home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl3
/
virusl3.34
< prev
next >
Wrap
Text File
|
1995-01-03
|
17KB
|
409 lines
VIRUS-L Digest Thursday, 8 Feb 1990 Volume 3 : Issue 34
Today's Topics:
AIDS Virus (Mac) and AIDS Trojan (Non-Mac)
WDEF-A arrives at Smith College (Massachusetts) (Mac)
Re: Are virus sources public domain software ?
Re: Virus Modeling
Mac Virus Harmlessness
WDEF, WDEF, WDEF (Mac)
W/1813 Virus (PC)
Anyone heard of the SYSLOCK virus? (PC)
Other progs identify trojans? (Mac)
copyrighting virus code
More about 847 (PC)
More on the new Mac Trojans
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 07 Feb 90 13:58:10 -0500
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: AIDS Virus (Mac) and AIDS Trojan (Non-Mac)
There is a Mac virus named AIDS. It's an nVIR-b clone (i.e., the
resources and code were modified to use resources of that name instead
of "nVIR"). It does the same stuff that nVIR does - i.e., reproduce
and sometimes beep when a program is launched. It does nothing
connected with the disease.
The non-Mac "AIDS Disk" being talked about lately is NOT connected
with the Mac at all. It was a program that purported to be a survey
which would tell you how much of a risk you had of contracting the
(non-computer) virus. It instead encrypted all of your files and
attempted to get you to mail $300-and-some to an address in Panama.
Clear?
--- Joe M.
------------------------------
Date: Wed, 07 Feb 90 13:52:00 -0500
From: PSHANNON@SMITH.BITNET
Subject: WDEF-A arrives at Smith College (Massachusetts) (Mac)
Our one and only Mac lab became infected with WDEF-A this past weekend.
Many thanks to John Norstad, Chris Johnson, and others for providing
tools to fight these things!
Peggy Shannon
Center for Academic Computing
Smith College
Northampton, Massachusetts
pshannon@smith.bitnet
------------------------------
Date: Wed, 07 Feb 90 13:57:28 -0600
From: davies@sp20.csrd.uiuc.edu (James R. B. Davies)
Subject: Re: Are virus sources public domain software ?
ZDEE699@ELM.CC.KCL.AC.UK writes:
> From: ZDEE699@ELM.CC.KCL.AC.UK
> Subject: Are virus sources public domain software ?
> Date: 5 Feb 90 10:31:39 GMT
>
> In VIRUS-L, V3-I29, Todd Hooper (<CHOOPER@acad.cut.oz>) writes:
> > What possible technique could you use
> > to make it illegal 'illegal to own or transmit virus code '? "
>
> Well, how about some reliable organisation (the CERT, for example)
> registering the source code under copyright laws ? Is virus code
> considered as public domain software ? I wouldn't think so ! If the
> source was copyright, then anyone having an unauthorized copy of it
> would be in illegality. In fact, one might even say that the virus
> itself is illegal on the grounds that it copies itself without
> authorization. Anybody who feel they *NEED* to keep the source in
> their possession should then also register or ask for authorization
> from the organisation holding the copyright.
>
> Olivier M.J. Crepin-Leblond
No, in order to register a copyright you must be the author of the work,
or have the rights explicitly assigned to you by the author.
(I wouldn't consider an organization reliable if they WERE the authors,
would you?)
I suspect that there is no good legal solution for the virus problem.
People who create viruses don't expect to get caught, and probably
wouldn't be deterred by the threat of legal sanctions. Also, it would
be an immense problem to prove who first released a virus in most (if
not all) cases. For example, the Internet worm case was not quite
open-and-shut, despite the following unusual facts:
1. The defendant admitted under oath that he did it
2. There was a law which explicitly forbade what he did
(i.e. unauthorized access to government computers with damage)
I would venture to guess that there are very few known virus authors out
there, even for the oldest, most widespread varieties. The Brain virus
seems to be the exception, but even in that case it would be a nightmare
to try to prosecute the perpetrators.
------------------------------
Date: Wed, 07 Feb 90 19:41:17 +0000
From: rwallace@vax1.tcd.ie
Subject: Re: Virus Modeling
gnf3e@uvacs.cs.Virginia.EDU (Greg Fife) writes:
> RWALLACE@vax1.tcd.ie writes:
>> As someone pointed out, a real
>>computer isn't a finite state machine because it includes the person
>>operating it
>
> A human being may or may not be a finite state machine, but the
> effect he he has on a computer system is merely to add a finite
> number of transitions to the computer. (Striking one of the finite
> number of keys changes the interrupt state on a PC, putting in
> a new disk changes many of the bits on that mass storage device).
>
> You can't model exactly which inputs the human will provide, but
> you can reason about behavior under any possible set of inputs.
> In effect, a person at a computer is running a huge finite
> automata through an input string consisting of his actions.
>
> Take the initial state to be one of the finite number of
> states which represents the introduction of the virus into
> the system. Mark the finite number of states which represent
> "infection" as final states. The question: "can infection occur"
> is merely the question "does this FA have a nonempty language."
> That question can be settled in finite time by testing the FA
> on every input string of length less than or equal to the number
> of states in the FA. Do this once for every initial "infection"
> state, and the result follows. :-)
Take a binary file editor. Or an interactive assembler. Or uudecode
reading from stdin. Any of these programs will take input from the
user and based on this input can reach most of the possible states of
the system, including those in which replication of the program can
occur. (I'm using "almost" in a loose sense: 2^990,000 is almost
2^1,000,000). So are these viruses? By your rationale they are. Or a
terminal emulator which based on input from the outside world could
cause infection (it could download an infected program from a bulletin
board). And what about a worm program that transmits itself to another
machine but does not infect other programs on the current machine?
Having said that, your method would be OK for most software, if you
only want to check for viruses not worms.
"To summarize the summary of the summary: people are a problem"
Russell Wallace, Trinity College, Dublin
rwallace@vax1.tcd.ie
------------------------------
Date: Wed, 07 Feb 90 16:32:24 -0500
From: Joe McMahon <XRJDM@SCFVM.BITNET>
Subject: Mac Virus Harmlessness
It's interesting, but up until now, most viruses on the Mac have been
"damageless" - the only reason the cause trouble is because of bugs
and incompatabilities, not deliberately harmful code. nVIR, at worst,
causes your Mac to beep in some cases (side effects are worse -
crashes, hangs, printing failures).
Perhaps we just haven't had the right (wrong?) people writing Mac
viruses so far. Any ideas?
--- Joe M.
------------------------------
Date: Wed, 07 Feb 90 16:38:46 -0500
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: WDEF, WDEF, WDEF (Mac)
>From: Jason Ari Goldstein <jg3o+@andrew.cmu.edu>
>
>Just like everywhere else the WDEF is thriving here at Carnegie-Mellon
>Univ. I recently removed WDEF A & B off of 15 disks of a friend of
>mine. When I commented to somone here about the virus they said there
>was nothing they could do to stop it, except remove it once a machine
>got infected.
Eradicate'em and Gatekeeper Aid both stop the virus and automatically
remove it from the disk as disks are inserted.
>I don't know much about Macs (Being a PC person) but if I understand
>correctly every time the disk is inserted the they Virus is spread to
>the disk...
Close enough; the default window definition procedure also has to be
invoked, and you have to be running under the Finder.
>Well, why doesn't someone write an innoculation directly
>based on the virus itself....
>The only problem with this is that it is a virus also, but with the
>proper prompts (allowing the user the choice of being innoculated) I
>don't think this would be a problem....
It might not be a problem on current Macs or current versions of the
System, but would be very likely to fail in future incarnations.
Also, available anti-virals probably wouldn't be able to tell the
difference between your "WDEF C" and a real infection, so well-meaning
disinfectors would wipe out your "inoculation". Finally, I think we
all agree that viruses to fight viruses simply help to continue the
upward spiral of virus technology, and that *any* virus has the
potential to cause damage under some circumstances. Worse, a virus
writer could take your supposedly harmless virus and hack it into a
virulent one. If your anti-virus virus contains your name, you might
have trouble convincing people (including law enforcement) that you
didn't write the nasy variant.
>In the mean time, about 75% of the time I in a cluster I remove WDEF A
>or B from either a hard disk or someone elses floppies.
Jason, if no one there has the programs I mentioned above, they are
available from our LISTSERV. Worst case, there is a very simple way
of getting rid of WDEF infections, and it's BUILT IN to the Mac!
When you insert a disk, hold down the Command and Option keys. You'll
get a message asking if you want to rebuild the Desktop file. Click "OK".
This will blow away any existing WDEF infection. The same can be done
for boot disks: just hold down those two keys after the "Welcome to
Macintosh" screen appears. You'll get the same dialog, to which you
respond in the same way. Nothing could be simpler. Rebuilding the
Desktop causes it to be thrown away, virus and all, and a new copy
built. Since WDEF doesn't live anywhere else, you're all set.
>From: Fung P Lau <LAU@ricevm1.rice.edu>
>
> I have recently read something about Disinfectant 1.6 from this
>newsgroup. Its author said that there was no Disinfectant 1.6...
At the time the message was posted, that was true. John Norstad created
1.6 since then, so versions of that program from sumex, John's node, or
the SCFVM LISTSERV are true, valid copies of Disinfectant 1.6.
>From: wcpl_ltd@uhura.cc.rochester.edu (Wing Leung)
>
> Can someone tell me is WDEF an illegal string in the resource code?
WDEF resources are "window definition procedure" resources. They define
how windows look and act. They are legal.
>How about the program called WDEF uploaded in comp.binaries.mac?
It's an alternate window definition procedure and is OK.
>In fact, I've found some WDEF resource code in system version 6.0.3.
> Please tell me more about this resource code.
That's the code that defines the standard Mac window (scroll bars,
go-away box, zoom box, etc). DON'T DELETE IT or your System file will
no longer be usable.
Whew.
--- Joe M.
------------------------------
Date: Wed, 07 Feb 90 15:16:15 +0000
From: mikem@gaudi.Berkeley.EDU (Mike Mize)
Subject: W/1813 Virus (PC)
I'm looking for info regarding the W/1813 virus. It seems that a PC
in one our campus labs is infected and we can't get rid of the virus.
Could someone please mail me info on symptoms and iradication methods
for this virus. I would greatly appreciate it.
|\ /| | | : Michael Mize
| \/ | * __ |__ __ __ | : C. S. U., Fresno MS 93
| | | | | | | | |__| | : Fresno, Ca. 93740
| | | |__ | | |__|_ |__ |_ : mikem@gaudi.CSUFresno.edu
------------------------------
Date: Tue, 06 Feb 90 15:46:15 +0000
From: jjsc@informatics.rutherford.ac.uk
Subject: Anyone heard of the SYSLOCK virus? (PC)
I'm posting this request on behalf of a friend who doesn't have access
to news. Also, I don't always read this newsgroup, so please mail any
replies direct to me. If there is sufficient response, I will
summarise to the net.
The subject line says it all really...does anyone know anything about
the so- called "SYSLOCK" virus, and in particular, how it works, how
to get rid of it? It has been discovered on "Compaq 286 & 386's and
PS2/30 + 20Mb HD". All my friend knows about it is that it appears to
add ~3500 bytes to files and spreads quickly!
Any help anyone could give would be much appreciated!
Thanks in advance,
John
===============================================================================
John Cullen || JANET : jjsc@uk.ac.rl.inf
System Support Group || ARPA : jjsc%inf.rl.ac.uk@nsfnet-relay.ac.uk
Informatics Department || BITNET: jjsc%uk.ac.rl.inf@ukacrl
Rutherford Appleton Laboratory || UUCP : {...!mcvax}!ukc!rlinf!jjsc
Chilton, Didcot, Oxon. OX11 0QX || VOICE : +44 (0)235 821900 ext 5739
===============================================================================
------------------------------
Date: Wed, 07 Feb 90 16:38:58 -0700
From: Peter Johnston <USERGOLD@UALTAMTS.BITNET>
Subject: Other progs identify trojans? (Mac)
To the best of my knowledge, only SAM and the VD string I specified
will identify these two trojans at the present time. I would assume
that the anti-viral software developers will be updating their
products fairly quickly, and would expect to see announcements fairly
quickly though.
One point I would like to re-iterate, as several people have contacted
me about it and I may not have been very clear in my original posting:
Neither the "Mosaic" nor the "FontFinder" trojans are viruses. Neither
has the ability to reproduce or self-propigate. The only way that
either of these applications can be duplicated is by a user copying
the file, or by up/down-loading the files to/from a BBS...
- - - - - - - - - - - - - - - - - - - - - - - - - -
Peter Johnston, Senior Analyst,
University Computing Systems, 352 - GenSvcBldg,
The University of Alberta, Edmonton, Alberta, CANADA
Voice: 403/492-2462 Bitnet: USERGOLD@UALTAMTS
- - - - - - - - - - - - - - - - - - - - - - - - - -
------------------------------
Date: Wed, 07 Feb 90 18:49:30 -0500
From: Steven C Woronick <XRAYSROK@SBCCVM.BITNET>
Subject: copyrighting virus code
M.J. Crepin-LeBlond <ZDEE699@ELM.CC.KCL.AC.UK> suggests that all you
have to do to make having virus code illegal (except for the
privileged few who obtain permission) is to copyright it. I'm no
lawyer, but it was my impression that once something has been released
in some form (uncopyrighted) to the general public, it could then
never be copyrighted. Even if you could copyright viral code, it's
not likely to discourage the kind of people who write viruses (aren't
those the ones you are really after?) from copying it. Also, what
happens if some virus-loving person copyrights it before you do and
then grants universal privilege to copy? Just wondering...
------------------------------
Date: Thu, 08 Feb 90 08:18:57 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: More about 847 (PC)
The "Bulgarian" 847 virus is closely related to the Amstrad virus.
They are not identical, however. The text is different, and some minor
changes have been made to the code.
It is however so similar that existing virus scanners can detect any
program infected with "847" (PIXEL), "345" or "299".
- -frisk
------------------------------
Date: 07 Feb 90 22:15:00 -0800
From: D1660@applelink.apple.com
Subject: More on the new Mac Trojans
More on the new Mac Trojans:
In response to Peter Johnston's message about the Trojans Mosaic and
FontFinder, I'd like to add a few things:
The Trojans hang (whether or not SAM denied the write attempt) due to
a bug in the code. When the bug is 'fixed', Mosaic goes on to give
further information to the user about what it has done.
As Peter mentioned, disks ARE undamaged if the Trojans' write attempt
is denied in SAM. All versions of SAM will alert you to this write
attempt with the message 'There is an attempt to bypass the file
system'. HOWEVER, this alert will only be given to the user if SAM is
configured in ADVANCED level.
Again, the best protection, as always, is to be sure your files are
backed up!
Paul Cozza
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253