The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / pc / virus / g10.txt < prev next >

Wrap

Text File | 2003-06-11 | 55.8 KB | 1,184 lines

(Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition since the outbreak in November 1987 through March 1988.) "VIRUS" INFECTS COMMODORE COMPUTERS (Nov. 20) A "virus" has been infecting Commodore's Amiga computers, and what was once considered an innocent bit of hacking has turned into a disaster for some users. The "virus" is a secret modification to the boot block, an area on many disks using operating system facilities of the Amiga. In addition to its transparent purpose --- starting the operating system -- the virus contains code that can infect other disks. Once a virus infected disk is used on a computer, the computer's memory becomes a breeding ground and all other bootable disks that find their way to that computer will eventually become infected. Any exchange of diskettes with another computer then infects the new computer. Although the original intention of the virus apparently was benign, it may have spread to thousands of Amiga computers and disrupted their normal operations. Since some commercial software developers use coded information in the boot block of their distribution disks, the virus can inadvertently damage these disks and render the software useless. Knowledgeable users say the virus was meant to be a high-tech joke that displayed a message after it had completely infiltrated a user's disks library. According to Amiga technical support personnel, the only sure way for users to keep the virus out of their systems is to avoid warm starting the computer. It should always be powered down first. --James Moran VIRUS MOVES TO IBM COMPUTERS (Dec. 7) On the heels of the Amiga virus, reported recently in Online Today, a new apparently less benign virus has been making the rounds of IBM personal computers. The IBM-related virus was first noted at Lehigh University where, last week, a representative in the User Services section reported its discovery by student consultants. As with other similar viruses, this one is spread by means of an infected system file. In this case, a hacked version of IBM's COMMAND.COM processor is the host that harbors the virus. Once infected, the host PC will then infect the first four computers with which it comes in contact. In all cases, the virus is spread through an illegally modified version of the IBM command processor. Once the host has infected four other computers, the host virus is reported to purposely destroy the boot tracks and allocation tables for all disks and diskettes that are online to the host computer. The action renders the disks completely unreadable, even when reconstructs are attempted with popular disk repair software. The consultant at Lehigh University who first alerted general users to the virus says that it can be detected by examining the date on the COMMAND.COM file. A recent date would suggest that the file had been illegally modified. --James Moran CHRISTMAS GREETINGS MESSAGE TIES UP IBM'S ELECTRONIC MAIL SYSTEM (Dec. 12) IBM nearly lost its Christmas spirit yesterday. It seems that a digital Christmas card sent through its electronic mail system jammed computers at plants across the United States for up to 90 minutes. The Associated Press quotes IBM spokesman Joseph Dahm as saying the incident caused no permanent damage, but forced the company to turn off links between computer terminals for a while. AP says, "Curious employees who read the message discovered an illustration of a Christmas tree with 'Holiday Greetings' superimposed on it. A caption advised, 'Don't browse it, it's more fun to run it.' Once a person opened the computer message on their screen, it rarely accepted a command to stop the message from unfolding on the screen. As a result, several people shut off their computers and lost reports or mail that had not previously been filed." Apparently the message also automatically duplicated itself and was sent to other workstations. Online plants in Texas and New York were affected, Dahm said. Meanwhile, sources said that other facilities in Charlotte, N.C.; Lexington, Ky.; California and Europe also received the message. Federal agents even may investigate the incident, the wire service says, since the message apparently crossed state lines. --Charles Bowen COMPUTER VIRUS THREATENS HEBREW UNIVERSITY'S EXTENSIVE SYSTEM (Jan. 8) In Jerusalem, Hebrew University computer specialists are fighting a deadline to conquer a digital "virus" that threatens to wipe out the university's system on the first Friday the 13th of the year. That would be May 13. Associated Press writer Dan Izenberg says the experts are working on a two-step "immune" and "unvirus" program that could knock down the vandalized area of the system. "Viruses" are the latest in computer vandalism, carrying trojan horses and logic bombs to a new level, because the destructiveness is passed from one infected system to another. Izenberg quotes senior university programmer Yisrael Radai as saying that other institutions and individual computers in Israel already have been contaminated. "In fact," writes the wire service, "anyone using a contaminated computer disk in an IBM or IBM-compatible computer was a potential victim." Radai says the virus was devised and introduced several months ago by "an evidently mentally ill person who wanted to wield power over others and didn't care how he did it." AP describes the situation this way: "The saboteur inserted the virus into the computer's memory and the computer then infected all disk files exposed to it. Those disk files then contaminated healthy computers and disks in an electronic version of a contagious cold." Apparently, the intruder wanted to wipe out the files by Friday, May 13, but may have gotten impatient, because he then had his virus order contaminated programs to slow down on Fridays and on the 13th day of each month. Radai thinks that was the culprit's first mistake, because it allowed researchers to notice the pattern and set about finding the reason why. "Another clue," says AP, "was derived from a flaw in the virus itself. Instead of infecting each program or data file once, the malignant orders copied themselves over and over, consuming increasing amounts of memory space. Last week, experts found the virus and developed an antidote to diagnose and treat it." Of viruses in general, computer expert Shai Bushinsky told AP, "It might do to computers what AIDS has done to sex. The current free flow of information will stop. Everyone will be very careful who they come into contact with and with whom they share their information." --Charles Bowen TAMPA COMPUTERISTS FIGHT VIRUS (Jan. 10) Tampa, Fla., computerists say they are fighting a digital "virus" that sounds as if it may be the same crank program now plaguing a university in Jerusalem. As reported earlier, Hebrew University computer specialists are contending with a virus program that threatens to wipe out the university's system on the first Friday the 13th of the year -- May 13. The Jerusalem team is working on a two-step "immune" and "unvirus" program that could knock down the vandalized area of the system. Meanwhile, members of the Tampa Amiga User's Group now tell United Press International that they, too, are fighting a computer virus, and UPI quotes one expert as saying a version of that vandalizing program also is designed to begin destroying files on May 13. Computer viruses are self-propagating programs that spread from one machine to another and from one disk to another, a sort of new generation of more destructive trojan horses and logic bombs. "It kinda creeps up on you," president Jeff White of the Amiga group told the wire service, adding that the group's membership was infiltrated by the program. UPI reports, "Experts don't yet know what, if any, damage the virus can cause to the disks or programs. Similar problems have erased programs and information. ... White said the program spread itself to more than 20 of his floppy disks before he discovered it. But by then, the program had spread to the disks of many of the club's members via its regular disk-of- the-month distribution." White said he doesn't know how the bug got to Tampa, but suspects it came from West Germany on a disk from an overseas user group. "White said the program works invisibly," says UPI. "When the computer is turned on, the program stores itself in the machine's main memory and then begins spreading copies of itself to new disks used in the machine." He added that the Tampa club members now use a "virus-checker" program to test disks to prevent another infection. --Charles Bowen VIRUS PROGRAMS COULD HAVE USEFUL APPLICATIONS, SAYS COLUMNIST (Jan. 11) Despite all the recent negative publicity about computer "viruses" -- self-propagating programs that spread from one machine to another in way that has been called the computer version of AIDS -- a California computer columnist says there could be a positive result. Writing in The San Francisco Examiner, John Markoff observes, "In the future, distributed computing systems harnessed by software programs that break tasks into smaller parts and then run portions simultaneously on multiple machines will be commonplace. In the mid-1970s computer researchers John Shoch and Jon Hupp at Xerox's Palo Alto Research Center wrote experimental virus programs designed to harness many computers together to work on a single task." Markoff points out that some of the programs in that work functioned as "'town criers' carrying messages through the Xerox networks; others were diagnostic programs that continuously monitored the health of the computers in the networks." Also the researchers called one of their programs a "vampire worm" because it hid in the network and came out only at night to take advantage of free computers. In the morning, it disappeared again, freeing the machines for human users. For now, nonetheless, most viruses -- particularly in the personal computing world -- are viewed as destructive higher forms of trojan horses and logic bombs. Markoff traces the first virus to the military ARPAnet in 1970. On that system, which links the university, military and corporate computers, someone let loose a program called "creeper." Notes the paper, "It crawled through the network, springing up on computer terminals with the message, 'I'm the creeper, catch me if you can!' In response, another programmer wrote a second virus, called 'reaper' which also jumped through the network detecting and 'killing' creepers." Markoff also pointed out that Bell Labs scientist Ken Thompson, winner of the prestigious Turing Award, recently discussed how he created a virus in the lab to imbed in AT&T's Unix operating system, which he and colleague Dennis Ritchie designed. In a paper, Thompson noted how he had embedded a hidden "trapdoor" in the Unix log-on module each time it created a new version of the operating system. The trapdoor altered the log-on mechanism so that Unix would recognize a password known only to Thompson. Thompson and Ritchie say the Unix virus never escaped Bell Labs. --Charles Bowen SUBSCRIBER, SYSOP BLOCK POSSIBLE "VIRUS" IN APPLE HYPERCARD FORUM (Feb. 8) Quick reactions by a subscriber and a veteran forum administrator have blocked a possible computer "virus" program that was uploaded over the weekend to CompuServe's new Hypercard Forum. The suspicious entry was an Apple Hypercard "stack" file called "NEWAPP.STK," which was uploaded Friday to the forum's Data Library 9, "HyperMagazines." It was online for about 24 hours before it was caught. Subscriber Glenn McPherson was the first to blow the whistle. Saturday night McPherson posted a message saying that when he ran the application, the file altered his Macintosh's systems file. "I don't know why it did this," he wrote, "but no stack should touch my system file." Neil Shapiro, chief forum administrator of the Micronetworked Apple Users Group (MAUG), quickly investigated and removed the suspicious file. In a bulletin to the membership, Shapiro warned those who already had downloaded NEWAPP.STK that the stack would alter the system files with unknown results. He also warned against using system files from any disk that was run while the NEWAPP.STK's modified system was in effect. Said Shapiro, "If you run NEWAPP.STK, it will modify the system on the disk it is on so that the system's INITs contain an INIT labeled 'DR.' Then, if you use another system with the DR-infected system as your boot system, the new system will also contain the self-propagating 'DR' INIT Resource. While it is possible to, apparently, 'cut' this resource from infected systems with the Resource Editor, the only sure course of action is to trash any system file that has come in contact with this stack." It was not immediately known if the system alternations were deliberately or accidentally programmed into NEWAPP.STK. Shapiro notes the file's uploader has been locked off the entire system and that "he will be contacted by CompuServe and/or myself." Computer "viruses" -- self- propagating programs that infect system files and then spread to other disks -- have been in the news for the past six months. To-date, most of their targets have been regional computer users groups, private and semi-public networks and stand-along bulletin board systems. This apparently is the first report of a virus-like program on a national consumer information service. Shapiro says in his bulletin that in eight years of the various Apple forums' operation, this is the only such occurrence. "While I, of course, cannot say it will be the last, I still have just as much confidence as always in the fact that 99.99999999% of the Mac community are quite trustworthy and that there is no real need to fear downloads," he wrote. Shapiro also urged his membership, "If you have not used (NEWAPP.STK) yet, do not! If you have uploaded it to other BBS or network systems, please immediately advise the sysops there of the problem. If you have placed it on a club disk, please be certain to remove it from that disk before distribution and -- if it has been run from the 'Master' disk already -- don't just remove it, but trash the system." Subscriber McPherson indicates the suspect file already has spread to other systems. His forum note says he found the same stack program also in a software library on the General Electric's GEnie network. --Charles Bowen DOD TRIES TO PROTECT ITS COMPUTERS FROM ELECTRONIC VIRUS (Feb. 9) Just as a medical virus can spread rapidly, so does the deadly computer virus seem to be making the rounds. In an effort to inoculate itself against an outbreak, the Department of Defense has taken steps to prevent the electronic sabotage from affecting its computers, reports Government Computer News. The computer viruses are self- propagating programs that are designed to spread automatically from one computer to another and from one disk to another, totally disrupting normal operations. As reported in Online Today, such viruses have already struck computer systems at Hebrew University in Jerusalem and IBM Corp.'s regional offices in Tampa, Fla. "It can spread through computer networks in the same way it spreads through computers," said DOD spokeswoman Sherry Hanson. "The major problem areas are denial of service and compromising data integrity." In addition to basic security measures, computer scientists at the National Security Agency are installing programming tools and hardware devices to prevent the infiltration of virus programs. Hanson told GCN that DOD is also using specialized ROM devices and intrusion detectors. The virus only comprises a few lines of programming code and is easy to develop with few traces. After IBM was infiltrated last December with an innocent- looking Christmas message that kept duplicating itself many times over and substantially slowed the company's massive message system, specialists installed a filter program to monitor the system and protect against further intrusion. According to GCN, executable programs can't be transferred from one computer to another within IBM's network. Even personal computer users are worried, since the virus remains hidden in a computer's main memory. For instance, almost the entire membership of a Florida Commodore Amiga users group was infected by a virus before it was discovered. The president of the group said he believed the virus originated in Europe on a disk of programs the group received from an overseas source. The club now has a checker program to check disks for viruses before they are used. Al Gengler, a member of the Amiga group, compared the virus to AIDS. "You've got to watch who you compute with now," he said. --Cathryn Conroy EXPERTS SEES TWO SCENARIOS FOR THE COMPUTER "VIRUS" PROBLEM (Feb. 9) Don Parker, who heads the information security program for the Menlo Park, Calif., SRI International, has been studying the problem of computer "viruses" and now says he see two possible directions in the future. Speaking with Pamela Nakaso of the Reuter Financial News Service, Parker said his scenarios are: -:- One, that viruses will be too difficult to design and use for infiltration, and that interest in using them as "weapons" will die away. -:- Or, two, viruses will increase in destructiveness as more sophisticated saboteurs use them to destroy the public domain software resources available. Nakaso also quotes editor Harold Highland of the magazine Computers and Security as saying that "hysteria" over the few documented incidents may fuel even more viruses, which are defined as self-propagating files that usually damage a computer's systems files and then spread to other disks. Highland pointed out that in a recent Australian virus case among Amiga computers, one tabloid newspaper reported the incident with a headline that spanned the entire cover, reading, "Terror Strikes in the DP Industry." Parker told Reuter, "The vulnerability is growing at the same rate as the number of computers and number of communications with computers." Nakaso writes, "Parker estimates that of the 2,000 cases of documented computer crime he has compiled at SRI, about 20 to 30 have been virus attacks. There is no question, however, the reported incidents are rising, and they are expanding beyond personal computers to mainframes and other networks." --Charles Bowen COMPUTER VIRUS CALLED FRAUD (Feb. 10) Computer viruses may be frauds. Although lots of people are talking about computerdoms latest illicit fad, to date, no one has produced a copy of a living breathing virus. Now, a University of Utah expert on urban legends thinks that the dreaded virus may be have become the high tech version of the bogey man. Professor Jan Harold Brunvand has written three books about urban legends and he seems to think that the virus is just the latest incarnation in a long line of legends. Brunvand, and others, have pointed out that there are striking similarities among reports of the virus and legends such as the cat in the microwave oven. For one thing, there are lots of reported sightings but no concrete evidence. And urban legends always seem to appear and affect those things about which urban dwellers are just coming to terms with: shopping malls and microwave ovens in the 70's, computers in the 80's. In today's society, a berserk computer that destroys its owner's data certainly qualifies as the stuff about which legends are made. Even the way in which the deed is accomplished has mystical qualities: a computer wizard works strange magic with the secret programming codes of a computer operating system. Brunvand, a computer owner himself, says that although viruses could be created, he has found absolutely no evidence to support claims about their existence. --James Moran HYPERCARD VIRUS JUDGED "HARMLESS" (Feb. 12) Administrators of a CompuServe forum supporting the Apple Hypercard technology have confirmed that a file uploaded to their data libraries last weekend did indeed contain a so-called computer "virus." However, they also have determined the program apparently was harmless, meant only to display a surprise message from a Canadian computer magazine called MacMag. As reported earlier this week, forum administrator Neil Shapiro of the Micronetworked Apple Users Groups (MAUG) removed the suspicious entry, a Hypercard "stack" file called "NEWAPP.STK," after a forum member reported that the file apparently altered his Macintosh's system files. Computer "viruses," a hot topic in the general press these days, have been defined as self-propagating programs that alter system files and then spread themselves to other disks. Since removing the file last weekend, the Apple administrators have been examining the file and now Shapiro says it apparently was designed merely to display a message from MacMag on March 2. On the HyperForum message board (G APPHYPER), Shapiro reports, "Billy Steinberg was able to reverse engineer (disassemble) the INIT that the virus places into system files. The good news is that the virus is harmless. But it *is* a computer virus." Shapiro says that if the downloaded file remained in the user's system, then on March 2, the screen would display: "Richard Brandnow, publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world." Apparently the file is so designed that after March 2 it removes itself from the user's system. Shapiro notes that, while this file apparently is harmless, it still raises the question of the propriety of database entries that quietly alter a user's system files. Shapiro said he has spoken to publisher Brandnow. "It was not his intention to place it in a HyperCard stack nor to have it on (CompuServe)," Shapiro writes. "What he did do was to develop the INIT in December and 'left' it on their (MacMag's) own machines with the hope that 'it would spread.'" Subsequently, someone else apparently captured the file, added it to his "stack" and uploaded to the CompuServe forum and other information services. While Brandnow maintains the system-altering INIT file was harmless, Shapiro says he's concerned about what the NEWAPP.STK incident could represent. "While the INIT itself is non-destructive," Shapiro wrote, "I believe it was at least irresponsible for MacMag to have perpetrated this type of problem and to have caused the confusion that they did. I also fear that this could give other people ideas on less peaceful uses of such a virus. "I believe that MacMag has opened here a Pandora's Box of problems which will haunt our community for years. I hope I am wrong." --Charles Bowen PUBLISHER DEFENDS HIS "VIRUS" PROGRAM AS "GOOD FOR COMMUNITY" (Feb. 13) The publisher of Canadian computer magazine MacMag contends the computer "virus" program his staff initiated recently was not only harmless but was "good for the Macintosh community." Says 24-year-old Richard Brandow, "If other people do nasty things (with virus programs), it is their responsibility. You can't blame Einstein for Hiroshima." Speaking by phone with reporter Don Clark of The San Francisco Chronicle, Brandow maintained his magazine's virus program, which spread through the Apple Macintosh community this week on this continent and apparently reached Europe, was intended to do nothing more than display a "peaceful" message on Mac screens on March 2, the first anniversary of the introduction of the Apple Mac II. Of the so-called "virus" technology, Brandow said, "This message is very good for the Macintosh community." The controversy centered around an Apple Hypercard "stack" file called "NEWAPP.STK" that was uploaded to various public domain databases around the country, including the data library of CompuServe's HyperForum (G APPHYPER). When subscribers discovered that the file quietly altered their Mac's system files when it was executed, a warning was posted and forum administrator Neil Shapiro immediately removed the data library entry. Only after the forum's sysops had disassembled the suspect file could it be determined that NEWAPP.STK's only apparent function was to display a March 2 greeting from Brandow and the MacMag staff. HyperForum members now have been informed that the file, while indeed a "virus," apparently is harmless. However, Shapiro contends MacMag staffers were "at least irresponsible ... to have perpetrated this type of problem and to have caused the confusion that they did." Shapiro is quoted in The Chronicle as adding, "This is very similar to someone breaking into your home and writing a message of good will in red lipstick on your wall. It is a violation of the right of private property... Our computers are machines that belong to us and other people should remain out of them." On the other side of the argument, Brandow told the paper, "The idea behind all this is to promote peaceful methods of communication between individuals using harmless ways." Montreal-based MacMag, with a circulation of 40,000, is Canada's only Macintosh magazine. Brandow also heads a 1,250-member Mac user group, which he says is Canada's largest. Brandow told Clark that programmers worked more than a year on the virus, adding that it was inspired by two groups, known as "The Neoists" and "The Church of the SubGenius." (He said the latter was formed in Texas as a satire on fundamentalist religion and inspired a 1983 book.) As noted here earlier, the MacMag virus also reached beyond CompuServe to other information services and private bulletin board systems. For instance, The Chronicle quotes General Manager Bill Louden of General Electric's GEnie as saying that about 200 users downloaded the file from that information service before it was discovered and removed early Monday. Meanwhile, Shapiro told Clark that only about 40 of CompuServe's subscribers retrieved the file before it was removed early Sunday. The Chronicle says that Mac devotees in the Bay Area were "stunned" by news of the virus, but not all were upset. For example, Apple wizard Andy Hertzfeld, a co-designer of the original Mac, told the paper, "As far as I'm concerned, it doesn't have any malicious intent and is just some people having fun. I don't see why people are so uptight." Meanwhile, a spokeswoman for Apple at company headquarters in Cupertino, Calif., said the company is searching for details of the virus and could not comment on it at present. --Charles Bowen TWO FIRMS OFFER TO "INOCULATE" US AGAINST THE COMPUTER "VIRUSES" (March 4) The debate continues over whether computer "viruses" are real or just the latest urban legend, but at least two companies are hoping that we don't want to take any changes. Independent of each other, the firms this week both claimed to have the first commercial software to "inoculate" systems against those reported rogue programs that damage data and systems files. One of the companies, Lasertrieve Inc. of Metuchen, N.J., introduced its VirALARM product during Microsoft Corp.'s CD-ROM conference in Seattle. In addition, in Stockholm, a Swedish company called Secure Transmission AB (Sectra) today announced a similar anti-virus program called TCELL, after a counterpart in human biology. A Lasertrieve statement contends that previous anti-viral software utilities -- mostly offered in the public domain -- work by drawing attention to the virus's attempted alterations of system files, noting a change of file size, or monitoring the dates of program changes. However, the New Jersey firm contends, this approach makes such programs "easily fooled by sophisticated viruses." Lasertrieve says its VirALARM contains a program designed to protect another program, creating a software "barrier." According to the statement, before anyone can use the protected program, VirALARM checks to determine whether the program has been altered since it was inoculated. If there has been any change, the software then blocks use of the altered program, notifies the user and suggests a backup copy of the program be substituted. Meanwhile, Bo-Goran Arfwidsson, marketing director of the Swedish company, told Bengt Ljung of United Press International that its TCELL "vaccine" gives a database a partial outside protection, sounds an alarm if a computer virus appears inside a database and identifies the infected file so it can be isolated. The contaminated part then can be replaced with a backup file. Sectra spokesman Torben Kronander said that TCELL has been "tested for a year now and there is no question that it works," adding that since early 1987 the software has functioned on computers of major Swedish manufacturing companies. Arfwidsson declined to name those companies for security purposes. Kronander said TCELL simply made the task of creating a virus so complicated that only vast computer systems would be able to carry it out. "We've effectively removed the hacker type of attack, and these have been the problem. It will take the resources of a major software producer or a country to produce a virus in the future." UPI says Sectra is a 10-year-old research company with 19 employees in Linkoping in central Sweden, closely tied to the city's Institute of Technology. --Charles Bowen "VIRUS" SPREADS TO COMMERCIAL PROGRAM; LEGAL ACTION CONSIDERED (March 16) That so-called "benign virus" that stirred the Apple Macintosh community earlier this year when it cropped up in a public domain file in forums on CompuServe and other information services now apparently has invaded a commercial program called FreeHand. The publisher, Seattle's Aldus Corp., says it had to recall or rework some 5,000 FreeHand packages once the virus was discovered and now is considering legal action against those who admitted writing the self- propagating program. Meanwhile, other major software companies reportedly are worried that the virus may have affected some of their products as well. At the heart of the controversy is a "peace message" that Canadian Richard Brandow, publisher of Montreal's MacMag magazine, acknowledged writing. As reported here earlier, that file was designed to simply pop up on Mac screens around the world on March 2 to celebrate the first anniversary of the release of the Macintosh II. However, many Mac users reacted angrily when they learned that the file quietly had altered their systems files in order to make the surprise message possible. Now the virus has re-emerged, this time in FreeHand, a new Mac program Aldus developed. Aldus spokeswoman Laury Bryant told Associated Press writer George Tibbits that Brandow's message flashed when the program was loaded in the computer. Bryant added that, while it "was a very benign incident," Aldus officials are angry and "are talking with our attorneys to understand what our legal rights are in this instance.... We feel that Richard Brandow's actions deserve to be condemned by every member of the Macintosh community." This may be the first instance of a so-called "virus" infecting commercial software. Tibbits says the Brandow virus apparently inadvertently spread to the Aldus program through a Chicago subcontractor called MacroMind Inc. MacroMind President Marc Canter told AP that the virus appears to have been in software he obtained from Brandow which included a game program called "Mr. Potato Head," a version of the popular toy. Canter said that, unaware of the digital infection, he ran the game program once, then later used the same computer to work on a disk to teach Mac owners how to use FreeHand. That disk, eventually sent to Aldus, became infected. Then it inadvertently was copied onto disks sold to customers and infected their computers, Canter said. Upset with Brandow, Canter says he also is considering legal action. For his part, Brandow says he met Canter, but denied giving him the software. The whole incident apparently has some at other companies worried because they also use Canter's services. Tibbits says that among MacroMind's clients are Microsoft, Ashton-Tate, Lotus Development Corp. and Apple Computers. A-T has not commented, but officials at Microsoft, Apple and Lotus all told AP that none of their software was infected. Meanwhile, Brandow told Tibbits that, besides calling for world peace, the virus message was meant to discourage software piracy and to encourage computer users to buy original copies. The full message read: "Richard Brandow, the publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world." Beneath that was a picture of a globe. Brandow said that originally he expected people making unauthorized copies of programs on the machine would spread the virus in the Montreal area and possibly a few other areas of Canada and the United States. However, he said he was shocked later to find that, after the virus program began to appear in the databases of online information services, an estimated 350,000 people in North America and Europe saw the message pop up on their computers on March 2. --Charles Bowen ONLINE TODAY'S BACKGROUNDER: COMPUTER "VIRUS," PART TWO (Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition from April through July 1988.) THREAT OF "VIRUS" BLOWN OUT OF PROPORTION, NORTON AND SYSOPS SAY (April 10) The threat of so-called computer "viruses" has been vastly overrated, according to software guru Peter Norton and two CompuServe forum administrators. "We're dealing with an urban myth," Norton told Insight magazine. "It's like the story of alligators in the sewers of New York. Everyone knows about them, but no one's ever seen them. Typically, these stories come up every three to five years." Don Watkins, administrator of CompuServe's IBM Users Network forums (GO IBMNET) also told the general interest magazine that he's more worried about being hit by a meteor than a computer virus. "In five years," Watson said, "I've seen only one program that was designed to do intentional damage. That was about three years ago, and it wasn't very sophisticated. "I have never spoken to anyone who personally, firsthand, has ever seen or experienced a program like this," Watson added, "and my job keeps me in touch with tens of thousands of people." CompuServe forum administrators check each piece of user-contributed software before posting it in data libraries for general distribution. The alleged virus problem received widespread attention in early March when an unauthorized message was placed onto Freehand, a commercial software product for the Apple Macintosh published by Aldus Corp. Earlier, the same message circulated in several information services and was uploaded to CompuServe's Hyper Forum, a forum devoted to the Hypertext technology that is part of the Micronetworked Apple Users Groups (GO MAUG). The message read "Richard Brandow, publisher of MacMag, would like to take this opportunity to convey a universal message of peace to all Macintosh users." It then erased itself without doing any harm. Of the situation, Neil Shapiro, MAUG's chief sysop, said, "The whole problem has been completely hyped out of proportion." --Daniel Janal COMPUTER VIRUS NEWSLETTER DEBUTS (April 13) If you want to follow all the latest news on insipid computer viruses, you might be interested in the debut of "Computer Virology," a newsletter devoted to identifying and analyzing those annoying computer diseases. Produced by Director Technologies Inc., the developers of Disk Defender, a hardware device that write protects PC hard disks, the newsletter will be published monthly. Topics will include developments for protection against the viruses, precautions and procedures to follow to insure that terrorists not let loose this rampant epidemic. "The latest strain of computer viruses presently causing serious damage at university labs, scientific research facilities, hospitals and business organizations worldwide, has created a very real concern for the future of having free access to the tremendous amounts of information that are now readily available for unlimited use," said Dennis Director, president of Director Technologies. "The potential dangers of such viruses is that they can be used not only as a means to facilitate malicious pranks in the home computer area, but also pose a real `terrorist' threat to academic computing labs, scientific research projects and business. Data loss can cost hundreds of thousands of dollars in real money, as well as in wasted man-hours." The newsletter is distributed free of charge. For information or to subscribe, contact Director Technologies Inc., 906 University Pl., Evanston, IL 60201. 312/491-2334. SIR-TECH UNVEILS ANTI-VIRUS (April 14) Sir-tech Software Inc., the Ogdensburg, N.Y., firm best known for its recreational programs such as the acclaimed "Wizardry" series of adventure games, now has released a free program called "Interferon, the Magic Bullet" that it says is meant to "halt the devastation of computer virus." A company statement reports that Robert Woodhead, 29-year-old director of Sir-tech's Ithaca, N.Y., development center, designed the Apple Macintosh program to "detect and destroy the highly-publicized computer virus which threatens the integrity of the world's computer systems." Sir-tech says the program will be offered free for downloading from related services on CompuServe and GEnie. In addition, it is available by mailing a diskette with a self-addressed, stamped envelope to Sir-tech, 10 Spruce Lane, Ithaca, N.Y. 14850. While the program itself is free, Woodhead asks for donations to a fund established to buy computer equipment for visually impaired users. A notice in the software gives details on the fund. Woodhead said he has worked since early this year to come up with Interferon, named for the antiviral treatment for cancer. "Just as a virus leaves clues in a human body, the computer virus is detectable if users know what to look for," Woodhead said. The Interferon program recognizes changes that computer viruses make as they spread their infection and will indicate that there is something amiss, the statement said. "The infection can be cured by deleting the diseased files," it added. "As new viruses are discovered, Interferon will be updated for instant detection." --Charles Bowen NEW VIRUS PLAGUES MACINTOSHES AT NASA AND APPLE (April 18) Apple Macintosh computers at the National Aeronautics and Space Administration and at Apple Computer as well as other business offices around the country have caught a new computer virus, reports Newsday. The latest high-tech plague is under investigation by Apple and federal authorities. During the past three weeks, Apple has been receiving reports of a virus called Scores. Although it has not been known to erase any data, it can cause malfunctions in printing and accessing files and can cause system crashes, Cynthia Macon of Apple Computer told Newsday. Two hundred of the 400 Macintosh computers at the Washington, D.C. offices of NASA have been infected. Many of them are connected to local area networks and are spreading the virus. "This particular virus does not attack data. We have no record indicating anyone lost anything important," said Charles Redmond, a NASA spokesman. Newsday notes that the Scores virus can be detected by the altered symbols that appear in Scrapbook and Note Pad, two Macintosh files. Instead of the Mac logo, users see a symbol that looks like a dog-eared piece of paper. Two days after the virus is transmitted, it is activated and begins to randomly infect applications, such as word processing and spreadsheet programs. EDS Corp. of Dallas, Texas was also infected with the Scores virus, but managed to stop its spread. -- Cathryn Conroy FRIDAY THE 13TH "VIRUS" FIZZLES (May 14) Good morning, computerdom! It's Saturday the 14th and we're all still here. At least, we all SEEM to still be here, though some are saying it's too early to tell for sure. Yesterday, the first Friday the 13th of the year, was widely reported to be the target date for the denotation of a computer virus called "Black Friday" which was first discovered in the computers of the Hebrew University in Jerusalem late last year. The virus, which was reported to have spread from Jerusalem to computers around the world, was said to be designed to destroy computer files on May 13. However, no early reports of damage have surfaced. Computer experts in Jerusalem told Associated Press writer Karin Laub that the so-called virus was undone because most computer users were alerted in time. Hebrew University researchers detected the virus on Dec. 24 because of a flaw in its design, according to senior programmer Yisrael Radai. Nonetheless, a few experts are saying that we aren't out of the woods yet. For instance, Donn Parker of the SRI International research firm in Menlo Park, Calif., told The Washington Post this morning that he hadn't heard of any virus-related damage, "but we have been holding our breath. I think it will be a dud, but we won't know until next week, and only then if people whose computers go down talk about it." Some software companies tackled the virus scare. AP reports that the Iris software publisher of Tel Aviv developed an anti-virus program for the Israeli computing community and sold 4,000 copies before yesterday. President Ofer Ahituv estimated that 30 percent of his 6,000 customers, most of them businesses, had been infected by the Black Friday virus. Meanwhile, some are saying the apparent fizzle of the virus is what they expected all along. "Viruses are like the bogyman," said Byron C. Howes, a computer systems manager at the University of North Carolina at Chapel Hill. Speaking with AP, he compared programmers who believe in viruses to "people who set little bowls of milk outside our doors to feed the dwarfs." Barry B. Cooper, owner of Commercial Software in Raleigh, N.C., agreed. "I just think that the whole thing is a joke," like the prediction by medieval seer Nostradamus of a major earthquake on May 8, 1988. "That didn't come true, and this won't come true." --Charles Bowen R.I. NEWSPAPER DISLODGES VIRUS (May 16) The Providence, R.I., Journal-Bulletin says it worked for the past week and a half to stamp out a "virus" that infected an in-house personal computer network used by reporters and editors, but not before the virus destroyed one reporter's data and infected scores of floppy disks. Writing in The Journal, Jeffrey L. Hiday said the virus was "a well- known, highly sophisticated variation called the 'brain' virus, which was created by two brothers who run a computer store in Lahore, Pakistan." Variations of the virus, he noted, have been discovered at companies and colleges across the country, including, last week, Bowie State College in Maryland, where it destroyed five students' disks. Online Today reported on April 23 that a similar Pakistan-based virus infected a student system used at Miami University in Ohio, threatening to wipe out term papers stored there. Apparently this is the first time a virus has invaded a US newspaper's system. Hiday said The Journal contacted one of the Pakistan brothers by phone, who said he created this particular virus merely to keep track of software he wrote and sold, adding that he did not know how it got to the United States. However, Hiday added, "US computer programming experts ... believe the Pakistanis developed the virus with malicious intent. The original version may be relatively harmless, they point out, but its elegance lends itself to alterations by other programmers that would make it more destructive." The newspaper says it discovered the virus on May 6 when a message popped up on computer screens reading, "Welcome to the Dungeon. ... Beware of this VIRUS. Contact us for vaccination." The message included a 1986 copyright date, two names (Basit and Amjad), a company (Brain Computer Services), an address (730 Nizam Block Allama Iqbal in Lahore, Pakistan) and three phone numbers. Journal-Bulletin systems engineer Peter Scheidler told Hiday, "I was sort of shocked. I never thought I'd see a virus. That's something you read about." The virus infected only the PC network; neither the paper's Atex news- editing system nor its IBM mainframe that supports other departments were affected. Hiday says the newspaper now is taking steps to protect itself against another virus attacks. It has tightened dissemination of new software and discussed installing "anti-virus" devices. In addition, computer users have been warned not to use "foreign" software, and reporters have been instructed to turn their computers off and then on again before inserting floppy disks. --Charles Bowen EPA MACINTOSHES RECOVER FROM VIRUS (May 18) Although Apple Macintosh computers at the Environmental Protection Agency were recently plagued with a virus, all of them seem to be on the mend now. According to Government Computer News, the computers were vaccinated with Virus Rx, a free program issued by Apple Computer Inc. to help users determine if their hard disks have been infected. Apple has begun an educational campaign to promote "safe computing practices," Apple spokeswoman Cynthia Macon told GCN. Virus Rx is available on CompuServe in the Apple Developers Forum (GO APPDEV) in Data Library 8 under the name VIRUS.SIT. Macon said the best long-term response to viruses "is to make users aware of steps they can take to protect themselves." These include backing up data files, knowing the source of programs and write-protecting master disks. Other steps include booting from a floppy disk and running all programs from floppies rather than installing and running them from the hard disk. EPA is having some trouble with reinfection. Since up to 20 people may use one Macintosh, someone may unknowingly insert a virus-plagued disk into a clean machine. "It's like mono. You just never get rid of it," said Leslie Blumenthal, a Unisys Corp. contract employee at EPA. FBI agents in Washington, D.C. and San Jose, Calif. are investigating the spread of the Macintosh virus, notes GCN. -- Cathryn Conroy CONGRESS CONSIDERS VIRUS PROBLEMS (May 19) Computer viruses have come to the attention of Congress and legislators would like to be assured that US defense computers are safe from the replicating little bugs. Although defense systems can't be reached simply by telephoning them, a virus could be contracted through an infected disk containing non-essential information. The Defense Authorization Bill for FY 1989 is likely to direct the Defense Department (DoD) to report on its methods for handling potential viral infections. Congress also wants to know what DoD has done about safeguarding military computers. They'd like some assurance that the Defense Department also has considered situations where a primary contractor's computer could be infected and subsequently endanger DoD's own computers. Anticipating future hearings, Congressional staffers are soliciting comments from knowledgeable users as to what the report to Congress should cover. Interested parties should forward their comments to Mr. Herb Lin, House Armed Services Committee, 2120 Rayburn House Office Building, Washington DC 20515. Further information is available by calling 202/225- 7740. All comments will be kept in confidence. --James Moran TEXAN STANDS TRIAL FOR ALLEGEDLY INFECTING SYSTEM WITH "VIRUS" (May 24) In Fort Worth, Texas, a 39-year-old programmer is to stand trial July 11 on felony charges that he intetionally infecnted an ex-employer's system with a computer "virus." If convicted, he faces up to 10 years in prison. The man, Donald Gene Burleson, apparently will be the first person ever tried under the state's tougher computer sabotage law, which took effect Sept. 1, 1985. Dan Malone of the Dallas Morning News broke the story this morning, reporting on indictments that accuse Burleson of executing programs "designed to interfere with the normal use of the computer" and of acts "that resulted in records being deleted" from the systems of USPA and IRA Co., a Fort Worth-based national securities and brokerage. The paper quoted police as saying the electronic interference was a "massive deletion" of more than 168,000 records of sales commissions for employees of the company, where Burleson once worked as a computer security officer. Burleson currently is free on a $3,000 bonding pending the trial. Davis McCown, chief of the Tarrant County district attorney's economic crimes division, said of the alleged virus, "You can see it, but you can't see what it does -- just like a human virus. It had the ability to multiply and move around and was designed to change its name so it wouldn't be detected." McCown also told Malone he wanted to make sure "that this type of criminal understands that we have the ability to make these type of cases; that it's not so sophisticated or complicated that it's above the law." Company officials first noticed a problem on Sept. 21, 1985. Says the Dallas newspaper, "Further investigation revealed that an intruder had entered the building at night and used a 'back-door password' to gain access to the computer. ... Once inside, the saboteur covered his tracks by erasing computer logs that would have followed his activity, police said. With his access to the computer complete, the intruder manually deleted the records." Authorities say that only a few of the 200 workers in the USPA home office -- including Burleson -- had access and the knowledge needed to sabotage the system. Earlier USPA was awarded $12,000 by a jury in a civil lawsuit filed against Burleson. --Charles Bowen FBI CALLED TO PROBE VIRUS CASE (July 4) The FBI has been called in by NASA officials to investigate an alleged computer virus that has destroyed data on its personal computers and those of several other government agencies. The New York Times reported this morning that the rogue program -- apparently the so- called "Scores" virus that surfaced last April -- was designed to sabotage data at Dallas' Electronic Data Systems. The paper said the virus did little damage to the Texas company but did wreak havoc on thousands of PCs nationwide. The Times quoted NASA officials as saying the FBI was called in because, even though damage to government data was limited, files were destroyed, projects delayed and hundreds of hours were spent tracking the culprit at various government agencies, including NASA, the Environmental Protection Agency, the National Oceanic and Atmospheric Administration and the US Sentencing Commission. NASA says it doesn't know how the program, which damaged files from January to May, spread from the Texas EDS firm to PC networks nor whether the virus was deliberately or accidentally introduced at government agencies. Meanwhile, the Times quoted experts as saying that at least 40 so- called "viruses" now have been identified in the United States, defining a virus as a program that conceals its presence on a disk and replicates itself repeatedly program that conceals its presence on a disk and replicates itself repeatedly As reported here in April, the Scores virus was blamed for infecting hundreds of Apple Macintosh computers at NASA and other facilities in Washington, Maryland and Florida. The Times says the spread of the virus was exacerbated when private contractors in Washington and North Carolina inadvertently sold dozens of computers carrying the virus to government agencies. The virus spread for as long as two months and infected networks of personal computers before it was discovered. --Charles Bowen