VIRUS-L Digest   Monday, 29 Jan 1990    Volume 3 : Issue 23

Today's Topics:

Re: Internet Worm
RE: Virus request
Another WDEF infection (Mac)
Re: WDEF at University of Oregon (Mac)
WDEF A infection (Mac)
Re: Trial & Double Standard
Re: theoretical virus scanning
New virus? (Mac)
Virus Modeling
Virus Info Request (PC)
W13 Polish text (PC)
WDEF in public places (Mac)
Re: Practical a-priori viruscan?

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

---------------------------------------------------------------------------

Date:    Wed, 24 Jan 90 18:29:14 +0000
From:    [email protected] (Geoffrey H. Cooper)
Subject: Re: Internet Worm

I agree, Morris acted irresponsibly.  He did something he knew was
wrong and thought to be a minor annoyance to the world; then it blew
up in his face.  That certainly puts his actions within the realm
of criminal activity, in the same way as someone who deliberately runs
a red light and accidentally hurts someone.

One thing that makes me wonder: A newspaper article claims that Morris
wanted to stop the worm when it started to get out of control, and
decided that he wasn't able to.  When the Internet group started to
try and control it, why didn't he offer to help?  At least a copy of
the source code would have been of great assistance.  Instead, he
hides and waits for the FBI to find him.

Would not this have been his best opportunity to show his benign
intentions?  Or perhaps he was advised not to help by someone.

Did anyone hear anything about this from the trial?

- - Geof
- --
[email protected] / [email protected] / geof%[email protected]

------------------------------

Date:    Thu, 25 Jan 90 12:08:35 -0500
From:    [email protected]
Subject: RE: Virus request

> >From:  IN%"[email protected]"  "Vax discussion" 21-JAN-1990 23:11:59.77
> >Subj:  <Vax 85> Virus on VAX
> >From: [email protected]
>
> >        Hi!
>
> >        Does anyone have an idea about a VAX Virus? Or is anyone
> >        interested in it? I think the most difficult point is how to
> >        spread it out. So if someone has any bright idea, contact me.
>
> >                                                James Huang
>
>         Here is a message from UMNews's Vax discussion list.  I
> thought the list should know about this.  The node is Taiwanese.

This is insane.  Obviously this particular Taiwanese knows little
about VAX networking and uses of viruses(worms) in those networking
facilities.

He will probably get a few replies as well as some sources. What as a
whole can the computer industry do to help prevent individuals like
this from the potential releasing of these viruses(viri?) into the
vast networks??

Should it be illegal to own or transmit virus source (for non-security
personnel)??

Also, should there be an international watchdog agency set up to
investigate such requests??  Should the CIA/FBI/FCC be involved in
cooperation with IBM/DEC/AT&T/etc.. to form a task force along with
our list's virus expert?

Has anyone contacted this person's administration along with MAINE's
and BITNIC/BITNET administration?

Right now, it's up to us to report these requests and it's the
responsibility of MAINE to act on requests submitted via UMNEWS.

Can we make it illegal to have virus sources without stomping on our
constitutional rights??  What about other countries??

- --
DON INGLI-United States Department of Agriculture - Soil Conservation Service
INTERNET: [email protected]    PHONEnet: 314!875!5344
UUCP(short): uunet!scsmo1!don        UUCP(long): uunet!mimsy!woodb!scsmo1!don
             These are my opinions. I represent myself.
Who do you think you are, Bjorn Nitmo(sp)?  David Letterman '90 Catch Phrase

------------------------------

Date:    Thu, 25 Jan 90 14:30:35 +0000
From:    DEL2%[email protected]
Subject: Another WDEF infection (Mac)

Just for the record, since I haven't seen any other report of it here,
Cambridge public user area Macintoshes were hit with WDEF A on or
about 22 January.  Disinfectant 1.5 was recommended to deal with it.

Douglas de Lacey <[email protected]>

------------------------------

Date:    23 Jan 90 15:34:12 +0000
From:    [email protected] ( Jamie Saker -- Student, UNO)
Subject: Re: WDEF at University of Oregon (Mac)

[email protected] (Hervey Allen) writes:
> Since people seem to be reporting occurrences of the WDEF virus, hopefully
> to track its spread, I will throw in my two cents worth.

I'll add my two cents worth too.  At the Univ. Nebraska Omaha, on 16 January,
we had an outbreak of WDEF virus on 10 machines (SEs).  After installing
anti-WDEF software (all servers also have Disinfectant eliminate infected
disks) the problem has been eliminated.

So now we only have occasional Scores problems to worry about:)
_____________________________________________________________________________
/     Jamie Saker  Editor-in-Chief   Monitor Month   [email protected]    \

------------------------------

Date:    Thu, 25 Jan 90 16:26:46 +0700
From:    Chuck Martin <[email protected]>
Subject: WDEF A infection (Mac)

So that it can be tracked, I'm reporting that our office Mac was
infected by WDEF A.  Disinfectant 1.5 removed it and we have
implemented tighter security.  I don't know if any of the other Macs
on campus are infected.

-------------------------------------------------------------------------------
                          Chuck Martin, Consultant
           Computer Information Center, Washington State University
      MARTINCH @ WSUVM1.BITNET                      (509) 335-0411
-------------------------------------------------------------------------------
            Beam me up Scotty.  There's no intelligent life here.
-------------------------------------------------------------------------------

------------------------------

Date:    26 Jan 90 01:33:04 +0000
From:    Bernie Cosell <[email protected]>
Subject: Re: Trial & Double Standard

[email protected] (Bob Bosen) writes:

}Why don't bankers abandon the use of credit cards, photo IDs and
}signatures and just debit our bank accounts whenever a merchant
}tells them our passwords? It would be a lot easier.

For good or ill, we already have done just that.  The entire
phone-in-credit-purchase industry is built around _precisely_ that
functionality.  And even on in-person sales, the dial-in authentication
codes have nothing to do with any actual 'identification' [although
they do require the shopkeeper to actually have your card [or a
facsimile!] in his hand].

Similarly, with ATM cards, the primary 'line of defense' is some
security-by-obscurity encoding on the card and a three-digit password
[which, I think, is also encoded on the card].

Banks do not verify signatures on checks that they honor.  The only
line of defense here is the individual patron verifying his own checks
when they come in at the end of the month.  If you think the banks
have people actually comparing signatures on the zillions of checks
that come in, you're wrong.

This is not to excuse the almost-total lack of true security [and audit
trails and such] in most of our computer systems, BUT.... it just isn't
as much of a "double standard" as you paint it to be.

And this is pretty funny:

}   Dear esteemed depositor:

}   As you know, for the past 15 years, you have been entrusted with
}   our bank card, and have used it in your banking transactions. We
}   are replacing your bank card with a password. You will no longer
}   have to carry your bank card. Your new password is "FRED". Please
}   keep it secret. Whenever you want to withdraw funds or make
}   credit card purchases, just write FRED at the bottom of the
}   invoice and we'll take care of the rest. If you ever suspect
}   that anybody has found out your password, please drop drop us a
}   post card with "FRED" crossed out in red pen and a new password
}   of your choice written in blue ink. It is your responsibility to
}   keep your password secret. You will be held accountable for any
}   and all banking transactions that say FRED on them, including
}   questionable or illegal transactions, for which you will be
}   prosecuted to the full extent of the law.

That is almost exactly what my bank said when I got my ATM card and I
had to select a "PIN" [except for the bit at the end about liability
for misuse of my card].  Is your bank different?

 /Bernie\

------------------------------

Date:    Thu, 25 Jan 90 16:22:14 +0000
From:    [email protected] (Peter da Silva)
Subject: Re: theoretical virus scanning

The fact that the halting problem is not applicable to FSMs isn't relevant,
because it's not known that part of the system involved is a FSM. The person
operating the computer is part of the system.

For example, if you run your virus in the halting machine and discover it
in an infinite loop polling the keyboard you'll decide it's not going to
infect the machine (halt). Actually it's waiting on a keystroke.
- --
_--_|\  Peter da Silva. +1 713 274 5180. <[email protected]>.
/      \
\_.--._/ Xenix Support -- it's not just a job, it's an adventure!
     v  "Have you hugged your wolf today?" `-_-'

------------------------------

Date:    26 Jan 90 13:28:33 +0000
From:    [email protected] (Mike McCann)
Subject: New virus? (Mac)

Posted for someone else:

We've had a report in our department (MatSci) of a new nVIR-like
virus.  The latest version of Virex is able to detect it, but cannot
identify it, nor can it repair infected applications.  Disinfectant
1.5 does not find it.

Upon examining several infected applications with ResEdit, they all
have a spurious resource "fuck".  Has anyone encountered this strain
before?  If so, how can we repair infected files, and configure other
virus-detecting programs to recognize it?

D. Daniel Sternbergh
[email protected]

Mike McCann       (803) 656-3714   Internet = [email protected]
Poole Computer Center (Box P-21)     Bitnet = [email protected]
Clemson University
Clemson, S.C. 29634-2803         DISCLAIMER = I speak only for myself.

------------------------------

Date:    Fri, 26 Jan 90 08:31:00 -0500
From:    [email protected]
Subject: Virus Modeling

A co-worker of mine wrote:
    One way to characterize a Trojan Horse or a virus is to build
    mathematical, abstract models of them.  Such a model may be an
    n-tuple of interrelated subjects, objects, and operations.
    Thereafter, abstracted audit data and host machine
    characteristics can be organized to find if all the components of
    such an n-tuple are present.

My assignment was to help with the research in attempting to come up
with such a model.  Now, from what I have been reading on the Virus
forum, I am wondering if this task is even possible.

A proof was offered that stated that it was not possible to come up
with an algorithm that could find all viruses.  Then, this proof was
refuted based on the fact that a computer is a finite state machine.
Based on this, it was also stated that a theoretical universal virus
detector does exist for every real machine, however making one would
not be practical.

One theoretical universal virus detector would be to compare the state
of the computer against a list of what is and what is not a virus.  This
is a task too large to attempt.  However, if someone were to be able to
come up with the distinguishing characteristics of a virus, what sets
it apart from other programs, how humans can tell when they look at a
program if it is a virus or not, then maybe an algorithm could be
developed.  One that could catch viruses by comparing the state of the
computer against the model, and the characteristics of a virus.

Is it possible to come up with such a model?  Is it possible to list
ALL of the characteristics of a virus?  If so, what might these
characteristics be?  If not, why not?

David T. Opitz  - NSCS

------------------------------

Date:    Fri, 26 Jan 90 12:30:20 +0000
From:    Dr. P. R. Fielden <[email protected]>
Subject: Virus Info Request (PC)

Our dept. has just been hit by the STONED virus and I've found PING
PONG and PING PONG B on a local public access cluster on the same
floor as our dept so I suppose I'll be finding them soon.  I've been
asked to produce a document about viruses for all staff and students,
I'm sure somebody must have already done this.  I would appreciate it
if anybody who has would send me a copy.  Also, what is the best way
to protect a public access cluster?

The following ideas have been put forward.
1. Install SCANRES and keep everybody informed.
2. Buy diskless computers.
3. Manually disconnect the floppy drive cable.
4. Install either software or hardware security system.
5. Try something like Flushot.
6. Do nothing - it'll go away !! <- Not my suggestion.
 Any comments please.

Reply to the list or to [email protected] (Janet) - the domain is
reversed for the rest of the world.

Thanks in advance, Andy Packham.
 Peter Fielden  ([email protected])

------------------------------

Date:    Fri, 26 Jan 90 09:02:00 -0500
From:    [email protected]
Subject: W13 Polish text (PC)

The translation of the Polish text in the W13 virus is: "The COM type
program does absolutely nothing.  It is designed to be a decoy for the
virus."

I know it was requested that it be sent to the requestor, not to the
network, but unless it is posted on the network, there will be
duplication of effort.

On another matter, there is a simple procedure which can be used to
check for most viruses and other forms of corrupt code.  It is this:
All viruses have to be in some executable file in order to act.  Usually
insertion of a virus either changes an existing executable file or
creates a new one.  The new executable file may be apparent or hidden,
and if hidden may be a hidden file per se or may disguise itself as a
bad sector.  Therefore a simple program which compares the size of all
executable files with a known good standard, and then compares the size
of hidden files and bad sectors with a known good standard, will check
for most viruses.  Even if it is hidden in the idle space of an
executable file, thus not changing its size - and this is rare - it will
be detected as soon as it propagates to any other executable file.  If
anyone is interested, I will post a sample program which does this and
also allows for updates as new known executable files are put on line.
The program can be placed in the autoexec.bat or hello type bootstrap
files for automatic execution whenever the machine is turned on or
invoked at any time.  In the bootstrap file it adds about 35 seconds to
boot time to the average system.  Of course it is possible to design
viruses to get around this, but it adds more work to the attacker, at
little cost to the defender.

One final note:  All of the 45 books I have read on computer security
that have said anything about viruses claim that you have to delete
everything once your system is infected.  Not so.  Text files cannot
propagate a virus and should not be deleted unless they have already
been trashed by the corrupt code.  Nor is there any need to delete
executable files which have not been corrupted, although they are
generally easier to replace since most people's executable files
represent commercial software while their text files represent custom
made files.

DGStewart NCSC
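The baseline comparison DGStewart describes above, as an added example that is not part of the original post or of any program he offered to post.  It builds a "known good standard" (a baseline of every executable and hidden file under a directory), compares the current state against it, and lets the operator accept new or legitimately updated executables into the baseline.  Two assumptions beyond the post: the bad-sector check is omitted (it needs raw FAT access, which this example does not do), and a SHA-256 digest is recorded alongside the size, because the "idle space" case the post mentions (a virus overwriting slack or padding without changing the file's size) is exactly what a size-only check misses.  The executable suffixes, directory layout and sample file contents are constructed for the demonstration.

```python
"""Integrity-baseline checker for executable and hidden files.

Added example: build a baseline of size + SHA-256 for every executable
(by DOS-style suffix) and every hidden (dot-prefixed) file under a root,
then report what is new, missing or changed.  A size-only check, as the
post proposes, catches appending/prepending infectors but not a "cavity"
overwrite that keeps the size constant; the digest covers that case.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: DOS-era executable types.  Extend for the platform at hand.
EXEC_SUFFIXES = {".exe", ".com", ".sys", ".bat", ".ovl"}


def fingerprint(path: Path) -> dict:
    """Return the size and SHA-256 digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}


def is_candidate(path: Path) -> bool:
    """Executables by suffix, plus hidden files (the post's 'hidden file per se')."""
    return path.suffix.lower() in EXEC_SUFFIXES or path.name.startswith(".")


def build_baseline(root: Path) -> dict:
    """Map each candidate file (relative POSIX path) to its fingerprint."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and is_candidate(p)
    }


def compare(root: Path, baseline: dict) -> dict:
    """Diff the current tree against the baseline.

    'same_size' lists changed files whose size did not move: the cases a
    pure size check would have reported as clean.
    """
    current = build_baseline(root)
    changed = sorted(k for k in current.keys() & baseline.keys()
                     if current[k] != baseline[k])
    return {
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "changed": changed,
        "same_size": [k for k in changed
                      if current[k]["size"] == baseline[k]["size"]],
    }


def accept(root: Path, baseline: dict, names) -> dict:
    """Operator-approved update: record the current fingerprint of each name."""
    updated = dict(baseline)
    for name in names:
        updated[name] = fingerprint(root / name)
    return updated


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate three infections."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "UTIL").mkdir()
        # Constructed sample files; the bytes are placeholders, not real programs.
        (root / "EDIT.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 32)
        (root / "UTIL" / "PKZIP.EXE").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "NOTES.TXT").write_bytes(b"plain text, not executable")

        baseline = build_baseline(root)

        # 1. Appending infector: size grows.
        exe = root / "UTIL" / "PKZIP.EXE"
        exe.write_bytes(exe.read_bytes() + b"VIRUSBODY")
        # 2. Cavity infector: overwrites padding, size unchanged (37 bytes).
        com = root / "EDIT.COM"
        body = com.read_bytes()
        com.write_bytes(body[:5] + b"\x90" * 8 + body[13:])
        # 3. Hidden dropper appears.
        (root / ".HIDDEN.COM").write_bytes(b"dropper")

        before = compare(root, baseline)
        # Operator reviews and accepts everything; a rerun is then clean.
        baseline = accept(root, baseline,
                          before["new"] + before["changed"])
        after = compare(root, baseline)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, report in demo().items():
        print(phase, report)
```

Run from a startup script the way the post suggests and only `accept` entries you installed yourself; anything else in `new` or `changed`, and especially anything in `same_size`, is what the check exists to surface.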

------------------------------

Date:    26 Jan 90 16:56:37 +0000
From:    [email protected] (carl radens)
Subject: WDEF in public places (Mac)

One aspect of the computer virus discussion which bears consideration
is the "public health" policy question. Commercial and public Mac and
IBMPC services such as laser printing stations and other graphics
services are potential infection sources; they may also be subject to
government regulation and legal action.

In this location, we've twice found the WDEF on disks used at a popular
national copy center chain which also offers MAC laser printing services.
We found the WDEF at a university bookstore MAC store back at the
beginning of December.

These are places where a large volume of disks pass each day, and where
(presumably) professional services are rendered on a retail commercial
basis.

What is the professional responsibility in cases where a customer informs
the merchant of a viral infection, and the merchant does not remedy
the situation on their own machine ?

The WDEF virus appears to be benign; no data was lost and Gatekeeper Aid
removed the infection in each case. The Nationally known copy center
was informed of the problem, and several weeks later a WDEF infection
was again obtained from their machine. This time no damage was inflicted.
It's only a matter of time before a more serious virus appears, and I
wonder if these commercial places are just going to be sitting on their cans
when it happens.

Is there any legal precedent for this type of situation ?

- -Carl Radens, Cincinnati
[email protected]

------------------------------

Date:    Fri, 26 Jan 90 13:05:44 -0500
From:    Peter Jones <[email protected]>
Subject: Re: Practical a-priori viruscan?

>From:    GEORGE SVETLICHNY <[email protected]>
>Subject: Practical a-priori viruscan?
>
>There is a biological analog to the "second byte" situation above.
>Some genes overlap with others, that is, a base-pair sequence

I'm reminded of a few LP records with more than one groove on them, that
will play one of several programs, depending on where the needle happens
to land. Monty Python, among others, has produced such a record.

Peter Jones     MAINT@UQAM     (514)-987-3542
"Life's too short to try and fill up every minute of it" :-)

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253