VIRUS-L Digest   Monday,  5 Feb 1990    Volume 3 : Issue 31

Today's Topics:

Included privileges with programs
Re: Virus Modeling
Help with Using Clean! (PC)
WDEF-A report (Mac)
Re: The Ultimate Anti-Viral Solution?
Virus detection through change detection / authorization
RE:YANKEE DOODLE (PC)
Viral Help (PC)
F-PROT and Virus Buster (PC)
WDEF on campus (Mac)
Re: 4096 and 1260 Viruses (PC)
Re: Universal virus detector
Re: Statistical Distribution of Viruses
WDEF A at the USC (Mac)
AIDS Trojan - the Police charge a US Citizen
Re: Gatekeeper veto: Normal behavior or virus attack? (Mac)
Universal virus detectors: Once more with feeling
AIDS Virus Suspect Arrested Near Cleveland, Ohio
Washington Post story on Joseph Popp; FYI

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to [email protected] (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].
- Ken van Wyk

---------------------------------------------------------------------------

Date:    Fri, 02 Feb 90 09:56:13 -0500
From:    [email protected]
Subject: Included privileges with programs

Hi,

    Ben Smith had an idea to monitor actions taken by programs
and compare those actions with what the vendor says the program needs
to do in order to function.

    I hate to shoot this down but consider this hypothetical case:

"PC-DOS V8.0" includes a security monitor with a list of privileges
for "Norton Super Utilities V6".  This list has "modify memory" and
"write boot sector" listed for Norton.

    Now suppose that a virus instead of trying to modify the boot
sector by itself, modifies Norton Disk Doctor to do the dirty work?
The monitor program would allow the Disk Doctor full access to the
boot sector and not know that it was really a corrupted Disk Doctor
actually writing viral code to the boot sector instead of making
repairs like the Disk Doctor normally does.

    My point is that even if a program is allowed to perform some
action, how is the monitor supposed to know whether that action is
legitimate or not?


                      Andy Wing
                      Senior Analyst
                      Temple University School of Medicine
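
An added illustration (not part of Andy Wing's message) of the gap he
describes: a monitor that grants "write boot sector" to a program by
name cannot tell the vendor's Disk Doctor from a patched copy. Pinning
the grant to a hash of the program image, recorded at install time, at
least notices the substitution on disk. The program names, the privilege
table, the byte strings standing in for program images and the
hash-pinned table are all constructed for this example; nothing like it
existed in PC-DOS.

```python
import hashlib

# Constructed privilege table in the style of the hypothetical monitor above:
# program name -> actions the vendor says the program needs.
PRIVILEGES_BY_NAME = {
    "NDD.EXE": {"modify memory", "write boot sector"},
    "WP.EXE": {"modify memory"},
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for program images on disk.
CLEAN_NDD = b"MZ Disk Doctor: read boot sector, check, repair"
TROJANED_NDD = CLEAN_NDD + b"\xeb\xfe viral code appended"

# Alternative table: the grant is pinned to the hash of the image recorded
# when the program was installed (an assumption of this example).
PRIVILEGES_BY_HASH = {
    sha256(CLEAN_NDD): {"modify memory", "write boot sector"},
}

def allowed_by_name(name, action):
    return action in PRIVILEGES_BY_NAME.get(name, set())

def allowed_by_hash(image, action):
    """Grant only if the image about to be let through is the one the
    grant was made for."""
    return action in PRIVILEGES_BY_HASH.get(sha256(image), set())

def check(name, image, action):
    """Decisions of the two monitors for one request: (by name, by hash)."""
    return allowed_by_name(name, action), allowed_by_hash(image, action)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_NDD), ("trojaned", TROJANED_NDD)):
        by_name, by_hash = check("NDD.EXE", image, "write boot sector")
        print(f"{label:9s} NDD.EXE write boot sector -> "
              f"by name: {by_name}, by hash: {by_hash}")
```

The by-hash column only helps when the virus changes the file on disk; a
copy patched in memory after loading, or an unmodified Disk Doctor told
to write a sector, hashes the same as before. Whether a given write is a
repair or an infection is exactly what neither table encodes, which is
the message's point.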

------------------------------

Date:    02 Feb 90 15:46:01 +0000
From:    [email protected] (Greg Fife)
Subject: Re: Virus Modeling

[email protected] writes:
>                                        As someone pointed out, a real
>computer isn't a finite state machine because it includes the person
>operating it

A human being may or may not be a finite state machine, but the
effect he has on a computer system is merely to add a finite
number of transitions to the computer. (Striking one of the finite
number of keys changes the interrupt state on a PC, putting in
a new disk changes many of the bits on that mass storage device).

You can't model exactly which inputs the human will provide, but
you can reason about behavior under any possible set of inputs.
In effect, a person at a computer is running a huge finite
automaton through an input string consisting of his actions.

Take the initial state to be one of the finite number of
states which represents the introduction of the virus into
the system.  Mark the finite number of states which represent
"infection" as final states.  The question: "can infection occur"
is merely the question "does this FA have a nonempty language."
That question can be settled in finite time by testing the FA
on every input string of length less than or equal to the number
of states in the FA.  Do this once for every initial "infection"
state, and the result follows. :-)

You may need to add a few more states to better model
the input devices and the clock.

>(well the whole universe has a finite number of states
>but we're getting way beyond anything of practical use).

Yep.

                           Greg Fife
                           [email protected] , virginia.bitnet
                           uunet!virginia!uvacs!gnf3e
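
An added worked example, not from Greg Fife's message: his reachability
argument run on a constructed toy model. The state set, the four-symbol
action alphabet and the transition function are invented for the
illustration (a PC with one infected floppy and a hard disk, plus an
optional hardware write-protect on the hard disk as an extra
assumption). The code answers "can infection occur?" first by
breadth-first search and then by the brute-force test he describes,
every input string of length at most the number of states, and shows
the two agree.

```python
from collections import deque
from itertools import product

# Constructed toy model of a PC: a state is a frozenset of facts, the input
# alphabet is the set of things the user can do at the keyboard.
ACTIONS = ("run_from_floppy", "copy_to_hd", "run_from_hd", "reboot")

def step(state, action, hd_write_protected=False):
    """The automaton's transition function.  hd_write_protected models a
    hardware write-protect on the hard disk (an assumption of this example)."""
    s = set(state)
    if action == "run_from_floppy" and "virus_on_floppy" in s:
        s.add("virus_resident")               # infected program loads the virus
    elif action == "copy_to_hd" and "virus_on_floppy" in s and not hd_write_protected:
        s.add("infected_file_on_hd")          # the copy carries the infected file
    elif action == "run_from_hd":
        if "virus_resident" in s and not hd_write_protected:
            s.add("hd_program_infected")      # resident virus infects what is run
        if "infected_file_on_hd" in s:
            s.add("virus_resident")
    elif action == "reboot":
        s.discard("virus_resident")           # memory is cleared, disks are not
    return frozenset(s)

def is_final(state):
    """Final states of the automaton: a program on the hard disk got infected."""
    return "hd_program_infected" in state

def reachable(initial, **kw):
    """Breadth-first search from the initial state.  Returns a dict mapping
    each reachable state to the shortest input string that reaches it."""
    seen = {initial: ()}
    queue = deque([initial])
    while queue:
        cur = queue.popleft()
        for a in ACTIONS:
            nxt = step(cur, a, **kw)
            if nxt not in seen:
                seen[nxt] = seen[cur] + (a,)
                queue.append(nxt)
    return seen

def can_infect(initial, **kw):
    """'Does this FA have a nonempty language?'  Returns the shortest witness
    string, or None when no final state is reachable."""
    for state, word in reachable(initial, **kw).items():   # dict order = BFS order
        if is_final(state):
            return word
    return None

def can_infect_by_enumeration(initial, **kw):
    """The bound quoted in the message: try every input string of length at
    most |Q|.  |Q| is taken as the number of reachable states, which is a
    valid (and tighter) bound than every subset of the facts."""
    n = len(reachable(initial, **kw))
    for length in range(n + 1):
        for word in product(ACTIONS, repeat=length):
            s = initial
            for a in word:
                s = step(s, a, **kw)
            if is_final(s):
                return word
    return None

if __name__ == "__main__":
    start = frozenset({"virus_on_floppy"})
    print("unprotected:", can_infect(start))
    print("write-protected hd:", can_infect(start, hd_write_protected=True))
```

Breadth-first search over the reachable states is the usual way to
decide emptiness; the string-enumeration form is what the argument
literally says and is exponential in the bound. The write-protected
case is the interesting one: the search terminates with no witness,
which is the statement "infection cannot occur under any input" for
that model.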

------------------------------

Date:    Fri, 02 Feb 90 12:41:00 -0400
From:    Michael Greve <[email protected]>
Subject: Help with Using Clean! (PC)

   I tried using M-Jruslm on a .exe file.  After it was finally done
disinfecting the file it would no longer work.  When trying to run the
exe file my machine froze.  I have downloaded CLEANP57 and tried
running it but have been unsuccessful.  I'm following the directions
that come with the program but I'm still having problems.  I'm typing
the following:

                CLEAN A:\FILE.EXE [JERUSALEM B]

When I try it this way I get "Sorry I don't know anything about
[Jerusalem B]."

When I try:

               CLEAN A:\FILE.EXE JERUSALEM B

it comes back with the instructions again.  Nothing happens.  I know
I'm not using this correctly.  Can anybody help with the proper
syntax.  When it asks for the "virus name", what do I type in for
Jerusalem B.  Do I use the [] brackets.  Do I have the correct
version.  I am running CLEAN 2.7V57.  When I run it, I do get a
message saying "This program may not be used in a business,
corporation, organization, government or agency environment without a
negotiated site license."  I'm not sure if this is the problem or not.
If I have a bad version, where could I get the correct one.  I've
tried getting onto Simtel but either cannot because it's very busy or I end up
downloading unusable or corrupted files.  I got this from the
"130.160.20.80" list.  Does anybody know of others I can use??  I'm
new to all this so please bear with me.  Thanks for any assistance.  I
really want to get rid of this virus.

                                       Michael Greve
                                       University of Pa.
                                       Wharton Computing
                                       [email protected]

------------------------------

Date:    Fri, 02 Feb 90 10:11:00 -0500
From:    "Anne Harwell/Technology Resources Ops. Mgr." <[email protected]>
Subject: WDEF-A report (Mac)

For those of you keeping track, WDEF-A has arrived in south Texas at
University of Texas - Pan American. I had not heard of it getting this
far south until yesterday, when a routine virus inspection of the Mac
lab revealed WDEF-A. The infection has been disinfected and I am sure
that it will recur next week, because many of the students in the lab
had infected floppies.

Anne Harwell
Technology Resources
University of Texas Pan American
AH491D@PANAM

------------------------------

Date:    02 Feb 90 19:13:16 +0000
From:    vronay%[email protected] (David Vronay)
Subject: Re: The Ultimate Anti-Viral Solution?

Well, the idea of programs containing descriptions of their own
activity is nice, but doesn't really solve the problem.  After
all, all an infecting virus has to do is change these permission
files.  Or better yet, the virus could patch the code that did
these checks so that the code would let this particular virus
go through.  If we think about how current virus detection programs
"work", they basically do exactly what you described (only, instead
of each manufacturer describing the program's behaviour, the burden
is on the user).  Take SAM, for instance, which can keep track of
legal and illegal activities on an application-by-application basis.
When it detects illegal activity, it brings up a dialog box that says
"Allow"  "Deny" and "Learn" (or three similar options).  Clicking on
"Learn" will change SAM's description of that program to allow that
potentially-illegal action in the future.  Now, that information is
stored in SAM somewhere, where any moderately clever virus could
find it and modify it.  Now, let's go one step further and pretend
that Symantec made it impossible (via some yet-undiscovered hardware
scheme) for SAM to be modified.  Now our virus would be forced to
use the following piece of pseudo-code:

Step 1:  Set the window-manager's port 16,000 pixels to the left
Step 2:  Set up dialog-box sniffer code that works at _vblank time.
Step 3:  Do illegal virus activity
Step 4:  SAM brings up its dialog box, which now appears about 16
        feet off the screen due to step 1.
Step 5:  The dialog sniffer from step 2 "sees" the dialog and
        generates a mouse-down event over the "Learn" button.
Step 6:  SAM writes the new exception to its special hardware
Step 7:  Restore the window-manager's port to its old position.

We have now successfully infected, despite all of super-SAM's
hardware whatever.

Let's face it.  There is NO WAY WHATSOEVER to make a computer
virus-proof, because there is no way that a computer can
determine the true intentions of a piece of code.  (which, in turn,
is due to the fact that code doesn't HAVE intentions, only the
programmer who wrote it has intentions, and guess what?  They
don't make it through the compile! :-)

We should concentrate our efforts on education, not complex software
solutions.  After all, computer virii seem more a social problem
than a technological one.

- - ice
==================
email replies to: [email protected]
DISCLAIMER:  Not even I subscribe to everything I say
==================

------------------------------

Date:    Fri, 02 Feb 90 14:07:03 -0500
From:    "David W. Levine" <[email protected]>
Subject: Virus detection through change detection / authorization

When we try to evaluate schemes for detecting and preventing
the spread of viruses, it's important to remember that a virus
uses those operations a user normally does to spread. If a
virus only infects programs when you do something to modify
an executable program, you now have to determine that the
modification that was made was the one you desired. That's
a correctness problem, which we know is undecidable.

Determining what's executable, on modern day systems, is
also a very hard problem. Any systems that have shell
languages, or interpreters complicate this task immeasurably.
What does a shell script look like? A text file. What does
a hyper-text stack look like? While the current generation
of micro-computer viruses live mostly in program images,
there is no requirement that this be true in the future.

We can slow down the spread of viruses through lots of
different mechanisms, but each of these mechanisms reduces
the utility of computers. As long as we want our computers
to be general purpose machines, with lots of flexibility,
the virus writers will be able to exploit a program's legitimate
capabilities to spread viruses. Distinguishing between normal,
legitimate, change and illicit change is a very difficult problem.

                          - David W. Levine
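
An added example, not from David Levine's message, of the two
difficulties he names. It builds a constructed DOS-style directory,
takes a hash baseline of it, modifies both a .BAT script and an .EXE
image, and compares what a detector that watches only "executables" by
extension reports against one that hashes every file. File names and
contents are invented for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# What a naive "watch the executables" policy treats as a program image.
EXEC_EXTENSIONS = {".exe", ".com"}

def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, only_executables=False):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if only_executables and p.suffix.lower() not in EXEC_EXTENSIONS:
            continue
        result[str(p.relative_to(root))] = file_hash(p)
    return result

def diff(before, after):
    """Report added, removed and changed paths.  A hash can say *that* a file
    changed; it cannot say whether the change was the one the user wanted."""
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in before.keys() & after.keys()
                          if before[p] != after[p]),
    }

def demo():
    """Constructed DOS-style tree: one program, one batch script, one text file.
    Both the script and the program are modified; compare what each policy sees."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x00" * 30)
        (root / "AUTOEXEC.BAT").write_text("@ECHO OFF\r\nPATH C:\\DOS\r\n")
        (root / "README.TXT").write_text("release notes\r\n")
        all_before = snapshot(root)
        exe_before = snapshot(root, only_executables=True)

        # A new line in a "text file" that DOS will execute at every boot ...
        with open(root / "AUTOEXEC.BAT", "a") as f:
            f.write("C:\\TMP\\DROPPER.COM\r\n")
        # ... and bytes appended to a program image.  To a hash both are "changed".
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x00" * 30 + b"\xeb\xfe")

        return (diff(all_before, snapshot(root)),
                diff(exe_before, snapshot(root, only_executables=True)))

if __name__ == "__main__":
    everything, executables_only = demo()
    print("all files:       ", everything["changed"])
    print("executables only:", executables_only["changed"])
```

The extension filter misses the batch file, which DOS will happily
execute; the full baseline catches both changes but can only say
"changed", not whether the change was the one the user intended. Any
real baseline also has to be stored where the thing being watched
cannot rewrite it.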

------------------------------

Date:    Fri, 02 Feb 90 17:07:19 +0000
From:    [email protected]
Subject: RE:YANKEE DOODLE (PC)

Hi,
A few weeks ago, I asked about info and a disinfector for the Yankee Doodle
virus on a PC. It seems nobody knows anything about it, since I haven't
got any answer, so does anybody out there have any idea!!
Last week, I downloaded "CLEAN UP" from Simtel, which claims to cure many
strains including Yankee Doodle, but the only thing it manages to do is
to offer to delete the infected file. I don't want to be rude, but what's
wrong with the good old DOS ">DEL file.ext"? Why bother writing code
to do what DOS can do.

O. FADEL

------------------------------------------------------------------------------
Research student         | JANET   :  [email protected]
Computer Science Dept.   | ARPANET :  [email protected]
Bristol University       | BITNET  :  ousama%[email protected]
BRISTOL, UK              | UUCP    :  ... !mcvax!ukc!csisles!ousama
BS8 1TR                  |
------------------------------------------------------------------------------

------------------------------

Date:    02 Feb 90 20:02:02 +0000
From:    James Kolasa <[email protected]>
Subject: Viral Help (PC)

I've been having some problems with some PC's at the college where I teach.
The evidence points to a virus.  Someone from IBM ran a virus scanner on
a couple PC's and got the following message:

Found signature in (master boot record of drive 80) at offset 21 (15H):
1E5080FC02721780FC047312AD2750E33C08ED8A03F04A8017503E80700
A boot record of this disk may be infected with the Stoned virus.

Does "Stoned virus" ring a bell with anyone.  Could someone give me some
background info?  References to past messages will be appreciated also.

                                   Thanx,
                                    jk

--
--   James Kolasa                |      "Computers are so naughty,
--   121 Moloney, L.C.C.         |          I could just pinch them"
--   Lexington, Ky.  40506-0235  |                   -The Martian
--   [email protected]   {rutgers,uunet}!ukma!jkolasa   [email protected]
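
An added example, not from James Kolasa's message or from IBM's
scanner: a minimal scanner that looks for a byte signature inside a
512-byte master boot record and reports the offset the way the output
above does. The signature line as printed in the message has 59 hex
digits, so it cannot be decoded as-is; the code keeps it as a constant
only to show the check that rejects it, and uses the first seven bytes
of that string purely as a test pattern in a constructed sector.
Nothing here is a claim about what the Stoned virus's real signature is.

```python
import re

SECTOR_SIZE = 512

# The signature line exactly as printed in the message above.  It has 59 hex
# digits, so at least one nibble was lost somewhere in transit.
SIGNATURE_AS_PRINTED = "1E5080FC02721780FC047312AD2750E33C08ED8A03F04A8017503E80700"

def parse_signature(hex_text):
    """Turn a printed hex signature into bytes.  An odd digit count is an
    error, not something to pad or truncate silently."""
    digits = re.sub(r"\s+", "", hex_text)
    if not re.fullmatch(r"[0-9A-Fa-f]*", digits):
        raise ValueError("signature contains non-hex characters")
    if len(digits) % 2:
        raise ValueError(f"signature has {len(digits)} hex digits; expected an even number")
    return bytes.fromhex(digits)

def signature_is_well_formed(hex_text):
    try:
        parse_signature(hex_text)
        return True
    except ValueError:
        return False

def is_bootable(sector):
    """The BIOS only boots a sector ending in 55 AA."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xaa"

def scan_mbr(sector, signature):
    """Return every offset at which signature occurs in the 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if not signature:
        raise ValueError("empty signature")
    hits, start = [], 0
    while True:
        i = sector.find(signature, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1

def make_sample_mbr(code, offset):
    """Constructed test sector: zeros, the given bytes at offset, 55 AA at the end."""
    sec = bytearray(SECTOR_SIZE)
    sec[offset:offset + len(code)] = code
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

if __name__ == "__main__":
    # First seven bytes of the printed string, used only as a test pattern.
    pattern = parse_signature("1E5080FC027217")
    sample = make_sample_mbr(pattern, 0x15)
    print("well-formed as printed:", signature_is_well_formed(SIGNATURE_AS_PRINTED))
    print("hits:", [f"offset {i} ({i:X}H)" for i in scan_mbr(sample, pattern)])
```

A boot-sector scanner has to read the sector with a raw disk read rather
than through the file system; Stoned, like other boot-sector infectors,
lives outside any file, so a file-by-file scan never sees it.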

------------------------------

Date:    Fri, 02 Feb 90 17:15:10 +0000
From:    [email protected]
Subject: F-PROT and Virus Buster (PC)

Hi,

I tried to use VB_110.ARC to disinfect some files infected with Vienna
Virus, it works on some and leaves a few without even sensing that the
virus still exists. Has anybody had the same experience??

Another point: running F-FCHK.EXE on a disk containing VB.EXE gives
the message "VB.EXE suspected virus Alabama", while SCAN does not
detect anything wrong. Any suggestions??

O. FADEL

------------------------------------------------------------------------------
Research student         | JANET   :  [email protected]
Computer Science Dept.   | ARPANET :  [email protected]
Bristol University       | BITNET  :  ousama%[email protected]
BRISTOL, UK              | UUCP    :  ... !mcvax!ukc!csisles!ousama
BS8 1TR                  |
------------------------------------------------------------------------------

------------------------------

Date:    Fri, 02 Feb 90 15:38:00 -0600
From:    [email protected]
Subject: WDEF on campus (Mac)

FYI

The WDEF virus has reached us here at Texas Christian University. A
student came into our User Services area to obtain virus software and
one of his disks was infected. Luckily I had installed GateKeeper Aid
the day it came out. I just wanted the list to know how far this thing
has spread.

Karen Moncrief
Sr User Services Consultant
Texas Christian University
Fort Worth, Texas 76129
AppleLink:      U1069
Bitnet:         MONCRIEF@TCUAVMS

------------------------------

Date:    Fri, 02 Feb 90 23:19:13 +0000
From:    [email protected] (David Dyer-Bennet)
Subject: Re: 4096 and 1260 Viruses (PC)

John McAfee writes:
:       The strangest part of the virus is that it is also able to
:trap all other disk reads and writes, and whenever an infected file is
:accessed by any program, the virus performs a disinfection of the
:program on the fly.
^^^^^^^ infected file?

As a BBS sysop, I find this a particularly amusing feature: it assures
my users that anything downloaded from my BBS is not infected with
this class of virus!  The concept of BBS's as *the safest* source of
software (at least in this one regard) is rather amusing.

--
David Dyer-Bennet, [email protected]
or [email protected]
or Fidonet 1:282/341.0, (612) 721-8967 9600hst/2400/1200/300
or [email protected], ...{amdahl,hpda}!bungia!viper!terrabit!ddb

------------------------------

Date:    Fri, 02 Feb 90 16:53:56 +0000
From:    [email protected] (Peter da Silva)
Subject: Re: Universal virus detector

> For example, you can add a
> hardware-enforced switch which when in the OFF position makes it
> impossible to set the "is executable" bit at all.

So far so good.

> In this mode, you
> can't do program development, install new executables, or even copy
> executable files -

Pretty much so.

> but you absolutely can't be infected either.

Not true. What constitutes an "executable file"? Is a BASIC program one?
You can write a virus in BASIC. How about Postscript? You can hide a
virus in Postscript. You can't turn off your BASIC or Postscript
interpreters...

This is the basic sort of protection used by old Burroughs computers: only
the compilers could create executable files, and they were trusted programs.
They had no memory protection hardware at all.
--
_--_|\  Peter da Silva. +1 713 274 5180. <[email protected]>.
/      \
\_.--._/ Xenix Support -- it's not just a job, it's an adventure!
     v  "Have you hugged your wolf today?" `-_-'


------------------------------

Date:    Fri, 02 Feb 90 22:14:19 +0000
From:    [email protected] (Peter da Silva)
Subject: Re: Statistical Distribution of Viruses

[email protected] writes:
> I have never been innoculated against Polio-myelitis.

> We no longer innoculate against Small-pox.

The two cases are not equivalent. Smallpox doesn't have a non-human
vector.  Polio does... in fact I believe that stagnant water can serve
as a reservoir for Polio. So we can't "eradicate" Polio the way we
have (almost) Smallpox.

Now I'll leave it up to you folks to decide which of these should
serve as a paradigm for Viruses.
--
_--_|\  Peter da Silva. +1 713 274 5180. <[email protected]>.
/      \
\_.--._/ Xenix Support -- it's not just a job, it's an adventure!
     v  "Have you hugged your wolf today?" `-_-'

------------------------------

Date:    Fri, 02 Feb 90 23:08:54 -0500
From:    "Gregory E. Gilbert" <[email protected]>
Subject: WDEF A at the USC (Mac)

Guess that says it all.

So far we have seen two (2) infected disks at the computer center Mac
lab.  However, there are numerous other Mac labs that are not as
concerned about viruses as we are.  I assume we will see more infected
disks.

                                               Greg.

Postal address: Gregory E. Gilbert
               Computer Services Division
               University of South Carolina
               Columbia, South Carolina   USA   29208
               (803) 777-6015
Acknowledge-To: <C0195@UNIVSCVM>

------------------------------

Date:    Fri, 02 Feb 90 07:53:00 -0700
From:    [email protected] (Alan Jay)
Subject: AIDS Trojan - the Police charge a US Citizen

Yesterday afternoon in Cleveland Ohio the FBI arrested a man on
blackmail charges relating to the AIDS trojan program sent out from
the UK in December.

The suspect, Dr Popp aged 39, was arrested at his parents residence.
He will appear in court today on the blackmail charge and extradition
procedures are under way.

=========================================================================

I wonder if anybody out there knows anything more about the gentleman
concerned with this event.  If so please email me and I will summarise.

Alan Jay

PS I think it is interesting that unlike the recent 'internet' case
that the charge is blackmail.  I suspect that this is due to the
current state of UK law.

--
Alan Jay - Editor Connectivity              The IBM PC User Group, PO Box 360,
Tel.     01-863 1191   Fax: 01-863 6095     Harrow HA1 4LQ, ENGLAND
Email:   [email protected]                Path: ..!ukc!ibmpcug!alanj
***  For all users of IBM PC & ALL Compatibles  *** (+ Standard Disclaimer)

------------------------------

Date:    Sat, 03 Feb 90 15:17:36 -0600
From:    [email protected] (Alexis Rosen)
Subject: Re: Gatekeeper veto: Normal behavior or virus attack? (Mac)

[email protected] (Norman Swenson) writes:
>I have noticed something suspiciously virus-like on my Mac II.  I was

       First the good news.
       This is almost certainly not a virus.
       To make sure, find out if the file signature of Adobe Separator
       is ADBS. If it is, you're fine.
       Otherwise, you might have a problem.

>getting a "Serious disk error" message from Microsoft Word and garbage
>in my files when using the editor in TeXtures.  Fearing an imminent
>disk crash, I backed up my hard disk to another.  While the files were
>copying over. I got a veto message from Gatekeeper (ver 1.1.1, w
>Gatekeeper Aid).  I decided to check my disk using Disinfectant 1.5...

> ...However, whenever I try to open the Illustrator folder on the backup
>disk, I get the following veto message: 'Gatekeeper has vetoed an
>attempt by Finder to violate "Res(other)" privileges against Desktop.
>[AddResource(ADBS,0)]'.  I have isolated the behavior to the Adobe
>Separator 2.0 program.  When I remove it from that folder, I do not
>get the message.  When I put it back, I don't get the message the
>first time I open the folder, but I do every time after that.  I made
>a copy of the folder on another disk, and at first I got the same
>behavior, but after I rebooted it went away on the second disk.  I
>looked at both desktop files using resedit; one had the ADBS resource
>in it, the other did not.  Is this normal behavior, or could it be due
>to a virus that Disinfectant 1.5 is not catching?  Why would opening a
>folder require adding a resource to the desktop file?  And why did
>Gatekeeper veto it on one disk, but not the other?

   I've seen this coming ever since the GK-Aid INIT was released- but
   then again, I anticipated WDEF in a message about seven months ago,
   and all of this revolves around one concept- file signatures that look
   like code, and vice versa (I can't claim any great genius on this,
   though- I got the idea from seeing C. Weber's FKEY Manager program
   cause crashes on Cmd-Shift-0... anyone else remember that?).

   To answer your questions (as best as I can from your description), the
   Adobe Separator utility has a file signature which happens to have the
   exact same four bytes as a type of executable resource that lives in
   the system file.  Now while I've never seen the GateKeeper-Aid, I'm
   pretty certain I know exactly what it does- it prevents any resource
   which looks like executable code to the Mac OS from going into the Mac
   desktop. This is a well-defined list which includes (not surprisingly)
   WDEF.

   So what happened was, when Separator was put on your hard disk, you
   didn't have GK-Aid, and so the Separator bundle (signature ADBS) was
   added to your desktop (as it should have been). When you tried to open
   the folder containing Separator for the first time, on your other
   disk, you were running GK-Aid.  At that point, the Finder wanted to
   add the bundle resource 'ADBS' to the second disk's Desktop file, and
   GateKeeper vetoed it.

   In summary, everything is OK (as long as I'm right that Separator's
   signature is 'ADBS'). GK and the Finder are both behaving as they
   should. The folks at Adobe get the programming-fools-of-the-week award
   for picking such a bad signature. Nothing to shoot them over, though.

   If you just override GK long enough for the signature to get into the
   desktop file, it will stop bothering you (the Finder only adds a
   bundle once).

Hope this helps (and I _really_ hope it's right)--
Alexis Rosen
[email protected]
{apple,cmcl2}!panix!alexis

DISCLAIMER: IF A NEW VIRUS TRASHES YOUR DISK, DON'T BLAME ME.
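
An added model, not from Alexis Rosen's message, of the mechanism he
describes: GateKeeper Aid vetoes any resource whose four-byte type
matches a code-carrying type, the Finder registers an application's
bundle by adding a resource of the application's own signature type to
the Desktop file, and Adobe Separator's signature 'ADBS' happens to be
such a type. The list of code resource types below is a constructed
approximation, not GateKeeper Aid's real one; 'MSWD', Microsoft Word's
signature, plays the harmless second application. The model reproduces
the difference between the two disks and the repeated vetoes, not every
detail of the original report.

```python
# Resource types that Mac OS loads as executable code.  Constructed
# approximation for this example, not GateKeeper Aid's actual list.
CODE_RESOURCE_TYPES = {"CODE", "INIT", "WDEF", "CDEF", "MDEF", "LDEF",
                       "ADBS", "DRVR", "FKEY", "PACK", "cdev"}

class DesktopFile:
    """Model of one volume's Desktop file: the (type, id) pairs it holds
    plus the veto messages produced while trying to add to it."""
    def __init__(self):
        self.resources = set()
        self.vetoes = []

def add_resource(desktop, res_type, res_id, gk_aid_active):
    """Finder calls AddResource on the Desktop file; GateKeeper Aid, as the
    message describes it, sits in between and sees only the four-byte type."""
    if gk_aid_active and res_type in CODE_RESOURCE_TYPES:
        desktop.vetoes.append(
            'Gatekeeper has vetoed an attempt by Finder to violate "Res(other)" '
            f'privileges against Desktop. [AddResource({res_type},{res_id})]')
        return False
    desktop.resources.add((res_type, res_id))
    return True

def open_folder(desktop, app_signatures, gk_aid_active):
    """The Finder registers each application's bundle once, by adding a
    resource whose type is the application's own signature (ID 0).  An
    application already registered is skipped, so a blocked add is retried
    every time the folder is opened.  Returns the number of vetoes so far."""
    for sig in app_signatures:
        if (sig, 0) not in desktop.resources:
            add_resource(desktop, sig, 0, gk_aid_active)
    return len(desktop.vetoes)

def scenario():
    """Two volumes: the original hard disk, where Separator ('ADBS') was
    registered before GK-Aid was installed, and a backup disk whose folder
    is first opened with GK-Aid active."""
    hard_disk = DesktopFile()
    open_folder(hard_disk, ["ADBS", "MSWD"], gk_aid_active=False)
    hd_vetoes = [open_folder(hard_disk, ["ADBS", "MSWD"], True) for _ in range(3)]

    backup = DesktopFile()
    bk_vetoes = [open_folder(backup, ["ADBS", "MSWD"], True) for _ in range(3)]
    return hd_vetoes, bk_vetoes, sorted(backup.resources), backup.vetoes[-1]

if __name__ == "__main__":
    hd, bk, bk_res, last = scenario()
    print("hard disk vetoes after each open:  ", hd)
    print("backup disk vetoes after each open:", bk)
    print("backup Desktop holds:", bk_res)
    print(last)
```

The filter sees only (type, id, target) at the AddResource call, and the
same four bytes mean "code" in one context and "this application's
bundle" in another; the veto is the filter doing its job with the
information it has.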

------------------------------

Date:    Sat, 03 Feb 90 18:17:00 -0500
From:    [email protected]
Subject: Universal virus detectors: Once more with feeling

David Chess continues, in essence, to complain about the user
interface.  He says that determining which changes to executables were
deliberate and which not is too hard, etc.  This again misses my
point.  I was not trying to sell anyone on a "solution to the virus
problem".  I was trying to point out that the apparent THEORETICAL
impediments to virus DETECTION were in no sense basic, but were
side-effects of the particular ways we have chosen to build our
hardware and our mathematical models.  We can make other choices if we
wish.

He also asks:

       Or it could create the object that it wanted, and call the copy
       utility.  Or is it impossible for a program to copy a non-executable
       thing to an executable thing?  That would help a little, but would
       also make the system less convenient to use.  How do you get a new
       copy of the linker?  How do you write a patch program?

No, on such a system you could not copy a non-executable thing to an
executable, unless you chose to have a copy routine which was marked
"may set the 'executable' bit".  Most people do not need patch
programs - most people are not programmers.  Those who need a patch
program can give it the appropriate rights.  You create a new linker
by linking one with the old one, if you are in the business of
creating new linkers.  Or you install one, already marked as
executable, from a binary disk you got from a trusted source.

Russell Wallace has two complaints: That this technique only catches
viruses at run-time, rather than by examining the code, and that
various things he does on his Amiga, like patching code, would become
impossible.  For the first, I suggest that *I* examine code by running
it on my CPU - it's much better at looking closely at things than I
am.  Today, that's a dangerous thing to do, since the act of
examination may let a virus do damage.  On a properly built system, I
would be told if the code tried to do anything to any of my
executables.

As for patching and such: The machines I described are perfectly
capable of doing anything any current machine can do.  If you give a
patch program the right to create executable code, it will work just
as it does today.  Of course, in the process you give up some of your
protection.  Hey, if you release the safety on a gun, you could
accidentally shoot yourself.  Imagine that!

Arthur Larky writes: "Perhaps I'm Missing Something" and points out
that an MS/DOS timestamp is worthless.  Yes, he did miss something -
my article which talked about where these timestamps come from.
Sorry, not from MS/DOS or any existing software or hardware....

He also says:

       But that's what I do for a living: "program development, install new
       executables, etc."  Oh, well, one can always retire to something less
       challenging such as urban warfare.

Welcome to the real world.  Only a minority of us do program
development, a minority that is growing smaller every day.  While most
owners of PC's have to install executables, that involves a minute
fraction of the time they spend using their systems.  If a system
protected them, it would be well worth building.  As to the developers
- they are inherently doing something riskier, and will have to watch
their systems more carefully.  With the "no new executables" switch
off, they can develop - and be infected - as always.  They still get
the hardware modification log if they want it.

       I translate this to mean "find something other than a PC or a MAC on
       which to do your computing."  True, but it doesn't solve the current
       problem for most of us.

You bet.  But, to repeat myself, I wasn't TRYING to solve anyone's
current problems - I was trying to show that a solution is POSSIBLE,
if we decide it is worth the costs.  The problems involved are
monetary/political/organizational, NOT technical.
                                                       -- Jerry
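
An added simulation, not from Jerry's message, of the machine he
argues for: every file carries an "is executable" bit; only a program
holding the right can set it, and not at all while a physical switch is
off; modifying an existing executable takes a separate right; and every
such operation lands in a log the software cannot edit. The programs,
rights and file names are invented, and the switch is named here from
the message's first description (on means the bit may be set).

```python
from dataclasses import dataclass, field

class PolicyViolation(Exception):
    pass

@dataclass
class File:
    data: bytes
    executable: bool = False

@dataclass
class Machine:
    """Constructed model of the hardware the message argues for: one
    'is executable' bit per file that software cannot set while the
    physical switch is off, a per-program right to set it or to modify
    executables, and a modification log the software cannot edit."""
    switch_allows_new_executables: bool = True
    rights: dict = field(default_factory=dict)   # program -> set of rights
    files: dict = field(default_factory=dict)    # path -> File
    log: list = field(default_factory=list)      # append-only hardware log

    def _has(self, program, right):
        return right in self.rights.get(program, set())

    def write(self, program, path, data):
        existing = self.files.get(path)
        if existing is not None and existing.executable:
            if not self._has(program, "modify executables"):
                raise PolicyViolation(f"{program} may not modify executable {path}")
            self.log.append(("modify", program, path))
        if existing is None:
            self.files[path] = File(data)          # new files are data, never code
        else:
            existing.data = data

    def set_executable(self, program, path):
        if not self.switch_allows_new_executables:
            raise PolicyViolation("hardware switch is off: no new executables")
        if not self._has(program, "set executable"):
            raise PolicyViolation(f"{program} lacks the right to set the executable bit")
        self.files[path].executable = True
        self.log.append(("set executable", program, path))

def scenario():
    """Run the situations discussed in the thread through the model and
    return (outcomes, hardware log)."""
    m = Machine(rights={"INSTALL": {"set executable"},
                        "PATCH": {"set executable", "modify executables"}})
    outcomes = []

    def attempt(label, *steps):
        try:
            for fn in steps:
                fn()
            outcomes.append((label, "allowed"))
        except PolicyViolation as e:
            outcomes.append((label, f"denied: {e}"))

    attempt("install WP.EXE from a trusted disk",
            lambda: m.write("INSTALL", "WP.EXE", b"MZ word processor"),
            lambda: m.set_executable("INSTALL", "WP.EXE"))
    attempt("WP saves LETTER.DOC",
            lambda: m.write("WP", "LETTER.DOC", b"Dear Sir"))
    # Viral code running as WP tries the two things a file infector needs.
    attempt("WP appends to WP.EXE",
            lambda: m.write("WP", "WP.EXE", m.files["WP.EXE"].data + b"\xeb\xfe"))
    attempt("WP drops V.COM and marks it executable",
            lambda: m.write("WP", "V.COM", b"\xeb\xfe"),
            lambda: m.set_executable("WP", "V.COM"))
    # A developer's patch tool keeps working, and the hardware logs it.
    attempt("PATCH modifies WP.EXE",
            lambda: m.write("PATCH", "WP.EXE", b"MZ word processor v1.1"))
    m.switch_allows_new_executables = False
    attempt("PATCH marks NEW.EXE executable with the switch off",
            lambda: m.write("PATCH", "NEW.EXE", b"MZ"),
            lambda: m.set_executable("PATCH", "NEW.EXE"))
    return outcomes, list(m.log)

if __name__ == "__main__":
    outcomes, log = scenario()
    for label, result in outcomes:
        print(f"{label:52s} {result}")
    print("hardware log:", log)
```

The interesting rows are the two denials for WP: a virus running with
the word processor's identity can neither append to the program image
nor turn its dropped file into a program, while the developer's PATCH
tool keeps working and leaves a trace. What the model does not do is
stop WP from writing a .BAT file or anything else an interpreter will
run, which is the objection about interpreters raised elsewhere in this
issue.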

------------------------------

Date:    03 Feb 90 17:57:50 +0000
From:    [email protected] ( Dr. Robin Lake )
Subject: AIDS Virus Suspect Arrested Near Cleveland, Ohio

                        COMPUTER BLACKMAIL ALLEGED
                 Lake [County] man held on British counts

For those of you who don't find the Cleveland Plain Dealer on your
doorstep or bushes each morning ----

From Page 1 of The Plain Dealer, Cleveland, OH, Saturday, February 3
By META McMILLAN, Staff Writer

"A Willowick man is being held without bond on a federal fugitive
warrant, pending extradition to England to face blackmail and
extortion charges in connection with a computer disk that scrambled
and stymied computer systems across Europe and Africa.

Joseph L. Popp Jr., 39, of W. Willowick Dr., was brought before U.S.
Magistrate Joseph W. Bartunek yesterday morning, complaining of
mental illness, to face charges that the disk he allegedly created and
mailed to as many as 26,000 businesses and hospitals was part of an
elaborate blackmail scheme.

Authorities in England are seeking to extradite Popp under the terms
of a 1972 treaty with the United States.

Bartunek delayed the extradition hearing until after he can review two
psychiatric evaluations of Popp. The magistrate ordered the
examinations --- one by a court-appointed psychiatrist and the other
by Popp's doctor --- after Popp's lawyer told the judge his client was
suffering from mental illness and was on medication.

Bartunek said he expected the psychiatric reports to be available
within 10 days, after which he will determine whether a competency
hearing is needed before an extradition hearing is scheduled.

Popp was arrested Thursday without incident by FBI agents and
Willowick police at the home he shared with his parents. A warrant for
his arrest was issued Jan. 18 by a London magistrate. A sealed U.S.
warrant was issued Jan. 24 by U.S. District Judge Ann Aldrich.

Scotland Yard charges that about Dec. 11, while he was in London, Popp
mailed 20,000 to 26,000 IBM data disks to hospitals, insurance
companies and major corporations.

The disks purportedly provided information on what individuals could
do to reduce their chances of catching acquired immune deficiency
syndrome.

After some computers became infected by the program, word of the
potentially destructive disks spread within days, and AIDS researchers
in the United States were put on alert.

Companies in African nations, England, Belgium, Denmark, Holland and
Australia received the disks, London officials said. Investigators
believe no disks were mailed to the United States or Canada.

The packages containing the disks bore a printed warning that users
would be billed up to $378 for use of the disk. Payments were to be
sent to PC Cyborg Corp., whose address is a post office box in Panama.

Gary Arbeznik, an assistant U.S. attorney, said that London
authorities had told U.S. investigators that "when the disk was used
in a computer, an AIDS program was generated. At the end of that
program, the screen would go blank, except for an invoice, which said
"if you wish to use this computer," up to $378 must be paid to an
address in Panama.

"When the money was paid, an antidote would be sent," Arbeznik said,
"Until then, the machine was unusable."

Popp is believed to have used the mailing list from PC Business World,
a London computer publication, to target recipients of the disks.

Officials of PC Business World said a man identifying himself as
"Ketema," an African businessman, contacted the magazine's circulation
department in October about purchasing part of its mailing list. He
paid more than $1,000 for 7,000 names, the magazine said. About 1,200
of those PC users were hit with the virus; the rest were warned in
time, said senior reporter Mark Hamilton.

PC Business World said Cyborg also used other mailing lists.

Cyborg's directors are listed as Kitain Mekonen, Asrat Wakjira and
Fantu Mekease.

The suit for extradition said Popp began planning the scheme in
February 1989, when he set up the Panama firm. FBI spokesman Bob Hawk
said the bureau had information that Popp was prepared to mail out an
additional 2 million disks.

Popp, soft-spoken with dark hair and flecks of gray in his dark beard,
was handcuffed as he appeared in the courtroom. He was dressed in
loafers, faded blue jeans and a multicolored sweater. His eyes at
times darted anxiously toward the few spectators in the courtroom.

He was rushed in and out of the federal courtroom through back
entrances.

Popp is a zoologist and anthropologist who has conducted animal
behavior research for several international health agencies, including
UNICEF and the World Health Organization. He said he was under
psychiatric care and taking medication for a mental illness. Twice
during the morning hearing, he said he was not clear about
proceedings.

Bartunek ordered the courtroom cleared so Popp could consult with his
lawyer, John Kilroy, who practices in Euclid [Ohio]. The meeting
lasted several minutes, after which Bartunek again apprised Popp of
the charges.

Popp said he understood what they involved but added "I do not
understand how it applies to my case." Kilroy unsuccessfully asked
that Popp be held in a psychiatric hospital rather than in jail.

Kilroy described Popp, an Ohio State University graduate [1972,
biological science] with a doctorate in anthropology from Harvard
University [1979], as a respected anthropologist being unfairly
painted as a criminal.

Popp left the World Health Organization, a special agency of the
United Nations, a few weeks before Christmas and returned to his
parents' home, Kilroy said.

Popp received no money in his endeavor to market the flawed disk,
Kilroy said, but had hoped to generate money to conduct research on
the AIDS virus.

Kilroy said he did not have enough information to explain why the
disks apparently had shut down computer systems across two continents
and in some cases destroyed the information those systems contained.

He said he had had only two brief interviews with Popp since his
arrest.

John Austen, an investigator with the computer crimes division of New
Scotland Yard, said Popp's actions were motivated by money and that
Popp could face up to 10 years in prison for each count of blackmail.
He declined comment on whether investigators believe Popp acted alone,
but a recent article in the Times of London referred to an
investigation seeking four men in connection with the virus.

Popp was moved  after the hearing to  an undisclosed jail.    Bartunek
told Kilroy to  make a  list of medications  Popp  required so federal
marshals could  ensure that he  received them.  Popp has complained to
Bartunek  that  while  he was held at the  Lake  County Jail after his
arrest Thursday, he as not given proper medication.

"I am deeply disturbed at  times,"  he told Bartunek, "and  one day in
custody  ... can be  a day of disorientation."  "   Staff writers Eric
Stringfellow and Rebecca Yerak contributed to this article.  "

[Sidebar articles include  a diagram  of  a PC  with  a Computer Virus
Glossary:  "Time   bomb,  Logic bomb,  Trojan    horse,  Vaccine"; and
"Neighbors express surprise at arrest".  Summary: "Quiet, Intelligent,
Outstanding young   man.  He  was  a  real smart  kid  ...  we  didn't
socialize that much, but I always figured he would end up being a CPA.
I remember him as a real gentleman.]

------------------------------

Date:    Sun, 04 Feb 90 09:39:00 -0500
From:    <DAVID%[email protected]>
Subject: Washington Post story on Joseph Popp; FYI

From:  The Washington Post, February 4, 1990. Page 18.
Byline Reuter.

 "Cleveland, [Ohio] Feb. 3 -- An anthropologist accused of
international computer fraud involving information about AIDS and a
possible computer virus was held without bail while a judge considered
reports on his sanity, authorities said today."
 "Joseph Popp, 39, appeared before a U.S. magistrate to face charges
that the computer disk he created was part of an international
blackmail scheme, said Assistant U.S. Attorney Gary Arbeznik."
 "The Cleveland Plain Dealer said that Popp, while in England, mailed
the IBM data disks to as many as 26,000 hospitals, businesses and
government agencies worldwide."
 "The disks claimed to provide information on AIDS prevention but at
the end of the computer program Popp allegedly said a computer virus
would be unleashed unless $378 was sent to a post office box in
Panama."

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253