provide any other useful benefits to the user besides virus protection?

=========================================================================
Date: Mon, 26 Sep 88 00:20:37 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Conference Concerns

It's been a long and bloody war.

Originally, I was told that an organization (ANY ORGANIZATION) at Lehigh could acquire rooms to hold seminars. This fact is true, and in following such procedures, I proceeded to acquire rooms with the okay of two campus organizations.

The Lehigh University Computing Center Staff complained about this little conference. I am told by people that specific members of this list complained that such a conference would make Lehigh look bad and the only purpose of the conference is simply to show off my product. I sincerely resent that. I also resent the fact that I applied through the CSEE department after concerns were lodged that the CSEE department might sponsor the conference.

Bill Harris has stated that Lehigh is not sponsoring it. That has not yet been decided, I simply have not asked the computing center to sponsor it. I dislike the ideology of the center and have disagreed with it publicly on too many occasions.

At this point in time, we are being asked to postpone the conference for 8 months to a year. We are being asked to postpone it because Lehigh feels that the conference was rushed and would make Lehigh look bad.
I disagree because we had a slate of great people coming to discuss the problems. One of the conditions of the conference taking place has also been that I do not participate in the organization several people have told me.

In light of this, I have contacted all but two people who sent checks to me and told them not to make any plane reservations. Anyone who has not heard from me, please send me mail.

HOWEVER, since an overwhelming voice to continue the conference elsewhere has been heard, we looked for an alternate place to hold one. Since all the hotels have been booked up, I am volunteering one of my offices. Since we won't have room for speeches, and I suspect people will not want to come because of these facts, I don't think we will have any speakers.

HOWEVER, since we do seem to have a good number of "experts" coming, we have decided to have some meetings and get togethers concerning the dangers of viruses to Banking systems and secure systems, we would like to review the pro's and con's of Fred Cohen's Complexity Based Security, several people's CRC / encryption / and signature schemes, and I'd like people to look over my own Separation Schematics if they would like.

I will post a list of who is coming later this week. We will be getting together Friday night and Saturday of the same weekend. As I hear who still wants to come, this week I will be sending out maps and hotel information (if anyone needs it) to those interested at MY COST. I will be returning those people's checks who sent them. If anyone wants to donate their checks to defer the cost of mailing out maps and hotel info, as well as coffee and donuts, that is fine, but it is completely unnecessary.

I would like to greatly thank those people who have helped so much with this project, they have been a great support team.
I know we will already have a decent gathering of minds that weekend, and I sincerely hope something comes out of the meetings, whether that be some new security designs, some new ideas, a new way of looking at the problem or anything. Notes from the conference will be distributed to whoever might want them, at cost of postage to send them.

Again, thanks to all those people who have been a help in getting this together. Even though we have been pushed off by the Lehigh University Computing Center, I still think we will do fine.

Thank you,

Comments please forward to LKK0@LEHIGH.

Loren K Keim

=========================================================================
Date: Mon, 26 Sep 88 00:28:47 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Conference Continued

A couple more items I seem to have missed looking at my notes.

As for those people who claimed I was setting this up for my own benefit: I don't want anyone to be unnerved by that. We invited 4 other anti-viral software firms to send people, and did not plan on showing our wares. I'd also like to thank Dennis Director of Director Technologies (Disk Defender) for volunteering his services.

I have been receiving a constant barrage of questions recently, and I am very sorry if I missed replying to some. Some I had trouble getting to particular arpanet addresses, and some I just didn't have time for, it's been very hectic on this end.

For those two people I could not get in touch with (you know who you are) that sent me checks for the conference. I was unable to contact each of you because I didn't receive a bitnet address with your checks to my knowledge. Likewise, since Ken has elected to keep this a closed list, we can't get a listing of those people on the list, something I personally dislike. Please contact me as soon as possible.

Anyone who received mail and hasn't gotten back to me, I could really use replies from you.
Loren Keim

=========================================================================
Date: Sat, 24 Sep 88 10:00:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: LYPOWY@UNCAMULT
Subject: Virus Conference

I realize that this message doesn't necessarily belong here, but I was unsure as to who I should be contacting, so this seemed like an efficient way of finding out. It looks as if I am going to be able to make it to the Virus Conference after all (because I am an undergraduate, I was forced to find the funds for the trip on my own, and they appear to be coming through). What I need to know is the following:

i) Am I too late? Is it still possible for me to make the required arrangements (I have flights booked, and my travel agent is looking into accommodation as we speak)?

ii) What exactly is the final schedule? I am basing my plans on an earlier version of the schedule.

iii) Who should I be contacting with regards to more information on this conference? (E-mail, that is; I have Ken's address around here somewhere.)

Thanks for any help you can offer!

Greg Lypowy.

=========================================================================
Date: Mon, 26 Sep 88 09:18:03 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Virus Conference - Good News!

Well Folks,

Looks like some of my comments were a bit premature. As the majority of people writing to me have stated, they want the conference to go on, full strength, as I would. I was very afraid that we could not hold a full conference, particularly having speakers for possibly as few as 20-25 people. (We may have more, but this is our current count.) Everyone else seems to think otherwise. The general consensus is that the fewer people that attend, the more dedicated the group, and the easier it may be for people to make their opinions known and discuss the topics completely and possibly come up with something.
Some people suggested (something I hadn't thought of) that we would also be a planning group for future conferences in other parts of the country. It's a good idea. Most of the conferences I've been to have been held for computer hacks and others who know little to nothing about security systems or virii other than what they've read in the trade magazines.

In addition, we have located a country club we can rent rooms from, and two schools have offered us some help, so I honestly believe we will have room for speakers. With this short a number of people, I don't believe we'll be able to pay for two of our possible speakers, BUT we have had a number of volunteers.

We have had a great deal of help from people and I thank you all very much. Especially I'd like to point out Joseph Sieczkowski (did I spell it correctly?), Chris A. Bracy, William A. Bader, and J.D. Abolins for their help and suggestions. There are quite a few others but I can't remember names off the top of my head.

We will be sending a full outline of the conference to the list this afternoon. (I have meetings all day and have some changes I would like to make.)

Those people who have already sent me checks: tell me whether or not you are still coming. If you are, I will be using those checks to pay for rooms, the book which we have just about completed putting together for the conference, and coffee/donuts. We should still have money left over and it will be refunded OR we can take the group out to dinner. I will be sending out hotel info and maps tomorrow morning to those who are coming.

If you haven't sent me a check and you want to attend, please notify me at LKK0@LEHIGH.Bitnet that you wish to attend the conference (I'd like to get an exact head count as early as possible), and send a check for $50.00 to:

Computer Virus Conference
c/o Loren K Keim
PO Box 2423
Lehigh Valley, Pa. 18001

Again, a full outline to be sent probably about 6:00 or 6:30 tonight. That's Eastern time.
Loren K Keim

=========================================================================
Date: Mon, 26 Sep 88 16:37:30 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: SHERK@UMDD
Subject: Conference Continued
In-Reply-To: Message received on Mon, 26 Sep 88 09:40:04 EDT

>since Ken has elected to keep this a closed list, we can't
>get a listing of those people on the list, something I
>personally dislike.
>Loren Keim

I am glad it is closed! I would be very upset if my name appeared on a junk mailing list.

=========================================================================
Date: Tue, 27 Sep 88 01:21:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: Re: 2 years probation

>>Probation is a breeze.
>Is that from personal experience?

heh heh. yup. of course, you knew that, Eric.

By the way, I think it will be easy for Burleson to find another job, as long as his name is not too widely publicized. Of course, this depends on whether the conviction is a felony conviction or a misdemeanor conviction. With a sentence like two years probation, it sounds like a misdemeanor. Most employers are not very concerned about misdemeanor convictions.

- Jeff Ogata

=========================================================================
Date: Tue, 27 Sep 88 08:29:40 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Conference Continued
In-Reply-To: Your message of Mon, 26 Sep 88 16:37:30 EDT

> I am glad it is closed! I would be very upset if my name appeared on
> a junk mailing list.

Actually, the list is quite open; anyone who wants to be on the list can be on the list (as long as they abide by the guidelines). The list of subscribers, however, is not available for public perusal, for just the reason mentioned above.

Regarding the Burleson case, I believe that the AP article said that he was convicted of a third degree felony.
I'd imagine that would make it at least a bit difficult for him to get a job with a reputable firm.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

Calvin: I'm gonna learn to ride this bike if it kills me! ... AAAAAUUUGGGHHH!!!
Hobbes: Did it kill you?!
Calvin: No, it decided to maim me first.

=========================================================================
Date: Tue, 27 Sep 88 14:39:10 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Pennsylvania Legislative virus recommendations

I just received a copy of the Pennsylvania Legislative Budget and Finance Committee's paper, "Study of Computer 'Viruses' and Their Potential for Infecting Commonwealth Computer Systems", which was released on September 21, 1988. While I haven't had too much time to read it thoroughly yet, it seems as though the Committee spent a lot of time on it, and that it could be of value.

The report starts by defining what a virus is and how a virus can spread. It then categorizes the different types of known viruses and discusses methods for prevention, detection, and recovery from viruses. Next, it analyzes what the Commonwealth (of PA) is currently doing to prevent, detect, and recover from a virus. Finally, it presents additional action that may be warranted to prevent, detect, and recover from viruses.

To summarize the conclusions of the Committee:

1) They recommend that "All Commonwealth agencies which utilize computer systems such as personal computers, minicomputers, and mainframe computers should formally assess the risk of each computer system against the infection from computer viruses."

2) "All Commonwealth agencies utilizing any form of electronic data processing (EDP), including personal computers, minicomputers, and mainframe computers, should establish routine backup procedures (at least on a weekly basis) for all active files and programs.
Backup copies of the agency's files and programs should be maintained in a secure location for several months since a virus could lay dormant for an extended period of time."

3) "The Commonwealth, through the Bureau of EDP/Telecommunications Technology, should establish formally written policies on obtaining and using computer software." These include guidelines for software sharing and copying (including via modem), "restrictions on obtaining software from unknown or secondary sources, such as associates, peers, or in the mail through an unfamiliar vendor", restrictions on the use of electronic bulletin boards, and "strict internal controls over access to computer programs and files by EDP users."

4) "Commonwealth agencies using computer systems should conduct computer security awareness training for EDP users."

5) "Commonwealth agencies should also establish a formal procedure for testing existing computer files and programs for the presence of computer viruses using methods as anti-virus software, using 'checksums' prior to running a program, and developing in-house programs to check for unexpected access to programs and files."

6) "Commonwealth agencies which have identified highly sensitive data should explore the feasibility of using encryption to protect against virus infection." They include in this encryption of binaries such that "any unauthorized changes to the program would result in it being unusable."

7) Revisions should be made to "Disaster Recovery Plans for Commonwealth agencies to include provisions for the recovery from the infection of a computer virus."

8) "Since computer viruses are not specifically defined in the PA computer crime statute, the General Assembly should consider amending state law to specifically define each type of action which would be considered a computer crime and also amend the statute to directly relate the penalty imposed to the damage suffered as a result of the computer crime."
9) "The General Assembly should consider enactment of legislation to require and encourage state agencies to develop and implement effective computer security plans and procedures."

Any opinions?

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

Calvin: I'm gonna learn to ride this bike if it kills me! ... AAAAAUUUGGGHHH!!!
Hobbes: Did it kill you?!
Calvin: No, it decided to maim me first.

=========================================================================
Date: Tue, 27 Sep 88 15:24:00 CST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: James Ford
Subject: Virus strikes Tuscaloosa.

Well gentlemen (and women), it seems that a virus has struck Tuscaloosa and I've been called on to try and help. I haven't seen the infected computers yet, but here is a description of what I do know.

1) The FAT that points to valid data space is corrupted. It shows one giant corrupted file.
2) All data has been overwritten with FF (hex).

The computers are backed up once a week, so there is a copy of the data that was lost. However, transactions since then are not recorded. Is there any way to recover the corrupted data? (I believe that they were using COMPRESS, MIRROR and PCBACKUP to back up the files...)

Any hints on what this problem might be? It's rather important to find out, since the affected facility is in the health field.

Any comments/hints/suggestions would be appreciated.

James

=========================================================================
Date: Tue, 27 Sep 88 21:42:39 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Conference Speeches Outlined

Here's a quick outline of the speeches to be held at the conference. Any questions or suggestions (as we've had several people ask to discuss telecommunications concerns and ATM concerns) we'll review and try to accommodate.

SPEECHES
--------

What are Viruses?
-----------------
What are viruses? Where do they come from? Reviews of different forms they take, including Boot Sector Viruses, .EXE viruses, Unix and VMS viruses. Reviewing the Lehigh, Yale, Brain, Christmas, and Israeli viruses.

Tracking Computer Viruses
-------------------------
How several organizations track virus writers.

Computer TapeWorms
------------------
Reviewing the Xerox research on Computer Worms and their dangers.

Computer Security Concerns I
----------------------------
Are schools in real danger of losing research? How can we protect businesses and colleges from the dangers?

Computer Security Concerns II
-----------------------------
System Integrity in large networked environments. Government security systems, banking systems, and virus defense designs. Included will be Limited Transitivity models, Limited Functionality ideas, the Bell-LaPadula Model, the Biba Model, and the Complexity Based Functionality Model. Future concerns will be discussed.

Future Virus Concerns
---------------------
The ease with which a complicated virus could attack our banking systems and major industries. How we will stop these happenings. AT&T's new defense models and other companies packaging software protections with their programs.

PANEL DISCUSSIONS
-----------------

Panel Discussion on Current University Computer Concerns
--------------------------------------------------------
Several panelists from different anti-viral companies will be discussing this.

Suggested:
---------
Panel discussion on ATM networks and telecommunications.

DEMONSTRATIONS:
--------------
Demonstration of the various anti-virus programs by their respective companies will take place. A demonstration of a tape worm will be performed. A demonstration of Unix System viruses will be performed.

ROUND TABLE DISCUSSIONS:
-----------------------
People would be free to discuss viruses and computer security concerns with each other, and freely introduce themselves.
We've also been asked to hold sessions concerning banking systems and the danger to ATM networks, and the danger to networking in general and telecommunications.

PAPERS:
------
A variety of papers and books will be available for free and for sale.

BOOK:
----
A book with copies of some of the speeches given, and several articles on viruses, computer security, encryption schemes, and computer law will be printed and distributed to those who show up. We will include a paper on worms, a paper on virus-like games, a detailed look at security models / their uses and limitations, a full listing of known viruses / pseudocode breakdowns / possible defenses.

=========================================================================
Date: Wed, 28 Sep 88 01:07:20 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David A. Bader"
Subject: Time Magazine article

The story on viruses in the latest issue of Time Magazine has spurred a LOT of conversation on this local area's Bulletin Board Systems. Of the half-dozen that I have been logged into tonight, MOST have had conversation regarding the integrity of their files, and also different scare stories of "other viruses."

David A. Bader
DAB3@LEHIGH

=========================================================================
Date: Wed, 28 Sep 88 09:39:26 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Conrad Jacoby (DC)"
Subject: Book from virus conference

Hi there!!

Is there any way that the book mentioned in Loren's description of the upcoming virus convention could be made available to the more general public? I and the people I work for would be very interested in such a volume. And obviously, we'd pay money for it.

-------------------------------------------------------------------------------
Conrad J. Jacoby
Yale University, Sterling Memorial Library
"Generalist at Large"
P.O. Box 3805 Yale Station, New Haven, CT 06520
(203) 436-1402
Jacoby@YaleVm.Bitnet
-------------------------------------------------------------------------------

=========================================================================
Date: Wed, 28 Sep 88 08:47:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David D. Grisham"
Subject: Real (Conference Proceedings)

Sorry for the last piece of unintended mail (a stuck buffer). Anyway, I personally would like to place a request early for the "book" of papers, etc. that Loren referred to in her last letter. I imagine that I am not the only one who does not have the travel funds, but can spring for the proceedings.

Dave

=========================================================================
Date: Wed, 28 Sep 88 15:49:43 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David Voss

>Well gentlemen (and women), it seems that a virus has struck Tuscaloosa and
>I've been called on to try and help. I haven't seen the infected
>computers yet, but here is a description of what I do know.
>
> 1) The FAT that points to valid data space is corrupted.
> It shows one giant corrupted file.
> 2) All data has been overwritten with FF (hex)
>
>The computers are backed up once a week, so there is a copy of the data
>that was lost. However, transactions since then are not recorded. Is
>there any way to recover the corrupted data? (I believe that they
>were using COMPRESS, MIRROR and PCBACKUP to back up the files...)
>
>Any hints on what this problem might be? It's rather important to
>find out, since the affected facility is in the health field.

By 'corrupted data' do you mean FAT data? Your note is a bit ambiguous. Is it the FAT that has been overwritten with FF hex?
If just the FAT (file allocation table, of which DOS maintains two copies, by the way) is destroyed, you can use CHKDSK to collect the data into a series of files (named FILExxxx.CHK, where xxxx is a sequential number) that can then be scanned with something like the Norton Utilities. This is only effective with clear ASCII text, not compressed files. The data can be recovered, but it takes work.

If, however, the data has been overwritten there is no hope of recovery. Data entered after the last backup is gone.

The problem could be a virus, or it could be something else. It's important to isolate the software that was being used during the crash and check against master copies.

-- David Voss [fb.dfv@stanford]

=========================================================================
Date: Wed, 28 Sep 88 20:20:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Santanu Sircar
Subject: FSP_12

Does anyone have an ARC-ed version of Flu-Shot v1.2? I was not able to correctly decode FSP_12.UUE which I received from LISTSERV@LEHIIBM1. Thanks.

-Santanu Sircar- (SSIRCAR@UMAECS)

=========================================================================
Date: Wed, 28 Sep 88 20:27:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: RE: FSP_12

FSP_12 IS VERY BUGGY. WHY NOT TRY FSP_14?

-David

From: David A. Bader, Studentis Maximus
DAB3@LEHIGH
ZDABADE@VAX1.CC.LEHIGH.EDU
HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU
SloNet: 1402 Lorain Avenue, Bethlehem, Pa. 18018
SchoolNet: Box 914, Lehigh University, Bethlehem, Pa. 18015
-On a mostly harmless blue green planet... -And loving it!
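David Voss's point above, that DOS keeps two copies of the FAT so the second may survive when the first is wiped, as an added Python example that is not code from the list or its participants. The FAT12 diskette image, its 360K media byte and the two-cluster chain are all constructed here for illustration.

```python
"""Constructed FAT12 diskette image: inspect both FAT copies and decide
whether the second copy is still usable when the first has been
overwritten with 0xFF. Illustration only; not a tool from the list."""
import struct

SECTOR = 512
MEDIA_360K = 0xFD   # BPB media descriptor byte for a 360K 5.25" diskette

def build_image(fat1: bytes, fat2: bytes) -> bytes:
    """Boot sector plus two one-sector FATs; only the BPB fields read below are set."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                # jump, as on a real DOS boot sector
    struct.pack_into("<H", boot, 11, SECTOR)   # bytes per sector
    boot[13] = 1                               # sectors per cluster
    struct.pack_into("<H", boot, 14, 1)        # reserved sectors (boot sector only)
    boot[16] = 2                               # number of FAT copies
    boot[21] = MEDIA_360K                      # media descriptor
    struct.pack_into("<H", boot, 22, 1)        # sectors per FAT
    boot[510:512] = b"\x55\xAA"                # boot signature
    return bytes(boot) + fat1.ljust(SECTOR, b"\x00") + fat2.ljust(SECTOR, b"\x00")

def fat_copies(img: bytes) -> list:
    """Slice every FAT copy out of the image using the BPB geometry."""
    bps = struct.unpack_from("<H", img, 11)[0]
    start = struct.unpack_from("<H", img, 14)[0] * bps
    size = struct.unpack_from("<H", img, 22)[0] * bps
    return [img[start + i * size:start + (i + 1) * size] for i in range(img[16])]

def fat12_entry(fat: bytes, n: int) -> int:
    """Unpack 12-bit entry n (two entries share three bytes)."""
    off = (n * 3) // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return (pair >> 4) if n & 1 else (pair & 0x0FFF)

def cluster_chain(fat: bytes, first: int) -> list:
    """Follow a file's cluster chain until an end-of-chain mark (>= 0xFF8)."""
    chain, cur = [], first
    while 2 <= cur < 0xFF8 and cur not in chain:
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain

def diagnose(img: bytes) -> dict:
    """Compare the FAT copies; a good copy starts with the media byte, FF, FF."""
    fats = fat_copies(img)
    header_ok = [f[:3] == bytes([img[21], 0xFF, 0xFF]) for f in fats]
    return {
        "copies_identical": all(f == fats[0] for f in fats),
        "copy_all_ff": [f.count(0xFF) == len(f) for f in fats],
        "copy_header_ok": header_ok,
        "usable_copy": next((i for i, ok in enumerate(header_ok) if ok), None),
    }

# Constructed FAT: media byte, two FF markers, then cluster 2 -> 3 -> end of chain.
GOOD_FAT = bytes([MEDIA_360K, 0xFF, 0xFF, 0x03, 0xF0, 0xFF])
HEALTHY = build_image(GOOD_FAT, GOOD_FAT)
DAMAGED = build_image(b"\xFF" * SECTOR, GOOD_FAT)   # first copy wiped with 0xFF

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY), ("damaged", DAMAGED)):
        report = diagnose(img)
        print(name, report)
        if report["usable_copy"] is not None:
            fat = fat_copies(img)[report["usable_copy"]]
            print("  chain from cluster 2 via copy", report["usable_copy"], cluster_chain(fat, 2))
```

If both copies are wiped, `usable_copy` is `None`, which is the case Voss describes where the data itself is gone and only the last backup remains.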