VIRUS-L Digest Tuesday, 6 Dec 1988 Volume 1 : Issue 35
Today's Topics:
FSP; Hardcard problem (PC)
Re: Computer Virus Eradication Act of 1988
Did Morris write it all?
RE: media (virus) humor vs. disinformation
Christma Exec (IBM VM/CMS)
BINHEX 4.0 and Stuffit ... URGENT ...!!!
making amends
Internet report (ASCII version) avail. for anon. FTP
---------------------------------------------------------------------------
Date: Tue, 06 Dec 88 15:59:23 +0200
From: Y. Radai <RADAI1@HBUNOS>
Subject: FSP; Hardcard problem (PC)
Paul Coen asked for opinions on (1) FluShot+ 1.4 and (2) the inability
to access a hard card when booting from a DOS 2.11 floppy.
FLU_SHOT+
---------
I have been using FSP (FLU_SHOT+) 1.4 for several weeks. (Previously
I used Version 1.2.) The first experiment I tried was to infect an FSP-
protected computer with the Israeli virus. FSP prevented the virus from
installing itself in RAM and notified me of the attempt. It also warns
me of all attempts to format disks. In these two senses the program
seems to be quite effective.
When I tried to write-protect a file using the P option, I found that
it worked well against attempts to write directly to the file, but that
there was an easy way of getting around the write protection: create a
new file containing the desired information, delete or rename the ori-
ginal file, then rename the new file to the original name.
Similarly, the read-protection on a given file can be circumvented by
renaming the file.
The checksum feature is quite fast. However, it is basically insecure
since the checksum for any given file is the same for all users. Also,
the files which are to be checksummed must be specified individually by
the user since wildcard notation is not allowed with the C option.
Particularly annoying is the fact that instead of the program recording
the checksums automatically, the user is forced to enter each checksum
manually into the file containing the filenames, after first running
the program with dummy checksums in that file and writing down each
"correction" displayed by the program. Finally, there is no provision
for "static" checksumming, i.e. you can't ask for checksumming whenever
you feel like it (unless you use something like MARK/RELEASE to get rid
ofvery now and then, for no apparent reason, I get a mes-
sage from FSP saying "CMOS has been changed!". I reply "Y" and the
message usually goes away with no apparent ill effects. However, some-
times I can't get rid of the message (along with a non-stop buzzing
sound and inability to continue working) without re-booting.
By the way, although the documentation doesn't mention it, I found
that FSP didn't work properly when the value of FILES in the CONFIG.SYS
file was 10 or less (the default is 8).
A final point is that a program like FSP can be neutralized by a virus
or Trojan which looks for it in memory and temporarily diverts inter-
rupts hooked by the program until it has finished its dirty work.
Another way of circumventing such a program might be to issue commands
directly to the h.d. controller, provided it can be determined which
controller is being used.
Accessing hard disks when booting from diskettes
------------------------------------------------
sk whether a hard disk can
be made inaccessible even when booting from a DOS 3.xx diskette. The
answer is definitely yes, since it's a fact that PC-Lock does that.
And I'm fairly certain that the way it does it is by modifying the
partition table to make the DOS partition seem non-DOS even to 3.xx,
and correcting for this when booting from the hard disk by means of a
special device driver.
Y. Radai
Hebrew Univ. of Jerusalem
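
[Added example, not part of Y. Radai's message and not FluShot+ code: a keyed integrity baseline that addresses the checksum weaknesses listed above (identical checksums for every user, no wildcards, manual entry, no on-demand check) and flags the rename-based replacement. It assumes HMAC-SHA256 with a per-installation secret; the function names and sample file are constructed for illustration.]

```python
import glob, hashlib, hmac, os, tempfile

def keyed_digest(path, key):
    """HMAC-SHA256 of the file contents under a per-installation secret key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def record_baseline(patterns, key):
    """Expand wildcard patterns and record every digest automatically."""
    paths = sorted(p for pat in patterns for p in glob.glob(pat) if os.path.isfile(p))
    return {p: keyed_digest(p, key) for p in paths}

def verify(baseline, key):
    """On-demand check: return {path: 'missing' | 'modified'} for each mismatch."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif not hmac.compare_digest(keyed_digest(path, key), expected):
            findings[path] = "modified"
    return findings

def demo():
    """Constructed scenario: two installations, then the rename-based swap."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "COMMAND.COM")
        with open(target, "wb") as fh:
            fh.write(b"original contents (constructed sample)")
        pattern = os.path.join(glob.escape(d), "*.COM")
        key_a, key_b = os.urandom(32), os.urandom(32)  # one secret per installation
        base_a = record_baseline([pattern], key_a)
        base_b = record_baseline([pattern], key_b)
        differs = base_a[target] != base_b[target]  # same file, different recorded value
        clean = verify(base_a, key_a)               # nothing changed yet
        # The bypass described in the post: write a new file, rename it over the original.
        new = os.path.join(d, "NEW.TMP")
        with open(new, "wb") as fh:
            fh.write(b"replaced contents (constructed sample)")
        os.replace(new, target)
        after = verify(base_a, key_a)
        return differs, clean, after.get(target)

if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the key and the recorded digests, so both belong on media the monitored system cannot write to.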
------------------------------
Date: 6 December 1988, 09:42:26 EST
From: David M. Chess CHESS at YKTVMV
Subject: Re: Computer Virus Eradication Act of 1988
Interesting stuff! Nice that our legislators are thinking about it.
A few points:
- It really ought to be the "Trojan Horse Eradication Act", since
it covers the silly erase-all-files-and-print-"gotcha" programs
that infants write and post to BBSs under atuses.
- Would it cover the Internet worm? I'm not sure in what sense
the author of the worm program "provided" it "to others". Not
*human* others, anyway.
- Would it cover a virus that spread, but did no intentional
damage? For instance, the Mac virus that (was supposed to)
just put up a "message of peace" and then delete itself. Rumor
says that it did do some unintentional damage if run on the
wrong sort of system. This law, though, seems intended only
to cover actions analogous to vandalism, rather than those
analogous to unlawful entry.
DC
Watson Research
* No one but me has any idea that I'm posting this
------------------------------
Date: Tue, 06 Dec 88 10:57 EST
From: "Scott P Leslie" <[email protected]>
Subject: Did Morris write it all?
Hi,
This regards the possibility that Morris did not actually write
all (or even any) of the Internet worm. You can't really go by coding
style and content in s are hastily done and don't nearly show of your
programming ability. Also, Morris supposedly wasn't finished with
the worm program and was just testing it a bit. While the programming
style seems to indicate that other people should be investigated
to see if they helped create the program, its "style" doesn't really
mean much.
Also, other people could have worked on the project but not been
in on the "release" of the worm. What do the lawyers out there
say to their liability?