VIRUS-L Digest   Tuesday, 23 Jan 1990    Volume 3 : Issue 19

Today's Topics:

UNCONFIRMED Virus on VAX (VAX/VMS)
Re: theoretical virus scanning
Re: Internet worm writer to go to trial Jan 16th. (Internet)
BITFTP files also on SIMTEL20
Requests/Questions (PC)
The universal virus scanner
Eradicat'Em 1.0. Is is safe?? (Mac)
WDEF infection (Mac)
Warning of WDEF A Infection... (Mac)
WDEF A infection followup (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 22 Jan 90 10:16:00 -0400
From:    The Man with the Plan <[email protected]>
Subject: UNCONFIRMED Virus on VAX (VAX/VMS)

>From:  IN%"[email protected]"  "Vax discussion" 21-JAN-1990 23:11:59.77
>Subj:  <Vax 85> Virus on VAX
>From: [email protected]

>        Hi!

>        Does anyone have an idea about a VAX virus? Or is anyone interested
>        in it? I think the most difficult point is how to spread it
>        out. So if someone has any bright idea, contact me.

>                                                James Huang

       Here is a message from UMNews's Vax discussion list.  I
thought the list should know about this.  The node is Taiwanese.

------------------------------

Date:    22 Jan 90 00:00:00 +0000
From:    "David.M..Chess" <[email protected]>
Subject: Re: theoretical virus scanning

[email protected] (Kelly Goen) writes:

> All proofs aside on a practical level... it is possible with memory
> protection architectures to defend totally(well at least 99% of the
> time) against intrusion by infectious processes...I speak from
> REAL-LIFE experience here...

But when you speak from "REAL-LIFE experience", all you can talk about
is experience with the viruses that have been written so far, yes?
The viruses we've seen so far are, compared to what's possible,
awfully simple.  I'd suggest being a tad less confident, myself!
Surely you can think of a virus or worm that could sneak past your
defenses?

(As an aside, I'm not sure I understand the reference to "memory
protection architectures"; even the current virus technology doesn't
have to rely on unprotected *memory* (although some viruses do). The
thing that would help most against the current sorts of viruses, it
seems to me, is better file-access-control.  Of course, to implement
that reliably, you do need memory protection, but memory protection by
itself doesn't buy you much, anti-virus wise.)

On the other hand, I do agree that the theoretical proof is of limited
interest.  It shows that you can't detect viruses with 100% accuracy.
But the interesting question is "can we detect them with -acceptable-
accuracy, and if so, how much will it cost?"

DC

------------------------------

Date:    23 Jan 90 17:28:23 +0000
From:    [email protected] (Gene Spafford)
Subject: Re: Internet worm writer to go to trial Jan 16th. (Internet)

Sigh.  I mistyped.  My apologies.

[email protected] (Gene Spafford) writes:
>A jury of his peers would be 12 careless hackers with little concern
>for other people's ownership of their machines and software.  (Okay,
>so we can have a jury of OSF hackers. :-)

I meant FSF, not OSF.

Repeat after me,
 OSF is not FSF
 OSF is not FSF


BTW, at 9:30 pm last night the jury returned a guilty verdict against
young Mr. Morris.   The sentencing hearing is Feb. 27.   Federal
sentencing guidelines would dictate a mandatory jail sentence of (as I
remember) 12 months.  The judge in the case has a reputation of going
light on "white-collar" crime sentencing, however, and I suspect we
will see a fine, probation, and a suspended sentence.

- --
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  [email protected]   uucp:   ...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date:    Mon, 22 Jan 90 14:52:24 -0500
From:    Peter Jones <[email protected]>
Subject: BITFTP files also on SIMTEL20

On Fri, 19 Jan 90 15:38:07 EST The Moderator Kenneth R. van Wyk said:
>VIRUS-L Digest   Friday, 19 Jan 1990    Volume 3 : Issue 16
>BitNet *can* FTP now.....
>Internet Worm Trial
>------------------------------
>
>Date:    Fri, 19 Jan 90 10:28:53 -0600
>From:    James Ford <[email protected]>
>Subject: New files (PC)
>
>The following files have been added to MIBSRV.MIB.ENG.UA.EDU
>(130.160.20.80):
[text deleted]
>
>James Ford -  [email protected], [email protected]
>              University of Alabama in Tuscaloosa.

The same files are available from SIMTEL20.

Peter Jones     MAINT@UQAM     (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

Date:    Tue, 23 Jan 90 00:21:04 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Requests/Questions (PC)

Nothing important this time...just a few virus-related items.

1) I found this text inside the W13 virus. Can anybody translate it ?
  Please send the translation to me ([email protected]), not to the list.

            Program typu COM nie robiący absolutnie nic.
            Jego przeznaczeniem jest;
            wystawianie się na wabia wirusom.

2) The "Palette" virus has been reported to be 1538 bytes long. Can anybody
  confirm that ?  The reported identification string matches my copy of
  "Zero Bug" which has an infective length of 1536 bytes. Either we have
  two variants or the "1538" may just be an error. Besides - 1536 is a much
  nicer number - it turns out as 11000000000 in binary.... :-)

3) I have found two (very minor) bugs in my F-PROT package - one program
  does not display a start up message and another may display a help message
  in Icelandic instead of English. I will correct this in the next release.

4) And yes, if Roy Silvernail happens to read this - could you please E-Mail
  me again - I lost your original message before I could reply.

- -frisk

------------------------------

Date:    Tue, 23 Jan 90 10:25:04 +0000
From:    "Dr. A. Wood" <[email protected]>
Subject: The universal virus scanner

A contribution to the universal virus scanner controversy.

On 17 Jan 90 15:07:00 +0700, [email protected] wrote:
"Construct the program Q thus:
  program Q; begin
  if is_a_virus(Q) then (* do nothing *) else infect_other_programs;
  end.

On 19 Jan 90 19:56:06 -0400, GEORGE SVETLICHNY <[email protected]>
wrote:- "The same type of informal proof can be used to show the
impossibility of an algorithm to say if a program will stop or not.
Write the program
  program R; begin
  if will_stop(R) repeat while TRUE else exit;
  end
A very simple argument and very powerful.".

These are versions of the ancient paradox which comes in various forms:-
(1) Statement (1) is untrue.
(2) Jack said "Everything I say is a lie.".
(3) The set of all (sets which are not members of themselves): is it a member
   of itself?

What will probably happen will be that program Q or R will # examine
itself by going through all its code, including the instruction to
examine itself - repeat from # forever. Probably both Q and R will get
into infinite recursion when used to examine themselves, but may well
behave correctly when examining ordinary programs which are not
themselves program-checkers. When examining themselves, Q and R yield
neither YES nor NO, but simply crash.

{A.Appleyard} (email: [email protected]), Tue, 23 Jan 90 09:36:12 GMT
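An added example, not from the digest or any of its posters, that carries the Q construction above through in Python and generalises it to any scanner: Q is kept as source text, hands that text to whatever scanner it is given, and does the opposite of the verdict, so every scanner's verdict on Q is wrong. The scanner names, `Q_SOURCE` and the "spreading" flag are all constructed stand-ins; the last function shows the mutual recursion the post describes when the scanner itself works by running the program.

```python
import re

# Constructed stand-in for a signature scanner: it flags any program whose
# text contains a marker string it has been taught to recognise.
def signature_scanner(program_text: str) -> bool:
    return re.search(r"INFECT_MARKER", program_text) is not None

# Program Q from the post, kept as text so a scanner can examine it. Q hands
# its own source to the scanner and does the opposite of the verdict. The
# "infect" branch is replaced by a harmless flag: True means "would spread".
Q_SOURCE = '''
def run(scanner, own_source):
    if scanner(own_source):
        return False      # judged a virus -> do nothing
    return True           # judged clean   -> (would) spread
'''

def run_q(scanner) -> bool:
    """Execute Q's text against the given scanner and return its behaviour."""
    namespace = {}
    exec(Q_SOURCE, namespace)
    return namespace["run"](scanner, Q_SOURCE)

def scanner_is_wrong_about_q(scanner) -> bool:
    """True when the scanner's verdict on Q disagrees with what Q then does.
    Holds for every scanner, since Q's behaviour is the negation of the
    verdict: 'virus' is a false positive, 'clean' a false negative."""
    verdict = scanner(Q_SOURCE)        # what the scanner claims Q is
    behaviour = run_q(scanner)         # what Q actually does
    return verdict != behaviour

# A scanner that decides by running the program and watching whether it
# spreads fares no better: on Q it runs Q, which calls the scanner on Q,
# which runs Q, ... the self-examination loop the post describes.
def emulating_scanner(program_text: str) -> bool:
    namespace = {}
    exec(program_text, namespace)
    return namespace["run"](emulating_scanner, program_text)

def emulating_scanner_recurses_on_q() -> bool:
    try:
        emulating_scanner(Q_SOURCE)
    except RecursionError:
        return True
    return False

if __name__ == "__main__":
    for name, scanner in [("signature", signature_scanner),
                          ("flag-everything", lambda s: True)]:
        print(name, "scanner wrong about Q:", scanner_is_wrong_about_q(scanner))
    print("emulating scanner recurses on Q:", emulating_scanner_recurses_on_q())
```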

------------------------------

Date:    Tue, 23 Jan 90 14:20:36 +0000
From:    [email protected] (Glenn P Hoetker)
Subject: Eradicat'Em 1.0. Is is safe?? (Mac)

I remember, dimly, seeing warnings right after WDEF surfaced about the
Eradicat'Em Init, mainly that it was unstable.  Now that I have that init
and am responsible for protecting two public Macs, I can't find those
articles, of course.  So, with apologies for bringing it up again, is
Eradicat'Em 1.0 a safe, stable, and effective way to combat WDEF?  Please
e-mail versus cluttering the board with old news.  Thank you much in
advance.

Glenn Hoetker  ([email protected])
Macintosh Resource Person
GSLIS/LRL
University of Illinois

- --
Glenn Hoetker
University of Illinois, Graduate School of Library and Information Science
[email protected]     -or-   ghoetker@UIUCVMD

------------------------------

Date:    Tue, 23 Jan 90 11:20:00 -0600
From:    Ken De Cruyenaere 204-474-8340 <[email protected]>
Subject: WDEF infection (Mac)

Reports of WDEF infections on our campus are coming in.
Gatekeeper aid is being used to fight it.
- ---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator
Computer Services - University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: [email protected]               (204)474-8340

------------------------------

Date:    Sat, 20 Jan 90 23:37:37 -0500
From:    [email protected] (David Gursky)
Subject: Warning of WDEF A Infection... (Mac)

[Ed. From VALERT-L - see related message (below).]

There is a new Macintosh application coming on the market now, called
Grammatik.  I understand from a friend of mine who works at a local outlet of
Egghead Software that the copies they received have been infected with WDEF A.
I have not confirmed this myself, but I have the utmost faith in Andy's
ability and believe the report to be accurate.  By the same token, neither
Andy nor I believe this is a deliberate attempt by the publishers of
Grammatik to infect computers, but simply an error.

If you buy or have bought a copy of Grammatik, use Disinfectant, SAM, or any
of a number of known applications that can remove WDEF, on the Master Disk to
sanitize the disk.

Andy's original message has been forwarded to Virus-L.  Any information in it
supersedes what I have written here, from memory.

David Gursky

------------------------------

Date:    Fri, 19 Jan 90 17:35:38 -0500
From:    [email protected] (David Gursky)
Subject: WDEF A infection followup (Mac)

Given all the messages regarding shrink-wrapped virus, I thought the following
message would be of interest to readers:

[From the Twilight Clone BBS in Washington DC.]

From:  ANDREW SOLMSSEN           Sent: 01-18-90 23:37
  To:  PAUL COZZA                Rcvd: -NO-
  Re:  SHRINKWRAPPED VIRUSES

Paul, this might interest you:  The first shipment of a new
package for the Mac, Grammatik Mac, that we received at Egghead
last week was infected with WDEF A.  SAM 1.4 had no trouble in
identifying and eradicating the infection.  I did not get a
chance to try Intercept, but the Clinic performed admirably.
Thought the notion of shrinkwrapped viruses might interest you.

[End of Twilight Clone message.]

Needless to say, this type of infection would be immune to the type of
protection scheme I suggested several days ago.  Also needless to say, this
type of infection would be immune to the counter-proposals had it occurred
two months ago, before WDEF was isolated.

Also, this type of infection would be immune to the type of proposal Bill
Murray made several days ago.

In short, there is no single solution to the problem of shrink-wrapped
viruses, no "magic bullet".  Until systems are introduced that are explicitly
user hostile to viruses (and those systems may be a long way off), (1) the
problem of shrink-wrapped viruses is here and here to stay and (2) the
procedures needed to combat it are time-consuming and expensive.  If you cut
corners, you increase the risk of spreading a virus through shrink-wrapped
software.


------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253