VIRUS-L Digest Friday, 11 Oct 1991 Volume 4 : Issue 188

VIRUS-L Digest Friday, 11 Oct 1991 Volume 4 : Issue 188

Today's Topics:

Virus-writing course for teenagers
Classic Theory
Dr. Fred's Contest
Re: Azusa Virus hits University of Kentucky (PC)
Books on viruses?
Variations
Re: Morris worms through courts
Re: disable ctrl/break? (PC)
is vshield working?
Re: desouza or souza virus (PC)
new files; correction
Re: OS/2 2.0 (OS/2)
Re: SF Worms/Viruses (Re: HW not a solution)
DIR-II virus, symptoms ??? (PC)
Re: DIR II (Cluster) Virus (PC)
Response re DIET (PC)
Update on Bontchev paper availability

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 10 Oct 91 14:11:00 +0300
>From: Y. Radai <[email protected]>
Subject: Virus-writing course for teenagers

I was looking through the syllabus of a science-for-youth program
which is due to start next month. The courses on computers include:
Grades
5-6 Intro. to computers, Logo, Pascal
7-8 Pascal, Assembler, AI, Graphics
9-12 Above four courses plus Data Structures, C, Supercomputers,
Defenses against Viruses.

Looks pretty good, until you read the description of the course on
Assembler. This is a literal translation:

You already know Basic? You already know Pascal? What do you
still lack in order to analyze the brain of the computer? - Assem-
bler. In this language you'll be able to acquire tools for things
which cannot be done in any other language, like: how to 'create
viruses', how to write protection programs and how to crack them.

Needless to say, the matter has been brought to the attention of the
program director, and it is expected that the above applications will
not actually get mentioned when the course is presented. It has also
been suggested that part of each course be devoted to a discussion of
computer offenses and rules of ethics. (I would also hope that the
instructor who suggested the above applications be replaced, though
that's perhaps too much to expect.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]

------------------------------

Date: Thu, 10 Oct 91 15:10:00 -0500
>From: <[email protected]>
Subject: Classic Theory

I'm a college student who has been studying viruses for several years
now. I've now reached the point where I'd like to do some more
theoretical work at a high level...does anyone know of a good source
of some of the classic papers done in the field (works for Cohen and
the like)? I'm looking for a basis for an independant study and
perhaps an honors thesis for the future. Thanks!

Charles

------------------------------

Date: Thu, 10 Oct 91 15:19:44 -0400
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Dr. Fred's Contest

I have just had the opportunity to read Dr. Cohen's article from "The
Sciences" and have had a glimmer of how such a "benign" virus might
operate. The key would be "human permission" and such a methodology
might even simplify the "LAN Nightmare" many administrators stay
wakeful over:

Consider the problem of a LAN with a large number of clients that are
not under the control of the administrator. Add in a resident set of
antiviral utilities that protect the LAN such as my DiskSecure, which
uses stealth and integrity management but loads only on request and
which replaces hard and floppy disk boot sectors with itself, but
again only on user request. At this point it is a program not a virus
since it does not propagate (some like replicate, but propagate is
more definative).

Now consider that all of the software is site licensed for use on any
node on the LAN (no pirates here !).

Next, consider that the administrator requires that this software be
in use on all PCs connected to the LAN, and goes one step further:
uses the LOGIN script file to validate that all clients are running
the required software. Still within the realm of common defense
measures we have discussed on virus-l.

The major diversion occurs if the LOGIN script determines that the
required management safeguards are NOT in place on the client
requesting connection and the script then gives the client the choice
of having the software (which includes a mix of TSRs and replacement
MBR and boot records) installed on his/her machine or being denied
access. If the INSTALL option is selected, does the subsequent action
fulfill the requirements of a "virus" ? e.g. propagation to a platform
that was not known at the time the program "set" (executables and
script files) was installed.

Since the new client then has the ability to make my special
"maintenance" disks, unique to his PC, there is at least one following
propagation stage.

(anyone know where I can get an entry form, the prize would cover a
new Bernoulli Transportable & script files are easy to write).

Padgett

Obviously not any connection with my employer.

------------------------------

Date: Thu, 10 Oct 91 21:40:41 +0000
>From: [email protected] (Tanu Kartawiria)
Subject: Re: Azusa Virus hits University of Kentucky (PC)

[email protected] (Wes Morgan) writes:
>For those who track such things, the Azusa virus was discovered at the
>University of Kentucky today (9.24.91). The Azusa virus infects the
>boot sector of floppy disks, the partition table of hard disks, and stays
>resident in memory. It causes corruption of data files, general system
>slowdown, and generally wreaks havoc.
>
>McAfee SCAN found it, and McAfee CLEAN removed it. However, on several
>occasions, the data on the floppies was unrecoverable.

The Azusa virus was also found in Long Beach State University Lab,
SCAN and CLEAN found it, HOWEVER, VSHIELD doesn't seem to be able to
block it.

------------------------------

Date: Thu, 10 Oct 91 21:05:43 -0500
>From: [email protected] (Joseph Costanzo)
Subject: Books on viruses?

Surely there must have been a good book published recently about
viruses - the basics. I really don't know much about them, but would
like to learn. I'm rather new to the world of networks, but I know
that I'm hooked for life. I have gathered that the risks of
networking can be significant when working on these networks.

Anyway, to protect my system, I'd like to know a bit about viruses:
how they work, how to protect/defeat them, etc.

Any suggestions?

Many sincere thanks...

JC

------------------------------

Date: Thu, 10 Oct 91 19:20:33 -0700
>From: [email protected] (Fred Waller)
Subject: Variations

Writes padgett%[email protected] (A. Padgett Peterson):

> Now if everyone used DiskSecure, virus writers could just
> target it, however if MicroSoft, Norton, Mace, Central Point,
> Digital Research, and all the others came out with similar but
> different software, and AMI, Phoenix, Award, and Tandon each
> had a different BIOS implementation a generic virus becomes
> so difficult to write and would have to be so big to handle all
> of the cases the it would become uneconomical...

Yes, a single virus would be unwieldy. But should we expect that?
Shouldn't we rather expect the prompt appearance of many viruses,
each one capable of attacking one of those systems? The net result
would be similar to having one virus capable of attacking all of them.
Worse actually, since it would require many times the effort to guard
against.

All our experience shows us that devising virus-specific defenses,
or `distributing' defenses in the hope of diluting the effort of
virus authors, is ineffective. It only causes proliferation of new
`species'. We can't outwrite them. This is one reason why scanners
are bad, and this is also why every other taxon-specific approach
is bad.

Any thinking that aims at resisting viruses by combating them as
individual entities, or any measure that aims at creating specific
defenses against only one group of viruses, is likely to continue
being ineffective. For this reason, the idea that creating many
firmware variations will help stop viruses is, in my opinion, also
unlikely to work. There will simply be more viruses.

If any proof is needed, just look at the field. We have more
antivirus utilities than ever. There are more defense variations
than ever. There are also more viruses than ever. They infect more
machines than ever.

Taxon-specific antivirus measures have proven generally ineffective.
Such measures are quickly overcome by new, ever more ingenious
viruses. What's needed is a general defense. Such a defense can
more likely be obtained by pure hardware means than by software
means.

------------------------------

Date: Thu, 10 Oct 91 21:06:00 -0600
>From: TODD TURNBLOM <[email protected]>
Subject: Re: Morris worms through courts

[email protected] (Gene Spafford) writes:
> For those of you who missed it, Morris's appeal to the Supreme Court
> was rejected without comment or opinion. Thus, his conviction stands,
> and the interpretation of 18 USC 1030 is now known to be that no
> intent to damage need be proven in court -- only intent to access.

Well, not quite. The Supreme Court has the right to pick and choose
the cases that it thinks important enough to spend it's limited time
on. There are a lot of cases that ask the Court for consideration and
only a very limited number actually get looked at. What you said
above only means the Court didn't want to deal with it right now.
IMHO this is only because they don't see some computer case as near as
important as many of the others. They can decide to hear another
computer case in the future and probably will when it appears
important. Until then, the only thing that can be said is that the
Court hasn't said anything about it. There has been no interpretation
because the Court hasn't even looked at it.

- --
_______________________________________________________________________________
Todd A. Turnblom | Utah State University | [email protected] or [email protected]
-
-------------------------------------------------------------------------------
"If I had wanted to be a _well-known_ crook, I should have gone into politics."
-Guido, 'Colection Specialist', _M.Y.T.H. Inc. in Action_
_______________________________________________________________________________

------------------------------

Date: 10 Oct 91 23:11:16 -0400
>From: Jon Freivald <[email protected]>
Subject: Re: disable ctrl/break? (PC)

>From: [email protected]
>
>Our lab machines run a virus check at boot and are SUPPOSED to hang
>if a virus is found. Unfortunately, our instructors have been saving
>time by teaching the students to press Ctrl/Break at boot in order to
>skip the test. The result is of course that the lab machines are all
>infected. Can this (ctrl/break) be disabled?

I've seen a number of TSR's (one I think from PC Magazine?) that allow
you to "turn off" Ctrl/break, ctrl/c & ctrl/alt/del.

I've also written a shell for McAfee's viruscan that executes it with
the "/NOBREAK" parameter the first time it is run on a given day. It's
freeware & available on my BBS [(516) 483-5841, N,8,1, 300-2400 + 9600
HST]. I could try to send it UUencoded, but I think it exceeds
CompuServe's message size limit.

Jon

------------------------------

Date: Fri, 11 Oct 91 01:45:16 -0500
>From: [email protected] (Robert Yung)
Subject: is vshield working?

Now that I got QEMM 6, I can finally load vshield in UMB (initially
needs about 110K, but then goes down to 35K). How do I know that it is
working up there without actually getting my system infected??? I wish
vshield had some sort of on-line command so I can see if it responds.
Does vshield (v82) work right in UMBs? Will a new one come out (to
scan DIR II) soon???

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| Robert 'Bobby' Yung | | That is about as effective as trying |
(| [email protected] | | to melt an iceberg with a warm stream |
| "THE MACHINE!" | | of piss. -Armmstrong |
\~~~~~~~~~~~~~~~~~~~~~~~~ |_______________________________________/

------------------------------

Date: Fri, 11 Oct 91 18:13:00 +0930
>From: Message from The Operator <[email protected]>
Subject: Re: desouza or souza virus (PC)

[email protected] writes:
> Two faculty here at UWSP have reported that their home PC's have been
> infected with the "desouza" or "souza" virus. I looked through FPROT
> 2.0's list of virus information, but could not locate a reference to
> either name.
>
> I have not yet gone to their homes to try to use FPROT 2.0 to clean
> their disks. I might find out at that time that these are known
> viruses and will be easly cleaned. But, wanted to ask ahead of time
> if anyone knows of viruses with these names.

Hi Tom!

I'm a Computer Operator at the University of South Australia. I think
the virus you are looking for is called Azusa. We have just had a
huge infection accross the whole of our Underdale campus. The source
was traced to a number of high school students illegally playing
pirated games in one of the student pools. McAfees latest V82
utilities (available on comp.binaries.ibm.pc) will cope with it.

Hope it helps.

Cheers,

Cameron McConnochie.
Ops
([email protected])

------------------------------

Date: Fri, 11 Oct 91 08:35:00 -0400
>From: [email protected]
Subject: new files; correction

Hello.
1- Now available from our site:
New J. McAfee's programs:
CLEAN84.ZIP;1 SCANV84.ZIP;1 VSHLD84.ZIP;1
NETSCAN and VCOPY will be made available as soon as received. The above
mentionned files were fetched directly from M. McAfee's BBS.

2- We received a report concerning the access to our site via anonymous FTP.
When one logs on, s/he is in the [anonymous] directory. The files are in
[anonymous.msdos.antivirus] directory. To change directory one of the
following should work:
cd .msdos.antivirus<ret>
cd [anonymous.msdos.antivirus]<ret>
cd [.msdos.antivirus]<ret>

Please let us know (our system administrator and myself) if you encounter
any problems fetching the files via FTP. Our IP number is 141.166.1.6
user=anonymous, password <your_e-mail_address>.

Thanks for taking the time of reading this. Regards, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond [email protected] (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date: Thu, 10 Oct 91 20:05:22 +0000
>From: [email protected] (Zoltan Kelemen)
Subject: Re: OS/2 2.0 (OS/2)

[email protected] writes:
>We did some limited testing DOS viruses under a widely distributed
>July 1991 Beta version of OS/2 2.0 (driver number 6.149, if anybody
>cares). The following notes hold *only* for that Beta version; the
>ship level version (whenever it happens) may be different in some
>particulars. (I'm not in any way affiliated with the OS/2 2.0
>development group, other than working for the same company.)
>
[some stuff deleted]
>
>Minuses:
>(-)No file-level access controls. (Arggghhh!)

It won't take long before somebody makes this extension. With it I
think we will be able to get rid of the virus problem on PCs. Not
because the system will be completely fool-proof, but the entrance
level should be high enough to stop the majority of todays virus
writers.

------------------------------

Date: 10 Oct 91 20:37:50 +0000
>From: [email protected] (Johnathan Vail)
Subject: Re: SF Worms/Viruses (Re: HW not a solution)

[email protected] (Jay Skeer) writes:

>P.P.S. I got the idea of a computer virus from an old S.F. book. In
>the book they actually describe a worm (and called it that) ...
>.... This was in 1983 or 4.
>Does any one know the name of that book, or of an earlyer reference to
>computer viruses?

In early 1980 I remember reading about 'worm' research at Xerox PARC.
After reading that I went and hacked a couple of (what we now would
call boot sector) viruses for an Apple ][. This was in 1980 so
certainly the concepts were known and experimented with in the 70's.

If anyone has information or references about the PARC work I would be
curious to read about it again.

PS in an ironic misnomer I called my virus a 'worm' after the PARC
ones I was trying to emulate on a personal computer.

"Death Machines: they shook hands. I could hear the metal grind as
their palms met. Their eyes flickerd. Their mouths opened."
-- Henry Rollins about lawyers
_____
| | Johnathan Vail | [email protected]
|Tegra| Member: LPF | [email protected](WorldNet)
----- (508) 663-7435 | [email protected]

------------------------------

Date: Thu, 10 Oct 91 14:02:58 -0700
>From: Mike Ramey <[email protected]>
Subject: DIR-II virus, symptoms ??? (PC)

How will I know if DIR-II hits my computer lab ???
I'm a computer tech, not a researcher, and would like to
know what the symptoms are. Thanks,
- -Mike Ramey, Civil Eng, Univ of Wash, Seattle WA 98195-

------------------------------

Date: 10 Oct 91 20:49:08 +0000
>From: [email protected] (Johnathan Vail)
Subject: Re: DIR II (Cluster) Virus (PC)

A question of terminology follows:

In private discussion with turtle (Fred Waller) he raises this point
about the DIR 2 virus:

It's not a worm, it's not a virus, but it's a virus that is a worm.
I think we have to revise definitions, rather than insist that virus
writers conform to the definitions that we have accepted <g>.

In my collection of terms I define virus and worm thus:

virus - a piece of code that is executed as part of another program
and can replicate itself in other programs. The analogy to real
viruses is pertinent ("a core of nucleic acid, having the ability to
reproduce only inside a living cell"). Most viruses on PCs really are
viruses.

worm - A self-replicating, autonomous program (or set of programs)
that can replicate itself, usually over a network. A worm is a
complete program by itself unlike a virus which is part of another
program. Robert Morris's program, the Internet Worm, is an example of
a worm although it has been mistakenly identified in the popular media
as a virus.

My claim is that DIR 2 can legitimately be called a virus since it is
logically still part of another program and relies on a host program
being run in order to get an execution thread.

Comments and discussion are welcome.

jv <- "floor wax or desert topping?"
_____
| | Johnathan Vail | [email protected]
|Tegra| Member: LPF | [email protected](WorldNet)
----- (508) 663-7435 | [email protected]

------------------------------

Date: Thu, 10 Oct 91 19:22:08 -0700
>From: [email protected] (Fred Waller)
Subject: Response re DIET (PC)

I apologize for any `off-topicness'(?) of this post - won't pursue
it further. However, some replies were received here regarding a
comment I made on DIET, the excutable compressor that uses viral
techniques for good purpose, and I'd like to respond briefly:

Writes [email protected] (Ping Huang):

> I find it interesting that DIET has branched out in function as
> you have described, thus making it much more like a general-
> purpose on-the-fly disk compressor such as Stacker or DoubleDisk,
> or, for that matter, a set of utilities (freely distributable but
> still copyrighted) published by PC Magazine some years back called
> DCOMPRESS. However, the fact that these commercial utilities have
> existed for many years negates your claim that DIET is first in
> providing this kind of functionality...

Well, STACKER and other commercial systems, including the ExpanZ
card, etc., encrypt the entire disk volume. They are not equivalent
to Matsumoto's DIET v1.10a, which compresses individual files,
chosen on the fly by the user, and which can coexist with non-
compressed files. DIET files remain DOS files and may be copied,
renamed, transferred to another system and decompressed there, etc.
Also, DIET has some inherent intelligence and will not try to
compress again files that are already compressed, such as archives,
or smaller than one disk allocation unit.

I wasn't familiar with the DCOMPRESS program, so I went and
downloaded its source code before posting this reply. I found that
DCOMPRESS is a rather different animal from DIET: it requires that
the user prepare ahead of time special ASCII files for each
subdirectoruy, listing files to be excluded, requires that a
separate utility (PCMANAGE) be used to compress the files also
ahead of time, and has other requirements, including the need to
change the system date by one week, then run PCMANAGE, then reset
the system date back again, etc., which render it much less elegant
and more difficult to use than DIET. I intend no offense against
DCOMPRESS' author, but DCOMPRESS is not equivalent to DIET v1.10a.

Thus, I repeat that the functionality offered by DIET v1.10a is
not found in any other program that I know. Its usefulness and
functionality are achieved, to an important extent, by the use
of what might be termed `virus programming techniques'.

Just now, I'm taking a quick first look at v1.20 of DIET, which
has even more interesting features.

Fred Waller

------------------------------

Date: Fri, 11 Oct 91 09:19:27 -0400
>From: Kenneth R. van Wyk <[email protected]>
Subject: Update on Bontchev paper availability

In VIRUS-L Volume 4 Issue 186, I announced the availability of
Vesselin Bontchev's paper, "The Bulgarian and Soviet Virus Factories"
in both TeX and ASCII formats on our anonymous FTP archive,
cert.sei.cmu.edu. As it turns out, the ASCII version was garbled
(due, I'm sure, to my lack of TeXpertise). I've replaced the ASCII
file with a PostScript file which appears to be (at least) better, and
I removed the ASCII file from the archive.

If any avid TeX user out there cares to take the time to properly
format the paper into an ASCII document, I would be happy to replace
the .doc file. It would be most appreciated!

Sorry for any inconvenience.

Ken

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 188]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253