VIRUS-L Digest   Wednesday, 17 Jan 1990    Volume 3 : Issue 13

Today's Topics:

Re: Shrink wrap...still safe?
XENO virus infection---help!!(Amiga)
Another WDEF infection (Mac)
WDEF at Arizona State University (Mac)
Vienna Virus (PC)
Re: Shrink Wrap...still safe?
Re: Biological references requested
Re: Morris stands trial (Internet)
Bulgarian viruses (PC)
Re: virus scanning

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

---------------------------------------------------------------------------

Date:    Tue, 16 Jan 90 15:04:31 -0500
From:    [email protected] (David Gursky)
Subject: Re: Shrink wrap...still safe?

Several people in Virus-L V3 #12 suggested that were vendors to distribute
applications on write-locked media, the potential for vandalism by buying an
application, infecting it, and returning it, would be reduced.

While that statement is broad enough to be true, I would suggest that the
suggestion is far too easy for a vandal (and not even a very determined one
at that) to get around, where 3.5" media is concerned.

With 3.5" disks, a small hole can be covered by a moving tab, to indicate
to the disk drive whether the disk is locked or not.  Open is locked, closed
is writable.  If vendors disseminate applications on write-locked 3.5" media,
all a vandal needs to do is cover the hole with a small piece of electrical
tape.

5.25" media is more difficult to pull this stunt with.  The presence of a small
notch in the side of the flexible case means the disk is writable.  In order
for a vandal to infect an application shipped on 5.25" media, the vandal would
have to physically mar the case, which is a surer sign of tampering.

------------------------------

Date:    16 Jan 90 23:44:00 +0700
From:    "Okay, S J" <[email protected]>
Subject: XENO virus infection---help!!(Amiga)

Arrrrggghhhh...After years of vigilance and checking everything I put in
the machines I use, I've finally been hit and hit bad.
My A2000 has contracted a bad case of XENO in just about all the directories
on my HD, so I am seriously considering a low-level format of my HD(fortunately
I have been wise enough to do continual backups and offloading).
So, questions for those Amiga users out there who have had Xeno, or from those
who know more technical details about it:
1. How did you deal with it???---I've been running KV on all of the infected
  files, but it appears that KV only disables, and doesn't remove the XENO
  virus. If this is true, how dangerous is an immobilized XENO, compared to
  a live one???---This is the main reason I am considering calling in an
  airstrike to blast my filesystem, since I'm assuming it could come back
  again in the same files if I ever catch a live copy again....
2. What exactly are the general symptoms? All I know is that I found it in my
  CRONTAB file (which makes it a pretty stupid virus in my book...I basically
  have a disassembly of the little bugger tacked onto my CRONTAB entries),
  and somehow it got into my Cron daemon and it spread from there....
3. Any other helpful hints/comments/ideas you might have to offer....

Comments:
I know who I got it from and he checked his system and it was crawling all over
there too, so the source has been isolated.
The way I found it was through my Startup-Sequence failing numerous times
because "echo", "date" and "read" had had their filetypes changed from
executables to scripts and had to be replaced.
I'd also been getting an inordinate amount of Guru meditation #'s, specifically
#000000003 (CPU trap).
It wouldn't have spread so fast I don't think if it hadn't gotten into Cron,
which I make heavy use of....
It's easy for this one to sneak by, because until now, we Amigoids haven't had
to worry about anything except for Boot-infectors. Hence, there were no
readily available file-infectors to detect it until recently.

If what I've seen is any indication, I'd say it's a pretty stupid virus in
terms of propagation...like I said, I found it in my CronTab as well as a
few other script and non-executable files....

I figure if I don't hear back in a few days with contrary recommendations,
I'll just have my system "duck and cover" and drop a 20 megaton low-level
format bomb on the whole thing and be done with it.
- ----Steve
- -------------------
Stephen Okay
[email protected]     Technical Aide, The MITRE Corporation

------------------------------

Date:    Tue, 16 Jan 90 22:05:00 -0500
From:    "Scott P Leslie" <[email protected]>
Subject: Another WDEF infection (Mac)

Hello,
  The University of North Carolina at Chapel Hill has seen WDEF.
We now have Disinfectant 1.5 and GateKeeper Aid 1.??.
- -spl

------------------------------

Date:    Tue, 16 Jan 90 21:31:51 -0700
From:    Ben Goren <[email protected]>
Subject: WDEF at Arizona State University (Mac)

For those of you trying to track WDEF (although I'm sure it's spread
everywhere by now), I just yesterday discovered WDEF A on an SE/30 in
the School of Music at Arizona State University.  I successfully removed
it with VirusDetective (after remembering that you can't do this from the
Finder) and immediately prepared a disk with clean copies of the latest
versions (as of 1/15/90) of GateKeeper, GateKeeper Aid, VirusDetective,
and Disinfectant (FTP'd from Info-Mac at Stanford), along with a
TeachText file describing each briefly and urging the usual "lock disks,
backup files, and don't pirate software" philosophy.

I am sure that the student use sites are infected, although I haven't
had a chance to check them personally--I haven't heard or seen anything
on campus about it, so I plan to call the various system administrators
to make sure they know about it.

My thanks and compliments to the three authors.  All four programs are
comprehensive, fill their function thoroughly, and are easy to use.

All opinions, etc., are my own.

.......................................................................
    Ben Goren                                      T T T        /
        Trumpet Performance Major           )------+-+-+--====*0
        Arizona State University               ( --|-| |---)
        Bitnet:  AUBXG@ASUACAD                   --+-+-+--
.......................................................................

------------------------------

Date:    17 Jan 90 06:16:56 +0000
From:    [email protected] (Mark R. Slezak)
Subject: Vienna Virus (PC)

Just so others know about it; the Oregon State University Kerr Library Micro-
Computer Lab got hit with the Vienna virus. Once I figured out what it was it
was easy enough to get rid of it (using M-Vienna...)

Just thought those who track the viruses might like to know...
+-----------------------------------------------------------------------------+
Mark R. Slezak            {tektronix,hp-pcd}!orstcs!nyssa.CS.ORST.EDU!slezakm

------------------------------

Date:    16 Jan 90 15:42:54 +0000
From:    [email protected] (Mark Lord)
Subject: Re: Shrink Wrap...still safe?

[email protected] (Earle Ake) writes:
>       If you have a virus on your system that reproduced your master
>diskette, that virus could infect the copy.  If the store that
>re-sells your software takes off the shrink-wrap, tests the program
>and re-shrink-wraps it, there is a chance of a virus infecting it
>there.  If someone buys a package, takes it home and discovers it will
>not work on his system and returns the software, the store
>re-shrink-wraps it and sells it for new.  Yet another way to infect a
>disk even though it was sold 'shrink-wrapped'.  Do we have to put all
>software in tamper-resistant packaging like Tylenol?  If a store tries
>a package out so they can be able to tell customers how good it is,
>can they sell that diskette as new software still?  Do we have to
>demand a no-returns policy on software?  Hey, the customer might have
>a shrink-wrap machine available to them and would be able to
>shrink-wrap and return as new.  Where do we draw the line?

Hmm.. the simple solution to most of these problems is to distribute
software on diskettes without write-enable slots (ie. built-in write
protection tabs).  There is simply NO way, short of modifying hardware,
for such diskettes to become virus infected on the customers premises.

I'm actually quite surprised that 99% of the software I purchase comes
*without* write protection tabs installed on the diskettes (5.25" floppies).
I really have to force myself to install that critical tab *before* inserting
the disk in *any* drive.  This guarantees that I don't infect the masters.

This whole deal with shrink-wrap and Tylenol-packaging for software is
really a big scam in a lot of ways (IMHO).

I mean, think about this.. the customer is expected to plop out (here in
Canada, at least) between $60 and $200 for the most trivial of store-bought
software, WITHOUT any guarantee of system compatibility (most people DO NOT
have IBM/COMPAQ/TANDY machines.. face it!).  In addition, if the program
does not work, or demonstrates bugs, TOUGH NUGGIES.. no source code to fix
and no replacements available.  Would you buy anything else *new* under such
outrageous conditions???  [other than software, of course]

Where is Ralph Nader when we need him?  Ooops.  Wrong country.

'cuse me while I take a long dandelion break...
- --
+----------------------------------------+----------------------------+
| Mark S. Lord                           | Hey, It's only MY opinion. |
| ..!utgpu!bnr-vpa!bnr-fos!mlord%bmers58 | Feel free to have your own.|
+----------------------------------------+----------------------------+

------------------------------

Date:    Wed, 17 Jan 90 10:29:36 +0700
From:    [email protected]
Subject: Re: Biological references requested

A good reference about viruses in general as well as the analogy
between them and their biological cousins is:

J.C. Van Winkel, "The phenomenon computerviruses reviewed", 1989, NGI,
Amsterdam. ISBN: 90-70621-29-0.

Since there is an ISBN, I think you can order it in any bookstore. You
can also order direct by: NGI, 184 Van Diemenstraat, NL-1013 CP
Amsterdam, The Netherlands. It costs about $ 15,00.

------------------------------

Date:    17 Jan 90 13:36:11 +0000
From:    Irving Chidsey <[email protected]>
Subject: Re: Morris stands trial (Internet)

[email protected] (Damon Kelley; (RJE)) writes:

<Isn't a "jury of his peers" called for here?
<
<       She said that the trial would be more impartial if the jury is
<composed of non-tech persons.  Comments?

       There are two kinds of challenges, For Cause and Peremptory.
Each side gets an unlimited ( I think ) number of challenges for cause
and a moderate number of peremptory, just because, challenges.  The
defense gets more of the latter.  Both sides were probably afraid of
computer knowledgeable jurors because they know something about
computers.  Neither side wants experts on the jury, they are too hard
to sway and lawyers prefer pliable jurors who can be convinced by
rhetoric.

       I just finished a term as juror.  Got on one case, was
excluded from several others.  The cute blond prosecuting attorney
that turned me down was out of her mind :-).

                                                       Irv

I do not have signature authority.  I am not authorized to sign anything.
I am not authorized to commit the BRL, the DOA, the DOD, or the US Government
to anything, not even by implication.
                       Irving L. Chidsey  <[email protected]>

------------------------------

Date:    17 Jan 90 15:05:00 +0700
From:    [email protected]
Subject: Bulgarian viruses (PC)

                            Hello, everybody!

I am a computer virus expert from the Eastern bloc. My name is
Vesselin Vladimirov Bontchev and I live in Bulgaria. I have some
problems with the English language, so *please* excuse my mistakes.
Currently I am private for two months in Munich and for the first time
in my life I have access to an e-mail system. It is really wonderful!

The computer virus situation in our country is completely different.
We do not have too many kinds of viruses -- about 10-12 for IBM
PC/XT/AT and compatibles only -- but they are *very* widely spread.
One can find them just everywhere -- not only in high schools and
computer clubs.  The main reason is that literally no one takes
particular care to prevent the infection and to exterminate the
viruses.  Another main reason is that the level of software piracy in
our country is very high -- there is no copyright law there.  I wrote
some antivirus programs which I am distributing freely and they are
widely used -- but of course, one cannot defeat the virus threat
alone.

If someone is interested, I am able to supply detailed information
about the viruses "made in Bulgaria":
       - Dark Avenger
       - VACSINA
       - Yankee Doodle
(In fact, the last two are different versions of a single virus -- and
I know very well the person who created them.)

As far as I know, these viruses have already spread in the Western
countries. There are also other "Bulgarian" viruses:
       - V651
       - V512
       - V2000

I can also supply information about them. If they have already spread
outside Bulgaria, please let me know.

The other viruses which are spread in our country are:
       - VHP-648 (Vienna)
       - Bouncing Ball (Italian, Turin)
       - V1813 (Israeli, Jerusalem, Friday 13th)
       - V1701/V1704 (Cascade, Autumn, Falling letters)
but they are too well known, so I do not think that anyone will need
information about them.

                       Sincerely,
                                       Vesselin

------------------------------

Date:    17 Jan 90 15:07:00 +0700
From:    [email protected]
Subject: Re: virus scanning

> I am told that there is a proof in the November '89 issue of the American
> Mathematical Monthly, to the effect that no completely safe computer virus
> test is possible.  The proof is supposed to be short, and along the lines of
> the various proofs of the Halting problem.

Yes, the problem of whether a program is a virus or not is, in general,
undecidable. The (informal) proof follows:

Let's define a virus as a program which can infect other programs. (For a
more complete definition, see [1].) Let A(P) be an algorithm which applied
to the program P returns a boolean value (true when P is a virus and false
if it isn't). Now we can construct the program P1 in the following way:

       program P1;
       begin
               if A(P1)
               then (* do nothing *)
               else infect_other_programs;
       end.

In other words, if A reports that P1 is a virus, then P1 does not infect
programs, i.e. is not a virus. Otherwise (if A reports that P1 is not a
virus), P1 infects programs, i.e. it is a virus.

Therefore, A cannot decide whether P1 is a virus or not.
                                       Q.E.D.

                       Vesselin

[1] Cohen F., "Computer Viruses. Theory and Experiments", COMPUTER
   SECURITY: A Global Challenge, J.H. Finch and E.G. Dougall (eds.),
   Elsevier Science Publishers B.V. (North-Holland), 1984.
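
The diagonal construction above, carried out in running code as an added
example; this is not part of Vesselin's post and not the construction in
Cohen's paper, which is over real programs. Programs are modelled as Python
callables that receive a list of "host programs" (plain strings standing in
for executables) and may modify it; "infecting" a host means appending a
marker to its string, so nothing touches the file system. The sample host
list, the simulated infection, and the budgeted "run it and watch" detector
are assumptions of the example, chosen to show that a behavioural A(P) which
executes P1 re-enters itself, which is where the Halting-problem flavour of
the argument comes from.

```python
# Added example: the diagonal argument, made concrete.
# Programs are callables over a list of "host programs" (strings standing in
# for executables); infecting a host is simulated by appending a marker to
# its string.  Nothing here touches the file system.
from typing import Callable, List

Program = Callable[[List[str]], None]
Detector = Callable[[Program], bool]   # the hypothetical A(P): True = "P is a virus"

# Constructed sample hosts (stand-ins for the commands an infector would hit).
SAMPLE_HOSTS = ["echo", "date", "read"]


def actually_infects(p: Program) -> bool:
    """Ground truth: run P on fresh copies of the sample hosts, report any change."""
    hosts = list(SAMPLE_HOSTS)
    p(hosts)
    return hosts != SAMPLE_HOSTS


def make_contrary_program(A: Detector) -> Program:
    """Build P1 from the post: ask A about P1 itself and do the opposite of the verdict."""
    def p1(hosts: List[str]) -> None:
        if A(p1):
            return                        # A says "virus": behave harmlessly
        for i, h in enumerate(hosts):     # A says "clean": infect every host
            hosts[i] = h + "+P1"
    return p1


def detector_is_wrong_on_own_diagonal(A: Detector) -> bool:
    """True when A's verdict on P1 contradicts what P1 really does."""
    p1 = make_contrary_program(A)
    return A(p1) != actually_infects(p1)


def make_dynamic_detector(budget: int = 3) -> Detector:
    """A 'run it and watch' detector (assumed design, not from the post).
    Executing P1 calls A again, so the detector needs a depth budget and must
    answer something when the budget runs out; here it answers "clean"."""
    depth = 0

    def A(p: Program) -> bool:
        nonlocal depth
        if depth >= budget:
            return False                  # analysis budget exhausted: give up
        depth += 1
        try:
            return actually_infects(p)
        finally:
            depth -= 1
    return A


def all_candidates_fail() -> bool:
    """Every candidate decider, however built, is wrong on its own P1."""
    candidates = [
        lambda p: True,                            # paranoid: everything is a virus
        lambda p: False,                           # naive: nothing is a virus
        lambda p: "virus" in p.__name__.lower(),   # static "signature" on the name
        make_dynamic_detector(),                   # behavioural, with a budget
    ]
    return all(detector_is_wrong_on_own_diagonal(A) for A in candidates)


if __name__ == "__main__":
    print("every candidate A is wrong on its own P1:", all_candidates_fail())
```

Each candidate A is defeated by the P1 built against it, not by any single
fixed program, which is the point of the argument: the contradiction is
constructed from A. The budgeted dynamic detector shows why a behavioural
scanner cannot escape it either; whatever it answers when the budget runs
out, P1 does the reverse one level up. Real scanners sidestep this by
deciding a narrower, decidable question (does this file contain a known
pattern?), which is why they are complete for known viruses and silent on
new ones.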

------------------------------

End of VIRUS-L Digest
*********************