VIRUS-L Digest Thursday, 5 Oct 1989 Volume 2 : Issue 213
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Pointer to Cohens publications
Re: Followup on new virus (Mac)
Re: Why not change OS?
About the DH&S proceeding(s)...
Re: OGRE virus in Arizona (PC)
Increasing rate of virus appearances
Binghamton Jerusalem-B virus - The day after. (PC)
M-1704 question (PC)
WSMR newspaper article on Anti-Virus program
---------------------------------------------------------------------------
Date: Wed, 04 Oct 89 19:18:50 -0500
From: Christoph Fischer <RY15@DKAUNI11.BITNET>
Subject: Pointer to Cohens publications
Hello
I need the exact bibliographic data of Fred Cohen's dissertation
and publications in the field of computer viruses.
If there exists a downloadable printfile with such material I would
be very happy about any hints.
Thanks Chris
*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
------------------------------
Date: 04 Oct 89 18:09:20 +0000
From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Re: Followup on new virus (Mac)
In article <0004.8910041115.AA07054@ge.sei.cmu.edu>
eplrx7!milbouma@uunet.UU.NET (milbouma) writes:
>I can recommend Symantec's new antiviral package, SAM, which will flag
>any abnormal writes from an application (like Vaccine if you're
>familiar with it, but better than Vaccine). SAM will at least protect
>your machines from getting infected and also has a Virus scanner
>program that scans for known viruses and can also repair irreplaceable
>apps that are infected. Part of the protection init also will ask you
>if you want to scan a floppy for known viruses whenever you insert
>one.
Of course, as an alternative to SAM, you can save yourself a lot of
money and go with GateKeeper 1.1.1, which has not only been stopping
viruses around the world 6 months longer than SAM (and all the other
johnny-come-lately commercial systems), but is completely free.
Furthermore, I gather that GateKeeper is significantly more
configurable than SAM insofar as it maintains a privilege list which
can be easily viewed and edited (I've never used SAM, so I don't speak
from first-hand experience on this point, but people assure me that
it's a *very* important difference in practice).
If you need telephone support, though, SAM is clearly better for
you... the closest thing to interactive support available with
GateKeeper is email.
GateKeeper doesn't provide a virus-scanner, but with Disinfectant
available (also for free) it's not much of a problem.
One other thing that makes GateKeeper unique in the world of Macintosh
anti-virus systems is that it keeps a log file that details exactly
what virus related operations have been attempted, when, by whom and
against whom.
GateKeeper 1.1.1 (as well as Disinfectant) is available from most
archive sites, including a local system, ix1.cc.utexas.edu in the
microlib/mac/virus directory.
Well, happy virus hunting no matter what system you choose,
- ----Chris (Johnson)
- ----Author of GateKeeper
------------------------------
Date: Wed, 04 Oct 89 17:01:06 -0400
From: Tim Endres <time@oxtrap.aa.ox.com>
Subject: Re: Why not change OS?
Better than changing OS to get better virus "resistance", why not
encourage the systems designers at Apple and IBM to implement
protection in their respective operating systems?
An entire document dedicated to stopping virus activity at the OS
level was mailed to John Sculley at Apple. Yet, to this day, even with
an entire new OS release, not one of the suggestions given has been
implemented! I am sure that there are many complex issues facing a
company such as Apple, with regards to this problem, and changes at
the OS level to deal with viruses will, and probably should, be slow.
Further, I must give Apple credit for the action they did take when
Macintosh viruses first surfaced. In some cases, they sent their own
engineers to infected sites for investigation and assistance. They
were the first to engage in "Virus Awareness" campaigns.
Unfortunately, we have seen no work at the OS level.
What users should be doing, is overtly pressuring computer
manufacturers to address this need at the OS level, and start buying
equipment from vendors who move in that direction.
------------------------------
Date: Wed, 04 Oct 00 19:89:18 +0000
From: utoday!greenber@uunet.UU.NET (Ross M. Greenberg)
Subject: About the DH&S proceeding(s)...
I wasn't too happy with the end result of what DH&S (Steve Ross works
for them) produced. The invitational excluded a number of people
(including me, so this might be a biased report). The only person
there really familiar with the world of PC and other micro viruses was
Pam Kane (Panda Systems & Dr. Panda Utilities - good stuff!).
They spent a great deal of time on nomenclature. Something like two
days. Very little on practical "how-to's" or anything at all of a
technical nature. The conclusion of the report is basically a
sales-promo piece on why you should hire DH&S consultants if you have
a virus problem or wish to make sure you don't get one.
I consider this mailing list *considerably* more informative,
objective, and honest.
Note: I ended up attending the symposium, then being asked to leave
when I mentioned that it seemed inappropriate to give this little
meeting any credibility when only three or four people there, out of
the 50 or so who presented, had *ever* seen a virus. To be honest, I
was a gate crasher.
Ross M. Greenberg
Author, FLU_SHOT+
------------------------------
Date: 04 Oct 89 23:15:47 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Re: OGRE virus in Arizona (PC)
In article <0011.8910041808.AA09177@ge.sei.cmu.edu> WIER@NAUVAX.BITNET writes:
| Because the OGRE virus operates at such a "low level," none of the
| existing virus detection/elimination programs currently in existence
| for the IBM PC will work.
|
| FUTURE VIRUS DETECTION IDEA
|
| Checksum the boot blocks.
The new program BootChek goes one better than this. It will compare the
entire boot block with a secured copy. Since it is small, this comparison
is fast, and better than a checksum. If a change is detected, the computer
is halted. WARNING: This will detect any *change* in the boot block.
If you start with an infected system, this won't help.
- --
Jim Wright
jwright@atanasoff.cs.iastate.edu
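
The difference between checksumming a boot block and comparing it in full against a secured copy, as an added example (not part of the digest and not BootChek's code). The function names, the 16-bit additive checksum and the 512-byte sample sector are assumptions constructed for illustration.

```python
# Added illustration: full boot-block comparison versus a simple checksum.
# All names and sample data are constructed; this is not BootChek's code.
SECTOR_SIZE = 512

def additive_checksum(block):
    """16-bit sum of all bytes, standing in for a simple boot-block checksum."""
    return sum(block) & 0xFFFF

def diff_offsets(baseline, current):
    """Return every byte offset where `current` differs from the secured copy."""
    if len(baseline) != len(current):
        raise ValueError("boot block size differs from secured copy")
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]

def check_boot_block(baseline, current):
    """Compare against the secured copy; 'halt' is set on any change at all."""
    offsets = diff_offsets(baseline, current)
    return {
        "checksum_match": additive_checksum(baseline) == additive_checksum(current),
        "changed_offsets": offsets,
        "halt": bool(offsets),
    }

def make_sample_sector():
    """Constructed 512-byte sector: filler bytes plus the 0x55AA signature."""
    sector = bytearray(b"\x90" * SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

def make_modified_sector(baseline):
    """Constructed change: two bytes altered so that the byte sum is unchanged."""
    sector = bytearray(baseline)
    sector[100] += 1   # 0x90 -> 0x91
    sector[101] -= 1   # 0x90 -> 0x8F
    return bytes(sector)

if __name__ == "__main__":
    secured = make_sample_sector()   # must be taken from a known-clean system
    result = check_boot_block(secured, make_modified_sector(secured))
    print("checksum still matches:", result["checksum_match"])
    print("changed offsets:", result["changed_offsets"])
    print("halt:", result["halt"])
```

The checksum reports no change while the byte-for-byte comparison flags both altered offsets; a secured copy taken from an already modified disk would report nothing in either case.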
------------------------------
Date: Wed, 04 Oct 89 20:39:29 -0400
From: RREINER@YORKVM1.BITNET
Subject: Increasing rate of virus appearances
It is my impression, judging primarily from reports on VALERT-L, that
the rate at which new viruses are appearing has accelerated
substantially in recent weeks. There was previously what seemed a
stable rate of one new virus every few weeks; this seems now to have
become one new virus every few days. Has anyone been keeping more
careful records? What is the rate of increase of the rate of
increase?
Richard J. Reiner BITNET == rreiner@vm1.yorku.ca
Internet == grad3077@writer.yorku.ca
Compu$erve == 73457,3257
------------------------------
Date: 05 Oct 89 04:31:42 +0000
From: consp06@bingvaxu.cc.binghamton.edu
Subject: Binghamton Jerusalem-B virus - The day after. (PC)
Thanks to all of you who responded so quickly to my messages for help.
We now have several programs that will arm us in controlling the
virus. Any more messages, although appreciated, are unnecessary.
It's good to see that people are so eager to help when a crisis
occurs.
-Robert Konigsberg
------------------------------
Date: Wed, 04 Oct 89 15:07:00 -0400
From: Jim Shanesy <JSHANESY%NAS.BITNET@VMA.CC.CMU.EDU>
Subject: M-1704 question (PC)
We (Don Kazem of our Technical Systems group, and myself, a
programmer/analyst) have just downloaded M-1704.ARC from the Homebase
bulletin board and found upon reading the documentation that SCANV40
is supposed to detect M-1704.EXE as a virus. It does not. We both
ran SCANV40 (also obtained from Homebase) on our respective hard disks
and SCAN reports them both as clean.
Don's machine is a PS/2 Model 70 with ESDI-controlled 120 Meg hard
disk, and mine is a PS/2 Model 60 with ESDI-controlled 66 Meg hard
drive. We are reluctant to run this program until we verify that it
is not indeed infected, since its behavior is different from that
described in the documentation.
Any comments, Mr. McAfee?
[Ed. I believe that the newer ViruScan versions were modified to *not*
produce this false alarm; perhaps Mr. McAfee can confirm this.]
**********************************************************************
Jim Shanesy JSHANESY@NAS.BITNET
Office of Computer and Information Technology
National Academy of Sciences
2101 Constitution Ave., NW
Washington, DC 20418
(202)-334-3219
**********************************************************************
------------------------------
Date: Wed, 04 Oct 89 12:58:00 -0600
From: Chris McDonald ASQNC-TWS-RA <cmcdonal@wsmr-emh10.army.mil>
Subject: WSMR newspaper article on Anti-Virus program
THE WSMR ANTI-VIRUS PROGRAM
The subject of computer "viruses" has attracted considerable
attention in the last three years. The publicity of a Columbus Day
virus and the continuing infection rates of several Friday the 13th
viruses has pointed out the necessity of ensuring all users are aware
of common sense policies and procedures to minimize the threat of
viral attacks. This article attempts to describe our virus defense
program at the Range.
We at White Sands have a unique history in viral research.
In the summer of 1984 we at White Sands Missile Range sponsored a
computer virus "experiment" by a University of Southern California
(USC) undergraduate, Mr. Fred Cohen. Fred went on to obtain his PhD
and has written and lectured extensively on the computer virus
phenomenon. So we have had some direct experience in the area at a
rather early stage.
The definition of a "virus" from Dr. Cohen's original research
work is short, but extremely important to understand some recent viral
attacks. He defined a "virus" as "a computer program that can infect
other programs by modifying them to include a possible evolved copy of
itself." With the infection property a virus can spread throughout a
computer system or network using the authorizations of every user who
might use it to infect their own programs.
Viruses can spread on personal computers as well as on
mainframes. For a variety of reasons we have seen the majority of
viruses infecting personal computers. An Israeli researcher has
published a catalog of 77 identified MS-DOS viruses, including their
variations, as of 2 Oct 89. Other researchers have identified at
least 10 Macintosh viruses, including variations, as of 3 Oct 89.
"Variations" occur as individuals receive a copy of an original virus
and then make some change to it for the purpose of creating a "new"
virus.
If a "computer virus" is similar to a "biological virus," then
could one apply the defenses or at least the methodology used to
counter infectious human diseases to the issue of automation security?
On the assumption that the comparison holds, then prevention,
treatment and education would seem logical control measures.
We can limit our exposure to computer viruses by controlling
and by monitoring the source of our software. We can "buy" from
reputable sources. We can apply the two-person rule to the
development and to the review of software which we develop in-house.
If we must use public domain and shareware software, then we have an
obligation to observe the policies and procedures which our particular
organization has for the acquisition, control and testing of such
software. Users should also be aware that certain tenant activities
at WSMR prohibit the use of public domain software.
We have at our disposal both commercial and shareware software
products to detect known computer viruses. We have advertised over
the Workplace Automation System (WAS) electronic bulletin board the
availability of VIRUSCAN which specifically detects several Friday the
13th and Columbus Day viruses identified as the DatacrimeI and
DatacrimeII viruses. Users can contact either Bob Rothenbuhler, the
installation systems security manager, at 678-4236, or Chris
McDonald, an ISC information systems management specialist, at 678-4176
for assistance.
There are a variety of "disinfectant" programs for the MS-DOS
and for the Macintosh worlds which we maintain in the event of a viral
outbreak. We also have access to the resources of the National
Computer Security Center (NCSC), the Computer Virus Industry
Association (CVIA), and the Computer Emergency Response Center (CERT)
in the event of viral attacks. While it is impossible to stockpile
all possible "treatment" remedies, we have at least a good foundation.
Finally, an article such as this serves to "educate" you, the
user community, as to the threats and to some of the defenses
applicable to the computer virus problem. We have available a
briefing on computer viruses entitled "Everything the New England
Journal of Medicine will never tell you!" which discusses this
subject in some detail. The Information Systems Command has also
initiated an eight hour training class, "Protection of Automation
Resources", which will address the whole subject of automation
security, to include viruses. Both Bob and Chris are always available
to answer specific questions and to assist users within their
respective fields of interest.
While we cannot eliminate computer viruses, we can maintain a
program of prevention, detection and education to minimize the
possibly negative impact on our computing environment. Using good
common sense computing practices can reduce the likelihood of
contracting and spreading any virus.
- Backup your files periodically
- Control access to your PC or terminal and limit use to those people
whom you know and trust
- Know what software should be on your system and its characteristics
- Use only software obtained from reputable and reliable sources
- Test public domain, shareware, and freeware software before you use
it for production work
- If you suspect your PC contains a virus, STOP using it and get
assistance
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253