VIRUS-L Digest              Friday, 16 Jun 1989        Volume 2 : Issue 139

Today's Topics:
Virus threats to mainframes
Re: Forward of Virus Warning received from PCSUPT List
Network nasties or tough micro restrictions
RE: no viruses from software companies
Flushot+ query (PC)
Addendum to Previous Note re: WP virus (PC)
WordPerfect Virus (PC)
Wordperfect Virus and a Solution (PC)
Possible PC Virus?

---------------------------------------------------------------------------

Date:    Thu, 15 Jun 89 15:48 CDT
From:    Ken  De Cruyenaere <KDC%[email protected]>
Subject: Virus threats to mainframes

In tune with our moderator's interest in expanding the discussion on
viruses, here is some food for thought, from the June 1989 issue of
Canadian Datasystems:

 VIRUSES POSE INCREASING MENACE TO MAINFRAMES
Viruses represent a growing, unrecognized menace to large systems,
virus experts told a Canadian Information Processing (CIPS) security
seminar in Toronto recently.
Security consultant Peter Kingston of Kingston Goulborn & Assoc., Don
Mills, Ontario, said DP professionals badly underestimate their
exposure to viruses.  He said the threat is greater than most people
realized on mainframes.  Midrange systems were even more vulnerable.
Dr. Harold Highland, editor of computer security journals in the US
and UK and coordinator of an international study on virus filters,
said a lack of publicity did not mean mainframes had not yet been
attacked by viruses.  He said firms tend to cover up such breaches of
security, much as they do cases of embezzlement.  They don't want to
prosecute violators or make the incidents known.
 He had not officially heard of any viruses infiltrating mainframes,
he said.  But he had learned unofficially of viral assaults on
mainframes from vendors who sold security packages for large systems.
Awareness would remain low until some reporter dug out the facts and
revealed what has been happening.
 He said the extent of the threat was difficult to fathom because of
corporate secrecy and the fact many computer foulups mimic viral
intrusions.  A lot of suspected viruses turn out to be simply human
errors, he said.  For example, someone may try to run a communications
program on an incompatible operating system and blame the resulting
disruption on a virus.
 He indicated large systems could be infected more easily than was
commonly believed.  In particular, he said a glaring weakness existed
in Communications Monitoring System (CMS) version 4 for IBM's MVS
operating system where a dangerous virus could be introduced by simply
programming 16 lines of code.
 Networks are also highly vulnerable to infection, said Mr. Kingston.
He said LAN security depended a great deal on protecting file servers,
and monitoring gateways and passwords.  User and message
authentication was lacking at LAN front ends.  He said a lot more
encryption techniques and control of LAN administrators were needed to
forestall future trouble.
Dr. Highland demonstrated several different types of common PC
viruses.  One invaded spreadsheets and made incorrect adjustments to a
few figures in only one column of a worksheet every time the program
was activated.
For some software filters to work, users must indicate precisely what
files they want protected, he said.  Some filters take 4 to 6 hours to
install on each PC.  This could translate into substantial time and
expense for corporations with thousands of micros.
Dr. Highland said no foolproof measures existed for safeguarding
data.  He frequently advised people to go "to your church, synagogue,
mosque or whatever your place of worship and pray".

- ---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada
Bitnet: [email protected]               (204)474-8340

------------------------------

Date:    Thu, 15 Jun 89 12:51:52 PDT
From:    [email protected]
Subject: Re: Forward of Virus Warning received from PCSUPT List
Organization: University of California, Irvine

   RE: Word Perfect viruses

    Hi,

    The only time I have ever had a Word Perfect problem like that was
  when someone was running TUTOR.COM and did not have WP.EXE in the
  TUTOR subdirectory (WP Corp. instructs people to create a separate
  subdirectory for TUTOR).  By making a copy of WP.EXE to the TUTOR
  directory or by copying all the Tutor files into the WP directory,
  this error would no longer occur.

    Also, Word Perfect 5.0 had a series of bugs on its first release which
  I contacted the company about--we received two updates.  I wasn't into
  Word Perfect when version 4.2 came out but I wouldn't be surprised that
  the earlier releases had some bizarre bugs too.  Have you contacted the
  Word Perfect Corporation?

           Hope this helps,

                                     Robert J. Morey

------------------------------

Date:    16-JUN-1989 13:25:58 GMT
From:    [email protected]
Subject: Network nasties or tough micro restrictions

In VIRUS-L Digest V2 #137, 14 Jun 89, Kenneth van Wyk writes:

>The change has made me curious about the future of VIRUS-L/comp.virus.
>I will, as promised, continue to moderate, but where is the group
>heading?  At the SEI, my project is very Internet related.  I'd like
>to see some of the discussions here on VIRUS-L touch on network
>security issues.  I'd also like to see more discussions on
>non-microcomputers.  (This doesn't mean that we're abandoning micros
>by any means, merely that I'd like to see the group branch into other
>areas as well.)

       I agree with Ken that there should be more discussions on
network security issues. I joined the discussion list in November 88,
on the exact day when the RTM virus struck the internet community, and
most of the talk was about networks. Nowadays, it looks like the list
has gone to microcomputer-based viruses discussions...  We have had
few problems with these types of nasties in King's, simply because
restrictions on running software are followed carefully. I mean that
nobody is allowed to bring his/her own software and run it on the
machines. There is a strict registration scheme for use of PC's and
Macs, and whenever a machine is infected, it is possible to trace the
culprit (who often didn't even know that his floppy was infected) and
ban him from using the facilities.  Machines are checked for viruses
every morning using available checking programs, and any infection is
immediately dealt with. If anyone wants to run their own software
they must first submit it to the computer centre who will check it
carefully on a separate machine... etc. etc.
       This might sound rather strict to some people, and others
might think that it is a great waste of time, but it's a choice. As a
result, we haven't had *any* cases when all machines are infected,
loss of valuable information and so on.

       Coming back to network security, here is the question:
" Would another major disaster like the November 1988 Internet Worm be
possible now, more than 6 months later ? "

Feedback welcomed - Usual disclaimers apply...

O. Crepin-Leblond - Computer Systems & Electronics 2
Electrical & Electronics Engineering
King's College London, UK
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond                        |- If no-one can do it|
|JANET   :<[email protected]>                |  then do it yourself|
|BITNET  :<zdee699%elm.cc.kcl.ac.uk@ukacrl>         |- If you can't do it,|
|INTERNET:<zdee699%[email protected]>|then  P A N I C !!|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date:    16-JUN-1989 13:50:21 GMT
From:    [email protected]
Subject: RE: no viruses from software companies

In VIRUS-L Digest, Thursday, 8 Jun 1989, Volume 2 : Issue 132:
  [email protected] (Michael Odawa) writes:

> Let us set the record straight on this subject:

> No known software publisher has ever intentionally released a virus
> into circulation, nor is it likely that any would do so, as it would
> be contrary to their interests.  Viruses threaten the entire software
> industry and expose the releasing party to an enormous legal
> liability.

       Mr. Odawa might speak for U.S. software distributors, but
surely not for foreign publishers... however small they are.  The Alvi
brothers in Pakistan made a small software company, and included
viruses and bugs in their programs so as to get customers to pay them
when something was going wrong. It might be an isolated case, but then
Mr. Odawa cannot certify that "No known software publisher has ever
intentionally released a virus into circulation".

Feedback, Flames, etc. welcomed... to a certain extent...

O. Crepin-Leblond, Comp. Sys. & Electronics,
Electrical & Electronic Engineering,
King's College London, UK

Disclaimers etc. apply...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond                        |- If no-one can do it|
|JANET   :<[email protected]>                |  then do it yourself|
|BITNET  :<zdee699%elm.cc.kcl.ac.uk@ukacrl>         |- If you can't do it,|
|INTERNET:<zdee699%[email protected]>|then  P A N I C !!|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date:    Fri, 16 Jun 89 09:55 EST
From:    Paul <[email protected]>
Subject: Flushot+ query (PC)

Hi all:

       Does anybody know the company name that makes Flushot +  ???

Thanks

/paul

[Ed. FluShot+ was written by Ross Greenberg - he can be reached by
email at <[email protected]>.]

------------------------------

Date:    Fri, 16 Jun 89 09:37:00 PAC
Sender:  Virus Alert List <[email protected]>
From:    Bill Pyle <[email protected]>
Subject: Addendum to Previous Note re: WP virus (PC)

I forgot to add at the bottom that it is necessary to tell WordPerfect
5.0 through SETUP that the printer files are on the C-disk.

We put the .PRS files on the ramdisk to save room on our second diskette.

This method would probably work with WP 4.2, but I think the printer
file would have to be on the A-drive with your WordPerfect program.
The ramdisk could be made a bit smaller in that case.

------------------------------

Date:    Fri, 16 Jun 89 08:55:00 PAC
Sender:  Virus Alert List <[email protected]>
From:    Bill Pyle <[email protected]>
Subject: WordPerfect Virus (PC)

I noted Jenny Wirtschafter's comments about the WordPerfect virus and
in particular the comment that the WordPerfect disk must be used
without a write protect tab.  We run WordPerfect 5.0 in our labs
with write protect tabs.  In fact, we have converted to notchless
diskettes in our lab.  This was prompted by the presence of the
Alameda and Pakistan viruses on our campus.

The Method:
We use two diskettes to load WordPerfect.

The boot diskette has
    DOS
    AUTOEXEC.BAT
    CONFIG.SYS
    WP.EXE
    WP{WP}.SET
    All .PRS files to support our printers.
    RAMDISK.SYS for 5 1/4" diskettes or VDISK.SYS for 3 1/2"

The second diskette has
    WP.FIL
    WP.MRS
    WPSMALL.DRS
    KEYS.MRS (on 3 1/2")
    WPHELP files (on 3 1/2")
    .LEX file (on 3 1/2")

The CONFIG.SYS file has
    FILES=20
    BUFFERS=15
    DEVICE=RAMDISK.SYS 48 (for 5 1/4")
    DEVICE=VDISK.SYS 48 512 16 (for 3 1/2")

The AUTOEXEC.BAT file has
    COPY A:*.PRS C:
    COPY A:*.SET C:
    B:
    SET WP=/D-C
    A:WP
    A:
    CLS

The CONFIG.SYS DEVICE= statement creates a 48K ramdisk (C-drive).

The AUTOEXEC.BAT file statements copy the printer resource files (.PRS)
and the WP{WP}.SET file to the ramdisk.

The /D-C option on the WP command (specified in the SET command),
causes WordPerfect to look at the C-drive for the SET file and it
also uses the C-drive for the overflow files.  The SET file and the
overflow files are the only ones requiring write access.  This also
lets the user change the printer settings through PRINT or other
settings through SETUP, but it won't mess up the next user, since
the original version of the SET file will be copied out to the
ramdisk the next time WordPerfect is loaded.  This allows for
guaranteeing that WordPerfect will always look the same for each
user.  Actually, we block out the SETUP command by redefining the
keyboard in a STARTUP macro, but it really isn't necessary and we will
probably change that when we convert our whole lab to 3 1/2" drives.
At that point, we may start popping out the slide that allows the
user to control read/write access on 3 1/2" diskettes.  Not as
nice as notchless diskettes.

Bill Pyle
Manager, User Services
University of Idaho
Moscow, ID  83843
(208)  882-8872
BITNET:  BILLP@IDUI1

------------------------------

Date:    Fri, 16 Jun 89 14:32:00 EST
Sender:  Virus Alert List <[email protected]>
From:    Ron Kiener <[email protected]>
Subject: Wordperfect Virus and a Solution (PC)

I transmitted the original posting to friends at Tel Aviv University
who claim that the virus has been with them for 6 months or so. A
program was developed in Israel called UNVIRUS (freeware) which fixes
the problem.  I have yet to download and decode the UNVIRUS program,
but I will do so soon.  Since I use 5.0, I have not experienced this
problem, and I cannot test for the accuracy or reliability of the
program. I will be happy to post the UNVIRUS program in UUE format if
people want it.

Ronald Kiener                                      [email protected]
Trinity College

------------------------------

Date:    Fri, 16 Jun 1989 14:19 EDT
From:    David W. Loveless <[email protected]>
Subject: Possible PC Virus?

I've been asked to help with a possible virus PC infestation at
another institution, in our area. If this virus is confirmed, as far
as I know it would be the first PC virus found in our locale (London,
Ontario, CANADA). MAC viruses have hit our university at least once,
though.  Currently, this virus seems to be restricted to just one PC,
as far as we know, anyway.

The Symptoms:
   (1) When running Fastback-Plus to backup the 20 meg hard disk
       more than 100 floppies were needed

   (2) A second directory named CS was found on the hard disk. It had
       never knowingly been set up by the user. Its contents seemed
       to reference files referenced in other directories.

   (3) When this CS directory was removed - none of the files it
       had referenced could be accessed even though they were still
       in existing directories.


Some thoughts:

   (1) Some people have suggested that Norton Utilities might set up
       a second directory to protect the hard disk. The Norton Utilities
       are on the hard disk but the user doesn't think this feature
       (if it exists) was ever activated.

   (2) The makers of Fastback Plus were contacted and have said that
       their product does not create any "mirror-image-like" directory.

Some questions:

   (1) I'm aware of virus-protection software like FLU-SHOT+
       and CHECKUP for PCs. Is there any virus-detection and
       identification software for PCs? Something we could
       use to isolate, identify and remove the virus we are facing.

   (2) Has anyone seen a virus like this? If you have, what is it
       and how do you get rid of it?

   (3) Is there some other explanation for the symptoms? ie. - we
       don't really have a virus?

Thanks in advance for your help.

********************************* David W. Loveless
*  Today's Question...          * Technical Support Analyst
*                               * The University of Western Ontario
*  How do I know what virus I   * Computing and Communications Services
*  have? Is there a cure?       * Administrative Systems Support
*                               * Room #16, Stevenson-Lawson Building
********************************* London, Ontario
E-Mail:                           CANADA N6A 5B8
     [email protected]         PHONE: (519) 661-2111  EXT: 5993

------------------------------

End of VIRUS-L Digest
*********************