home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The World of Computer Software
/
The World of Computer Software.iso
/
vl6-3.zip
/
VL6-3.TXT
< prev
Wrap
Internet Message Format
|
1993-01-15
|
39KB
From lehigh.edu!virus-l Fri Jan 8 03:48:34 1993
Date: Tue, 5 Jan 1993 14:35:58 -0500
Message-Id: <9301051858.AA13030@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #3
Status: R
VIRUS-L Digest Tuesday, 5 Jan 1993 Volume 6 : Issue 3
Today's Topics:
re: os2-stuff (OS/2)
Re: Viruses in OS/2 HPFS (OS/2)
Re: CHRISTMA EXEC (IBM VM/CMS)
Filler virus (PC)
Virus Simulator MtE Supplement (PC)
Re: VSHIELD, VIRSTOP, ... comparison ? (PC)
Clash between FDISK/MBR and scanners (PC)
Invalid Boot Sectors (PC)
Trojan detection/protection (PC)
Re: Is this a new virus? (PC)
ANTI-tel (PC)
Info on Vascina and 1701/1704 in Novell networks wanted (PC)
Does anyone have info on DAME (PC)
MS-DOS CHKDSK & VER /R (PC)
Good use of (possible bad) viruses
Good and bad viruses (was FC on virus creation)
Re: Viral Based Distribution System
TBAV 5.02 and VSIG9214 upload (PC)
The Internet Worm (CVP)
March Virus/Security Conference
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 23 Dec 92 02:36:37 -0500
From: KARGRA@GBA930.ZAMG.AC.AT
Subject: re: os2-stuff (OS/2)
Hi Vesselin,
as pointed out in point 10 at least *.dll and *.drv files contain code which
cannot be executed by the user, but is loaded and executed as any other *.ov?
As there are viruses which infect overlays, they can be infected in a similar
way. However, if the virus is not specialized on these newer formats, they
shurely will be destroyed. BUT: Si vis pacem, para bellum. (If you want peace,
prepare for war.) I hope things will stay too complicated for most virus-
writers for the next 5 x 10^9 years.
Silly me! Forget about point 4...
Yesterday I downloaded the newest versions of McAfees OS2-scanning software.
There is a os2-specific version for netscan, so I'll try this one too, though
I do not expect it will work, as there is no network here on my poor, lonesome
home-pc. :)
Sorry for missing point B8. I'll look it up immediately. Thanks for info.
The only mention of the /EXT= switch of F-Prot I found in NEW.206. It is
definitely missing in COMMANDS.DOC. I just looked up all textfiles. Even
READ_ME.DOC :-)
As I go on vacation, I hope to report my results in January.
A A
AXA AXA
OOO M E R R Y C H R I S T M A S OOO
OVO OVO
V and a V
I I
--- H A P P Y N E W Y E A R ---
I I I I
I I WITHOUT MICH et al. I I
I I Alfred I I
--- ---
------------------------------
Date: Fri, 25 Dec 92 09:12:10 +0000
From: buhr@umanitoba.ca (Kevin Andrew Buhr)
Subject: Re: Viruses in OS/2 HPFS (OS/2)
bjl1@Ra.MsState.Edu (Brett J.L. Landry) writes:
|
| There has been aa lot of talk about OS/2 not being able to be infected
| from regular old DOS boot sector viruses using the HPFS. This is false
| since regular old STONED can infect both logical and physical parttions
| on OS/2 using HPFS. Why wait for true OS/2 viruses when you can suffer
| from regular DOS viruses.
Keep in mind there is at least one special consideration with respect
to OS/2 and the "Stoned" variety of viri, however. Be forewarned that
the following is a mixture of real knowledge and a bit of deduction.
The deduction part might trip me up a bit, but I'm pretty sure most of
the details are accurate.
For one thing, if a boot sector virus infects your system on start up,
it won't survive the OS/2 startup process. You may get the "Your
computer is stoned!" message, since this is displayed (randomly
approximately one out of every eight times in many cases) before the
operating system is loaded. HOWEVER, OS/2's own floppy disk device
drivers will take control of the floppy drive away from the boot
sector virus. The virus will be neutralized, and will not spread to
floppy disks. This will be true whether you are using the HPFS or the
FAT file system.
(In special situations, the virus may remain in a "semi-active" state.
It will not be able to infect floppy disks, but it may still cause a
system crash when the virus is overwritten by OS/2. See the note
below for more information on this.)
"Normal" DOS sessions you start under OS/2 will *not* contain copies
of the virus, because they are not "booted" in the normal sense. Only
special "DOS from Drive A"-style sessions, which are booted from
floppies, could potentially become infected if the floppy was
infected. Only in these cases would the virus be able to spread, and
it would only spread during floppy drive accesses in the infected DOS
sessions; accesses from other sessions would have no effect.
As mentioned above, there is a special case where the boot sector
could remain partially active and interfere with OS/2's operation. To
allow OS/2 to work with special hard disk devices (like Bernoulli
drives, I understand), OS/2 can be set up to use the built-in BIOS
routines for disk control rather than its internal drivers. I'm not
sure how OS/2 behaves in this situation (i.e. I don't know whether it
uses the value of the INT 13 vector or generates an address in a more
elementary manner), but it seems possible to me that OS/2 could
mistake the virus code for the BIOS disk routines. In this case, OS/2
could attempt to operate the hard drive via the virus code.
Because of the way OS/2 handles memory management, when OS/2 attempts
to access the hard drive, the virus code will probably be "invisible".
As a result, the operating system will immediately trap and display an
error message.
In summary, the worst you can expect is your system simply not
working. An infected OS/2 system generally won't infect new floppy
disks unless you use the special "DOS from Drive A" sessions with an
infected boot floppy.
Kevin <buhr@ccu.UManitoba.CA>
------------------------------
Date: Tue, 22 Dec 92 17:14:20 -0500
From: <U33515@UICVM.UIC.EDU>
Subject: Re: CHRISTMA EXEC (IBM VM/CMS)
Howdy!
About 6-8 months ago I received a "ZEBRATELL EXEC", this was the
CHRISTMA with a new hook. ( It sent tells with each letter a
different color ) My copy of ZEBRATELL does not erase itself.
I did read the code and send it, with a warning, to our systems
administrators, they were able to prevent it from spreading to
or from our node.
Happy Holidays,
Tom Kirke | All standard and non-standard
U33515@UICVM.CC.UIC.EDU | disclaimers, declaimers, and claimers
U33515@UICVM.CC.UIC.EDU@INTERNET#| apply.
APPLELINK:HARDBALL |
We have discovered a *therapy* (NOT a cure) for the common cold,
play tuba for an hour.
------------------------------
Date: 28 Dec 92 23:21:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Filler virus (PC)
Quoting from Brill@aecom.yu.edu to All About Filler virus (PC) on 12-07-92
B > Scan 99 detected "Filler" active in the memory of my computer.
B > When I booted from a write-protected floppy the nasty virus was not
B > found, no matter how many times I tried. By the way, I have CPAV
B > constantly running and it did not detect anything wrong.
You have probably already received many answers, but I will add my two
cents any way.
The problem is the VSAFE or VWATCH TSRs that comes with CPAV. The virus
signatures are not encrypted when these TSRs are in memory, and Scan finds
the signature, and assumes the rest of the virus is there.
You have several options.
A. Use CPAV exclusively.
B. Stop using CPAV.
In my tests, these scanners rank highest.
F-Prot from Frisk Software
VIRx from Data Watch Software (Used to be Microcom)
McAfee's Scan.
Bill
- ---
* WinQwk 2.0 a#383 * HALLOWEEN activates Oct 31st
------------------------------
Date: 23 Dec 92 03:13:17 +0000
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Virus Simulator MtE Supplement (PC)
Doren Rosenthal
3737 Sequoia
San Luis Obispo, CA USA 93401
To: Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
In response to your questions posted on this forum about my Virus
Simulator MtE Supplement.
> 1) Does is simulate perfectly the behavior of the MtE?
YES. Although safe and controlled, these dummy sample programs behave
identically to those produced MtE mutation engine viruses.
>I.e., are the dummy files generated by it the same as if
>generated by the MtE? If not, then it is not good as a simulator,
>because the simulation is not
>perfect enough.
YES. The dummy simulations are the same as those encrypted by the
MtE mutation engine.
>2) If the answer of the above question is "yes", then it means that it
>uses the MtE itself to encrypt the dummy files - because using
>anything else would mean imperfect simulation. If it uses the MtE, do
>you include the MtE itself in the generated dummies?
YES. At the hart of the simulations is an actual MtE mutation
engine.
>3) If the answer of the above question is "no", then the simulation is
>again not good enough, since the only way a scanner could detect the
>unencrypted replicants of an MtE-based virus is to scan for a scan
>signature of the unencrypted body of MtE. If the answer of the above
>question is "yes", then it is pretty easy to extract the MtE from the
>unencrypted dummies... Therefore, you are distributing malicious
>software...
I disagree. Although these are real MtE viruses, steps have been taken to
insure they will only infect the dummy test programs provided and
modifications or reverse engineering has been discouraged.
>Conclusion: regardless how you answer to the above questions, either
>the simulator is useless, or you are distributing malicious
>software... Hmm, I was able to draw this conclusion even without
>having to look at the simulator... Pretty good, isn't it?... :-)
I'm disappointed that you would pass yourself off as a fair and open
scientist and researcher open to new ideas. Then ask what would appear to
be legitimate questions and without giving my response a fair hearing or
even examining the Virus Simulator MtE Supplement yourself, draw a
conclusion and announce your findings in a public forum.
I also do not appreciate being accused of distributing malicious software.
If you have evidence of this you should present it before posting anything
else on this forum or use the forum for a public apology.
>Leaving the ethical problems aside, do you try all kinds of flags
>(i.e., the contents of the AX register before calling the MtE)?
>Because, if you don't, you'll be able to generate only a small subset
>of the code that can be generated with the MtE...
The Virus Simulator MtE Supplement exercises as may flags and options as
possible.
Doren Rosenthal
------------------------------
Date: Wed, 23 Dec 92 05:16:52 -0500
From: David_Conrad@MTS.cc.Wayne.edu
Subject: Re: VSHIELD, VIRSTOP, ... comparison ? (PC)
In VIRUS-L v5i207 Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem) write
s:
> > 3) VShield uses much more memory than VirStop.
>
>But may be loaded to high memory, and then needs less then 1K of
>conventional memory.
Implying that Virstop cannot?! Virstop can be loaded high, and then
requires no conventional memory.
And still, VSHIELD will use more high memory that Virstop, reducing the
number of other things you can have loaded high simultaneously.
Even with loadhigh in DOS 5.0, smaller is still better when it
comes to memory-resident programs.
Regards,
David R. Conrad
David_Conrad@mts.cc.wayne.edu, dave@michigan.com
------------------------------
Date: Wed, 23 Dec 92 20:55:07 -0500
From: "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Clash between FDISK/MBR and scanners (PC)
The command FDISK /MBR is often recommended for removing MBR
infectors (Stoned, etc) from hard disks. However in some
circumstances this can cause problems with some scanners. It
appears that some versions of FDISK/MBR rewrite the Master Boot
Record only as far as the end of the error messages, leaving the all
important partition information unchanged, but also leaving any
viral code between the messages and the partition information.
This will cause problems if the user later scans the disk with a
scanner which uses a string in this area to detect the virus.
In our case VET reported that the MBR of a PC was infected, and the
recovered copy of the MBR was also infected, but the PC booted OK,
the top of memory was OK, the virus was not in memory, and the PC
did not infect floppies. The main part of the MBR seemde normal,
but code from Stoned followed the messages. It appears that the PC
had twice been infected with Stoned, and each time it had been
removed using FDISK/MBR. Thus both the MBR, and the copy saved by
Stoned, contained viral code, which included the template used by
VET.
FPROT reported the infected MBR as
Master boot sector: Possibly a new varient of Stoned.
SCAN, Dr. S Toolkit, did not report any virus.
We understand that FDISK was definitely run on this PC, but we could
not confirm that FDISK was responsible, as it cleared this part of
the MBR when we used it to remove Stoned from an experimentally
infected PC.
Roger Riordan riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727
------------------------------
Date: Wed, 23 Dec 92 20:55:50 -0500
From: "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Invalid Boot Sectors (PC)
I recently wrote
>In a recent comment on a query by MOPURC01@ULKYVM.LOUISVILLE.EDU
>(Michael Purcell) about a virus which allegedly made disks
>unreadable I wrote.
>> If you put the wrong byte in the wrong place you can get the
>> symptoms described. ...
It appears the original message got lost, but the gist was that,
IN THEORY, it is possible to write a BS virus which is invisible
on an infected PC, but impossible to detect on an uninfected PC
with any existing scanner because DOS will crash if any attempt is
made to access an infected disk.
More seriously, we have established that neither F-Prot V2.05,
nor SCAN 8.9V97 will detect QUOX on 1.44M 3.5" disks.
F-Prot reports
Scanning boot sector B:
Error: B: not found
SCAN less elegantly crashes with a critical error
Scanning for known viruses.
General failure reading drive B
Abort, Retry, Fail?
Seasons Greetings to All,
(PS - I'll be away till early Jan)
Roger Riordan riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727
------------------------------
Date: Mon, 14 Dec 92 22:39:00 +0000
From: Chris_Franzen@f3060.n492.z9.virnet.bad.se (Chris Franzen)
Subject: Trojan detection/protection (PC)
> McAfee Associates does not make any kind of memory-resident "filter"
> type program to look for Trojan horse programs because it is (1)
> extremely simple to write a Trojan horse, as your batch file example
> shows; and (2) prone to false alarms on legitimate actions, such as
> formatting a disk or running DEBUG. Given these two conditions, it
> makes it very difficult to write some sort of program that will
> accurately detect malicious activity while not giving any false
> alarms.
Now there of course *are* memory-resident "filter" type programs (or
"watchers" in the field. One of them is Thunderbyte, which does not
work to well.
I understand, though, that at least one vendor is beta-testing a
product that looks very good and successfully keeps trojans out of the
house. I am puzzled by the low number of false alarms the program
generates. (Formatting a disk is one of them because the boot sector
is being written. i think nobody is going to create a solution to
this.)
I wonder: If you guys work so hard against viruses (and you do :-),
why don't you create a product in the anti-trojan field?
Don't you *have* an anti-trojan type program (VSHIELD) which takes
action to avoid infection by unknown viruses?
Maybe you would trash your ViruScan product because any good
anti-trojan were a very good anti-virus, too? (Well *that* might be a
reason everyone understands...)
> Regards,
> Aryeh Goretsky
> Technical Support
Chris
- ---
* Origin: You wanted junk -- so I drop some. (9:492/3060)
------------------------------
Date: 24 Dec 92 07:03:27 +0000
From: tck@bend.ucsd.edu (Kevin Marcus)
Subject: Re: Is this a new virus? (PC)
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>tck@fold.ucsd.edu (Kevin Marcus) writes:
>
>> I have varients of stoned which copy to 0,0,15, and 0,0,7, as well as a
>> few other locations. They do not necessarily copy to the same spot.
>
>And we have here variants that put the original MBR at 0,0,2 and
>0,0,8. This is irrelevant. What is rellevant is that the problem with
>Michelangelo occurs exactly because the "standard" Stoned variant put
>the original MBR at 0,0,7 - at the same place as Michelangelo, and
>because the two viruses do not recognize each other.
Oh, come on, it is relevant. The original problem: Disinfection of a
Stoned and MIchelangelo infection. Where they move the orig. MBR is
quite important, because in one case, it is possible to remove the
viruses by pulling the original MBR up, and in the other, it is not.
- --
|| Kevin Marcus, Computer Virologist. (619)/457-1836; RE-xxx, TSCAN ||
|| INET: tck@bend.ucsd.edu []-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]
|| tck@fold.ucsd.edu || All I wanted was a Pepsi... ||
|| datadec@watserv.ucr.edu || And she wouldn't give it to me...||
------------------------------
Date: Thu, 24 Dec 92 18:50:03 +0000
From: Jean_Vanhove@f108.n321.z9.virnet.bad.se (Jean Vanhove)
Subject: ANTI-tel (PC)
Hello all,
warning!!! Anti-tel virus found on a local cite in Belgium. Reading
vsum : status RARE Barcelona June 1991. Found twice removed with
clean version 97b detected with scan version 89. No dataloss, partion
table was damaged, but the virus was discovered in an early stade.
Groetjes,
Jean Vanhove
Sysop De Bosbeer 2:292/124 9:321/108
- --- FMail 0.92+
* Origin: bosbeer is er bij (9:321/108)
------------------------------
Date: Wed, 30 Dec 92 08:51:28 +0000
From: haverkam@uni-duesseldorf.de (Wilhelm Haverkamp)
Subject: Info on Vascina and 1701/1704 in Novell networks wanted (PC)
Who has got experiences with Vascina and 1701/1704 viruses on Novell
networks (SFT 286, V. 2.15)? What would be the correct reaction of
the system administrator? Any help will be appreciated. Please mail
directly to me. Best wishes for 1993. Wilhelm
------------------------------
Date: 29 Dec 92 06:47:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Does anyone have info on DAME (PC)
Quoting from Dave Mickle X5205 to All About Does anyone have info on on
12-20-92
DM> We've got a PC which is displaying a message to the effect it's
DM> infected by the "DAME" virus. Don't know what symptoms there are in
DM> addition to the message. We're going to do a low level format, but
DM> would like to know what we've contracted.
I don't know of a DAME virus.
Did yje virus display that information, or did McAfee's Scan report this?
If this was reported by Scan, it found a a virus that uses the DAME
(Dark Avenger Mutation Engine). The DAME also known as MtE is a
routine that causes the virus to mutate.
Bill
- ---
* WinQwk 2.0 a#383 * Viruses often make my FAT go on a crash diet.
------------------------------
Date: 29 Dec 92 06:37:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: MS-DOS CHKDSK & VER /R (PC)
Quoting from A. Padgett Peterson to All About MS-DOS CHKDSK & why VER / on
12-20-92
AP> Further, COMP finds no difference between this COMMAND.COM and the on
AP> just expanded from a new set of distribution disks that is dated 11-1
Just for your information, FC (File Compare) does a better job at
comparing files than COMP.
Bill
- ---
* WinQwk 2.0 a#383 * SURIV 3.0 activates Friday the 13th
------------------------------
Date: Tue, 22 Dec 92 17:04:50 -0500
From: celustka@sun.felk.cvut.cs (Celustkova-k336-doktorand(Richta))
Subject: Good use of (possible bad) viruses
Hi boys and girls, (a day of inspiration,huh ?)
Just one of those days...Two examples of good use of (possible bad)
viruses come to my mind :
1. Viruses written to improve an A-V product
The logic is simple. It is better that I write virus which can do this
or that and have prepared solution to implement in my A-V product than
wait that such virus arises in wild and then react. That means if I
know that today exist viruses which could be stealthy, tunneling or
polymorfic why shouldn't I write virus which is all that and design my
A-V product to recognize such virus before it really appears in wild.
(Well, maybe it is not commercial, I don't know). If such virus *by
accident* escape from my lab I already have a response and there is no
ethical problem at all.
2. Viruses built in an A-V product (it's just an idea, don't blame me if it
is not applicable in reality)
Suppose that we have an A-V product which in regular intervals or
randomly send a virus in system. Virus (fast infector) infects only
programs which checksum doesn't correspond to previously calculated
values. If no such program is found virus deletes itself or removes
from memory. If changed program found virus activates scanner to check
if there is any known virus. If known virus is found message is sent
to the user. If program is changed and no known virus is found the
message is sent to the user to make decision. If decision is to leave
program as is, virus cuts itself from the program. The whole process
(except messages) takes place in background. There is no need for all
A-V program (which is combination of I-checker and scanner) to be TSR,
only virus is occasionally TSR. There is slight similarity in this
idea with reaction of human immunity system. Anyone has ethical
problem with her/his own immunity system ?
Cheeeers,
Suzana
____________________________________________________
/ / | |
/ |\__/| / | We wish you Merry Christmas |
/~~~~~~\ / \ | and Happy New Year ! |
~\( * * )/~~\( 0 0 )/~ |______________________________|
( O ) ( O )
\______/ \______/
@/ \@ @/ \@
- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka e-mail addresses:
Department of Computers celustka@sun.felk.cvut.cs
Faculty of Electrical Engineering celustkova@cs.felk.cvut.cs
Karlovo namesti 13
12135 Prague 2 phone : (+42 2) 293485
Czechoslovakia fax : (+42 2) 290159
------------------------------
Date: Tue, 22 Dec 92 17:04:48 -0500
From: celustka@sun.felk.cvut.cs (Celustkova-k336-doktorand(Richta))
Subject: Good and bad viruses (was FC on virus creation)
With properly defined computer virus there shoudln't be doubts what is
a good and what is a bad virus. Or should be ? Let's suppose that bad
virus is intended to cause some unwanted function in system. Some
programs (even antiviral) can do the same thing, (what is unwanted
function anyway ?) but they cannot propagate. Good virus can
propagate, but it is supposed to not invoke anything unwanted. But, by
definition good virus can mutate, so can become bad virus. Also, good
virus on one system can be bad virus on another system (causing some
unwanted function). Could all bad viruses be good viruses ? Yes,
because without them many A-V producers would loose their source of
money. Can all good viruses be bad viruses ? Yes, because they are
viruses (something very suspicious). Confusing ? Not to anyone who
ever met chinese philosophy and principles of Yin and Yang. Shortly,
good and bad are inseparable and dependent one of the another (you
can't define good without defining bad and vice versa).
So, what to do ? Let's throw (unnecessary) philosophy and look at
(poor) simple PC user. S/he finds something weird on her/his PC and
suspects it could be a virus (whatever could be called by that name).
S/he chooses some A-V product and tries to solve the problem. If the
product solves problem and everything is like before user is
satisfied. And that should be the main goal of every A-V producer. If
Fred Cohen's customers are satisfied with his product why all that
complaining about ethical correctness. Ask them if they have any
ethical problem using that product. If they are not satisfied that is
Fred Cohen's problem and he has to solve it. Simple, isn't it ?
Cheeers, __________________________
| |
Suzana /| I'm a good virus! |\ |\__/|
/~~~~~~\ / | He's a bad virus! | \ / \
~\( * * )/~ |__________________________| ~\( 0 0 )/~
( \___/ ) ( /---\ )
\______/ \______/
@/ \@ @/ \@
- ---------------------------------------------------------------------------
Address: Suzana Stojakovic-Celustka e-mail addresses:
Department of Computers celustka@sun.felk.cvut.cs
Faculty of Electrical Engineering celustkova@cs.felk.cvut.cs
Karlovo namesti 13
12135 Prague 2 phone : (+42 2) 293485
Czechoslovakia fax : (+42 2) 290159
------------------------------
Date: 24 Dec 92 22:10:21 +0000
From: ygoland@edison.SEAS.UCLA.EDU (The Jester)
Subject: Re: Viral Based Distribution System
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>ygoland@edison.SEAS.UCLA.EDU (The Jester) writes:
>
>> If this is an
>> effective means of distribution then why use a virus at all?
>
>The question is incorrect. According to Dr. Cohen's definition, "this"
>- -is- a virus. And, since you are using it to do something you would
>like to be done, it is obviously a benevolent virus. Do you see the
>misunderstanding now? It's all matter of definitions...
Yes.. I understand. And may I say I STRONGLY disagree with Dr.
Cohen's definition. A program in the login script that checks if you
have been updated and then updates you is NOT a virus. The program in
the loader does NOT reproduce itself it reproduces another program
which is itself NOT a virus. (Lets ignore the obvious case where the
loader installs an infected program =) For me the acid test of a virus
is:Can it reproduce itself? Is the login script programing trying to
run around and find other login scripts or executable files to infect?
No. It doesn't infect anyone! 'Damnit Jim, its not alive!'
>> In conclusion, a system that changes in an unpredictable manner,
>> that uses hard to track mechanisms of change, is a security
>> nightmare.
>
>Yup... Ever tried MS Windows?... :-)
After reading this line I laughed so hard I almost fell out of my
chair. AS a matter of fact I have. Thats why I now run on OS/2. What
do you say about a program whose most recent release has as it's main
selling point "we fixed all the bugs in our previous release". Of
course microsoft doesn't have 'bugs', they have 'features'. =) But I
digress.
>> The Jester-PGP Ver2 upon Request
>Please consider this a request... :-)
Actually I bet you already have it, I have yours. You can finger me
but I'll send it to you anyway just to be annoying. =)
Yaron (The Jester) Goland
p.s. see mister moderator, I remembered!!! =)
- --
The Jester
"Whats a Knock Out like you doing in a computer generated Gin
joint like this one?"-William Riker
"I'm god, whats your excuse?"-The Jester
------------------------------
Date: Fri, 25 Dec 92 16:36:04 +0700
From: jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers)
Subject: TBAV 5.02 and VSIG9214 upload (PC)
Hi all,
I just uploaded to oak.oakland.edu and garbo.uwasa.fi the following
files:
<MSDOS.TROJAN-PRO>
VSIG9214.ZIP VIRSCAN.DAT with fix for TBSCANX
TBAV502.ZIP TBAV utils 5.02 (was tbscanXX.zip)
TBAVU502.ZIP TBAV utils upgrade 5.01 to 5.02
TBAVX502.ZIP TBAV utils 5.02 processor optimized version
BTW: Merry X-mas and a healty 1993!
- --
jeroen voice: +31-2522-20908 (19:00-23:00 UTC)
snail: P.O. Box 266
jeroenp@rulfc1.LeidenUniv.nl 2170 AG Sassenheim
jeroen_pluimers@f256.n281.z2.fidonet.org The Netherlands
------------------------------
Date: Fri, 25 Dec 92 00:15:35 -0800
From: rslade@sfu.ca
Subject: The Internet Worm (CVP)
HISVIRO.CVP 921215
The Internet Worm
By the fall of 1988, VIRUS-L had been established (let's hear it for
Ken!) and was very active. Issues were, in fact, coming out on a
daily basis, so I was quite surprised when I didn't receive one on
November 3rd. I didn't get one on November 4th, either. It wasn't
until November 5th, actually, that I found out why.
Most machines on the net were not of the type that the Worm would
have affected. The Worm was only able to run and propagate on
machine running the UNIX operating system, and then only those with
specific versions and specific CPUs. However, given that the
machines that are connected to the Internet also comprise the
transport mechanism for the Internet, a "minority group" of
machines, thus affected, impacted the performance of the net as a
whole.
I learned it, initially, from a newspaper report. However, by the
5th I was also starting to get mailings across the net again.
During the run of the worm, a sufficient number of machines had been
affected that both email and distribution list mailings were
impaired. Some mail was lost, either by mailers which could not
handle the large volumes that "backed up", or by mail queues being
dumped in an effort disinfect systems.
Most mail was not lost, but was substantially delayed. The delay
could have been caused by a number, or combination of factors. In
some cases mail would have been re-routed, via a possibly less
efficient path, after a certain time. In other cases "backbone"
machines, affected by the Worm, were simply much slower at
processing mail. In still others, mail routers would either crash
or be stopped, with a consequent delay in mail delivery.
Ironically, electronic mail was the primary means that the various
parties attempting to deal with the worm were trying to use to
contact each other.
By Sunday, November 6th, things were pretty much back to normal.
Mail was flowing, distribution lists and electronic "periodicals"
were running and the news was getting around. The one difference
was the enormous volume of traffic given over to one topic: the
Internet Worm.
The Internet Worm is still the pre-eminent case of a viral program
in our time. Even today, no "virus" story in the popular media is
complete without some reference to it. It rates a mention in "The
Cuckoo's Egg". Each school term brings fresh requests for
bibliographic material on it (sparked, one suspects, by either
choice or assignment of essay topics). Currently (December of 1992)
there is a "thread" running on comp.security.misc on "Fun things to
do with RTM" which occupies about half the total bandwidth.
In many ways this fame (or infamy) is deserved: the Internet Worm is
the story of data security in miniature. The Worm used "trusted"
links, password cracking, security "holes" in standard programs,
standard and default operations and, of course, the power of viral
replication.
copyright Robert M. Slade, 1992 HISVIRO.CVP 921215
==============
Vancouver ROBERTS@decus.ca | Slade's Law of Computer
Institute for Robert_Slade@sfu.ca | Literacy:
Research into rslade@cue.bc.ca | - There is no such thing
User p1@CyberStore.ca | as "computer illiteracy";
Security Canada V7K 2G6 | only illiteracy itself.
------------------------------
Date: Mon, 28 Dec 92 15:57:00 -0800
From: Richard W. Lefkon <dklefkon@well.sf.ca.us>
Subject: March Virus/Security Conference
6th INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE AND EXPOSITION
Wed thru Fri - March 10-12, 1993 - Madison Square Garden Ramada, NYC
spons by DPMA Fin Ind. Ch. in coop. with
ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInypc, IEEE Computer Society
Box 894 NY NY 10268 (800) 835-2246 x190
NOVELL'S REKHI KEYNOTES "IDES OF MARCH" SECURITY CONFERENCE -
-----------------------------------------------------------
UNIX Head for USL's New Owner Joins IBM, Apple Security Chiefs
--------------------------------------------------------------
- - New York
[Information on conference: Judy Brand, (800) 835-2246 x190]
With increased emphasis on hacker and virus attacks across systems,
the Sixth International Computer Security and Virus Conference and
Exposition has announced Kanwal Rekhi, Novell, Inc.'s EVP and General
Manager for Interoperability, as the March, 1993 Keynote Speaker.
Tentatively titled "Seamless Security," Rekhi's talk will focus on
UNIX strategies, TCP/IP, internetworking with workstations and
microcomputers, and network management. His confirmation comes on the
heels of Novell's UNIX Systems Laboratories coup. He will speak
Thursday, March 11, middle day of the annual "Ides of March"
conference, at the glass-enclosed 18th Floor of New York's Madison
Square Garden Ramada Hotel.
More than two thousand attendees are expected for the three days of
security security courses, panels, research papers and product
exhibits. Ninety speaker from seven continents will be distributed
over the 46 sessions in five confer- ence tracks, and 70 vendors of
computer and network protection will demonstrate their wares. This
year's theme is "Global vs. Corporate Solutions."
The conference is sponsored by the DPMA Financial Industries Chapter,
in cooperation with ACM-SIGSAC, Boston Computer Society, Corporation
for Open Systems, New York LAN Association / NetWare Users
International, Communications Managers Association, local chapters of
EDP Auditors association and Information Systems Security Association,
and the 90,000-strong IEEE Computer Society. Because a great number
of world class security authorities speak here each March, two
European-based international security groups will hold one-day
meetings nearby.
Lead Speaker in the Research and Technical Track is Willilam Vance,
computer security head for IBM Corporation. Other speakers and
session chairs include Jane Paradise, security head for Apple Corp.;
Gail Thackeray, leading prosecutor of toll fraud and telecom
break-ins; Robert Schiffreen, British hacker who managed to invade the
Queen's husband's computer mailbox, was exonerated by Parliament, and
then wrote a book explaining how to protect against attacks like his;
and Scott Charney, head of the U. S. Justice Department's initiative
against computer crime.
Mr. Rekhi of Novell previously served as President and CEO of Excelan,
a $100 million per year public company which merged with Novell in
1989. Having previously overseen all product and technology
development for Novell, he currently is responsible for Univel,
connectivity and messaging products, internetworking products and
network management products.
The "Ides of March" conference, nicknamed to match the season and the
effort to avoid sneak attacks on computers and networks, played a key
role in combatting last year's outbreak of Michelangelo Virus on
personal computers. Technician Roger Riordan of Australia first
announced and named Michelangelo at this event in 1991, and subsequent
collaboration by various speakers enabled most anti-virus products to
recognize and defeat the electronic parasite before it could destroy
too many valuable business files. CBS and ABC television spotlighted
the 1992 event, as well as a variety of industry and general
circulation periodicals.
Press conference is scheduled for 11:00 am Wednesday, March 10, at the
Ramada. A "Meet the Experts" sit-down reception for press and
registrants will take place Thursday evening at the Empire State
Building Obeservatory.
Floor management at this year's event will be handled by Expoconsul
International, which also runs computer and network conferences such
as DEXPO, Open Systems Initiative, and Microcomputer Graphics.
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 3]
****************************************