Subject: VIRUS-L Digest V3 #105
From: [email protected]
VIRUS-L Digest Friday, 1 Jun 1990 Volume 3 : Issue 105
Today's Topics:
getting a list of all LISTSERV groups
Mac virus alert vendor product (forwarded) (Mac)
Re: File transfer of software--A way to curb commercial infections?
Re: Military Viruses
write-protection viruses
Legal aid for hackers?
help against virus needed (PC)
Re: Does write-protection work? ...for Mac
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 31 May 90 13:30:52 -0500
From: "Mark R. Williamson" <[email protected]>
Subject: getting a list of all LISTSERV groups
On Thu, 31 May 90 13:52:08 EDT you said:
>VIRUS-L Digest Thursday, 31 May 1990 Volume 3 : Issue 104
..
>I don't know whether either a GRAMMAR-L or a LATIN-L exist. The
>LISTSERV@BITNIC would be a good source to check, however. Send mail
>to it stating "LIST", and it will send you a *big* list of lists.]
That's the _small_ list of lists handled directly by LISTSERV@BITNIC.
For the *BIG* list of lists handled by _all_ LISTSERVs, send the command
"LIST GLOBAL". It's >2000 lines long!
Just for your information.
Mark R. Williamson, Rice University, Houston, TX; [email protected]
------------------------- MARK@RICEVM1 on BITNET
------------------------------
Date: Thu, 31 May 90 14:22:40 -0700
From: [email protected] (Rollo D. Rogers)
Subject: Mac virus alert vendor product (forwarded) (Mac)
Original-From: [email protected] (Chuck Hoffman)
Original-Newsgroups: comp.sys.mac,comp.sys.mac.programmer
Original-Subject: ALERT about VIRUS in vendor-distributed product
Original-Date: 31 May 90 18:30:43 GMT
On May 25, I received the Diskworld diskette for May from Softdisk
Publishing in Shreveport, Louisiana. I run Virex 2.6 (among others) which
intercepted the mount of the diskette and gave me a warning that the
diskette has a known strain of the WDEF virus. Naturally, I chose the
"Eject" option of Virex, so the mount never was completed.
WDEF is simple, but difficult. Simple in that it lives in the
invisible desktop file of each disk or diskette. So it can be eliminated
by rebuilding the desktop file by holding down the command and option keys
during the mount (or during startup, for an internal hard disk or SCSI).
Difficult for the same reason. The gurus tell us that, if you are unaware
of the virus, by the time you see the diskette icon on your desktop
display, ALL the other disks (including internal and attached SCSI) will
already have been infected. I did a controlled experiment of my own a few
months ago, and found that this was true.
I called Softdisk Publishing to report my experience, and spoke with a
woman who said they already knew of the virus problem. She suggested that
I simply reinsert the disk while holding down the command and option keys
to rebuild the desktop file, but I asked her to send me a clean copy of
the diskette instead.
Lesson? "Doesn't matter if the box is snazzy. Use virus detectors to
protect your azzy."
-Chuck
- Chuck Hoffman, GTE Laboratories, Inc. [email protected]
Telephone (U.S.A.) 617-466-2131
GTE VoiceNet: 679-2131
GTE Telemail: C.HOFFMAN
------------------------------
Date: Thu, 31 May 90 11:32:14 -0500
From: [email protected] (Gary Heston)
Subject: Re: File transfer of software--A way to curb commercial infections?
[email protected] (Terry Ingoldsby) writes:
> I've always felt that networks are less likely to transmit viruses
> than floppy disks because it is more likely that the culprit will be
> caught. I grant that games can be played with the signatures, etc.,
> but chances are that some sort of log files are kept by the system
> administrators about what came in, and when. Although difficult, in a
> crisis there is at least some hope that the dissemination path used by
> the virus can be discovered. Although not foolproof, this should act
> as somewhat of a deterrent to virus writers.
Due to a company policy (which I disagree with), I am not able to
discuss any infections which may or may not have occurred here.
Consequently, if I have any real examples, I can't cite them.
Networks can propagate a virus through several avenues, particularly if
the netadmin is inexperienced and hasn't quite got file protections
for network executables set correctly. If user Fred logs in to a
network, works a while, and runs an infected game during lunch without
rebooting (whether from a local hard drive or floppy), the virus will
try to infect the next program executed via the net. If user Barney,
who carefully logs off during lunch, logs back in and runs the infected
program, it will try to infect Barney's local drives as well (it should
have already gotten established on Fred's).
Now, we have a logfile that shows Fred, Barney, and 30 other users
ran this particular piece of software, at various times during the
day, and probably more than once. What points to the infection
source?
If there are any publicly writeable areas where users can put
executables, there is an even larger gaping hole an infection
can enter through. (Users like to have these types of areas.)
This can be controlled somewhat by the netadmin getting the
setup correct; however, this is a somewhat optimistic hope in
view of the complexity of network software and the limited
training new admins get (I'm trying to learn Novell right
now; the company decided nobody needs to go to seminars for
anything). It's difficult to track down a security hole when
the boss is asking hourly "Why isn't the network up yet?".
The possibility of installing infected shrink-wrap software
is also a big hazard now; people who thought they were safe
by prohibiting public domain or shareware aren't.
I think the biggest thing that can and must be done is
education. Admins need it, users need it, and managers need it.
Training users to check software before they run it, scan
their drive periodically, and recognize early signs of infection
is necessary. Training admins to check EVERY piece of software
prior to installation, no matter how many layers of plastic it
was (or wasn't) wrapped in, along with safe setups. Teaching
management that this really is necessary, not just a waste
of resources, and you really do need that many tapes for
backups. Etc.
> Floppy disks are almost untraceable since they carry *no* copy history,
> *no* history of what machines they visited and almost no means of
> identifying the offender.
True. However, the person holding it can explain why they were
running the software without checking it....
> Terry Ingoldsby
> [email protected]
> Land Information Services or
> The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb
Incidentally, the stated reason for the do-not-discuss policy was
to prevent stock price manipulation. I still disagree; I don't think
an infection report would affect a stock price more than a few cents,
if at all. I didn't win the argument, though.
--
Gary Heston { uunet!sci34hub!gary } System Mismanager
SCI Technology, Inc. OEM Products Department (i.e., computers)
"I think, therefore, !PANIC! illegal protected mode access attempt
Memory fault: core dumped
------------------------------
Date: Thu, 31 May 90 22:35:20 -0500
From: [email protected]
Subject: Re: Military Viruses
I posted Jim Vavrina's posting regarding the Military Virus
story (Virus-L Volume: 3 Issue: 93) to the RISKS forum (Volume
9 Number 92), where the matter was being discussed as well. In the
following issue of RISKS (Volume: 9 Number: 93) Rory J. O'Connor of
the San Jose Mercury News, the author of the article that started the
discussion, posted his response to Mr. Vavrina. That response,
excerpted from RISKS 9.93, follows:
------------------------------------------------------------------------
Reply-to: [email protected]
RISKS-LIST: RISKS-FORUM Digest Monday 21 May 1990 Volume 9 : Issue 93
------------------------------
Date: Sun, 20 May 90 14:25:39 PDT
From: [email protected] (Rory J. O'Connor)
Subject: Military Computer Virus Contract (RISKS-9.92)
I'm the reporter at the San Jose Mercury News who wrote the story on the Army's
SBIR proposal regarding computer viruses. I feel I must respond to the charge
made by Mr. Jim Vavrina of the Army Information Systems Software Center that I
mis-identified myself while researching the story. That assertion is false.
At all times, as is standard practice among professional journalists, I made it
clear to everyone I called or interviewed that I was a newspaper reporter
working on a story about this proposal. When I reached a woman named Joyce
Crisci at Ft. Monmouth, NJ, who identified herself as the project
administrator, I identified myself as a reporter. When she attempted to tell me
how to apply for the available funds, I felt she might have failed to
understand that, so I again told her I was a reporter working on a story for my
newspaper. She then answered most of my questions, but made it clear she would
not discuss any technical details nor provide me with the names of the
engineers who had written the project. The reason, she said, was that if such
information appeared in my story, it could prejudice the bidding process.
Indeed, at the conclusion of our interview, she verified the spelling of her
name and gave me her (rather complicated) mailing address and requested I send
her a copy of the article when it appeared in the newspaper.
I'm sorry Mr. Vavrina never called me to ask my side of the story about this
interview. If Mr. Vavrina thinks my story about the virus was in some way
factually incorrect, or did not fully describe the Army's project or reasoning,
I'd be happy to talk to him about it. I can be reached at (408) 920-5019, or at
MCI Mail mailbox 361-2192, or at the San Jose Mercury News, 750 Ridder Park
Drive, San Jose, CA 95190. Anyone else who would like to discuss this story,
or the topic of computer viruses in general, may also contact me there.
Rory J. O'Connor, Computing Editor, San Jose Mercury News
------------------------------
------------------------------
Date: Thu, 31 May 90 21:13:27 -0400
From: [email protected] (Simson L. Garfinkel)
Subject: write-protection viruses
Write protection on the Apple II computer is done in software; on this
machine a virus could overcome write-protection on a floppy disk.
I once used a program that "degaussed" a floppy disk in 15 seconds or
so on the Apple II, even if the floppy disk was write protected.
------------------------------
Date: Fri, 01 Jun 90 08:05:30 -0400
From: [email protected]
Subject: Legal aid for hackers?
I'm sending along the following from yesterday's Washington Post. I'd
like to know Cliff Stoll's (The Cuckoo's Egg) reaction!!
The Washington Post, Business Section, May 31, 1990
By Willie Schatz
Mitchell Kapor, inventor of Lotus 1-2-3, the world's most popular
financial software package, is considering backing a national effort to
defend computer hackers against prosecutions resulting from Operation Sun
Devil, a two-year Secret Service investigation of potential computer fraud.
Operation Sun Devil was disclosed early this month by the Secret
Service, which conducted 27 searches of suspected hackers' homes and
offices, confiscating 23,000 computer disks and 40 computer systems. There
have been three arrests thus far. The Secret Service said the hackers who
were the target of the probe are individuals who had gained unauthorized
access to company computer systems--including one at American Telephone &
Telegraph Co.--or had stolen and distributed software programs that
belonged to major corporations.
In an interview from the Cambridge, Mass., headquarters of his new
company, ON Technology, Inc., Kapor said he thinks the government probe is
misdirected. He said it is damaging technological innovation and
dissemination of information through the ubiquitous electronic message
networks called bulletin boards that are the hackers' prime method of
communication. Kapor intends to announce tomorrow whether he will pay for
all or part of the hackers' legal defense.
"It's plausible that there's a witch hunt going on," Kapor said. "I'm
concerned that hackers' civil liberties are being violated [by the Secret
Service]. I'm concerned these kids--which is mostly what hackers
are--aren't getting a fair shake in the legal system. They don't have
access to legal counsel that would let them adequately defend their
rights."
Sources said Kapor is reviewing a proposal he received yesterday from
two law firms that asks him to help finance a $200,000 hackers' legal
defense fund. Lawyers involved in the matter plan to provide much of their
legal work free. The proposal before Kapor also includes a program to
lobby Congress to change the computer fraud law and a public education
campaign about hackers.
"Sun Devil gives me a funny feeling in the pit of my stomach," Kapor
said. "There's an incongruence between the language of the Secret Service
and the acts and attitudes of hackers. I understand and know that
[hackers'] kind of mentality. You don't want to use an A-bomb to kill a
fly. There has to be an appropriate response and understanding of what's
at issue. I'm lacking confidence that that's there."
Earlier this month, Garry J. Jenkins, assistant director of the Secret
Service, said Operation Sun Devil revealed that an "alarming number of
young people" exploit computers through credit card fraud, unlawful
placement of free long-distance phone calls and other criminal activities.
In an interview, Dale Boll, an assistant special agent in charge of the
Secret Service's fraud division, defended the government probe.
"We have not declared war," Boll said. "Computer crime is a serious
offense, but we don't overreact. There's no tendency for overkill. We
were given these laws to enforce and we're doing the best we can. We
prefer to work more hardened criminals. The government didn't prosecute
hackers when they were juveniles. But now they're growing up and doing
more serious things."
The damage from the government's aggressive law enforcement efforts,
according to Kapor, is a "chilling effect" on the flow of information among
computer designers and programmers. Kapor contends that if the people
responsible for operating computer bulletin boards are held responsible for
information posted on their boards, hackers will stop using the boards.
"It's a gigantic social experiment in progress," Kapor said. If the
government "cuts it off at the knees by inappropriately ruling [that the
bulletin board operators are guilty of fraud], they're cutting off their
own future."
John Barlow, a dedicated hacker and a lyricist for The Grateful Dead
band, said he already is committed to financing the hackers' cause. "I'm
going to chip in to secure them legal counsel and so is Mitch," Barlow said
from his home in Pinedale, Wyo. "I'm sure the [Secret Service's] assault
is having an effect. It's turning mischievous kids into high-tech
criminals. These hackers are explorers, not criminals or vandals. They're
exploring a new information frontier. It's a reincarnation of what
happened with the settling of the Old West, only in the computer sphere."
Government officials have a different view. "Many computer hacker
suspects are no longer misguided teenagers mischievously playing games with
their computers in the bedroom," the Secret Service's Jenkins said. "...We
will continue to investigate aggressively those crimes which threaten to
disrupt our nation's business and government services."
------------------------------
Date: Fri, 01 Jun 90 17:45:17 +0700
From: GUNNAR RADONS <[email protected]>
Subject: help against virus needed (PC)
hi pple,
It looks as if we have been hit by a virus. As far as I could find out
from the people who reported the problems to me, the normal behaviour
seems to hinder programs from running properly. Programs that ran fine
before suddenly don't find subroutines or other things, but will run ok
after they've been restarted.
Also the virus once showed the contents of the disk directory as
subdirectories which repeated on and on. A later look did not show any
subdir. Also checking after rebooting didn't show any additional subdirs.
The same problems were reported from another institute here a few weeks
ago. It might be that the virus hooks itself into some free space of the
command.com, but this is a pure guess right now.
If this sounds familiar to you and if you know a way to find the virus
to cure the programs, please let me know.
Send your comments to s46 at dhdurz1 please.
==============
Bye, Gunnar Radons
------------------------------
Date: Fri, 01 Jun 90 17:58:48 +0000
From: [email protected] (Robert Minich)
Subject: Re: Does write-protection work? ...for Mac
[email protected] (Alberto Sulaiman Sade Junior) writes:
| SOME TIME AGO I READ THAT IT IS POSSIBLE FOR A VIRUS TO INFECT A DISKETTE
| PHYSICALLY PROTECTED. I KNOW IT IS AN OLD DISCUSSION BUT IS IT REALLY
| POSSIBLE ?
|
| [Ed. Yes, this discussion has come up a few times before. After much
| heated discussion, the consensus was that (on a PC), the write
| protection is implemented by hardware in the floppy disk drive
| (according to the IBM Tech. Ref. schematics). At least in the case of
| PCs, I urge us to consider this matter closed unless someone can come
| up with conclusive proof to the contrary (i.e., send me a piece of
| source code that proves it).]
Let me add that all Macintoshes implement write protection for
floppies through a hardware mechanism.
--
| _ /|    | Robert Minich                |
| \'o.O'  | Oklahoma State University    |
| =(___)= | [email protected]           |
|    U    | - Bill sez "Ackphtth"        |
------------------------------
End of VIRUS-L Digest [Volume 3 Issue 105]
******************************************