From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #10
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Tuesday, 21 Jan 1992 Volume 5 : Issue 10
Today's Topics:
WARNING - Michelangelo Virus (PC)
Kennedy virus (PC)
UK mag (PC Fun) distributes Stoned (PC)
Dir-II/Other Stuff (PC)
Re: Untouchable (PC)
ENIGMA virus (PC)
Smulders-virus found? (PC)
NO VIRUS in SCANV85 !!!!! (PC)
Re: Dir-II/Other Stuff (PC)
Joshi virus removal with FDISK /MBR (PC)
i/o ports (was re: Iraqi virus) (PC)
QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC)
Re: Looking for info on "Friday the 13th" virus (PC)
Re: Form virus infected Dos 5.0 diskettes (PC)
Virus detectors for Unix? (UNIX)
Gulf War Virus & "Softwar"
VS920109.ZIP - Virus signatures for HTSCAN/TBSCAN - 920109 (PC)
Reviews and request (PC + Amiga)
"Desert Storm" viral myths
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Fri, 17 Jan 92 13:10:17 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: WARNING - Michelangelo Virus (PC)
From all reports this destructive virus is spreading worldwide
very rapidly. Unlike the DataCrime "fizzle" in 1989 which
contained similar destructive capability but never spread, the
Michelangelo appears to have become "common" in just ten months
following detection. I have encountered three cases locally in
just the last few weeks.
Three factors make this virus particularly dangerous:
1) The virus uses similar techniques as the "STONED" virus which,
while first identified in early 1988, remains the most common
virus currently reported. Since the virus infects only the
Master Boot Record on hard disks and the boot record of
floppy disks, viral detection techniques that rely on
alteration of DOS executable files will not detect the
virus. Similarly, techniques that monitor the status of the
MBR may only provide users with a single warning that, if
execution is permitted to continue, may not be repeated.
2) Michelangelo was first discovered in Europe in mid-1991
consequently many virus scanners in use today will not pick
up the virus unless more recent updates have been obtained.
3) Unlike the Stoned and Jerusalem (the most common viruses in
the past) which are more annoying than dangerous, the
Michelangelo virus will, on its trigger date of March 6th,
attempt to overwrite vital areas of the hard disk rendering
it unreadable by DOS. Further, since the FATs (file
allocation tables) may be damaged, unless backups are
available recovery will be very difficult and require
someone who is able to rebuild a corrupt FAT (also a very
time-consuming process).
Fortunately, the Michelangelo virus is also very easy to
detect: when resident in a PC, the CHKDSK (included with MS-DOS
(Microsoft), PC-DOS (IBM), and DR-DOS (Digital Research) {all
names are registered by their owners}) program will return a
"total bytes memory" value 2048 bytes lower than normal. This
means that a 640k PC which normally returns 655,360 "total bytes
memory" will report 653,312. While a low value will not
necessarily mean that Michelangelo or any other virus is present,
the PC should be examined by someone familiar with viral activity
to determine the reason.
If the Michelangelo virus is found, the PC should be turned
off until disinfected properly. All floppy disks and other
machines in the area should then also be examined since the
Michelangelo virus is spread in the boot record (executable area
found on all floppy disks including data-only disks).
Padgett Peterson
Internet: padgett%tccslr.dnet@mmc.com
Note: the opinions expressed are my own and not necessarily those
of my employer. Comments refer only to the specific example of
the virus that I have examined. Other strains may exist.
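The CHKDSK check described in the post, as an added example that is not part of the digest or any vendor's tool: it parses the conventional-memory line CHKDSK prints and classifies the gap below a normal 640 KB PC. The CHKDSK transcripts in the block are constructed, and the two accepted wordings of the memory line are an assumption about different DOS versions.

```python
"""Check CHKDSK output for the 2 KB memory shortfall the post describes."""
import re

NORMAL_TOTAL_BYTES = 640 * 1024   # 655,360 bytes on a normal 640 KB PC
MICHELANGELO_SHORTFALL = 2048     # per the post: 2048 bytes lower when resident

# Assumption: DOS 5 prints "655,360 total bytes memory" while older versions
# print "655360 bytes total memory"; both wordings are accepted here.
_TOTAL_RE = re.compile(
    r"^\s*([\d,.]+)\s+(?:total bytes memory|bytes total memory)",
    re.IGNORECASE | re.MULTILINE,
)


def total_bytes_memory(chkdsk_output: str) -> int:
    """Return the conventional-memory figure reported by CHKDSK, in bytes."""
    match = _TOTAL_RE.search(chkdsk_output)
    if match is None:
        raise ValueError("no 'total bytes memory' line found")
    return int(re.sub(r"[,.]", "", match.group(1)))


def memory_shortfall(chkdsk_output: str, expected: int = NORMAL_TOTAL_BYTES) -> int:
    """Bytes missing below the expected total (0 when nothing is missing)."""
    return max(0, expected - total_bytes_memory(chkdsk_output))


def assess(chkdsk_output: str, expected: int = NORMAL_TOTAL_BYTES) -> str:
    """Classify the shortfall: 'normal', 'michelangelo-sized' or 'unexplained'.

    A 2048-byte gap matches what the post reports for Michelangelo, but the
    post is explicit that a low figure alone is not proof of infection: the
    machine still needs to be examined by someone who knows viral activity.
    """
    short = memory_shortfall(chkdsk_output, expected)
    if short == 0:
        return "normal"
    if short == MICHELANGELO_SHORTFALL:
        return "michelangelo-sized"
    return "unexplained"


# Constructed CHKDSK transcripts (not captured from a real machine).
CLEAN_CHKDSK = """\
Volume DOS5 created 01-05-1992 10:41a
 21,309,440 bytes total disk space
    655,360 total bytes memory
    578,496 bytes free
"""

SUSPECT_CHKDSK = """\
Volume DOS5 created 01-05-1992 10:41a
 21,309,440 bytes total disk space
    653,312 total bytes memory
    576,448 bytes free
"""

OLD_DOS_CHKDSK = """\
 21309440 bytes total disk space
   655360 bytes total memory
   602976 bytes free
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_CHKDSK), ("suspect", SUSPECT_CHKDSK)):
        print(f"{name}: {total_bytes_memory(text)} bytes, {assess(text)}")
```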
------------------------------
Date: 15 Jan 92 21:04:13 +0000
From: sph0301@utsph.sph.uth.tmc.edu (Kate Wilson)
Subject: Kennedy virus (PC)
We have just been infected by the Kennedy virus. McAfee's SCANV85
finds it but CLEAN V85 does not. Is there any way to remove this
virus other than deleting the infected files?
Kate Wilson
UT School of Public Health, Houston
sph0301@utsph.sph.uth.tmc.edu
------------------------------
Date: Thu, 16 Jan 92 15:49:00 +1300
From: "Nick FitzGerald" <CCTR132@csc.canterbury.ac.nz>
Subject: UK mag (PC Fun) distributes Stoned (PC)
Following all the reports we've had of hardware and software vendors
distributing virus infected diskettes or programs, the following was
reported in my local paper this morning.
It is, perhaps, interesting to note the degree of _accuracy_ in this
report. On matters of fact I only noted three errors, and these are
all minor to trivial (and all in the same paragraph - dare I hazard
suggesting that this accuracy is at the price of content?)
From: The Press, Christchurch, NZ, 16/2/92, p.9
Free disk proves a flop - NZPA, London.
A New Zealand computer virus has embarrassed organisers of a British
magazine promotion in which 18,000 floppy disks were offered free to
readers.
Each January issue of "PC Fun" included a giveaway disk, but the editor,
Mr Adrian Pumphrey, said the "Stoned" virus was found to have
infiltrated the batch.
"It is bad news," he said. "The magazines had already been on the
shelves for two weeks before the virus was discovered."
The virus - which prints out the message "Your PC is now stoned" -
originated at Victoria University in Wellington about five years ago.
A computer expert, Dr Alan Solomon, who was consulted by "PC Fun",
described the virus as extremely common, but said it was a nuisance more
than anything else.
"We first saw it in Britain in 1988 and it is now probably the commonest
virus here. It is certainly the commonest virus in New Zealand.
"It is not terribly serious; more an annoyance and a nuisance."
However, he said computer users still had to get rid of it. This was so
as not to pass it on and because, in some rare instances, it could lead
to loss of data.
"It will have been a real pain for `PC Fun'," Dr Solomon said. "But the
virus is quite easy to get rid of if you do it right."
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337
------------------------------
Date: 16 Jan 92 10:47:16 +0000
From: RUTSTEIN@hws.bitnet
Subject: Dir-II/Other Stuff (PC)
For those of you still attempting to track the spread of the DIR-II, I
had a confirmed report yesterday of a single machine infected in the
country of Jordan. The actual path of infection is unknown at this
time. As most should know by now, DIR-II is not at all dangerous
(relatively), but does spread rapidly and is a bit of a curiosity.
Removal is simple using only DOS commands....
In other news, the National Computer Security Association (NCSA) BBS
is now fully operational with 5 lines up and running. Number is (202)
364-1304, with the first four lines 9600 V.32, fifth at 2400 MNP.
On-line is virus and security info of all types, latest copies of
anti-virus shareware and P/D software, info on NCSA and other
anti-virus organizations, etc. {In the interest of full disclosure, I
should mention that I've been working on the BBS for NCSA for several
weeks now and pouring blood, sweat, and tears into it :) }
Is anyone out there using a disassembler other than sourcer which you
feel is superior in some way? If so, how about passing along some
info?
Charles
***************************************************************************
Rutstein@HWS.BITNET (Charles Rutstein)
****************************************************************************
------------------------------
Date: Thu, 16 Jan 92 13:41:00 +0200
From: Y. Radai <RADAI@HUJIVMS.BITNET>
Subject: Re: Untouchable (PC)
Dusty Flory asks:
> Can anyone comment on the anti-virus package 'Untouchable' by Fifth
> Generation Systems, Inc? It claims to be able to detect both known
> and future viruses without upgrades.
First of all, if all it did were to *detect* known and unknown
viruses, there would be nothing new in that. The whole point is that it
can also *restore* the original file in almost every case where the
modification is due to a virus.
Actually, your question was answered here a month ago. I'll repeat
the first part:
>> Untouchable consists of three modules. The main one, UT, is an
>>extension of a program, V-Analyst, which I have been using for several
>>years. V-Analyst is a generic detection program (modification
>>detector), which, in my opinion, is the best of its kind, partly because in
>>addition to checking for modifications, it takes into account several
>>ways in which a virus can propagate without modifying existing files.
>>(It's the only program I've heard of which was ready for companion
>>viruses two years before they appeared, and it's ready for other such
>>methods too.) UT is essentially V-Analyst augmented to include
>>*generic disinfection*. That is, UT stores enough information to be
>>able to restore a file infected by any virus, even an unknown one.
>>(Of course, that doesn't hold for overwriting viruses, and it's
>>possible that there are a few non-overwriting viruses on which it won't
>>work.)
Additional comments:
1. When I said "overwriting viruses", I was referring to those which
overwrite program code. It turns out that Ver. 1.0 also doesn't work
on viruses which overwrite stack space, such as ZeroHunt and Lehigh,
but I'm told that the next version will. I have not yet found any
other virus on which it doesn't work.
2. The program will *never* restore a file incorrectly since it
compares the checksum of the restored file with that of the original
one.
> I received a mailing offering for $99 (normally $165) until 2/1/92.
> Is it worth it?
Imho, yes. (Btw, I heard the official price was $175. Who's offering
it for $99?)
Disclaimer: While I know the authors and we exchange ideas, I have
no commercial interest whatsoever in this product. I'm simply a
satisfied (and experienced) user of the product.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
------------------------------
Date: Thu, 16 Jan 92 15:11:57 +0700
From: avi enbal <MCCCOVI@HAIFAUVM.BITNET>
Subject: ENIGMA virus (PC)
Hello There !
Does anyone know how to handle the ENIGMA virus?
None of our anti-viral software does it (McAfee's v85 only scans for it).
Thanks in advance
Avi.
Avi Enbal - <mcccovi@haifauvm.bitnet> | Tel. 972-4-240777, 972-4-240925
Computers Communication & Service Dep', Computer Center
University of Haifa, Mt. Carmel, Haifa 31905, Israel | Fax 972-4-342097
------------------------------
Date: Thu, 16 Jan 92 14:21:47 +0000
From: a0522457@let.rug.nl (L.E. Plat)
Subject: Smulders-virus found? (PC)
From: Automatiseringsgids (Dutch weekly concerning computer matters; serious)
Wednesday 15 January 1992 (w/o permission, I'm afraid)
"Tangram finds virus:
Tangram in Utrecht (NL) warns about the recently found 'Smulders'-virus.
This virus renames all directories up to two levels deep to
Criminal.XXX.
In these directories all files are renamed to this name [that's a bit weird,
isn't it? MS-Dos wouldn't allow that, as far as I know]. After that follows a
message stating that the user should call the nearest police station.
Virusscanners do not [as yet, I suppose] recognize this virus. The CRI
[Dutch Criminal Investigations Bureau] has been notified."
Dunno if I'm telling anything new with this; I don't read this group
regularly. & please no flames about the lousy ('cause on-line) translation.
________________ ______________________________________________________
Bert Plat 'Things as they are / are played upon the blue guitar'
a0522457@let.rug.nl (Wallace Stevens)
------------------------------
Date: Thu, 16 Jan 92 12:40:59 -0600
From: Jarda Dvoracek <DVORACEK@CSEARN.BITNET>
Subject: NO VIRUS in SCANV85 !!!!! (PC)
!!! APOLOGY !!!
!!! NO VIRUS IN SCANV85 !!!
Many thanks to all those responding with information on my last msg.
My difficulties were caused not by a virus, but by mistakenly running SCAN
with the /AV option, which at least one program (T602.exe) does not accept.
I apologize to anyone, to whom I might have caused any troubles with
my warning and to the firm McAfee and its agent:
AEC Ltd. (Association for Electronics & Computers), authorized agent of McAFEE ASSOCIATES
Address: Sumavska 33, 61264 Brno, Czechoslovakia
Tel: +42-5-7112 ext. 502 | Fax: +42-5-744984 | BBS: +42-5-749889
FidoNet: 2:421/16 | VirNet: 9:421/101 | InterCom: 83:425/1 (NCN mail)
Jarda Dvoracek
1st.Internal Clinic
Faculty Hospital
I.P.Pavlova 6
772 00 Olomouc
Czechoslovakia
E-mail(bitnet): dvoracek @ csearn
Phone: 0042 68 474, ext. 3201(secretary)
------------------------------
Date: Thu, 16 Jan 92 16:21:16 +0000
From: bdh@gsbsun.uchicago.edu (Brian D. Howard)
Subject: Re: Dir-II/Other Stuff (PC)
RUTSTEIN@HWS.BITNET writes:
>In other news, the National Computer Security Association (NCSA) BBS
Is this affiliated in any way with the NCSA (National Center for
Supercomputing Applications)?
_______________________________________________________________________________
This space intentionally left what would otherwise be blank were this not here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------
Date: Thu, 16 Jan 92 12:39:21 -0500
From: Eric Carlson <NVCARLE@VCCSCENT.BITNET>
Subject: Joshi virus removal with FDISK /MBR (PC)
We have a group of 4 computer labs that often get JOSHI. On a lot of these
machines we couldn't get rid of JOSHI on the hard drives. We tried CLEANv84,
F-prot 2.01, CPAV, and NAV with no luck. (it did work on a few machines)
We would:
- Cold boot with a clean write protected floppy
- Clean the hard drive
- Cold boot with a clean floppy again
- Scan and find JOSHI still there
The machines are a mix of 8088, 286, 386sx. MS-DOS 3.30 and 4.01.
We had to low-level format the drives to clean them and restore from our clean
backups.
We finally solved the problem by using IBM-DOS 5.0 FDISK /MBR even with MS-DOS
3.30 and 4.01 on the hard drives.
The lab supervisor is very happy now.
- Eric Carlson - Microcomputer Software Support -
- Northern Virginia Community College System -
- NOVA BBS 703-323-3321 - 14,400 BPS -
- - -
------------------------------
Date: Thu, 16 Jan 92 14:19:31 -0500
From: stus5239@mary.cs.fredonia.edu (Kevin Stussman)
Subject: i/o ports (was re: Iraqi virus) (PC)
>> Virus on a chip?? How and when did it go off? What type virus?
>> (it probably wasn't a real virus (not self replicating) but nasty
>> screen killing code on a chip) So now hacking is now legal, but only
>> during wartime against an enemy. (goes with killing)
>
>Nonsense, complete nonsense. If it is in the printer, it cannot force
>you to execute it. It cannot copy itself to the computer. It cannot
>exist. Period.
This brings up an interesting problem. Can it happen via a
serial / parallel port? This would mean there has to be direct control
over the CPU from a device attached to the port. Usually there is
software driving the IO of the port, but can a device seize control
and send instructions without driving software? Now if this isn't
possible then I can see that it would be impossible. But just saying
NO because it's on a chip is nonsense. There is nothing saying I can't
place an EPROM in a strategic place that will place a virus of my
choice on a hard drive or floppy, OR DO ANYTHING without even striking
a key. If that chip has code to blank the screen, it will be blank
before any control is given the user. (how do you think a PC knows
where to look for DOS Startup Code -- hardware)
>The whole story is a rumor, just as the "modem virus", an excellent
>article about which was posted by Rob Slade just in time.
>And the rumor in this case is based on an April 1st joke, made by a
>computer magazine.
Where is this article? And it seems strange to me that CNN wouldn't
have known this. Then again, don't believe everything you hear.
K.
Kevin Stussman -*>Never has so many known so little about so much.<*-
stus5239%mary.cs.fredonia.edu@cs.buffalo.edu
stus5239@mary.cs.fredonia.edu
UUCP: ...{ucbvax,rutgers}!sunybcs!mary!stus5239
------------------------------
Date: Thu, 16 Jan 92 21:48:22 +0000
From: hendee%3338.span@Sdsc.Edu (Jim Hendee)
Subject: QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC)
I've noticed that you can use Quarterdeck's QEMM386 and LOADHI to load
VSHIELD1.EXE in high memory, as well as FPROT's VIRSTOP.EXE, but you
can't load VSHIELD.EXE high (so far as I'm aware). My questions are:
1) When you load these two small anti-viral programs high, do they still
work?
2) I noticed that when I tried loading both VSHIELD1.EXE and VIRSTOP.EXE
they seem to load okay back to back. In this case, what happens when they
*both* detect a virus at the same time? Will they detect it? Is there
any percentage in configuring like this (you've mentioned that you should
always use more than one virus checker, whenever possible).
3) Why can't you load VSHIELD.EXE high, or can you? Will it still work?
Many thanks for your guidance!
Jim Hendee
Data Manager
Ocean Chemistry Division
National Oceanic and
Atmospheric Administration
Atlantic Oceanographic and
Meteorological Laboratories
========================
No "official" opinions here, just my own.
------------------------------
Date: Thu, 16 Jan 92 22:07:49 +0200
From: Tapio Keihänen <tapio@nic.funet.fi>
Subject: Re: Looking for info on "Friday the 13th" virus (PC)
>also Datacrime. If I remember correctly, Monxla, Leningrad, and Omega
>do not format the disk... Or am I wrong? Does any of it at least
>overwrite it? Maybe this has been misinterpretted as formatting... And
>I can't remember what Relzfu does when it activates... :-(
Omega overwrites the first sectors of the hard disk when an infected file is
executed on Friday the 13th. Relfzu displays a message saying
VirX 3/90
on Friday the 13th and then hangs the computer.
--
Tapio Keihänen | Mesiheinänkatu 2 B 6 | 33340 Tampere | Finland
------------------========tapio@nic.funet.fi========---------------
"You've got some stairs to heaven, you may be right
I only know in my world, I hate the light
I speed at night!" -R.J. Dio, 1984-
------------------------------
Date: 17 Jan 92 10:23:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Form virus infected Dos 5.0 diskettes (PC)
root@itnsg1.cineca.it (Valter Cavecchia) writes:
> were running Dos 5.0. We tried to remove the virus using M-DISK but
> found that Dos 5.0 is not yet supported. Is there a new version of
> M-DISK available? Is there any other way to clean up the diskettes
> (without formatting :-)) ?
No need for that. Just run DOS 5.0 FDISK with the (undocumented) /MBR
option, and you'll get the same results as with M-DISK and even
better.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
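The FDISK /MBR fix that both the Joshi report above and this reply rely on, as an added example that is not code from the digest or from DOS: it models the 512-byte Master Boot Record as boot code, partition table and signature, and rewrites only the code portion, which is where a boot-sector virus such as Joshi or Form lives. The MBR image and the "clean" boot code are constructed placeholders, and the example assumes the virus left the partition table in place.

```python
"""Model of what FDISK /MBR touches in sector 0 and what it leaves alone."""
import struct

SECTOR_SIZE = 512
CODE_LEN = 446          # bytes 0..445: boot code (the part FDISK /MBR replaces)
TABLE_OFFSET = 446      # bytes 446..509: four 16-byte partition entries
SIG_OFFSET = 510        # bytes 510..511: 0x55AA boot signature
BOOT_SIGNATURE = b"\x55\xaa"


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector is 512 bytes and ends in the 0x55AA signature."""
    return len(sector) == SECTOR_SIZE and sector[SIG_OFFSET:] == BOOT_SIGNATURE


def parse_partitions(sector: bytes) -> list:
    """Decode the four partition entries (CHS fields are skipped)."""
    table = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        table.append({"bootable": flag == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return table


def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Return a new MBR with the code replaced and table and signature kept.

    This is the distinction the posts rely on: the partition table is not
    rewritten, so the disk stays readable and nothing has to be formatted.
    """
    if not has_boot_signature(sector):
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    if len(clean_code) > CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    code = clean_code.ljust(CODE_LEN, b"\x00")
    return code + sector[TABLE_OFFSET:SIG_OFFSET] + sector[SIG_OFFSET:]


def _entry(flag: int, ptype: int, lba: int, count: int) -> bytes:
    # CHS start/end get a fixed stand-in; only the LBA fields are decoded above.
    return struct.pack("<B3sB3sII", flag, b"\x01\x01\x00", ptype,
                       b"\xfe\x3f\x13", lba, count)


# Constructed infected MBR: virus stand-in code, one FAT16 partition, signature.
INFECTED_CODE = b"VIRUS-STAND-IN-BOOT-CODE".ljust(CODE_LEN, b"\x90")
INFECTED_MBR = (INFECTED_CODE
                + _entry(0x80, 0x06, 63, 41580)
                + _entry(0, 0, 0, 0) * 3
                + BOOT_SIGNATURE)
CLEAN_CODE = b"CLEAN-BOOT-CODE-PLACEHOLDER"   # placeholder, not real DOS code


def cleaned_mbr() -> bytes:
    """The constructed MBR after the FDISK /MBR-style rewrite."""
    return rewrite_boot_code(INFECTED_MBR, CLEAN_CODE)


if __name__ == "__main__":
    before, after = INFECTED_MBR, cleaned_mbr()
    print("code changed:", before[:CODE_LEN] != after[:CODE_LEN])
    print("partition table kept:", parse_partitions(before) == parse_partitions(after))
```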
------------------------------
Date: 15 Jan 92 17:24:54 +0000
From: paulf@ci.deere.com (Paul A. Fisher)
Subject: Virus detectors for Unix? (UNIX)
Are there any virus detectors for unix? The PC's in our company are
very carefully watched, but our corporate security department wants to
make sure we are covered for Unix as well.
In case it matters we are running Suns, IBM R/S-6000's, and a few
DECstations.
Any suggestions or pointers would be greatly appreciated.
--
Paul A. Fisher paulf@ci.deere.com
Deere Tech Services ...uunet!deere!paulf
John Deere Road (309) 765-4547
Moline, Illinois 61265
------------------------------
Date: Thu, 16 Jan 92 14:47:00 -0700
From: "Rich Travsky" <RTRAVSKY@corral.uwyo.edu>
Subject: Gulf War Virus & "Softwar"
Regarding the Gulf War virus: Anyone remember the book "Softwar", by
Thierry Breton and Denis Beneich? Came out in 1984. Been a while since
I read it, goes something like this: The U.S. allows the Soviets to
buy a super-computer. The chips were, uh, slightly modified. Or
something like that. You can guess the rest. Fair reading as I recall.
Too bad the Gulf War version seems to be an April Fool's story. (We
coulda had a sequel to the book!)
+-----------------+ Richard Travsky
| | Division of Information Technology
| | University of Wyoming
| |
| | RTRAVSKY @ CORRAL.UWYO.EDU
| U W | (307) 766 - 3663 / 3668
| * | "Wyoming is the capital of Denver." - a tourist
+-----------------+ "One of those square states." - another tourist
Home state of Dick Cheney, Secretary of Defense of these here UNITED STATES!
------------------------------
Date: Tue, 14 Jan 92 05:48:41 +0100
From: jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers)
Subject: VS920109.ZIP - Virus signatures for HTSCAN/TBSCAN - 920109 (PC)
(Reposted by Keith Petersen)
I have uploaded to SIMTEL20:
pd1:<msdos.trojan-pro>
VS920109.ZIP Virus signatures for HTSCAN/TBSCAN - 920109
It replaces the existing VS911114.ZIP in the same directory.
Jeroen W. Pluimers
voice: +31-2522-20908 (18:00-24:00 UTC)
snail: P.S.O., attn. Jeroen W. Pluimers, P.O. Box 266, 2170 AG Sassenheim, The Netherlands
jeroenp@rulfc1.LeidenUniv.nl
jeroen_pluimers@f521.n281.z2.fidonet.org
------------------------------
Date: Wed, 15 Jan 92 22:39:28 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Reviews and request (PC + Amiga)
Per recent requests for reviews, the following is my current list (in
order):
EliaShim's ViruSafe
Worldwide's Vaccine
Solomon AntiVirus Toolkit
Sophos Vaccine
Fifth Generation's Untouchable
(Of course, any more rumours like this past week, and this could be
delayed a long time.)
Now, a request. We haven't heard much from the Amiga people lately. Can
I get some feedback on the top Amiga antiviral shareware of recent date?
==============
Vancouver Institute for Research into User Security, Canada V7K 2G6
p1@arkham.wimsey.bc.ca | Robert_Slade@sfu.ca | CyberStore Dpac 85301030 | rslade@cue.bc.ca
"A ship in a harbour is safe, but that is not what ships are built for." - John Parks
------------------------------
Date: Wed, 15 Jan 92 22:41:58 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: "Desert Storm" viral myths
This was pretty much forced on me by the press. There have also been a
lot of messages on the topic in alt.folklore.computers.
DEFMTH7.CVP 920115
"Desert Storm" viral myths
The recent spate of reports of a virus which shut down Iraq's air
defence system during "Desert Shield/Storm" seems to have started with
the series "Triumph Without Victory: The Unreported History of the
Persian Gulf War" by U. S. News and World Report. The articles are
being rerun in many papers (as well, apparently, as CNN and ABC
Nightline), and the article on the virus run in my local paper is
specifically credited to USN&WR. The bare bones of the article are that
a French printer was to be smuggled into Iraq through Jordan, that US
agents intercepted the printer, replaced a microchip in the printer with
one reprogrammed by the NSA, that a virus on the reprogrammed chip
invaded the air defence network to which the printer was connected and
erased information on display screens when "windows" were opened for
additional information on aircraft.
The first question is: could a chip in a printer send a virus? Doesn't
a printer just accept data?
Both parallel/Centronics and serial RS-232 ports are bidirectional.
(Cabling is not always, and I well remember having to deal, in the early
days of PCs, with serial ports which had been used as printer ports, and
could not be used as modem ports because the "return" pin had been
sheared off, a common practice to "fix" balky printers.) However, the
"information" which comes back over the line is concerned strictly with
whether or not the printer is ready to accept more data. It is never
accepted as a program by the "host".
The case of "network" printers is somewhat more complex. There are two
possible cases, network printer servers and "network printers" (such as
the Mac Laserwriters), and they are quite distinct. The print server
(on, say, DECnet) is actually a networked computer acting as a print
server; accepting files from other network sources and spooling them to
a printer. True, this computer/printer combo is often referred to simply
as a printer, but it would not, in any case, be able to submit programs
to other hosts on the net. The Mac case is substantially different,
since the Mac laser printers are attached as "peers". Mac Laserwriters,
at least, do have the ability to submit programs to other computers on
the network, and one Mac virus uses the Laserwriter as a vector.
However, it is unlikely that the Iraqi air defence system was Mac based,
and few other systems see printers as peers.
Second question: if it *was* possible to send some kind of program from
the printer to the computer system/network, was it a virus?
Given the scenario, of a new printer coming into an existing system, any
damaging program would pretty much have had to have been a virus. In a
situation like that, the first thing to do when the system malfunctions
after a new piece of equipment has been added is to take out the new
part. Unless the "chip" could send out a program which could survive,
in the network or system, by itself, the removal of the printer would
solve the problem.
Third question: could a virus, installed on a chip, and entered into
the air defence computer system, have done what it was credited with?
Coming from the popular press, "chip" could mean pretty much anything,
so my initial reaction that the program couldn't be large enough to do
much damage means little. However, the programming task involved would
be substantial. The program would first have to run on the
printer/server/peripheral, in order to get itself transferred to the
host. The article mentions that a peripheral was used in order to
circumvent normal security measures, but all systems have internal
security measures as well in order to prevent a printer from "bringing
down" the net. The program would have to be able to run/compile or be
interpreted on the host, and would thus have to know what the host was,
and how it was configured. The program would then have to know exactly
what the air defence software was, and how it was set up to display the
information. It would also have to be sophisticated enough in avoiding
detection that it could masquerade as a "bug" in the software, and
persistent enough that it could avoid elimination by the reloading of
software which would immediately take place in such a situation.
The Infoworld AF/91 prank article has been mentioned as the "source" for
the USN&WR virus article. There was, however, another article, quite
seriously presented in a French military aerospace magazine in February
(which possibly prompted the Infoworld joke.) This earlier article
stated that a virus had been developed which would prevent Exocet
missiles, which the French had sold to Iraq, from impacting on French
ships in the area. The author used a mix of technobabble and unrelated
facts, somehow inferring from the downloading of weather data at the
last minute before launch, the programmability of targets on certain
missiles and the radio destruct sequences used in testing that such a
"virus" was possible.
It has also been rumoured, and by sources who should know, that the US
military has sent out an RFP on the use of computer viri as