VIRUS-L Digest Friday, 10 Feb 1989 Volume 2 : Issue 44
Today's Topics:
Write protected disk (Mac + PC)
Virus detection
Virus Broadcast in Austria
Wide area network worms
---------------------------------------------------------------------------
Date: 10 Feb 89 17:31 +0100
From: Markus Mueller <muellerm%inf.ethz.ch@cernvax>
Subject: Write protected disk (Mac + PC)
Recently a virus (nVIR) has shown up on one of my disks for a
Macintosh although the floppy had been write protected at the time
the virus got onto it. Therefore I would like to know:
1. Can the write protection mechanism on a Mac be overridden by software
as is the case for an IBM PC (controller PD765)?
2. Are any viruses (nVIR or other) around that exploit this?
3. Same questions, but for IBM PC and clones (including those that use
the FE2100 floppy disk controller)
Thanks for your responses; I will post a summary.
Markus Mueller
Communication Systems Group
ETH Zurich
Switzerland
[email protected]
markus.mueller%[email protected]
------------------------------
Date: Fri, 10 Feb 89 10:46:21 PST
From: PJS%[email protected]
Subject: Virus detection
A little future speculation here... currently we seem to be fighting a
losing battle against virus detection and as viruses improve it's
unlikely that that will change. If we want the capability to download
shareware, etc, from bulletin boards, etc, then we must assume that we
cannot check the software for a virus with 100% success before running
it. In general, you can't know the output of a program given the
input without running it, except in special cases.
We can check for *known* viruses; but how long before shape-changing
and mutating viruses hit the scene that defeat all practical
recognition techniques?
Maybe the quarantine approach is better. Postulate a separate
computer for checking viruses on (perhaps some kind of virtual
machine). This computer runs a meta-program that automatically runs
new programs with as many different environments and inputs as
possible (teaching the meta-program how to use the new program is left
as an exercise to the reader). The system clock runs 1000 times
faster than normal to check for delayed-action viruses.
Comments, anyone?
Peter Scott ([email protected])
------------------------------
Date: Fri, 10 Feb 89 21:06:59 MEZ
From: Konrad Neuwirth <[email protected]>
Subject: Virus Broadcast in Austria
We had a "virus-special" on the news today, and I wanted to tell you
some "new things" I "learned" from that programme.
They showed a "virus" (nobody who talks about viri publicly does
understand the difference virus-worm-trojan) that ate all the . (full
stop) symbols from the screen with a face. I can't type the IBM-PC
Ascii's face here, but I am sure you all know what I mean. It looked
like:
blablabla. O (comment: approaching face).
Then, they showed one of the most harmful computer viri ever:
face.com. I am sure every user, especially those who read computer
magazines, will run to the virus-specialist immediately if they see
that program on their screen.
Then they said that because of a computer, you have to "re-install the
computer". Hmm, that is really new to me. I only re-installed the
software when I was bitten.
Now here is the most important thing about viri: why they were
invented. I quote (translated):
"We find the roots of that problem some years back. Hackers broke into
big computer systems via phone, outsmarted electronic barriers and
cracked the copy-protection of programs. The marketplace got flooded
by illegal copies and the salesmen couldn't sell their original ones.
Loss was millions high. During the years, copying has become more
difficult. The hackers' answer: if not cracking, at least disturbing.
That's why they invented viri."
Ain't that nice?
Another quote:"One way is via phone. A hacker dials into a net and
copies his virus into it. The other partner sees his screen
melting.." and they showed an Amiga screen melting.
They showed almost only Amiga screens with well known "gadgets" which
are by no way viri, but can be found on every better public domain
collection.
Yeah, they showed one interesting virus:
A> (typetypetype)
Oh no!
A> (typetypetype)
You again!
A> (typetypetype)
Go to hell!
That is a really nice virus, isn't it?
Has anyone ever seen a good programme about viri which only said true
things????????
btw: we have an Austrian virus already. It was written here in Vienna
and is known as the "falling letter" virus. When it is active, all
letters fall down to the last line. Has it been seen in the US already
or is it only in Europe? (I can't send it, as I don't have it).
-konrad
------------------------------
From: David.J.Ferbrache <[email protected]>
Date: Fri, 10 Feb 89 11:45:37 GMT
Subject: Wide area network worms
Re: the recent request for information on wide area network worms and
other infections.
The three major cases which jump to mind are:
1. The internet worm - for which the main reference must be Gene
Spafford's report "The Internet Worm Program: an analysis", which is
available from Purdue University, Technical report CSD-TR-823, No
1988.
2. The decnet worm - which affected the NASA SPAN/HEPNET network in
December 1988, which contained sufficient safeguards to ensure that it
did not cause the same crippling load problems evidenced by the
Internet worm. The best reference for this is the DDN Management
bulletin, No 50 23 Dec 1988, available from the SRI-NIC host using ftp
login=anonymous, password=guest. Pathname
DDN-NEWS:DDN-MGT-BULLETIN-50.TXT
3. The BITNET Christmas chain letter - the source of this chain letter
has now been published actually in the recently cited "Computer
Viruses- a high-tech disease" book. The source is on page 193. For
those who haven't yet found it, and on the basis that a number of
persons have already mentioned its existence, the citation is:
Computer viruses, a high-tech disease
R.Burger
Published by Abacus, 5370 52nd Street SE, Grand Rapids, MI 49508
ISBN 1-55755-043-3
Priced at Seventeen pound,45 pence in the UK
A passing comment must be that the book provides an in depth review of
the Vienna virus, plus a number of the viruses developed by the Chaos
Computer club. I suspect that the book will become a reference for
Hackers and Administrators alike within a very short time, and hence
all I can suggest is that administrators make very certain that their
systems are inoculated against the Vienna virus strain.
Unfortunately, with the publication of virus source it is certain that
we can expect a large number of variant strains to appear within a
very short time. The existing approach of signature recognition is
unlikely to be satisfactory. I believe that both the Italian and
Vienna viruses have now been published in source form, and hence the
degree of expertise required to re-engineer the virus by modifying the
manipulation task must be recognised as being comparatively small.
The modification of an existing virus to incorporate a long term delay
(such as 6 months or even a year) coupled with a totally destructive
manipulation task (such as a FAT, Boot sector scribble followed by a
complete format) is a fairly simple task. Such an action would convert
even a crude virus strain such as the Lehigh 1 virus into a
devastating strain. (Eg the comment by Ken that the modified version
of the Lehigh virus is now far more dangerous due to modification of
the delay in activation of its manipulation task).
Dave Ferbrache                 Personal mail to:
Dept of computer science       Internet <[email protected]>
Heriot-Watt University         Janet    <[email protected]>
79 Grassmarket                 UUCP     ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ          Tel      (UK) 031-225-6465 ext 553
------------------------------
End of VIRUS-L Digest
*********************