Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / CSVIR88.TXT < prev next >

Wrap

Text File | 1990-08-26 | 104KB | 1,758 lines

The following text is copyright (c) 1987-1990 CompuServe Magazine and may not be reproduced without the express written permission of CompuServe. CompuServe Magazine's Virus History Timeline CompuServe Magazine is published monthly by the CompuServe Information Service, the world's largest on-line information service with over 600,000 subscribers worldwide. If you would like to become a CompuServe subscriber, call 1-800-848-8199 to receive a copy of the CompuServe Information Service membership kit. - 1988 - COMPUTER VIRUS THREATENS HEBREW UNIVERSITY'S EXTENSIVE SYSTEM (Jan. 8) In Jerusalem, Hebrew University computer specialists are fighting a deadline to conquer a digital "virus" that threatens to wipe out the university's system on the first Friday the 13th of the year. That would be May 13. Associated Press writer Dan Izenberg says the experts are working on a two-step "immune" and "unvirus" program that could knock down the vandalized area of the system. "Viruses" are the latest in computer vandalism, carrying trojan horses and logic bombs to a new level, because the destructiveness is passed from one infected system to another. Izenberg quotes senior university programmer Yisrael Radai as saying that other institutions and individual computers in Israel already have been contaminated. "In fact," writes the wire service, "anyone using a contaminated computer disk in an IBM or IBM-compatible computer was a potential victim." Radai says the virus was devised and introduced several months ago by "an evidently mentally ill person who wanted to wield power over others and didn't care how he did it." AP describes the situation this way: "The saboteur inserted the virus into the computer's memory and the computer then infected all disk files exposed to it. Those disk files then contaminated healthy computers and disks in an electronic version of a contagious cold." Apparently, the intruder wanted to wipe out the files by Friday, May 13, ╬ü║ôí+φühaW:╜╤╤ò╣üimpatient, because he then had his virus order contaminated programs to slow down on Fridays and on the 13th day of each month. Radai thinks that was the culprit's first mistake, because it allowed researchers to notice the pattern and set about finding the reason why. "Another clue," says AP, "was derived from a flaw in the virus itself. Instead of infecting each program or data file once, the m!l`gnant orders copied themselves over and over, consuming increasing amounts of memory space. Last week, experts found the virus and developed an antidote to diagnose and treat it." Of viruses in general, computer expert Shai Bushinsky told AP, "It might do to computers what AIDS has done to sex. The current free flow of information will stop. Everyone will be very careful who they come into contact with and with whom they share their information." --Charles Bowen TAMPA COMPUTERISTS FIGHT VIRUS (Jan. 10) Tampa, Fla., computerists say they are fighting a digital "virus" that sounds as if it may be th}áαame`ú«╣¡üé╔╜¥╔à╡ür╜▌üé▒à¥╒Ñ╣¥ü ü¬╣Ñ┘ò╔═Ñ╤σüJ╣üRòëστale[⌐H ═üreported earlier, Hebrew University computer specialists are contending with a virus program that threatens to wipe out the university's system on the first Friday the 13th of the year -- May 13. The Jerusalem team is working on a two-step "immune" and "unvirus" program that could knock down the vandalized area of the system. Meanwhile, members of the Tampa Amiga User's Group now tell United Press International that they, too, are fighting a computer virus, and UPI quotes one expert as saying a version of that vandalizing program also is designed to begin destroying files on May 13. Computer viruses are self-propagating programs that spread from one machine to another and from one disk to another, a sort of new generation of more destructive trojan horses and logic bombs. "It kinda creeps up on you," president Jeff White of the Amiga group told the wire service, adding that the group's membership was infiltrated by the program. UPI reports, "Experts don't yet know what, if any, damage the virus can cause to the disks or programs. Similar problems have erased programs and information. ... White said the program spread itself to more than 20 of his floppy disks before he discovered it. But by then, the program had spread to the disks of many of the club's members via its regular disk-of-the-month distribution." White said he doesn't know how the bug got to Tampa, but suspects it came from West Germany on a disk from an overseas user group. "White said the program works invisibly," says UPI. "When the computer is turned on, the program stores itself in the machine's main memory and then begins spreading copies of itself to new disks used in the machine." He added that the Tampa club members now use a "virus-checker" program to test disks to prevent another infection. --Charles Bowen VIRUS PROGRAMS COULD HAVE USEFUL APPLICATIONS, SAYS COLUMNIST (Jan. 11) Despite all the recent negative publicity about computer "viruses" -- self-propagating programs that spread from one machine to another in way that has been called the computer version of AIDS -- a California computer columnist says there could be a positive result. Writing in The San Francisco Examiner, John Markoff observes, "In the future, distributed computing systems harnessed by software programs that break tasks into smaller parts and then run portions simultaneously on multiple machines will be commonplace. In the mid-1970s computer researchers John Shoch and Jon Hupp at Xerox's Palo Alto Research Center wrote experimental virus programs designed to harness many computers together to work on a single task." Markoff points out that some of the programs in that work functioned as "'town criers' carrying messages through the Xerox networks; others were diagnostic programs that continuously monitored the health of the computers in the networks." Also the researchers called one of their programs a "vampire worm" because it hid in the network and came out only at night to take advantage of free computers. In the morning, it disappeared again, freeing the machines for human users. For now, nonetheless, most viruses -- particularly in the personal computing world -- are viewed as destructive higher forms of trojan horses and logic bombs. Markoff traces the first virus to the military ARPAnet in 1970. On that system, which links the university, military and corporate computers, someone let loose a program called "creeper." Notes the paper, "It crawled through the network, springing up on computer terminals with the message, 'I'm the creeper, catch me if you can!' In response, another programmer wrote a second virus, called 'reaper' which also jumped through the network detecting and 'killing' creepers." Markoff also pointed out that Bell Labs scientist Ken Thompson, winner of the prestigious Turing Award, recently discussed how he created a virus in the lab to imbed in AT&T's Unix operating system, which he and colleague Dennis Ritchie designed. In a paper, Thompson noted how he had embedded a hidden "trapdoor" in the Unix log-on module each time it created a new version of the operating system. The trapdoor altered the log-on mechanism so that Unix would recognize a password ╡╢own only to Thompson. Thompson and Ritchie say the Unix virus never escaped Bell Labs. --Charles Bowen SUBSCRIBER, SYSOP BLOCK POSSIBLE "VIRUS" IN APPLE HYPERCARD FORUM (Feb. 8) Quick reactions by a subscriber and a veteran forum administrator have blocked a possible computer "virus" program that was uploaded over the weekend to CompuServe's new Hypercard Forum. The suspicious entry was an Apple Hypercard "stack" file called "NEWAPP.STK," which was uploaded Friday to the forum's Data Library 9, "HyperMagazines." It was online for about 24 hours before it was caught. Subscriber Glenn McPherson was the first to blow the whistle. Saturday night McPherson posted a message saying that when he ran the application, the file altered his Macintosh's systems file. "I don't know why it did this," he wrote, "but no stack should touch my system file." Neil Shapiro, chief forum administrator of the Micronetworked Apple Users Group (MAUG), quickly investigated and removed the suspicious file. In a bulletin to the membership, Shapiro warned those who already had downloaded NEWAPP.STK that the stack would alter the system files with unknown results. He also warned against using system files from any disk that was run while the NEWAPP.STK's modified system was in effect. Said Shapiro, "If you run NEWAPP.STK, it will modify the system on the disk it is on so that the system's INITs contain an INIT labeled 'DR.' Then, if you use another system with the DR-infected system as your boot system, the new system will also contain the self-propagating 'DR' INIT Resource. While it is possible to, apparently, 'cut' this resource from infected systems with the Resource Editor, the only sure course of action is to trash any system file that has come in contact with this stack." It was not immediately known if the system alternations were deliberately or accidentally programmed into NEWAPP.STK. Shapiro notes the file's uploader has been locked off the entire system and that "he will be contacted by CompuServe and/or myself." Computer "viruses" -- self- propagating programs that infect system files and then spread to other disks -- have been in the news for the past six months. To- date, most of their targets have been regional computer users groups, private and semi-public networks and stand-along bulletin board systems. This apparently is the first report of a virus-like program on a national consumer information service. Shapiro says in his bulletin that in eight years of the various Apple forums' operation, this is the only such occurrence. "While I, of course, cannot say it will be the last, I still have just as much confidence as always in the fact that 99.99999999% of the Mac community are quite trustworthy and that there is no real need to fear downloads," he wrote. Shapiro also urged his membership, "If you have not used (NEWAPP.STK) yet, do not! If you have uploaded it to other BBS or network systems, please immediately advise the sysops there of the problem. If you have placed it on a club disk, please be certain to remove it from that disk before distribution and -- if it has been run from the 'Master' disk already -- don't just remove it, but trash the system." Subscriber McPherson indicates the suspect file already has spread to other systems. His forum note says he found the same stack program also in a software library on the General Electric's GEnie network. --Charles Bowen DOD TRIES TO PROTECT ITS COMPUTERS FROM ELECTRONIC VIRU (Feb. 9) Just as a medical virus can spread rapidly, so does the deadly computer virus seem to be making the rounds. In an effort to inoculate itself against an outbreak, the Department of Defense has taken steps to prevent the electronic sabotage from affecting its computers, reports Government Computer News. The computer viruses are self- propagating programs that are designed to spread automatically from one computer to another and from one disk to another, totally disrupting normal operations. As reported in Online Today, such viruses have already struck computer systems at Hebrew University in Jerusalem and IBM Corp.'s regional offices in Tampa, Fla. "It can spread through computer networks in the same way it spreads through computers," said DOD spokeswoman Sherry Hanson. "The major problem areas are denial of service and compromising data integrity." In addition to basic security measures, computer scientists at the National Security Agency are installing programming tools and hardware devices to prevent the infiltration of virus programs. Hanson told GCN that DOD is also using specialized ROM devices and intrusion detectors. The virus only comprises a few lines of programming code and is easy to develop with few traces. After IBM was infiltrated last December with an innocent- looking Christmas message that kept duplicating itself many times over and substantially slowed the company's massive message system, specialists installed a filter program to monitor the system and protect against further intrusion. According to GCN, executable programs can't be traj3│erred from one computer to another within IBM's networi Ñ╢Yéò╔═╜╣à▒ü╜╡┴╒╤ò╔ü¬═ò╔═ü ╔òü║╜╔╔Ñòæ▒ÜÑ╣ìòüóíòü▓Ñ╔╒═üÆò╡àÑ╣═üBÑææò╣üJ╣ü 5RcomΦuteµô.jàÑuümemory. For instance, almost the entire membership of a Florida Commodore Amiga users group was infected by a virus before it was discovered. The president of the group said he believed the virus originated in Europe on a disk of programs the group received from an overseas source. The club now has a checker program to check disks for viruses before they are used. Al Gengler, a member of the Amiga group, compared the virus to AIDS. "You've got to watch who you compute with now," he said. --Cathryn Conroy EXPERTS SEES TWO SCENARIOS FOR THE COMPUTER "VIRUS" PROBLEM (Feb. 9) Don Parker, who heads the information security program for the Menlo Park, Calif., SRI International, has been studying the problem of computer "viruses" and now says he see two possible directions in the future. Speaking with Pamela Nakaso of the Reuter Financial News Service, Parker said his scenarios are: -:- One, that viruses will be too difficult to design and use for infiltration, and that interest in using them as "weapons" will die away. -:- Or, two, viruses will increase in destructiveness as more sophisticated saboteurs use them to destroy the public domain software resources available. Nakaso also quotes editor Harold Highland of the magazine Computers and Security as saying that "hysteria" over the few documented incidents may fuel even more viruses, which are defined as self-propagating files that usually damage a computer's systems files and then spread to other disks. Highland pointed out that in a recent Australian virus case among Amiga computers, one tabloid newspaper reported the incident with a headline that sp`■ned the entire cover, reading, "Terror Strikes in the DP Industry." Parker told Reuter, "The vulner`≥ility is growing at the same rate as the number of computers and number of communications with computers." Nakaso writes, "Parker estimates that of the 2,000 cases of documented computer crime he has compiled at SRI, about 20 to 30 have been virus attacks. There is no question, however, the reported incidents are rising, and they are expanding beyond personal computers to mainframes and other networks." --Charles Bowen COMPUTER VIRUS CALLED FRAUD (Feb. 10) Comp}⌠dr viruses may be frauds. Although lots of people are talking about computerdoms latest illicit fad, to date, no one has produced a copy of a living breathing virus. Now, a University of Utah expert on urban legends thinks that the dreaded virus may be have become the high tech version of the bogey man. Professor Jan Harold Brunvand has written three books about urban legends and he seems to think that the virus is just the latest incarnation in a long line of legends. Brunvand, and others, have pointed out that there are striking similarΘ╫ÉV ╡╜╣=ür╦╕K╤═üof the virus and legends such as the cat in the microwave oven. For one thing, there are lots of reported sightings but no concrete evidence. And urban legends always seem to appear and affect those things about which urban dwellers are just coming to terms with: shopping malls and microwave ovens in the 70's, computers in the 80's. In do╠ayg│Ü╜ìÑò╤σ▒ üò╔═ò╔¡ü╜╡┴╒╤ò╔üóíà╤ü"ò═╤╔╜σ═üJ╤═üz▌╣ò╔¥Üü"à╤à5Rc═rtai▌ly qualifies as the stuff about which legends are made. Even the way in which the deed is accompli.HY6áà═ümystical qualities: a computer wizard works strange magic with the secret programming codes of a computer operating system. Brunvand, a computer owner himself, says that although viruses could be created, he has found absolutely no evidence to support claims about their existence. --James Moran HYPERCARD VIRUS JUDGED "HARMLESS" (Feb. 12) Administrators of a CompuServe forum supporting the Apple Hypercard technology have confirmed that a file uploaded to their data libraries last weekend did indeed contain a so-called computer "virus." However, they also have determined the program apparently was harmless, meant only to display a surprise message from a Canadian computer magazine called MacMag. As reported earlier this week, forum administrator Neil Shapiro of the Micronetworked Apple Users Groups (MAUG) removed the suspicious entry, a Hypercard "stack" file called "NEWAPP.STK," after a forum member reported that the file apparently altered his Macintosh's system files. Computer "viruses," a hot topic in the general press these days, have been defined as self-propagating programs that alter system files and then spread themselves to other disks. Since removing the file last weekend, the Apple administrators have been examining the file and now Shapiro says it apparently was designed merely to display a message from MacMag on March 2. On the HyperForum message board ¿G2APPHYPER), Shapiro reports, "Billy Steinberg was able to reverse engineer (disassemble) the INIT that the virus places into system files. The good news is that the virus is harmless. But it *is* a computer virus." Shapiro says that if the downloaded file remained in the user's system, then on March 2, the screen would display: "Richard Brandnow, publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world." Apparently the file is so designed that after March 2 it removes itself from the ¼δû«╥.╩═σΩem\ Shapiro notes that, while this file apparently is harmless, it still raises the question of the propriety of database entries that quietly alter a user's system files. Shapiro said he has spoken to publisher Brandnow. "It was not his intention to place it in a HyperCard stack nor to have it on (CompuServe)," Shapiro writes. "What he did do was to develop the INIT in December and 'left' it on their (MacMag's) own machines with the hope that 'it would spread.'" Subsequently, someone else apparently captured the file, added it to his "stack" and uploaded to the CompuServe forum and other information services. While Brandnow maintains the system-altering INIT file was harmless, Shapiro says he's concerned about what the NEWAPP.STK incident could represent. "While the INIT itself is non-destructive," Shapiro wrote, "I believe it was at least irresponsible for MacMag to have perpetrated this type of problem and to have caused the confusion that they did. I also fear that this could give other people ideas on less peaceful uses of such a virus. "I belΘede that MacMag has opened here a Pandora's Box of problems which will haunt our community for years. I hope I am wrong." --Charles Bowen PUBLISHER DEFENDS HIS "VIRUS" PROGRAM AS "GOOD FOR COMMUNITY" (Feb. 13) The publisher of Canadian computer magazine MacMag contends the computer "virus" program his staff initiated recently was not only harmless but was "good for the Macintosh community." Says 24-year-old Richard Brandow, "If other people do nasty things (with virus programs), it is their responsibility. You can't blame Einstein for Hiroshima." Speaking by phone with reporter Don Clark of The San Francisco Chronicle, Brandow maintained his magazine's virus program, which spread through the Apple Macintosh community this week on this continent and apparently reached Europe, was intended to do nothing more than display a "peaceful" message on Mac screens on March 2, the first anniversary of the introduction of the Apple Mac II. Of the so-called "virus" technology, Brandow said, "This message is very good for the Macintosh community." The controversy centered around an Apple Hypercard "stack" file called "NEWAPP.STK" that was uploaded to various public domain databases around the country, including the data library of CompuServe's HyperForum (G APPHYPER). When subscribers discovered that the file quietly altered their Mac's system files when it was executed, a warning was posted and forum administrator Neil Shapiro immediately removed the data library entry. Only after the forum's sysops had disassembled the suspect file could it be determined that NEWAPP.STK's only apparent function was to display a March 2 greeting from Brandow and the MacMag staff. HyperForum members now have been informed that the file, while indeed a "virus," apparently is harmless. However, Shapiro contends MacMag staffers were "at least irresponsible ... to have perpetrated this type of problem and to have caused the confusion that they did." Shapiro is quoted in The Chronicle as adding, "This is very similar to someone breaking into your home and writing a message of good will in red lipstick on your wall. It is a violation of the right of private property... Our computers are machines that belong to us and other people should remain out of them." On the other side of the argument, Brandow told the paper, "The idea behind all this is to promote peaceful methods of communication between individuals using harmless ways." Montreal-based MacMag, with a circulation of 40,000, is Canada's only Macintosh magazine. Brandow also heads a 1,250-member Mac user group, which he says is Canada's largest. Brandow told Clark that programmers worked more than a year on the virus, adding that it was inspired by two groups, known as "The Neoists" and "The Church of!Σhe SubGenius." (He said the latter was formed in Texas as a satire on fundamentalist religion and inspired a 1983 book.) As noted here earlier, the MacMag virus also reached beyond CompuServe to other information services and private bulletin board systems. For instance, The Chronicle quotes General Manager Bill Louden of General Electric's GEnie as saying that about 200 users downloaded the file from that information service before it was discovered and removed early Monday. Meanwhile, Shapiro told Clark that only about 40 of CompuServe's subscribers retrieved the file before it was removed early Sunday. The Chronicle says that Mac devotees in the Bay Area were "stunned" by news of the virus, but not all were upset. For example, Apple wizard Andy Hertzfeld, a co-designer of the original Mac, told the paper, "As far as I'm concerned, it doesn't have any malicious intent and is just some people having fun. I don't see why people are so uptight." Meanwhile, a spokeswoman for Apple at company headquarters in Cupertino, Calif., said the company is searching for details of the virus and could not comment on it at present. --Charles Bowen TWO FIRMS OFFER TO "INOCULATE" US AGAINST THE COMPUTER "VIRUSES" (March 4) The debate continues over whether computer "viruses" are real or just the latest urban legend, but at least two companies are hoping that we don't want to take any changes. Independent of each other, the firms this week both claimed to have the first commercial software to "inoculate" systems against those reported rogue programs that damage data and systems files. One of the companies, Lasertrieve Inc. of Metuchen, N.J., introduced its VirALARM product during Microsoft Corp.'s CD-ROM conference in Seattle. In addition, in Stockholm, a Swedish company called Secure Transmission AB (Sectra) today announced a similar anti-virus program called TCELL, after a counterpart in human biology. A Lasertrieve statement contends that previous anti-viral software utilities -- mostly offered in the public domain -- work by drawing attention to the virus's attempted alterations of system files, noting a change of file size, or monitoring the dates of program changes. However, the New Jersey firm contends, this approach makes such programs "easily fooled by sophisticated viruses." Lasertrieve says its VirALARM contains a program designed to protect another program, creating a software "barrier." According to the statement, before anyone can use the protected program, VirALARM checks to determine whether the program has been altered since it was inoculated. If there has been any change, the software then blocks use of the altered program, notifies the user and suggests a backup copy of the program be substituted. Meanwhile, Bo-Goran Arfwidsson, marketing director of the Swedish company, told Bengt Ljung of United Press International that its TCELL "vaccine" gives a database a partial outside protection, sounds an alarm if a computer virus appears inside a database and identifies the infected file so it can be isolated. The contaminated part then can be replaced with a backup file. Sectra spokesman Torben Kronander said that TCELL has been "tested for a year now and ther% `s no question that it works," adding that since early 1987 the software has functioned on computers of major Swedish manufacturing companies. Arfwidsson declined to name those companies for security purposes. Kronander said TCELL simply made the task of creating a virus so complicated that only vast computer systems would be able to carry it out. "We've effectively removed the hacker type of attack, and these have been the problem. It will take the resources of a major software producer or a country to produce a virus in the future." UPI says Sectra is a 10-year-old research company with 19 employees in Linkoping in central Sweden, closely tied to the city's Institute of Technology. --Charles Bowen "VIRUS" SPREADS TO COMMERCIAL PROGRAM; LEGAL ACTION CONSIDERED (March 16) That so-called "benign virus" that stirred the Apple Macintosh community earlier this year when it cropped up in a public domain file in forums on CompuServe and other information services now apparently has invaded a commercial program called FreeHand. The publisher, Seattle's Aldus Corp., says it had to recall or rework some 5,000 FreeHand packages once the virus was discovered and now is considering legal action against those who admitted writing the self- propagating program. Meanwhile, other major software companies reportedly are worried that the virus may have affected some of their products as well. At the heart of the controversy is a "peace message" that Canadian Richard Brandow, publisher of Montreal's MacMag magazine, acknowledged writing. As reported here earlier, that file was designed to simply pop up on Mac screens7¬│round the world on March 2 to celebrate the first anniversary of the release of the Macintosh II. However, many Mac users reacted angrily when they learned that the file quietly had altered their systems files in order to make the surprise message possible. Now the virus has re-emerged, this time in FreeHand, a new Mac program Aldus developed. Aldus spokeswoman Laury Bryant told Associated Press writer George Tibbits that Brandow's message flashed when the program was loaded in the computer. Bryant added that, while it "was a very benign incident," Aldus officials are angry and "are talking with our attorneys to understand what our legal rights are in this instance.... We feel that Richard Brandow's actions deserve to be condemned by every member of the Macintosh community." This may be the first instance of a so-called "virus" infecting commercial software. Tibbits says the Brandow virus apparently inadvertently spread to the Aldus program through a Chicago subcontractor called MacroMind Inc. MacroMind President Marc Canter told AP that the virus appears to have been in software he obtained from Brandow which included a game program called "Mr. Potato Head," a version of the popular toy. Canter said that, unaware of the digital infection, he ran the game program once, then later used the same computer to work on a disk to teach Mac owners how to use FreeHand. That disk, eventually sent to Aldus, became infected. Then it inadvertently was copied onto disks sold to customers and infected their computers, Canter said. Upset with Brandow, Canter says he also is considering legal action. For his part, Brandow says he met Canter, but denied giving him the software. The whole incident apparently has some at other companies worried because they also use Canter's services. Tibbits says that among MacroMind's clients are Microsoft, Ashton-Tate, Lotus Development Corp. and Apple Computers. A-T has not commented, but officials at Microsoft, Apple and Lotus all told AP that none of their software was infected. Ma!╖while, Brandow told Tibbits that, besides calling for world peace, the virus message was meant to discourage software piracy and to encourage computer users to buy original copies. The full message read: "Richard Brandow, the publisher of MacMag, and its entire staff would like to take tZl.H▌Ωtuni∞y Φo convey their universal message of peace to all Macintosh users around the world." Beneath that was a picture of a globe. Bran╚Kw`│XZóíà╤üz╔Ñ¥Ñ╣à▒▒σüBòü*ß┴òì╤òæüéò╜┴▒òüjà¡Ñ╣¥ü¬╣à╒╤í╜╔ÑΘòæü╜┴Ñò═üzÖ5R░«δ╔à╡═üz╣üóíòüjàìíÑ╣òü║╜╒▒æüÜ┴╔ òàæüóíòü▓Ñ╔╒═üJ╣üóíòüj╜╣▒╔òàeüarea and possibly a few other areas of Canada and the United States. However, he said he was shocked later to find that, after the virus program began to appear in the databases of online information services, an estimated 350,000 people in North America and Europe saw the message pop up on their computers on March 2. --Charles Bowen THREAT OF "VIRUS" BLOWN OUT OF PROPORTION, NORTON AND SYSOPS SAY (April 10) The threat of so-called computer "viruses" has been vastly overrated, according to software guru Petσr2Norton and two CompuServe forum administrators. "We're dealing with an urban myth," Norton told Insight magazine. "It's like the story of alligators in the sewers of New York. Everyone knows about them, but no one's ever seen them. Typically, these stories come up(σwery three to five years." Don Watkins, administrator of CompuServe's IBM Users Network forums (GO IBMNET) also told the general interest magazine that he's more concerned about being hit by a meteor than a computer virus. "In five years," Watson said, "I've seen only one program that was designed to do intentional damage. That was about three yeaΣW`í╓ï ╣æüJ╤ü║à═╣¥óü▓ò╔σ5R│íÑ═╤Ñìà╤òæ╣j @""I@have never spoken to anyone who personally, firsthand, has ever seen or experienced a program like this," Watson added, "and my job keeps me i▄touchM ╖Zóò╣═üzÖüóí╜╒═à╣æ═üzÖüéò╜┴▒ò╣j$ ComΦuS╦╣W2╜╔╒╡üadministrators check each piece of user-contributed software before posting it in data libraries for general distribution. The alleged virus problem received widespread attention in early March when an unauthorized message was placed onto Freehand, a commercial software product for the Apple Macintosh published by Aldus Corp. Earlier, the same message circulated in several information services and was uploaded to CompuServe's Hyper Forum, a forum devoted to the Hypertext technology that is part of the Micronetworked Apple Users Groups (GO MAUG). The message read "Richard Brandow, publisher of MacMag, would like to take this opportunity to convey a universal message of peace to all Macintosh users." It then erased itself without doing any harm. Of the situation, Neil Shapiro, MAUG's chief sysop, said, "The whole problem has been completely hyped out of proportion." --Daniel Janal COMPUTER VIRUS NEWSLETTER DEBUTS (April 13) If you want to follow all the latest news on insipid computer viruses, you might be interested in the debut of "Computer Virology," a newsletter devoted to identifying and analyzing those annoying computer diseases. Produced by Director Technologies Inc., the developers of Disk Defender, a hardware device that write protects PC hard disks, the newsletter will be published monthly. Topics will include developments for protection against the viruses, precautions and procedures to follow to insure that terrorists not let loose this rampant epidemic. "The latest strain of computer viruses presently causing serious damage at university labs, scientific research facilities, hospitals and business organizations worldwide, has created a very real concern for the future of having free access to the tremendous amounts of information that are now readily available for unlimited use," said Dennis Director, president of Director Technologies. "The potential dangers of such viruses is that they can be used not only as a means to facilitate malicious pranks in the home computer area, but also pose a real `terrorist' threat to academic computing labs, scientific research projects and business. Data loss can cost hundreds of thousands of dollars in real money, as well as in wasted man-hours." The newsletter is distributed free of charge. For information or to subscribe, contact Director Technologies Inc., 906 University Pl., Evanston, IL 60201. 312/491-2334. SIR-TECH UNVEILS ANTI-VIRUS (April 14) Sir-tech Software Inc., the Ogdensburg, N.Y., firm best known for its recreational programs such as the acclaimed "Wizardry" series of adventure games, now has released a free program called "Interferon, the Magic Bullet" that it says is meant to "halt the devastation of computer virus." A company statement reports that Robert Woodhead, 29-year-old director of Sir-tech's Ithaca, N.Y., development center, designed the Apple Macintosh program to "detect and destroy the highly-publicized computer virus which threatens the integrity of the world's computer systems." Sir-tech says the program will be offered free for downloading from related services oε QompuServe and GEnie. In addition, it is available by mailing a diskette with a self-addressed, stamped envelope to Sir-tech, 10 Spruce Lane, Ithaca, N.Y. 14850. While the program itself is free, Woodhead asks for donations to a fund established to buy computer equipment for visually impaired users. A notice in the software gives details on the fund. Woodhead said he has worked since early this year to come up with Interferon, named for the antiviral treatment for cancer. "Just as a virus leaves clues in a human body, the computer virus is detectable if users know what to look for," Woodhead said. The Inter~σΓon`░«δ╔à╡üÆòì╜¥╣ÑΘò═üíà╣¥ò═üóíà╤ü╜╡┴╒╤ò╔ü▓Ñ╔╒═ò═üjà¡òü ═üóíòσ5R│╔òàæüóíòÑ╔üJ╣Öòì╤Ñ╜╣ü ╣æü║Ñ▒▒üJ╣æÑìà╤òüóíà╤üóíò╔òüJ═üÜ╜╡ò╤íÑ╣¥ü ╡Ñ══▒óíò5Rstatement`│XZûóàòü╙╖V╓╤Ñ╜╣ücan be cured by deleting the diseased files," it added. "As new viruses are discovered, Interferon will be updated for instant detection." --Charles Bowen NEW VIRUS PLAGUES MACINTOSHES AT NASA AND APPLE (April 18) Apple Macintosh computers at the National Aeronautics and Space Administration and at Apple Computer as well as other business offices around the country have caught a new computer virus, reports0N╬wsdayn @"Thebà╤ò═╤ühigh-tech plague is under investigation by Apple and federal aut┐G╕ities. During the past three weeks, Apple has been receiving reports of a virus called Scores. Although it has not been known to erase any data, it can cause malfunctions in printing and accessing files and can cause system crashes, Cynthia Macon of Apple Computer told Newsday. Two hundred of the 400 Macintosh computers at the Washington, D.C. offices of NASA have been infected. Many of them are connected to local area networks and are spreading the virus. "This particular virus does not attack data. We have no record indicating anyone lost anything important," said Charles Redmond, a NASA spokesman. Newsday notes that the Scores virus can be detected by the altered symbols that appear in Scrapbook and Note Pad, two Macintosh files. Instead of the Mac logo, users see a symbol that looks like a dog-eared piece of paper. Two days after the virus is transmitted, it is activated and begins to randomly infect applications, such as word processing and spreadsheet programs. EDS Corp. of Dallas, Texas was also infected with the Scores virus, but managed to stop its spread. -- Cathryn Conroy FRIDAY THE 13TH "VIRUS" FIZZLES (May 14) Good morning, computerdom! It's Saturday the 14th and we're all still here. At least, we all SEEM to still be here, though some are saying it's too early to tell for sure. Yesterday, the first Friday the 13th of the year, was widely reported to be the target date for the denotation of a computer virus called "Black Friday" which was first discovered in the computers of the Hebrew University in Jerusalem late last year. The virus, which was reported to have spread from Jerusalem to computers around the world, was said to be designed to destroy computer files on May 13. However, no early reports of damage have surfaced. Computer experts in Jerusalem told Associated Press writer Karin Laub that the so-called virus was undone because most computer users were alerted in time. Hebrew University researchers detected the virus on Dec. 24 because of a flaw in its design, according to senior programmer Yisrael Radai. Nonetheless, a few experts are saying that we aren't out of the woods yet. For instance, Donn Parker of the SRI International research firm in Menlo Park, Calif., told The Washington Post this morning that he hadn't heard of any virus-related damage, "but we have been holding our breath. I think it will be a dud, but we won't know until next week, and only then if people whose computers go down talk about it." Some software companies tackled the virus scare. AP reports that the Iris software publisher of Tel Aviv developed an anti-virus program for the Israeli computing community and sold 4,000 copies before yesterday. President Ofer Ahituv estimated that 30 percent of his 6,000 customers, most of them businesses, had been infected by the Black Friday virus. Meanwhile, some are saying the apparent fizzle of the virus is what they expected all along. "Viruses are like the bogyman," said Byron C. Howes, a computer systems manager at the University of North Carolina at Chapel Hill. Speaking with AP, he compared programmers who believe in viruses to "people who set little bowls of milk outside our doors to feed the dwarfs." Barry B. Cooper, owner of Commercial Software in Raleigh, N.C., agreed. "I just think that the whole thing is a joke," like the prediction by medieval seer Nostradamus of a major earthquake on May 8, 1988. "That didn't come true, and this won't come true." --Charles Bowen R.I. NEWSPAPER DISLODGES VIRUS (May 16) The Providence, R.I., Journal-Bulletin says it worked for the past week and a half to stamp out a "virus" that infected an in-house personal computer network used by reporters and editors, but not before the virus destroyed one reporter's data and infected scores of floppy disks. Writing in The Journal, Jeffrey L. Hiday said the virus was "a well-known, highly sophisticated variation called the 'brain' virus, which was created by two brothers who run a computer store in Lahore, Pakistan." Variations of the virus, he noted, have been discovered at companies and colleges across the country, including, last week, Bowie State College in Maryland, where it destroyed five students' disks. Online Today reported on April 23 that a similar Pakistan-based virus infected a student system used at Miami University in Ohio, threatening to wipe out term papers stored there. Apparently this is the first time a virus has invaded a US newspaper's system. Hiday said The Journal contacted one of the Pakistan brothers by phone, who said he created this particular virus merely to keep track of software he wrote and sold, adding that he did not know how it got to the United States. However, Hiday added, "US computer programming experts ... believe the Pakistanis developed the virus with malicious intent. The original version may be relatively harmless, they point out, but its elegance lends itself to alterations by other programmers that would make it more destructive." The newspaper says it discovered the virus on May 6 when a message popped up on computer screens reading, "Welcome to the Dungeon. ... Beware of this VIRUS. Contact us for vaccination." The message included a 1986 copyright date, two names (Basit and Amjad), a company (Brain Computer Services), an address (730 Nizam Block Allama Iqbal in Lahore, Pakistan) and three phone numbers. Journal-Bulletin systems engineer Peter Scheidler told Hiday, "I was sort of shocked. I never thought I'd see a virus. That's something you read about." The virus infected only the PC network; neither the paper's Atex news-editing system nor its IBM mainframe that supports other departments were affected. Hiday says the newspaper now is taking steps to protect itself against another virus attacks. It has tightened dissemination of new software and discussed installing "anti-virus" devices. In addition, computer users have been warned not to use "foreign" software, and reporters have been instructed to turn their computers off and then on again before inserting floppy disks. --Charles Bowen EPA MACINTOSHES RECOVER FROM VIRUS (May 18) Although Apple Macintosh computers at the Environmental Protection Agency were recently plagued with a virus, all of them seem to be on the mend now. According to Government Computer News, the computers were vaccinated with Virus Rx, a free program issued by Apple Computer Inc. to help users determine if their hard disks have been infected. Apple has begun an educational campaign to promote "safe computing practices," Apple spokeswoman Cynthia Macon told GCN. Virus Rx is available on CompuServe in the Apple Developers Forum (GO APPDEV) in Data Library 8 under the name VIRUS.SIT. Macon said the best long-term response to viruses "is to make users aware of steps they can take to protect themselves." These include backing up data files, knowing the source of programs and write-protecting master disks. Other steps include booting from a floppy disk and running all programs from floppies rather than installing and running them from the hard disk. EPA is having some trouble with reinfection. Since up to 20 people may use one Macintosh, someone may unknowingly insert a virus-plagued disk into a clean machine. "It's like mono. You just never get rid of it," said Leslie Blumenthal, a Unisys Corp. contract employee at EPA. FBI agents in Washington, D.C. and San Jose, Calif. are investigating the spread of the Macintosh virus, notes GCN. -- Cathryn Conroy CONGRESS CONSIDERS VIRUS PROBLEMS (May 19) Computer viruses have come to the attention of Congress and legislators would like to be assured that US defense computers are safe from the replicating little bugs. Although defense systems can't be reached simply by telephoning them, a virus could be contracted through an infected disk containing non-essential information. The Defense Authorization Bill for FY 1989 is likely to direct the Defense Department (DoD) to report on its methods for handling potential viral infections. Congress also wants to know what DoD has done about safeguarding military computers. They'd like some assurance that the Defense Department also has considered situations where a primary contractor's computer could be infected and subsequently endanger DoD's own computers. Anticipating future hearings, Congressional staffers are soliciting comments from knowledgeable users as to what the report to Congress should cover. Interested parties should forward their comments to Mr. Herb Lin, House Armed Services Committee, 2120 Rayburn House Office Building, Washington DC 20515. Further information is available by calling 202/225-7740. All comments will be kept in confidence. --James Moran TEXAN STANDS TRIAL FOR ALLEGEDLY INFECTING SYSTEM WITH "VIRUS" (May 24) In Fort Worth, Texas, a 39-year-old programmer is to stand trial July 11 on felony charges that he intentionally infected an ex-employer's system with a computer "virus." If convicted, he faces up to 10 years in prison. The man, Donald Gene Burleson, apparently will be the first person ever tried under the state's tougher computer sabotage law, which took effect Sept. 1, 1985. Dan Malone of the Dallas Morning News broke the story this morning, reporting on indictments that accuse Burleson of executing programs "designed to interfere with the normal use of the computer" and of acts "that resulted in records being deleted" from the systems of USPA and IRA Co., a Fort Worth-based national securities and brokerage. The paper quoted police as saying the electronic interference was a "massive deletion" of more than 168,000 records of sales commissions for employees of the company, where Burleson once worked as a computer security officer. Burleson currently is free on a $3,000 bonding pending the trial. Davis McCown, chief of the Tarrant County district attorney's economic crimes division, said of the alleged virus, "You can see it, but you can't see what it does -- just like a human virus. It had the ability to multiply and move around and was designed to change its name so it wouldn't be detected." McCown also told Malone he wanted to make sure "that this type of criminal understands that we have the ability to make these type of cases; that it's not so sophisticated or complicated that it's above the law." Company officials first noticed a problem on Sept. 21, 1985. Says the Dallas newspaper, "Further investigation revealed that an intruder had entered the building at night and used a 'back-door password' to gain access to the computer. ... Once inside, the saboteur covered his tracks by erasing computer logs that would have followed his activity, police said. With his access to the computer complete, the intruder manually deleted the records." Authorities say that only a few of the 200 workers in the USPA home office -- including Burleson -- had access and the knowledge needed to sabotage the system. Earlier USPA was awarded $12,000 by a jury in a civil lawsuit filed against Burleson. --Charles Bowen FBI CALLED TO PROBE VIRUS CASE (July 4) The FBI has been called in by NASA officials to investigate an alleged computer virus that has destroyed data on its personal computers and those of several other government agencies. The New York Times reported this morning that the rogue program -- apparently the so- called "Scores" virus that surfaced last April -- was designed to sabotage data at Dallas' Electronic Data Systems. The paper said the virus did little damage to the Texas company but did wreak havoc on thousands of PCs nationwide. The Times quoted NASA officials as saying the FBI was called in because, even though damage to government data was limited, files were destroyed, projects delayed and hundreds of hours were spent tracking the culprit at various government agencies, including NASA, the Environmental Protection Agency, the National Oceanic and Atmospheric Administration and the US Sentencing Commission. NASA says it doesn't know how the program, which damaged files from January to May, spread from the Texas EDS firm to PC networks nor whether the virus was deliberately or accidentally introduced at government agencies. Meanwhile, the Times quoted experts as saying that at least 40 so-called "viruses" now have been identified in the United States, defining a virus as a program that conceals its presence on a disk and replicates itself repeatedly onto other disks and into the memory of computers. As reported here in April, the Scores virus was blamed for infecting hundreds of Apple Macintosh computers at NASA and other facilities in Washington, Maryland and Florida. The Times says the spread of the virus was exacerbated when private contractors in Washington and North Carolina inadvertently sold dozens of computers carrying the virus to government agencies. The virus spread for as long as two months and infected networks of personal computers before it was discovered. --Charles Bowen NEW MEXICO BBS SUES OVER VIRUS (Aug. 17) The operator of a New Mexico computer bulletin board system has filed what may be the first federal suit against a person accused of uploading a computer "virus." William A. Christison, sysop of the Santa Fe Message BBS, alleges in his suit that a man named Michael Dagg visited his board in the early hours of last May 4 and "knowingly and intentionally" uploaded a digitally-infected file called "BBSMON.COM." The suit says Christison "checked the program before releasing it to the public and discovered that it was a 'Trojan Horse'; i.e., it appeared to be a normal program but it contained hidden commands which caused the program to vandalize Plaintiff's system, erasing the operating system and damaging the file allocation tables, making the files and programs stored in the computer unusable." Christison says that the defendant re-visited the BBS nine times between May 5 and May 12, sometimes logging in under a pseudonym. "Several of these times," the suit says, "he sent in messages and on May 7, 1988, he knowingly and intentionally sent in by modem a program of the same name, BBSMON.COM, as the original 'Trojan Horse' computer program." Through attorney Ann Yalman, Christison asks the court to grant $1,000 for each Trojan Horse violation and to enjoin the defendant "from sending 'Trojan Horses' or 'viruses' or other vandalizing programs to Plaintiff or anyone else." A copy of the Santa Fe Message's suit has been uploaded to CompuServe's IBM Communications Forum. To see it, visit the forum by entering GO IBMCOM at any prompt. The ASCII file is VIRUS.CHG in forum library 0. Also, you can reach Christison BBS directly with a modem call to 505/988-5867. --Charles Bowen VIRUS FIGHTERS FIGHT EACH OTHER (Aug. 31) Two groups that mean to protect us in the fight against so-called computer "viruses" seem to be spending rather a lot of their energies fighting each other. "I personally know most of the people in this industry and I have never seen this kind of animosity," Brian Camenker of the Boston Computer Society tells business writer Peter Coy. The bickering grew louder on Monday in page-one article in MIS Week trade newspaper in which each side accused the other of using sloppy techniques and manipulating the testing process for its own purposes. Says Coy, "The intensity of the debate has left some software developers disgusted with the whole business." The argument, which centers around fair evaluation anti-virus "vaccine" software, pits the 2- month-old Computer Virus Industry Association led by John McAfee, president of InterPath Corp. of Santa Clara, Calif., against what Coy terms "a loose collection of other computer experts" led by consultant Jon R. David of Tappan and editor Harold Highland of Computers & Security magazine. "Customers and producers agree on the need for an independent panel of experts to review the (vaccine) software," Coy comments. "The question splitting the industry is who should be in charge." CVIA is pulling together an independent university testing panel made up of representatives of Pace University, Adelphi University and Sarah Lawrence College and headed by John Cordani, who teaches computer science at Adelphi and Pace. However, David and Highland say these people don't have the necessary credentials and that McAfee's InterPath products will have an advantage in the testing because McAfee invented a virus simulator that will be used as a testing mechanism. Meanwhile, Highland says he's getting funding from his publisher, Elsevier Advanced Technology Publications, for his own review of anti-viral software, but adds he isn't interested in operating an ongoing review board. --Charles Bowen VIRUS TRIAL BEGINS IN FORT WORTH (Sept. 7) A 40-year-old Texas programmer has gone on trial this week, accused of using a "virus" to sabotage thousands of computer records at his former employer's business. If convicted in what is believed to be the nation's first virus-related criminal trial, Donald G. Burleson faces up to 10 years in jail and a $5,000 fine. Reporting from the state criminal district court in Fort Worth, Texas, The Associated Press notes Burleson was indicted on charges of burglary and harmful access to a computer in connection with damage to data at USPA & IRA Co. securities firm two days after he was fired. The trial is expected to last about two weeks. USPA, which earlier was awarded $12,000 in a civil suit against Burleson, alleges the defendant went into its offices one night and planted a virus in its computer records that, says AP, "would wipe out sales commissions records every month. The virus was discovered two days later, after it had eliminated 168,000 records." --Charles Bowen VIRUS ATTACKS JAPANESE NETWORK (Sept. 14) Japan's largest computer network -- NEC Corp.'s 45,000- subscriber PC-VAN service -- has been infected by a computer "virus." McGraw-Hill News quotes a NEC spokesman as saying that over the past two weeks 13 different PC- VAN users have reported virus incidents. Subscribers' user IDs and passwords "were apparently stolen by the virus planter when the members accessed one of the service's electronic bulletin boards," MH says. "The intruder then used the information to access other services of the system and charged the access fees to the password holders." NEC, which says it has not yet been able to identify the virus planter, gave the 13 subscribers new user IDs and passwords to check the proliferation of the virus. --Charles Bowen JURY CONVICTS PROGRAMMER OF VIRUS (Sept. 20) After deliberating six hours, a Fort Worth, Texas, jury late yesterday convicted a 40-year-old programmer of planting a "virus" to wipe out 168,000 computer records in revenge for being fired by an insurance firm. Donald Gene Burleson is believed to be the first person convicted under Texas's 3-year-old computer sabotage law. The trial, which started Sept. 6, also was among the first of its kind in the nation, Judge John Bradshaw told the Tarrant County jury after receiving its verdict. The Associated Press says jurors now are to return to State District Court to determine the sentence. Burleson, an Irving, Texas, resident, was found guilty of harmful access to a computer, a third-degree felony with a maximum penalty of 10 years in prison and a $5,000 fine. However, as a first-time offender, Burleson also is eligible for probation. As reported here earlier, Burleson was alleged to have planted a rogue program in computers used to store records at USPA and IRA Co., a Fort Worth insurance and brokerage firm. During the trial, prosecutor Davis McCown told the jury the virus was programmed like a time bomb and was activated Sept. 21, 1985, two days after Burleson was fired as a programmer at the firm because of alleged personality conflicts with other employees. AP quoted McCown as saying, "There were a series of programs built into the system as early as Labor Day (1985). Once he got fired, those programs went off." McCown added the virus was discovered two days later after it had eliminated 168,000 payroll records, holding up paychecks to employees for more than a month. Expert witnesses also testified in the three-week trial that the virus was entered in the system via Burleson's terminal by someone who used Burleson's personal access code. However, the defense said Burleson was set up by someone else using his terminal and code. Says AP, "Burleson's attorneys attempted to prove he was vacationing in another part of the state with his son on the dates in early September when the rogue programs were entered into the system. But prosecutors presented records showing that Burleson was at work and his son was attending school on those dates." The Fort Worth Star-Telegram reports that also during the trial, Duane Benson, a USPA & IRA senior programmer analyst, testified the automated virus series, which was designed to repeat itself periodically until it destroyed all the records in the system, never was automatically activated. Instead, Benson said, someone manually set one of the programs in motion Sept. 21, 1985, deleting the records, then covering his or her tracks by deleting the program. Prosecutor McCown says data damage in the system could have amounted to hundreds of thousands of dollars had the virus continued undetected. As reported here earlier, Burleson also has lost a civil case to USPA in connection with the incident. That jury ordered him to pay his former employers $12,000. Following the yesterday's verdict, McCown told Star-Telegram reporter Martha Deller, "This proves (virus damage) is not an unprosecutable offense. It may be hard to put a case together, but it's not impossible." --Charles Bowen UNIVERSITY PROFESSORS ATTACK COMPUTER VIRUSES (Sept. 30) Because they have not been given access to the National Security Agency's anti-virus research, several university- based computer experts are planning to begin their own testing and validating of software defenses against computer viruses, reports Government Computer News. Led by John Cordani, assistant professor of information systems at Adelphi University, the results will be made public, unlike those being researched by NSA. The work being done by the Department of Defense is too classified for use by the general computer community. GCN notes that computer viruses are hard-to-detect programs that secretly replicate themselves in computer systems, sometimes causing major damage. Cordani and five other academics will establish secure laboratories to study viruses in three New York colleges: Adelphi University, Pace University and Sarah Lawrence College. The lab will test anti-virus software developed by companies that are members of the Computer Virus Industry Association, a consortium of anti-virus defense developers. The group will then publish what it is calling "consumer reports" in the media and on electronic bulletin board systems. Once sufficient research is completed, more general grading systems will be applied, said Cordani. In addition, the lab will use viruses sent to them by the CVIA to develop classification algorithms to aid in describing a virus' actions and effects. -- Cathryn Conroy SECOND VIRUS FOUND AT ALDUS CORP. (Oct. 21) For the second time this year, a computer "virus" has been found in a commercial program produced by Seattle's Aldus Corp. The infection was found in the latest version of the FreeHand drawing software, the same software that was invaded by a different virus last March. An Aldus official told The Associated Press the company was able to prevent the virus's spread to programs for sale to the public, but that an entire computer network within Aldus' headquarters has been infected. The virus was found in a version of the Apple Macintosh software that was sent to specific users to be tested before going to market. One of the testers discovered the virus, dubbed "nVir," and two days later, Aldus realized the virus was in its own in-house network. Said Aldus spokeswoman Jane Dauber, "We don't know where it came from. That is the nature of the virus. You can't really track it." AP says Aldus officials said the new virus has remained dormant so far, a tiny program that merely attaches itself to other programs. "We don't know why," Dauber said. "We don't know what invokes this virus. With some of them, you have to launch the program a certain number of times," for the virus to activate. The company told the wire service that, while it does not know where the virus originated, reports are that it apparently has infected at least one unidentified East Coast university's computers. Another Aldus spokeswoman, Laury Bryant, added, "You just can't always stop these things from coming in the door. But what we have done is to set up systems which eliminate them before they are actually in full version, shrink-wrap software and stop them from going out the door." Last March, in what was apparently the first instance of an infection in commercial software, a virus called the "March 2 peace message" was found in some FreeHand programs. The invasion caused Aldus to recall or rework thousands of packages of the new software. --Charles Bowen MAN SENTENCED IN NATION'S FIRST VIRUS-RELATED CRIMINAL COURT CASE (Oct. 23) Donald Gene Burleson, the first person ever convicted of using a computer "virus" to sabotage data, has been sentenced to seven years' probation and ordered to pay back nearly $12,000 to his former employer. The 40-year-old Irving, Texas, man's attorney told United Press International he will appeal the sentenced handed down late Friday by District Judge John Bradshaw in Fort Worth, Texas. As reported earlier, Burleson was convicted Sept. 19 of the third-degree felony, the first conviction under the new Texas state computer sabotage law. He was accused of infecting the computers of USPA & IRA, a Fort Worth insurance and securities firm a few days after his firing Sept. 18, 1985. Burleson could have received two to 10 years in prison and a fine up to $5,000 under the 1985 law. As a first-time offender, however, he was eligible for probation. As reported during last month's trial, a few days after Burleson's firing in 1985, company officials discovered that 168,000 records of sales commissions had been deleted from their system. Burleson testified that he was more than 300 miles away from Fort Worth on Sept. 2 and Sept. 3 when the virus was created. However, UPI notes that evidence showed that his son was not traveling with him as he said but in school, and that a credit card receipt Burleson said proved he was in Rusk on Sept. 3 turned out to be from 1987. Associated Press writer Mark Godich quoted Burleson's lawyer, Jack Beech, as saying he had asked for five years' probation for his client, and restitution not to exceed $2,500. Godich also observed that the Burleson's conviction and sentencing "could pave the way for similar prosecutions of people who use viruses." Chairman John McAfee of the Computer Virus Industry Association in Santa, Clara, Calif., told AP the Texas case was precedent-setting and that it's rare that people who spread computer viruses are caught. He added his organization had documented about 250,000 cases of sabotage by computer virus. --Charles Bowen BRAIN VIRUS HITS HONG KONG (Oct. 30) According to Computing Australia, a major financial operation in Hong Kong was infected with a version of the "Brain" virus. This is the first reported infection of a commercial business in the East. Business International, a major financial consulting firm in Hong Kong, is believed not to have suffered any major damage. A company spokeswoman played down the appearance of the virus and said that no data had been lost. The "brain" virus has been reported as a highly sophisticated piece of programming that was created by two men in Lahore, Pakistan who run the Brain Computer Services company. It's last reported appearance in the US was during May when it popped up at the Providence, R.I., Journal- Bulletin newspaper. --James Moran 60 COMPUTER FIRMS SET VIRUS GOALS (Nov. 2) Some 60 computer companies have organized a group to set guidelines that they say should increase reliability of computers and protect the systems from so-called "viruses." The Reuter Financial News Service says that among firms taking part in the movement are Microsoft Corp., 3Com Inc., Banyan Systems and Novell Inc. At the same time, though, declining to join the efforts are such big guys as IBM and Digital Equipment Corp. Reuter reports, "The companies said the measures would promote competition while allowing them to cooperate in making computers more reliable and less vulnerable to viruses." However, the firms apparently have shied away from specific proposals, instead issuing broad recommendations that leave it up to each company to develop the technology needed to prevent the spread of viruses, Reuter said. --Charles Bowen THOUSANDS OF UNIVERSITY, RESEARCH COMPUTERS STUCK IN MAJOR ASSAULT (Nov. 4) Thousands of Unix-based computers at universities and research and military installations were slowed or shut down throughout the day yesterday as a rogue program ripped through international networks, an incident proclaimed by some to be the largest assault ever on the nation's computers. No permanent damage or security breaches appear to have occurred during the attack. This led some to say this morning that the intrusion was not actually a computer "virus" but rather was a "worm" program, in that it apparently was designed to reproduce itself, but not to destroy data. Science writer Celia Hooper of United Press International says the virus/worm penetrated the computers through a "security hole" in debugging software for electronic mail systems that connect Unix-based computers, evidently then moving primarily through ARPAnet (the Advanced Research Projects Agency Network) and NSFnet (network of the National Science Foundation) that link 2,000 computers worldwide. At other systems: -:- The virus/worm also apparently invaded the Science Internet network that serves many labs, including NASA's Jet Propulsion Laboratory in Pasadena, Calif. -:- NASA spokesman Charles Redmond said there were no reports of the space agency's network, Space Physics Analysis Network (SPAN), being affected by the attack, but he added that SPAN was linked to some of the infected networks. Meanwhile, The New York Times this morning reported an anonymous call from a person who said his associate was responsible for the attack and that the perpetrator had meant it to be harmless. The caller told the newspaper that his associate was a graduate student who made a programing error in designing the virus, causing the intruder to replicate much faster than expected. Said The Times, "The student realized his error shortly after letting the program loose and ... was now terrified of the consequences." UPI's Hooper says the virus/worm intrusion was detected about 9 p.m. Eastern Time Wednesday at San Francisco's Lawrence Livermore National Laboratory, one of two such labs where nuclear weapons are designed. Spokeswoman Bonnie Jean Barringer told UPI said the invasion "was detected and contained within two hours." The rogue program evidently spread through a flaw in the e- mail system of the networks. Hooper said it quickly penetrated Air Force systems at the NASA Ames Research Center in Mountain View, Calif., and systems at the Massachusetts Institute of Technology, the University of California at Berkeley, the University of Wisconsin, the University of Chicago, the University of Michigan, the University of Rochester, the University of Illinois and Rutgers, Boston, Stanford, Harvard, Princeton, Columbia, Cornell and Purdue universities. Charley Kline, senior research programmer with the Computing Services Office at the University of Illinois at Urbana-Champaign, Ill., told Associated Press writer Bernard Schoenburg, "This is the first time that I know of that (a virus infection) has happened on this scale to larger systems." Kline agreed the virus traveled between computer systems through e-mail and, once the messages were received, they linked up to command controls and told the local computers to make copies of the virus. Kline said the copies then sought out other connected devices. He also said that as far as he knows, only locations using Digital Equipment Corp.'s VAX computers or those systems made by Sun Microsystems Inc. were affected. He estimated about 75 percent of all national networks use such systems. Schoenburg also noted that all the affected computers use the BSD Unix operating system, written at University of California/Berkeley as a modified version AT&T's original Unix. Commenting on the situation, Chairman John McAfee of the new Computer Virus Industry Association in Santa Clara, Calif., told AP writer Paul A. Driscoll, "The developer was clearly a very high-order hacker (because) he used a flaw in the operating systems of these computers." Research director Todd Nugent of the University of Chicago's computing department told UPI computer operators across the country were tipped off to the invasion when they noticed their Unix-based systems running unusually slowly. Thmálachines turned out to be bogged down by loads of viral programs. Nugent said that in one machine he had disconnected, the virus appeared to have replicated itself 85 times. Today, in the morning-after, systems operators were fighting back on several fronts: -:- First, a software "patch" has been developed to fend off the virus/worm. Spokesman Bill Allen of the University of Illinois at Urbana-Champaign told UPI's Hooper, "The strategy is to shut off various (infected) computers from the network then sanitize them, purging the virus with a patch program." Hooper said the patches, which find and excise the virus/worm from the computer and then plug the hole through which it entered, now are circulating on campuses and have been posted nationally on computer bulletin board systems. -:- Secondly, the Defense Communications Agency has set up an emergency center to deal with the problem. However, The New York Times noted that no known criminal investigations are under way. NSFnet Program Manager Al Thaler told UPI he considered the virus/worm "a mean-spirited, vicious thing that interferes severely with the communications network our research computers live in. We are angry." Even though it will be hard to determine who started the virus/worm, Thaler said, "We are going to try." Finally, McAfee of the virus group told AP that this virus/worm was rare because it infested computers at major institutions, not just personal computers. "Any hacker in the world can infect personal computers," McAfee said, "but in this case, the person who did this would have had to have been physically at the site of one of the computers belonging to the network." He added, though, that chances of identifying that person were "extremely slim." --Charles Bowen REPORTS NAME 23-YEAR-OLD CORNELL STUDENT AS THE AUTHOR OF "VIRUS" (Nov. 5) A 23-year-old Cornell University student and the son of a government computer security expert now is said to be the person who planted that "virus" that stymied some 6,000 Unix- based computers across the nation for more than 36 hours this week. The New York Times this morning quoted two sources as identifying the suspect as Robert T. Morris Jr., a computer science graduate student. The paper says Cornell University authorities found that the young man possessed unauthorized computer codes. The young man's father, Robert Morris Sr., the Silver Springs, Md., chief scientist at the National Computer Security Center in Bethesda, Md., acknowledged this morning that "it's possible" his son was responsible for the rapidly-replicating virus that started crashing international networks late Wednesday night. However, Morris Sr., who is known for security programming in Unix systems, told science writer Celia Hooper of United Press International that he had "no direct information" on his son's involvement. He added he had not spoken to his son in several days and was unaware of his whereabouts. The elder Morris also told The Times that the virus "has raised the public awareness to a considerable degree. It is likely to make people more careful and more attentive to vulnerabilities in the future." As reported here yesterday (GO OLT-391), the incident, in which thousands of networked computers at universities and research and military installations were halted or slowed, is said to be the largest assault ever on the nation's computers. However, no permanent damage or security breaches appear to have occurred during the attack. Of Morris Jr.'s alleged involvement, Cornell Vice President M. Stuart Lynn released a statement late last night saying the Ithaca, N.Y., university has uncovered some evidence. For instance, "We are investigating the (computer files) to see if the virus was inserted in the system at Cornell. So far, we have determined that this particular student's account does hold files that appear to have passwords for some computers at Cornell and Stanford University to which he's not entitled. "We also found that his account contains a list of passwords substantially similar to those contained in the virus," said Lynn. He added that students' accounts show which computers they had accessed and what they had stored. The university is preserving all pertinent computer tapes and records to determine the history of the virus. Morris Jr. himself has not been reached for comment. Associated Press writer Douglas Rowe says the young man is believed to have flown to Washington, D.C., yesterday and plans to hire a lawyer and to meet with officials in charge of the infected computer networks to discuss the incident. Rowe also quotes computer scientists as saying the younger Morris worked in recent summers at the AT&T's Bell Laboratories, where one of his projects reportedly was rewriting the communications security software for most computers that run AT&T's Unix operating system. AP also notes that computer scientists who now are disassembling the virus to learn how it worked said they have been impressed with its power and cleverness. Of this, Morris' 56-year-old father told the Times that the virus may have been "the work of a bored graduate student." Rowe says that when this comment was heard back at Cornell, Dexter Kozen, graduate faculty representative in the computer science department, chuckled and said, "We try to keep them from getting bored. I guess we didn't try hard enough." Meanwhile, there already is talk of repercussions if Morris is determined to be responsible for the virus. Lynn said, "We certainly at Cornell deplore any action that disrupts computer networks and computer systems whether or not it was designed to do so. And certainly if we find a member of the Cornell community was involved, we will take appropriate disciplinary action." He declined to specify what the action would be. In addition, federal authorities may be calling. Speaking with reporter Joseph Verrengia of Denver's Rocky Mountain News late yesterday, FBI spokesman William Carter said a criminal investigation would be launched if it is determined federal law was violated. He said the bureau will review the Computer Fraud and Abuse Act, which deals with unauthorized access to government computers or computers in two or more states. Conviction carries a maximum penalty of 10 years in prison. --Charles Bowen ROBERT MORRIS' FRIENDS SAY NO MALICE MEANT WITH ALLEGED VIRUS (Nov. 7) Friends of a Cornell University graduate student suspected of creating a "virus" that jammed some 6,000 networked computers for 36 hours last week say they believe he intended no malice and that he also frantically tried to warn operators after he saw his programming experiment had gone terribly awry. Twenty-three-year-old Robert Tappen Morris Jr. is said to now be in contact with his father -- Robert T. Morris Sr., a computer security expert with the super secret National Security Agency - - and is expected to meet this week with FBI agents after hiring a lawyer. As reported earlier, the virus, which started Wednesday night, spread along several major networks and, for about 36 hours, created widespread disturbances in the unclassified branch of the military's defense data system, as well as in thousands of university and research computer systems. However, apparently no information was lost or damaged. Morris Sr. told Associated Press writer David Germain that he met with FBI agents for about an hour Saturday to explain why his son will not immediately comply with their request for more information. The elder Morris said the family has had preliminary discussions with an attorney and expects to hire one by today. He said his son won't be available for a comment until at least tomorrow or Wednesday. The New York Times yesterday quoted Morris' friends as saying he had spent weeks creating the virus. However, the paper said that by all accounts Morris meant no harm to the systems; instead, the virus, created as an intellectual challenge, was supposed to lie dormant in the systems. A friend alleges Morris discovered a flaw in the electronic mail section of the Unix 4.3 operating system, a modification of AT&T's original Unix produced by the University of California at Berkeley. When he saw the flaw allowed him to secretly enter the networked Unix computers, Morris literally jumped onto the friend's desk and paced around on top of it, the Times reported. Cornell instructor Dexter Kozen told AP the flaw was "a gaping hole in the system that I'm amazed no one exploited before." While the loophole was not evident before the virus was unleashed, "in retrospect it's really quite obvious," Kozen said. Incidentally, the programmer who designed Unix's e-mail program through which the virus apparently entered told the Times this weekend that he had forgotten to close a secret "back door." Eric Allman said he created the opening to make adjustments to the program, but forgot to remove the entry point before the program was widely distributed in 1985. He was working for a programming organization at the University of California/Berkeley at the time. Friends and others say Morris' original vision was to spread a tiny program throughout and have it secretly take up residence in the memory of each computer it entered, the Times said. Working virtually around the clock, Morris reportedly made a single programming error involving one number that ultimately jammed more than 6,000 computers by repeating messages time after time. AP's Germain said Morris reportedly went to dinner after setting the program loose Wednesday night and then checked it again before going to bed. Discovering his mistake, Morris desperately worked to find a way to stop the virus' spread. However, "his machines at Cornell were so badly clogged he couldn't get the message out," said Mark Friedell, an assistant professor of computer science at Harvard University, where Morris did his undergraduate studies. AP says that, panicked, Morris called Andrew Sudduth, systems manager at Harvard's Aiken Laboratory. He asked Sudduth to send urgent messages to a computer bulletin board system, explaining how to defeat the virus. Sudduth told The Washington Post, "The nets were like molasses. It took me more than an hour to get anything out at all." At a press conference this weekend, Cornell University officials said that, while the computer virus was traced to their institution, they actually had no evidence to positively identify Morris as the virus creator. Said Dean Krafft, Cornell's computer facilities manager, "We have no fingerprints. We have no eyewitness, but it was created on his computer account." Krafft added that Morris' computer account holds files that appear to have unauthorized passwords for computers at Cornell and Stanford University. In addition, Cornell Vice President M. Stuart Lynn said the origin of the program is hard to investigate, and it may be impossible to trace the virus back to Morris. "At this stage we're simply not in a position to determine if the allegations are true," Lynn said, adding he did not know how long the investigation would take. Curiously, in light of Krafft's statements, Lynn is quoted as saying, "It's quite conceivable we may not be able to say with any certainty" if the virus was created in Cornell's computer system. Lynn also said the university had been contacted by the FBI, but there was no indication any criminal charges would be filed. Officials said the school could discipline Morris if he was involved. By the way, one Cornell official, who spoke on condition of anonymity, told AP that it appeared there was an earlier version of the virus in Morris' computer files. Regarding possible penalties, United Press International this morning quoted an FBI spokesman as saying that the person responsible for the virus could face up to 20 years in prison and $250,000 in fines for the federal offense of unauthorized access to government computers. Finally, Harvard graduate student Paul Graham, a friend of Morris, told the Times he thought Morris' exploit was similar to that of Mathias Rust, the young West German who flew a light plane through Soviet air defenses in May 1987 and landed in Moscow. "It's as if Mathias Rust had not just flown into Red Square, but built himself a stealth bomber by hand and then flown into Red Square." --Charles Bowen NEW LAN LABORATORY GROUP OFFERS SUGGESTIONS FOR VIRUS PREVENTION (Nov. 7) Just a week or so before thousands of networked computers across the country were struck by a rapid virus, some 60 computer companies endorsed a set of virus-prevention guidelines drafted by the National LAN Laboratory. The Reston, Va., group, devoted to local area networks, hopes its tips can prevent and control future viruses and worm program intrusions. Speaking with business writer Peter Coy of The Associated Press, LAN Lab spokesman Delbert Jones said, "The key issue is that with proper precautions, one can continue to live a normal existence. ... "It's very much like the AIDS virus: The best solution is precaution." Here, according to AP, are the suggestions by the LAN Lab group: 1. All software should be purchased from known, reputable sources. 2. Purchased software should be in its original shrink wrap or sealed disk containers when received. 3. Back-up copies should be made as soon as the software package is opened. Back-ups should be stored off-site. 4. All software should be reviewed carefully by a system manager before it is installed on a network. 6. New software should be quarantined on an isolated computer. This testing will greatly reduce the risk of system virus contamination. 7. A back-up of all system software and data should be made at least once a month, with the back-up copy stored for at least one year before re-use. This will allow restoration of a system that has been contaminated by a "time-released" virus. A plan that includes "grandfathered" rotation of back-up copies will reduce risk even further. 8. System administrators should restrict access to system programs and data on ┬"needm┤½Skòëà═Ñ═╣óa┼δ isol╔teτ!p«K▒ò╡═▒ protects critZÑX ┴┴▒Ñìà╤Ñ╜╣═▒ and aids problem diagnosis. 9. All programs on a system should be checked regularly for program length changes. Any program-length deviations could be evidence of tampering, or virus infiltration. 10. Many shared or free programs are invaluable. However, these are the prime entry point for viruses. Skeptical review of such programs is prudent. Also, extended quarantine is essential before these programs are introduced to a computer system. 11. Any software that exhibits symptoms of possible virus contamination should be removed immediately. System managers should develop plans for quick removal of all copies of a suspect program, and immediate backup of all related data. These plans should be made known to all users, and tested and reviewed periodical╡Qùâ#jjZíàæ▒ò═üBowen FBI UPGRADES VIRUS PROBE TO A "FULL CRIMINAL INVESTIGATION" (Nov. 8) The young man alleged to have written the virus that stymied some 6,000 networked computers last week has hired a Washington, D.C., attorney. His selection apparently comes just in time, because the FBI reportedly is upgrading its probe of the matter to a full criminal investigation. Robert T. Morris Jr., 23-year- old Cornell University graduate student, has not been formally charged, but nonetheless is widely alleged to have created the virus that played havoc for 36 hours last week with Unix- based computers on the Pentagon-backed ARPANET network and other systems. Associated Press writer Anne Buckley this morning reported that lawyer Thomas Guidoboni of the Washington firm of Bonner & O'Connell has been retained to represent Morris. Guidoboni told Buckley, "We have notified the federal authorities of our representation and (Morris') whereabouts. We are in the process of investigating the facts and circumstances which have been reported by the press in order to determine our course of action." Meanwhile, The Washington Post this morning quoted law enforcement sources as confirming their inquiry has been expanded to a full field investigation by the FBI's Washington field office. That means the FBI has consulted with federal prosecutors, agreed that the bureau has jurisdiction and that there is reason to believe there may have been a violationáot federal criminal law. "In a full-scale investigation," Buckley said, "the government has the power to subpoena records and documents and compel testimony through the authorization of immunity, two techniques which are not permitted through preliminary inquiries. The move indicate(s) the FBI (is) moving very quickly in the case because in many instances, preliminary inquiries take a month or more." AP also quoted a government source who spoke on condition of anonymity as saying investigators aren't sure whether any criminal activity actually occurred, as defined by a statute passed in 1984. Says Buckley, "A section of that law says it is unlawful to enter a government computer with the intent to disrupt its functions. The crime is punishable by up to 10 years in prison. The source said that in this case, there's no evidence that anything was taken from the computers, but rather that it was a question of disrupting computer systems. One section of law addresses sabotage, but the source said it (is) unclear whether the virus case would involve an intent to disrupt the computer." AP says its source believes the bureau is investigating the matter in view of the fact that there were breaches of security, and that the Justice Department will have to determine whether the matter involved criminal conduct. --Charles Bowen GOVERNMENT MAY SUBPOENA CORNELL (Nov. 9) Sources close to the investigation of last week's massive virus attack say the government may seek search warrants or subpoenas to get documents from Cornell University before trying to interview the virus's alleged author. AssoCiY║Yé╔ò══üwriter Pete Yost quotes Washington, D.C., lawyer Thomas Guidoboni as saying he hasn't been contacted by the FBI since informing the bureau that he was chosen on Monday to represent the suspect, 23-year-old Robert T. Morris Jr., a Cornell graduate student. Says Guidoboni, "The ball's in their court. We're waiting to hear from them." Yost notes that earlier the FBI had sought to question Morris, but that was before Guidoboni was retained. The lawyer told AP he didn't think "we'll have enough information by the end of this week" to determine whether to talk to the FBI. He says he wants to talk more with his client before deciding what course to take. Says the wire service, "The possibility of seeking grand jury subpoenas or a search warrant for data at Cornell that could shed light on the computer virus incident was considered (yesterday) within the FBI. It was discarded as being unnecessary and then revived in discussions with Justice Department lawyers, said the sources, speaking on condition of anonymity." Meanwhile, Cornell Vice President M. Stuart Lynn reiterated that the university will cooperate fully with the investigation. Morris, son of acclaimed computer security expert Robert Morris Sr. of Arnold, Va., has not been formally charged. Still, he is widely alleged to be the person who created the virus that paralyzed some 6,000 networked Unix-based computers on the Pentagon-backed ARPANET network and other systems for about 36 hours last week. --Charles Bowen "BRAIN VIRUS" APPEARS IN HOUSTON (Nov. 9) A version of the so-called "Brain virus," a rogue program believed to have originated in Pakistan, now has cropped up in computers used by University of Houston business students. Texas officials say that the virus, while a nuisance, has posed no real problem. University research director Michael Walters told The Associated Press, "It probably hasn't cost us much, except a few days of people-time to clean up these disks, but it probably cost the students a good bit of frustration." Some students report they have lost data, but Walters told the wire service he knows of no one who has lost an entire term paper or other large quantity of work. Nonetheless, reports still were coming in from students late yesterday. This version of the Brain virus, which last spring was traced to a computer store in Lahore, Pakistan, announced itself at the university early last week on the screen of one of the 150 PCs the business department has for students and faculty. Walters said the virus hasn't spread to the school's larger computers. AP quotes Walters as saying the virus flashed this message (with these misspellings) to students who tried to use infected programs: "Welcome to the dungeon. Copyright 1968 Brain & Amjads, PVT, LTD. Virus shoe record V9.0. Dedicated to the dynamic memory of millions of virus who are no longer with us today -- Thank Goodness. BEWARE OF THE VIRUS. This program is catching. Program follows after these messeges." The original "Brain" virus -- which appeared in May at colleges and businesses along the East Coast and in the computers of The Providence, R.I., Journal-Bulletin newspaper -- flashed the "Welcome to the Dungeon" message, but added "Contact us for vaccination." It also gave names, an address and a phone number of two brothers who run a Lahore, Pakistan, computer store. Walters said the Houston version of the virus says nothing about any vaccine, and the "V9.0" in its message suggests it may be a modified version. Before this, the most recent sighting of the "Brain" virus was at Business International, a Hong Kong financial operation. It was thought to be the first reported digital infection of a commercial business in the East. The firm is believed not to have suffered any major damage. --Charles Bowen UNIX EXPERT SAYS VIRUS "PANIC" UNNECESSARY, BLAMES BAD PLANNING (Nov. 10) An expert on the Unix operating system says that much of last week's "panic" over the virus that brought down some 6,000 networked computers was caused by poor management technique. In a statement from his Rescue, Calif., offices, newsletter editor Bruce Hunter said, "Most of the damage was done by the organizations themselves, not the virus." Hunter, who edits Root, a bimonthly Unix administration and management journal published by InfoPro Systems, observed that more than 50,000 users were reportedly cut off at a single site due to last week's virus, and that more than a million people are believed to have been directly affected. However, Hunter said, "By dropping network connections, administrators were ensuring that the virus was winning. Good communications and information sharing between administrators is what helped people on the network find and implement a solution to the virus quickly." Hunter, who also is an author and mainframe Unix system manager, said that one job of an administrator is to keep all system resources available to users, and another is to "go around searching for possible trouble." He said the most important lesson learned from last week's virus was that a definite plan is imperative to avoid inappropriate reactions. Hunter made these suggestions to managers: -:- Develop a set of scenarios and responses for future virus attacks as well as physical disasters. -:- Keep a printed list of system administrators at all company sites. -:- Establish a central point of information. -:- Coordinate an emergency response task force of key personnel. -:- Keep current off-site backups of all data. -:- Perform regular security audits. --Charles Bowen FBI LOOKING AT WIDE RANGE OF POSSIBLE VIOLATIONS IN VIRUS CASE (Nov. 10) The FBI now is looking at a wide range of possible federal violations in connection with last week's massive computer virus incident, ranging beyond the bureau's original focus on the provisions of the Computer Fraud and Abuse Act of 1986. That was the word today from FBI Director William Sessions, who told a news conference in Washington that the FBI is trying to determine whether statutes concerning wire fraud, malicious mischief or unlawful access to stored communications may have been broken. The Associated Press notes that earlier the FBI had said it was concentrating on the 1986 Computer Fraud and Abuse Act, which prohibits fraud or related activity in connection with computers. The FBI chief said, "We often look at intent as being knowing and intentional doing of an act which the law forbids and knowing that the law forbids it to be done. But we also have other statutes which deal simply with knowingly doing something." The wire service observed the following about two statutes to which Sessions referred: -:- The malicious mischief statute provides a maximum 10-year prison term for anyone who wilfully interferes with the use of any communications line controlled by the US government. -:- The unlawful access law makes it a crime to prevent authorized access to electronic communications while they are in electronic storage and carries a maximum six-month jail term absent malicious destruction or damage. Sessions also told reporters the preliminary phase of the bureau's criminal investigation probably will be completed in the next two weeks. As reported here earlier, authorities think 23-year-old Cornell University student Robert T. Morris created the virus that disrupted thousands of networked computers last week. However, Morris has not yet been charged with any crime. --Charles Bowen MICHIGAN WEIGHS ANTI-VIRUS LAW (Nov. 15) Michigan lawmakers soon will consider a proposed state law that would impose felony penalties against anyone convicted of creating or spreading computer "viruses." Sponsoring the bill, Republican Sen. Vern Ehlers told United Press International, "Because this is a new type of crime, it is essential we address it directly with a law that deals with the unique nature of computers." Citing this month's virus attack on military and research computers linked by ARPANET and other networks, Ehlers added, "The country recently saw how quickly a virus can spread through network users. The Defense Department and its contractors were extremely fortunate that the virus was relatively harmless." The senator said his bill, still being drafted, is expected to include provisions making it a felony for anyone to deliberately introduce a virus into a computer system. UPI notes Ehlers is a physicist with a Ph.D who has 30 years' experience with computers. --Charles Bowen VIRUS STRIKES CALIF. MACINTOSHES (Nov. 15) Students at Southern California universities were being warned today of a rapidly spreading West German virus that reportedly is disrupting functions of Apple Macintosh computers. "In general, this thing is spreading like mad," Chris Sales, computer center consultant at California State University at Northridge, told The Associated Press. "It originated in West Germany, found its way to UCLA and in a short time infected us here." AP quotes school officials as saying that at least a dozen Macs at the suburban San Fernando Valley campus have been infected since the virus first cropped up last week. Cal State says the virus apparently does not erase data, but that it does stall the computers and removal requires hours of reprogramming. The wire service said students' disks are "being tested for the virus" before they can rent a Mac0a∞ the`╡+╦ò╔═Ñ╤σü╜╜¡═╤╜╔ò╣j @"--C╥arlY.╜▌ò╣5 COMPUTER SECURITY EXPERT OFFERS TIPS (Nov. 15) The need to protect against computer viruses has heralded the end of the user-friendly computer era, says one security expert. According to Government Computer News, Sanford Sherizen, president of Data Security Systems Inc. of Natick, Mass. said the objective now is to make software bullet-proof, not accessible. He said that since the advent of computers in offices, managers have been faced with the conflicting needs of protecting the data versus producing it. Data must be accessible to those who need it and yet at the same time secure from those who can alter, delete, destroy, disclose or steal it or steal computm≥!hardware. Sherizen told GCN reporter Richard A. Danca that non- technical managers can contribute to computer security as advocates and facilitators. Users must learn that security is a part of their jobs. He predicted that security managers will soon use biometric security measures such as comparing retinal blood vessels or fingerprints. Needless to say, such techniques raise complicated issues of civil liberties and privacy. Sherizen said that all information deserves protection. --Cathryn Conroy VIRUS THREAT SAID EXAGGERATED (Nov. 16) Because of the latest reports of attacks by computer "viruses," some in the industry are ready to blame such rogue programs for anything that goes wrong. However, expert Charles Wood told a 15th annual computer security conference in Miami Beach, Fla., this week, "Out of over 1,400 complaints to the Software Service Bureau this year, in only 2 percent of the cases was an electronic virus the cause of the problem. People are jumping to the conclusion that whenever a system slows down, it's a virus that's responsible." The Associated Press reports that Wood and other panelists cautioned that computer-dependent companies should focus more on the day-to-day breakdowns caused by human error than on viruses. President Steve Irwin of LeeMah Datacom Security Corp. told the conference that this month's virus assault on networked computers on the ARPANET system "could be a cheap lesson." Said Irwin, "We were lucky because it was not a real malicious attempt ... If (the virus' author) had ordered the programs to be erased, the loss could have gone into billions, lots of zeroes." AP quoted Wood as adding, "The virus is the hot topic right now, but actually the real important subject is disaster recovery planning. But that's not as glamorous as the viruses." --Charles Bowen FBI SEIZES MORRIS RECORDS IN PROBE OF NATIONAL VIRUS CASE (Nov. 17) While young Robert T. Morris Jr. still has not been charged with anything in connection with the nation's largest computer virus case, the FBI now reveals that items it has seized so far in its probe include magnetic tapes from Morris' computer account at Cornell University. The Associated Press reports that documents released by the FBI late yesterday say investigators seized "two magnetic tapes labeled `files from Morris account including backups' and hard copy related thereto" from Dean Krafft, a research associate in computer science at Cornell, where the 23- year-old Morris is a graduate student. AP says the agents also obtained "two yellow legal pads with calculus and assorted notes." Associate university counsel Thomas Santoro had taken the legal pads from an office in Upson Hall, a campus building that contains computer science classrooms and offices, AP says. Even though Morris hasn't been charged, it has been widely reported that the young man told friends he created the virus tHa╕ stymied an estimated 6,200 Unix- based computers on ARPANET and other networks for some 36 hours earlier this month. As reported, the FBI is conducting a criminal investigation to determine whether statutes concerning wire fraud, malicious mischief or unlawful access to stored communications may have been violated. AP quotes these latest FBI documents as saying that US District Judge Gustave J. DiBianco in the northern district of New York in Syracuse issued two warrants on Nov. 10 for the Cornell searches. The FBI searches were conducted that same afternoon. "The government had said earlier that it might try to obtain documents from the university before interviewing Morris," AP observes, "and Cornell's vice president for information technologies, M. Stuart Lynn, had said the university would cooperate fully with the investigation." --Charles Bowen SPA FORMS GROUP TO KNOCK DOWN RUMORS ABOUT COMPUTER VIRUSES (Nov. 17) Upset over wild rumors about the destructiveness of computer viruses, the Software Publisher Association has formed a special interest group to address computer security. In a statement released today at the Comdex trade show in Las Vegas, SPA says its new Software Security SIG will help distribute information and serve as liaison for software publishers, industry analysts and consultants. McGraw-Hill News quotes SPA member Ross Greenberg, president of Software Concepts Design, as saying, "Recent unsubstantiated statements regarding the actual damage caused by viruses...has caused more of X┤╒ë▒Ñìüfervor than served as a public service." At the SIG's organizational meeting, several companies discussed setting standards on how to educate the public regarding viruses and various anti-viral products now being advertised. --Charles Bowen