=========================================================================
Date: Sun, 9 Oct 88 18:52:56 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "James R. Van Zandt"
Subject: disk-wide CRC program

I have enhanced Ted H. Emigh's CRC program and posted it at SIMTEL20.ARMY.MIL. Here is the blurb...

----------------------------------------------------------------------
PD1:FILE-CRC.ARC

FILECRC calculates CRCs for all files on a disk and records them in a file. COMPARE then compares two such files and reports differences, highlighting suspicious changes (file contents changed but creation date unchanged). Useful for spotting viral reproduction and/or damage. This ARC includes source code, executables, and documentation for both. Written by Ted H. Emigh, translated from Pascal to C and modestly enhanced by James R. Van Zandt.
----------------------------------------------------------------------

FILECRC was originally written to detect damage caused by a program run amok. I wanted to use it to detect intentional changes, so I have enhanced it to defeat some of the simpler antiprotection measures a virus or Trojan horse might attempt. FILECRC now calculates a CRC on its own code to detect possible changes, and calculates CRCs starting at an offset into each file. The offset is defined at compile time so it can be different for each installation. COMPARE reports files deleted as well as altered.

SIMTEL20 accepts ANONYMOUS ftp logins with any password.

- Jim Van Zandt
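As an added example, not the FILECRC/COMPARE code from the SIMTEL20 archive, here is a small Python tool built from the description above: it snapshots the CRC of every file under a directory starting at a chosen offset, compares two snapshots, reports deleted and added files, and flags a change as suspicious when the contents changed but the timestamp did not. Assumptions not in the post: a JSON snapshot file, and the modification time standing in for the single DOS timestamp.

```python
# Added example (not the FILECRC/COMPARE code from SIMTEL20): a disk-wide CRC
# baseline and comparison tool built from the post's description, constructed
# from scratch; the JSON snapshot format and the offset argument are its own.
import json
import os
import sys
import zlib

CHUNK = 64 * 1024


def file_crc(path, offset=0):
    """CRC-32 of a file from byte `offset` to EOF.

    Starting at a per-installation offset is FILECRC's trick: a change that
    is engineered to preserve the CRC taken from byte 0 will generally not
    preserve the CRC taken from an offset the tampering code does not know.
    A file shorter than the offset hashes as empty (0).
    """
    crc = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def snapshot(root, offset=0):
    """Record CRC, size and timestamp for every file under `root`.
    DOS kept one timestamp per file; mtime stands in for the 'creation date'."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records[os.path.relpath(full, root)] = {
                "crc": file_crc(full, offset),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return records


def compare(old, new):
    """Diff two snapshots the way COMPARE does: deleted, added and changed
    files, with a change flagged 'suspicious' when the contents (CRC or size)
    differ but the timestamp did not move, the signature of a program that
    restores the original timestamp after rewriting a file."""
    deleted = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed, suspicious = [], []
    for rel in sorted(set(old) & set(new)):
        o, n = old[rel], new[rel]
        if o["crc"] == n["crc"] and o["size"] == n["size"]:
            continue
        changed.append(rel)
        if o["mtime"] == n["mtime"]:
            suspicious.append(rel)
    return {"deleted": deleted, "added": added,
            "changed": changed, "suspicious": suspicious}


def self_crc():
    """CRC-32 of this script's own source. FILECRC checksummed its own code;
    record the value at install time and check it before trusting a run."""
    return file_crc(__file__)


def save_snapshot(records, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, sort_keys=True)


def load_snapshot(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # usage: filecrc.py snapshot ROOT OUT [OFFSET]   or   filecrc.py compare OLD NEW
    if len(sys.argv) >= 4 and sys.argv[1] == "snapshot":
        offset = int(sys.argv[4]) if len(sys.argv) > 4 else 0
        save_snapshot(snapshot(sys.argv[2], offset), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        result = compare(load_snapshot(sys.argv[2]), load_snapshot(sys.argv[3]))
        for kind in ("suspicious", "changed", "deleted", "added"):
            for rel in result[kind]:
                print("%-12s %s" % (kind.upper() + ":", rel))
    else:
        sys.exit("usage: filecrc.py snapshot ROOT OUT [OFFSET] | compare OLD NEW")
```

Take the baseline snapshot from a known-clean boot, keep it off the disk it describes, and compare against a fresh snapshot whenever new software arrives.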
=========================================================================
Date: Mon, 10 Oct 88 00:16:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: LYPOWY@UNCAMULT
Subject: The Human End of Computer Viruses

(This may be an area that was beaten to death a while ago, so if this is the case please speak up!)

Has anyone covered the human end of computer viruses? In particular, what motivates a person to write a virus or Trojan Horse? I realize that challenge and thrill are immediate motivations, but to what extent do they apply? Are they the only thing that keeps 'hackers' going?
I have an idea that these motivating forces may just be the stepping stones for an interest, and that once into it, the 'hacker' develops more sophisticated goals to be met, and for reasons that in the past, perhaps, didn't occur or matter. I have yet to see any papers approaching this topic, which tells me that it is either too obvious to spend time on, or too broad to cover as a topic on its own (obviously it would be generalized to cover computer crimes in general, not just virus writing).

Greg.

=========================================================================
Date: Sat, 8 Oct 88 13:05:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: the Preserver
Subject: DCL virus on VMS

Someone asked how the Albany student's virus could have spread without any special privileges. In any large community of users, a number of them will write their own utilities/programs and share them with other users. An example here at UF is the various public access login sequences maintained by various students for the benefit of the community as a whole. For the virus to spread rapidly, all that would be necessary would be an infection of one of these utilities used by many members of the community; then as the users executed the utility they would infect all of their own files and presumably any utilities they had written. For anyone familiar with DCL the program should not pose a problem; in fact the quote of 123 lines seems inordinately high for such a program.

Possible solutions for VAX managers facing a large community with potential malcontents include making the default root directory protection no world read, setting up a dead account to hold utilities submitted by users, and informing those who do write public utilities to keep the public copy with the write access disabled.
Les Hill
vishnu@ufpine
vishnu@pine.circa.ufl.edu
CIRCA consulting, UF

=========================================================================
Date: Fri, 7 Oct 88 18:42:17 edt
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bennett Todd
Subject: Re: NY Student caught

>On February 29 a student came to the office of the VMS systems manager
>to announce that "a terrible thing happened: I was programming a virus
>and it got loose and now it is all over the system."

The article then went on to explain how the student was immediately restricted, put on probation, and fined 2 grand. That didn't appeal to the comp center; they got him kicked out. Which makes it clear that (1) it doesn't matter what your intentions are, only the results, and (2) having slipped up and let the virus get away, the student shouldn't have reported the problem.

I am sure glad I don't go to that school/work in that comp center/have anything to do with that crowd. Malicious vengeance breeds in kind.

When I was an undergraduate I and a couple of friends worked many many hours breaking the security of the departmental minicomputer... with the knowledge of the system administrator. On those occasions when we managed to crack it we left a note for the admin somewhere we shouldn't have been able to, and he tried to figure out (with our help where necessary) a way to plug the revealed security hole. That was one of the best-run and well-maintained systems I have ever seen before or since. Now that I am an administrator I would dearly love to have some users who were that interested and who cared that much about the system.
-Bennett
bet@orion.mc.duke.edu

=========================================================================
Date: Tue, 11 Oct 88 07:22:14 GMT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
Comments: Warning -- original Sender: tag was JANET@BRIGHTON.AC.UK
From: JANET@VMS.BRIGHTON.AC.UK
Subject: Policy on Informants

I've just read Bennett Todd's msg (Fri 07 Oct 88 18:42) regarding the handling of the NY student. My personal opinion is to totally agree.

Several years ago, some teenagers from a local school found a bug in the HP 2000 BASIC. Some fool(s) thought it was fun to crash the system every night 10 minutes before shutdown, and we couldn't trace who caused it. We were grateful when we were told what was believed to cause it, and once confirmed, HP fixed their bug, happiness returned. No action.

Some staff here don't believe the students really *do* have enquiring minds and *can* find holes. Those who believe tend to have a more open attitude, and a colleague has "tame" ones checking out particular areas. They report on their findings, and he watches in case they go off track.

By all means, hit the *real destructive* types, but fine a *well meaning* informant and you've built a big wall. Then they do their best to keep their activities under a smoke screen on their side, and you're on a losing streak.

Peter Morgan.
[ I think my boss agrees with me, but I could be wrong! :-) ]

=========================================================================
Date: Tue, 11 Oct 88 10:02:48 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: Scores??
In-Reply-To: Scores?? (Mac)

Scores is a highly infective Mac virus supposedly created as a "killer" of applications with types "ERIC" or "VULT". It infects applications and system files and spreads very rapidly. It can be removed either through some fiddly ResEdit hacking or through the use of KillScores (recommended) or Ferret (not so recommended).
Both of these are available from LISTSERV at SCFVM.

--- Joe M.

=========================================================================
Date: Tue, 11 Oct 88 09:56:17 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: Sneak virus
In-Reply-To: Message of Fri, 7 Oct 88 18:43:00 EDT from

I sent private mail about this to someone who asked about it (sorry, I've forgotten who) ...

"SNEAK" detection by Interferon before version 3.1 (now available at LISTSERV at SCFVM) will detect the LaserWriter and LaserPrep files in release 6.0 as possibly being infected. THEY ARE NOT INFECTED !!!!!! Apple made a change to these files so that they would have new and different icons. I can explain about all the bizarre things which the DeskTop file forces you to do when you are changing ICN# resources if anyone is interested, but it's simply that Apple decided to play some fun resource games. The new version of Interferon knows about this.

As a note, Interferon is up to version 3.2 (I believe the version being used by the previous poster was 2.0).

--- Joe M.

=========================================================================
Date: Tue, 11 Oct 88 12:50:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Brian D. McMahon"
Subject: DCL viri

Commenting on the Albany DCL virus incident, Les Hill writes:

> Possible solutions for VAX managers facing a large community with potential
> malcontents include making the default root directory protection no world
> read, setting up a dead account to hold utilities submitted by users, and
> informing those who do write public utilities to keep the public copy
> with the write access disabled.

May I add to the list of (very sensible) suggestions two more:

BE CAREFUL WHEN YOU EXECUTE A COMMAND PROCEDURE THAT DOES NOT LIVE IN A TRUSTED ACCOUNT! (See below)

NEVER, *EVER* EXECUTE A COMMAND PROCEDURE THAT (A) IS NOT IN A SYSTEM ACCOUNT AND (B) YOU CANNOT READ, ONLY EXECUTE.
Ask yourself what the author is hiding by setting access to execute-only.

By "trusted", I mean either a system account or one belonging to a competent, known, and trusted individual; furthermore, as Les points out, it behooves the system manager to make sure such trusted accounts are protected against unauthorized modifications.

As was pointed out earlier, yes, DCL procedures *are* essentially plain text, so protecting yourself against this sort of virus is easy, *IF* you follow a few simple rules, such as looking at the code before executing it. The sad thing is, few people do so. Just remember CHRISTMA EXEC (similar in that it was a command-procedure sort of thing, only on IBM systems and propagating over the network) of last year ...

Brian McMahon

=========================================================================
Date: Tue, 11 Oct 88 13:28:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: the Preserver
Subject: Brain virus! HELP!

Hi guys. Guess what? You guessed!

UF has finally contracted a PC virus.

I would like to ask the readers of this list to please send any useful information on getting rid of and preventing the spread of what is now called the Pakistani (or (c) Brain) virus. We are particularly interested in

An original (unmutated) Brain virus either disassembled or on disk.
Any mutated forms of the above mentioned virus, disassembled or on disk.
Any noted behaviors of the Brain virus and its progeny.
Any suggestions on possible remedies.
Any known carriers, e.g. PKARC

Any and all help is appreciated,

Les
vishnu@ufpine.bitnet        postmast@ufpine.bitnet
vishnu@pine.circa.ufl.edu   postmaster@pine.circa.ufl.edu
CIRCA consulting, UF

=========================================================================
Date: Tue, 11 Oct 88 16:14:29 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Mark F. Haven"
Subject: Re: Policy on Informants

The punishment of the Albany student was way out of line - a 2K fine and booting him out of school for a dumb mistake which he immediately tried to rectify? When I was in college a few friends found a way to lock up a 360 system from APL. Sure we had a little fun with a systems manager who got bent out of shape, but as quickly as he cooled down, and a few laughs were shared, the code was revealed and everyone learned something. Experimenting is how we learn, and in a youthful university environment safeguards must be put in place so that "creative computing" won't cause harm to needed functions. Proactive security by management will be far more likely to effectively protect than heavy-handed punishments. Besides, what 19 or 20 year old really expects themselves to get caught no matter how many severe punishments they might hear of...

=========================================================================
Date: Tue, 11 Oct 88 16:58:12 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Brain virus! HELP!
In-Reply-To: Your message of Tue, 11 Oct 88 13:28:00 EDT

> An original (unmutated) Brain virus either disassembled or on disk.
> Any mutated forms of the above mentioned virus, disassembled or on disk.
> Any noted behaviors of the Brain virus and its progeny.
> Any suggestions on possible remedies.

There were some pretty good descriptions (etc.) of the Brain here on VIRUS-L over the summer (May and/or June, if memory serves me correctly). You might want to start by perusing through the archives.

> Any known carriers, e.g. PKARC

I don't recall hearing anything about PKARC being a carrier of the Brain virus (which only infects boot sectors). Unless anyone else has more info on this, I assume that it's an unfounded rumor. Please, let's not turn VIRUS-L into a place to (even accidentally) start rumors.

Ken

Kenneth R. van Wyk                      Calvin: I can't stop this bike, help!
User Services Senior Consultant         Hobbes: Turn into a gravel driveway and
Lehigh University Computing Center              fall! Quick!
Internet:                               Calvin: Screeeech! Boom! :-(
BITNET:                                 Hobbes: I didn't think you'd listen to me!

=========================================================================
Date: Tue, 11 Oct 88 15:07:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Shawn V. Hernan"
Subject: c

Hello,

Recently here at the University of Pittsburgh we were infected with the 'nVIR' virus. It was detected with Interferon version 3.00 and is currently being eradicated. It was first noticed on a MAC II w/80 meg hard disk. It is known to be in at least 3 of the public labs where Macs are available. Also, it has infected some of the evaluation-only machines available to faculty members. It is assumed that they have carried the virus back to their machines. Also, we are checking an evaluation library of about 150 Macintosh packages for infection.

We are wondering how to inform the user-community without panic. Any ideas?

Shawn Hernan
Academic Computing
University of Pittsburgh

=========================================================================
Date: Tue, 11 Oct 88 17:57:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ACS045@GMUVAX
Subject: VIRUSCON HELP

Hi, I'm wondering if somebody out there in netland can give me a hand with obtaining some more up-to-date info on the VIRUS-CON. I sent in my registration back in September and haven't heard nary a word from anybody since August, seeing as how we lost our BITNET connection for most of September and had to sign off VIRUS-L in August since our accounts were supposed to undergo a name change that never happened. According to the info I received from a friend before we got cut off from the net, I was supposed to receive an information packet through the mail detailing such things as hotel accommodations, a Conference Schedule, exact location of the Conference, etc.
And at this point, 10 days before it's supposed to start, I'm basically one step short of panic with nothing in hand and no answer to any of the mail I've sent to the coordinators. If some kind soul could PLEEZ email me any sort of up-to-date info (like if it's still going on :> ) I would be greatly appreciative.

Thanx,
Steve Okay
ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source.

=========================================================================
Date: Tue, 11 Oct 88 12:43:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Gordon Meyer
Subject: Cursor virus?

Recent reports on a local BBS indicate that there may be a MS-DOS virus that insists on changing the cursor to a "-" character at random times throughout a session. This is unconfirmed, and so far only one user has reported such a thing.

I'm in no way "up" on the current MS-DOS virii (owning an ST myself) so this may be a symptom of an old virus that I'm just not aware of. Can anybody clarify? *IF* this is a virus, does it appear to be a new strain?

Cheers...
-=->G<-=-

=========================================================================
Date: Tue, 11 Oct 88 15:16:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bernie
Subject: Re: Policy on Informants
In-Reply-To: Message of 11 Oct 88 14:14 MDT from "Mark F. Haven"

How can anyone defend this student when we don't know what his intentions were? I agree, the steps taken were drastic, but if virus writing is an ethical question then why was he writing one in the first place? Curiosity is the first thing that comes to mind. Now... If it is curiosity, then by "hacking" he is learning about something that he would never be taught in school. Remember the Cohen experiment. Instead of delving further into research of viruses the admin. clamped down immediately. Overreaction I say, because of fear. Fear that in their high positions they may get their privs.
reduced, not really that it may GET OUT. I don't know of any virus which can tell what machine it is on and reproduce accordingly. I would imagine if such a thing were ever written that it would defeat the purpose of viruses being small so they can hide.

Anyhow, Greg, why do people write viruses etc? Curiosity is one. Media hype is two. Revenge is three.

(Vague as always, BSW)

Ps. The admin. at Albany should have hired that student as a security consultant! :-) .

=========================================================================
Date: Tue, 11 Oct 88 16:45:31 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ben Chi
Subject: *NY Student Caught

The last few days have seen some discussion on this list of the "Albany incident" which occurred at our site. Not being a VMS heavy myself, I've asked my VMS Systems Manager to address some of the specific issues raised by various correspondents. She writes:

/ ---------------------------------------------------------------
/ First, Bennett Todd (bet@orion.mc.duke.edu) is very sure our virus contaminator
/ had good intentions because he came to my office to let me know that the
/ virus had "got away". Detailed examination of the code showed that he
/ was specifically targeting certain usernames (hard coded in) for
/ contamination, and that the main reason he hastened to let me know was
/ that his id and home directory were still hardcoded into the com file
/ which "got away" prematurely, but was always meant to get away. The
/ system manager for this node would have been -- and remains --
/ interested in a serious security analysis by a serious student.
/ She is not interested in lending credibility to students who write
/ Trojan Horse programs -- in poor DCL at that -- to trip up their
/ unsuspecting friends.
/
/ ----------------------------------------------------------------------
/
/ Now regarding the message from XRAYSROK@SBCCVM:
/
/ 1) Com files are indeed readable ascii files which are coded in DCL
/ (very much like REXX). As such they are indeed easy to check to see if
/ they contain the lines of code that betray the virus. That is, ONE com
/ file is easy to check, 4.000 megabytes of files are another matter. The
/ systems people did run a global search thru the filesystem for the
/ telltale code. These sanitary measures of course stole cpu and disk from
/ the users. Part of the payment was to cover such costs.
/
/ 2) Our "virus" was really a TROJAN HORSE: many users who were in the
/ habit of using this nasty customer's com files spread the infection to
/ all the files they had WRITE access to (not exe files, the virus just
/ looked for com files, and specifically looked FIRST for the login.com in
/ each user's default directory.) In fact, as XRAYSROK shrewdly suspects,
/ a bboard (not the one sponsored by the Center, but a student's
/ personal board) was used to spread the virus code.
/
/ 3) Our systems staff are trained to use only code they have checked and
/ tested. No one with "privs" used the virus com file or the independent
/ board, and so no public files that the Center is responsible for were
/ infected. No system files were infected.
/
/ 4) About the reason the student came forward, see my reply to previous
/ letter.

What my systems manager does not mention is that all students here are provided computing access as an entitlement, and in accepting it, agree not to use it for counterproductive purposes. Specifically, a student agrees (among other things) not to

* attempt to interfere with the performance of the system;
* interfere with the legitimate work of another user;
* attempt to circumvent system security.

He signs a statement acknowledging that he understands these points and that nonadherence may result in penalties.
We regard impenetrable system security as both an unattainable and a wasteful goal and refuse to use it as a playing field on which to engage malicious or even curious students. We simply do not have the resources to play these games. We provide students with computer access, BITNET access, b-boards, and all manner of other amenities. If they don't wish to play by our (very reasonable) rules, they can go play somewhere else.

_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.
Benjamin E. Chi                                  BEC@ALBNYVM1.BITNET
Director of Technical and Network Services    or BEC@UACSC1.ALBANY.EDU
Computing Services Center                        fax available but unlisted
The University at Albany, Albany NY 12222 USA    vox (518)442-3702

=========================================================================
Date: Tue, 11 Oct 88 18:31:35 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Christian J. Haller"
Subject: Re: Cursor virus?
In-Reply-To: Message of Tue, 11 Oct 88 12:43:00 CDT from

>Recent reports on a local BBS indicate that there may be a
>MS-DOS virus that insists on changing the cursor to a "-"
>character at random times throughout a session. This is
>unconfirmed, and so far only one user has reported such a
>thing.
>I'm in no way "up" on the current MS-DOS virii (owning an
>ST myself) so this may be a symptom of an old virus that
>I'm just not aware of. Can anybody clarify ? *IF* this is
>a virus, does it appear to be a new strain?
>Cheers...
>-=->G<-=-
------------------
I doubt that this is the result of a virus attack, but I suppose anything is possible. The shape of the cursor is something an application may change, through documented system calls. Many applications display the cursor as a block for insert mode, and an underline for overstrike mode. Other configurations are possible, even a split cursor with a gap through the middle.
I recall the cursor being affected sometimes when an application bombed, especially in BASIC, and once in a while the system didn't freeze up right away. "Normal behavior" for this very unusual household appliance.

-Chris Haller, Cornell University

=========================================================================
Date: Tue, 11 Oct 88 19:46:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Damnation, all that fuss over two pounds of Earthling brain."
Subject: RE: Cursor virus?

I don't know about a virus doing this, but running a CGA program when one's graphics card is set to monochrome will have the cursor show up like that A>-. A program using sloppy procedures could conceivably cause this without being a virus.

=========================================================================
Date: Tue, 11 Oct 88 22:23:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Chris Bracy
Subject: RE: Cursor virus?

>Recent reports on a local BBS indicate that there may be a
>MS-DOS virus that insists on changing the cursor to a "-"
>character at random times throughout a session. This is
>unconfirmed, and so far only one user has reported such a
>thing.

I've worked on a turbo-XT that changes the cursor according to the speed setting. Some software can't deal with this and screws up the cursor on exit.

Chris.

*==============================*======================================*
| Chris A. Bracy               | Student Consultant                   |
| (215) 758-4141               | Lehigh University Computing Center   |
| Kcabrac@Vax1.cc.Lehigh.Edu   | Fairchild Martindale Bldg. 8B        |
| Kcabrac@LehiCDC1.Bitnet      | Lehigh University                    |
| CAB4@Lehigh.Bitnet           | Bethlehem, PA 18015                  |
*==============================*======================================*

=========================================================================
Date: Wed, 12 Oct 88 08:50:51 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: c
In-Reply-To: Your message of Tue, 11 Oct 88 15:07:00 EDT

> We are wondering how to inform the user-community without panic. Any ideas?

Assuming that you have a fix for the virus, then you could start by placing warning messages and signs on any/all of your mainframes (system bulletins) and in all of your public micro labs. The signs should inform the users that there is a virus, what harm (if any) the virus can do, and how to get rid of it. Then, make the fix readily available to all of your users.

That's basically what we did here at Lehigh after some of our student consultants discovered a virus last Fall. System bulletins were issued on all the mainframes, and large, bright signs were placed in prominent places in all of the microlabs. A program to remove the virus was distributed to all of the labs, and made available for download on all of the mainframes. Users who were unsure how to get/run the fix program were told to bring their floppy disks to one of our sites, where a student consultant would run the fix program for them, and show them how to run it on their hard drives. Finally, I sent a message out on the ADVISE-L forum warning other sites about the virus, in case it were to spread outside of Lehigh.

Any other ideas or suggestions?

Ken

Kenneth R. van Wyk                      Calvin: I can't stop this bike, help!
User Services Senior Consultant         Hobbes: Turn into a gravel driveway and
Lehigh University Computing Center              fall! Quick!
Internet:                               Calvin: Screeeech! Boom! :-(
BITNET:                                 Hobbes: I didn't think you'd listen to me!
=========================================================================
Date: Wed, 12 Oct 88 08:26:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: the Preserver
Subject: Help with Brain virus wanted

EDU%"luken@SPOT.CC.LEHIGH.EDU" "Ken van Wyk" writes:

>> An original (unmutated) Brain virus either disassembled or on disk.
>> Any mutated forms of the above mentioned virus, disassembled or on disk.
>> Any noted behaviors of the Brain virus and its progeny.
>> Any suggestions on possible remedies.

>There were some pretty good descriptions (etc.) of the Brain here on
>VIRUS-L over the summer (May and/or June, if memory serves me
>correctly). You might want to start by perusing through the archives.

I am already doing that. However, we here at CIRCA do not want to spend time reinventing the wheel while this (supposedly) benign virus sweeps over campus. In order to minimize the damage done, we would greatly appreciate anyone sharing their previous work with us.

>I don't recall hearing anything about PKARC being a carrier of the
>Brain virus (which only infects boot sectors). Unless anyone else has
>more info on this, I assume that it's an unfounded rumor. Please,
>let's not turn VIRUS-L into a place to (even accidentally) start
>rumors.

>Ken

What I meant to say is this. The virus spread to us from a local BBS which had an arced file which when unarced released the initial Trojan that set the Brain up. Anyone else heard of this? Or are we the victims of a local virus hacker?
(not surprising)

Les Hill
vishnu@ufpine.bitnet        postmast@ufpine.bitnet
vishnu@pine.circa.ufl.edu   postmaster@pine.circa.ufl.edu
CIRCA consulting, UF

=========================================================================
Date: Wed, 12 Oct 88 09:59:54 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Announce w/o Panic

Since the nVIR virus is a Mac virus, I suggest you also provide Vaccine to the persons involved and make up a big poster showing the Vaccine dialog with a message reading "HAVE YOU SEEN THIS DIALOG?" along with what to do, who to see, and assurances that it is (relatively) easy to fix.

--- Joe M.

=========================================================================
Date: Wed, 12 Oct 88 10:10:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Shawn V. Hernan"

Hello,

Just yesterday we discovered 'nVIR' here, and now we have something I've never heard of. Does this look familiar to anyone:

We used Virus Rx to check a program for the nVIR virus and found this:

_________________________
Invisible files and INITs embedded in system files
@#$% FILE----Bostb Be Evill--------:
________________________________________
Warning: Files are too new.
* ZSYS MACS--------System----------:
________________________________________
SUMMARRY:
Invisible Files & Questionable INITs: 1
*One or more questionable files were found.       *
*These don't seem to be of immediate concern.     *
*You may wish to check their resource forks.      *
*Relax for now but run this program again later.  *

The file 'Bostb Be Evill' has us somewhat concerned. Anyone know what this might be?

Shawn Hernan
Valentin@pittvms
University of Pittsburgh

=========================================================================
Date: Wed, 12 Oct 88 10:43:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Mann muss immer alles umkehren
Subject: nVir?

So what's the nVIR virus?
=========================================================================
Date: Wed, 12 Oct 88 10:59:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Hugh Pritchard/Catholic U of America Computer Ctr
Subject: Re: NY student

Bernie writes, jocularly,

> Ps. The admin. at Albany should have hired that student as a security
> consultant! :-) .

People who stumble upon holes in security, or who malevolently take advantage of other users' naivete, gullibility, or trust HAVE BY NO MEANS displayed any qualifications as any sort of "security consultant".

/Hugh Pritchard,                   |on BITNET:   PRITCHARD@CUA
Senior Systems Programmer          |on INTERNET: PRITCHARD%CUAVAX.DNET@NETCON.CUA.EDU
                                   |          or PRITCHARD%CUA.BITNET@CUNYVM.CUNY.EDU
The Catholic University of America Computer Center
(202) 635-5373    Washington, DC 20064, USA

Disclaimer: My views aren't necessarily those of the Pope.

=========================================================================
Date: Wed, 12 Oct 88 11:56:26 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe Simpson
Subject: Macintosh viruses and countermeasures

There is an excellent article on the common Macintosh viruses, including detailed descriptions of how they work, can be identified, and can be eradicated. The article also attempts to put the virus issue into appropriate perspective and, in my opinion, succeeds. As a bonus social and legal issues are covered. My congratulations to a remarkable author!

MacWorld, November 1988, "Mad Macs", Suzanne Stefanac, pp. 93-101.

=========================================================================
Date: Wed, 12 Oct 88 13:14:06 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: Bost be Evill

About 2 months ago there was an outbreak of this sort elsewhere. I don't recall where, but it's in the VIRUS-L archives.

Which brings me to a question: How do you grab VIRUS-L archives?
- Jeff Ogata
=========================================================================
Date: Wed, 12 Oct 88 11:23:27 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: Brain virus! HELP!
In-Reply-To: Message from "the Preserver" of Oct 11, 88 at 1:28 pm

> Hi guys. Guess what? You guessed!
>
> UF has finally contracted a PC virus.
>
> I would like to ask the readers of this list to please send any useful

Ok, I give up. Who or what is UF? We must all be aware that this is a global board, and that not all of us are on the same campus, or even in the same country.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science      Office (414) 229-5170         |
| University of Wisconsin-Milwaukee  Home (414) 962-4719         |
| Milwaukee, WI 53201 U.S.A.        Modem (414) 962-6228         |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Wed, 12 Oct 88 13:18:12 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ed Nilges
Subject: Re: NY student
In-Reply-To: Message of Wed, 12 Oct 88 10:59:00 EDT from

> Bernie writes, jocularly,
>
> > Ps. The admin. at Albany should have hired that student as a security
> > consultant! :-) .
>
> People who stumble upon holes in security, or who malevolently take
> advantage of other users' naivete, gullibility, or trust HAVE BY NO
> MEANS displayed any qualifications as any sort of "security consultant".

I heartily agree, yet in spite of Mr. Chi's recent posting on this brouhaha, I still believe that the student's punishment was cruel and unusual. Mr. Chi revealed that the student's primary concern seemed to be that his own directory was threatened by the virus. However, the student doubtless knew that if he revealed his behavior to the systems manager, he would probably lose the account anyway.
The wording of his confession, "something terrible has happened", reveals, to this writer, an honest remorse and desire to fix the problem. No, the student should NOT be hired as a security consultant. But neither is it ethical or fair to make him a nonperson. Community service, and a course in business and scientific ethics, seem to be the ticket here.

It still appears that the student's case appeared at exactly the wrong time, right after a TIME magazine article which, although reasonably accurate and well-researched, spread fear among non-programming computer users as to the safety of their files. The case also sets a bad precedent, for real programmers will be at risk if ethics and law do not discriminate between honest mistakes, negligence, and malice. Imagine losing your job over a bug...who said it, in Shakespeare's King Lear, "use every man according to his deserts, and who should 'scape whipping?"?

Disclaimer: these views are mine, and do not represent those of my employer.
=========================================================================
Date: Wed, 12 Oct 88 14:04:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: the Preserver
Subject: Brain virus help....

I thought everyone knew, UF is the University of Florida :->

Les
vishnu@ufpine.bitnet
=========================================================================
Date: Wed, 12 Oct 88 14:17:58 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Bost be Evill
In-Reply-To: Your message of Wed, 12 Oct 88 13:14:06 EDT

> How do you grab VIRUS-L archives?

As described in my monthly announcement, you can get the archives by sending mail to LISTSERV@LEHIIBM1. Please do *not* send this to VIRUS-L@LEHIIBM1! In the message, put any of the following commands:

HELP - gives you some info on using the LISTSERV.
INDEX VIRUS-L - lists the files available on the LISTSERV.
GET filename filetype - sends the requested file to you via e-mail.
The archive files are in the following format:

VIRUS-L LOGyymmw

where yy is the year (88), mm is the month (05, 06, ...), and w is the week (A, B, ...). For example, VIRUS-L LOG8809A contains the first week's worth of conversations in September, 1988. Note that there's a space between the filename and filetype, not a period like in most operating systems.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

Calvin: I can't stop this bike, help!
Hobbes: Turn into a gravel driveway and fall! Quick!
Calvin: Screeeech! Boom! :-(
Hobbes: I didn't think you'd listen to me!
=========================================================================
Date: Wed, 12 Oct 88 14:42:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ACS045@GMUVAX
Subject: Thanx and one more question...

Thanx to all of you who sent me the Conference info....now if you'll indulge me one more question...how close is the Allentown Holiday Inn to all of this?? I couldn't afford the Sheraton and wasn't willing to take a chance on any of the local hostelries, so that's where I'm going to be. Also, if there's anybody else from Virginia going, drop me a mail message...my ride just pulled out from going and so I'm trying to work out alternate transportation, etc. (I'll be there on Friday...I've put too much aggravation into this to give up now :>)

---Steve
=========================================================================
Date: Wed, 12 Oct 88 13:28:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken De Cruyenaere 204-474-8340
Subject: Global Board

> Ok, I give up. Who or what is UF? We must all be aware that this is a
> global board, and that not all of us are on the same campus, or even
> in the same country.

Good point! While we're at it, who or what is UTEP??
Ken De Cruyenaere
Computer Security Coordinator
University of Manitoba - Winnipeg, Manitoba, Canada
=========================================================================
Date: Wed, 12 Oct 88 15:34:41 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Mark F. Haven"
Subject: Re: Global Board

> Date: Wed, 12 Oct 88 13:28:00 CDT
> From: Ken De Cruyenaere 204-474-8340
> Subject: Global Board
>
> > Ok, I give up. Who or what is UF? We must all be aware that this is a
> > global board, and that not all of us are on the same campus, or even
> > in the same country.
>
> Good point! While we're at it, who or what is UTEP??

UTEP is a BITNET address for the University of Texas at El Paso Computer Center. UF is a common abbreviation for the University of Florida. Given that this is a very international board, it would be helpful if we avoid abbreviations, no matter how common we think they are.
=========================================================================
Date: Wed, 12 Oct 88 16:21:44 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David M. Chess"
Subject: The "Brain" virus from an ARC file

That's very interesting! I've never heard of anyone getting it that way before. Are you sure that's what happened? There is an ARC file going around the boards that contains a binary dump of the "Brain", but you'd have to take rather sophisticated conscious action to produce an infected diskette from it. If there's really an executable (EXE or COM or...) going around that puts the "Brain" onto a diskette, I think we'd all like to hear about it. Please go on!

Dave Chess
Watson Research
=========================================================================
Date: Wed, 12 Oct 88 16:46:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GREENY
Subject: re: re: NY Student

> > P.S. The admin. at Albany should have hired that student as a security
> > Consultant :-).
> People who stumble upon holes in security, or who malevolently take
> advantage of other users' naivete, gullibility, or trust HAVE BY NO
> MEANS displayed any qualifications as any sort of "security consultant".
> /Hugh Pritchard

Personally, I think that they would have been much better off to simply put the student on Disciplinary Probation, and then given him a job in the computing center as a consultant. That is probably what the student was looking for in the first place, and by his own admission that he wrote a virus which escaped -- he proved that he does have some responsible bones in his body. If he didn't, then he could have simply claimed that a rogue hacker got into his account and proliferated a viral program to get him into trouble -- and no one would probably have been able to prove a thing.

Several years ago, I was introduced to the UNIX system here at my campus and quickly grew to love it -- the brevity of the commands made it a dream for someone like me who despises "user friendly" interfaces which assume that you really don't want to do something that you went to the trouble to key in. UNIX doesn't bug ya with annoying messages. Also, it is very secure if set up in the proper manner....however, several years ago, I accidentally discovered a bug one day when I performed a shell escape from MAIL and created a temporary message to send to a colleague....the file I created was owned by ROOT (not my account...) and from this it was relatively easy to obtain superuser status on the machine. I went to the system admin. and informed him of this bug. We quickly became friends as he saw that I was a responsible individual, and he made the offer to me that "if I ever wanted superuser status for *ANY* reason, that he would give it to me...", but that he would appreciate it "if I were to ask for it, and not simply take it, because if someone got into my account, then it could create havoc...". This request was simple, and I have lived with it for a long time.
We are still friends, and when I come across a bug or a sec. hole, I tell him. But if I had been fined $2K, suspended, and whatever else, then you can bet that the university would be having some severe problems with getting me to stop spreading information about all of the bugs.....first amendment rights would probably protect me enough so that I could produce a "For Informational Purposes Only" newsletter about the computing bugs....and as we all are well aware -- accounts are VERY easy to come by.

---- Moral of this dialogue?: Simple really, when you find a hacker -- befriend him/her/it and try to use it to *YOUR* advantage. Besides, if the hacker could program well enough to get in, why not hire the hacker...the hacker has proven his/her/its capabilities already, and to not utilize them to the fullest would be foolish...

....*flame off* -- mellow out and give the guy a second chance...

Bye for now but not for long

Greeny
Bitnet: miss026@ecncdc
Internet: miss026%ecncdc.bitnet@cunyvm.cuny.edu
Disclaimer: #include

P.s. I definitely know what school I'm *NOT* going to continue my graduate studies at... :->
=========================================================================
Date: Wed, 12 Oct 88 16:04:09 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim Marks
Subject: Re: Global Board
In-Reply-To: Message of Wed, 12 Oct 88 13:28:00 CDT from

In reply to the question about UTEP... How did that come up? Anyway, UTEP stands for University of Texas at El Paso (I guess that's what you mean). This is as opposed to the University of Texas at Austin, or UT for short, which is also short for University of Tennessee (at Knoxville). Which is probably why what Ken said makes a lot of sense. After all, here in the Southeast, USC often means Univ. of South Carolina, while in California it means something else. We're quite often overassuming (is that a word?) on here.
If in the slightest doubt (and this doesn't just go for college names), spell it out.

Jim Marks
Georgia Tech Research Institute (GTRI)
Georgia Institute of Technology (GIT or GT...)
=========================================================================
Date: Wed, 12 Oct 88 14:43:52 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Douglas James Martin
Subject: Re: NY student

> The wording of his confession "something terrible has happened"
> reveals, to this writer, an honest remorse and desire to fix the
> problem.

Maybe I misunderstood the previous postings, but it sounded to me like the virus 'got away' while evidence of the author remained in it. On that basis my immediate suspicion would be that the author knew he would be caught and hoped that by coming forward he might reduce the unavoidable consequences. It doesn't sound to me like there was any "honest mistake" involved; he WAS working on a Trojan Horse (at least, according to these postings), which just happened to go off before he planned it to. I don't have the information to say whether I'd be in favour of indefinite suspension, since there isn't enough detail given about what the Trojan Horse did to its "recipients", but I'd almost certainly be in favour of cutting off the guy's computing access.
=========================================================================
Date: Wed, 12 Oct 88 17:22:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: LYPOWY@UNCAMULT
Subject: Conference Attendance

Is there anyone else (on this list) from Canada who is planning on attending the upcoming virus conference? (Send me E-Mail...don't reply to this message or the list will be full of mail that not everyone needs to wade through :-) ).

Greg Lypowy (LYPOWY.UNCAMULT.BITNET)

P.S. I'm just curious really!
=========================================================================
Date: Wed, 12 Oct 88 22:06:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Shawn V. Hernan"
Subject: networks

Does anyone know for sure whether the 'nVir' virus can spread over a network? Specifically AppleShare and TOPS? That is, if I'm running an application from a file server, is the floppy in my machine at risk? I suspect yes, but some Macintosh folx I know think otherwise (they are not familiar with viruses at all). Any help is appreciated.

Shawn V. Hernan
Valentin@pittvms
University of Pittsburgh
=========================================================================
Date: Thu, 13 Oct 88 08:59:46 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: networks
In-Reply-To: Message of Wed, 12 Oct 88 22:06:00 EDT from

None of the Mac viruses now known can actively transfer across a network. If you run a program on a server which is infected, that program can infect your machine. However, if your machine is infected, it cannot infect the server. The program MUST be run on the target system to infect it. Clear? :-)

---Joe M.
=========================================================================
Date: Thu, 13 Oct 88 09:29:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Glen Matthews
In-Reply-To: In reply to your message of WED 12 OCT 1988 13:28:00 EDT

The University of Texas at El Paso, 'natch!
=========================================================================
Date: Thu, 13 Oct 88 08:37:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Gordon Keegan
Subject: Ditto

> P.s. I definitely know what school I'm *NOT* going to continue my graduate
> studies at... :->

That goes for me, too!
=========================================================================
Date: Thu, 13 Oct 88 13:51:13 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Neil Goldman
Subject: Wang/VS Virus

No, I am not currently aware of any Wang/VS viruses; however, I am interested to know if anyone has seen or heard of any. Thanks.

Neil A. Goldman
NG44SPEL@MIAMIU.BITNET

Replies, Concerns, Disagreements, and Flames expected. Mastercard, Visa, and American Express not accepted.
=========================================================================
Date: Thu, 13 Oct 88 16:04:01 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: (Mac) Networks and Virus Spread

Gene Lott has pointed out to me how a file server could infect a number of other machines. He is absolutely correct - an infected server will allow you to infect your machine if you run any of its software on yours. Also, if a user with write access to the server is infected, the server can become infected.

The AppleTalk networks I was thinking of were in general simpler ones, without file sharing or servers - a typical two-Macs-and-a-LaserWriter setup. In this case, the known viruses will not spread from machine to machine, because they are unable to use AppleTalk themselves to propagate - they must be carried by driver (vector? :-) ) software.

--- Joe M.
=========================================================================
Date: Thu, 13 Oct 88 17:46:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: The CAEC managers
Subject: Help!

To Everyone: Help! My name is Tom Kurke, and I am a consultant at Villanova University... apparently we have been infected by some kind of "virus", "trojan-horse" or something.... Let me give you the information that I know now. Apparently, when using Bank Street Righter (in our micro-labs, using floppy disks with hard disk access...
DOS is on the hard disk), Bank Street Righter corrupts the information on the data disk - namely, all of the files are still on the disk (they haven't been written over), but there are no directory entries for them. Stranger than that, if you use Norton to peek at the FAT sectors and the DIR sectors, you find that in almost all cases a file has been saved in the DIR area, either in sector 12 or sector 14, areas reserved specifically for directory information. Also, when trying to call the files up using Bank Street Righter, an "@" appears in the upper right hand corner, or a date like 6/11/88.

Any information that you can provide me about this would be greatly appreciated. I am not one who knows much about Bank Street Righter - nor how it saves files, but does this sound like a viral attack or just a hacker doing something to corrupt our copies of Bank Street Righter? Any information that you can provide me with will be greatly appreciated... thank you!

Sincerely,

Tom Kurke
Consultant
Computer Aided Engineering Center (CAEC)
College of Engineering
Villanova University
Villanova PA, 19085
NuclearTHREATNet: Villanova.Bomb
Bitnet: CAEC@VUVAXCOM
UUCP: ...!vu-vlsi!excalibur!CAEC
MA-BellNet: (215) 645-7360
Home of the Wildcats!

A standard disclaimer applies to anything that I may have blabbed about above -- the views I have expressed are solely mine, not the University's... come to think of it, if that EVER happened that would be a strange coincidence indeed!!!
;-)
=========================================================================
Date: Thu, 13 Oct 88 16:43:29 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Kevin Trojanowski
Subject: RE: NY Student

I agree that the punishment in this case WAS a bit severe. But, by the same token, to give the student a job as a consultant or security person would do nothing but encourage this kind of activity. Anyone wanting a job in such a position would have to do nothing but hack their way into the system somehow and create a virus or trojan horse. Far from productive, I think.

-Kevin Trojanowski
troj@umaxc.weeg.uiowa.edu
=========================================================================
Date: Thu, 13 Oct 88 18:22:09 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: GARY SAMEK
Subject: RE: NY Student
In-Reply-To: Message of Thu, 13 Oct 88 16:43:29 CDT from

I would like to share a similar situation, as far as hiring a student who is known to have done questionable activities on a computer.

Back when we had a DEC 2060, a high school student discovered that he could advise the operator console from a batch file, an obvious security problem. He then used the operator privs to discover the passwords for all of the privileged accounts. We decided that the best move was to reset all of the passwords for all of the accounts, which became a very uncomfortable situation on the entire campus. We were finally able to catch this individual the second time he tried the same trick. Our user services manager had a talk with this individual and felt that this person could be trusted since he was only experimenting with a main frame. This manager hired the student when he began to attend classes at this university. The student was hired on as a user assistant, a student worker who is available outside the hours of 8-5 for students unfamiliar with the use of computers.
With this job he was given an account with few resource restrictions, but no privs (at least some intelligence had been shown up to this point). When the student was promoted a year later to problem analyst, which is essentially a first defense for staff members, he gained access to an account with limited privs. The student then used these privs to begin to learn how to bypass accounting records of his activities. The first time he was caught doing this, this institution gave him a verbal slap on the hands, yet continued to show their good will and trust by letting the situation end at that. The student was again caught doing the activities as before when he had unsuccessfully attempted to update his accounting records on all three of the main frames we had at the time. Finally, the student was brought before a university review board and suspended for one year from this university.

In summation, it has been my experience that once someone is let off too easily from a major offense, this individual will be unable to find a reason to discontinue his activities. He will only feel that it is more exciting, and that he only needs to be a little more careful next time. Thus, a feeble attempt at discipline may only lead to a potentially greater risk in the future.

I apologize for the long letter, but this is a very embarrassing situation for the university and those of us who maintain the computers for the academic environment.

Disclaimer: These views are entirely from my own viewpoint and no one else's. At the time of these activities, I was in no way responsible for hiring and firing, nor was I responsible for the security or maintenance of these mainframes.
Gary Samek
Bitnet C133GES@UTARLVM1
Telnet C133GES@UTARLG
Arpanet C133GES@UTARLG.ARLINGTON.TEXAS.EDU
=========================================================================
Date: Thu, 13 Oct 88 19:10:52 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: networks
In-Reply-To: Message from "Joe McMahon" of Oct 13, 88 at 8:59 am

> None of the Mac viruses now known can actively transfer across a network.
> If you run a program on a server which is infected, that program can
> infect your machine. However, if your machine is infected, it cannot
> infect the server. The program MUST be run on the target system to
> infect it. Clear? :-)

That seems strange to me. It seems that in any system, if a file is writable, then a virus can write to it. Of course, if read-only status can be enforced, then infection of the file can be prevented. Thus, only if a server file is read-only, and NO code in the local machine can write to the server, is the above true. Any comments?

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science      Office (414) 229-5170         |
| University of Wisconsin-Milwaukee  Home (414) 962-4719         |
| Milwaukee, WI 53201 U.S.A.        Modem (414) 962-6228         |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Thu, 13 Oct 88 21:12:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Daniel M. Greenberg"
Subject: RE: NY Student

Gary Samek (C133GES@UTARLVM1) writes:

> In summation, it has been my experience that once someone is let off too
> easily from a major offense, that this individual will be unable to find
> a reason to discontinue his activities. He will only feel that it is more
> exciting, and that he only needs to be a little more careful next time.
> Thus, a feeble attempt in discipline may only lead to a potentially
> greater risk in the future.

That is quite a strong generalization. Your experience with just one person has condemned all. This might even be correct in a majority of cases, but not always. Some people do learn from their mistakes. Oh, and by the way, I think the fault was that the University didn't do anything to make him realize it was serious the first time he tampered with the accounting.

Just in case you don't know, many past hackers work for large corporations or the government as informants on security.

Daniel
=========================================================================
Date: Thu, 13 Oct 88 21:04:03 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: portal!cup.portal.com!dan-hankins@SUN.COM
Subject: Bank Street Righter

Are you sure that's not Bank Street Writer? Anyway, it sounds to me like a perfectly ordinary bug in the program. Contact the author or get another copy of the program from a completely different source (like the author) and see if the two programs are the same size and behave the same way. Do a DIFF on the two programs. If they are identical and both corrupt data, it is most likely a bug. If they are different, then one of three things has happened: you have a buggy file, a file which was corrupted during transmission by line noise, or a file which has been deliberately modified to be hostile. The last of those is the least likely, and the first the most likely. Most programs that trash data have bugs.

Dan Hankins
=========================================================================
Date: Fri, 14 Oct 88 07:07:46 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Otto Stolz +49 7531 88 2645
Subject: How can we help, at all? OR: netiquette, again

To Tom Kurke: What sort of system are you using? Macintosh?? Unix??? MS-DOS???? Atari????? Other??????
To everybody on this list: Please, please, please, DO INDICATE THE SYSTEM in question in the subject fields of your contributions. Let us know what you are gonna discuss with us! After all these discussions, I still do not know to which sort of systems the "Pakistani" and "Brain" viri are bound -- honestly! Can anybody tell me?

To Ken: The same holds for VIRUS-L FILELIST, available from LISTSERV at LEHIIBM1. The NOBRAIN, FluShot+, and other programs are USELESS to everybody who doesn't know (like me) for which system they are meant -- and I reckon that is the major part of possible users of this service.

I hope that helps (me and everybody in this discussion group :-)

Otto
=========================================================================
Date: Fri, 14 Oct 88 10:09:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David M. Chess"
Subject: Ex-hackers (was "Re: NY Student")

Daniel M. Greenberg (DMG4449@RITVAX) mentions in passing:

> Just in case you don't know, many past hackers work for large
> corporations or the government as informants on security

Does anyone have any evidence (there I go again!) that this is really true? It's certainly "common knowledge", and it happens constantly in paperback novels, but the few actual security managers that I've mentioned the subject to have generally laughed at the idea, and indicated that an ex-cracker would be the *last* person they'd want to hire.

DC
=========================================================================
Date: Fri, 14 Oct 88 10:45:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: EAE114@URIMVS
Subject: Hackers as security consultants

On the idea that hackers can and/or should be hired as security consultants: In the not-so-old days when competent computer people were hard to come by, it made sense to hire hackers to help your security effort.
The extra effort to control them and the leap of faith required were made worthwhile because of the limited pool of talent available. I do not think this is true anymore. It IS still true that hackers may be an important source of talent, IF you have the resources to control them, or a loose enough situation to prevent severe damage. If, as in most places I've been, you can't spare the effort, I'd still say that a first offence ought to result in forced restitution and a real short chain. Class this as stupidity, rather than malice. A second offence is evidence of both stupidity AND severe mental defectiveness, and ought to get a body bounced as high as you can get them.

Eristic (EAE114@URIMVS)
=========================================================================
Date: Fri, 14 Oct 88 11:05:43 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe Simpson
Subject: Macintosh network exposure to viruses

The generally imprecise use of terminology in network discussion may mislead persons discussing the potential for spread of viruses on Macintosh networks.

"AppleTalk" is a generic name for a suite of protocols defined by Apple Computer. The suite of protocols, in and of itself, provides very little applications level service. Useful applications are built on top of the AppleTalk protocols, for example laser printing service and network dot matrix printing. To share data one must add additional software. Two very common products to accomplish this are AppleShare and TOPS. Using these as our models we can talk about network exposure to viral contamination.

First. If a virus is written to use low level AppleTalk protocols directly to spread a virus from an infected host, I believe that the target machine would have to be running software beyond the low level protocol suite. Some examples would be disk sharing software or email software. We are now talking about a very sophisticated (and probably very large) virus.
Note that the requirement of higher level software is a premise and not an established fact.

Second. A virus that interacts with disk media at the read/write block level probably cannot propagate via read/write block over the network. Again this is a premise, not a verified conclusion.

If one accepts these premises, network exposure to viruses falls into two classes.

Class B (banal). If one is running disk or file sharing software and executes a virus vector on the local machine, then the local machine is at the same level of risk that it assumes if the executable application were resident. This statement also applies to trojans and generally buggy software and is a tribute to clean design and accurate coding of the Macintosh OS and AppleTalk protocol suite.

Class A (awful). The typical virus assumes a domain of addressable files (volumes only if one accepts low level read/write, which I do not). If an infected host has in its domain of addressable files a subset that is addressable by other, uninfected, clients of the network, then the network should accelerate the spread of the virus.

My premise, not verified conclusion, is that many disk/file sharing applications on AppleTalk are very clean implementations and present a "local disk" image to applications that avoid low level read/write.

Tentative conclusions. The risk is real and must be assessed against the benefits of the network. Network administrators (and under TOPS individual clients) should develop a strategy to determine the scope of files that are addressable by others and the permissions granted to these persons.

Obvious(?) techniques to reduce exposure.
1. Don't permit access to a system folder by other than the local machine.
2. Where practical, make executable applications read only.
3. Try to limit write access to shared domains to data files only.

If anyone is able to confirm or invalidate any of my premises, I would be very grateful to them.
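Joe Simpson's three techniques turn into a mechanical check quite naturally: walk the shared volume and flag whatever violates them. The script below is an added example, not part of the original VIRUS-L thread and not an AppleShare or TOPS tool; it uses POSIX permission bits as a stand-in for server access privileges, and its notion of an executable (any exec bit, or one of a few assumed suffixes) and of a system folder (assumed directory names) are assumptions. It reads rule 3 more strictly than the text: a folder that other users can write to is reported even when every application in it is read-only, because write access to the folder is enough to add an application or rename a replacement over an existing one.

```python
"""Audit a shared volume against the three exposure-reduction rules above.

Added example, not part of the original VIRUS-L thread and not an AppleShare
or TOPS tool: POSIX permission bits stand in for server access privileges,
and the executable suffixes and system-folder names below are assumptions.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com", ".app", ".bin"}      # assumed for the demo
SYSTEM_DIR_NAMES = {"system folder", "system"}        # assumed for the demo
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH             # writable by someone other than the owner


def is_executable(path: Path, mode: int) -> bool:
    """Any exec bit set, or a suffix from the assumed list."""
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)) or path.suffix.lower() in EXEC_SUFFIXES


def audit_share(root) -> list[tuple[str, str]]:
    """Return sorted (rule, relative path) findings.

    system-folder-shared           rule 1: a system folder is reachable through the share
    writable-executable            rule 2: an executable can be overwritten by other users
    writable-dir-with-executables  rule 3: others can add or replace executables in a
                                   directory, even if the existing ones are read-only
    """
    root = Path(root)
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        d = Path(dirpath)
        rel_dir = str(d.relative_to(root))
        if d != root and d.name.lower() in SYSTEM_DIR_NAMES:
            findings.append(("system-folder-shared", rel_dir))
        holds_executable = False
        for name in filenames:
            p = d / name
            mode = p.lstat().st_mode
            if not stat.S_ISREG(mode):
                continue                                    # skip symlinks, devices etc.
            if is_executable(p, mode):
                holds_executable = True
                if mode & OTHER_WRITE:
                    findings.append(("writable-executable", str(p.relative_to(root))))
        if holds_executable and d.lstat().st_mode & OTHER_WRITE:
            findings.append(("writable-dir-with-executables", rel_dir))
    return sorted(findings)


def build_sample_share() -> str:
    """Constructed sample layout (not real data) in a temp dir; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    layout = [  # (relative path, mode, content or None for a directory)
        ("Apps", 0o755, None),
        ("Apps/Writer.app", 0o755, b"#!/bin/sh\necho writer\n"),  # read-only executable: fine
        ("Apps/Oops.com", 0o777, b"MZ toy"),                       # rule 2 violation
        ("Drop", 0o777, None),                                     # rule 3 violation
        ("Drop/Tool.exe", 0o755, b"MZ toy"),
        ("System Folder", 0o755, None),                            # rule 1 violation
        ("System Folder/Finder", 0o755, b"finder"),
        ("Docs", 0o777, None),                                     # data only: fine
        ("Docs/report.txt", 0o666, b"quarterly report\n"),
    ]
    for rel, mode, content in layout:
        p = root / rel
        if content is None:
            p.mkdir()
        else:
            p.write_bytes(content)
        p.chmod(mode)
    return str(root)


def demo() -> list[tuple[str, str]]:
    """Build the sample share, audit it and clean up."""
    root = build_sample_share()
    try:
        return audit_share(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rule, path in demo():
        print(f"{rule:30} {path}")
```

Run against a real mount point with `audit_share("/path/to/share")`; the constructed layout in `build_sample_share` exists only so the script demonstrates one hit per rule and one clean data-only folder.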
=========================================================================
Date: Fri, 14 Oct 88 11:17:59 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: yee@AMES.ARC.NASA.GOV
Subject: Re: Ex-hackers (was "Re: NY Student")
In-Reply-To: Your message of Fri, 14 Oct 88 10:09:00 -0400. <8810141415.AA21283@ames.arc.nasa.gov>

Lawrence Livermore National Labs employs one ex-cracker in computer security. An article about him was published in the Oakland Tribune (10/11/88).

-Peter Yee
yee@ames.arc.nasa.gov
ames!yee

=========================================================================
Date: Fri, 14 Oct 88 14:23:23 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: SHERK@UMDD
Subject: Re: networks
In-Reply-To: Message received on Thu, 13 Oct 88 20:24:40 EDT

>
>>None of the Mac viruses now known can actively transfer across a network.
>>If you run a program on a server which is infected, that program can
>>infect your machine. However, if your machine is infected, it cannot
>>infect the server. The program MUST be run on the target system to
>>infect it. Clear? :-)
>
>That seems strange to me. It seems that in any system, if a file is
>writable, then a virus can write to it. Of course, if read-only
>status can be enforced, then infection of the file can be prevented.
>Thus, only if a server file is read-only, and NO code in the local
>machine can write to the server, is the above true. Any comments?
>
>| Leonard P. Levine e-mail len@evax.milw.wisc.edu |

There is an important difference between network drives and local drives. To use DOS as an example, when a program wants to write to a file it calls INT 21 with subfunction 40h (Write to file or device). DOS will then determine what type of device the file is on. If the device is a network drive, DOS will hand off the request to the network software.
But if the device is a local disk, DOS will call INT 26h (Absolute disk write) to write the data to disk. The (c) Brain virus called INT 26h directly, so it can't infect a network drive. This is the blessing/curse of machine dependent code!

Erik Sherk
Workstation Programmer, Computer Science Center
University of Maryland

=========================================================================
Date: Fri, 14 Oct 88 15:48:44 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Mark F. Haven"
Subject: Move discussion on virus writers

I suggest we move discussion on rewards and/or penalties and/or excommunication for virus writers to a more appropriate list, ETHICS-L, and reserve this list for matters of a more technical nature. ETHICS-L is moderated by Harry Williams (HARRY@MARIST) and is described as being to: "delineate and discuss the basic issues and hot areas in computer ethics. Topics include ownership of information, who is responsible for program failures, how much privacy is reasonable. Students are welcome to participate." The preceding was plagiarized in toto without permission from a listing on my desk from whence I know not where it came.

=========================================================================
Date: Fri, 14 Oct 88 14:04:00 MDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bernie
Subject: Re: Hackers as security consultants
In-Reply-To: Message of 14 Oct 88 08:45 MDT from "EAE114 at URIMVS"

I don't get it. How can showing an interest in things imply malice? Unfortunately I still believe people are not innately evil. If computer science has this Calvinistic attitude for long, we'll never see innovation or advance again.
=========================================================================
Date: Fri, 14 Oct 88 15:37:29 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: networks
In-Reply-To: Message from "VIRUS-L@LEHIIBM1.BitNet" of Oct 14, 88 at 2:23 pm

>>Thus, only if a server file is read-only, and NO code in the local
>>machine can write to the server, is the above true.
>Any comments?
>
>There is an important difference between network drives and local
>drives. To use DOS as an example, when a program wants to write to
>a file it calls INT 21 with subfunction 40h (Write to file or device).
>DOS will then determine what type of device the file is on. If the
>device is a network drive, DOS will hand off the request to the network
>software. But if the device is a local disk, DOS will call INT 26h
>(Absolute disk write) to write the data to disk.
> The (c) Brain virus called INT 26h directly, so it can't infect
>a network drive. This is the blessing/curse of machine dependent code!
>
>Erik Sherk
>

Interesting; however, the virus can call the same routines that the DOS server does. Thus, only if the server file is read-only AT THAT END can you be sure that a virus cannot infect the server. If code at the user end can write to the server, in any way, then a virus code can do the same. Read-only files, protected at the server end where the virus is assumed not to reside, are protected.

(As an aside, we have moved the discussion from MAC to DOS here; we also are discussing what a virus can do, not what known viruses actually do. I for one am discussing potential and not existing threats.)

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science Office (414) 229-5170 |
| University of Wisconsin-Milwaukee Home (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.
Modem (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=========================================================================
Date: Fri, 14 Oct 88 16:55:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Gordon Meyer
Subject: employing ex-hackers

To answer DC's question about ex-hackers working for large corporations or the government: yes, I have evidence and can confirm that statement for you. However, the ones that I am aware of work as informants, not as "regular" employees. They continue to be active in the hacker's world, but they in turn supply information to the gov't or large corporations.

On other matters, it has been interesting to read the various "harsh punishments result in halted activity" arguments. This too seems to be a popular notion but is on shaky theoretical and empirical grounds. But then I'm a criminology graduate student so I guess I'm "into" such things. :-)

Cheers!
-=->G<-=-

Another file downloaded from: The NIRVANAnet(tm) Seven & the Temple of the Screaming Electron
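The access-path distinction argued in the Sherk and Levine messages above (a file-level write that DOS dispatches by device and may hand to network software, an absolute disk write that only ever reaches a local device, and a read-only flag that protects only when enforced at the server end), as an added Python model that is not part of the digest; the Server and DosClient classes, the drive letters and the INT 21h/INT 26h analogues are constructed stand-ins, not real DOS calls.

```python
# Constructed model of the access paths discussed above, not real DOS code.
class Server:
    """File server: shared files plus read-only flags enforced on this side."""
    def __init__(self, files, read_only=()):
        self.files = dict(files)
        self.read_only = set(read_only)

    def write(self, name, data):
        if name in self.read_only:
            return False        # nothing running on the client can clear this
        self.files[name] = data
        return True

class DosClient:
    """A DOS machine: C: is a local disk, F: is redirected to the server."""
    def __init__(self, server):
        self.server = server
        self.files = {}         # local files, name -> data
        self.read_only = set()  # local attribute bits, stored on this machine
        self.sectors = {}       # block-level view of the local disk

    def int21_write(self, path, data):
        """INT 21h/40h analogue: DOS decides which device holds the file."""
        drive, name = path[0], path[3:]            # "F:\NAME" -> "F", "NAME"
        if drive == "F":
            return self.server.write(name, data)   # handed to network software
        if name in self.read_only:
            return False
        self.files[name] = data
        return True

    def int26_write(self, drive, sector, data):
        """INT 26h analogue: absolute disk write, local devices only."""
        if drive != "C":
            return False        # there is no block-level path to a network drive
        self.sectors[sector] = data
        return True

    def clear_attribute(self, name):
        self.read_only.discard(name)  # local attributes live where the writer runs

def block_level_writer(client, drive):
    """Brain-style: talks to INT 26h only, so a network drive is unreachable."""
    return client.int26_write(drive, 0, b"modified boot sector")

def file_level_writer(client, path):
    """Goes through the file API like any application, so it reaches F:."""
    return client.int21_write(path, b"modified file")
```

The model shows why Levine's condition is the only one that holds: a client-side attribute can be undone by client-side code, whereas the server's own flag is outside the client's reach.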