VIRUS-L Digest   Friday, 19 Jan 1990    Volume 3 : Issue 15

Today's Topics:

Academic Press makes good! (PC)
Hard Drive Overlord (PC)
Re: Spool... Bug or Virus, what is more harmful
Re: Shrink-Wrapped Software
Re: Internet worm writer stands trial (Internet)
Re: Internet worm writer stands trial (Internet)
Ethical Judgement of the Internet Worm
fractal disk infection (PC)
WDEF at University of Oregon (Mac)
New anti-virals uploaded to SIMTEL20 (PC)
McAfee Included in top 100
Re: virus scanning
Re: Some more thoughts on shrink-wrapped software...
Shrink-wrapped SW

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 18 Jan 90 13:33:40 -0500
From:    [email protected]
Subject: Academic Press makes good! (PC)

Well, Academic Press finally came through!  You will recall that
the Barnsley DESKTOP FRACTAL DESIGN SYSTEM, sold through Academic
Press, was infected with a virus named "1813".  At the time I reported
this to Academic Press's Customer Service department, they knew about
the problem.  Yesterday I received a letter from them dated January
12 (about 2 days after I reported the virus) noting that some copies
of the program are "suspected of carrying a computer virus."  The
letter directs purchasers to call the Customer Service Department
to order a clean copy and get directions for how to clean up your
system.

I'm not sure why it took them so long, but at least AP is taking
responsibility.  I imagine their senior executives are holding
their aching heads and wondering why they decided to enter the
software publishing business.  Books never require product recalls.
  +-----------------------------------+---------------------------+
  |  ___                              |     Barbara Weitbrecht    |
  | (__  \      /           \         |    Computer Specialist    |
  | ___)EAL\/\/ YF       >-===-:}     |  Smithsonian Institution  |
  |                         /         |      IRMSS100 @ SIVM      |
  +-----------------------------------+---------------------------+
  |  The Sealwyf is a shape-shifter -- a woman in a seal's skin.  |
  +---------------------------------------------------------------+

------------------------------

Date:    Thu, 18 Jan 90 13:04:21 -0500
From:    Jim Kenyon <[email protected]>
Subject: Hard Drive Overlord (PC)

I am trying to get information on a programme called Hard Drive
Overlord which is published by A.B. Data Sales, Inc. of Saskatoon,
Saskatchewan, Canada.

It comes with five modules and seems to be similar to GateKeeper (Mac)
in function.  With all the discussion on the list about software, it's
hard to imagine why this one hasn't been mentioned before.

Please reply directly to me and I'll post a summary back.

Jim Kenyon                      NetNorth: [email protected]
Director, Veterinary Services   CONNECT:  Macvet
The Toronto Hospital
Toronto, Ontario, Canada        (416) 340-4652

------------------------------

Date:    Thu, 18 Jan 90 08:40:03 -0500
From:    Geraldo Xexeo <[email protected]>
Subject: Re: Spool... Bug or Virus, what is more harmful

 Some Digests ago there was a message saying that our errors are more
dangerous than viruses. Could both of them be viewed in the same
perspective? Could "vaccines" be developed for both?

Second Point:
 Lately I have been receiving lots of RETURNED NETWORK from LISTSERVERS. I think
that it could cause, in an extreme case, a traffic so large in the net
that it would collapse.

 Question: In this case, will the LISTSERV be considered a Virus (expecting
to get active)? Or are the users that don't disconnect themselves from servers
guilty of bad use (non-ethical) of a computer program?

 Although it is not the place, I suggest that LISTSERVERs receive an
ANTI-MESSAGE protection to solve this specific problem, but I'm worried
about the generalization of this question.

                       Geraldo Xexeo
                       [email protected]

[Ed. Believe it or not, LISTSERVs actually attempt to parse incoming
mail to determine whether it is a bounced error message (in which case
the mail gets forwarded to me...) or a legitimate posting.
Unfortunately, postmasters and sites don't use any standard format
error message, and the LISTSERV occasionally is "tricked" into
believing that an error is actually a message for the list.  Instant
loop, just add water.  Those of you on VALERT-L may be relieved to
know that I *think* that the problem is fixed.  I know, I know -
famous last words...  :-)]

------------------------------

Date:    18 Jan 90 20:58:44 +0000
From:    Bernie Cosell <[email protected]>
Subject: Re: Shrink-Wrapped Software

[email protected] (Michael S. Maiten) writes:

}[email protected] writes:

}>   Users can protect themselves
}>   and discourage this risky practice by refusing to deal with retailers
}>   that offer them the right to return.

}Stores that offer return policies are exactly the ones with whom I do
}deal, since it is almost impossible to see if the software will meet
}my needs by reading the box or trying out the store demonstration
}copy.  What they should do is to be more careful when accepting the
}returned items (check for missing materials, and check for infection
}of the disks) before returning the person's money.

Actually, isn't this almost totally trivial for the store --- all they need
to do is, before they re-shrink-wrap, do a sector-by-sector, byte-by-byte
comparison of the *entire* disk(s) that were returned against a master set
the store keeps.  It doesn't seem hard, and surely cannot take long, and as far
as I can tell totally eliminates the problems.

 /Bernie\
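
The sector-by-sector comparison proposed in the message above, sketched as an added example (not part of the original post). The 512-byte sector size, the function names and the sample images are assumptions, and the images are constructed in memory rather than read from real disks.

```python
import io

SECTOR_SIZE = 512  # bytes per sector on a standard DOS floppy (assumed)


def differing_sectors(master, returned, sector_size=SECTOR_SIZE):
    """Compare two disk-image streams sector by sector.

    Returns the numbers of all sectors whose bytes differ. If one image
    is shorter, every sector past its end is reported as different.
    """
    diffs = []
    sector = 0
    while True:
        a = master.read(sector_size)
        b = returned.read(sector_size)
        if not a and not b:        # both images exhausted
            return diffs
        if a != b:
            diffs.append(sector)
        sector += 1


def constructed_image(sectors=720):
    """Constructed sample data: 720 sectors x 512 bytes (a 360K floppy)."""
    return b"".join(bytes([n % 251]) * SECTOR_SIZE for n in range(sectors))


def check_returned_disks():
    """Run the comparison on three constructed 'returned' disks."""
    master = constructed_image()
    tampered = bytearray(master)
    tampered[3] ^= 0xFF                        # one byte changed in sector 0
    tampered[100 * SECTOR_SIZE + 17] ^= 0x01   # one bit changed in sector 100
    truncated = master[:-SECTOR_SIZE]          # image missing its last sector

    def compare(img):
        return differing_sectors(io.BytesIO(master), io.BytesIO(bytes(img)))

    return {"clean": compare(master),
            "tampered": compare(tampered),
            "truncated": compare(truncated)}


if __name__ == "__main__":
    # With real images, pass open(path, "rb") for each stream instead.
    for name, diffs in check_returned_disks().items():
        print(name, "OK to re-wrap" if not diffs else f"REJECT, sectors {diffs}")
```
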

------------------------------

Date:    Thu, 18 Jan 90 17:57:47 +0000
From:    "Ralph Treitz" <[email protected]>
Subject: Re: Internet worm writer stands trial (Internet)

It was interesting to hear about the sequel of the Internet-worm-story.
Since our newspapers didn't mention anything about the trial, I'd like to
hear in this newsgroup what's going on, and what will happen to Mr. Morris.
Thanks.

+----------------------------------+----------------------------------------+
!    Ralph Treitz                  !    Phone:  +49 6227 - 34 - 1641        !
!    S.A.P. AG                     !    Fax:    +49 6227 - 34 - 1282        !
!    SAA-C                         !    Telex:  466 004 sap d               !
!    Max-Planck-Str. 8             !                                        !
!    D-6909 Walldorf/Baden         !    E-Mail: [email protected]              !
!    West-Germany ( F.R.G. )       !            ...uunet!unido!sapwdf!rt    !
+----------------------------------+----------------------------------------+

------------------------------

Date:    18 Jan 90 22:34:50 +0000
From:    [email protected] (Robert Rubinoff)
Subject: Re: Internet worm writer stands trial (Internet)

[email protected] (Robert J Woodhead) writes:
> [...] In my circle of admittedly bright and educated friends, not
>a single one has, to my knowledge, ever been accepted for jury duty.

Well, I've never met RJW, so I don't qualify as a friend of his, but
I'm a PhD student in Computer Science at Penn, so I'm definitely
educated and presumably bright as well (at least I like to think so).
I was just selected to serve on a jury even though I mentioned during
the selection process that I was a PhD student.  So I guess it's not
impossible.

   Robert

------------------------------

Date:    Thu, 18 Jan 90 15:07:00 -0500
From:    [email protected]
Subject: Ethical Judgement of the Internet Worm

>From VIRUS-L:

>My point is, this trial doesn't eliminate the necessity of an
>ethical judgement. Maybe what he did is not a crime, but is clearly
>a violation of ethical aspects of computer use.

I suspect the conclusion of the authorities at Cornell that young Morris
acted with "reckless disregard" for the consequences is the closest that
we will ever get to an ethical judgement about his actions.

>I suggest that an ethical code, similar to the ethical code in
>medicine should be developed. I suppose that ACM has one, but is not
>the same. ACM  didn't control the exercise of the computer activities.

Of course the ACM does have such a code, and it is likely that young
Morris has or would subscribe to it.  However, it did not deter him.
Since his lawyer plans for him to testify, we will likely get to hear
his rationale for his behavior.  However, I doubt that he seriously
considered the ethics of his actions until confronted with the
consequences.

Had he done so, I am not sure that it would have altered his behavior.
Like many of his defenders in the net, I suspect that he would have seen
it as ethical, or as not an ethical issue.  There does not seem to be a
consensus among his contemporaries that that kind of behavior is
reprehensible.  Neither does there appear to be a consensus among them
that they have an interest in an orderly playground.

Note that though Morris aspires to be a professional in the field, and
is, therefore, subject to professional sanctions, most of his
contemporaries who use computers have no such aspirations and are not
subject to such sanctions.

It seems equally clear that this profession does not have sufficient
integrity to invoke such sanctions.  Though Cornell concluded that he
did it (and he does not deny it), they have said that he is eligible
to re-apply for admission to continue his studies.  Other
"responsible" members of the profession have been willing to employ
him.  Thus his contemporaries could conclude that, while such actions
might be in technical violation of the ACM's code, they are not in
violation of community standards.

If the profession and society are to be protected from such impolite,
disorderly, and destructive behavior, then we must reach a collective
conviction we are prepared to consistently support in both
voice and action.  In the absence of such a consensus, we can expect
more of the same.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    Thu, 18 Jan 90 19:49:49 -0000
From:    [email protected]
Subject: fractal disk infection (PC)

TO ANYBODY FIGHTING THE JERUSALEM/1813 VIRUS ON THE "DESKTOP FRACTAL
DISK"

There are two articles which explain the action of the virus and give
details of anti-viral programs to eradicate it:

Joe Hirst Getting inside PC viruses. Tech PC User May 1989 v1 n9 p22(5)

Powis, Kevin Programs to fight viruses. Tech PC User May 1989 v1 n9 p31(3)

The program to fight Jerusalem/1813 is called 1813BR, it's PD and you
can get it from the CoTRA conference on CIX.

Rgds,

Iain Noble

------------------------------

Date:    Thu, 18 Jan 90 13:44:00 -0800
From:    "Hervey Allen" <[email protected]>
Subject: WDEF at University of Oregon (Mac)

Since people seem to be reporting occurrences of the WDEF virus, hopefully
to track its spread, I will throw in my two cents worth.

The WDEF virus was reported in the student computer lounge around January
8th.  The virus was removed using Disinfectant 1.5.  The computer lounge
has a voluntary virus check station.  The WDEF virus has been detected and
removed a number of times since the 8th.

I am writing from the University of Oregon Academic Computing Center.  We
have not seen the WDEF virus yet.  We scan numerous disks that are brought
into our public printing and public domain (both for Macintosh) stations.
We have exclusively seen Nvir A and B.  I informally track virus reports
from around the city (Eugene, Oregon) and have only received reports of
Nvir A and B.

On the PC side I have dealt with the Jerusalem virus once, and the Ping-
Pong virus once.  The Jerusalem virus was spread from a BBS in Portland,
Oregon.  No other PC viruses have been reported to our center.

Obviously, we have been lucky, so far.  One of my duties is virus removal
and prevention for PC and Macintosh at our center.  I receive numerous
calls for information and help from the campus community and the community
in general.

Hervey Allen              | University of Oregon
Student Programmer        | Academic Computing
                         | [email protected]  (internet)
                         | [email protected]       (Bitnet)

------------------------------

Date:    Thu, 18 Jan 90 21:06:00 -0700
From:    Keith Petersen <[email protected]>
Subject: New anti-virals uploaded to SIMTEL20 (PC)

I have uploaded the following files to SIMTEL20:

pd1:<msdos.trojan-pro>
CLEANP55.ARC    Universal Virus disinfector, heals/removes
SCANV55.ARC     VirusScan, scans disk files for 60 viruses

These programs were downloaded from the Homebase BBS.

--Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives [IP address 26.2.0.74]
Internet: [email protected], [email protected]  BITNET: w8sdz@NDSUVM1
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz

------------------------------

Date:    Thu, 18 Jan 90 16:05:33 -0800
From:    [email protected]
Subject: McAfee Included in top 100

    The Microtimes third annual selection of the 100 most influential
leaders in the computer industry (published in the January 22 edition)
includes John McAfee for his work in the computer virus field.  To see
a virus researcher included with such luminaries as Steven Jobs, Bill
Gates, Mitch Kapor, Peter Norton, John Akers (Chairman of the Board of
IBM), Philippe Kahn etc. implies that the establishment has finally
taken the virus issue seriously.  It's even more interesting when you
consider that Steve Wozniak, Brian Carlson, the Chairmen of ICL,
Intel, Olivetti, and the presidents of dozens of major computer
manufacturers were turned down for inclusion.
    I say hats off to a hard working representative of the antivirus
league and congratulations -- in spite of John's self-deprecating
attitude (He claims that they confused him with someone else and that
his inclusion and description of his deeds can be attributed to an
editorial oversight).

Alan Roberts

[Ed. Congratulations, John!]

------------------------------

Date:    Thu, 18 Jan 90 09:46:10 -0700
From:    [email protected] (Dave Myers)
Subject: Re: virus scanning

>> I am told that in the November '89 issue of the American Mathematical
>> Monthly, to the effect that no completely safe computer virus test is
>> possible.  The proof is supposed to be short, and along the lines of
>> the various proofs of the Halting problem.
>
>Yes, the problem whether a program is a virus or not, is in general
>undecidable. The (informal) proof follows:
>
>Let's define a virus as a program which can infect other programs. (For a
>more complete definition, see [1].) Let A(P) be an algorithm which applied
>to the program P returns a boolean value (true when P is a virus and false
>if it isn't). Now we can construct the program P1 in the following way:
>
>        program P1;
>        begin
>                if A(P1)
>                then (* do nothing *)
>                else infect_other_programs;
>        end.
>
>In other words, if A reports that P1 is a virus, then P1 does not infect
>programs, i.e. is not a virus. Otherwise (if A reports that P1 is not a
>virus), P1 infects programs, i.e. it is a virus.
>
>Therefore, A cannot decide whether P1 is a virus or not.
>                                        Q.E.D.
>
>                        Vesselin

I may be missing something, but it seems the above program makes the
assumption that A cannot detect some virus.  If A can detect all
viruses then P1 will in fact be unable to infect another program and
is thus not a virus.

dave
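
The P1 construction from the quoted proof, carried through for three concrete detectors, as an added example (not part of either post). The detector functions are hypothetical stand-ins for A, and "infects" is a harmless return value standing in for infect_other_programs.

```python
def make_p1(A):
    """Build the program P1 from the quoted proof for a given detector A."""
    def P1():
        # P1 consults A about itself, then behaves the opposite way.
        if A(P1):
            return "does nothing"
        return "infects"   # harmless stand-in for infect_other_programs
    return P1


# Hypothetical detectors. Each inspects P without running it.
def always_flags(P):
    return True


def never_flags(P):
    return False


def flags_by_constant(P):
    # Static scan: flag any program whose code contains the "infects" action.
    return "infects" in P.__code__.co_consts


def check(A):
    """Return (A's verdict on P1, whether P1 actually infects)."""
    P1 = make_p1(A)
    return A(P1), P1() == "infects"


def results():
    detectors = (always_flags, never_flags, flags_by_constant)
    return {A.__name__: check(A) for A in detectors}


if __name__ == "__main__":
    for name, (verdict, infects) in results().items():
        print(f"{name}: A says virus={verdict}, P1 infects={infects}")
```

For each detector the verdict and the behaviour disagree: a detector that flags P1 is reporting a program that does nothing, and one that passes P1 is missing a program that infects.
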

------------------------------

Date:    17 Jan 90 19:03:01 +0000
From:    [email protected] (Woodrow Baker)
Subject: Re: Some more thoughts on shrink-wrapped software...

[email protected] (David Gursky) writes:
> What is really most amazing about the problem of a potential vandal infecting
> a commercial application, and returning it to an unsuspecting vendor is the
> ease with which the vendor can detect the problem.

Why not just run a good virus checker on returned software  before rewrapping?

Cheers
Woody

------------------------------

Date:    Thu, 18 Jan 90 10:16:57 +0100
From:    iaoobel!xof%[email protected] (Christof Ullwer)
Subject: Shrink-wrapped SW

In V3#12 Brian Piersel <[email protected]> writes:
>Another way vendors can help is to sell software on write-protected
>diskettes.

And [email protected] (Leonard P Levine) writes:
>Many vendors are now selling software on un-notched disks.  My most
>recent copy of wordstar, my copy of spinrite and even one shareware
>product have come to me on disks that cannot be written to except with
>modified computer hardware.

IMO, someone evil-minded who really intends to infect a disk will
succeed even on write-protected disks. On the other hand, verifying a
returned disk with a master copy as [email protected] (David
Gursky) suggests is time intensive and annoys the customers. Vendors
should put new media, i.e. a copy from a clean master diskette, into
the box and then shrink-wrap it.

Christof
(xof%[email protected])

------------------------------

End of VIRUS-L Digest
*********************