home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.140
< prev
next >
Wrap
Text File
|
1995-01-03
|
14KB
|
327 lines
VIRUS-L Digest Tuesday, 20 Jun 1989 Volume 2 : Issue 140
Today's Topics:
Re: The strange story of the WordPerfect virus (PC)
More on the WordPerfect Virus [PC]
virus spreading modes
Virus policy
Mainframe Vulnerability
Large computer problems...
Saveinfo.exe (PC)
Robert T. Morris suspended from Cornell
---------------------------------------------------------------------------
Date: Fri, 16 Jun 89 12:34:07 PDT
From: Rob Dixon <robd%jumbo.wv.tek.com@RELAY.CS.NET>
Subject: Re: The strange story of the WordPerfect virus (PC)
Greetings Mr. Radai,
I would greatly appreciate a copy of your UnVirus routine in uuencode
format. While we have not absolutly identified an infection, we do
seem to have some of the anomolys you documented.
Best regards,
Robert Dixon
robd@orca.WV.TEK.COM
[503]685-2811
------------------------------
Date: Fri, 16 Jun 89 23:00 EST
From: Ron Kiener <RKIENER@TRINCC.BITNET>
Subject: More on the WordPerfect Virus [PC]
I today received the following message from Israel concerning the reported
WordPerfect virus. This letter is in response to the original VALERT
message which I passed on to friends in Israel. The following message
includes instructions for using UNVIRUS.EXE.
Here is the message:
> Date: Fri, 16 Jun 89 19:22:01 IST
> From: Shlomo <BIDERMAN@TAUNIVM.BITNET>
> Subject: Virus
>
> Dear Ron,
> Yoav sent me your Virus-letters. I read it and had a good laugh:
> almost half of the pc users in our advanced country have encountered
> the described virus more than 6 months ago (I had it too!!). And a
> remedy was found by two wizards from Jerusalem. I am sending it
> to you. It is called UNVIRUS.EXE. This is what you should do:
>
> 1) Put it on a *floppy* (NOT on HD), together with Command.Com (i.e.,
> the DOS system)
> 2) Boot up your pc with the Diskette (Don't write-protect it, since
> UNVIRUS.EXE creates a temporary file while operating)
> 3) Type
>
> unvirus c:<cr>
>
> 4) And boom ... out went the virus!!
> The program is free of charge, as you can see in the introduction
> Bye. Shlomo
Since I know nothing about viruses, and a bit about WordPerfect, I cannot
vouch for the UNVIRUS program. I did decode it and run it according to
instructions, but since I do not have the virus, the UNVIRUS program
reported my hard drive was clean. During operation, I noted that the
UNVIRUS program examined all subdirectories of my drive and quickly
flashed through all .EXE files.
In a separate file I am also posting the UNVIRUS.UUE file which I received
from my friend at Tel Aviv University, a user of WordPerfect 4.2. He is
also not a virus "maven." I take no responsibility for the outcome of
UNVIRUS.EXE, but I do hope it solves this problem.
Ronald Kiener RKIENER@TRINCC.BITNET
Trinity College, Hartford, CT
------------------------------
Date: Sat, 17 Jun 89 10:50:06 CST
From: Acrc014@UNLCDC3
Subject: virus spreading modes
This is my first posting on VIRUS-L and these are some of my scattered
thoughts. They may have been discusses before, but I have not read all
of the back issues as of yet.
The Trojan horse approach can be triggered by dates. Has there ever
been one that activated by finding a seperate program.
An example of this would be a GIF shower triggered by a certain GIF
picture.
Has there ever been code written so that the same effect (harmful or not)
appeared on more then one type of machine (I know it would take different
programs). There has been discussion of hos >[Dw
a software company would "never" write a virus to be activated by a
competitor's program. This I agree with, but with the reservation
that an individual might try and duplicate the effect. If they were
ambitious and knowledgable, they could try and do it on a program that
had become popular enough to spread across machine boundaries.
On the issue of legality, how vulnerable are the people who put up
technical information about bugs in systems. A hacker (virus writer)
might by hard to find and prosecute. But if a virus is based on such
information, the source author would be east to find (easy to find).
------------------------------
Date: Mon, 19 Jun 89 09:59:38 EST
From: Margie Rogis <MDR100T@ODUVM.BITNET>
Subject: Virus policy
Here at Old Dominion University, our internal auditors have asked that a
virus policy be adopted. We are forming a working group, composed of a
mainframe systems person, pc/lab person, and academic services person.
I joined this list in the hopes of learning from those who have gone
before! I am seeking any advice, or policies set up by other
institutions which could help us define our own.
I suppose we would like to address prevention, detection, and recovery, as
well as procedures for dealing with anyone caught trying to infect any
of our systems.
Any responses would be GREATLY appreciated.
------------------------------
Date: Mon, 19 Jun 89 10:55 EDT
From: WHMurray@DOCKMASTER.ARPA
Subject: Mainframe Vulnerability
> He [Harold Joseph Highland] indicated large systems could be
>infected more easily than was
>commonly believed. In particular, he said a glaring weakness existed
>in Communications Monitoring System (CMS) version 4 for IBM's MVS
>operating system where a dangerous virus could be introduced by simply
>programming 16 lines of code.
Since this problem has been referred to several times, a little
background might be useful.
The "weakness" referred to was in a spool handling program shipped
as part of VM/SP, not MVS. In early VM systems, spool objects were
"card images" containing only one CMS named object per spool object.
Later a "disk image" spool object was added. This disk image could
contain more than one CMS object per spool object.
A user, looking at his in-spool queue, or READER, would see as the
name of the spool object only the name of the first CMS object in
the spool object. Unless he scanned, or PEEKed, the object in the
spool before reading it in, he might read in a CMS object that he
did not know about.
HJH may call it a glaring weakness if he likes. It seems to me that
the problem was that it did not "glare" enough. Indeed, it was
quite subtle, but it might have made it likely for someone to read
into his virtual machine a named data object that he had not seen in
his reader. Such an object could have been "an armed warrior" in a
gift horse.
I call it a reasonable design choice, at least at the time that the
choice was made.
IBM made a change in Rel. 5 to protect a naive user from his own
behavior. It did so at the expense of a performance hit and a
useability hit to all users. It made the change on its own
initiative. If memory serves me correctly, there were no complaints
from customers about the the condition. On the other hand, there
were a number of questions raised about the performance implications
of the change. Had IBM not made the change, it is unlikely that HJH
would know anything of the exposure.
[I am retired from IBM and receive a small income from them. In return
for that income, I owe them nothing in comparison to what I owe the
truth.]
William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: Mon, 19 Jun 89 11:51 EDT
From: John McMahon - NASA GSFC ADFTO - <FASTEDDY@DFTBIT.BITNET>
Subject: Large computer problems...
A few comments on the latest issue of VIRUS-L...
***> From: Ken De Cruyenaere <KDC%ccm.UManitoba.CA@CUNYVM.CUNY.EDU>
***>
***> He indicated large systems could be infected more easily than was
***> commonly believed. In particular, he said a glaring weakness existed in
***> Communications Monitoring System (CMS) version 4 for IBM's MVS operating
***> system where a dangerous virus could be introduced by simply programming
***> 16 lines of code.
Well, the problem I see here (although I may be wrong also) is the
perennial problem of the media getting their facts straight (or lack of
proper verification). I thought CMS was the "Conversational Monitor
System" and ran under the IBM VM (Virtual Machine) operating system, not
MVS.
My favorite media confusion story is when a newspaper in a college town
near here blamed the failure of the local ATMs on the release of a
computer virus... The virus in question was the Internet Worm. What
really happened ? Backhoe Bill plowed through one of the main phone
circuits into town, and the ATMs couldn't reach their home offices to
verify transactions.
I think there is a need to promote computer literacy in the media...
***> From: ZDEE699@ELM.CC.KCL.AC.UK
***>
***> I agree with Ken that there should be more discussions on network
***> security issues. I joined the discussion list in November 88, on the
***> exact day when the RTM virus struck the internet community, and most of
***> the talk was about networks. Nowadays, it looks like the list has gone
***> to microcomputer-based viruses discussions...
I too joined the discussion after a major "big machine" event. In my
case it was the SPAN/HEPnet Father Xmas Worm. The PC stuff is nice, and
I find a few raw bits in their that is useable... but I am more
concerned about my big machines, and the WANs they are connected to.
***> Coming back to network security, here is the question:
***> " Would another major disaster like the November 1988 Internet Worm be
***> possible now, more than 6 months later ? "
Probably... but I doubt we will see another "big" event real soon.
However, there are probably "small" events which happen every day out on
the network that noone ever catches.
For example... This mail message claims to be from
FASTEDDY@DFTBIT.BITNET... but did I (being the owner of that account)
really write it ? Could you verify it if you had to ? If I didn't
write it, could you figure out who did ? What is the risk of having an
unsecured network mail system ?
Just some food for thought...
+------------------------------------+----------------------------------------+
|John "Fast Eddie" McMahon | Span: SDCDCL::FASTEDDY (Node 6.9) |
|Advanced Data Flow Technology Office| Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV |
|Code 630.4 - Building 28/W255 | Bitnet: FASTEDDY@DFTBIT |
|NASA Goddard Space Flight Center |GSFCmail: JMCMAHON |
|Greenbelt, Maryland 20771 | Phone: x6-2045 |
+------------------------------------+----------------------------------------+
------------------------------
Date: MON 19 JUN 1989 19:38:00 EDT
From: IA96000 <IA96@PACE.BITNET>
Subject: Saveinfo.exe (PC)
I just downloaded a program named safeinfo.exe from a bbs
at (201)473-1991. safeinfo (tm) is a trademark of
safeware (TM) incorporated. the program is a clone of norton's
sysinfo with more features.
what makes it worthy of mention here is the fact that safeware (TM)
runs an internal test upon itself each and every time it is loaded.
this test checks a crc as well as the file length of the particular
safeware (tm) product being run. if >> any << changes have been
made since it was compiled, execution stops and the user is then
informed of the change that was made.
i tested it, and any changes made to the file are picked up and
reported as claimed. The full documentation is not included with
safeinfo (TM) but i managed to speak to the author and the here is
a capsule of what was discussed, with his permission.
safeware (TM) is a unique new concept in shareware. all safeware (TM)
products run safeware's (TM) proprietary selftest (TM) module as soon
as they are loaded.
selftest (TM) checks the file and only lets execution proceed if the
file has not been altered in any way since it was compiled.
any change made is immediately picked up and reported
------------------------------
Date: 20-JUN-1989 12:38:20 GMT
From: ZDEE699@ELM.CC.KCL.AC.UK
Subject: Robert T. Morris suspended from Cornell
I was surprised that these news were not forwarded to VIRUS-L.
Message forwarded from RISKS-FORUM digest 8.74 with authorisation from
Dave Curry (davy@riacs.edu).
forwarded message:
-------------------------
Original-Date: Thu, 25 May 89 18:49:38 -0700
Original-From: davy@riacs.edu
Original-Subject: Robert T. Morris suspended from Cornell
Taken from San Jose Mercury News, 5/25/89 (From the New York Times)
Cornell University has suspended the graduate student identified by school
officials as the author of [the Internet worm].
In a May 16 letter to Robert Tappan Morris, 23, the dean of the Cornell Uni-
versity Graduate School said a university panel had found him guilty of vio-
lating the school's Code of Academic Integrity.
He will be suspended until the beginning of the fall semester of 1990, and
then could reapply.
No criminal charges have been filed against Morris. A federal grand jury
this year forwarded its recommendations to the Justice Department, which has
not taken any action. [....]
- -------------------------
end of forwarded message.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond | - If no-one can do it |
|JANET : <zdee699@uk.ac.kcl.cc.elm> | then do it yourself |
|BITNET : <zdee699%elm.cc.kcl.ac.uk@ukacrl> | - If you can't do it, |
|INTERNET: <zdee699%elm.cc.kcl.ac.uk@uk.ac.nsfnet-relay>| then P A N I C ! ! |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253