VIRUS-L Digest Friday, 29 Sep 1989 Volume 2 : Issue 207
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: Tiger Team comments
DATACRIME II INFO (PC)
Tiger teams attempting to penetrate corporate machines at night
New virus on a PC ??
Virus detector program (PC)
Re: Anti-viral hard disk controllers
Re: Review of NIST anti-virus paper...
When is a virus not a virus?
Cascade in Sargon III (PC)
ViruScan Length (PC)
Oct 13 PC virus question
FixCrime.arc (PC)
---------------------------------------------------------------------------
Date: Thu, 28 Sep 89 07:41:32 -0400
From: dmg@lid.mitre.org (David Gursky)
Subject: Re: Tiger Team comments
In Virus-L #205, Steve <XRAYSROK@SBCCVM.BITNET> and
<CTDONATH@SUNRISE.BITNE> had some good comments about my Tiger Team
suggestion. Here are some answers to their comments:
RE: Most viruses are not spread by someone sneaking in at night...
Absolutely true. The objective of this proposal would be to ensure
that users are following a published anti-virus strategy, beyond
simply backing up the data. If the user targeted by the Tiger Team is
following the procedures properly, then the virus should not be able
to get in. For instance, say the policy reads "All Macintosh
computers shall run Gatekeeper". Gatekeeper is very effective at
stopping nVir. If the Tiger Team attempts to infect a Mac with nVir,
and the attempt fails, the user of the system is not properly
following the established procedure.
RE: What corporation is willing to take the risk of letting someone
*tamper* with the computers which the company depends upon, especially
when proper operating procedures will offer you very good protection?
Good question. I would hope any company worth its salt. The
objective of the "Tiger Teams" is to help ensure the corporate
anti-virus policy is being adhered to. "Proper operating procedures"
per se do not prevent an infection, *following* those procedures do.
RE: Can you guarantee that the "Team" will not do damage?...
In order for this proposal to be effective, the TT must do a complete
backup of the system's data before proceeding (I suspect an image
backup would be preferred in this instance), and a restore afterward,
regardless of whether the team succeeds or fails.
RE: If they are introducing live viruses, ... no one can guarantee the
virus will be benign in all situations...
I have a problem with this suggestion. Viruses (even nasty ones) such
as nVIR, (c) Brain, Lehigh, and so on are well understood. If I start
with a "known" strain of one of these (and there are libraries out
there of unmodified versions of these and other viruses), I know
exactly how a virus will behave under any set of conditions.
Please also remember that I proposed using a "neutered" version of a
virus. Using (c) Brain as an example, if the logic-bomb or time-bomb
is removed from it, leaving only the infector, it's hard to say that
such a neutered virus poses a serious threat to a user when used by
a TT to check for the use of anti-virus procedures.
RE: If the tiger team fails to exterminate ALL copies of the virus
there is the possibility of virus parinoia (sic), files that grow in
size for no good reason, and the possibility of lost data thru virus
malfunctions.
See my earlier comment about backups and neutered versions.
RE: The virus would be released in a unsuspecting work area. The
presence of strangers insisting on checking every disk that leaves the
area would cause chaos.
As described above, the virus would not be released in an unsuspecting
work area. Tiger Teams are used as a method to test the effectiveness
of a given policy. If the users within a given work area are not
following an established anti-virus policy (it is taken as a given the
suggestion of TT is only valid where such a policy exists, for the
exact reason you point out) then they are at risk for a virus
infection, and poss a risk for other computing resources (oops! Poss
= pose).
RE: "Controlled" environment
Such environments are possible. They are routinely used for the
handling of classified materials for example. Again, the
effectiveness of the controls directly depends on how well you adhere
to them.
------------------------------
Date: 28 Sep 89 23:03:57 +0000
From: edvvie!eliza!andreas@relay.EU.net (Andreas Brandl)
Subject: DATACRIME II INFO (PC)
Hello out there,
a few days ago I read an article about the DATACRIME
virus and how I can find it with search-strings. Yesterday I read in
an info-paper from a very, very, very big corporation about them.
This paper tells about three versions of DATACRIME.
The first two versions only infect COM-files. Their functions are
identical, only their increase-sizes are different. One increases the file
size by 1168 bytes, and the other by 1280 bytes. DATACRIME II virus is the
third version and infects COM and EXE files. In this version COM files
grow by 1514 bytes and EXE by a similar, but variable, size.
I possibly know the search-string for the third version. But I can give no
warranty that my info is absolutely right. The search-string is like the
following:
5E81EE030183FE00742A2E8A9403018DBC2901.
I hope this is a little help to locate and destroy this virus.
Bye bye, Andreas
--
------------------------------------------------------------------
EDV Ges.m.b.H Vienna Andreas Brandl
Hofmuehlgasse 3 - 5 USENET: andreas@edvvie.at
A-1060 Vienna, Austria/Europe Tel: (0043) (222) 59907 (8-16 CET)
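As an added example (not the poster's own tool), here is a small Python scanner that looks for the hex search-string given above in .COM and .EXE files, and names the strain from the file-size growth the post reports. The sample files it builds are constructed stubs, not real infected binaries.

```python
"""Signature scan for the DATACRIME II search-string posted above."""
from pathlib import Path
from typing import Optional
import tempfile

# Hex search-string exactly as given in the post; the poster's own caveat
# about its accuracy applies.
DATACRIME_II_SIGNATURE = bytes.fromhex("5E81EE030183FE00742A2E8A9403018DBC2901")

# File-size growth the post reports for each strain, usable as a second
# check when a known-good size for a program is on record.
DATACRIME_GROWTH = {1168: "DATACRIME (1168)", 1280: "DATACRIME (1280)",
                    1514: "DATACRIME II (.COM)"}


def find_signature(data: bytes) -> int:
    """Offset of the search-string inside a file image, or -1 if absent."""
    return data.find(DATACRIME_II_SIGNATURE)


def growth_strain(size_before: int, size_after: int) -> Optional[str]:
    """Name the strain whose reported growth matches the size change, if any."""
    return DATACRIME_GROWTH.get(size_after - size_before)


def scan_tree(root: Path) -> dict:
    """Map each .COM/.EXE under root that carries the signature to its offset."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".com", ".exe"):
            offset = find_signature(path.read_bytes())
            if offset >= 0:
                hits[path.name] = offset
    return hits


def demo() -> dict:
    """Build constructed sample files in a temp dir and scan them."""
    tmp = Path(tempfile.mkdtemp())
    clean = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 64   # mov ax,4C00h / int 21h + NOPs
    (tmp / "CLEAN.COM").write_bytes(clean)
    (tmp / "HOST.COM").write_bytes(clean + b"\x00" * 100
                                   + DATACRIME_II_SIGNATURE + b"\x00" * 50)
    (tmp / "NOTES.TXT").write_bytes(DATACRIME_II_SIGNATURE)  # not executable: skipped
    return scan_tree(tmp)
```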
------------------------------
Date: 28 Sep 89 13:27:06 +0000
From: cpsolv!rhg@uunet.UU.NET (Richard H. Gumpertz)
Subject: Tiger teams attempting to penetrate corporate machines at night
Why should such a "tiger team" work under cover of dark? Why not "surprise
inspections"? "We're from virus security and we're here to help you ..."
--
==========================================================================
| Richard H. Gumpertz rhg@cpsolv.UUCP -or- ...uunet!amgraf!cpsolv!rhg |
| Computer Problem Solving, 8905 Mohawk Lane, Leawood, Kansas 66206-1749 |
==========================================================================
------------------------------
Date: 28 Sep 89 20:57:36 +0000
From: cosc75a@uhnix1.uh.edu (Parameshwaran Krishnan)
Subject: New virus on a PC ??
Hi,
I am working in the College of Business Admin. of the Univ.
of Houston, in the RICS Dept. I manage Novell Networks
there.
Today there was a report of a virus in a floppy disk.
I am listing its features below; anybody who has seen it before,
please inform me
1. how destructive it can be .
2. How can it be disinfected.
Features :
1. It seemingly attaches to an exe file. When u try to execute
the file it says that the very same file was not found (??)
and asks for a path (in this specific instance it was a
Wordperfect file. If u executed wp, it said wp.exe not found.
Please give a path like c:\wp\wp.exe. I have a feeling that it
does this to infect the harddisk too). If the path is given then
it goes bonkers.
2. In this case it created a hidden file called
Wordperf.cet. It also screws some exe files on the hard disk.
It took up 660 bytes extra and wrote the wp.exe back again on
the disk. I think this might be the virus code.
If u want any other feedback please e-mail me and i will
send it to u.
Thanks in advance,
P Krishnan (cosc75a@uhnix1.uh.edu)
(create a virus free computer world)
------------------------------
Date: Thu, 28 Sep 89 13:48:53 -0400
From: unhd!stm@uunet.UU.NET (Steven T Mcclure)
Subject: Virus detector program (PC)
I would be very interested in seeing this program posted, as I don't
know much at all about viruses. I have an AT&T PC6300 with MS-DOS 3.0
with a HD, and would like to be able to find out if I have any viruses
currently, and would also like to be told if a new one is being
introduced into the system. I don't have ftp access, so I would
rather see it posted to c.b.i.p, and there are probably other people
who know about as much as I do who would be interested also, but
aren't news/ftp/bbs wizards. Thanks.
-- Steve
------------------------------
Date: Thu, 28 Sep 89 21:02:15 +0000
From: time@oxtrap.oxtrap (Tim Endres)
Subject: Re: Anti-viral hard disk controllers
Virus infection is not *spread* via hard disks. Floppies and modems
are the *movement* medium. I am not sure what advantage this read only
hard disk has over simply monitoring the checksum of an application.
More importantly, not all computer systems have "read-only"
executables. Most notably, the Macintosh stores code in the resource
fork of an application, which is *frequently* modified. The move to
distributed execution from file servers is slowly changing this, but
it remains an issue.
We have a program that, once run against an executable, makes it
IMPOSSIBLE for a virus to infect that application and be executed.
Infection is still possible, but the application will never execute
again, thus stopping propagation. This is simply a check sum of the
executable set up in a way to inhibit execution once infection has
occurred. The use of a quick key word entered by the user at run time
prevents the virus from "intelligently" bypassing the check sum.
This solves only one facet of the problem, but a large facet it be.
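As an added example (not the program Endres describes, whose internals the post does not give), here is one way to realise a keyed run-time self-check in Python: the seal is an HMAC-SHA256 over the executable image under a keyword the user types at run time, so an infector that rewrites the image cannot recompute a matching tag. The image bytes, keyword and MAC choice are assumptions.

```python
"""Keyed run-time self-check in the spirit of the scheme described above."""
import hashlib
import hmac
from typing import Callable


def seal(image: bytes, keyword: str) -> bytes:
    """Keyed checksum (HMAC-SHA256) of the executable image.
    The keyword is typed by the user at run time and stored nowhere, so an
    infector that modifies the image cannot produce a matching tag."""
    return hmac.new(keyword.encode("utf-8"), image, hashlib.sha256).digest()


def verify(image: bytes, keyword: str, tag: bytes) -> bool:
    """Constant-time comparison of the stored tag against a fresh seal."""
    return hmac.compare_digest(seal(image, keyword), tag)


def guarded_run(image: bytes, keyword: str, tag: bytes,
                execute: Callable[[bytes], None]) -> bool:
    """Execute the image only while it still matches its seal; otherwise refuse,
    which is what halts propagation in the described design."""
    if not verify(image, keyword, tag):
        return False
    execute(image)
    return True


def demo() -> tuple:
    """Constructed walk-through: seal a tiny image, then try an altered copy."""
    original = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 32   # constructed COM-style stub
    tag = seal(original, "quick keyword")
    runs = []
    ran_clean = guarded_run(original, "quick keyword", tag, runs.append)
    altered = original + b"\xeb\xfe"                    # constructed appended bytes
    ran_altered = guarded_run(altered, "quick keyword", tag, runs.append)
    # Knowing the algorithm but not the keyword is not enough to forge a tag;
    # an unkeyed checksum of the altered image would be trivially recomputable.
    forged = seal(altered, "guessed keyword")
    return ran_clean, ran_altered, verify(altered, "quick keyword", forged), len(runs)
```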
------------------------------
Date: Thu, 28 Sep 89 21:07:32 +0000
From: time@oxtrap.oxtrap (Tim Endres)
Subject: Re: Review of NIST anti-virus paper...
> Discussion of the NIST virus paper...
The paper forwards the myth that programs obtained from public sources
(bulletin boards; public network libraries) are inherently tainted,
and that shareware/freeware/etc. should really be avoided.
By the same token, the paper forwards the myth that commercially
obtained applications are inherently untainted.
Sounds like the committee was seated with commercial software vendors!
------------------------------
Date: 28 Sep 89 20:38:05 +0000
From: mrsvr!gemed.mrisi!davej@csd4.csd.uwm.edu (David Johnson)
Subject: When is a virus not a virus?
The following article copied without permission from the Milwaukee
Sentinel, Thursday, September 28, 1988 to promote discussion
on the ethics involved, legal implications (especially if
Lab Force didn't answer their phone on a Saturday :-)), etc.
I have no interest nor association with any of the parties mentioned
in the article below; I just thought it would provide some interesting
beginnings for discussion. I'm especially interested in hearing about
"good faith" legal ramifications of the software described below.
=== BEGIN ARTICLE
"FIRM SAYS 'VIRUS' ENSURES PAYMENT"
By Mike Mulvey
Sentinel staff writer
The "viruses" that allegedly infected a computer system serving three
Milwaukee-area hospitals were actually fail-safe devices installed by
the manufacturer to ensure payment on the system, the company's president
said Wednesday.
Robert C. Lewis, president of Lab Force Inc. in Dallas, Texas, vehemently
denied allegations that his company intentionally introduced viruses to
sabotage the computer network that provided laboratory test results.
"The allegations are totally without merit," Lewis said. "It is insane."
"We have not and never will cause a virus to disrupt a computer system."
Federal Judge John W. Reynolds issued a temporary restraining order
Tuesday barring the Dallas company from introducing any more alleged
viruses into the computer system.
The computer network run by Franciscan Shared Laboratory Inc. services
St. Michael and St. Joseph's Hospitals in Milwaukee and Elmbrook
Memorial Hospital in Brookfield.
Franciscan, of 11020 W. Plank Ct., Wauwatosa, filed a lawsuit Tuesday
in Federal Court, alleging Lab Force introduced a computer virus that
disabled the system Sept. 16 and another virus scheduled to be
activated Nov. 15.
The suit alleged actions by Lab Force were endangering the lives of
patients at the three hospitals. A hearing on the case is scheduled
for Oct. 6 in Federal Court.
"We will let the evidence speak for itself. We've done what we believe
is in the best interest of our client and its patients," said attorney
John Busch, who is representing Franciscan.
"Lewis may deny allegations of sabotage, but he doesn't deny the fact
that the system was down."
Lewis said the system began operation in April 1988, although Lab Force
still is adding to the network.
He said the system always had had a "key," a device that locks out the
user if a payment schedule isn't kept or a licensing agreement isn't
honored.
Although Franciscan had been making its payments on time, the key that
originally was set to shut down the system Sept. 16 was not rescheduled
for a later date because of a mistake by a Lab Force technician,
Lewis said.
When the technician was notified that the computer system shut down
Sept. 16, he immediately corrected the problem by rescheduling the key
for Nov. 15, said Jerry Levine, a consultant for Lab Force.
"It was a mistake. Our operator screwed up. There has never been a
virus in there. There has only been a simple key."
"Keys are commonly used by hundreds, if not thousands, of software
companies," Levine said. "Until software is accepted and paid for,
the only protection a software company has against the equipment being
stolen is to place a key in the system."
Lewis said Lab Force was considering filing a countersuit against
Franciscan for damage done to the Dallas company's reputation.
=== END ARTICLE
--
David J. Johnson - Computer People Unlimited, Inc. @ GE Medical Systems
gemed!python!davej@crd.ge.com - OR - sun!sunbird!gemed!python!davej
"What a terrible thing it is to lose one's mind." - Dan Quayle
------------------------------
Date: Thu, 28 Sep 89 12:30:50 +0000
From: Fridrik Skulason <frisk@RHI.HI.IS>
Subject: Cascade in Sargon III (PC)
I just received a report of a shrink-wrapped and write-protected copy of
Sargon III arriving infected with the cascade (1704-A) virus.
The store selling the program did not have any more copies, but since they
do not allow the return of games, the disk must have been infected outside
of Iceland. Has anybody else found an infected original of this
program?
--- frisk
------------------------------
Date: Thu, 28 Sep 89 07:19:19 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: ViruScan Length (PC)
John McAfee asked me to forward the following message:
My apologies to the VIRUSCAN user community about my premature
announcement some months back that VIRUSCAN would always remain 34400
bytes long. I am old enough to have known better. Architectural
changes brought about by newer viruses have necessitated a changing
size for some versions. Version 39, in particular, has been virtually
re-written to double its speed, link with the SHEZ program to scan
archived files and provide an individual file scan if requested. Such
changes can't be squeezed into the original 34400 bytes. I accept the
title of idiot from anyone who wishes to confer it on me. Future
versions of SCAN will contain the file size in the documentation, and
sizes will be appropriately advertised. John McAfee
------------------------------
Date: Thu, 28 Sep 89 14:48:00 -0600
From: Frank Simmons <FSIMMONS%UMNDUL.BITNET@VMA.CC.CMU.EDU>
Subject: Oct 13 PC virus question
I am the editor of our Computer center newsletter. I want to include
an article in our early October issue about this Oct 13 virus. Has
anyone any concrete facts about this I can relate and secondly what
hope/vaccines can I offer my readership?
Frank Simmons
------------------------------
Date: Thu, 28 Sep 89 18:47:36 -0500
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: FixCrime.arc (PC)
New anti-viral, sent directly to me by the author.
fixcrime.arc
Will fix files infected by DataCrime virus. Operates only
on .COM files, not .EXE. Has programs to combat three
different strains of DataCrime. *Use with caution!*
FIXCRIME.ARC Removes infections of DataCrime virus
Jim
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253