=========================================================================
Date:         Mon, 7 Nov 88 17:29:54 CST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Mark S. Zinzow"
In-Reply-To:  Message of Mon, 7 Nov 88 16:24:45 EST from

>
>As for the question about the Computer Virus Association, I myself
>am trying to find out more about it.  It seems to be an association
>for developers of anti-viral software.  From what I saw this
>morning, John McAfee is considered as one of its spokespeople.

I'm not sure about the Computer Virus Association, but John McAfee is a
sysop of the National BBS Society Homebase BBS.  He also works for
Interpath Corporation which sells anti-virus software.  The bbs number
(408-988-4004) was mentioned in an early article posted to virus-l
entitled Anti-Virus Measures.  I called when we were hit with brain
here, and Mr. McAfee was gracious enough to break in to chat while I was
leaving a note to the sysop about our problem at log off.  There also
seems to be another organization involved, the Interactive
Communications Users Guild which I think is a SIG of the National BBS
Society.  He has since been most helpful in dealing with our infection.

P.S. The article is available here via anonymous ftp from
uxe.cso.uiuc.edu (128.174.5.54) in pc/virus/virdoc2.txt as well as from
the Homebase BBS.

-------Electronic Mail----------------------------U.S. Mail--------------------
ARPA: markz@vmd.cso.uiuc.edu         Mark S. Zinzow, Research Programmer
BITNET: MARKZ@UIUCVMD.BITNET         University of Illinois at Urbana-Champaign
CSNET: markz%uiucvmd@uiuc.csnet      Computing Services Office
"Oh drat these computers, they are   150 Digital Computer Laboratory
 so naughty and complex I could      1304 West Springfield Ave.
 just pinch them!"  Marvin Martian   Urbana, IL 61801-2987
USENET/uucp: {ihnp4,convex,pur-ee,cmcl2,seismo}!uiucdcs!uiucuxc!uiucuxe!zinzow
(Phone: (217) 244-1289  Office: CSOB 110)  ihnp4!pyrchi/ \markz%uiucvmd
=========================================================================
Date:         Mon, 7 Nov 88 16:23:00 MST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         LYPOWY@UNCAMULT
Subject:      Re: About the virus notices
In-Reply-To:  Message of 6 Nov 88 14:42 MST from "Savior faire is everywhere!"

    Date:  6 November 1988 14:42 mst
    From:  Savior faire is everywhere!
    Subject:  About the virus notices

    Can we get a little organized around here?  I have just received two
    messages containing the same article from RISK.  This is the second
    or third time this happened.  We should just designate one person to
    forward all messages from RISK concerning the virus.

    -Santanu Sircar-

I must apologize, my message APPEARED later than the rest (at least it
did to me), but I sent it on Wednesday or so.  I guess the delay in
getting messages from here in Canada down to Bethlehem (Lehigh really)
is greater than from other areas.  As far as Risks submissions go, I (as
many of you are I am sure) am a subscriber to the Risks Digest List, and
I would be willing to take on the responsibility of posting anything
from Risks that I feel in some way relates to Virus-L.

Greg.

P.S. Risks Digests 7.69, 7.70, and 7.71 all cover the InterNet Virus in
some light.
=========================================================================
Date:         Mon, 7 Nov 88 23:05:00 MST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         LYPOWY@UNCAMULT
Subject:      Re: Please!
In-Reply-To:  Message of 7 Nov 88 07:16 MST from "Ben Chi"

    Date:  7 November 1988 07:16 mst
    From:  Ben Chi
    Subject:  Please!

    What's all this about virii?  "Virii" is the plural of "virius."  If
    you mean more than one virus, try "viruses" or, if you must, "viri."
    On the other hand, we could let

         virii  = 2 viruses
         viriii = 3 viruses
         viriv  = 4 viruses
         virv   = 5 viruses
         etc.

(Please understand that I don't mean this to be a flame)

The only proper plural form of the word virus is viruses.  Virus is NOT
a Latin word, and hence should not be declined like one.  (In fact viri
can be any one of the Genitive singular, Nominative plural, or Vocative
plural forms of the noun man (vir)).

Just so that we can avoid a major bagging session as has occurred on
USENET in the past. :-)

Greg.
=========================================================================
Date:         Tue, 8 Nov 88 08:58:00 MET
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         GERT LOKHORST
Subject:      VIRUS on ARPA net

Cliff,

A final report on the ARPAnet virus is of interest to us all.  Do not
mail the results of your inquiry to the respondents only.

Gert Lokhorst
                                          |\
                                          |*|
                                          |*|   _
BITnet  : LOKHORST@HWALHW50               |*|  /*\
DECnet  : LUWRVD::LOKHORST                |*|/* *|
PSI/X25 : (0204)18370060638::LOKHORST     |***/|*|  /\
Phone   : (+31)08370-83785                 \*/ |*| /*/
Agricultural University,                       |*|/*/
Wageningen,The Netherlands                     |***/
                                                \*/
=========================================================================
Date:         Mon, 7 Nov 88 11:44:52 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Christian J. Haller"
Subject:      Re: MILNET/ARPANET Virus
In-Reply-To:  Message of Sat, 5 Nov 88 16:12:00 MST from

> Greg Lypowy
>P.S. Chris Haller, what have things been like at Cornell (where this
>'virus' is purported to have emanated??
>
>P.P.S. To You All -- Is this a true virus or could we better define it
>as a
> worm??
---------------------
At Cornell things were much the same as elsewhere.  We were hit by the
worm about 1:30 AM Thursday.  From what I have heard, we were not the
first ones affected, but given the cleverness of the scheme of attack
that should be no surprise.
The author could have launched the worm manually into one or more
distant systems from here, and it would seem to have started there.
Overall, about 100 Cornell computers were affected, and some are still
cut off from our campus backbone net pending thorough cleanup.  At that
hour of the morning, the symptoms of periodic crashes and slowdowns went
mostly unnoticed.  Next morning, we read the NetNews that many sites
were under attack, discovered we were too, and immediately disconnected
Cornell from Internet and also disconnected all our subnets from one
another to isolate the worm from any vulnerable systems not yet invaded.
The Supercomputing Facility was back on line in about 30 minutes, once
we were sure it would not be affected, and other subnets came back one
by one during the day.  Our EE Dept. and the Theory Center (which is the
organization behind supercomputing here) got hold of the fixes for VAXen
from outside sources (UCB and MIT, right?), while the Laboratory for
Solid State Physics developed program fixes for Sun workstations, and
the Laboratory for Plasma Studies developed a local repair procedure for
Ultrix.By T with one another.

As for the perpetrator, he seems to be a modern Sorcerer's Apprentice.
It seems he intended no real harm, and I have heard more than one person
say he did us (not Cornell, but us computer users) a big favor by
showing so clearly that even a manager could understand it, that we are
far from protected against such encroachments.  We know no more about
his motives than we have read in the newspapers.  The NY Times and
Washington Post have had lengthy articles, and seem to have had access
to sources not yet available to Cornell or the Computer Science
Department.  (I.e., anonymous phone calls from his friends.)  He is a
nice person, we know from acquaintances: sings in the choir, for example.
I suppose the Cornell administration cannot possibly let him get away
without some kind of official punishment, but I for one don't think he
deserves a very severe one.  The cost of restitution alone would be
enormous if he had to reimburse people for some fraction of the time
they have spent cleaning up, not to mention discussing the matter!

-Chris Haller, Technical Services, Cornell University

DISCLAIMER (gee, first time I figured I needed one): these views are
mine, not official positions of Cornell U. or God or lawyers.
=========================================================================
Date:         Sun, 6 Nov 88 18:31:00 EDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Daniel M. Greenberg"
Subject:      Apranet Virus

Following is an article re-printed from the Rochester Democrat &
Chronicle State/Nation Section A pp.23-24, Sunday, November 6, 1988.

SINGLE PROGRAM ERROR MADE 'VIRUS' MULTIPLY
Big computer jam horrified creator

The New York Times and The Associated Press

Robert Tappan Morris Jr. spent many weeks painstakingly creating the
computer "virus" that beleaguered many of the nation's computer networks
Wednesday night and Thursday.

By all accounts the 23-year-old computer science student intended no
harm.  But in the end, working with great intensity and little sleep, he
made a single programming error that ultimately jammed more than 6,000
computers, including some at the University of Rochester.

That mistake also brought Morris' life crashing down around him, three
friends have told The New York Times.

He quickly recognized that things had gone terribly wrong and arranged
for a friend to send out instructions on eradicating the virus to the
computers plagued by it.  But the instructions were electronically
posted in a bulletin board where few would see them.

Then he turned himself in to his father, Robert T. Morris Sr., one of
the government's top experts on computer security.
The first-year Cornell University graduate student was not available for
comment yesterday.  But those who knew him as a student at Harvard,
where he earned his undergraduate degree in computer science, paint a
picture of a remarkably bright but private person.

Professors at Harvard and Cornell said Morris was not malicious,
stressing that the program could have been easily modified to destroy
data.

Morris' father, Robert Morris Sr., 56, worked for many years at AT&T's
Bell Labs in New Jersey.  He helped develop the Unix operating system,
which was the target of his son's virus.

Two years ago, the elder Morris left Bell Labs and went to work as the
chief scientist for the National Computer Security Center, the division
of the National Security Agency that focuses on computer security.

A student who is friends with Morris Jr. said that when he discovered
the flaw that would let him secretly enter Unix computers connected to
the Arpanet, a Department of Defense computer research network, he was
so excited that he literally jumped on the friend's desk.

This friend and others said Morris' original vision was to spread a tiny
program widely throughout the United States and internationally and have
it secretly take up residence in the memory of each computer it entered.

The program was supposed to slowly propagate, always hiding in the
background to escape detection.

However, because the young computer expert chose a single incorrect
number, and that number bore directly on the rate of replication, the
virus instead sped madly out of control creating dozens or even hundreds
of copies on each machine it entered rather than the one copy originally
planned.

Morris learned of his replication error through a monitoring mechanism
he had built into his program.
In trying to alert people to the virus after discovering his error,
Morris had a friend post detailed instructions on how to disable it, but
the electronic "bulletin board" he chose for posting was an obscure one,
the friend who posted it said.

Yesterday at Harvard, from which Morris graduated last spring, his
professors were shocked that he undertook the project.

"What surprises me about this is that it cuts across the grain of
Robert's personality," said Mark Friedell, the assistant professor of
computer science who was the young student's advisor for three years.
"He probably got scared and froze; he could have stopped it."

University officials also were unable to contact him, Lynn said.  His
parents obtained an attorney and was planning to meet shortly with U.S.
Justice Department officials.

Cornell officials said they began examining Morris' computer files
Friday night after The Times identified him.

Morris had passwords in his files "for some computers at Cornell and
Stanford to which he is not entitled," although those could have been
placed there by someone else, Lynn said.

A computer file dated Oct. 26 found in Cornell's system yesterday is the
earliest indication that Morris may have been writing the program that
spawned the virus, Lynn said.

The creator "apparently found a gaping hole in the system that I'm
amazed no one exploited before," Cornell instructor Dexter Kozen said.
While the loophole in the system was not evident before the virus was
unleashed, "in retrospect, it's really quite obvious."

Morris' father, Robert Morris Sr., a top government computer security
expert, refused to comment on whether his son concocted the virus.  But
he said the episode may prevent a serious security breach in the future.

"It's going to be remembered for a long time," said the elder Morris,
chief scientist at the National Computer Security Center in Bethesda,
Md.  "And I think we'll see a substantial improvement in the way
computers and networks are administered."
Morris also said he felt ambivalent about the incident.

"I'm close to this in two ways," he said.  "I myself am a computer user
but I'm also a father.  That makes it difficult to separate the two
roles, although, of course, they have to be separated."

Morris said he is convinced the virus was unleashed accidentally.

"It seems there was no malicious intent involved.  No harm was intended
or actually done in the host computers, other than overload, and that
appears to be a design error," he said.

-=-=-

That was the entire article.  I thought you might find it interesting.

Daniel M. Greenberg -=- Rochester Institute of Technology '92
US MAIL    : CPU #1026  25 Andrews Memorial Dr.  Rochester, NY 14623
BITNET     : DMG4449@RITVAX
INTERNET   : dmg4449%ritvax.bitnet@CORNELLC.CCS.CORNELL.EDU
UUCP       : {psuvax1,mcvax}!ritvax.bitnet!dmg4449
Compuserve : 71641,1311 | GEnie : D.GREENBERG2 | PHONE : [716] 475-4295
=========================================================================
Date:         Tue, 8 Nov 88 12:13:49 GMT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         ZDEE731@ELM.CC.KCL.AC.UK
Subject:      UK VIRUS

Apart from the PC virii, UK computers seem to be more secure to VIRII
due to good housekeeping and minor technical difficulties.
However this may also be due to the fact that British kids don't have
the same intelligence as American ones.
=========================================================================
Date:         Tue, 8 Nov 88 12:16:16 GMT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         ZDEE731@ELM.CC.KCL.AC.UK
Subject:      REDISTIBRUTION

From:   Virus Discussion List  8-NOV-1988 12:15
To:     ZDEE731
Subj:   RETRIBUTION OR REDISTRIBUTION EVEN

Received: from UKACRL by UK.AC.RL.IB (Mailer X1.25) with BSMTP id 5244; Tue, 08 Nov 88 12:11:48 GM
Received: by UKACRL (Mailer X1.25) id 6608; Tue, 08 Nov 88 12:11:45 GMT
Date:         Mon, 7 Nov 88 18:51:24 GMT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         ZDEE731@UK.AC.KCL.CC.ELM
Subject:      RETRIBUTION OR REDISTRIBUTION EVEN
To:           Bob Jolly

From:   Virus Discussion List  7-NOV-1988 18:39
To:     ZDEE731
Subj:

Received: from UKACRL by UK.AC.RL.IB (Mailer X1.25) with BSMTP id 5375; Mon, 07 Nov 88 18:18:58 GM
Received: by UKACRL (Mailer X1.25) id 6488; Mon, 07 Nov 88 18:18:56 GMT
Date:         Mon, 7 Nov 88 07:34:00 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "Joseph M. Beckman"
To:           Bob Jolly

[0666] (42 lines) Stoll.CCS 11/06/88 0806.7 est Sun bb
Subject: Re: Virus on the Arpanet

*** PLEASE DISTRIBUTE THIS NOTE WIDELY THANK YOU!
***REDISTRIBUTE THIS NOTE TO ANY PLACE YOU THINK BEST - THANX!***

COLLECTING ARPANET VIRUS STORIES

I'm collecting information about the Nov 3 Arpanet virus, trying to
determine:
   > How many sites were infected
   > How many were not
   > How quickly it spread

SO: If you were infected, please send me a note describing your
experiences.  Please include:
   > Where are you?  What type of computers? i
   > What times were stamped on the /usr/tmp/x files?
   > Which of your computers were infected?  All of them?

Please send your anecdotes & stories, such as:
   > What time did you discover it?
   > What tipped you off?
   > How did you and your colleagues respond?
   > What would you do differently?
   > Did you call anyone?  Or did anyone call you?
   > Where would you turn for information next time?
   > When did you finally eradicate it?
   > Any weird wrinkles or strange effects?

I'm interested in hearing from you even if you were not infected!

Please pass this message on to others: I would rather have multiple
responses from a site than none.

Thank you very much for your time & trouble.  In return, I'll mail
summaries to everyone that contributes.  If you'd like a copy, please
include your address.

Thank you very much for your time & troubles!

Cliff Stoll
Harvard/Smithsonian Center for Astrophysics       617/495-7147
60 Garden Street, Cambridge, MA 02138
lbl )
[Nov 5, '88]
---[0666]--- (pref = [0665], nref = [0667])
=========================================================================
Date:         Tue, 8 Nov 88 08:50:01 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Sean T Montgomery
Subject:      Re: nVIR virus
In-Reply-To:  Message of Mon, 7 Nov 88 16:07:53 PST from

In reply to Sam Cropsey's questions about nVIR: the strains of nVIR
which we've run into here have only infected the System, Finder and
application files on an infected Mac, no DA's in the sense that using
Font/DA Mover would spread the infection.  Someone correct me if I'm
wrong.

As far as getting rid of nVIR, it's a good deal easier to use the Init
known as KillVirus (available in various electronic places, including
MACSERVE on BITNET).  This Init installs a tiny nVIR resource with ID=10
in the System (this resource is NOT infectious).  The author of nVIR
included a back door in the program: if nVIR "sees" the nVIR ID=10
resource, it cleanly removes itself from the infected system or
application.  This should be easier than the explicit coding, etc.
suggested in the MacTutor article, though not as much fun! ;-)

Sean
=========================================================================
Date:         Tue, 8 Nov 88 10:02:51 -0500
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         bukys@CS.ROCHESTER.EDU
Subject:      Macintosh "worms" Application -- is this a virus?

I am not a Mac user, so please forgive any lapses in terminology.

A local Mac user tells me that he recently discovered a new application
on his disk, called "worms".  Running it pops up a little display with
worms crawling around on it.  He doesn't know where it came from.  He
claims that he does not share disks with people.  He is connected to an
AppleTalk network, which is connected to a FastPath.

Now, in light of the Internet Worm, he's feeling suspicious about this
Macintosh Worm of unknown origin.  Is it possible that it's a virus?
Has anyone else seen this application?
=========================================================================
Date:         Tue, 8 Nov 88 09:33:58 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Iris Tennenbaum
Subject:      SPELLING ( was Re: Please! )
In-Reply-To:  Message of Mon, 7 Nov 88 09:16:53 EST from

>What's all this about virii?  "Virii" is the plural of "virius."  If you
>mean more than one virus, try "viruses" or, if you must, "viri."

Viruses is the correct spelling.  And viricide or virucide is the
correct word for antidotes for viruses.

VIRICIDE - an agent that destroys or inactivates viruses
VIRUCIDE - spelling variation of viricide.
=========================================================================
Date:         Tue, 8 Nov 88 09:22:26 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Len Levine
Subject:      Re: About the virus notices
In-Reply-To:  Message from "VIRUS-L@LEHIIBM1.BitNet" of Nov 7, 88 at 4:23 pm

>I must apologize, my message APPEARED later than the rest (at least it
>did to me), but I sent it on Wednesday or so.  I guess the delay in
>getting messages from here in Canada down to Bethlehem (Lehigh really)
>is greater than from other areas.  As far as Risks submissions go, I (as
>many of you are I am sure) am a subscriber to the Risks Digest List, and
>I would be willing to take on the responsibility of posting anything
>from Risks that I feel in some way relates to Virus-L.

Big deal, so we saw several copies of the same message during an event
that was of significance to us.  I would rather see the several copies
than have to wait for the "official" copy that would be sent by one
person who might be busy or unavailable.

If we need organization let us join a political party, I prefer an
excess of information.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science        Office (414) 229-5170      |
| University of Wisconsin-Milwaukee  Home (414) 962-4719        |
| Milwaukee, WI 53201 U.S.A.         Modem (414) 962-6228       |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date:         Tue, 8 Nov 88 09:24:03 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Len Levine
Subject:      Re: Computer Virus Association
In-Reply-To:  Message from "Dimitri Vulis" of Nov 7, 88 at 5:59 pm

>
>
>MIS week, vol 9, no 35 (aug 29 this year) had a first-page feature blasting
>the Computer Virus Industry Association and its leader John McAfee.
>(the latter also runs the National Bulletin Board Society)
>There was also some negative stuff in PC WEEK.
>The article is pretty long; if there is sufficient interest, I'll key
>in a digest.
>By the way, this coming Friday I'm giving a talk in class about computer viri;
>are there any suggestions as to what I should say?
>-Dimitri
>

Love to attend, where are you?  Is it far from Milwaukee?

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science        Office (414) 229-5170      |
| University of Wisconsin-Milwaukee  Home (414) 962-4719        |
| Milwaukee, WI 53201 U.S.A.         Modem (414) 962-6228       |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date:         Tue, 8 Nov 88 09:17:54 CDT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Len Levine
Subject:      Re: MILNET/ARPANET Virus
In-Reply-To:  Message from "Christian J. Haller" of Nov 7, 88 at 11:44 am

>anonymous phone calls from his friends.)  He is a nice person, we know
>from acquaintances: sings in the choir, for example.  I suppose the
>Cornell administration cannot possibly let him get away without some
>kind of official punishment, but I for one don't think he deserves a
>very severe one.  The cost of restitution alone would be enormous if
>he had to reimburse people for some fraction of the time they have spent
>cleaning up, not to mention discussing the matter!
>

Of course he should pay the cost of fixing up the mess.  If a black kid
in the ghetto had painted up some walls, as a means of self expression
and to show us all how vulnerable we are, then he would be expected to
make restitution, why not this child of education and culture?

If he is an adult then he is responsible for what he does, if not then
we should put him somewhere where he cannot harm himself or others.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science        Office (414) 229-5170      |
| University of Wisconsin-Milwaukee  Home (414) 962-4719        |
| Milwaukee, WI 53201 U.S.A.         Modem (414) 962-6228       |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date:         Tue, 8 Nov 88 13:08:19 GMT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         ZDEE731@ELM.CC.KCL.AC.UK
Subject:      TEST
=========================================================================
Date:         Tue, 8 Nov 88 13:13:44 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         "David A. Bader"
Subject:      RE: TEST

Excuse me, but would it be too much to ask if you could take your
garbage elsewhere?  I am sure that most people do not want ascii
pictures sent to them through VIRUS-L

-David Bader
DAB3@LEHIGH
=========================================================================
Date:         Tue, 8 Nov 88 13:44:03 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Ken van Wyk
Subject:      RE: TEST
In-Reply-To:  Your message of Tue, 8 Nov 88 13:13:44 EST

> Excuse me, but would it be too much to ask if you could take your
> garbage elsewhere?  I am sure that most people do not want ascii
> pictures sent to them through VIRUS-L

The problem has been taken care of; the user was removed from the list
and asked not to return.  Please, let's not perpetuate this any further.

Thank you all for your cooperation in this.

Ken

Kenneth R. van Wyk                   Calvin: (hammer hammer hammer ...)
User Services Senior Consultant      Mom: Calvin, what are you DOING to the
Lehigh University Computing Center        coffee table?!
Internet:                            Calvin: Is this some sort of trick
BITNET:                                   question?
=========================================================================
Date:         Tue, 8 Nov 88 12:34:28 PLT
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Wim Bonner <27313853@WSUVM1>
Subject:      Re: About the virus notices
In-Reply-To:  Message of Mon, 7 Nov 88 16:23:00 MST from

Actually, Your supposition that if they can find who started the virus,
it is a frame job, has got to be incorrect.  Very few people have enough
control over their ego to keep something that hits the national news a
secret, let alone something that crashes the local system.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-= Lemmings never grow old, they just die. =-=-=-=-=-=-=
Wim Bonner  Bitnet:27313853@WSUVM1  Compuserve:72561,3135 (King-Rat)
The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d
=========================================================================
Date:         Tue, 8 Nov 88 17:04:44 EST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         Joe Sieczkowski
Subject:      Internet Worm

I've read the various accounts of the internet worm and there is one
thing I am having trouble with.  The worm took advantage of the fact
that when sendmail is put in debug mode a remote shell command could be
executed through it.  I thought that even if sendmail is compiled with
the debug option on, this was only possible if the local machine or user
on the local machine knew the remote machine's wizard password.

Although I haven't analyzed the complete source, a cursory look at the
source I have reveals the following lines: (Note: this is an older
version, but I presume it's still set up in the same way.)
----------------------------------------------------------------------
char *WizWord;          /* the wizard word to compare against*/

        if (strcmp(WizWord, crypt(p, seed)) == 0)
        {
                IsWiz = TRUE;
                message("200", "Please pass, oh mighty wizard");
        }
        else
                message("500", "You are no wizard!");
----------------------------------------------------------------------

As part of the sendmail configuration file (sendmail.cf), typically you
see the following line which is the encrypted password.

----------------------------------------------------------------------
# wizard's password
OW*
----------------------------------------------------------------------

Since no encryption yields "*", there should be nothing to worry about
in this case.  I have seen many config files that omit this or fail to
set it.  That could be a problem.

According to all accounts though, sendmail in debug mode was letting
anyone send a remote shell command.  So was there a problem in the
source, or was the problem lacking to set a wizard password when
debugging was enabled?

Joe
=========================================================================
Date:         Tue, 8 Nov 88 16:43:00 MST
Reply-To:     Virus Discussion List
Sender:       Virus Discussion List
From:         LYPOWY@UNCAMULT
Subject:      Oops! Virus is Latin

Hi Gang,

I must admit that I did not consult the Latin dictionary in my office
before writing that last message.  As David Chess astutely reminded me,
the word virus is in fact Latin.  It can mean either a slimy liquid or
poison (especially the poison that comes from snakes).  Read into these
definitions what you may.
A Somewhat red-faced Greg Lypowy
=========================================================================
Date: Tue, 8 Nov 88 20:01:02 ECT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken Hoover
Subject: ARPANET accountability

The article that went through here last night covering the discovery and exposure of the creator of the ARPANET virus seemed to gloss over, or simply miss, the fact that (according to its own text) this program was not something that turned into a virus and went out on its own at all. The article stated that the programmer's "original vision was to spread a tiny program widely... and have it take up residence in the memory of each computer it encountered" and was supposed to "slowly propagate, always hiding in the background to escape detection". That sure sounds like a virus to me.

What this student seemed to be so appalled at was that his program mutated on him (due to an apparent programming error) and changed from a virus to a "bacterium" (to use the term that's been being used around here) and was thus easily seen, but not until it had begun overloading computers nationwide. It seems that, as it was so aptly put, he was playing with fire and got burned.

However, on the question of whether to prosecute this person, the article put its head in the sand. The question is not of a program that, by a simple compiler error, went berserk and became a virus by sheer chance. This is an exposure of what was intended to be a virus in the first place, but was rendered VISIBLE by that programming error. We should consider ourselves fortunate that this error was made at all, and that no damage occurred (so far) to databases and stored files.

Would we prefer that a virus be created which would take advantage of this same (gaping) hole and use it to (for instance) clog networks by sending all of the files it can reach out the nearest link?
Or worse yet, to a specific destination computer, either for plagiaristic use or simple theft of information?

I say prosecute. Any others? (get your flamers ready)

- Kenneth J. Hoover
SUNY-Binghamton Sophomore, T.J. Watson School of Engineering
Binghamton, NY.
BG1838@BINGVMA
=========================================================================
Date: Tue, 8 Nov 88 20:24:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Dimitri Vulis
Subject: CVIA

I thought I'd key this in (took me almost an hour!) sorry for the typos.

PC WEEK, Aug. 1, 1988

Virus Association

You knew it had to happen. With software viruses making headlines everywhere, scads of companies have come up with antivirus programs. Now there are so many that they're forming a trade group.

The Computer Virus Industry Association (CVIA) has 10 members, all of whom sell products designed to wipe out viruses. They said joining the group lends their products extra credibility, because members' products have to pass a suite of tests to prove they work.

That's an important edge in a market whose products often get as much respect as weight-loss pills and baldness cures---and often are about as effective. ``It's an environment that's conducive to misinformation and fraud,'' said John McAfee, president of CVIA.

PC WEEK, Aug. 15, 1988 (letters)

To the Editor:

I'd like to comment on the Aug. 1 Monitor report entitled ``Virus association'' about the CVIA [Computer Virus Industry Association].

John McAfee, the self-appointed president of the group, sent out a press release announcing the organization of the association. The release claimed that CVIA members have 90 percent of the anti-virus software market.

We at WorldWide Data [manufacturer of vaccine 2.0/2.1] decided to see if CVIA could back up its claims with some solid facts. When I spoke to Mr. McAfee he could not substantiate his 90 percent market claim, nor the credibility of CVIA's members. In fact Mr.
McAfee promised to send out a second release to recant these claims by CVIA.

Interestingly enough, your article quotes Mr. McAfee as describing the anti-viral marketplace as being ``...conducive to misinformation and fraud.'' This makes us wonder if the CVIA might be a case of having the foxes guard the chicken coop!

While we like the idea of ``watchdog groups'' in general, we're not quite sure what CVIA is up to. As far as market share and product effectiveness are concerned, we think the good old methods suffice: namely, product reviews in the computer press and user references. We proudly stand behind ours.

As far as watchdog groups and associations are concerned, there are plenty of good ones around to keep anyone on their toes, particularly the Computer Security Institute and the NYPC Users Group (Jon David of the Security SIG is very active on the virus-protection issue), as well as other organizations of which we are members.

Ron Benvenisti
WorldWide Data Corp
New York, NY

MIS Week, Aug. 29, 1988 (top, first page)

VIRUS INDUSTRY LEADER ASSAILED

New York---An association set up to coordinate the activities of antiviral software makers is coming under fire because the intentions of its self-appointed chairman are being questioned.

John McAfee, who established the Computer Virus Industry Association (CVIA), heads another organization which has created the tests against which CVIA members' antiviral software is measured. One of the antiviral software packages tested is from McAfee's own company, and it mastered every viral test.

In addition, McAfee has refused to submit his antiviral software to testing anywhere else, except at three universities he has chosen, none of which has a reputation for expertise in viruses.

He has also been accused of using questionable techniques within the CVIA, using unscrupulous methods to attract members, and has been charged with promoting too much hype within the virus community.
``I would not call it a scam, but it sure as hell is one of the most unethical things I've witnessed,'' said Ross Greenberg, an independent consultant here.

McAfee established the CVIA, based in Santa Clara, Calif., to standardize marketing and sales terminology as well as to educate computer users about the issues surrounding viruses, he said. Ten companies that market and develop antiviral software, including McAfee's InterPath Corp., have joined CVIA.

In addition to being in charge of CVIA and Interpath, McAfee has also been running the National Bulletin Board Society (NBBS), where viruses are collected, studied and simulated to create and test antiviral software. The test of CVIA members' antiviral software was developed by NBBS using simulated viruses.

It came as no surprise, then, when McAfee announced that his antiviral software tested successfully against all 38 strains of simulated viruses from the NBBS, according to Raymond Glath, president of RG Software Systems Inc, Willow Grove, Pa. Glath said InterPath and NBBS have the same address in Santa Clara, which was never made obvious to software consumers.

``There seems to be a conflict of interest. They (InterPath) have a virus simulator, as well as antivirus software,'' said Kenneth van Wyk, user consultant, Lehigh University computing center, Bethlehem, Pa. ``It can be tailored so their program comes out smelling like daisies. It is a valid conclusion---it ought to be developed by an independent source.''

...............

Many professionals in the virus field said an organization composed of antiviral software manufacturers should not be setting the standards of the virus community. Michael S.
Riemer, FoundationWare's vice president of marketing, Cleveland, said, ``If you want to have a non-biased organization disseminating information on viruses, it should not necessarily be run by the people creating security products.''

Ron Benvenisti, product manager at WorldWide Data Corp., New York, said ``It might be that the fox is guarding the chicken coop. We don't believe in vendors starting watchdog groups.'' Benvenisti likened the situation to an automobile manufacturer's taking over the department of motor vehicles and then creating the national safety standards to be imposed on cars.

................

McAfee announced that Adelphi University, Pace University and Sarah Lawrence College were selected to perform, jointly, product testing and evaluation of antiviral measures marketed by association members.

In addition, John Cordani, assistant professor of management science at Adelphi University in Garden City, will act as chairman of the evaluation program and as liaison between CVIA and the testing labs. ``Precise arrangements have yet to be worked out,'' Cordani said.

McAfee said InterPath will continue to do initial, informal testing before the software is sent out to the universities. ``Everybody has to test using something. You have to test your software.''

``We are taking the hands-off approach,'' he said. ``We are not testing our own products. We never had any intention to test our own products. We have tried to make this as completely impartial as possible. I don't know how to make it any more impartial,'' McAfee said.

This did not satisfy other members of the antiviral community. Harold Joseph Highland, editor of ``Computers & Security,'' Elmont, NY, said ``These are not the major computing institutions in the area. Whether they have any people that know anything about viruses, I do not know. Most schools do not have experienced virus researchers.''

Similarly, Jon R.
David, Systems R & D Inc, Fort Lee, NJ, said there are several very capable schools in the New York metropolitan area that are more attuned to viruses than those selected. And although the specific people chosen to work on the testing may be accomplished in their field, these people are not in the computer science division or the math division but they are in business administration, David said.

In addition, he said, the announcement of the universities made little difference because the universities are testing CVIA's antiviral software with NBBS's simulator. ``When it's your simulator, you know with 100 percent certainty what you were going to be tested against.'' He likened this to a game of Trivial Pursuit in which you have peeked at the answers.

``It's his (McAfee's) simulator. Conceptually it (using universities) makes it more valid. But you are not letting the industry agency run tests. The agency does not have the ability to design valid tests. You are giving them the testing tool. The results you know ahead of time. It does not seem to be any more valid,'' David said.

McAfee said it was because CVIA was adamant about putting all of the software through testing that many vendors refused to join the organization. ``A number of people selling antiviral products chose not to be members of the organization. It's the testing of the product that scared many away.'' He said there were vendors who planned on becoming members until they were told their products would have to be submitted for testing first, and then they had a change of mind.

Although McAfee said others were afraid to expose their products for testing, David said McAfee refused to offer his software for testing. David is assisting an international study of antiviral software associated with Highland and his publication ``Computers & Security.'' When David called on McAfee to submit his antiviral software for testing, McAfee refused.

``It strikes me as being rather odd.
He says (his antiviral software) tests fine with a simulator, but he refuses to have it tested in a real-world environment,'' David said. ``If I were in his position, I would much rather go on luster than performance.

``Other members of his group (CVIA) are actively cooperating. Other members seem not to find a real-world test abhorrent,'' David said. ``You can't play games like that. Give me one valid reason for him refusing to send a copy of his software to test. Everybody else is anxious to send their own.''

Several members of CVIA have forwarded their software for testing, David said, and a couple of those members indicated they were interested in disassociating themselves from the organization.

When questioned about why they chose not to join CVIA, certain members of the antiviral community gave reasons that had nothing to do with having their products tested. Some said they did not like the way McAfee was operating CVIA.

``McAfee is distributing viruses by disk and bulletin board, which is a practice which is certainly questionable. The harm (is) letting the little buggers out. If I was selling a bulletproof vest, I would offer to test it in a controlled environment, but I'd be damned to send live ammunition and loaded machine guns through the mail. A virus is a potentially dangerous thing. You want this on a bulletin board? In the mail?'' David said.

Pamela Kane, president of Panda Systems, Wilmington, Del., said ``John's (McAfee) timing was unfortunate and his motives very questionable. Most major developers and industry experts were involved with the PC Expo in New York at the time his plan was hatched. We were told the press release would be scheduled (for release) the following day and our decision to participate had to be made immediately.
``In the absence of any information other than the text of the press release, the lack of organizational planning and John's self-appointed chairmanship, none of us were able to make a business decision to participate.''

``Interestingly,'' Kane added, ``there was an opportunity for all of us to meet in Boston within the next ten days---to meet among ourselves and to appear before the Boston Computer Society as a concerned group of professionals. John refused to meet with us.''

Several antiviral vendors refused to participate in the organization because they said McAfee had put names on the membership lists before vendors agreed, as a means of enticing others to join. ``He played the same game with all of us,'' Greenberg said.

While Glath, Greenberg and Riemer all said this same technique was used with them as a means of having others join the organization, McAfee denied he lured members in this way.

Glath said, for example, that McAfee had told at least one vendor that RG Software Systems was a member of CVIA, although Glath never agreed to join. ``Since it (CVIA) is headed by a guy who is throwing most of the hype out, we said no (to joining McAfee's organization).''

Part of the hype that Glath referred to is InterPath's Winnebago that travels from infected site to infected site in the Silicon Valley region of California, ``collecting virus residue,'' McAfee explained. A 27-foot motor home equipped with special purpose hardware for isolating viruses, the ``virus bug buster'' loads up with tools and software and drives out to the infected site. A visit from the ``mobile lab'' is free.
=========================================================================
Date: Tue, 8 Nov 88 10:57:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim Shaffer
Subject: RE: Macintosh "worms" Application -- is this a virus?

>I am not a Mac user, so please forgive any lapses in terminology.
>A local Mac user tells me that he recently discovered a new application
>on his disk, called "worms". Running it pops up a little display with
>worms crawling around on it.

I don't know about "worms", but I've seen (perfectly harmless) programs for the Mac called "measles" and "crabs," which produce similar screen displays. How the program got onto a disk which he says he's never shared with anyone is another story, though.

If this *IS* a virus of some sort, particularly a (ugh!) network virus, please let me know. For the time being, I'm not going to post this to Info-Mac because it doesn't sound suspicious and I don't want to generate pan-network junk mail. But I'll cross-post it if any more evidence turns up.

Jim
=========================================================================
Date: Tue, 8 Nov 88 09:16:18 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Peter Murray
Subject: Re: Please!
In-Reply-To: Message of Mon, 7 Nov 88 23:05:00 MST from

>> What's all this about virii? "Virii" is the plural of "virius." If you
>> mean more than one virus, try "viruses" or, if you must, "viri."
>>
>> On the other hand, we could let
>>
>>     virii = 2 viruses
>>     viriii = 3 viruses
>>     viriv = 4 viruses
>>     virv = 5 viruses
>>     etc.
>>
>
>The only proper plural form of the word virus is viruses. Virus is NOT
>a Latin word, and hence should not be declined like one. (In fact viri
>can be any one of the Genitive singular, Nominative plural, or Vocative
>plural forms of the noun man (vir)).
>
>Just so that we can avoid a major bagging session as has occurred on
>USENET in the past. :-)
>

I thought it was very humorous: putting the roman numerals on the end as suffixes. Was it intended this way? A little comedy break every now and then lightens the serious mood of this discussion.

]] Peter E.
Murray [[ Miami University Oxford, Ohio
=========================================================================
Date: Wed, 9 Nov 88 00:18:06 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: safox@TRILLIUM.UWATERLOO.CA

UNSUB VIRUS-L Sandy Fox
=========================================================================
Date: Wed, 9 Nov 88 09:01:44 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Prof Arthur I. Larky"
Subject: Virus class

>From: Dimitri Vulis
>MIS week, vol 9, no 35 (aug 29 this year) had a first-page feature blasting
>the Computer Virus Industry Association and its leader John McAfee.
>(the latter also runs the National Bulletin Board Society)
>There was also some negative stuff in PC WEEK.
>The article is pretty long; if there is sufficient interest, I'll key
>in a digest.
>By the way, this coming Friday I'm giving a talk in class about computer viri;
>are there any suggestions as to what I should say?
>-Dimitri

I suggest a good dose of ethics and why virii are dangerous. Last week's episode was a good example of how even a 'benign' virus (worm, actually) can cause major harm because the writer didn't anticipate its effect on other computers. The corollary to TINSTAAFL is: There Is No Such Thing As A Safe Virus.

Art Larky, Lehigh University
Computer Science & Electrical Engineering Dept
=========================================================================
Date: Wed, 9 Nov 88 11:16:26 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Administrative announcement.

Dear Readers:

In an effort to improve the quality of VIRUS-L, I've decided to start digestifying VIRUS-L. Please note that it is not my intention to censor submissions, merely to weed out irrelevant ones (e.g., one-liners like "SIGNOFF VIRUS-L", ASCII pictures like the ones we all read recently, identical submissions). Also, rest assured that VIRUS-L will continue to be distributed in a timely manner.
Urgent messages (virus warnings, etc.) will be distributed as soon as possible, and separately from actual digests, which will go out once a day, if any incoming mail exists.

I hope that in doing this, the quality of VIRUS-L will continue to improve. Note that GNU EMACS (rmail) users can undigestify individual digests with an "M-X undigestify" command while reading their mail.

As always, I invite your comments and suggestions. This should be the last non-digestified message (other than any future urgent announcements) to go out.

Regards,

Ken

Kenneth R. van Wyk                   Calvin: (hammer hammer hammer ...)
User Services Senior Consultant      Mom: Calvin, what are you DOING to the
Lehigh University Computing Center        coffee table?!
Internet:                            Calvin: Is this some sort of trick
BITNET:                                      question?
=========================================================================
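Added example, not part of any message in this archive and not sendmail source: a check of the `OW` wizard-password line that Joe Sieczkowski's 8 Nov post asks about, separating the locked `OW*` case from the omitted or empty cases he flags as a possible problem, plus a fail-closed form of the quoted comparison. The function names, the constructed sample configurations, the 13-character traditional crypt(3) format test and the rule that the last `OW` line wins are assumptions of this sketch.

```c
/* Added example; not sendmail source. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

enum wiz_state { WIZ_MISSING, WIZ_EMPTY, WIZ_LOCKED, WIZ_HASH, WIZ_MALFORMED };

/* Traditional DES crypt(3) output is 13 characters from [./0-9A-Za-z],
 * so a stored value of "*" can never equal any crypt() result. */
static int is_des_crypt(const char *s, size_t n)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    size_t i;
    if (n != 13) return 0;
    for (i = 0; i < n; i++)
        if (s[i] == '\0' || strchr(set, s[i]) == NULL) return 0;
    return 1;
}

/* Classify the "OW" (wizard password) line of a sendmail.cf-style text.
 * Assumption: if several OW lines exist, the last one takes effect. */
enum wiz_state classify_wizword(const char *cf)
{
    enum wiz_state st = WIZ_MISSING;
    while (*cf) {
        const char *eol = strchr(cf, '\n');
        size_t len = eol ? (size_t)(eol - cf) : strlen(cf);
        if (len >= 2 && cf[0] == 'O' && cf[1] == 'W') {
            const char *v = cf + 2;
            size_t n = len - 2;
            while (n > 0 && (v[n-1] == ' ' || v[n-1] == '\t' || v[n-1] == '\r'))
                n--;                      /* ignore trailing whitespace */
            if (n == 0) st = WIZ_EMPTY;
            else if (n == 1 && v[0] == '*') st = WIZ_LOCKED;
            else if (is_des_crypt(v, n)) st = WIZ_HASH;
            else st = WIZ_MALFORMED;
        }
        cf += len;
        if (*cf == '\n') cf++;
    }
    return st;
}

/* Fail-closed form of the comparison quoted in the post. 'computed' stands
 * in for crypt(p, seed); anything but a well-formed stored hash is refused
 * before strcmp() is reached, including an unset (NULL) WizWord. */
int wizard_ok(const char *stored, const char *computed)
{
    if (stored == NULL || computed == NULL) return 0;
    if (!is_des_crypt(stored, strlen(stored))) return 0;
    return strcmp(stored, computed) == 0;
}

int main(void)
{
    /* Constructed sample configurations, not taken from a real system. */
    static const char *names[] =
        { "missing", "empty", "locked (*)", "hash", "malformed" };
    const char *samples[] = {
        "# wizard's password\nOW*\n",
        "OL9\nOT3d\n",
        "OW\n",
        "OWabJnggxhB/yJk\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %lu: %s\n", (unsigned long)i,
               names[classify_wizword(samples[i])]);
    return 0;
}
```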