VIRUS-L Digest Thursday, 3 Oct 1991 Volume 4 : Issue 178

VIRUS-L Digest Thursday, 3 Oct 1991 Volume 4 : Issue 178

Today's Topics:

Virus protection hardware
Help with STONED 16 virus (PC)
New NOVELL virus? (NOVELL) (PC)
RE: Mac Puke INIT (Belch Virus??) (Mac)
Re: F-Prot 2.0 (PC)
Re: Heuristic analysis?
Re: New Virus Warning (PC)
Fred Cohen's contest
Artificial Life III: Call for Papers

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 30 Sep 91 16:19:45 -0400
>From: [email protected]
Subject: Virus protection hardware

All:
I am looking for any articles or adds for virus protection
hardware, (ie. PC boards) for some machines here on our network.
Could anyone knowing about an article or ad in a magazine or journal
please Email me soon so I can evaluate them...
Thanks in advance....
Chris

------------------------------

Date: Mon, 30 Sep 91 17:49:00 -0400
>From: "George Russ" <[email protected]>
Subject: Help with STONED 16 virus (PC)

We are currently encountering the virus STONED and have a few
questions we hoped you could answer.
How exactly does this virus infect?
What is the best protection to load at boot up?
(We are currently using Fprot ver20 [Virstop in config.sys])
Can the virus STONED get past Virstop?
We are using the disk lockdown program Disk Manager could this type
of protection prevent a Virus driver from being 100% effective?

Thanks in advance, your help will be most appreciated!

___________________________________________________________________________
George Russ Bitnet : [email protected]
IRM/Network Support Services Internet: soon
The Citadel Military College Voice : 803-792-6817
Charleston SC 29409
- ---------------------------------------------------------------------------

------------------------------

Date: Mon, 30 Sep 91 18:32:00 -0500
>From: [email protected]
Subject: New NOVELL virus? (NOVELL) (PC)

Today, a network under NOVELL 3.11, was hit by a unknown virus, at
least in our environment, the virus only affects the server, when you
issue the command "load monitor", few minutes later, the screen clears
and a worm composed by block characters showing different levels of
gray begins to run across the screen, the creature disappears when you
press the ESC key.

We're checked the server under DOS with CPAV v 1.0, and installed the
VSAFE.SYS program in memory, then run the program SERVER.EXE, issue
the "load monitor" command, and few minutes later, the worm appears on
the screen, and the VSAFE program says nothing, the CPAV program
doesn't say anything, and the worm continue to run across the screen.

If anybody out there has the answer, please reply ASAP!

Ronnie Nader
Catholic Universityof Ecuador at Guayaquil
System Engeneering Faculty

Pacific National Bank
Special Projects dept.
Guayaquil - Ecuador BITNET: [email protected]

------------------------------

Date: Mon, 30 Sep 91 23:09:16 -0600
>From: Diskmuncher <[email protected]>
Subject: RE: Mac Puke INIT (Belch Virus??) (Mac)

>From: Al Boulley <32DD3BN%[email protected]>

>I don't believe that MacPuke.init could be causing this because the
>sound occurs only upon ejection of a disk. Also, this would show up
>in a system folder, hidden or not. Anything else is beyond me.
> Al Boulley

Are you using System 7.0? If so, it would be in the
Extensions folder ("underneath" the System Folder). It's also
possible that someone renamed Mac Puke to something else. They might
have even changed the Get Info information (ResEdit Puke ID=0). My
solution would be the following:

Use ResEdit's GetInfo on suspicious files and look for a
creator type of PUKE.
Alternately (if you have ResEdit 2.1) load suspicious files
into ResEdit and play the Sound Resource(s) in each file. There are
other programs which can play Sound Resources, but they may or may not
"see" hidden files.

I'll bet $$ it is the Mac Puke INIT...just cleverly disguised.
Mac Puke (to my knowledge and experience) only activates *WHEN* a disk
is ejected.
John-David Childs
Consultant, University of Montana
[email protected]

P.S. ResEdit 2.1 can probably be obtained from any Mac dealer in your area.

------------------------------

Date: 01 Oct 91 10:23:10 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: F-Prot 2.0 (PC)

[email protected] writes:

> asking for a boot disk, and leaves them more room in memory. With
> F-Prot 1.6, I simply installed F- DRIVER.SYS on each start volume of
> the network (I use about 5 different start volumes, depending on
> classes, accounts, etc.). So far it worked, although I understand
> that the lack of infections may have been pure luck. Anyway, do I
> understand the new directions correctly: Load VIRSTOP.EXE in the
> AUTOEXEC.BAT file of the server(s) to protect the entire system? Or
> should I again load VIRSTOP.EXE on each start volume (3Com 3+Share
> system)?

How about trying to INSTALL it from CONFIG.SYS (if you run DOS 4.x or
higher)?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Universitaet Hamburg, FB Informatik - AGN
[email protected] Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 01 Oct 91 10:46:29 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Heuristic analysis?

[email protected] (Fred Waller) writes:

> As an example of this difficulty, I will describe the action of T.
> Matsumoto's data compressor called DIET v1.10a, (c) 1991. Previous

[description of Diet deleted]

> DIET's compression efficiency is quite good, often better than PKLITE
> and comparable to that of conventional compressors. But to achieve
> its good effect, the program must break "good" rules that a heuristic
> virus analyzer author might consider sacred:

Yes, Diet is a wonderful example of a "bad" program from the
anti-virus point of view... However, note that it does not HAVE TO
behave like that. There is a program, called STACKER, which performs
exactly the same task (and even much better), without doing any dirty
tricks. It is installed as a device driver and emulates a disk in a
some kind of large archive. The fact that the author of Diet used the
"bad" approach does not mean that the same cannot be achieved in a
"cleaner" way. And, of course, it does not mean that the Diet program
is bad per se (I personally like it), it just means that it does not
perform correctly from the virus protection point of view.
Nevertheless, the users will continue to write and use such programs,
that's why the suggested conception to write only "good" programs is
doomed.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Universitaet Hamburg, FB Informatik - AGN
[email protected] Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 01 Oct 91 11:04:15 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: New Virus Warning (PC)

[email protected] (McAfee Associates) writes:

> A new, fast moving, and very destructive virus has been

Please note, that the virus is not destructive per se. It has no
destructive payload. Usually the damage is caused by an incompetent
user, trying to fix the problems with CHKDSK/F or Norton Disk Doctor.
One of my colleages proposed to call it "Do it yourself" virus,
because the damege is cased by the victim... :-)

> A disruptive characteristic of this virus is that if an infected
> system is booted from a clean floppy, none of the executable files
> can be copied from the system. Neither can they be backed up. If
> the system is not booted from a clean floppy, then the files can
> be copied and backed up, but the virus will copied along with the
> programs. It's a catch 22 situation. Additionally, if an infected
> system is booted from a clean floppy, and then a CHKDSK /F
> is run, then all executable files in the system will be destroyed.

This (and any other fully stealth virus) can be removed very easily,
without any anti-virus programs. Just make sure that the virus -IS-
active in memory. Then copy all executable files to non-executable
extensions (i.e., COPY FILENAME.COM FILENAME.VIR). Then delete all
executable files, reboot from a clean disk and rename the files back
to their executable extensions. Instead copying, you can also archive
them. Especially the ARJ archiver is very convenient, since it allows
the creation of multi-volume archives. Just have in mind that the
virus will overwite the last cluster of the disk, so tell the archiver
not to use all of the diskette space for the archive (ARJ has such
option). Afterwards, you should boot from a non-infected disk, delete
the executables, and then restore them from the archive.

> The Virus has been named DIR-2. It has been reported at numerous

Please, use the name Dir II, if possible. Also other known aliases are
MG series II and Creeping Death. The first was used by the person who
first discovered and reported the virus (Nikolay Spahiev) and the last
is used by the virus authors. I find it extremely inappropriate - the
virus does not "creep" - it "flies", and "death" is also inapropriate,
since it's not intentionally destructive.

> sites in Bulgaria, Poland, Yugoslavia and Hungary. We received our
> copy for analysis from Tamas Szalay in Budapest.

The Polish anti-virus researcher Marek Sell claims that he has found
it on a vrite-protected diskette which came from Taiwan. Also, I have
some reports about Norway. I would appreciate if the readers of this
newsgroup report this virus when they encounter it. I would like to
see how it will spread around the world.

> We are currently re-writing our SCAN and CLEAN programs to deal
> with this virus, as are most other anti-virus suppliers. A beta
> version of both programs will be available September 26th. Anyone
> reporting symptoms similar to the above described, please
> contact us.

To those that do not understand why all disinfectors have to be
rewritten. Since the virus does not infect neither the boot sector,
not the files, a new loop must be implemented is the disinfector, to
make to search the directory entries too.

And now some symptomes for this virus, that I forgot to describe in my
previous message:

1) Backups and/or archives that use the whole disk space on the
diskette suddenly become corrupted.

2) After formatting a diskette and looking at the disk usage map with
PC Tools (or something similar), you notice that the last sector is
marked as used. That's right, used, not bad.

3) The two copies of the FAT do not match. This can be observed only
if the virus is not active in memory.

4) When you copy files from an infected media (without the virus being
active), only one cluser (or 1024 bytes, whichever is larger) is
copied.

5) When you run a file from an infected diskette, it just exits to the
DOS prompt. At this time you're already badly infected. Running the
file for the second time will make it running, though.

6) CHKDSK (DON'T USE THE /F OPTION!!!) or Norton Disk Doctor (or an
equvalent disk repairing program) reports a lot (a huge number of)
cross-linked files and lost file chains. All files are cross-linked to
the last cluster of the disk. This is cluster 355 for 360 Kb floppies.

If you encounter the above problems, for goodness sake, don't try to
repair the problem yourselves!!! You are risking to lose all your
executables. Contact a person, who is qualified in anti-virus research
as soon as possible!

Hope that the above will not be of any use to you, but just in case...
<grin>

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Universitaet Hamburg, FB Informatik - AGN
[email protected] Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Mon, 30 Sep 91 17:17:13 -0500
>From: [email protected] (Gene Spafford)
Subject: Fred Cohen's contest

The September/October issue of "The Sciences," published by the New
York Academy of Sciences, had an article by Fred Cohen. In it, he
tried to make a case for the existence of "good" viruses, and he
pulled out a number of supporting examples that really weren't viruses
or weren't clearly done well by viruses.

He concluded the article with an announcement of a contest. His
publishing company, ASP (which may be run by Fred for all I know) will
award $1000 for the best "good" virus as per vague rules laid down by
Fred in the article.

I was quite upset by the article, and especially the contest, because
I think it quite unethical to encourage the writing of viruses as he
is doing. I also think there is a very clear and significant conflict
of interest for him and/or ASP to be encouraging such a contest.

I wrote a letter of response to the editor a few weeks ago, and I have
spent the time since then thinking about it. The toned-down letter
that I actually sent is reproduced below, minus some italics and
bold-facing.

Whether you agree or disagree with my comments, if you wish to make
your own comments to the editor, his address is below; his fax
number is 212-260-1356. I doubt I am the only person with an opinion
on this matter. (Naturally, I could be the lone voice of dissent; I
hope not, but it may be the case.)

I thought you might be interested. If not, never mind.

Cheers,
- --spaf

Mr. Peter G. Brown, Editor
The Sciences
622 Broadway
New York, NY 10012

Dear Mr. Brown:

I began to read the recent article by Dr. Fred Cohen [1] with
considerable interest. Dr. Cohen is a pioneer in the field of
computer virus research, and I have found many of his writings quite
thought-provoking. Unfortunately, by the time I finished his article,
I was quite dismayed. I believe that Dr. Cohen has failed to
adequately consider both the practicality and the ethics of his
proposal.

First of all, I believe that there is an obvious conflict of interest
involved when the vendor of a computer virus prevention product
sponsors a contest soliciting the development of new viruses. I am
further troubled by the lack of a list of the judges of the contest
and the criteria for winning. I will not discuss these points
further, however, as they are minor matters compared with my main
concern: I believe that the writing of computer viruses is unethical,
[2--3] and to encourage their development in an unsupervised manner is
likewise unethical.

Computer viruses spread without the informed consent of the owner of
the software (``host'') they ``infect,'' and they are usually not
limited in their spread, in time or space. If scientists were to
experiment with organic viruses capable of infecting humans and
possessing these same properties, we would likely be taking vigilante
action against them, contest or no. Encouraging the general populace
to develop organic viruses would bring about widespread condemnation;
yet, oddly, encouraging the development of computer viruses leads to
publication in a journal.

To his credit, Dr. Cohen explicitly prohibits viruses that exhibit the
above two dangerous properties from being eligible for his contest.
However, many viruses cause damage because of flaws within the code,
or unexpected properties of their target computing environment;
examples include the ``Stoned'' virus for IBM PCs, and the ``WDEF''
virus for Apple Macintoshes (cf., [3--5]). What will be the attitude
of the community as a whole if a new destructive virus appears on the
scene because of a bug in the software meant to contain it? What if
something similar to Robert T. Morris's Internet Worm were to be
discovered and explained as a buggy test version intended for Cohen's
contest?

This brings me to another argument with Dr. Cohen's article: we
disagree about the definition of the term ``computer virus.'' Cohen
describes Morris's Internet program as a ``virus,'' while I (and
others) would define it as a ``worm.'' [6--7] Morris's program did not
alter existing software to include a copy of itself as do viruses.
His program was no more a virus than is a compiler (suggesting an
interesting class of potential submissions to the contest). In fact,
if we intuit a definition of ``contest-acceptable virus'' from Cohen's
article to be something that spreads from system to system, that
requires permission to install itself, and has limited potential for
spread (like the Worm), it is no longer clear we are speaking about
viruses at all!

Harold Thimbleby of Stirling University, Scotland and Ian Witten of
Calgary University, Canada have done extensive work on software that
would meet the above intuited definition of a computer virus. They
have developed some very sophisticated self-propagating applications,
including self-updating databases with window-based interfaces.
[8--9] It is not at all clear that the community recognizes these as
viruses. Professor Thimbleby himself has chosen to call them
``liveware'' to make the distinction clear. I am surprised that Dr.
Cohen is unfamiliar with their work and did not cite it in his
Sciences article; it would be a clear favorite if it were to be
entered in the ASP contest. However, it also serves to illustrate how
something that might win the contest is not likely to be viewed as a
``virus'' by the community of researchers.

This brings me to the second of my two major objections to Cohen's
article and contest. I believe that his underlying thesis is flawed:
I do not believe that there are any practical ``good'' viruses.
During the Second Conference on Artificial Life, held in Santa Fe in
1990 (cf. [10]), I was on a panel discussing computer viruses.
Russell Brand, another panelist, made the observation that there is
nothing that can be done by a computer virus that cannot be done more
efficiently and generally by other means. This observation was
debated by the panel, and discussed extensively by others since that
time. To my knowledge, everyone involved in these discussions now
believes that is a true statement.

Consider that a computer virus is nothing other than a program coupled
with code to transport and install itself as part of existing
software. It will be more difficult (or impossible) than a
stand-alone program to update for new releases, customize, and
maintain. A virus will also be more difficult to write and test for
correctness than will a stand-alone program because of its interaction
with its environment. Viruses are simply not the most practical or
efficient approach to any particular task. His example in the article
of the billing system demonstrates an inadequacy in the data model
used and tools available, and not the superiority of using a
quasi-virus. Even the example Cohen gave in his PhD dissertation of a
compression virus would be better served by a well-written stand-alone
program over which the user has more control. I believe that any
attempt made to promote ``useful'' viruses involves a contradiction of
the word ``useful,'' assuming that ``useful'' does not also imply
``malicious.''

To return to my first fundamental objection (and the one I feel most
strongly about) -- the impropriety of encouraging virus authorship.
We have been battling computer viruses for five years now, and the
indications are that the problem is growing exponentially (cf.
[11--12]). Computer viruses --- even those intended to be harmless,
and limited in scope and duration --- continue to cause untold amounts
of damage to computer systems. For someone of Dr. Cohen's reputation
within the field to actually promote the uncontrolled writing of any
kind of virus, even with his stated stipulations, is to act
irresponsibly and immorally. To act in such a manner is likely to
encourage the development of yet more viruses ``in the wild'' by
muddling the ethics and dangers involved. It will reinforce the
attitude that there may be some benefit to be gained from writing
viruses (when there is as yet absolutely no clear indication that such
is the case), and may encourage people to begin uncontrolled
experiments with viruses they might not otherwise have undertaken. We
have seen cases already where well-trained virus researchers have
accidentally released experimental computer viruses into the
population; to encourage amateurs to also engage in risky behavior
that may lead to similar or worse results is quite appalling. It is
my fond hope that no one attempts to enter Dr. Cohen's contest, and
that he quickly recognizes the dangers and cancels it.

A few decades ago, physicists talked about peaceful uses of atomic
weapons, such as blasting out canals and destroying threatening
icebergs. They were attempting, in good faith, to put a better moral
cast on their research. Thankfully, none of them offered money in a
contest for the best demonstration of such an application! Alfred
Nobel, horrified at the use to which his invention of stabilized
explosives were being put, did not establish a contest for the best
peaceful use of dynamite. Instead, he established world-reknowned
awards for research in peaceful pursuits, funded by the income from
his discovery. It is quite unfortunate that ASP and Dr. Cohen could
not have taken a similar approach with their $1000 prize. They could
have made a powerful statement about responsible behavior, but instead
have increased the danger to the community and generated doubts about
their own motivations.

Eugene H. Spafford, PhD

References

[1]
Friendly Contagion: Harnessing the Subtle Power of Computer
Viruses, by Fred Cohen, The Sciences, Sep/Oct 1991, pp. 22--28.

[2]
Computer Viruses and Ethics, by Eugene H. Spafford, in Collegiate
Microcomputer, special issue on the Rose-Hullman/GTE Computing and
Ethics Seminars, to appear, 1992.

[3]
Computer Viruses: Dealing with Electronic Vandalism and
Programmed Threats, by Eugene H. Spafford, Kathleen A. Heaphy and
David J. Ferbrache, ADAPSO, 1989.

[4]
Rogue Programs: Viruses, Worms, and Trojan Horses, edited
by Lance J. Hoffman, Van Nostrand Reinhold, 1990.

[5]
Computers Under Attack: Intruders, Worms and Viruses, edited
by Peter J. Denning, ACM Press/Addison-Wesley, 1990.

[6] What is A Computer Virus?, by Eugene H. Spafford, Kathleen A.
Heaphy and David J. Ferbrache, Chapter 2 in [4].

[7]
An Analysis of the Internet Worm, by Eugene H. Spafford, in
Lecture Notes in Computer Science 387, Springer-Verlag,
1989.

[8] Bugs, Viruses and Liveware: Collected Papers by Harold Thimbleby,
technical report of the Department of Computer Science, Stirling
University, Scotland, 1990.

[9] Liveware: A New Approach to Sharing Data in Social Networks, by I.
H. Witten, H. W. Thimbleby, G. F. Coulouris, and S. Greenberg, in
International Journal of Man-Machine Studies, 1990.

[10] Artificial Life II, Studies in the Sciences of Complexity, Volume
XII, edited by D. Farmer, C. Langton, S. Rasmussen, and C. Taylor,
Addison-Wesley, 1992.

[11] Virus Trends: Up, Up, Up by David Stang in National Computer
Security Association News, 2(2), March/April 1991.

[12] The Kinetics of Computer Virus Replication by Peter S. Tippet in
Proceedings of the Fourth Annual DPMA Computer Virus Security
Conference, New York, March 1991.

------------------------------

Date: Thu, 03 Oct 91 08:45:51 +0000
>From: [email protected] (C G Langton)
Subject: Artificial Life III: Call for Papers

Artificial Life III

June 15-19, 1992
Santa Fe, NM

CALL FOR PAPERS

We are happy to invite contributions for the Third Artificial Life
Workshop, to be held in Santa Fe, New Mexico, June 15-19, 1992.

Artificial Life complements the traditional Biological sciences, concerned
with the analysis of living organisms, by attempting to synthesize behaviors
normally associated with natural living systems within computers and other
"artificial" media. By extending the empirical foundation upon which the
science of Biology rests beyond the carbon-chain based life that has evolved
on Earth, Artificial Life can contribute to Theoretical Biology by locating
"life-as-we-know-it" within the larger context of "life-as-it-could-be."

Contributions may be submitted in the following categories: TALK (please
specify a 20 or a 45 minute talk); POSTER, which may include a computer
display (BYOC); DEMONSTRATION, which includes computer demos and/or videos
(please give time estimate); or OTHER (please specify).

Authors should send an abstract (5 pages at most) to the address below
by January 15, 1992. DO NOT WAIT UNTIL JAN. 14!!! Please try to get your
abstract in early. Authors will be notified of the status of their
contributions by March 15, 1992.

Proceedings of the first two Artificial Life Workshops are now available
from Addison Wesley Publishers (1-800-447-2226 to order). The proceedings
of the second workshop also include a videotape. We intend to emphasize
visualization in the third workshop as well, and encourage contributions
based on working mobile robots.

Contributions to the workshop will automatically be considered for
inclusion in the proceedings. Papers for the proceedings will be due at
the workshop, and papers may be submitted then which were not submitted as
contributions to the workshop itself. The end of the workshop is the
deadline for submission of papers for the proceedings. All papers received
by the end of the workshop will be sent out for review and authors notified
by the end of August.

We will also be holding a greatly expanded "Artificial 4H Show,"
involving exhibits of, judging among, and contests between, various
software and hardware artificial life forms. People who wish to enter
their artificial organisms in the "Artificial 4H Show" should send
a description of what they plan to exhibit to the address below. We
will be announcing a series of contests and challenges for robots,
genetic algorithms, and software life forms soon. Some of these will
carry cash-prizes. All contests and challenges will be carried out
during the workshop.

Abstracts should be sent to:

AlifeIII
Program Committee
Santa Fe Institute
1660 Old Pecos Trail
Santa Fe, NM 87501

[email protected]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 178]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253