VIRUS-L Digest Wednesday, 21 Feb 1990 Volume 3 : Issue 46
Today's Topics:
AIDS Copy Protection System
Copyright restrictions
WDef problems - it doesn't go away (Mac)
Effects on checksum programs (PC)
New variant of Cascade/1704 (PC)
F-PROT news (PC)
Certus (FoundationWare)
Gatekeeper 1.1.1?
WDEF details (Mac)
SCAN and the Brain (PC)
RE: Disinfectant 1.6 (Mac)
RE: Trojan Horses != Copy Protection
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
---------------------------------------------------------------------------
Date: Mon, 19 Feb 90 16:22:43 -0500
From: munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET (Ian Farquhar)
Subject: AIDS Copy Protection System
My article about the PC Cyborg AIDS Copy Protection System has
caused quite a bit of discussion, and I would like to publicly
reply to many issues that were raised.
1) FREE MARKET
Many writers pointed out that the program itself was garbage, and
justified their position (that it was a Trojan) with the argument
that the money for the program was far too much and thus the
program was an extortion racket.
Being an Australian, I am used to being charged extortionate
prices for software by both amateurs and professional companies.
The point that must be made, however, is that in a free market
economy the supplier can charge what they like. The idea is that
supply and demand will weed out the excessively priced garbage
from the reasonably priced quality items.
Using this principle, PC Cyborg can charge what they like. This
is not an effective argument either way.
2) THE ABSENCE OF THE REGISTRATION DISKS
It is presumed that PC Cyborg would have sent the defuser program
on receipt of the registration fee. Many people have pointed out
that this did not happen. I imagine that the US Military rolling
into Panama may have had something to do with that.
3) THE DEFINITION OF COPY PROTECTION
Copy protection, by my definition, is a device, system or
technique whereby the copyright holder can guarantee that the
terms of the license are followed.
Let us take the example of the color-bar system. The color bar
is a small sheet or sheets of pages containing a series of codes
that are matched to colors. The program, when started, asks the
user what color is found on page 2, row 4 column 19. If the user
answers correctly, then the program proceeds. If not, the
program usually asks a couple of times more, then takes action.
By the definitions of many of the writers, this would not be a
copy protection system (because it allows you to copy the disk).
However, it maintains the license agreements as only the person
in possession of the color-bar sheet can run the program, and it
is hard to cheaply copy a colored sheet.
The AIDS CP System was simply an extension of this. It allowed
copying of the distribution disk, and it allowed backing up of
the hard disk. All it did was to ensure that people who were
unregistered (and who were, I hasten to add, involved in a
criminal activity) would have a lot of trouble.
As for the concept of the user having legal control over what was
deleted from his/her hard disk, I cannot see this as a problem.
Multi-user systems have traditionally provided mechanisms for the
superuser to control the user's files with far more privileges
than the users themselves. This has never, to my knowledge,
caused any legal problems.
4) INAPPLICABILITY OF US LAWS
Many correspondents have quoted US laws and precedents at great
length. These are totally irrelevant, as the license agreement
prohibited importation into the US.
5) PRESUMPTION OF INNOCENCE
Under British law, there is a concept called the "presumption of
innocence". Put basically, someone is innocent until they are
proven guilty. It would be nice to know that this basic concept
is still followed, though I really do have my doubts.
If I were the defense lawyer with access to this newsgroup, the
first thing that I would have done is to take all of the relevant
articles that have appeared, and present them as evidence
prejudicial to the fair conduct of the trial.
6) CONCLUSION
I am left wondering about the motives of many of the writers.
There seems to be a fanatical, indeed almost religious zeal to
see anyone concerned with the generation of viruses and Trojans
convicted regardless of the evidence (or its lack).
There certainly seems to be a panic mentality at work here - the
illusion that quick action is necessary regardless of the
advisability of that action. There also is a strong reluctance
to change an opinion in the light of new evidence, which is very
worrying indeed.
I have always maintained that computer security experts and
employees of the intelligence services share many things in
common, primarily the huge and quite unwarranted sense of
paranoia. This whole discussion has only strengthened this view.
Disclaimer: My opinions are my own.
Ian Farquhar Phone : (612) 805-7420
Office of Computing Services Fax : (612) 805-7433
Macquarie University NSW 2109 Also : (612) 805-7205
Australia Telex : AA122377
ACSNet ifarqhar@macuni.mqcc.mq.oz.au ifarqhar@suna.mqcc.mq.oz.au
------------------------------
Date: Sun, 18 Feb 90 16:29:00 -0500
From: IA88000 <IA88@PACE.BITNET>
Subject: Copyright restrictions
When an item like a computer program is first created, it is my
understanding that it is immediately copyrighted. It is NOT REGISTERED
with the Copyright office until such time as you pay the ten dollar
fee and file the appropriate forms.
However, in the past some software has been released with a
copyright notice similar to:
XYZ DATABASE PROGRAM
Copyright 1987 as an UNPUBLISHED work
I have read the manual the copyright office will send you and find
that this is a legal way to copyright a program.
The questions are:
1) Was the AIDS program copyrighted? Did anyone bother to check to
see if an application was filed?
2) Assume for a moment that it was copyrighted. Can the copyright
be enforced and can the author collect damages?
3) Does the fact that a program appears to be and may be capable
of damaging a disk give anyone the right to violate a
copyright?
If you feel that statement three allows someone to violate a
copyright, consider this for a moment.
One of the major copy protection companies uses a scheme which
encrypts one or more tracks of a hard disk drive when someone
installs a copy protected program.
Until such time as the copy protected program is removed the
encrypted tracks are useless,(in fact some people may even call
them damaged) to any program other than the copy protected
program which was installed.
It really is the same thing. If a program is copyrighted, the
fact that it may be a virus, a trojan horse or a legitimate copy
protection package does not imply that it is fair game for some
people to hack apart and provide information about at will.
If in fact the same discussions and information were disclosed
regarding a major company in the spreadsheet market, that company
might (and has in the past) taken legal action against people who
disclosed information or transferred copies of the program.
Do not get me wrong, I think what was done by the creator of the
AIDS trojan was wrong, and he/she should be punished. However the
assumption that just because a copyrighted program happens to be
a virus or a trojan, and as such copyright law may be ignored is
also wrong.
*****************************DISCLAIMER*************************
The views expressed are my own! I do not speak for, nor do I
represent any other person, company or educational institution.
*****************************DISCLAIMER*************************
------------------------------
Date: Mon, 19 Feb 90 01:22:00 -0600
From: "Paul Duckenfield (Consultant, User Services)" <DUCKENFP@carleton.edu>
Subject: WDef problems - it doesn't go away (Mac)
As I mentioned in a previous message, we have had (and
probably still have) WDef B running about Carleton College's Macintosh
community. So far, it appears to have restricted itself to the public
labs and has yet to break into the general computing community. I have
found that RAM disks on public Macintosh Pluses have greatly limited
the spread of the virus because no single machine can have the virus
for very long (invariably, we have to reboot each machine every couple
of hours). Even if a RAM disk is infected, it is unlikely to infect
many other users since the RAM disk will be reset in a matter of
hours. This is our first line of protection. At the moment, we are
redoing the master RAM startup disks so that they have WDef protection
as well. That will be our second line of defense. Our final line of
defense is (hopefully) the responsibility of the individual user to
obtain virus protection from the Micro Lab and put it on his
Macintosh. With a good bit of publicity, this might be successful.
Another problem which we have had to deal with is recurring
system crashes on our AppleShare servers even after the eradication of
WDef. Although WDef is "officially" gone thanks to Disinfectant v1.6,
the servers still seem to crash regularly. It appears that WDef, like
polio, can be cured, but it leaves lasting damage. The only solution I
have found is to delete the unused DESKTOP file on all server volumes.
This brought the number of crashes down from four a day to zero for a
week.
Paul Duckenfield
Carleton College
CC User Services
Micro Consultant
DUCKENFP@CARLETON.EDU
------------------------------
Date: Mon, 19 Feb 90 10:13:57 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Effects on checksum programs (PC)
I wonder if the readers of this group have considered the effects of
viruses like "The Number of the Beast" (alias "512" or "666") on
checksum programs.
As Vesselin Bontchev has pointed out, if the virus is active in
memory, no changes to the infected program will be seen, since the
virus will redirect any attempts to read the file so the original,
non-infected file will be read instead.
This means that with the virus active in memory no checksum program
will be able to detect infection of files, NO MATTER HOW STRONG THE
ALGORITHM used. All the discussion on which algorithm to use is
therefore rather pointless...
This is not a problem if the computer is first booted from a
non-infected diskette, but how can one be sure that COMMAND.COM on the
diskette was not infected ?
--
Fridrik Skulason, University of Iceland
E-Mail: frisk@rhi.hi.is Technical Editor, Virus Bulletin (UK).
Fax: 354-1-28801
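The point Fridrik makes above, as an added example that is not part of the digest, of F-PROT, or of any real virus: a constructed in-memory model of a stealth infector that hooks the file-read service and hands back the original bytes while it is resident. The disk layout, file names and virus stub are all made up for illustration. An integrity checker baselines the clean file, the file is infected on "disk", and the checker is run twice: once with the stealth hook active (as when booted from an infected disk) and once without it (a clean boot). Whatever hash algorithm is chosen, the hooked read reports nothing, because the checker never sees the infected bytes.

```python
"""Added example (not from the digest): a resident stealth virus defeats any
file checksum, regardless of algorithm, because the checker reads through
the virus's own hook. Only a clean boot (no hook) exposes the change."""
import hashlib

# Constructed sample data; not a real program or a real virus.
CLEAN_PROGRAM = b"MZ" + b"\x90" * 30 + b"original program body"
VIRUS_STUB = b"[stealth stub: jmp original]"


class Disk:
    """Toy disk: path -> bytes. `shadow` is the virus's copy of originals."""

    def __init__(self):
        self.files = {"PROGRAM.EXE": bytes(CLEAN_PROGRAM)}
        self.shadow = {}

    def raw_read(self, path):
        return self.files[path]

    def infect(self, path):
        # Prepending infector (simplified): keep the original so the
        # resident stub can serve it back to anyone who asks.
        original = self.files[path]
        self.shadow[path] = original
        self.files[path] = VIRUS_STUB + original


class ReadService:
    """Models the file-read service. With `hooked=True` a resident virus
    intercepts reads of infected files and returns the clean original."""

    def __init__(self, disk, hooked):
        self.disk = disk
        self.hooked = hooked

    def read(self, path):
        data = self.disk.raw_read(path)
        if self.hooked and path in self.disk.shadow:
            return self.disk.shadow[path]  # virus active: lie to the caller
        return data


def checksum(data, algo):
    return hashlib.new(algo, data).hexdigest()


def baseline(reader, paths, algo):
    """Record checksums of the (assumed clean) files."""
    return {p: checksum(reader.read(p), algo) for p in paths}


def verify(reader, base, algo):
    """Return the paths whose current checksum differs from the baseline."""
    return [p for p, h in base.items() if checksum(reader.read(p), algo) != h]


def demo(algo="sha256"):
    """Returns (changes seen with virus resident, changes seen after clean boot)."""
    disk = Disk()
    base = baseline(ReadService(disk, hooked=False), ["PROGRAM.EXE"], algo)

    disk.infect("PROGRAM.EXE")  # the bytes on disk really do change

    with_virus_resident = verify(ReadService(disk, hooked=True), base, algo)
    after_clean_boot = verify(ReadService(disk, hooked=False), base, algo)
    return with_virus_resident, after_clean_boot


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256", "sha512"):
        resident, clean = demo(algo)
        print(f"{algo:>7}: resident={resident!r:14} clean boot={clean!r}")
```

The model also shows the weakness of the usual remedy: `hooked=False` stands for "booted from a known-clean diskette", and the checker's result is only as trustworthy as that assumption. If the boot diskette's own system files carry the virus, the hook is back in place and the second run reports nothing either.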
------------------------------
Date: Mon, 19 Feb 90 10:10:20 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: New variant of Cascade/1704 (PC)
Some time ago I reported that 1704 seemed able to infect the same file
over and over on a Novell network.
I now have a copy of the virus in question, and it appears that this
has nothing to do with Novell networks - it is just a new variant of
the virus.
It is possible that this virus was created by a random mutation, which
seems to have changed one JA instruction into JNE, but it is not
certain.
Because the author of 1704 did not include self-correcting Hamming
code in the virus :-), the mutation spread - and spread faster than
the original, "healthy" variant.
All programs which are able to detect and remove the "standard" 1704
virus should also be able to handle this variant.
--
Fridrik Skulason, University of Iceland
E-Mail: frisk@rhi.hi.is Technical Editor, Virus Bulletin (UK).
Fax: 354-1-28801
------------------------------
Date: Mon, 19 Feb 90 10:12:12 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT news (PC)
A week ago I reported that version 1.08 of F-PROT would become
available in a day or two - but unfortunately I have not been able to
get it out the door until now.
I apologize to everybody who has been waiting (in particular the 50
persons or so that I have promised a copy by E-mail), but I believe it
was worth the wait.
The reason for the delay was the arrival of 30 different virus
variants from Bulgaria. As 26 of them were previously unknown, I had
to write a number of new disinfectors - which has taken up most of my
spare time the past week. I have also added code to detect and remove
some other new viruses, like Devil's Dance, "1260", "E.D.V." and
"Hallochen".
Those of you having a copy of 1.07 can update it by adding the
following new entries to the SIGN.TXT file:
Dance BERj85djAtm5nmjXFAufHKK9H85FJcdKH9hO0Mn5adeD0535Ip
New Vienna CVRmsm3je7W2jWGfkBBzbMdVnf7r9Ai3sYcyCyduVhSKEO
New Vienna pVBmtjP5WtsnGfkb1Xwu1mfb5j7EqqOAAIvdFBIrkRjuxUZmcZZvR2
Pixel fBTMD5a5KdRMGEI4nROAAeJMhnDtHqQMpmNMU25MnME7Yq+Zfr
Eddie-2 X7Jjsmsm7euUMCFun90jkFfuSISWK6icEfuo4KP97ul4MNwlObmt
512 JENmS5rMi5PFbjjjCdYV4-UjAUguForRGswWc8jf6ZyhE81rEMPo3V
Old Yankee iEpMSjsmEmEY4Am4-upjU5357XVcxXA2mMDTG4TRUctKfNq-Wh
E.D.V. 87u5djDjddmmFZ-d8MiRxONMAdTMBM7V5fgAAeJwNbZ4QMK6jmwLit
Hallochen S7UjF5PMiiTm74Mo6RMqYY65jnm57KlIt8lqPKWm4ETQi3R5pMmBMf3u
Version 1.07 is not able to handle the 1260 virus, since no ordinary
identification string can be provided for it. I had to make some
changes to the program itself.
Other changes from 1.07 to 1.08:
The F-DRIVER.SYS program did not display a message saying it had been
installed, as stated in the documentation. This has been corrected.
This answers the question from Scott D. Gregory - yes, it is working,
even though it is only 1.5K in size. Well, actually version 1.08 is a
bit longer, it is closer to 2K, but I just finished testing it and it
stops every single virus in my collection, (which is one of the
largest around).
F-DLOCK.EXE contained a bug that prevented it from working with the
CHKDSK program. This program could also cause some problems in other
cases. This has now been corrected.
F-OSCHK would display a warning message in Icelandic, if it found that
a change had been made to the operating system - I had forgotten a
"#ifdef ENGLISH" somewhere. This has been corrected.
SIGN.TXT no longer has to be in the current directory - it may also
be located in the same directory as the F-FCHK program.
Finally - a reply to Ron Warren Evans.
> He points out that F-PROT is virtually unknown in the U.S.,
That's true - I only finished the English version a short time ago,
but the Icelandic version has been on sale for several months now and
has been very successful here in Iceland. The market here is however
very small, only 0.1 % of the U.S. market.
> is produced by a lone Icelandic programmer,
How true - sometimes I wish I was a huge multinational corporation :-)
> is untested here
Well, not quite - several people have been playing with it for a few
months. Anyhow - most of the bugs should be gone by now - the people
here in Iceland who bought versions 1.00 to 1.06 probably managed to
find most of them. :-)
> and may not be well-supported.
Well, that depends on what kind of support you want - If you are
looking for a product that comes with a 24-hour hotline support and
on-site servicing you should look elsewhere. However - you would have
to pay more than what I am asking for.
I am just trying to provide powerful programs, able to catch all known
viruses and remove them. I believe my programs contain some useful
features, not found elsewhere, although they are not perfect. They
could be made easier to install, perhaps integrated in one package,
but I will not make changes like that until I write version 2.0.
Support - well, for now, E-mail will just have to do.... :-)
--
Fridrik Skulason, University of Iceland
E-Mail: frisk@rhi.hi.is Technical Editor, Virus Bulletin (UK).
Fax: 354-1-28801
------------------------------
Date: 19 Feb 90 22:07:40 +0000
From: rymon@eniac.seas.upenn.edu (Ron Rymon)
Subject: Certus (FoundationWare)
I need information about a product named Certus (man. and dist. by
FoundationWare). Has anybody heard of/used it?
I would appreciate sharing your experience. Particularly I am interested
in the type of installation (single PC? LAN?), how many are used at the site?
For how long? and how friendly it is? How effective?
Thanks a lot,
Ron
Ron Rymon
------------------------------
Date: 20 Feb 90 18:55:25 +0000
From: Paul Andrews <tenset!paul@relay.EU.net>
Subject: Gatekeeper 1.1.1?
I have a couple of questions:
1) What is different about gatekeeper 1.1.1 and the previous version (1.0?)?
2) Where can I get it? The problem here is that UUNET (or EUNET or whatever)
has a message size limit of 100k. The INFO-MAC archive file for gatekeeper
1.1.1 is >100k and we can't use ftp from this side of the pond. (In case
you're wondering, I would normally use a listserv which fetches files from
INFO-MAC for me).
3) Does gatekeeper aid 1.0.1 NEED gatekeeper 1.1.1 or will it work with 1.0.?
- Paul.
--
------------------------------------------------------------------
| Paul Andrews | Post: Tenset Technologies Limited, |
| paul@tenset.uucp | Norfolk House, |
| Phone: +44 223 328886 | 301 Histon Road, |
| Fax: +44 223 460929 | Cambridge CB4 3NF, UK. |
------------------------------------------------------------------
------------------------------
Date: Tue, 20 Feb 90 14:19:00 -0600
From: "Paul Duckenfield (Consultant, User Services)" <DUCKENFP@carleton.edu>
Subject: WDEF details (Mac)
>From: wcpl_ltd@uhura.cc.rochester.edu (Wing Leung)
>Subject: More about WDEF
> Can someone tell me is WDEF an illegal string in the resource code?
> How about the program called WDEF uploaded in comp.binaries.mac?
> In fact, I've found some WDEF code in system version 6.0.3
> Please tell me more about this resource code.
WDef is a system resource which (basically) tells the Mac how
to draw its windows. There are several programs in the FREE/SHAREware
market which change how the window appear on your Macs screen. They
make it look like a NeXT or MS Windows or some other form other than
the "standard Apple"-look. They take advantage of the WDef resource in
the SYSTEM file.
The virus WDef is a little trickier. It infects the invisible
DESKTOP file in the root directory of any disk. You can't see this
file, but it is there, keeping track of all your files.
That is the difference between WDef SYSTEM resource and WDef
DESKTOP resource (for the layman).
Incidentally, I have heard reports that it is possible
(although not easy) for someone to rename the WDef virus's resource to
CDef. Potentially this will create another virus, exactly the same as
the first except for the name, which can propagate quickly as well.
Anyone know anything about this?
Paul Duckenfield
CC User Services
Micro Consultant
DUCKENFP@Carleton.Edu
------------------------------
Date: Tue, 20 Feb 90 16:49:32 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: SCAN and the Brain (PC)
The following is forwarded from John McAfee:
============================================================================
Michael Kapfer stated in yesterday's posting that SCAN will
not identify the Brain virus in memory. This is not entirely correct.
If you specifically ask for a memory scan (/M) then SCAN will identify
the virus if it is active. If you do not ask for a memory scan, then
SCAN will in any case scan memory for the "critical" viruses like
4096, Dark Avenger, 512 etc. It is this default memory scan that
Michael is talking about, and it indeed will not look for the Brain.
John McAfee
------------------------------
Date: Tue, 20 Feb 90 15:31:00 -0400
From: Ivy Anderson <ANDERSON@binah.cc.brandeis.edu>
Subject: RE: Disinfectant 1.6 (Mac)
I am brand new to VIRUS-L and to virus protection in general. I have
just read the posting which mentioned Disinfectant 1.6, a free
anti-virus program. Can someone advise me where we can obtain more
information about this program? Is there a PC version as well?
Thanks very much,
Ivy Anderson
Brandeis University Libraries
Bitnet: anderson@brandeis
Internet: anderson@binah.cc.brandeis.edu
------------------------------
Date: 21 Feb 90 15:28:30 +0000
From: rigel!wjm@bellcore.bellcore.com (23384-mitchell)
Subject: RE: Trojan Horses != Copy Protection
In an earlier posting, someone attempted to justify the reprehensible
behavior of the author(s) of the AIDS Trojan Horse as a copy protection
system.
IMHO, I beg to differ - there is a key difference between the behavior
of legitimate copy protection systems and the AIDS Trojan.
It would be legitimate for a copy protection system to remove the protected
program from the disk or otherwise render it unusable to unauthorized users,
but it is NOT legitimate (at least in the USA) for the copy protection system
to destroy, encrypt, or otherwise render unusable programs or files that
are totally unrelated to the protected program.
An analogy: Under the laws of the USA, if I loan you the money to pay for
an automobile, the standard loan contract that I will have you sign gives
me the legal right to recover "repossess" the automobile if you fail to make
the loan payments on time. However, it does NOT give me the right to
confiscate your lawn mower, snow blower, wheelbarrow, and whatever else you
happen to be keeping in your garage along with the said automobile.
Removing any other personal property is considered to be THEFT and is
strongly discouraged, to say the least, by the authorities.
IMHO (this is only my opinion, however I am not an attorney, you
should consult with legal counsel for legal advice) the poster who said that
the magazines that published information about how to work around the problems
caused by the Trojan Horse were liable for damages to the work of the
Trojan Horse author(s) and his/their alleged company's reputation
was totally off base. IMHO, these magazines performed a valuable
service to the computing community and their behavior was totally consistent
with recognized computing community codes of ethics (e.g. ACM, IEEE).
We are not talking about legitimate
copy protection here, rather I think the appropriate term is "Extortion,"
which seems to be the term used by the legal authorities in the UK who are
bringing criminal charges in this matter.
IMHO, swift prosecution followed by a stiff penalty, if convicted, is the
best way to put an end to such incidents.
While I certainly favor using the USENET as a forum for the free expression
of ideas, IMHO postings calling outright extortion a valid form of copy
protection do no one any good and give the net a bad name.
Regards,
Bill Mitchell
Disclaimer: These are strictly my personal opinions and not
necessarily those of my employer or any other person. I am not an
attorney and am not providing any legal opinions or advice here.
Consult with your attorney for legal advice.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253