home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.36
< prev
next >
Wrap
Text File
|
1995-01-03
|
13KB
|
311 lines
VIRUS-L Digest Monday, 6 Feb 1989 Volume 2 : Issue 36
Today's Topics:
re: Malicious program classification
Locking out floppy drive boot (PC)
RE: floppy boot (PC)
courses in viruses
re: Hardware lock (PC)
Re: Mac Gatekeeper problems
Virus Attack (PC)
INIT 29 Virus (Mac)
Sneak Virus (Mac)
(c) Brain Virus (PC)
---------------------------------------------------------------------------
Date: 3 February 89, 12:15:38 +0100 (MEZ)
From: Otto Stolz <RZOTTO@DKNKURZ1.BITNET>
Subject: re: Malicious program classification
Hello fellow-huntsmen,
> A kind of "standard notation" [...] in a single sequence of characters.
We should definitely use consistent terminology, but let it not be too
terse. You should be able to understand a program-description without
referring to some "code-book".
> three kinds of programs - Trojans, worms, and viruses [...]
> CHRISTMA.EXEC would be a fWOR (as far as I know) under this notation.
The term "worm" is widely used (as far as I'm aware) for a program
that spreads over a network without human intervention, using the RJE
services of the network. (The Internet-worm exploited a bug in the
"fingerd" program, and a backdoor in the "sendmail" program, both
providing unauthorized, RJE-like services.)
CHRISTMA EXEC was definitely not a worm, but something which doesn't
fall within one of Ken H's categories: It was a Trojan horse whose
unexpected action involved sending copies of itself all around the
network; hence, it depended on human intervention, as any virus or
Trojan. Supposedly, the term "rabbit" I read recently in a survey was
meant to apply to this sort of beast? (Btw: I'm still waiting,
eagerly, for the results of that survey to be published in VIRUS-L
...)
Hence, we should adopt a more complete terminology for our zoo!
> three methods of activity - hardware, error, and feature exploitation
As to my opinion, this distinction is not so important for
(short-range) virus/worm/&c defeating; it bears more on (long-term)
strategies for systems-architecture developping. Moreover, most virus
strains do not fall neatly within one of these categories. (Somehow,
the hardware is exploited by every piece of code, isn't it? :-)
Hence, I'd drop this issue for virus catalogues, alerts and the like.
However, Ken H has not mentioned a much more important distinction in
the modes of operation. If we adopt some formalism, we definitely
should include this one: Link-virus vs. System-Virus.
This distinction only applies to viruses, dividing them into two sub-
categories.
- -- A link virus incorporates itself into application-programs or system
parts wich are invoked like application-programs (e.g COM, EXE, and
OVL files in MS-DOS; MODULEs in CMS). If some virus only incorporates
itself into application-programs of some particular form, this behavi-
our should be accounted for in the term (e.g. Blackjack is a COM-virus
for MS-DOS).
- -- A system virus incorporates itself into a part of the operating system
that is invoked in some particular way (e.g. a Boot-Sector Virus, a
COMMAND.COM-Virus, or a KEYB.COM-Virus in MS-DOS).
Maybe, there are similar distinctions to be drawn in other areas, e.g.
for worms. Opinions?
Btw, a German group around Prof. Klaus Brunnstein at Hamburg is
currently evaluating a sample of various virus strains for Amiga,
MacIntosh, Atari, and MS-DOS systems (about two dozen, altogether) and
of anti-virus soft- ware. They have started compiling two catalogues
(virus/antivirus) and publishing them on a BB in Germany. The
distinction between "link" and "system" virus stems from them. They
also have started translating their catalogue to English. I suppose,
they are currently checking with Ken [vW, this time], whether it can
be made available on LISTSERV at LEHIIBM. We'll probably read more of
this endeveaour, shortly.
Good hunting|
Otto
------------------------------
Date: Fri, 3 Feb 89 09:49:24 EST
From: "Bret Ingerman 315-443-1865" <INGERMAN@SUVM.ACS.SYR.EDU>
Subject: Locking out floppy drive boot (PC)
James Ford asks about locking a hard disk to always boot from drive
C: but still have drive A: available.
It depends on the type of computer. We have a Zenith AT that can
easily be set up to do this. By pressing "ALT-CTRL-INS" a
configuration menu pops up. You can then specify what drive to boot
from. You can specify always boot from drive A:, always from C:, or
to try A: first and then C:
Hop this helps.
Bret Ingerman INGERMAN@SUVM.bitnet
Syracuse University
------------------------------
Date: Fri, 3 Feb 89 09:50 MST
From: GORDON_A%CUBLDR@VAXF.COLORADO.EDU
Subject: RE: floppy boot (PC)
re: computers booting from drive C instead of Drive A: I presume that
you have some sort of IBM PC compatible system. The boot process is
controlled by the BIOS which is on a ROM chip on the motherboard. In
older PC's and for example the old COMPAQ portables, the BIOS was not
written to recognize a hard drive. Thus an upgrade is required. That
is you need to purchase a new version of the BIOS. In the old COMPAQ
portables, this costs about $50. In addition, you may need to replace
the power supply as well
Allen Gordon
------------------------------
Date: Fri, 3 Feb 89 14:00 EST
From: Les Gotch <Gotch@DOCKMASTER.ARPA>
Subject: courses in viruses
In reply to Stan Horowitz's question about COMPUSEC courses at
universities on December 16, 1988:
The Information Security Education Office of the National Security
Agency has worked with members of the academic community and developed
several Computer Security Education Modules. They were designed for
inclusion in college curricula and range from lower undergraduate
courses through graduate level. The undergraduate modules can be
incorporated into an existing course structure of a computer science,
engineering, business, or an information science department curricula.
The following Computer Security undergraduate modules are intended to be
used in either a computer science or engineering curricula. They are
entitled: Introduction to Information Protection, Database System
Security, Network Security, Formal Specification and Verification,
Operating Systems Security, and Risk Analysis. These modules are
available for any university or college upon request.
In addition, there are seven Information Security undergraduate modules
designed to stand alone as a course or comprise part of a business or
information science curriculum. The modules include: PC/Workstation
Security, Security Fundamentals, Introduction to Information Protection,
Information Security Legislation and Liability, System Security,
Communications Security, and Corporate Security Management.
The University of Maryland's Engineering Department is offering, during
the spring 1989 semester, four computer security graduate courses.
These courses are the first four of nine to be developed that permit a
student to plan a degree program with a concentration in the area of
computer security. They are entitled: ENEE 748A Architecture for
Secure Systems, ENEE 748B Networking and Network Security, ENEE 748F
Theoretical Foundations of Computer Security, and ENEE 748G Operating
System Security.
Janet Meeks, (301) 859-4477
------------------------------
Date: 3 February 89, 20:11:49 +0100 (MEZ)
From: Otto Stolz <RZOTTO@DKNKURZ1.BITNET>
Subject: re: Hardware lock (PC)
> is there any way to (hardware) fix drive "A" so that the computer will
> ... boot from C always, read/write from A and C ?
We use the "SafeGuard Plus" card for this purpose.
It'll also fix drive B the same way.
We never have experienced any boot-virus :-)
Otto
------------------------------
Date: Fri, 3 Feb 89 21:37 GMT
From: Danny Schwendener <SEKRETARIAT@CZHETH5A.BITNET>
Subject: Re: Mac Gatekeeper problems
>Observed Problems:
> 1. Gatekeeper *DOES NOT* register inside the Control Panel
You need to reboot the system first. Apparently, the Gatekeeper
cdev appears only if the INIT has been executed. At least, I
had the same symptoms, which disappeared when I rebooted my
system.
> - ID = 02
> - ID = 03
> - ID = 22
> - ID = 15
Once you get it to work, Gatekeeper prevents any non-authorised program
from copying resources or/and changing file information. It just
returns an error status code. It's up to the application to perform
a correct error handling.
Unfortunately, many application programmers don't care a bit about
error handling. They don't check if the things have been done as
expected. In some cases, this will cause the application to crash.
Gatekeeper prevents efficiently abuses of the resource manager calls
by any programs (including viruses). Programmers will find it
extremely useful, because you can configure it to give full access of
the resource manager to *some* programs, like compilers. HOWEVER it
takes much more time to have it tuned correctly.
I recommend Gatekeeper to those it was written for, Programmers. Other
people should stick to the Vaccine CDEV.
- -- Danny Schwendener
- -- ETH Macintosh Support, ETH-Zentrum m/s PL, CH-8092 Zuerich
- -- Bitnet : macman@czheth5a UUCP : {cernvax,mcvax}ethz!macman
- -- Ean : macman@ifi.ethz.ch Voice : yodel three times
------------------------------
Date: Fri 03 Feb 1989 17:12 CDT
From: GREENY <MISS026@ECNCDC.BITNET>
Subject: Virus Attack (PC)
A virus which is purported to be of the BRAIN type has supposedly just
hit EIU (Eastern Illinois University). Has anyone got any info on how
to eradicate the bugger? I usually specialize in Mac stuff, but my
school (WIU) and EIU are on the same network so they asked for help
via a local Bulletin Board.
Any info will be appreciated. Also, I already told them to snag a
copy of NOBRAIN.C from the server...
Bye for now but not for long
Greeny
BITNET: miss026@ecncdc
Internet: miss026%ecncdc.bitnet@cunyvm.cuny.edu
Disclaimer: I only repeat what I hear that ain't classified!
------------------------------
Date: 03 FEB 89 21:12:33 CST
From: RBCSCG05 <COSTERHD@SFAUSTIN.BITNET>
Subject: INIT 29 Virus (Mac)
This "new" virus (to me at least) seems to be the most dangerous
so far -- attacking even data files ! Gone are the days of restoring
applications only.
Nevertheless, nothing may be available now to immunize against it
or remove it, but I think it can be "easierly" detected then through
RESEDIT and the like (especially since that is a dangerous application
to pry through your disk and programs, even knowing what you are
doing). Yes, I may be overly cautious, but you can never be when it
comes to viruses.
A program called VCHECK creates checksums of your applications and
creates a corresponding report with can be easily printed. After the
first checksums are done, subsequent ones will use the previous one to
see if anything has changed -- this includes if the applications may
have been moved, renamed or duplicated. You will be shown those that
may have changed.
VCHECK by Albert Lunde at Northwestern University. The version I
have is 1.3 (7/5/1988). I believe it is available at the VIRUS-L
archive on the network BITNET. I do not remember where I got my
from, but I know it was off the BITNET network. After a SCORES
virus hit me, I searched for any and all anti-viral software.
If you use a checksum method, keep the checksum document on a
separate disk so it will not be possibly corrupted (viruses or
otherwise).
Chris Osterheld <COSTERHD@SFAUSTIN.BITNET>
------------------------------
Date: Fri, 03 Feb 89 19:27:29 PST
From: Sam Cropsey <SAM@POMONA.BITNET>
Subject: Sneak Virus (Mac)
Has anyone dealt with the sneak virus? Well we have it and I sure do
not want it. If anyone has some info...please send it to me at:
SAM@POMONA or SCROPSEY@PCMATH. Thanks...
------------------------------
Date: Fri, 03 Feb 89 19:34:31 PST
From: "Sam Cropsey (Micro Coord. Pomona College)" <SAM@POMONA.BITNET>
Subject: (c) Brain Virus (PC)
I know much has been written concerning the Brain virus on PC's.
However, I do not get the chance to read all that is published on this
service. If anyone has some useful info on combatting the Brain, I
would greatly appreciate the help. My address is
SAM@POMONA OR SCROPSEY@PCMATH. Thanks for your help...
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253