Date: Fri, 9 Oct 1992 09:17:11 -0400
Message-Id: <[email protected]>
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V5 #161
VIRUS-L Digest   Friday,  9 Oct 1992    Volume 5 : Issue 161

Today's Topics:

report on virus detection (PC)
Re: VIRSCAN detects Yankee-Doodle 2885 (PC)
Question:NOVI anti virus (PC)
Re: Re[2]: NAVSCAN (PC)
CPAV false positives (was FLIP) (PC)
Re: Recent IBM Virus List? (PC)
Re: FLIP (PC)
Virus Scanner Comparisons (PC)
Brazil Virus! (PC)
Virus alert: "Larry on a Screen" (PC)
How trojans work. (PC)
Re: FLIP (PC)
FileSize Checking Program (PC)
OS/2 version of Integrity Toolkit (OS/2)
A less virus prone architecture
driver's licence
Re: network security
Re: The Harmless Virus
Re: MacMag, the original data virus! (CVP)
Re: The Hacker Files (Vol 5 #156)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to [email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk

----------------------------------------------------------------------

Date:    Sun, 04 Oct 92 18:18:08 -0400
From:    [email protected]
Subject: report on virus detection (PC)

Hello everybody,

In August this year I completed a report on virus detection. This report
was the result of my traineeship at the Dutch National Criminal
Intelligence Center (CRI). The abstract of the report reads as
follows:

              An  evaluation  of  different  techniques  for  virus
              detection. The discussion is sufficiently general  to
              be  applicable to a  substantial number  of computing
              platforms.  All mentioned  practical  issues  concern
              the MS  DOS  operating  system.  Improvement  of  the
              operating   system   is   presented   as   the   most
              fundamental  and therefore  effective way  to  tackle
              the virus problem.

I have produced an ASCII version of the report, which should now be
available for interested readers through anonymous ftp at
ftp.informatik.uni-hamburg.de, in the directory
pub/virus/texts/viruses. The filename is virusdet.zip.

Any constructive criticism concerning the contents of the report is
welcome at my e-mail address.

Patrick Min
Leiden University
[email protected]

------------------------------

Date:    05 Oct 92 13:48:32 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: VIRSCAN detects Yankee-Doodle 2885 (PC)

[email protected] (David M. Chess) writes:

> I think F-Prot calls it "Yankee (TP-44)".  Not too atrociously
> different!  *8) It's not a fascinating virus; it infects COM and EXE
> files, and sometimes plays the tune Yankee Doodle at 5pm.  It also

Well, the understanding of the word "fascinating virus" is subjective,
of course, but for me this virus has one very interesting property -
it is able to repair itself from random errors, using a Hamming
self-correcting code.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany
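
To make the property Vesselin mentions concrete, here is an added example (not the virus's code, and not part of the original post) of the textbook Hamming(7,4) code: each nibble is stored in 7 bits, a single flipped bit per codeword is located by the syndrome and repaired, and two flips in one codeword are silently miscorrected, which is the code's limit. The message bytes and the flipped bit positions are constructed for the demonstration.

```python
def hamming74_encode(nibble: int) -> int:
    """Encode 4 data bits as a 7-bit codeword, bit positions 1..7 laid out
    p1 p2 d1 p3 d2 d3 d4 (position 1 is the most significant bit here)."""
    d1, d2, d3, d4 = (nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1
    p1 = d1 ^ d2 ^ d4      # covers positions 3, 5, 7
    p2 = d1 ^ d3 ^ d4      # covers positions 3, 6, 7
    p3 = d2 ^ d3 ^ d4      # covers positions 5, 6, 7
    bits = [p1, p2, d1, p3, d2, d3, d4]
    return sum(b << (6 - i) for i, b in enumerate(bits))


def hamming74_decode(codeword: int) -> tuple:
    """Return (nibble, corrected). A non-zero syndrome is the 1-based position
    of a single flipped bit, which is repaired before the data bits are read."""
    bits = [(codeword >> (6 - i)) & 1 for i in range(7)]
    s1 = bits[0] ^ bits[2] ^ bits[4] ^ bits[6]
    s2 = bits[1] ^ bits[2] ^ bits[5] ^ bits[6]
    s3 = bits[3] ^ bits[4] ^ bits[5] ^ bits[6]
    syndrome = s1 | (s2 << 1) | (s3 << 2)
    corrected = False
    if syndrome:
        bits[syndrome - 1] ^= 1
        corrected = True
    nibble = (bits[2] << 3) | (bits[4] << 2) | (bits[5] << 1) | bits[6]
    return nibble, corrected


def encode(data: bytes) -> bytes:
    """Each input byte becomes two codewords (one per nibble), stored one per byte."""
    out = bytearray()
    for b in data:
        out.append(hamming74_encode(b >> 4))
        out.append(hamming74_encode(b & 0xF))
    return bytes(out)


def decode(coded: bytes) -> tuple:
    """Return (recovered bytes, number of codewords that needed a repair)."""
    out, repairs = bytearray(), 0
    for i in range(0, len(coded), 2):
        hi, fixed_hi = hamming74_decode(coded[i])
        lo, fixed_lo = hamming74_decode(coded[i + 1])
        out.append((hi << 4) | lo)
        repairs += fixed_hi + fixed_lo
    return bytes(out), repairs


def flip_bit(buf: bytes, index: int, bit: int) -> bytes:
    """Simulate a random error: flip one bit (0..6) of the codeword at index."""
    damaged = bytearray(buf)
    damaged[index] ^= 1 << bit
    return bytes(damaged)


if __name__ == "__main__":
    message = b"self-repair"                            # constructed sample payload
    coded = encode(message)
    damaged = flip_bit(flip_bit(coded, 0, 3), 5, 0)     # one error in each of two codewords
    print(decode(damaged))                              # (b'self-repair', 2)
    double = flip_bit(flip_bit(coded, 0, 1), 0, 2)      # two errors in one codeword
    print(decode(double)[0])                            # wrong: miscorrected, not detected
```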

------------------------------

Date:    05 Oct 92 19:19:48 -0500
From:    [email protected]
Subject: Question:NOVI anti virus (PC)

Hi there,

I do not know if this newsgroup is the right one for my posting, but
anyway, I got together with a couple of friends last weekend, and after
a long talk, mostly about computers, we came to the virus topic. One
of them mentioned an anti-virus program called 'NOVI anti virus'; this
one supposedly needs no upgrade, because the program can upgrade
itself. In other terms, NOVI can find a new virus and kill it. Out of
curiosity, I would like to know if this anti-virus program really
works. If anybody knows of it, or has used it before, please e-mail.
Thanks in advance.

-Oemar-
[email protected]

------------------------------

Date:    Tue, 06 Oct 92 14:40:57 +0000
From:    [email protected] (N. Michelis)
Subject: Re: Re[2]: NAVSCAN (PC)

[email protected] (Peter Duffield) writes:

>[email protected] writes:

>>Robert Slade reports:
>>>> Where can i get NAVSCAN?  or When its gonna be out?
>>
>>It is on Compuserve in the following locations: NORUTL, VIRUS, IBMSYS,
>>and UKFORUM.  It is available from the Symantec BBSs: 2400:
>>408-973-9598, 9600: 408-973-9834.

>You will also find it for anonymous ftp on wuarchive.wustl.edu in the
>directory /pub/MSDOS_UPLOADS

What version is this?

NAV has released an upgrade for 2.0. NAV 2.1 is available and scans
1400+ viruses. It costs $30 (AUS) for the upgrade plus postage. Ring
Symantec for more details.

------------------------------

Date:    Tue, 06 Oct 92 18:01:53 +0000
From:    [email protected] (Robert Slade)
Subject: CPAV false positives (was FLIP) (PC)

Unfortunately this is a fairly well known false positive.  Central
Point does not encrypt their signature search strings, either on disk
or in memory.  Therefore, wherever CPAV uses the same search string as
other scanners (as in the case of FLIP), CPAV will be identified as
being infected.  If you run the TSR scanner portion of CPAV and then
use another scanner, you will also find the "infection" in memory.

Incidentally, further to Microsoft's inclusion of portions of CPAV in
MS-DOS version 6, someone who has seen a beta copy indicates that
VSAFE will be included.  Fortunately, VSAFE is the activity monitor
portion, and does not do any signature scanning.

=============
Vancouver      [email protected]         | "Remember, by the
Institute for  [email protected]      |  rules of the game, I
Research into  [email protected]         |  *must* lie.  *Now* do
User           [email protected]         |  you believe me?"
Security       Canada V7K 2G6           |    Margaret Atwood

------------------------------

Date:    Tue, 06 Oct 92 18:17:31 +0000
From:    [email protected] (John Mechalas)
Subject: Re: Recent IBM Virus List? (PC)

[email protected] (Fridrik Skulason) writes:
>[email protected] (John Mechalas) writes:
>
>>Where can I find a current list of known IBM viruses that is in the
>>public domain?
>
>If you find one, let me know :-)

I will.  I promise.  :)

>Seriously, there is no list that is 100% up to date - with several new
>viruses arriving every day it is not possible.  You can get a
>reasonably good list from several sources, but no 100% complete.

Obviously there won't be a 100% complete one.  :) But, according to the
FAQ for this group, for instance, it says that the catalogs at
informatik.de are incomplete for the IBM listings...is there a more
complete version?
Your F-Prot database, for instance, is pretty close to what I am
looking for, but in a public-domain listing.

> I am looking for
>
>      virus name: Yeah, me too  :-) ....unfortunately, there is still a lot of
>                  naming confusion in this field.

Understood.

>
>      type: I assume you mean "Resident/Non-resident" and what it infects,
>           right ?

Exactly.

>
>      disinfectant method: I am not sure what you mean by this - I don't
>            think any publicly available virus list describes the method to
>            disinfect them.

I realized afterwards that this was not really a good question, but it
was too late to edit the article after I sent it.  :) I meant, can it
be removed by disinfectant software, or must it be replaced?  This is,
however, essentially irrelevant, since the best "cure" for an
infection is to *always* replace the offending files with clean
backups.  So just ignore this one.  :)

--
John Mechalas                             [This space intentionally left blank]
[email protected]
Purdue University Computing Center                 Help put a ban on censorship
General Consulting                                        #include disclaimer.h

------------------------------

Date:    06 Oct 92 20:16:41 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: FLIP (PC)

[email protected] (CS/DO;675-3254) writes:

>Vivek Swarup of moh.gov.on.ca writes:

>>On 1 of our PCs CPAV detected some virus but could not tell us which
>>one.  We obtained a copy of f-prot V2.02 which indicated this system
>>had a FLIP Virus. We obtained a new version of f-port (v2.05) which
>>indicated the PC has the TELECOM Virus.

Both are wrong - What F-PROT is really detecting are virus signatures
left in memory by the Central Point programs.  The same applies to
several other anti-virus programs - they produce false alarms on the
Central Point anti-virus software.

PLEASE, PLEASE read the CPAV manual.  It specifically states that CPAV
is not compatible with other anti-virus programs. The problem is
really that CPAV contains various virus signatures, and unlike any
decent anti-virus program, it does not bother to encrypt them.

If you use CPAV, don't use any other anti-virus program.

(or better....don't use CPAV :-)....)

-frisk

------------------------------

Date:    Tue, 06 Oct 92 17:35:00 -0500
From:    <[email protected]>
Subject: Virus Scanner Comparisons (PC)

Some time back, virus scanner comparison data was posted to this
newsgroup.  I thought I saved a copy of it, but apparently I was
hallucinating. I would really appreciate it if some kind soul would
either re-post it or point me to an ftp site containing the
information. Our department is in the process of choosing a scanner or
scanners for internal use. Post or E-mail, whichever you prefer.

--
Joe Lawrence                   |"All opinions are mine, not Rockwell's"
Engineering Support Services   | To do is to be - Nietzsche
Rockwell International         | To be is to do - Sarte
[email protected] | Do be do be do - Sinatra

------------------------------

Date:    Tue, 06 Oct 92 19:27:44 -0400
From:    [email protected]
Subject: Brazil Virus! (PC)

I want to thank Brian Seborg, Vesselin Bontchev, McAfee, and Fridrik
Skulason, who answered my request on the Brazil Virus!

I've summarized the answers to the list where I read the report about
the virus. But I do not have an infected copy.

LUIZ ARTHUR PAGANI
DEPARTAMENTO DE LETRAS VERNACULAS E CLASSICAS
CENTRO DE LETRAS E CIENCIAS HUMANAS
UNIVERSIDADE ESTADUAL DE LONDRINA
LONDRINA - PARANA' - BRASIL
CAIXA POSTAL 6001 - CEP 86051-970
TEL: (0432) 21-2000 RAMAL 428
FAX: (0432) 27-6932
E-MAIL: [email protected]
RESIDENCIA: R. PARANAGUA', NO. 2035, APT. 203 - CENTRO - LONDRINA
           CEP: 86.015-030
           TEL: (0432) 23-9956

------------------------------

Date:    Wed, 07 Oct 92 02:05:17 +0000
From:    [email protected] (Brian Marriott)
Subject: Virus alert: "Larry on a Screen" (PC)

A virus has shown up in Tasmania, Australia, which we haven't seen
reported before, and which isn't known by name to F-Prot 205 or TBScan
43 (although they both pick it up by heuristics).

We have only analysed it far enough to get its name and an ID
string;  we don't know potential damage.

Name: Larry on a Screen
Infects: .EXE & .COM files  (at least)
COM files grow by 491 bytes, .EXE files by 403 bytes (or so it
seems on samples of one of each)

Signature strings: "Larry on a Screen"
                Hex"50cbbf00018b750181c6d90257b90500fcf3a481"

Further information may be obtainable from:
Russell Twining ([email protected])
Brian Marriott  ([email protected])

-----------------------------------------------------------------------
Brian Marriott, Department of Computer Science,  University of Tasmania
Mail: GPO Box 252C, Hobart, Tasmania 7001, AUSTRALIA. Ph: +61-02-202929
Internet: [email protected]                Fax: +61-02-202913

------------------------------

Date:    Tue, 06 Oct 92 22:10:30 -0400
From:    FIRED UP...ALL FIRED UP...PRG 2026 <[email protected]>
Subject: How trojans work. (PC)

Hello, my name is Andy Hardison and I am a BBS sysop with a problem.
I was notified by a user of a program that scanned clean, but when
run, caused a Michelangelo infection.

Here is what I was told: Xyphr.zip was unzipped to form the game
files, Xyphr.exe, .dat, etc.  When trying to run Xyphr, the computer
would hang.  My user rebooted the computer with a CTRL-ALT-DEL.  Since
he thought it was a memory problem, he ran Quarterdeck's Manifest, MFT.
He thought he was running MFT.exe, but there was a 300 or so byte
MFT.com file present.

He typed in MFT and his computer locked up again.  Upon a second
reboot, with an actual powerdown, the computer lost some files.  He
scanned with F-Prot and McAfee.  Both reported Michelangelo in the
boot track.

Could someone out there explain to me how Michelangelo could have
gotten onto the system via this method of infection?  My user is more
paranoid about virii than I am (I scan all incoming files, but do not
run the executables).  He did not have an infected computer before
running Xyphr, but did after the above mentioned sequence of events.
Any help would be appreciated.


                                               andy hardison

                                       [email protected]
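
The detail worth checking in Andy's account is the 300-byte MFT.com sitting beside MFT.exe: when both exist, DOS runs the .COM for a bare `MFT` command. Here is an added example (not from the post, and not an analysis of Xyphr) of a defender's check that walks a directory and lists every such .COM/.EXE pair, flagging small .COM files; the sample directory it builds and the size threshold are constructed for the demonstration.

```python
import os
import tempfile

# Constructed threshold: a genuine program is rarely this small, while the
# file in the post was "300 or so bytes".
SMALL_COM_BYTES = 1024


def find_companions(root: str) -> list:
    """Walk root and, per directory, pair files by case-insensitive basename.
    Report every name that exists as both .COM and .EXE: for a bare name,
    DOS searches .COM before .EXE, so the .COM is what actually runs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        by_stem = {}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = name
        for stem, exts in sorted(by_stem.items()):
            if ".com" in exts and ".exe" in exts:
                com_size = os.path.getsize(os.path.join(dirpath, exts[".com"]))
                findings.append({
                    "dir": dirpath,
                    "stem": stem,
                    "com": exts[".com"],
                    "exe": exts[".exe"],
                    "com_size": com_size,
                    "suspicious": com_size < SMALL_COM_BYTES,
                })
    return findings


def build_sample_tree() -> str:
    """Constructed directory mirroring the layout in the post (contents are
    filler bytes, not real programs)."""
    root = tempfile.mkdtemp(prefix="companion-demo-")
    files = {
        "MFT.EXE": b"MZ" + b"\x00" * 4000,         # stand-in for the real Manifest
        "MFT.COM": b"\xeb\x10" + b"\x90" * 300,     # ~300-byte file shadowing it
        "XYPHR.EXE": b"MZ" + b"\x00" * 2000,
        "XYPHR.DAT": b"data",
        "EDIT.COM": b"\xb8\x00\x00" * 30000,        # lone .COM, no .EXE twin: not reported
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for hit in find_companions(build_sample_tree()):
        label = "SUSPICIOUS" if hit["suspicious"] else "review"
        print(f"{label}: {hit['dir']}: {hit['com']} ({hit['com_size']} bytes) "
              f"shadows {hit['exe']}")
```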

------------------------------

Date:    Wed, 07 Oct 92 02:12:43 -0400
From:    [email protected]
Subject: Re: FLIP (PC)

Vivek Swarup of moh.gov.on.ca writes:

>On 1 of our PCs CPAV detected some virus but could not tell us which
>one.  We obtained a copy of F-Prot V2.02 which indicated this system
>had a FLIP Virus.  We obtained a new version of F-Prot V2.05 which
>indicated the PC has the TELECOM Virus.  Shortly there after we had

The explanation of the FLIP report by Henry Tindall of ankar2.af.mil
was an excellent example of conflicts between different anti-viral
products when cross-testing files, although other conflicts arise when
different anti-viral products are run consecutively, due to testing
residue in system memory, which we believe to be the case in the
TELECOM report by F-Prot that led us to the discovery of these
residue conflicts.  The following are the results of testing
a Norton Disk Doctor undo file from the removal of the STONED virus
from a floppy disk.  Similar results can be achieved using any file
and various products run consecutively without cold rebooting to a
clean DOS between tests.

Norton Anti-Virus           Nothing
Virex                       Possible Stoned Dropper
ViruScan                    Nothing
Central Point Anti-Virus    Nothing
F-Prot                      Signs of Cascade in Memory
F-Prot                      Signs of Telecom in Memory
Integrity Master            P1 active in Memory
Virex                       Stoned Active in Memory
Scan                        Nothing

The initial Virex result is a correct result, although the others
are semi-correct in their own ways.  Since it is almost impossible
for anti-virus developers to test for these types of inconsistencies,
it is very important to cold boot between anti-virus tests.
I hope to have full testing results available within the next month
for all interested parties.

H.
I.                                  Marc Alon-Tolbert
Industries                           Internet: [email protected]
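
As an added illustration of the point made by Robert Slade, frisk and Marc Alon-Tolbert above (example code, not CPAV's or any vendor's): a scanner whose on-disk database stores raw search strings is itself "detected" by a second scanner that uses the same strings, while a database that stores them XOR-masked, or only as length plus SHA-256 digest, is not. The signature bytes and the sample file are constructed for the example and are not real virus signatures.

```python
import hashlib

# Constructed sample search strings standing in for a product's signature set.
# They are made up for this example and are not real virus signatures.
SIGNATURES = [
    b"\xe9\x10\x00CONSTRUCTED-SIG-A",
    b"\xb4\x4c\xcd\x21CONSTRUCTED-SIG-B",
]


def scan_plain(data: bytes, signatures: list) -> list:
    """Scanner A: naive substring search. Returns the indexes of signatures found."""
    return [i for i, sig in enumerate(signatures) if sig in data]


def build_plaintext_database(signatures: list) -> bytes:
    """Scanner B's on-disk database the way the posts describe CPAV's: raw,
    unencrypted search strings. Record = one length byte + signature bytes."""
    return b"".join(bytes([len(s)]) + s for s in signatures)


def mask(sig: bytes, key: int = 0x5A) -> bytes:
    """XOR every byte with a constant so the raw pattern never appears on disk.
    XOR is its own inverse, so the same call unmasks."""
    return bytes(b ^ key for b in sig)


def build_masked_database(signatures: list, key: int = 0x5A) -> bytes:
    return b"".join(bytes([len(s)]) + mask(s, key) for s in signatures)


def load_masked_database(blob: bytes, key: int = 0x5A) -> list:
    """Unmask into memory at load time. The plaintext strings now live in RAM,
    which is exactly what a memory scan run afterwards will find."""
    sigs, pos = [], 0
    while pos < len(blob):
        n = blob[pos]
        pos += 1
        sigs.append(mask(blob[pos:pos + n], key))
        pos += n
    return sigs


def build_hashed_database(signatures: list) -> list:
    """Store only (length, SHA-256) per signature: neither the disk file nor the
    loaded table contains the pattern, so another scanner has nothing to match."""
    return [(len(s), hashlib.sha256(s).digest()) for s in signatures]


def scan_hashed(data: bytes, hashed_db: list) -> list:
    """Scanner B with the hashed database: hash every window of each stored
    length and compare digests. Slow, but it never reconstructs the pattern."""
    hits = []
    for i, (n, digest) in enumerate(hashed_db):
        windows = (data[p:p + n] for p in range(len(data) - n + 1))
        if any(hashlib.sha256(w).digest() == digest for w in windows):
            hits.append(i)
    return hits


if __name__ == "__main__":
    plain_db = build_plaintext_database(SIGNATURES)
    print("scanner A on plaintext DB:", scan_plain(plain_db, SIGNATURES))  # [0, 1]: false positive
    print("scanner A on masked DB:   ", scan_plain(build_masked_database(SIGNATURES), SIGNATURES))  # []
    sample = b"MZ" + b"\x90" * 16 + SIGNATURES[1] + b"\x00" * 8      # constructed "infected" file
    print("scanner B (hashed) on sample:", scan_hashed(sample, build_hashed_database(SIGNATURES)))  # [1]
```

The masked form only moves the problem from disk to memory, which is the residue the posts describe; the hashed form has nothing to decode at any point.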

------------------------------

Date:    Wed, 07 Oct 92 14:16:35 +0000
From:    [email protected] (Blow Me Down)
Subject: FileSize Checking Program (PC)

Hi all,
I'm looking for a program that saves a checksum of files on the PC and
later checks for file changes automatically.  I'm after a program that
does something like CPAV (Central Point Anti-Virus), but I'm not using
the virus checker.  Does anyone know of such a program?  If so, please
E-mail me.

Thanks in Advance...
Chris
E-Mail : [email protected]

--------------------------------------------------------------------------
Chris Chew Hong Gunn      |    A Signature?
B.Sc/B.E (Third Year)     |    I'll have to think about it...
University of Tasmania    |    Email:  [email protected]
Australia                 |            [email protected]
--------------------------------------------------------------------------
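
An added example of the kind of program Chris asks for (not any existing product's code): a baseline of keyed SHA-256 checksums over a directory tree, saved as JSON, and a later comparison that reports added, removed and changed files, including a file whose size did not move. The directory contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for this example. A real deployment keeps the key and the
# baseline off the scanned machine or on write-protected media; otherwise
# whatever modifies a file can recompute its entry as well.
DEMO_KEY = b"example-integrity-key"


def file_mac(path: str, key: bytes = DEMO_KEY) -> str:
    """Keyed SHA-256 over the whole file, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def snapshot(root: str, key: bytes = DEMO_KEY) -> dict:
    """Map every file under root (relative, '/'-separated) to its size and MAC."""
    table = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            table[rel] = {"size": os.path.getsize(path), "mac": file_mac(path, key)}
    return table


def save_snapshot(table: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(table, f, indent=1, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline. 'same_size' lists changed files
    whose length did not move, the case a size-only check would miss."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = baseline.keys() & current.keys()
    changed = sorted(p for p in common if baseline[p]["mac"] != current[p]["mac"])
    same_size = [p for p in changed if baseline[p]["size"] == current[p]["size"]]
    return {"added": added, "removed": removed, "changed": changed,
            "same_size": same_size}


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: take a baseline, then overwrite one file in place
    (same length), add a file and delete another, and diff against the baseline."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    store = tempfile.mkdtemp(prefix="integrity-store-")   # baseline kept outside the tree
    _write(root, "COMMAND.COM", b"\x90" * 100)
    _write(root, "UTIL/MFT.EXE", b"MZ" + b"\x00" * 50)
    baseline_file = os.path.join(store, "baseline.json")
    save_snapshot(snapshot(root), baseline_file)
    # Same-length overwrite: a size check stays quiet, the MAC does not.
    _write(root, "COMMAND.COM", b"\x90" * 90 + b"OVERWRITE!")
    _write(root, "NEW.COM", b"\xeb\xfe")
    os.remove(os.path.join(root, "UTIL", "MFT.EXE"))
    return compare(load_snapshot(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```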

------------------------------

Date:    Mon, 05 Oct 92 02:46:23 -0400
From:    [email protected] (Fred Cohen)
Subject: OS/2 version of Integrity Toolkit (OS/2)

Yes Vess, there is a Santa Claus.

       Integrity Toolkit for OS/2 is called the Protection Toolkit,
and provides most of the current features of Integrity Toolkit.  Soon,
it will exceed IT.  P.T. currently includes login by user ID
w/password, integrity shell and snapshot under DOS box, known virus
scanner, crypto-checksum, DOS box trap mechanisms, and the nice
management tool.  As soon as IBM sends us the driver information
(which they seem to want to withhold until other vendors have a 6
month lead on us), we will have disk-wide encryption using DES, ANSI
standard, and other user settable algorithms, full OS/2 integrity
shells, OS/2 based access controls, network access controls, and lots
of other good stuff. - Thanks for the plug :)(:))=-_)* - how do you do
that thing?
FC

------------------------------

Date:    Mon, 05 Oct 92 00:54:24 +0000
From:    [email protected] (robert j kolker)
Subject: A less virus prone architecture

I was reading a book on the Babbage Analytical Engine the other day,
and it occurred to me that a Babbage machine may be less virus prone
than a Von Neumann machine.

A Babbage machine differs from a Von Neumann machine in that its
program is stored externally, on a medium separate from the data store
of the machine. Thus the operands of a program are in store, but the
program that transforms them is not. The Babbage Analytical Engine was
patterned after the Jacquard Loom.

The question I put is this: is a computer, in which the program is
stored in a totally separate memory space from data, less prone to
virus attack or not?

I would appreciate your opinions on this question.

Conan the Libertarian [email protected]
"If you can't love the Constitution, at least hate the Government"

[Moderator's note: Pardon my ignorance on this, but wasn't the Babbage
machine a 19th century mechanical computing device, and isn't there an
effort under way to implement (again, in hardware) one of his later
machines?  Are there any software implementations of his designs?]

------------------------------

Date:    05 Oct 92 03:53:35 +0000
From:    [email protected] ( )
Subject: driver's licence

I just got my California driver's licence, the new one with the
magnetic stripe on the back where an officer of the law can
see my whole life story in one stroke.
Strictly for information purposes only, are there any viruses
out there that could infect the magnetic stripe on my
CA. licence?   I could build a 'magnetic stripe read and write head'
as long as it is legal in my state to do so.

ps. I have no intention of breaking the law, state or fed.,
nor do I advocate anybody breaking the law.
This is for INFORMATION PURPOSES ONLY AND NOTHING ELSE!!

------------------------------

Date:    05 Oct 92 12:13:14 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: network security

[email protected] (Brian Seborg) writes:

> surprised that the virus was different.  As for 1963 having
> "nothing in common" with the Dark_Avenger virus, I will leave you
> to argue this out with Patricia since she seems to disagree with
> you here.

I have myself disassembled 1963 completely. Simultaneously, in my
contacts with Patricia Hoffman I came to the conclusion that she is not
able even to -read- the well-commented virus disassemblies sent to
her, let alone to disassemble a virus herself. Sorry, but I will not
even argue with her on this subject.

> my posting!?!  I am not sure why you wasted the band width to
> revisit this since it was obvious to any reader that no definitive
> answer was being provided.

Because I saw a claim which I knew was wrong, so I decided to post a
correction, in order to prevent the readers from getting false
knowledge about this particular virus. I definitively do not consider
this a "wasted bandwidth".

> While I must agree that VSUM does have its share of errors, and
> provides little in the way of "down and dirty" technical
> information, I still believe it is a good reference for ball-
> parking whether you have a particular virus or not.  I have to

No, this is exactly what it does not provide. It might have been useful
when SCAN used to identify viruses better, since then VSUM contained
the name that SCAN gave to the particular virus. Nowadays SCAN is
completely useless for virus identification and the virus names in
VSUM do not have even this value.

There is nothing in VSUM that really helps you identify which virus
you have. No virus maps for exact identification. No cross-reference
between the names that the different products use. No correct
technical information. Even such basic information as the virus
infective length is sometimes wrong. Several of the listed viruses do
not exist (I know, I have the appropriate files from Patti's
collection). Several viruses are listed twice or more times, under
different names - and curiously - with different properties. For most
viruses it is said "It is not known what the virus does besides
replicate" - even for those viruses for which the name suggests what
they are doing...

My (wild) guess is that the information in VSUM is a combination of
what Mrs. Hoffman has been told about the virus and what she has
observed when running the virus on a sacrificial system.

> admit that I prefer the descriptions put out by Brunnestein's
> students (including you) for accuracy, although the user-
> friendliness of the lists containing these descriptions leaves
> something to be desired.:-)

I know, I know... :-) We are working on the subject...

> >Astra viruses infect only device drivers. Some viruses (Tequila
> >and StarShip, I think) will not

> Wrong about Tequila, it infects just fine.

Well, I wrote "I think", didn't I? I was not sure, because I didn't
have the disassembly of the virus in front of me.

> Remember, it is a multi-partite virus and it does go TSR.

So is StarShip, yet it works exactly in the way I described. And I
don't just "think" this time - I -know- it.

> >infect, if you don't have a hard disk - because they don't go
> >resident when you run an infected file, but only modify the MBR
> >and wait until the user reboot... There are some other pitfalls.
> > We have a huge amount of files here, about which we cannot easily
> >decide whether they are viruses, trojans, buggy programs, or just
> >innocent tools.  They all refuse to replicate on the systems we
> >have tested them, but this does not imply that they will not
> >replicate on some other

> But this does imply that they are unlikely to represent a threat
> since there survival is unlikely.

Huh, as far as I remember, the question of what exactly represents a
threat was mentioned neither in your message nor in my
reply. You were just listing a few methods to determine whether
what you have is really a virus or not, and I pointed out that in some
cases it doesn't work. That's all.

> >systems. The only way to solve the problem is to disassemble each
> >one of them and see what it does. And this is a LOT of work...

> No disagreement here.  Disassembly is obviously the best solution,
> however, many users are not assembly programmers, and are unlikely
> to be able to dis-assemble the virus.  Also, in cases where the

In this case I am not speaking about the users - they don't have to
bother with all those "unknown" files from our collection. I am
speaking about us, and we -are- both good assembly language
programmers and able to disassemble a virus. Gosh, we are doing this
all the time; we are even teaching the students how to do it... My
point was that it is a lot of work - for us - to disassemble all those
files. And this work is low-priority, because we have to deal with
lots of viruses every day that -do- replicate perfectly...

> user notices changes in files (like the one we are speaking of) my
> suggested technique works well.  I never said that it was "the only

Your suggested technique sounded (to me, at least) as a general
approach for dealing with viruses. It is indeed useful as such, it
just needs to be updated and refined, what I believed to do with my
message. Sorry for any misunderstanding.

> virus.  Also, continually bringing up viruses which have "new" and
> "different" techniques that have often never been seen "in the
> wild", or which are only the product of an active imagination may
> be a useful academic exercise, but let's put some statistics next
> to these viruses you have noted.

I strongly disagree with you here. To constantly bring up new
"research" techniques here definitively has a beneficial effect. Here
is one example. The Dir_II virus is -extremely- spread in Bulgaria.
More than 90% of the requests for help to my Lab there are for this
virus - they have documented statistics about this. Yet, I made a lot
of fuss about this virus here, so now most of the popular scanners are
able to detect it (McAfee's CLEAN can even remove it), and we
succeeded in preventing the wide spread of this virus in the West.

Second example. I made a lot of fuss about the MtE, so now several
scanners are able to detect it. When I was in Bulgaria this summer, I
met a virus writer and asked him whether he intends to use the MtE.
The answer was "Why bother, even McAfee can detect it!". The truth is
that SCAN does not detect the MtE reliably, but so what... The
important thing is that we prevented a wave of MtE-based viruses.

> Have they infected any computers
> at all other than in the lab?  Let's be reasonable!?!  I act as the
> CERT for a network with over 350 servers, and 10,000 nodes.  In
> addition, we have over 3000 lap-tops.  If I were "fishing" for

My Lab in Bulgaria is basically the only official anti-virus
supporting team in Bulgaria and they have almost half a million of PCs
in that country. This, combined with the fact that several people
consider writing and/or releasing a virus there to be some kind of
entertainment, leads to some unexpected results...

For instance, I have seen myself Anti-Pascal.605 in the wild -
combined with Cascade. If you have ever disassembled this extremely
stupid virus, you'll understand my surprise.

Also, can you believe that I spent almost a week hunting for Kamikaze
- a silly overwriting virus that should never spread at all? (I
finally nailed it using an integrity checker, but this is another
story, which I could tell you if you are interested.)

> a virus.  I think it's time we started being realistic about the
> actual threat from these viruses.

No disagreement here, although we probably interpret the above
sentence differently...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    05 Oct 92 13:43:11 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: The Harmless Virus

[email protected] writes:

> This is a simple oversight, but writing the perfectly harmless virus
> requires this knowledge plus perfect knowledge of all other relevant
> factors about every system in the population.  Such perfect knowledge
> is impossible.

The above is, of course, true, but it also holds for any program, not
just for viruses. It is not possible to write a perfect program which
will not damage anything under any conditions, just because of the
reasons that you are listing. Some such "imperfect" programs are
significantly more widespread than some of the "research" viruses.
:-) The only advantage is that they don't replicate by themselves and
do not try to run on your computer without your permission...

(Note: I am not advocating the writing of "harmless" viruses, I am
just observing a fact.)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected]    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 06 Oct 92 14:50:42 -0400
From:    [email protected] (Joseph D. McMahon)
Subject: Re: MacMag, the original data virus! (CVP)

[email protected] writes:
>
> Semantics aside, how could a data file affect the system at all?
>
> Well, more and more programs have "macro", "script" or interpreter
> capability.  Thus the distinction between data and program blurs.
> Hypercard stacks have "commands" as well as data associated with
> them.  Generally, these commands only govern the ability to "flip"
> from one "card" to another.  However, an extended command set, XCMD,
> allowed for additional functions beyond those normally available in
> Hypercard.  This was used to affect the system changes.

Calling MacMag a "data virus" disturbs me. I thought that the
definition of a data virus was a virus which is transported as a
non-executable and which is then transformed into an executable virus
when the file is used. This is a bit of a semantic clash, as I
understand the definition vs. the actual XCMD mechanism.

HyperCard XCMDs are executable resources of arbitrary function written
by a programmer in C or Pascal (masochists may use assembler, if they
wish).  They are installed as XCMD resources into a stack and provide
an extension to the normal command set provided in HyperCard
"scripts".

The phrase "arbitrary function" is the key here. The XCMD can provide
any function that a Macintosh application can; the viral XCMD was
simply a section of code which added another executable resource to
the System file.  There was no transformation of data into program;
all viral code was present inside the XCMD itself. Any HyperCard stack
containing the XCMD could have been used to spread the virus, simply
by invoking the XCMD by name.

I speculate that the stack was used as a vector because it took less
time to throw a "teaser" Trojan stack together than it would have to
make a throw-away application which would have been sufficiently
tantalizing to get people to download it.

Now, there have been true HyperTalk viruses, in which HyperCard
scripts were written to infect other stacks with the viral script, but
this really isn't a data virus either, because the virus is still an
executable program of sorts.

The closest thing I've seen to a real "data virus" were the "implied
loader" viruses, which subverted a Finder datafile into becoming a
means of replacing part of the System simply because the Finder opened
them.  But this still required an executable resource be present.

I don't think we've really seen a virus which transforms itself from
the executable to the non-executable realm yet. I emphasize "yet".

--- Joe M.

------------------------------

Date:    Tue, 06 Oct 92 23:31:16 +0000
From:    [email protected] (Sten M. Drescher)
Subject: Re: The Hacker Files (Vol 5 #156)

[email protected] (zmudzinski, thomas) writes:

  > ps would send a copy of this to DC Comics but no E-Mail address was given.

>     In issue #1 on the second page of "usr/hacker/mail" (what becomes
>   the letters section in later issues), in the upper right-hand corner,
>   Lewis Shiner (the creator of "THE HACKER FILES") says:

>                     Because   THE  HACKER  FILES   is   spe-
>                     cial,  you have an alternative.  I am in
>                     the process of setting up on-line letter
>                     columns   on   both    the   GEnie   and
>                     CompuServe    bulletin    boards.    The

>   Mr. Shiner must have been at least half-way successful as three of the
>   letters in issue #4 were posted through GEnie.  Try there.

       OK, but I have neither a CI$ nor a GEnie account.  I would
LIKE to have seen an email address to use.

-------------------------------+---------------------------------------------
Sten Drescher                  | There are men who seem like more than men.
AL/HRTI                        | Living examples of what we could be if we
Brooks AFB, TX 78235           | tried.  They are men of courage, compassion,
-------------------------------+ and justice.  On the other hand, there are
[email protected] | presidential candidates.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 161]
******************************************


