The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / pc / virus / virus.doc < prev next >

Wrap

Text File | 2003-06-11 | 200.3 KB | 6,201 lines

COMPUTER VIRUS EPIDEMIC 1987-1991 ONLINE TODAY'S BACKGROUNDER: COMPUTER "VIRUS," PART ONE (Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition since the outbreak in November 1987 through March 1988.) "VIRUS" INFECTS COMMODORE COMPUTERS (Nov. 20) A "virus" has been infecting Commodore's Amiga computers, and what was once considered an innocent bit of hacking has turned into a disaster for some users. The "virus" is a secret modification to the boot block, an area on many disks using operating system facilities of the Amiga. In addition to its transparent purpose --- starting the operating system -- the virus contains code that can infect other disks. Once a virus infected disk is used on a computer, the computer's memory becomes a breeding ground and all other bootable disks that find their way to that computer will eventually become infected. Any exchange of diskettes with another computer then infects the new computer. Although the original intention of the virus apparently was benign, it may have spread to thousands of Amiga computers and disrupted their normal operations. Since some commercial software developers use coded information in the boot block of their distribution disks, the virus can inadvertently damage these disks and render the software useless. Knowledgeable users say the virus was meant to be a high-tech joke that displayed a message after it had completely infiltrated a user's disks library. According to Amiga technical support personnel, the only sure way for users to keep the virus out of their systems is to avoid warm starting the computer. It should always be powered down first. -- VIRUS MOVES TO IBM COMPUTERS (Dec. 7) On the heels of the Amiga virus, reported recently in Online Today, a new apparently less benign virus has been making the rounds of IBM personal computers. The IBM-related virus was first noted at Lehigh University where, last week, a representative in the User Services section reported its discovery by student consultants. As with other similar viruses, this one is spread by means of an infected system file. In this case, a hacked version of IBM's COMMAND.COM processor is the host that harbors the virus. Once infected, the host PC will then infect the first four computers with which it comes in contact. In all cases, the virus is spread through an illegally modified version of the IBM command processor. Once the host has infected four other computers, the host virus is reported to purposely destroy the boot tracks and allocation tables for all disks and diskettes that are online to the host computer. The action renders the disks completely unreadable, even when reconstructs are attempted with popular disk repair software. The consultant at Lehigh University who first alerted general users to the virus says that it can be detected by examining the date on the COMMAND.COM file. A recent date would suggest that the file had been illegally modified. -- CHRISTMAS GREETINGS MESSAGE TIES UP IBM'S ELECTRONIC MAIL SYSTEM (Dec. 12) IBM nearly lost its Christmas spirit yesterday. It seems that a digital Christmas card sent through its electronic mail system jammed computers at plants across the United States for up to 90 minutes. The Associated Press quotes IBM spokesman Joseph Dahm as saying the incident caused no permanent damage, but forced the company to turn off links between computer terminals for a while. AP says, "Curious employees who read the message discovered an illustration of a Christmas tree with 'Holiday Greetings' superimposed on it. A caption advised, 'Don't browse it, it's more fun to run it.' Once a person opened the computer message on their screen, it rarely accepted a command to stop the message from unfolding on the screen. As a result, several people shut off their computers and lost reports or mail that had not previously been filed." Apparently the message also automatically duplicated itself and was sent to other workstations. Online plants in Texas and New York were affected, Dahm said. Meanwhile, sources said that other facilities in Charlotte, N.C.; Lexington, Ky.; California and Europe also received the message. Federal agents even may investigate the incident, the wire service says, since the message apparently crossed state lines. -- COMPUTER VIRUS THREATENS HEBREW UNIVERSITY'S EXTENSIVE SYSTEM (Jan. 8) In Jerusalem, Hebrew University computer specialists are fighting a deadline to conquer a digital "virus" that threatens to wipe out the university's system on the first Friday the 13th of the year. That would be May 13. Associated Press writer Dan Izenberg says the experts are working on a two-step "immune" and "unvirus" program that could knock down the vandalized area of the system. "Viruses" are the latest in computer vandalism, carrying trojan horses and logic bombs to a new level, because the destructiveness is passed from one infected system to another. Izenberg quotes senior university programmer Yisrael Radai as saying that other institutions and individual computers in Israel already have been contaminated. "In fact," writes the wire service, "anyone using a contaminated computer disk in an IBM or IBM-compatible computer was a potential victim." Radai says the virus was devised and introduced several months ago by "an evidently mentally ill person who wanted to wield power over others and didn't care how he did it." AP describes the situation this way: "The saboteur inserted the virus into the computer's memory and the computer then infected all disk files exposed to it. Those disk files then contaminated healthy computers and disks in an electronic version of a contagious cold." Apparently, the intruder wanted to wipe out the files by Friday, May 13, but may have gotten impatient, because he then had his virus order contaminated programs to slow down on Fridays and on the 13th day of each month. Radai thinks that was the culprit's first mistake, because it allowed researchers to notice the pattern and set about finding the reason why. "Another clue," says AP, "was derived from a flaw in the virus itself. Instead of infecting each program or data file once, the malignant orders copied themselves over and over, consuming increasing amounts of memory space. Last week, experts found the virus and developed an antidote to diagnose and treat it." Of viruses in general, computer expert Shai Bushinsky told AP, "It might do to computers what AIDS has done to sex. The current free flow of information will stop. Everyone will be very careful who they come into contact with and with whom they share their information." -- TAMPA COMPUTERISTS FIGHT VIRUS (Jan. 10) Tampa, Fla., computerists say they are fighting a digital "virus" that sounds as if it may be the same crank program now plaguing a university in Jerusalem. As reported earlier, Hebrew University computer specialists are contending with a virus program that threatens to wipe out the university's system on the first Friday the 13th of the year -- May 13. The Jerusalem team is working on a two-step "immune" and "unvirus" program that could knock down the vandalized area of the system. Meanwhile, members of the Tampa Amiga User's Group now tell United Press International that they, too, are fighting a computer virus, and UPI quotes one expert as saying a version of that vandalizing program also is designed to begin destroying files on May 13. Computer viruses are self-propagating programs that spread from one machine to another and from one disk to another, a sort of new generation of more destructive trojan horses and logic bombs. "It kinda creeps up on you," president Jeff White of the Amiga group told the wire service, adding that the group's membership was infiltrated by the program. UPI reports, "Experts don't yet know what, if any, damage the virus can cause to the disks or programs. Similar problems have erased programs and information. ... White said the program spread itself to more than 20 of his floppy disks before he discovered it. But by then, the program had spread to the disks of many of the club's members via its regular disk-of-the-month distribution." White said he doesn't know how the bug got to Tampa, but suspects it came from West Germany on a disk from an overseas user group. "White said the program works invisibly," says UPI. "When the computer is turned on, the program stores itself in the machine's main memory and then begins spreading copies of itself to new disks used in the machine." He added that the Tampa club members now use a "virus-checker" program to test disks to prevent another infection. -- VIRUS PROGRAMS COULD HAVE USEFUL APPLICATIONS, SAYS COLUMNIST (Jan. 11) Despite all the recent negative publicity about computer "viruses" -- self-propagating programs that spread from one machine to another in way that has been called the computer version of AIDS -- a California computer columnist says there could be a positive result. Writing in The San Francisco Examiner, John Markoff observes, "In the future, distributed computing systems harnessed by software programs that break tasks into smaller parts and then run portions simultaneously on multiple machines will be commonplace. In the mid-1970s computer researchers John Shoch and Jon Hupp at Xerox's Palo Alto Research Center wrote experimental virus programs designed to harness many computers together to work on a single task." Markoff points out that some of the programs in that work functioned as "'town criers' carrying messages through the Xerox networks; others were diagnostic programs that continuously monitored the health of the computers in the networks." Also the researchers called one of their programs a "vampire worm" because it hid in the network and came out only at night to take advantage of free computers. In the morning, it disappeared again, freeing the machines for human users. For now, nonetheless, most viruses -- particularly in the personal computing world -- are viewed as destructive higher forms of trojan horses and logic bombs. Markoff traces the first virus to the military ARPAnet in 1970. On that system, which links the university, military and corporate computers, someone let loose a program called "creeper." Notes the paper, "It crawled through the network, springing up on computer terminals with the message, 'I'm the creeper, catch me if you can!' In response, another programmer wrote a second virus, called 'reaper' which also jumped through the network detecting and 'killing' creepers." Markoff also pointed out that Bell Labs scientist Ken Thompson, winner of the prestigious Turing Award, recently discussed how he created a virus in the lab to imbed in AT&T's Unix operating system, which he and colleague Dennis Ritchie designed. In a paper, Thompson noted how he had embedded a hidden "trapdoor" in the Unix log-on module each time it created a new version of the operating system. The trapdoor altered the log-on mechanism so that Unix would recognize a password known only to Thompson. Thompson and Ritchie say the Unix virus never escaped Bell Labs. -- SUBSCRIBER, SYSOP BLOCK POSSIBLE "VIRUS" IN APPLE HYPERCARD FORUM (Feb. 8) Quick reactions by a subscriber and a veteran forum administrator have blocked a possible computer "virus" program that was uploaded over the weekend to CompuServe's new Hypercard Forum. The suspicious entry was an Apple Hypercard "stack" file called "NEWAPP.STK," which was uploaded Friday to the forum's Data Library 9, "HyperMagazines." It was online for about 24 hours before it was caught. Subscriber Glenn McPherson was the first to blow the whistle. Saturday night McPherson posted a message saying that when he ran the application, the file altered his Macintosh's systems file. "I don't know why it did this," he wrote, "but no stack should touch my system file." Neil Shapiro, chief forum administrator of the Micronetworked Apple Users Group (MAUG), quickly investigated and removed the suspicious file. In a bulletin to the membership, Shapiro warned those who already had downloaded NEWAPP.STK that the stack would alter the system files with unknown results. He also warned against using system files from any disk that was run while the NEWAPP.STK's modified system was in effect. Said Shapiro, "If you run NEWAPP.STK, it will modify the system on the disk it is on so that the system's INITs contain an INIT labeled 'DR.' Then, if you use another system with the DR-infected system as your boot system, the new system will also contain the self-propagating 'DR' INIT Resource. While it is possible to, apparently, 'cut' this resource from infected systems with the Resource Editor, the only sure course of action is to trash any system file that has come in contact with this stack." It was not immediately known if the system alternations were deliberately or accidentally programmed into NEWAPP.STK. Shapiro notes the file's uploader has been locked off the entire system and that "he will be contacted by CompuServe and/or myself." Computer "viruses" -- self- propagating programs that infect system files and then spread to other disks -- have been in the news for the past six months. To- date, most of their targets have been regional computer users groups, private and semi-public networks and stand-along bulletin board systems. This apparently is the first report of a virus-like program on a national consumer information service. Shapiro says in his bulletin that in eight years of the various Apple forums' operation, this is the only such occurrence. "While I, of course, cannot say it will be the last, I still have just as much confidence as always in the fact that 99.99999999% of the Mac community are quite trustworthy and that there is no real need to fear downloads," he wrote. Shapiro also urged his membership, "If you have not used (NEWAPP.STK) yet, do not! If you have uploaded it to other BBS or network systems, please immediately advise the sysops there of the problem. If you have placed it on a club disk, please be certain to remove it from that disk before distribution and -- if it has been run from the 'Master' disk already -- don't just remove it, but trash the system." Subscriber McPherson indicates the suspect file already has spread to other systems. His forum note says he found the same stack program also in a software library on the General Electric's GEnie network. -- DOD TRIES TO PROTECT ITS COMPUTERS FROM ELECTRONIC VIRUS (Feb. 9) Just as a medical virus can spread rapidly, so does the deadly computer virus seem to be making the rounds. In an effort to inoculate itself against an outbreak, the Department of Defense has taken steps to prevent the electronic sabotage from affecting its computers, reports Government Computer News. The computer viruses are self- propagating programs that are designed to spread automatically from one computer to another and from one disk to another, totally disrupting normal operations. As reported in Online Today, such viruses have already struck computer systems at Hebrew University in Jerusalem and IBM Corp.'s regional offices in Tampa, Fla. "It can spread through computer networks in the same way it spreads through computers," said DOD spokeswoman Sherry Hanson. "The major problem areas are denial of service and compromising data integrity." In addition to basic security measures, computer scientists at the National Security Agency are installing programming tools and hardware devices to prevent the infiltration of virus programs. Hanson told GCN that DOD is also using specialized ROM devices and intrusion detectors. The virus only comprises a few lines of programming code and is easy to develop with few traces. After IBM was infiltrated last December with an innocent- looking Christmas message that kept duplicating itself many times over and substantially slowed the company's massive message system, specialists installed a filter program to monitor the system and protect against further intrusion. According to GCN, executable programs can't be transferred from one computer to another within IBM's network. Even personal computer users are worried, since the virus remains hidden in a computer's main memory. For instance, almost the entire membership of a Florida Commodore Amiga users group was infected by a virus before it was discovered. The president of the group said he believed the virus originated in Europe on a disk of programs the group received from an overseas source. The club now has a checker program to check disks for viruses before they are used. Al Gengler, a member of the Amiga group, compared the virus to AIDS. "You've got to watch who you compute with now," he said. --Cathryn Conroy EXPERTS SEES TWO SCENARIOS FOR THE COMPUTER "VIRUS" PROBLEM (Feb. 9) Don Parker, who heads the information security program for the Menlo Park, Calif., SRI International, has been studying the problem of computer "viruses" and now says he see two possible directions in the future. Speaking with Pamela Nakaso of the Reuter Financial News Service, Parker said his scenarios are: -:- One, that viruses will be too difficult to design and use for infiltration, and that interest in using them as "weapons" will die away. -:- Or, two, viruses will increase in destructiveness as more sophisticated saboteurs use them to destroy the public domain software resources available. Nakaso also quotes editor Harold Highland of the magazine Computers and Security as saying that "hysteria" over the few documented incidents may fuel even more viruses, which are defined as self-propagating files that usually damage a computer's systems files and then spread to other disks. Highland pointed out that in a recent Australian virus case among Amiga computers, one tabloid newspaper reported the incident with a headline that spanned the entire cover, reading, "Terror Strikes in the DP Industry." Parker told Reuter, "The vulnerability is growing at the same rate as the number of computers and number of communications with computers." Nakaso writes, "Parker estimates that of the 2,000 cases of documented computer crime he has compiled at SRI, about 20 to 30 have been virus attacks. There is no question, however, the reported incidents are rising, and they are expanding beyond personal computers to mainframes and other networks." -- COMPUTER VIRUS CALLED FRAUD (Feb. 10) Computer viruses may be frauds. Although lots of people are talking about computerdoms latest illicit fad, to date, no one has produced a copy of a living breathing virus. Now, a University of Utah expert on urban legends thinks that the dreaded virus may be have become the high tech version of the bogey man. Professor Jan Harold Brunvand has written three books about urban legends and he seems to think that the virus is just the latest incarnation in a long line of legends. Brunvand, and others, have pointed out that there are striking similarities among reports of the virus and legends such as the cat in the microwave oven. For one thing, there are lots of reported sightings but no concrete evidence. And urban legends always seem to appear and affect those things about which urban dwellers are just coming to terms with: shopping malls and microwave ovens in the 70's, computers in the 80's. In today's society, a berserk computer that destroys its owner's data certainly qualifies as the stuff about which legends are made. Even the way in which the deed is accomplished has mystical qualities: a computer wizard works strange magic with the secret programming codes of a computer operating system. Brunvand, a computer owner himself, says that although viruses could be created, he has found absolutely no evidence to support claims about their existence. -- HYPERCARD VIRUS JUDGED "HARMLESS" (Feb. 12) Administrators of a CompuServe forum supporting the Apple Hypercard technology have confirmed that a file uploaded to their data libraries last weekend did indeed contain a so-called computer "virus." However, they also have determined the program apparently was harmless, meant only to display a surprise message from a Canadian computer magazine called MacMag. As reported earlier this week, forum administrator Neil Shapiro of the Micronetworked Apple Users Groups (MAUG) removed the suspicious entry, a Hypercard "stack" file called "NEWAPP.STK," after a forum member reported that the file apparently altered his Macintosh's system files. Computer "viruses," a hot topic in the general press these days, have been defined as self-propagating programs that alter system files and then spread themselves to other disks. Since removing the file last weekend, the Apple administrators have been examining the file and now Shapiro says it apparently was designed merely to display a message from MacMag on March 2. On the HyperForum message board (G APPHYPER), Shapiro reports, "Billy Steinberg was able to reverse engineer (disassemble) the INIT that the virus places into system files. The good news is that the virus is harmless. But it *is* a computer virus." Shapiro says that if the downloaded file remained in the user's system, then on March 2, the screen would display: "Richard Brandnow, publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world." Apparently the file is so designed that after March 2 it removes itself from the user's system. Shapiro notes that, while this file apparently is harmless, it still raises the question of the propriety of database entries that quietly alter a user's system files. Shapiro said he has spoken to publisher Brandnow. "It was not his intention to place it in a HyperCard stack nor to have it on (CompuServe)," Shapiro writes. "What he did do was to develop the INIT in December and 'left' it on their (MacMag's) own machines with the hope that 'it would spread.'" Subsequently, someone else apparently captured the file, added it to his "stack" and uploaded to the CompuServe forum and other information services. While Brandnow maintains the system-altering INIT file was harmless, Shapiro says he's concerned about what the NEWAPP.STK incident could represent. "While the INIT itself is non-destructive," Shapiro wrote, "I believe it was at least irresponsible for MacMag to have perpetrated this type of problem and to have caused the confusion that they did. I also fear that this could give other people ideas on less peaceful uses of such a virus. "I believe that MacMag has opened here a Pandora's Box of problems which will haunt our community for years. I hope I am wrong." -- PUBLISHER DEFENDS HIS "VIRUS" PROGRAM AS "GOOD FOR COMMUNITY" (Feb. 13) The publisher of Canadian computer magazine MacMag contends the computer "virus" program his staff initiated recently was not only harmless but was "good for the Macintosh community." Says 24-year-old Richard Brandow, "If other people do nasty things (with virus programs), it is their responsibility. You can't blame Einstein for Hiroshima." Speaking by phone with reporter Don Clark of The San Francisco Chronicle, Brandow maintained his magazine's virus program, which spread through the Apple Macintosh community this week on this continent and apparently reached Europe, was intended to do nothing more than display a "peaceful" message on Mac screens on March 2, the first anniversary of the introduction of the Apple Mac II. Of the so-called "virus" technology, Brandow said, "This message is very good for the Macintosh community." The controversy centered around an Apple Hypercard "stack" file called "NEWAPP.STK" that was uploaded to various public domain databases around the country, including the data library of CompuServe's HyperForum (G APPHYPER). When subscribers discovered that the file quietly altered their Mac's system files when it was executed, a warning was posted and forum administrator Neil Shapiro immediately removed the data library entry. Only after the forum's sysops had disassembled the suspect file could it be determined that NEWAPP.STK's only apparent function was to display a March 2 greeting from Brandow and the MacMag staff. HyperForum members now have been informed that the file, while indeed a "virus," apparently is harmless. However, Shapiro contends MacMag staffers were "at least irresponsible ... to have perpetrated this type of problem and to have caused the confusion that they did." Shapiro is quoted in The Chronicle as adding, "This is very similar to someone breaking into your home and writing a message of good will in red lipstick on your wall. It is a violation of the right of private property... Our computers are machines that belong to us and other people should remain out of them." On the other side of the argument, Brandow told the paper, "The idea behind all this is to promote peaceful methods of communication between individuals using harmless ways." Montreal-based MacMag, with a circulation of 40,000, is Canada's only Macintosh magazine. Brandow also heads a 1,250-member Mac user group, which he says is Canada's largest. Brandow told Clark that programmers worked more than a year on the virus, adding that it was inspired by two groups, known as "The Neoists" and "The Church of the SubGenius." (He said the latter was formed in Texas as a satire on fundamentalist religion and inspired a 1983 book.) As noted here earlier, the MacMag virus also reached beyond CompuServe to other information services and private bulletin board systems. For instance, The Chronicle quotes General Manager Bill Louden of General Electric's GEnie as saying that about 200 users downloaded the file from that information service before it was discovered and removed early Monday. Meanwhile, Shapiro told Clark that only about 40 of CompuServe's subscribers retrieved the file before it was removed early Sunday. The Chronicle says that Mac devotees in the Bay Area were "stunned" by news of the virus, but not all were upset. For example, Apple wizard Andy Hertzfeld, a co-designer of the original Mac, told the paper, "As far as I'm concerned, it doesn't have any malicious intent and is just some people having fun. I don't see why people are so uptight." Meanwhile, a spokeswoman for Apple at company headquarters in Cupertino, Calif., said the company is searching for details of the virus and could not comment on it at present. -- TWO FIRMS OFFER TO "INOCULATE" US AGAINST THE COMPUTER "VIRUSES" (March 4) The debate continues over whether computer "viruses" are real or just the latest urban legend, but at least two companies are hoping that we don't want to take any changes. Independent of each other, the firms this week both claimed to have the first commercial software to "inoculate" systems against those reported rogue programs that damage data and systems files. One of the companies, Lasertrieve Inc. of Metuchen, N.J., introduced its VirALARM product during Microsoft Corp.'s CD-ROM conference in Seattle. In addition, in Stockholm, a Swedish company called Secure Transmission AB (Sectra) today announced a similar anti-virus program called TCELL, after a counterpart in human biology. A Lasertrieve statement contends that previous anti-viral software utilities -- mostly offered in the public domain -- work by drawing attention to the virus's attempted alterations of system files, noting a change of file size, or monitoring the dates of program changes. However, the New Jersey firm contends, this approach makes such programs "easily fooled by sophisticated viruses." Lasertrieve says its VirALARM contains a program designed to protect another program, creating a software "barrier." According to the statement, before anyone can use the protected program, VirALARM checks to determine whether the program has been altered since it was inoculated. If there has been any change, the software then blocks use of the altered program, notifies the user and suggests a backup copy of the program be substituted. Meanwhile, Bo-Goran Arfwidsson, marketing director of the Swedish company, told Bengt Ljung of United Press International that its TCELL "vaccine" gives a database a partial outside protection, sounds an alarm if a computer virus appears inside a database and identifies the infected file so it can be isolated. The contaminated part then can be replaced with a backup file. Sectra spokesman Torben Kronander said that TCELL has been "tested for a year now and there is no question that it works," adding that since early 1987 the software has functioned on computers of major Swedish manufacturing companies. Arfwidsson declined to name those companies for security purposes. Kronander said TCELL simply made the task of creating a virus so complicated that only vast computer systems would be able to carry it out. "We've effectively removed the hacker type of attack, and these have been the problem. It will take the resources of a major software producer or a country to produce a virus in the future." UPI says Sectra is a 10-year-old research company with 19 employees in Linkoping in central Sweden, closely tied to the city's Institute of Technology. -- "VIRUS" SPREADS TO COMMERCIAL PROGRAM; LEGAL ACTION CONSIDERED (March 16) That so-called "benign virus" that stirred the Apple Macintosh community earlier this year when it cropped up in a public domain file in forums on CompuServe and other information services now apparently has invaded a commercial program called FreeHand. The publisher, Seattle's Aldus Corp., says it had to recall or rework some 5,000 FreeHand packages once the virus was discovered and now is considering legal action against those who admitted writing the self- propagating program. Meanwhile, other major software companies reportedly are worried that the virus may have affected some of their products as well. At the heart of the controversy is a "peace message" that Canadian Richard Brandow, publisher of Montreal's MacMag magazine, acknowledged writing. As reported here earlier, that file was designed to simply pop up on Mac screens around the world on March 2 to celebrate the first anniversary of the release of the Macintosh II. However, many Mac users reacted angrily when they learned that the file quietly had altered their systems files in order to make the surprise message possible. Now the virus has re-emerged, this time in FreeHand, a new Mac program Aldus developed. Aldus spokeswoman Laury Bryant told Associated Press writer George Tibbits that Brandow's message flashed when the program was loaded in the computer. Bryant added that, while it "was a very benign incident," Aldus officials are angry and "are talking with our attorneys to understand what our legal rights are in this instance.... We feel that Richard Brandow's actions deserve to be condemned by every member of the Macintosh community." This may be the first instance of a so-called "virus" infecting commercial software. Tibbits says the Brandow virus apparently inadvertently spread to the Aldus program through a Chicago subcontractor called MacroMind Inc. MacroMind President Marc Canter told AP that the virus appears to have been in software he obtained from Brandow which included a game program called "Mr. Potato Head," a version of the popular toy. Canter said that, unaware of the digital infection, he ran the game program once, then later used the same computer to work on a disk to teach Mac owners how to use FreeHand. That disk, eventually sent to Aldus, became infected. Then it inadvertently was copied onto disks sold to customers and infected their computers, Canter said. Upset with Brandow, Canter says he also is considering legal action. For his part, Brandow says he met Canter, but denied giving him the software. The whole incident apparently has some at other companies worried because they also use Canter's services. Tibbits says that among MacroMind's clients are Microsoft, Ashton-Tate, Lotus Development Corp. and Apple Computers. A-T has not commented, but officials at Microsoft, Apple and Lotus all told AP that none of their software was infected. Meanwhile, Brandow told Tibbits that, besides calling for world peace, the virus message was meant to discourage software piracy and to encourage computer users to buy original copies. The full message read: "Richard Brandow, the publisher of MacMag, and its entire staff would like to take this opportunity to convey their universal message of peace to all Macintosh users around the world." Beneath that was a picture of a globe. Brandow said that originally he expected people making unauthorized copies of programs on the machine would spread the virus in the Montreal area and possibly a few other areas of Canada and the United States. However, he said he was shocked later to find that, after the virus program began to appear in the databases of online information services, an estimated 350,000 people in North America and Europe saw the message pop up on their computers on March 2. -- Last page !m Online Today OLT-2039 COMPUTER VIRUS EPIDEMIC 1 Backgrounder, Part I 2 Backgrounder, Part II 3 Backgrounder, Part III 4 Backgrounder, Part IV 5 Backgrounder, Part V 6 Backgrounder, Part VI Enter choice !2 Online Today OLT-3125 ONLINE TODAY'S BACKGROUNDER: COMPUTER "VIRUS," PART TWO (Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition from April through November 1988.) Press <CR> for more !s THREAT OF "VIRUS" BLOWN OUT OF PROPORTION, NORTON AND SYSOPS SAY (April 10) The threat of so-called computer "viruses" has been vastly overrated, according to software guru Peter Norton and two CompuServe forum administrators. "We're dealing with an urban myth," Norton told Insight magazine. "It's like the story of alligators in the sewers of New York. Everyone knows about them, but no one's ever seen them. Typically, these stories come up every three to five years." Don Watkins, administrator of CompuServe's IBM Users Network forums (GO IBMNET) also told the general interest magazine that he's more concerned about being hit by a meteor than a computer virus. "In five years," Watson said, "I've seen only one program that was designed to do intentional damage. That was about three years ago, and it wasn't very sophisticated. "I have never spoken to anyone who personally, firsthand, has ever seen or experienced a program like this," Watson added, "and my job keeps me in touch with tens of thousands of people." CompuServe forum administrators check each piece of user-contributed software before posting it in data libraries for general distribution. The alleged virus problem received widespread attention in early March when an unauthorized message was placed onto Freehand, a commercial software product for the Apple Macintosh published by Aldus Corp. Earlier, the same message circulated in several information services and was uploaded to CompuServe's Hyper Forum, a forum devoted to the Hypertext technology that is part of the Micronetworked Apple Users Groups (GO MAUG). The message read "Richard Brandow, publisher of MacMag, would like to take this opportunity to convey a universal message of peace to all Macintosh users." It then erased itself without doing any harm. Of the situation, Neil Shapiro, MAUG's chief sysop, said, "The whole problem has been completely hyped out of proportion." --Daniel Janal COMPUTER VIRUS NEWSLETTER DEBUTS (April 13) If you want to follow all the latest news on insipid computer viruses, you might be interested in the debut of "Computer Virology," a newsletter devoted to identifying and analyzing those annoying computer diseases. Produced by Director Technologies Inc., the developers of Disk Defender, a hardware device that write protects PC hard disks, the newsletter will be published monthly. Topics will include developments for protection against the viruses, precautions and procedures to follow to insure that terrorists not let loose this rampant epidemic. "The latest strain of computer viruses presently causing serious damage at university labs, scientific research facilities, hospitals and business organizations worldwide, has created a very real concern for the future of having free access to the tremendous amounts of information that are now readily available for unlimited use," said Dennis Director, president of Director Technologies. "The potential dangers of such viruses is that they can be used not only as a means to facilitate malicious pranks in the home computer area, but also pose a real `terrorist' threat to academic computing labs, scientific research projects and business. Data loss can cost hundreds of thousands of dollars in real money, as well as in wasted man-hours." The newsletter is distributed free of charge. For information or to subscribe, contact Director Technologies Inc., 906 University Pl., Evanston, IL 60201. 312/491-2334. SIR-TECH UNVEILS ANTI-VIRUS (April 14) Sir-tech Software Inc., the Ogdensburg, N.Y., firm best known for its recreational programs such as the acclaimed "Wizardry" series of adventure games, now has released a free program called "Interferon, the Magic Bullet" that it says is meant to "halt the devastation of computer virus." A company statement reports that Robert Woodhead, 29-year-old director of Sir-tech's Ithaca, N.Y., development center, designed the Apple Macintosh program to "detect and destroy the highly-publicized computer virus which threatens the integrity of the world's computer systems." Sir-tech says the program will be offered free for downloading from related services on CompuServe and GEnie. In addition, it is available by mailing a diskette with a self-addressed, stamped envelope to Sir-tech, 10 Spruce Lane, Ithaca, N.Y. 14850. While the program itself is free, Woodhead asks for donations to a fund established to buy computer equipment for visually impaired users. A notice in the software gives details on the fund. Woodhead said he has worked since early this year to come up with Interferon, named for the antiviral treatment for cancer. "Just as a virus leaves clues in a human body, the computer virus is detectable if users know what to look for," Woodhead said. The Interferon program recognizes changes that computer viruses make as they spread their infection and will indicate that there is something amiss, the statement said. "The infection can be cured by deleting the diseased files," it added. "As new viruses are discovered, Interferon will be updated for instant detection." -- NEW VIRUS PLAGUES MACINTOSHES AT NASA AND APPLE (April 18) Apple Macintosh computers at the National Aeronautics and Space Administration and at Apple Computer as well as other business offices around the country have caught a new computer virus, reports Newsday. The latest high-tech plague is under investigation by Apple and federal authorities. During the past three weeks, Apple has been receiving reports of a virus called Scores. Although it has not been known to erase any data, it can cause malfunctions in printing and accessing files and can cause system crashes, Cynthia Macon of Apple Computer told Newsday. Two hundred of the 400 Macintosh computers at the Washington, D.C. offices of NASA have been infected. Many of them are connected to local area networks and are spreading the virus. "This particular virus does not attack data. We have no record indicating anyone lost anything important," said Charles Redmond, a NASA spokesman. Newsday notes that the Scores virus can be detected by the altered symbols that appear in Scrapbook and Note Pad, two Macintosh files. Instead of the Mac logo, users see a symbol that looks like a dog-eared piece of paper. Two days after the virus is transmitted, it is activated and begins to randomly infect applications, such as word processing and spreadsheet programs. EDS Corp. of Dallas, Texas was also infected with the Scores virus, but managed to stop its spread. -- Cathryn Conroy FRIDAY THE 13TH "VIRUS" FIZZLES (May 14) Good morning, computerdom! It's Saturday the 14th and we're all still here. At least, we all SEEM to still be here, though some are saying it's too early to tell for sure. Yesterday, the first Friday the 13th of the year, was widely reported to be the target date for the denotation of a computer virus called "Black Friday" which was first discovered in the computers of the Hebrew University in Jerusalem late last year. The virus, which was reported to have spread from Jerusalem to computers around the world, was said to be designed to destroy computer files on May 13. However, no early reports of damage have surfaced. Computer experts in Jerusalem told Associated Press writer Karin Laub that the so-called virus was undone because most computer users were alerted in time. Hebrew University researchers detected the virus on Dec. 24 because of a flaw in its design, according to senior programmer Yisrael Radai. Nonetheless, a few experts are saying that we aren't out of the woods yet. For instance, Donn Parker of the SRI International research firm in Menlo Park, Calif., told The Washington Post this morning that he hadn't heard of any virus-related damage, "but we have been holding our breath. I think it will be a dud, but we won't know until next week, and only then if people whose computers go down talk about it." Some software companies tackled the virus scare. AP reports that the Iris software publisher of Tel Aviv developed an anti-virus program for the Israeli computing community and sold 4,000 copies before yesterday. President Ofer Ahituv estimated that 30 percent of his 6,000 customers, most of them businesses, had been infected by the Black Friday virus. Meanwhile, some are saying the apparent fizzle of the virus is what they expected all along. "Viruses are like the bogyman," said Byron C. Howes, a computer systems manager at the University of North Carolina at Chapel Hill. Speaking with AP, he compared programmers who believe in viruses to "people who set little bowls of milk outside our doors to feed the dwarfs." Barry B. Cooper, owner of Commercial Software in Raleigh, N.C., agreed. "I just think that the whole thing is a joke," like the prediction by medieval seer Nostradamus of a major earthquake on May 8, 1988. "That didn't come true, and this won't come true." -- R.I. NEWSPAPER DISLODGES VIRUS (May 16) The Providence, R.I., Journal-Bulletin says it worked for the past week and a half to stamp out a "virus" that infected an in-house personal computer network used by reporters and editors, but not before the virus destroyed one reporter's data and infected scores of floppy disks. Writing in The Journal, Jeffrey L. Hiday said the virus was "a well-known, highly sophisticated variation called the 'brain' virus, which was created by two brothers who run a computer store in Lahore, Pakistan." Variations of the virus, he noted, have been discovered at companies and colleges across the country, including, last week, Bowie State College in Maryland, where it destroyed five students' disks. Online Today reported on April 23 that a similar Pakistan-based virus infected a student system used at Miami University in Ohio, threatening to wipe out term papers stored there. Apparently this is the first time a virus has invaded a US newspaper's system. Hiday said The Journal contacted one of the Pakistan brothers by phone, who said he created this particular virus merely to keep track of software he wrote and sold, adding that he did not know how it got to the United States. However, Hiday added, "US computer programming experts ... believe the Pakistanis developed the virus with malicious intent. The original version may be relatively harmless, they point out, but its elegance lends itself to alterations by other programmers that would make it more destructive." The newspaper says it discovered the virus on May 6 when a message popped up on computer screens reading, "Welcome to the Dungeon. ... Beware of this VIRUS. Contact us for vaccination." The message included a 1986 copyright date, two names (Basit and Amjad), a company (Brain Computer Services), an address (730 Nizam Block Allama Iqbal in Lahore, Pakistan) and three phone numbers. Journal-Bulletin systems engineer Peter Scheidler told Hiday, "I was sort of shocked. I never thought I'd see a virus. That's something you read about." The virus infected only the PC network; neither the paper's Atex news-editing system nor its IBM mainframe that supports other departments were affected. Hiday says the newspaper now is taking steps to protect itself against another virus attacks. It has tightened dissemination of new software and discussed installing "anti-virus" devices. In addition, computer users have been warned not to use "foreign" software, and reporters have been instructed to turn their computers off and then on again before inserting floppy disks. -- EPA MACINTOSHES RECOVER FROM VIRUS (May 18) Although Apple Macintosh computers at the Environmental Protection Agency were recently plagued with a virus, all of them seem to be on the mend now. According to Government Computer News, the computers were vaccinated with Virus Rx, a free program issued by Apple Computer Inc. to help users determine if their hard disks have been infected. Apple has begun an educational campaign to promote "safe computing practices," Apple spokeswoman Cynthia Macon told GCN. Virus Rx is available on CompuServe in the Apple Developers Forum (GO APPDEV) in Data Library 8 under the name VIRUS.SIT. Macon said the best long-term response to viruses "is to make users aware of steps they can take to protect themselves." These include backing up data files, knowing the source of programs and write-protecting master disks. Other steps include booting from a floppy disk and running all programs from floppies rather than installing and running them from the hard disk. EPA is having some trouble with reinfection. Since up to 20 people may use one Macintosh, someone may unknowingly insert a virus-plagued disk into a clean machine. "It's like mono. You just never get rid of it," said Leslie Blumenthal, a Unisys Corp. contract employee at EPA. FBI agents in Washington, D.C. and San Jose, Calif. are investigating the spread of the Macintosh virus, notes GCN. -- Cathryn Conroy CONGRESS CONSIDERS VIRUS PROBLEMS (May 19) Computer viruses have come to the attention of Congress and legislators would like to be assured that US defense computers are safe from the replicating little bugs. Although defense systems can't be reached simply by telephoning them, a virus could be contracted through an infected disk containing non-essential information. The Defense Authorization Bill for FY 1989 is likely to direct the Defense Department (DoD) to report on its methods for handling potential viral infections. Congress also wants to know what DoD has done about safeguarding military computers. They'd like some assurance that the Defense Department also has considered situations where a primary contractor's computer could be infected and subsequently endanger DoD's own computers. Anticipating future hearings, Congressional staffers are soliciting comments from knowledgeable users as to what the report to Congress should cover. Interested parties should forward their comments to Mr. Herb Lin, House Armed Services Committee, 2120 Rayburn House Office Building, Washington DC 20515. Further information is available by calling 202/225-7740. All comments will be kept in confidence. -- TEXAN STANDS TRIAL FOR ALLEGEDLY INFECTING SYSTEM WITH "VIRUS" (May 24) In Fort Worth, Texas, a 39-year-old programmer is to stand trial July 11 on felony charges that he intentionally infected an ex-employer's system with a computer "virus." If convicted, he faces up to 10 years in prison. The man, Donald Gene Burleson, apparently will be the first person ever tried under the state's tougher computer sabotage law, which took effect Sept. 1, 1985. Dan Malone of the Dallas Morning News broke the story this morning, reporting on indictments that accuse Burleson of executing programs "designed to interfere with the normal use of the computer" and of acts "that resulted in records being deleted" from the systems of USPA and IRA Co., a Fort Worth-based national securities and brokerage. The paper quoted police as saying the electronic interference was a "massive deletion" of more than 168,000 records of sales commissions for employees of the company, where Burleson once worked as a computer security officer. Burleson currently is free on a $3,000 bonding pending the trial. Davis McCown, chief of the Tarrant County district attorney's economic crimes division, said of the alleged virus, "You can see it, but you can't see what it does -- just like a human virus. It had the ability to multiply and move around and was designed to change its name so it wouldn't be detected." McCown also told Malone he wanted to make sure "that this type of criminal understands that we have the ability to make these type of cases; that it's not so sophisticated or complicated that it's above the law." Company officials first noticed a problem on Sept. 21, 1985. Says the Dallas newspaper, "Further investigation revealed that an intruder had entered the building at night and used a 'back-door password' to gain access to the computer. ... Once inside, the saboteur covered his tracks by erasing computer logs that would have followed his activity, police said. With his access to the computer complete, the intruder manually deleted the records." Authorities say that only a few of the 200 workers in the USPA home office -- including Burleson -- had access and the knowledge needed to sabotage the system. Earlier USPA was awarded $12,000 by a jury in a civil lawsuit filed against Burleson. -- FBI CALLED TO PROBE VIRUS CASE (July 4) The FBI has been called in by NASA officials to investigate an alleged computer virus that has destroyed data on its personal computers and those of several other government agencies. The New York Times reported this morning that the rogue program -- apparently the so- called "Scores" virus that surfaced last April -- was designed to sabotage data at Dallas' Electronic Data Systems. The paper said the virus did little damage to the Texas company but did wreak havoc on thousands of PCs nationwide. The Times quoted NASA officials as saying the FBI was called in because, even though damage to government data was limited, files were destroyed, projects delayed and hundreds of hours were spent tracking the culprit at various government agencies, including NASA, the Environmental Protection Agency, the National Oceanic and Atmospheric Administration and the US Sentencing Commission. NASA says it doesn't know how the program, which damaged files from January to May, spread from the Texas EDS firm to PC networks nor whether the virus was deliberately or accidentally introduced at government agencies. Meanwhile, the Times quoted experts as saying that at least 40 so-called "viruses" now have been identified in the United States, defining a virus as a program that conceals its presence on a disk and replicates itself repeatedly onto other disks and into the memory of computers. As reported here in April, the Scores virus was blamed for infecting hundreds of Apple Macintosh computers at NASA and other facilities in Washington, Maryland and Florida. The Times says the spread of the virus was exacerbated when private contractors in Washington and North Carolina inadvertently sold dozens of computers carrying the virus to government agencies. The virus spread for as long as two months and infected networks of personal computers before it was discovered. -- NEW MEXICO BBS SUES OVER VIRUS (Aug. 17) The operator of a New Mexico computer bulletin board system has filed what may be the first federal suit against a person accused of uploading a computer "virus." William A. Christison, sysop of the Santa Fe Message BBS, alleges in his suit that a man named Michael Dagg visited his board in the early hours of last May 4 and "knowingly and intentionally" uploaded a digitally-infected file called "BBSMON.COM." The suit says Christison "checked the program before releasing it to the public and discovered that it was a 'Trojan Horse'; i.e., it appeared to be a normal program but it contained hidden commands which caused the program to vandalize Plaintiff's system, erasing the operating system and damaging the file allocation tables, making the files and programs stored in the computer unusable." Christison says that the defendant re-visited the BBS nine times between May 5 and May 12, sometimes logging in under a pseudonym. "Several of these times," the suit says, "he sent in messages and on May 7, 1988, he knowingly and intentionally sent in by modem a program of the same name, BBSMON.COM, as the original 'Trojan Horse' computer program." Through attorney Ann Yalman, Christison asks the court to grant $1,000 for each Trojan Horse violation and to enjoin the defendant "from sending 'Trojan Horses' or 'viruses' or other vandalizing programs to Plaintiff or anyone else." A copy of the Santa Fe Message's suit has been uploaded to CompuServe's IBM Communications Forum. To see it, visit the forum by entering GO IBMCOM at any prompt. The ASCII file is VIRUS.CHG in forum library 0. Also, you can reach Christison BBS directly with a modem call to 505/988-5867. -- VIRUS FIGHTERS FIGHT EACH OTHER (Aug. 31) Two groups that mean to protect us in the fight against so-called computer "viruses" seem to be spending rather a lot of their energies fighting each other. "I personally know most of the people in this industry and I have never seen this kind of animosity," Brian Camenker of the Boston Computer Society tells business writer Peter Coy. The bickering grew louder on Monday in page-one article in MIS Week trade newspaper in which each side accused the other of using sloppy techniques and manipulating the testing process for its own purposes. Says Coy, "The intensity of the debate has left some software developers disgusted with the whole business." The argument, which centers around fair evaluation anti-virus "vaccine" software, pits the 2- month-old Computer Virus Industry Association led by John McAfee, president of InterPath Corp. of Santa Clara, Calif., against what Coy terms "a loose collection of other computer experts" led by consultant Jon R. David of Tappan and editor Harold Highland of Computers & Security magazine. "Customers and producers agree on the need for an independent panel of experts to review the (vaccine) software," Coy comments. "The question splitting the industry is who should be in charge." CVIA is pulling together an independent university testing panel made up of representatives of Pace University, Adelphi University and Sarah Lawrence College and headed by John Cordani, who teaches computer science at Adelphi and Pace. However, David and Highland say these people don't have the necessary credentials and that McAfee's InterPath products will have an advantage in the testing because McAfee invented a virus simulator that will be used as a testing mechanism. Meanwhile, Highland says he's getting funding from his publisher, Elsevier Advanced Technology Publications, for his own review of anti-viral software, but adds he isn't interested in operating an ongoing review board. -- VIRUS TRIAL BEGINS IN FORT WORTH (Sept. 7) A 40-year-old Texas programmer has gone on trial this week, accused of using a "virus" to sabotage thousands of computer records at his former employer's business. If convicted in what is believed to be the nation's first virus-related criminal trial, Donald G. Burleson faces up to 10 years in jail and a $5,000 fine. Reporting from the state criminal district court in Fort Worth, Texas, The Associated Press notes Burleson was indicted on charges of burglary and harmful access to a computer in connection with damage to data at USPA & IRA Co. securities firm two days after he was fired. The trial is expected to last about two weeks. USPA, which earlier was awarded $12,000 in a civil suit against Burleson, alleges the defendant went into its offices one night and planted a virus in its computer records that, says AP, "would wipe out sales commissions records every month. The virus was discovered two days later, after it had eliminated 168,000 records." -- VIRUS ATTACKS JAPANESE NETWORK (Sept. 14) Japan's largest computer network -- NEC Corp.'s 45,000- subscriber PC-VAN service -- has been infected by a computer "virus." McGraw-Hill News quotes a NEC spokesman as saying that over the past two weeks 13 different PC- VAN users have reported virus incidents. Subscribers' user IDs and passwords "were apparently stolen by the virus planter when the members accessed one of the service's electronic bulletin boards," MH says. "The intruder then used the information to access other services of the system and charged the access fees to the password holders." NEC, which says it has not yet been able to identify the virus planter, gave the 13 subscribers new user IDs and passwords to check the proliferation of the virus. -- JURY CONVICTS PROGRAMMER OF VIRUS (Sept. 20) After deliberating six hours, a Fort Worth, Texas, jury late yesterday convicted a 40-year-old programmer of planting a "virus" to wipe out 168,000 computer records in revenge for being fired by an insurance firm. Donald Gene Burleson is believed to be the first person convicted under Texas's 3-year-old computer sabotage law. The trial, which started Sept. 6, also was among the first of its kind in the nation, Judge John Bradshaw told the Tarrant County jury after receiving its verdict. The Associated Press says jurors now are to return to State District Court to determine the sentence. Burleson, an Irving, Texas, resident, was found guilty of harmful access to a computer, a third-degree felony with a maximum penalty of 10 years in prison and a $5,000 fine. However, as a first-time offender, Burleson also is eligible for probation. As reported here earlier, Burleson was alleged to have planted a rogue program in computers used to store records at USPA and IRA Co., a Fort Worth insurance and brokerage firm. During the trial, prosecutor Davis McCown told the jury the virus was programmed like a time bomb and was activated Sept. 21, 1985, two days after Burleson was fired as a programmer at the firm because of alleged personality conflicts with other employees. AP quoted McCown as saying, "There were a series of programs built into the system as early as Labor Day (1985). Once he got fired, those programs went off." McCown added the virus was discovered two days later after it had eliminated 168,000 payroll records, holding up paychecks to employees for more than a month. Expert witnesses also testified in the three-week trial that the virus was entered in the system via Burleson's terminal by someone who used Burleson's personal access code. However, the defense said Burleson was set up by someone else using his terminal and code. Says AP, "Burleson's attorneys attempted to prove he was vacationing in another part of the state with his son on the dates in early September when the rogue programs were entered into the system. But prosecutors presented records showing that Burleson was at work and his son was attending school on those dates." The Fort Worth Star-Telegram reports that also during the trial, Duane Benson, a USPA & IRA senior programmer analyst, testified the automated virus series, which was designed to repeat itself periodically until it destroyed all the records in the system, never was automatically activated. Instead, Benson said, someone manually set one of the programs in motion Sept. 21, 1985, deleting the records, then covering his or her tracks by deleting the program. Prosecutor McCown says data damage in the system could have amounted to hundreds of thousands of dollars had the virus continued undetected. As reported here earlier, Burleson also has lost a civil case to USPA in connection with the incident. That jury ordered him to pay his former employers $12,000. Following the yesterday's verdict, McCown told Star-Telegram reporter Martha Deller, "This proves (virus damage) is not an unprosecutable offense. It may be hard to put a case together, but it's not impossible." -- UNIVERSITY PROFESSORS ATTACK COMPUTER VIRUSES (Sept. 30) Because they have not been given access to the National Security Agency's anti-virus research, several university- based computer experts are planning to begin their own testing and validating of software defenses against computer viruses, reports Government Computer News. Led by John Cordani, assistant professor of information systems at Adelphi University, the results will be made public, unlike those being researched by NSA. The work being done by the Department of Defense is too classified for use by the general computer community. GCN notes that computer viruses are hard-to-detect programs that secretly replicate themselves in computer systems, sometimes causing major damage. Cordani and five other academics will establish secure laboratories to study viruses in three New York colleges: Adelphi University, Pace University and Sarah Lawrence College. The lab will test anti-virus software developed by companies that are members of the Computer Virus Industry Association, a consortium of anti-virus defense developers. The group will then publish what it is calling "consumer reports" in the media and on electronic bulletin board systems. Once sufficient research is completed, more general grading systems will be applied, said Cordani. In addition, the lab will use viruses sent to them by the CVIA to develop classification algorithms to aid in describing a virus' actions and effects. -- Cathryn Conroy SECOND VIRUS FOUND AT ALDUS CORP. (Oct. 21) For the second time this year, a computer "virus" has been found in a commercial program produced by Seattle's Aldus Corp. The infection was found in the latest version of the FreeHand drawing software, the same software that was invaded by a different virus last March. An Aldus official told The Associated Press the company was able to prevent the virus's spread to programs for sale to the public, but that an entire computer network within Aldus' headquarters has been infected. The virus was found in a version of the Apple Macintosh software that was sent to specific users to be tested before going to market. One of the testers discovered the virus, dubbed "nVir," and two days later, Aldus realized the virus was in its own in-house network. Said Aldus spokeswoman Jane Dauber, "We don't know where it came from. That is the nature of the virus. You can't really track it." AP says Aldus officials said the new virus has remained dormant so far, a tiny program that merely attaches itself to other programs. "We don't know why," Dauber said. "We don't know what invokes this virus. With some of them, you have to launch the program a certain number of times," for the virus to activate. The company told the wire service that, while it does not know where the virus originated, reports are that it apparently has infected at least one unidentified East Coast university's computers. Another Aldus spokeswoman, Laury Bryant, added, "You just can't always stop these things from coming in the door. But what we have done is to set up systems which eliminate them before they are actually in full version, shrink-wrap software and stop them from going out the door." Last March, in what was apparently the first instance of an infection in commercial software, a virus called the "March 2 peace message" was found in some FreeHand programs. The invasion caused Aldus to recall or rework thousands of packages of the new software. -- MAN SENTENCED IN NATION'S FIRST VIRUS-RELATED CRIMINAL COURT CASE (Oct. 23) Donald Gene Burleson, the first person ever convicted of using a computer "virus" to sabotage data, has been sentenced to seven years' probation and ordered to pay back nearly $12,000 to his former employer. The 40-year-old Irving, Texas, man's attorney told United Press International he will appeal the sentenced handed down late Friday by District Judge John Bradshaw in Fort Worth, Texas. As reported earlier, Burleson was convicted Sept. 19 of the third-degree felony, the first conviction under the new Texas state computer sabotage law. He was accused of infecting the computers of USPA & IRA, a Fort Worth insurance and securities firm a few days after his firing Sept. 18, 1985. Burleson could have received two to 10 years in prison and a fine up to $5,000 under the 1985 law. As a first-time offender, however, he was eligible for probation. As reported during last month's trial, a few days after Burleson's firing in 1985, company officials discovered that 168,000 records of sales commissions had been deleted from their system. Burleson testified that he was more than 300 miles away from Fort Worth on Sept. 2 and Sept. 3 when the virus was created. However, UPI notes that evidence showed that his son was not traveling with him as he said but in school, and that a credit card receipt Burleson said proved he was in Rusk on Sept. 3 turned out to be from 1987. Associated Press writer Mark Godich quoted Burleson's lawyer, Jack Beech, as saying he had asked for five years' probation for his client, and restitution not to exceed $2,500. Godich also observed that the Burleson's conviction and sentencing "could pave the way for similar prosecutions of people who use viruses." Chairman John McAfee of the Computer Virus Industry Association in Santa, Clara, Calif., told AP the Texas case was precedent-setting and that it's rare that people who spread computer viruses are caught. He added his organization had documented about 250,000 cases of sabotage by computer virus. -- BRAIN VIRUS HITS HONG KONG (Oct. 30) According to Computing Australia, a major financial operation in Hong Kong was infected with a version of the "Brain" virus. This is the first reported infection of a commercial business in the East. Business International, a major financial consulting firm in Hong Kong, is believed not to have suffered any major damage. A company spokeswoman played down the appearance of the virus and said that no data had been lost. The "brain" virus has been reported as a highly sophisticated piece of programming that was created by two men in Lahore, Pakistan who run the Brain Computer Services company. It's last reported appearance in the US was during May when it popped up at the Providence, R.I., Journal- Bulletin newspaper. -- 60 COMPUTER FIRMS SET VIRUS GOALS (Nov. 2) Some 60 computer companies have organized a group to set guidelines that they say should increase reliability of computers and protect the systems from so-called "viruses." The Reuter Financial News Service says that among firms taking part in the movement are Microsoft Corp., 3Com Inc., Banyan Systems and Novell Inc. At the same time, though, declining to join the efforts are such big guys as IBM and Digital Equipment Corp. Reuter reports, "The companies said the measures would promote competition while allowing them to cooperate in making computers more reliable and less vulnerable to viruses." However, the firms apparently have shied away from specific proposals, instead issuing broad recommendations that leave it up to each company to develop the technology needed to prevent the spread of viruses, Reuter said. -- Last page !m Online Today OLT-2039 COMPUTER VIRUS EPIDEMIC 1 Backgrounder, Part I 2 Backgrounder, Part II 3 Backgrounder, Part III 4 Backgrounder, Part IV 5 Backgrounder, Part V 6 Backgrounder, Part VI Enter choice !3 Online Today OLT-1005 ONLINE TODAY'S BACKGROUNDER: COMPUTER "VIRUS," PART THREE (Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition beginning in November 1988.) Press <CR> for more !s NEW LAN LABORATORY GROUP OFFERS SUGGESTIONS FOR VIRUS PREVENTION (Nov. 7) Just a week or so before thousands of networked computers across the country were struck by a rapid virus, some 60 computer companies endorsed a set of virus-prevention guidelines drafted by the National LAN Laboratory. The Reston, Va., group, devoted to local area networks, hopes its tips can prevent and control future viruses and worm program intrusions. Speaking with business writer Peter Coy of The Associated Press, LAN Lab spokesman Delbert Jones said, "The key issue is that with proper precautions, one can continue to live a normal existence. ... "It's very much like the AIDS virus: The best solution is precaution." Here, according to AP, are the suggestions by the LAN Lab group: 1. All software should be purchased from known, reputable sources. 2. Purchased software should be in its original shrink wrap or sealed disk containers when received. 3. Back-up copies should be made as soon as the software package is opened. Back-ups should be stored off-site. 4. All software should be reviewed carefully by a system manager before it is installed on a network. 6. New software should be quarantined on an isolated computer. This testing will greatly reduce the risk of system virus contamination. 7. A back-up of all system software and data should be made at least once a month, with the back-up copy stored for at least one year before re-use. This will allow restoration of a system that has been contaminated by a "time-released" virus. A plan that includes "grandfathered" rotation of back-up copies will reduce risk even further. 8. System administrators should restrict access to system programs and data on a "need-to-use" basis. This isolates problems, protects critical applications, and aids problem diagnosis. 9. All programs on a system should be checked regularly for program length changes. Any program-length deviations could be evidence of tampering, or virus infiltration. 10. Many shared or free programs are invaluable. However, these are the prime entry point for viruses. Skeptical review of such programs is prudent. Also, extended quarantine is essential before these programs are introduced to a computer system. 11. Any software that exhibits symptoms of possible virus contamination should be removed immediately. System managers should develop plans for quick removal of all copies of a suspect program, and immediate backup of all related data. These plans should be made known to all users, and tested and reviewed periodically. -- "BRAIN VIRUS" APPEARS IN HOUSTON (Nov. 9) A version of the so-called "Brain virus," a rogue program believed to have originated in Pakistan, now has cropped up in computers used by University of Houston business students. Texas officials say that the virus, while a nuisance, has posed no real problem. University research director Michael Walters told The Associated Press, "It probably hasn't cost us much, except a few days of people-time to clean up these disks, but it probably cost the students a good bit of frustration." Some students report they have lost data, but Walters told the wire service he knows of no one who has lost an entire term paper or other large quantity of work. Nonetheless, reports still were coming in from students late yesterday. This version of the Brain virus, which last spring was traced to a computer store in Lahore, Pakistan, announced itself at the university early last week on the screen of one of the 150 PCs the business department has for students and faculty. Walters said the virus hasn't spread to the school's larger computers. AP quotes Walters as saying the virus flashed this message (with these misspellings) to students who tried to use infected programs: "Welcome to the dungeon. Copyright 1968 Brain & Amjads, PVT, LTD. Virus shoe record V9.0. Dedicated to the dynamic memory of millions of virus who are no longer with us today -- Thank Goodness. BEWARE OF THE VIRUS. This program is catching. Program follows after these messeges." The original "Brain" virus -- which appeared in May at colleges and businesses along the East Coast and in the computers of The Providence, R.I., Journal-Bulletin newspaper -- flashed the "Welcome to the Dungeon" message, but added "Contact us for vaccination." It also gave names, an address and a phone number of two brothers who run a Lahore, Pakistan, computer store. Walters said the Houston version of the virus says nothing about any vaccine, and the "V9.0" in its message suggests it may be a modified version. Before this, the most recent sighting of the "Brain" virus was at Business International, a Hong Kong financial operation. It was thought to be the first reported digital infection of a commercial business in the East. The firm is believed not to have suffered any major damage. -- UNIX EXPERT SAYS VIRUS "PANIC" UNNECESSARY, BLAMES BAD PLANNING (Nov. 10) An expert on the Unix operating system says that much of last week's "panic" over the virus that brought down some 6,000 networked computers was caused by poor management technique. In a statement from his Rescue, Calif., offices, newsletter editor Bruce Hunter said, "Most of the damage was done by the organizations themselves, not the virus." Hunter, who edits Root, a bimonthly Unix administration and management journal published by InfoPro Systems, observed that more than 50,000 users were reportedly cut off at a single site due to last week's virus, and that more than a million people are believed to have been directly affected. However, Hunter said, "By dropping network connections, administrators were ensuring that the virus was winning. Good communications and information sharing between administrators is what helped people on the network find and implement a solution to the virus quickly." Hunter, who also is an author and mainframe Unix system manager, said that one job of an administrator is to keep all system resources available to users, and another is to "go around searching for possible trouble." He said the most important lesson learned from last week's virus was that a definite plan is imperative to avoid inappropriate reactions. Hunter made these suggestions to managers: -:- Develop a set of scenarios and responses for future virus attacks as well as physical disasters. -:- Keep a printed list of system administrators at all company sites. -:- Establish a central point of information. -:- Coordinate an emergency response task force of key personnel. -:- Keep current off-site backups of all data. -:- Perform regular security audits. -- MICHIGAN WEIGHS ANTI-VIRUS LAW (Nov. 15) Michigan lawmakers soon will consider a proposed state law that would impose felony penalties against anyone convicted of creating or spreading computer "viruses." Sponsoring the bill, Republican Sen. Vern Ehlers told United Press International, "Because this is a new type of crime, it is essential we address it directly with a law that deals with the unique nature of computers." Citing this month's virus attack on military and research computers linked by ARPANET and other networks, Ehlers added, "The country recently saw how quickly a virus can spread through network users. The Defense Department and its contractors were extremely fortunate that the virus was relatively harmless." The senator said his bill, still being drafted, is expected to include provisions making it a felony for anyone to deliberately introduce a virus into a computer system. UPI notes Ehlers is a physicist with a Ph.D who has 30 years' experience with computers. -- VIRUS STRIKES CALIF. MACINTOSHES (Nov. 15) Students at Southern California universities were being warned today of a rapidly spreading West German virus that reportedly is disrupting functions of Apple Macintosh computers. "In general, this thing is spreading like mad," Chris Sales, computer center consultant at California State University at Northridge, told The Associated Press. "It originated in West Germany, found its way to UCLA and in a short time infected us here." AP quotes school officials as saying that at least a dozen Macs at the suburban San Fernando Valley campus have been infected since the virus first cropped up last week. Cal State says the virus apparently does not erase data, but that it does stall the computers and removal requires hours of reprogramming. The wire service said students' disks are "being tested for the virus" before they can rent a Mac at the university bookstore. -- COMPUTER SECURITY EXPERT OFFERS TIPS (Nov. 15) The need to protect against computer viruses has heralded the end of the user-friendly computer era, says one security expert. According to Government Computer News, Sanford Sherizen, president of Data Security Systems Inc. of Natick, Mass. said the objective now is to make software bullet-proof, not accessible. He said that since the advent of computers in offices, managers have been faced with the conflicting needs of protecting the data versus producing it. Data must be accessible to those who need it and yet at the same time secure from those who can alter, delete, destroy, disclose or steal it or steal computer hardware. Sherizen told GCN reporter Richard A. Danca that non- technical managers can contribute to computer security as advocates and facilitators. Users must learn that security is a part of their jobs. He predicted that security managers will soon use biometric security measures such as comparing retinal blood vessels or fingerprints. Needless to say, such techniques raise complicated issues of civil liberties and privacy. Sherizen said that all information deserves protection. --Cathryn Conroy VIRUS THREAT SAID EXAGGERATED (Nov. 16) Because of the latest reports of attacks by computer "viruses," some in the industry are ready to blame such rogue programs for anything that goes wrong. However, expert Charles Wood told a 15th annual computer security conference in Miami Beach, Fla., this week, "Out of over 1,400 complaints to the Software Service Bureau this year, in only 2 percent of the cases was an electronic virus the cause of the problem. People are jumping to the conclusion that whenever a system slows down, it's a virus that's responsible." The Associated Press reports that Wood and other panelists cautioned that computer-dependent companies should focus more on the day-to-day breakdowns caused by human error than on viruses. President Steve Irwin of LeeMah Datacom Security Corp. told the conference that this month's virus assault on networked computers on the ARPANET system "could be a cheap lesson." Said Irwin, "We were lucky because it was not a real malicious attempt ... If (the virus' author) had ordered the programs to be erased, the loss could have gone into billions, lots of zeroes." AP quoted Wood as adding, "The virus is the hot topic right now, but actually the real important subject is disaster recovery planning. But that's not as glamorous as the viruses." -- SPA FORMS GROUP TO KNOCK DOWN RUMORS ABOUT COMPUTER VIRUSES (Nov. 17) Upset over wild rumors about the destructiveness of computer viruses, the Software Publisher Association has formed a special interest group to address computer security. In a statement released today at the Comdex trade show in Las Vegas, SPA says its new Software Security SIG will help distribute information and serve as liaison for software publishers, industry analysts and consultants. McGraw-Hill News quotes SPA member Ross Greenberg, president of Software Concepts Design, as saying, "Recent unsubstantiated statements regarding the actual damage caused by viruses...has caused more of a public fervor than served as a public service." At the SIG's organizational meeting, several companies discussed setting standards on how to educate the public regarding viruses and various anti-viral products now being advertised. -- FEDERAL COMPUTERS AT RISK (Nov. 22) Many federal computer systems are vulnerable to viruses and other security problems because of inadequate controls on the design and operation, reports The Washington Post of a report issued by the General Accounting Office. GAO warned that the planned computer expansion (some $17 billion will be spent by Uncle Sam in 1989) could only increase security risks since the computer growth will be so rapid. It advised that particular attention be paid to security concerns, especially in the early phases of system development. "Recent instances of security breaches in automated information systems have resulted in the loss of assets, compromise of program objectives and leaks of sensitive information," said the report, which is part of series prepared by GAO for the incoming Bush administration on national problems it views as critical. The Post notes that some computer experts said that the government's security woes are no worse than those that affect corporate or university systems. GAO cited specific cases where government computer security had been breached: -:-A clerk used a computer processing system to embezzle more than $800,000; -:-employees prepared fraudulent documents for a tax processing system and had the refunds sent to themselves and others; -:-about 30 employees obtained illicit access to computer files and made unauthorized disclosures of highly sensitive information; -:-several federal agencies have been the victims of computer viruses that have destroyed software and data. -- Cathryn Conroy VIRUS THREAT ANALYZED BY EXPERTS (Nov. 23) The Computer Virus Industry Association reports there have been 300 recorded "events" of computer virus attacks on some 48,000 computers during the past eight months. John McAfee, chairman of the association, told The Washington Post that 97 percent of those incidents involved personal computers. He says he considers them to be more vulnerable than larger systems because people frequently stick their disks into other people's computers to share data or software or just to use another's printer. Sharing data is not considered a risky proposition; sharing software is another matter, since viruses attach themselves to programs. And once infected, that program can spread the virus to other programs and computers. McAfee told The Post his group has counted some 30 strains of viruses that affect PCs, some of which are quite innocuous while others have potentially disastrous consequences. Some viruses act immediately; others sit like time bombs waiting to go off at a set time. But the experts warn users to not become hysterical over the threat of viruses. Peter Norton, author of the popular Norton Utility programs, likens viruses to "urban myths, like alligators in the New York sewers." The CVIA says that just four percent of the cases reported to it have actually be verified as real viruses. Most are software bugs, system errors or similar problems, notes The Post. -- Cathryn Conroy FBI PROBES INTERNET INTRUSION (Nov. 24) Although the so-called virus "attack" that affected a number of national computer networks has been characterized as unintentional, the Federal Bureau of Investigation is apparently gathering information to support criminal sanctions against the virus' developer. The FBI's authority to pursue such an investigation stems from the Computer Fraud and Abuse Act of 1986 -- legislation that criminalizes unauthorized access to a computer system being operated for the use of the federal government. The network intrusion on November 3, affected a number of computers at federal installations including those at the Lawrence Livermore National Laboratory in San Francisco and the NASA Ames Research Center in Mountain View, Calif. Reportedly, the FBI Case Agent has asked the Defense Data Network (DDN) Project Management Office "to collect the names of organizations and Points of Contact (names and phone numbers) that were hit by the Virus." Those who wish to submit information will be contacted by their local FBI Field Office. Additional information is available from the DDN security office at 703/285-5206. -- "CORE WARS" CREATOR URGES VIRUS CONTROL CENTERS TO BE SET UP (Nov. 25) A Canadian professor and computer columnist with Scientific American says that governments ought to set up centers for "computer virus control" patterned after the Centers for Disease Control. Alexander Dewdney, professor of computer science at the University of Western Ontario, told reporter Stephen Strauss of The Toronto Globe and Mail that the centers could isolate, identify and then develop antidotes for self-replicating viruses. Dewdney became famous a few years ago by writing in Scientific American about how the principle of computer viruses could be turned into a game he called "Core Wars." Strauss writes, "Under Dewdney's plan, an organization knowing or suspecting its system of being infected by a virus would send a copy of all or part of its main operating program to the center. There, the contaminated program would be routed to a special 'clean room' portion of the center's computer memory where it would not be able to attack anything else. Virus experts would then examine the program to determine what kind of bug was let loose... Once the viral type was determined, countermeasures could be put into effect." Dewdney suggests this last step could be either a program counteracting the original virus or one which made the invading virus destroy all copies of itself. "People," he said, "could expect that within 24 hours some kind of remedy would be in place." -- GOVERNMENT RESPONDS TO RECENT VIRUS ATTACKS (Nov. 25) Federal computer security officials are scrambling to prevent further attacks by computer viruses on government systems. According to Government Computer News, top officials from both the military-based National Security Agency and the civilian-based National Institute of Standards and Technology are working together to develop solutions to threat. One idea that is being considered, according to Stuart Katzke, NIST computer security chief, is the formation of a federal center for anti-virus effort that would be operated jointly by NIST and NSA. He told GCN that the center would include a clearinghouse that would collect and disseminate information about threats, such as flaws in operating systems as well as solutions. In addition, it would help organize responses to emergencies by quickly warning users of new threats and defenses against them. Katzke explained that those who have solutions to a threat could transmit their answers through the center to threatened users. A database of experts would be created to speed response to immediate threats. The center would also develop means of correcting flaws in software, such as trapdoors in operating systems. Vendors would even be asked to develop and field solutions, notes GCN. The only stumbling block is funding and personnel for the center. Katzke did emphasize that viruses are actually less of a threat than poor security that allows abusers to access systems. Excellent technical anti-virus defenses are of no use at all if management does not maintain proper control of the computer system, he told GCN. Congress is expected to respond to the recent outbreak of virus attacks. One bill that died in the 100th Congress, The Computer Virus Eradication Act of 1988, will be reintroduced by Rep. Wally Herger (R-Calif.). -- Cathryn Conroy LINK BETWEEN ARPANET AND MILITARY SYSTEM CUT BECAUSE OF INTRUDER (Dec. 1) Apparently because of an unknown computer intruder, the Pentagon this week cut links between its unclassified military network called Milnet and Arpanet, the national academic and corporate network. The link reportedly was cut at 10 p.m. Monday and was expected to be restored sometime today. According to The New York Times this morning, Pentagon officials are saying officially that the move was due to technical difficulties. However, The Times quoted several unidentified security experts as saying the connection was broken after a recent intrusion into several computers operated by defense contractors and the military. The Times said the Defense Department apparently acted after a computer at the Mitre Corp., a Bedford, Mass., think tank, was illegally entered several times over the past month. Officials at several US and Canadian universities said the intruder used their computers to reach Mitre's. A Mitre spokeswoman confirmed that one of the firm's computers had indeed been entered, but said the systems involved had not handled any classified or sensitive information and that the problem was fixed within hours of detection. Seven computer gateways link Milnet to Arpanet. Arpanet is the same network that was stymied for 36 hours a month ago by a so-called virus allegedly created by Cornell University graduate student Robert Morris Jr., 23, of Arnold, Md. The Times quoted its experts as speculating that the Pentagon may have kept the connection between Milnet and Arpanet severed while it tried to rid the system of a security flaw. Speaking of Morris, two Harvard University computer experts, graduate student Paul Graham and programmer Andrew H. Suddeth, appeared yesterday before a federal grand jury in Syracuse, N.Y., which is investigating the virus incident. Suddeth said earlier that Morris called him in a panic for help in getting out a message to other computer operators after he reportedly realized what the virus was doing. The Associated Press says a third person subpoenaed -- Mark Friedell, an associate professor of computer science -- was excused from testifying because he told prosecutors he knew nothing about the allegations of Morris' involvement with the virus. Morris has not been subpoenaed to appear before the grand jury, lawyer Thomas Guidoboni of Washington, D.C., told the Syracuse Herald-Journal. Says AP, "Guidoboni so far has advised Morris not to talk with anyone about the virus, including FBI agents. But the lawyer said an agreement may soon be reached in which an interview with agents would be arranged." -- CONGRESS TO PROBE VIRUS (Dec. 4) The Internet "WORM", previously characterized as a virus, has caught the attention of federal legislators. Two congressional committees plan to schedule hearings on the purported actions of a 23-year-old Cornell University student said to be responsible for inserting the WORM program into a national computer communications network. The House Science, Space and Technology Committee and the Crime Subcommittee of the House Judiciary Committee are planning hearings on the Internet WORM when the new 101st Congress meets. Representative Robert Roe (D-N.J.) and Rep. William Hughes (D-N.J.), the respective chairmen of the two legislative groups, are apparently concerned that even more serious pitfalls await computers used in the federal government. Rep. Hughes is well-known in computer security circles and has been instrumental in introducing computer-related legislation. Both chairman are said to be concerned about the vulnerability of federal computers to intrusions either planned or accidental. Committee hearing dates will probably be scheduled soon after the new congress convenes on January 9. -- PENTAGON FORMS VIRUS "SWAT TEAM" (Dec. 7) The Pentagon is bringing together some 100 unidentified computer experts from across the country to act as a kind of "SWAT team" to respond to self-replicating "virus" programs that might threaten US defense computers. Called CERT (the Computer Emergency Response Team), the group includes technical experts, site managers, government officers, industry contacts, executives and representatives from investigative agencies. United Press International quotes a Pentagon statement as saying the experts' knowledge will be called upon when needed; otherwise, they will go about their usual jobs. CERT is to be coordinated from the Software Engineering Institute at Pittsburgh's Carnegie Mellon University, where a six-member staff already is in place, UPI says. A Pentagon spokeswoman characterized the group as "sort of a SWAT team" that will respond to security threats such as the virus that thwarted Arpanet computers for some 36 hours on Nov. 2 and 3. The government says CERT will assist researchers in responding to emergencies and will be able to rapidly establish communications with experts working to solve the problems, with affected computer users and with government authorities. -- NIST AND NSA JOIN IN VIRUS DEFENSE PLAN (Dec. 12) The National Security Agency and the National Institute of Standards and Technology have developed 11 possible courses of action in a plan to fight the recurrence of computer viruses on federal computer systems, reports Government Computer News. Although many details of the plans are incomplete, sources told GCN that some of the ideas include establishment of an anti-virus coordination center for the federal government where problems would be reported and jointly supported by NSA and NIST. The center might actually evolve into a national command center that would also support commercial networks. GCN notes that staff experts would carry beepers so they could be summoned around the clock for immediate response to a virus attack. Other plans called for the development of standard virus analysis tools to aid in the disassembly and study of viruses as well as the establishment of a response team from the government, industry and academia with the specialized skills to analyze viruses and develop defenses. GCN notes that the group also recommended that a network of experts be maintained to ensure access to their specialized skills in a crisis. The establishment of an emergency broadcast network to disseminate attack warnings and virus defenses was also suggested. Anti-virus defenses could be broadcast over telephone lines by phones using recorded messages. Other recommendations include better training for operators, improved back-up procedures to prevent viruses from being copied to secure backup disks and greater participation of law enforcement agencies in emergencies. All the recommendations could be implemented under the Computer Security Act, which gives NIST authority to oversee security for civilian computer systems. Before the plan can be implemented formally, however, NIST and NSA officials must approve it, money must be allocated and personnel must be hired. --Cathryn Conroy SOVIETS FIGHT COMPUTER VIRUSES (Dec. 19) The Soviet Union says it has contended with its first computer virus, one that may have stemmed from a computer studies "summer camp" there attended earlier this year by Soviet and foreign children. Computer specialist Sergei Abramov of the USSR Academy of Sciences told Radio Moscow yesterday that the virus was found last August at the academy's Institute of Program Systems. He said the virus invaded systems in at least five government-run institutions, but that scientists now have developed a way to detect known viruses and to prevent serious damage. Charles Mitchell of United Press International quoted Abramov as saying the virus, dubbed DOS-62, infected 80 computers at the academy before it was brought under control 18 hours later. Abramov believes the virus was introduced when Soviet students used the institute's computers to copy infected application programs and games for personal computers. Of the computer summer camp, Abramov did not say from which countries the foreign students came, but added, "Here in the Soviet Union there was not a single instance of a computer virus attack until August of this year but now at least two different viruses have been encountered by five different institutions." He did not identify the five institutions, nor did he say whether viruses had infected any Soviet computers connected to Western European databases. Mitchell also quoted Abramov as saying that concern about viruses caused Soviet scientists to place a high priority on finding a defense for what he said were the 15 known digital virus strains in the world. He said he headed the team that found such a shield. "This protective system has no counterpart in the world," Abramov said, adding that details remain a state secret but that the defense, known formally as PC-Shield, has been tested on IBM computers in the Soviet Union. "The system provides early warning of an attack by practically any virus known in the world," he said. "It has a two-tiered system of protection. The first tier warns the user of an attack enabling him to stop the computer. The second tier assures the detection of any virus still unknown as well as known and prevents it from spreading." UPI also quoted Radio Moscow as saying that earlier this year an unidentified programer at the Gorky Automobile Works on the Volga river was charged with deliberately using a virus to shut down an assembly line in a dispute over work conditions. The broadcast said the man was convicted under Article 206, the so-called Hooliganism law, which provides for a jail term of up to six years for "violating public order in a coarse manner and expressing a clear disrespect toward society." -- ANOTHER COMMERCIAL PROGRAM SAID TO BE INFECTED BY "NVIR" VIRUS (Dec. 20) For the third time this year, a commercial software package has been infected by a computer virus. This time the rogue program -- apparently another version of the so-called "nVir" virus -- has shown up on a compact disk. Business writer Peter Coy of The Associated Press says the virus was found in seven programs on the second edition of a CD-ROM called MegaROM, which is sold for the Apple Macintosh community by Quantum Leap Technology Inc. of Coral Gables, Fla. Coy says the infection, which was detected with virus- screening programs, apparently occurred when the disk was being prepared for duplication at Nimbus Records in Charlottesville, Va. The virus, which does not appear to be dangerous, was spotted after about 400 copies of the disk had been shipped, he says. John Sands, technical operations manager of Nimbus' CD- ROM division, told the wire service the virus came from a piece of software residing on a hard disk for Macintosh computers that was manufactured by CMS Enhancements Inc. of Tustin, Calif. Sands faulted CMS for not alerting Nimbus and its other disk drive customers about the virus threat. In response, CMS President Jim Farooque told Coy that as of yesterday afternoon he hadn't been able to verify that the virus had indeed come from his company. Conceding that some of his employees previously had told people at Nimbus that the virus had come on a CMS floppy disk used to prepare the hard disk for receiving data, Farooque said, "It's possible that ... they are communicating back and forth information that may or may not be true." He added the company voluntarily was helping people get rid of the viruses without admitting responsibility for them. Quantum Leap President Robert Burr told Coy his firm was alerted to the virus on Dec. 9 and began notifying recipients of the infected MegaRom disks last week. The infected disks are imprinted with a green decorative pattern, while the new disks that are virus-free have a blue pattern. Coy also noted, "Almost half of the infected disks were shipped to members of the computer press for review. The disks are filled with programs, known as shareware or freeware, that are available for free from places such as computer bulletin boards." The nVir virus first appeared in another commercial program -- Aldus Corp.'s FreeHand drawing software for the Mac -- last October. Until now, Aldus was the only commercial software firm to publicly report a virus problem. Last March, an earlier version of FreeHand was infected by different virus. -- VIRUSES TEST COMPUTER CRIME LAWS (Dec. 20) The perpetration of computer viruses is a punishable crime that is generally, although not specifically, addressed by a number of federal and state criminal statues. Despite this, law enforcement officials are finding that successful prosecutions tend to decrease dramatically as the sophistication of the misdeed increases, reports the Los Angeles Times. "There are a lot of hairy evidence questions with computer crimes," said Jack Bologna, head of the International Association of Computer Crime Investigators. "Documentation today is different than when you had a complete paper trail. It is now possible to cause a computer crime in which you destroy all the evidence." Traditionally, computer thieves have been tried under ordinary grand theft and fraud sections of state criminal codes, but since 1984 (a year after the debut of the movie "War Games"), the laws have been changing to keep up with the state of technology. Now, 48 states and the federal government have specific laws governing against computer crime. Statistics show that an overwhelming majority of cases that reach a judge result in convictions, according to the National Center for Computer Crime Data. But most of the crimes are never prosecuted because of lack of sufficient evidence or because the victims, usually large corporations, are too embarrassed to notify authorities. But to date, there have been no prosecutions of computer viruses, which first emerged about 18 months ago. Even the notorious case of Robert T. Morris Jr., the 23- year-old Cornell University graduate student suspected of creating the virus that madly replicated across the vast network of military and university computers this fall, has not yet been prosecuted. The Times notes that the FBI is now studying four federal criminal statutes to determine whether it should prosecute Morris. Authorities concede the case is fraught with legal problems, meaning it is possible he will never be prosecuted. --Cathryn Conroy Online Today OLT-1512 ONLINE TODAY'S BACKGROUNDER: COMPUTER "VIRUS," PART FOUR (Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition beginning in January 1989.) VIRUS STRIKES UNIVERSITY OF OKLA. (Jan. 11) Officials at the University of Oklahoma in Norman, Okla., blame a computer virus for ruining several students' papers and shutting down terminals and printers in a student lab at the university library. Manager Donald Hudson of Bizzell Memorial Library told The Associated Press that officials have purged the library computers of the virus. He said the library also has set up extra computers at its lab entrance to inspect students' programs for viruses before they are used on other computers. The wire service said the library's virus probably got into a computer through a student's disk, but the student may not have known the virus was there. Hudson said the library's computers are not linked to any off-campus systems. However, the computers are connected through printers, which he said allowed the virus to spread. -- "FRIDAY THE 13TH" VIRUS STRIKES (Jan. 13) Data files and programs on personal computers throughout Britain apparently were destroyed today by what was termed a "Friday the 13th" computer virus. Alan Solomon, managing director of S and S Enterprises, a British data recovery center, told The Associated Press that hundreds of users of IBM and compatible PCs reported the virus, which he said might be a new species. Solomon, who also is chairman of an IBM users group, told the wire service that phone lines to the center were busy with calls for help from businesses and individuals whose computers were struck by the virus. "It has been frisky," he said, "and hundreds of people, including a large firm with over 400 computers, have telephoned with their problems." S and S hopes to figure out how the virus operates and then attempt to disable it. "The important thing is not to panic and start trying to delete everything in a bid to remove the virus," Solomon said. "It is just a pesky nuisance and is causing a lot of problems today." -- "FRIDAY THE 13TH" VIRUS MAY BE NEW VERSION OF ONE FROM ISRAEL (Jan. 14) Investigators think the "Friday the 13th" virus that struck Britain yesterday might be a new version of the one that stymied computers at the Hebrew University in Jerusalem on another Friday the 13th last May. As reported here yesterday (GO OLT-308), hundreds of British IBM PCs and compatibles were struck by the virus, which garbled data and deleted files. Jonathan Randal of The Washington Post Foreign Service reports the program is being called the "1,813" variety, because of the number of unwanted bytes it adds to infected software. He says the specialists are convinced the program "is the brainchild of a mischievous -- and undetected -- computer hacker at Hebrew University." Alan Solomon, who runs the IBM Personal Computer User Group near London, told the Post wire service that 1,813 was relatively benign, "very minor, just a nuisance or a practical joke." Solomon said he and other specialists first noted the virus in Britain several months ago when it began infecting computers. Solomon's group wrote security software with it distributed free, so, he said, the virus basically struck only the unlucky users who didn't take precautions. -- LIBRARY OF CONGRESS VIRUS VICTIM (Jan. 27) An official with the US Library of Congress acknowledges that the institution was struck by a computer virus last fall. Speaking to a delegation of Japanese computer specialists touring Washington, D.C., yesterday, Glenn McLoughlin of the library's Congressional Research Service disclosed that a virus was spotted and killed out of the main catalog computer system before it could inflict any damage to data files. Associated Press writer Barton Reppert quoted McLoughlin as saying, "It was identified before it could spread or permanently erase any data." McLoughlin added the virus was found after personnel logged onto computers at the library and noticed they had substantially less memory space to work with than they had expected. He said the virus apparently entered the system through software obtained from the University of Maryland. "We don't know," he said, "whether it was a student at Maryland, or whether Maryland had gotten it from somebody else. That was simply the latest point of departure for the software." Meanwhile, Reppert also quoted computer security specialist Lance J. Hoffman of George Washington University as saying the world may be heading toward a catastrophic computer failure unless more effective measures are taken to combat viruses. Comparing last November's virus assault on the Pentagon's ARPANET network to a nuclear accident that "could have had very disastrous consequences for our society," Hoffman told the visitors, "It wasn't Chernobyl yet, it was the Three Mile Island -- it woke a lot of people up." Online Today has been following reports of viruses for more than a year now. For background files, type GO OLT-2039 at any prompt. And for other stories from The Associated Press, type GO APO. -- CHRISTMAS VIRUS FROM FRANCE? (Jan 30) A little noticed software worm, the so-called Christmas Decnet virus, may have originated from Germany or France. Apparently released at the end of December, the worm replicated itself only onto Digital Equipment Corp. computers that were connected to Decnet, a national communications network often accessed by DEC users. At least one system administrator has noticed that the worm collected identifying information from the invaded terminals and electronically mailed that information to a network node in France. The assumption is that the French node collected the information and, subsequently, used it to propagate the worm throughout the network. The so-called German connection came about because of the way the worm presents text information on invaded terminals. Though written in English, the worm message is said to contain strong indications of Germanic language syntax. Predictably, a German "connection" has led to speculation that Germany's Chaos Computer Club may have had a role in worm's creation. -- FEDERAL GROUP FIGHTS VIRUSES (Feb. 3) The Computer Emergency Response Team (CERT) has been formed by the Department of Defense and hopes to find volunteer computer experts who will help federal agencies fight computer viruses. CERT's group of UNIX experts are expected to help users when they encounter network problems brought on by worms or viruses. A temporary group that was formed last year after Robert T. Morris Jr. apparently let loose a bug that infected the Department of Defense's Advanced Project Agency network (ARPANET), will be disbanded. The Morris case has some confusing aspects in that some computer groups have accused federal prosecutors with reacting hysterically to the ARPANET infection. It has been pointed out that the so-called Morris infection was not a virus, and that evidence indicates it was released onto the federal network accidentally. CERT is looking toward ARPANET members to supply its volunteers. Among those users are federal agencies, the Software Engineering Institute and a number of federally-funded learning institutions. Additional information is available from CERT at 412/268- 7090. -- COMPUTER VIRUSES HOT ISSUE IN CONGRESS (Feb. 3) One of the hottest high-tech issues on Capitol Hill is stemming the plague of computer viruses. According to Government Computer News, Rep. Wally Herger (R-Calif.) has pledged to reintroduce a computer virus bill that failed to pass before the 100th Congress adjourned this past fall. The measure will create penalties for people who inject viruses into computer systems. "Unfortunately, federal penalties for those who plant these deadly programs do not currently exist," said Herger. "As a result, experts agree that there is little reason for a hacker to even think twice about planting a virus." (Herger then later corrected himself saying those who plant viruses are not hackers but rather criminals.) GCN notes that the bill calls for prison sentences of up to 10 years and extensive fines for anyone convicted of spreading a computer virus. It would also allow for civil suits so people and businesses could seek reimbursement for system damage caused by a virus attack. If the bill is referred to the Judiciary Committee, as is likely, it stands a reasonable chance of passage. Rep. Jack Brooks, a longtime technology supporter, is the new head of that committee and he has already stated that the new position will not dampen his high-tech interests. -- Cathryn Conroy CONGRESS LOOKS AT ANOTHER COMPUTER PROTECTION BILL (Feb. 27) The Computer Protection Act (HR 287) is the latest attempt by Congress to battle computer viruses and other forms of sabotage on the high-tech machines. Introduced by Rep. Tom McMillan (D-Md.), the bill calls for a maximum of 15 years in prison with fines of $100,000 to $250,000 for those convicted of tampering with a computer, be it hardware or software. "With the proliferation of various techniques to tamper with computers, we need to fill the void in federal law to deal with these criminals," said McMillan. "This legislation will send the clear signal that infiltrating computers is not just a cute trick; it's against the law." The bill, which has been referred to the Judiciary Committee, is written quite broadly and is open to interpretation. -- Cathryn Conroy VIRUS CREATOR FOUND DEAD AT 39 (March 17) A Californian who said he and one of his students created the first computer virus seven years ago as an experiment has been found dead at 39 following an apparent aneurysm of the brain. Jim Hauser of San Luis Obispo died Sunday night or Monday morning, the local Deputy Coroner, Ray Connelly, told The Associated Press. Hauser once said he and a student developed the first virus in 1982, designing it to give users a "guided tour" of an Apple II. He said that, while his own program was harmless, he saw the potentially destructive capability of what he termed an "electronic hitchhiker" that could attach itself to programs without being detected and sneak into private systems. -- HOSPITAL STRUCK BY COMPUTER VIRUS (March 22) Data on two Apple Macintoshes used by a Michigan hospital was altered recently by one or more computer viruses, at least one of which apparently traveled into the system on a new hard disk that the institution bought. In its latest edition, the prestigious New England Journal of Medicine quotes a letter from a radiologist at William Beaumont Hospitals in Royal Oak, Mich., that describes what happened when two viruses infected computers used to store and read nuclear scans that are taken to diagnose patients' diseases. The radiologist, Dr. Jack E. Juni, said one of the viruses was relatively benign, making copies of itself while leaving other data alone. However, the second virus inserted itself into programs and directories of patient information and made the machines malfunction. "No lasting harm was done by this," Juni wrote, because the hospital had backups, "but there certainly was the potential." Science writer Daniel Q. Haney of The Associated Press quoted Juni's letter as saying about three-quarters of the programs stored in the two Mac II PCs were infected. Haney said Juni did not know the origin of the less harmful virus, "but the more venal of the two apparently was on the hard disk of one of the computers when the hospital bought it new. ... The virus spread from one computer to another when a doctor used a word processing program on both machines while writing a medical paper." Juni said the hard disk in question was manufactured by CMS Enhancements of Tustin, Calif. CMS spokesman Ted James confirmed for AP that a virus was inadvertently put on 600 hard disks last October. Says Haney, "The virus had contaminated a program used to format the hard disks. ... It apparently got into the company's plant on a hard disk that had been returned for servicing. James said that of the 600 virus-tainted disks, 200 were shipped to dealers, and four were sold to customers." James also said the virus was "as harmless as it's possible to be," that it merely inserted a small piece of extra computer code on hard disks but did not reproduce or tamper with other material on the disk. James told AP he did not think the Michigan hospital's problems actually were caused by that virus. -- MORE HOSPITALS STRUCK BY VIRUS (March 23) The latest computer virus attack, this one on hospital systems, apparently was more far- reaching than originally thought. As reported here, a radiologist wrote a letter to the New England Journal of Medicine detailing how data on two Apple Macintoshes used by the William Beaumont Hospital in Royal Oak, Mich., was altered by one or more computer viruses. At least one of the viruses, he said, apparently traveled into the system on a new hard disk the institution bought. Now Science writer Rob Stein of United Press International says the virus -- possibly another incarnation of the so-called "nVIR" virus -- infected computers at three Michigan hospitals last fall. Besides the Royal Oak facility, computers at another William Beaumont Hospital in Troy, Mich., were infected as were some desktop units at the University of Michigan Medical Center in Ann Arbor. Stein also quoted Paul Pomes, a virus expert at the University of Illinois in Champaign, as saying this was the first case he had heard of in which a virus had disrupted a computer used for patient care or diagnosis in a hospital. However, he added such disruptions could become more common as personal computers are used more widely in hospitals. The virus did not harm any patients but reportedly did delay diagnoses by shutting down computers, creating files of non-existent patients and garbling names on patient records, which could have caused more serious problems. Dr. Jack Juni, the radiology who reported the problem in the medical journal, said the virus "definitely did affect care in delaying things and it could have affected care in terms of losing this information completely." He added that if patient information had been lost, the virus could have forced doctors to repeat tests that involve exposing patients to radiation. Phony and garbled files could have caused a mix-up in patient diagnosis. "This was information we were using to base diagnoses on," he said. "We were lucky and caught it in time." Juni said the virus surfaced when a computer used to display images used to diagnose cancer and other diseases began to malfunction at the 250-bed Troy hospital last August. In October, Juni discovered a virus in the computer in the Troy hospital. The next day, he found the same virus in a similar computer in the 1,200-bed Royal Oak facility. As noted, the virus seems to have gotten into the systems through a new hard disk the hospitals bought, then spread via floppy disks. The provider of the disk, CMS Enhancements Inc. of Tustin, Calif., said it found a virus in a number of disks, removed the virus from the disks that had not been sent to customers and sent replacement programs to distributors that had received some 200 similar disks that already had been shipped. However, CMS spokesman Ted James described the virus his company found as harmless, adding he doubted it could have caused the problems Juni described. "It was a simple non-harmful virus," James told UPI, "that had been created by a software programmer as a demonstration of how viruses can infect a computer." Juni, however, maintains the version of the virus he discovered was a mutant, damaging version of what originally had been written as a harmless virus known as "nVIR." He added he also found a second virus that apparently was harmless. He did not know where the second virus originated. -- GOVERNMENT PLANS FOR ANTI-VIRUS CENTERS (March 24) Federal anti-virus response centers that will provide authentic solutions to virus attacks as they occur will be developed by the National Institute of Standards and Technology, reports Government Computer News. The centers will rely on unclassified material throughout the federal government and provide common services and communication among other response centers. NIST will urge agencies to establish a network of centers, each of which will service a different use or technological constituency. They will offer emergency response support to users, including problem-solving and identification of resources. GCN notes they will also aid in routine information sharing and help identify problems not considered immediately dangerous, but which can make users or a system vulnerable to sabotage. A prototype center called the Computer Emergency Response Team is already operational at the Defense Advanced Research Projects Agency and will serve as a model for the others. Although NIST and the Department of Energy will provide start-up funds, each agency will have to financially support its response center. --Cathryn Conroy ILLINOIS STUDIES VIRUS LAW (April 15) The virus panic in some state legislatures continues as anti- virus legislation is introduced in Illinois. Illinois House Bill 498 has been drafted by Rep. Ellis B. Levin (D-Chicago) to provide criminal penalties for loosing a so-called computer virus upon the public. The bill is similar to one that has been introduced in Congress. Rep. Levin's bill provides that a person commits "'computer tampering by program' when he knowingly: inserts into a computer program information or commands which, when the program is run, causes or is designed to cause the loss, damage or disruption of a computer or its data, programs or property to another person; or provides or offers such a program to another person." Conviction under the legislation would result in a felony. A second conviction would bring harsher penalties. Currently, the bill is awaiting a hearing in the Illinois' House Judiciary II Committee. It is expected that testimony on HB 498 will be scheduled sometime during April. -- ERRORS, NOT CRACKERS, MAIN THREAT (April 28) A panel of computer security experts has concluded that careless users pose a greater threat than malicious saboteurs to corporate and government computer networks. Citing the well-publicized allegations that Cornell University graduate student Robert T. Morris Jr. created a worm program last November that swept through some 6,000 networked systems, Robert H. Courtney Jr. commented, "It was a network that no one attempted to secure." According to business writer Heather Clancy of United Press International, Courtney, president of Robert Courtney Inc. computer security firm, said the openness of Internet was the primary reason it was popular among computer crackers, some of whom are less talented or more careless than others. "People making mistakes are going to remain our single biggest security problems," he said. "Crooks can never, ever catch up." Sharing the panel discussion in New York, Dennis D. Steinauer, a computer scientist with the National Institute for Standards and Technologies, added that network users should not rely only on technological solutions for security breaks. "Not everyone needs all security products and mechanisms out there," he said. "The market is not as large as it is for networking equipment in general." He added that a standard set of program guidelines, applicable to all types of networks, should be created to prevent mishaps. "There has been a tremendous amount of work in computer (operating) standards. The same thing is now happening in security." Fellow panelist Leslie Forman, AT&T's division manager for the data systems group, said companies can insure against possible security problems by training employees how to use computers properly and tracking users to make sure they aren't making potentially destructive errors. "It's not a single home run that is going to produce security in a network," she said. "It's a lot of little bunts." -- EXPERTS TESTIFY ON COMPUTER CRIME (May 16) Electronic "burglar alarms" are needed to protect US military and civilian computer systems, Clifford Stoll, an astronomer at the Harvard- Smithsonian Center for Astrophysics, told a Senate Judiciary subcommittee hearing on computer crimes, reports United Press International. Stoll was the alert scientist who detected a 75-cent accounting error in August 1986 in a computer program at Lawrence Berkeley Laboratory that led him to discover a nationwide computer system had been electronically invaded by West Germans. "This was a thief stealing information from our country," he said. "It deeply bothers me that there are reprobates who say, `I will steal anything I can and sell it to whoever I want to.' It opened my eyes." Following his discovery, Stoll was so immersed in monitoring the illegal activity that he was unable to do any astronomy work for a year. "People kind of look at this as a prank," Stoll said. "It's kind of funny on the one hand. But it's people's work that's getting wiped out." The West German computer criminals, who were later determined to have been working for Soviet intelligence, searched the US computer network for information on the Strategic Defense Initiative, the North American Defense Command and the US KH-11 spy satellite. They also withdrew information from military computers in Alabama and California, although no classified information was on any of the computer systems. William Sessions, FBI director, also appeared before the Senate subcommittee and said the bureau is setting up a team to concentrate on the problem. He explained that computer crimes are among "the most elusive to investigate" since they are often "invisible." The FBI has trained more than 500 agents in this area. UPI notes that Sessions agreed to submit his recommendations to Sen. Patrick Leahy (D-Vt.), the subcommittee chairman, for new laws that could be used to protect sensitive computer networks from viruses. Currently, there are no federal laws barring computer viruses. The FBI is working with other federal agencies to assess the threat of such crimes to business and national security. William Bayes, assistant FBI director, told the senators he likens a computer to a house with locks on the door. He explained that he has placed a burglar alarm on his computer at Berkeley, programming it to phone him when someone tries to enter it. He said more computer burglar alarms may be needed. -- Cathryn Conroy MASS. CONSIDERS NEW INTRUSION LAW (May 21) In Boston, a state senator has offered a bill that would make it a violation of Massachusetts law to enter a computer without authorization. It also would level penalties against those caught planting so-called computer "viruses." Sen. William Keating, the bill's sponsor, told The Associated Press his measure considers this new category of crime to be analogous to breaking into a building. "It's an attempt," Keating added, "to put on the statutes a law that would penalize people for destruction or deliberate modification or interference with computer properties. It clarifies the criminal nature of the wrongdoing and, I think, in that sense serves as a deterrent and makes clear that this kind of behavior is criminal activity." The senator credits a constituent, Elissa Royal, with the idea for the bill. Royal, whose background is in hospital administration, told AP, "I heard about (computer) viruses on the news. My first thought was the clinical pathology program. Our doctors would look at it and make all these decisions without looking at the hard copy. I thought, what if some malevolent, bright little hacker got into the system and changed the information? How many people would be injured or die?" Keating's bill would increase penalties depending on whether the attacker merely entered a computer, interfered with its operations or destroyed data. In the most serious case, a person found guilty of knowingly releasing a virus would be subject to a maximum of 10 years in prison or a $25,000 fine. AP says the bill is pending in committee, as staff members are refining its language to carefully define the term "virus." -- COMPUTER VACCINE MARKET THRIVES ON USER FEAR (May 23) The computer protection market is thriving. The reason? Fear. Fear of the spread of computer viruses and worms has caused a boom in products that are designed to protect unwitting users from the hazards of high- tech diseases. According to the Dallas Morning News, there is a surging cottage industry devoted to creating "flu shots" and "vaccines" in the form of software and hardware; however, many of these cures are nothing more than placebos. "There's a protection racket springing up," said Laura A. DiDio, senior editor of Network World, the trade publication that sponsored a recent executive roundtable conference in Dallas on "Network Terrorism." Last year alone, American businesses lost a whopping $555.5 million, 930 years of human endeavor and 15 years of computer time from unauthorized access to computers, according to statistics released by the National Center for computer Crime Data in Los Angeles, Calif. The most difficult systems to protect against viruses are computer networks since they distribute computing power throughout an organization. Despite the threat, sales are thriving. Market Intelligence Research says sales of personal computing networking equipment grew 50 percent last year and are expected to grow another 41 percent this year to $929.5 million. Meanwhile, the Computer Virus Industry Association says that the number of computer devices infected by viruses in a given month grew last year from about 1,000 in January to nearly 20,000 in November and remained above 15,000 in December. -- Cathryn Conroy PENDING COMPUTER LAWS CRITICIZED (June 18) Computer attorney Jonathan Wallace says that the virus hysteria still hasn't quieted down and that legislation that will be reintroduced in Congress this year is vague and poorly drafted. Noting that at least one state, New York, is also considering similar legislation, Wallace says that legislators may have overlooked existing laws that apply to "software weapons." In a newsletter sent out to clients, Wallace notes that both the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) cover the vast majority of software crimes. Wallace points out that both the ECPA and the CFAA already impose criminal penalties on illegal actions. Even the Senate Judiciary Committee has refutted the idea that more federal laws are needed. "Why don't we give existing laws a chance to work, before rushing off to create new ones," Wallace asks. Wallace is the editor of Computer Law Letter and is an Assistant System Administrator on CompuServe's Legal Forum (GO LAWSIG). -- NEW VIRUS HITS THAI COMPUTERS (June 27) A newspaper in Bangkok is reporting that a new computer virus, said to be the most destructive yet discovered, has struck computer systems in Thailand. According to the Newsbytes News Service, computer security specialist John Dehaven has told The Bangkok Post, "This is a very subtle virus that can lay dormant, literally, for years." The wire service says that two Thai banks and several faculties at Chulalongkorn University were hit by the rogue program -- called the "Israeli virus," because it was first detected there -- at the beginning of last month. Newsbytes says the infection spreads quickly through any computer once it is activated. -- CONGRESS STUDIES COMPUTER VIRUSES (July 21) The Congress is taking a hard look at a new report that says major computer networks remain vulnerable to computer viruses that are capable of crippling communications and stopping the nation's telecommunications infrastructure dead in its tracks. Rep. Edward Markey (D-Mass.), chairman of the House telecommunications subcommittee, told a hearing earlier this week that federal legislation may be needed to ease the threats posed by computer viruses. "The risk and fear of computer-based sabotage must be reduced to an acceptable level before we can reasonably expect our national networks to accomplish the purposes for which they were created," Markey said during a hearing Wednesday on the new congressional study. "We must develop policies that ensure (network's) secure operation and the individuals' rights to privacy as computer network technologies and applications proliferate," he added. The report by the General Accounting Office examined last year's virus attack that shut down the massive Internet system, which links 60,000 university, government and industry research computers. The GAO found that Internet and other similar systems remain open to attack with much more serious results than the temporary shutdown experienced by Internet. The GAO warned that the Internet virus, a "worm" which recopied itself until it exhausted all of the systems available memory, was relatively mild compared to other more destructive viruses. "A few changes to the virus program could have resulted in widespread damage and compromise," the GAO report said. "With a slightly enhanced program, the virus could have erased files on infected computers or remained undetected for weeks, surreptitiously changing information on computer files," the report continued. The GAO recommended the president's science advisor and the Office of Science and Technology Policy should take the lead in developing new security for Internet. In addition, the report said Congress should consider changes to the Computer Fraud and Abuse Act of 1986, or the Wire Fraud Act, to make it easier to bring charges against computer saboteurs. Joining in sounding the alarm at the hearing was John Landry, executive vice president of Cullinet Software of Westwood, Mass., who spoke on behalf of ADAPSO. "The range of threats posed by viruses, worms and their kin is limited only by the destructive imagination of their authors," Landry said. "Existing computer security systems often provide only minimal protection against a determined attack." Landry agreed the Internet attack could have been much worse. He said viruses have been found that can modify data and corrupt information in computers by means as simple as moving decimal points one place to the left or right. One recently discovered virus, he said, can increase disk access speed, resulting in the wearing out of disk drives. They also have been linked to "embezzlement, fraud, industrial espionage and, more recently, international political espionage," he said. "Virus attacks can be life threatening," Landry said, citing a recent attack on a computer used to control a medical experiment. "The risk of loss of life resulting from infections of airline traffic control or nuclear plant monitoring systems is easily imaginable," he said. Landry said ADAPSO endorses the congressional drive toward tightening existing law to ensure that computer viruses are covered along with other computer abuses. --J. Scott Orr GLOSSARY OF VIRUS-RELATED TERMS (July 21) Until last year's computer virus attack on the massive Internet network made headlines, computer sabotage attracted little attention outside computer and telecommunications circles. Today "computer virus" has become a blanket term covering a wide range of software threats. ADAPSO, the computer software and services industry association, believes the term has been thrown around a little too loosely. Here, then, is ADAPSO's computer virus glossary: -:- COMPUTER VIRUS, a computer program that attaches itself to a legitimate, executable program, then reproduces itself when the program is run. -:- TROJAN HORSE, a piece of unauthorized code hidden within a legitimate program that, like a virus, may execute immediately or be linked to a certain time or event. A trojan horse, however, does not self-replicate. -:- WORM, an infection that enters a computer system, typically through a security loophole, and searches for idle computer memory. As in the Internet case, the worm recopies itself to use up available memory. -:- TRAPDOOR, a program written to provide future access to computer systems. These are typical entryways for worms. -:- TIME BOMB, a set of computer instructions entered into a system or piece of software that are designed to go off at a predetermined time. April Fool's Day and Friday the 13th have been popular times for time bomb's to go off. -:- LOGIC BOMB, similar to a time bomb, but linked instead to a certain event, such as the execution of a particular sequence of commands. -:- CHAOS CLUB, a West German organization that some have alleged was formed to wreak havoc on computer systems through the use of viruses and their kin. --J. Scott Orr ONLINE TODAY'S BACKGROUNDER: COMPUTER "VIRUS," PART FIVE (Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition beginning on July 31, 1989, the first time word was received of the so-called "Datacrime" or "Columbus Day virus.") RESEARCHER UNCOVERS OCT. 12 VIRUS (July 31) An official with a British firm that markets anti-virus software says the company has uncovered a new virus called "Datacrime" is set to attack MS-DOS systems starting Oct. 12. Dr. Jan Hruska of Sophos UK tells Computergram International the virus apparently appends itself to .COM (command) files on MS-DOS systems. "Operating on a trigger mechanism," CI says, "the virus reformats track 0 of the hard disk on or after Oct. 12. It has no year check and so will remain active from Oct. 12 onwards destroying or losing programs and data." Hruska told the publication this is a relatively new virus and that its encrypted form reveals its name ("Datacrime") and its date of release, last March 1. Sophos markets a program called Vaccine version 4 designed to detect known viruses. -- NIST FORMS COMPUTER SECURITY NETWORK (Aug. 3) The National Institute of Standards and Technology is working with other federal agencies to establish a government-wide information network on security incidents and issues, reports Government Computer News. Organized by NIST's Computer Security Division, the network would supply the latest information to agencies on security threats, develop a program to report and assess security incidents as well as offer assistance. Dennis Steinauer, evaluation group manager of the Computer Security Division, said the plan is a response to the communications problems federal agencies suffered during last November's worm attack on Internet by Cornell University graduate student Robert T. Morris Jr. In addition to NIST, the departments of Energy, Justice and Transportation as well as the National Science Foundation and NASA are participating in the project, which calls for each agency to organize a security incident response and resource center. NIST's network would connect the centers electronically, allowing them to communicate with one another. Steinauer said he wants to set up a master database of contacts, phone numbers and fax numbers to ensure communications. One aspect of the plan calls for each center to become expert in some specific area of the technology, such as personal computers, local area networks or multiuser hosts. "The answer is not some monolithic, centralized command center for government," Steinauer told GCN. "Problems occur in specific user or technology communities, and we see the solutions evolving where the reaction is by people who know the user community and the environment." He explained that the Computer Security Act has helped increase security awareness within the government, but the emergence of computer viruses, worms and other sophisticated threats has demonstrated the need for more advanced security tools. -- Cathryn Conroy AUSTRALIAN CHARGED WITH CRACKING (Aug. 14) Australia is reporting its first computer cracking arrest. A Melbourne student is charged with computer trespass and attempted criminal damage. Authorities allege 32-year-old Deon Barylak was seen loading a personal computer with a disk that was later found to possess a computer virus. "Fortunately, it was stopped before it could spread, which is why the charge was only attempted criminal damage," senior detective Maurice Lynn told Gavin Atkins for a report in Newsbytes News Service. The wire service said Barylak could face a maximum of 100 years' jail and a fine. Also police expect to make further arrests in connection with the case. Authorities said Barylak also faces charges of possessing computer equipment allegedly stolen from a community center. -- INTERNET VIRUS BACK? (Sept. 4) Apparently, neither the threat of criminal sanctions nor the hazards of investigation by the FBI is enough to keep the Internet computer communications network secure from intrusion. The Department of Defense agency responsible for monitoring Internet security has issued a warning that unauthorized system activity recently has been detected at a number of sites. The Computer Emergency Response Team (CERT) says that the activity has been evident for some months and that security on some networked computers may have been compromised. In a warning broadcast to the Internet, CERT says that the problem is spreading. Internet first came to general attention when a came to much of the computing communities attention when a 23-year-old Cornell University student was said to be responsible for inserting a software "worm" into the network. The Department of Defense's Advanced Project Agency network (ARPANET) also was infected and CERT was formed to safeguard networks used or accessed by DoD emplyees and contractors. In its warning about recent intrusions, CERT says that several computers have had their network communications programs replaced with hacked versions that surreptitiously capture passwords used on remote systems. "It appears that access has been gained to many of the machines which have appeared in some of these session logs," says a broadcast CERT warning. "As a first step, frequent telnet [communications program] users should change their passwords immediately. While there is no cause for panic, there are a number of things that system administrators can do to detect whether the security on their machines has been compromised using this approach and to tighten security on their systems where necessary." CERT went on to suggest a number of steps that could be taken to verify the authenticity of existing programs on any individual UNIX computer. Among those was a suggestion to reload programs from original installation media. -- AIR FORCE WARNS ITS BASES OF POSSIBLE "COLUMBUS DAY VIRUS" (Sept. 10) The US Air Force has warned its bases across the country about a possible computer virus reportedly set to strike MS-DOS systems Oct. 12. Warning of the so-called "Columbus Day virus" was issued by the Air Force Communications Command at Scott Air Force Base, Ill., at the request of the Office of Special Investigations. OSI spokesman Sgt. Mike Grinnell in Washington, D.C., told David Tortorano of United Press International the advisory was issued so computer operators could guard against the alleged virus. "We're warning the military about this," Grinnell said, "but anybody that uses MS-DOS systems can be affected." As reported here July 31, Dr. Jan Hruska, an official with a British firm called Sophos UK, which markets anti-virus software, said his company had uncovered a new virus called "Datacrime." Hruska told Computergram International at the time that the virus apparently appends itself to .COM (command) files on MS-DOS systems. Said CI, "Operating on a trigger mechanism, the virus reformats track 0 of the hard disk on or after Oct. 12. It has no year check and so will remain active from Oct. 12 onwards destroying or losing programs and data." Hruska told the publication this was a relatively new virus and that its encrypted form revealed its name ("Datacrime") and its date of release, last March 1. Meanwhile, Air Force spokeswoman Lynn Helmintoller at Hurlburt Field near Fort Walton Beach, Fla., told UPI that computer operators there had been directed to begin making backup copies of files on floppy disks just in case. She said the warning was received at the base Aug. 28. Staff Sgt. Carl Shogren, in charge of the small computer technology center at Hurlburt, told Tortorano no classified data would be affected by the possible virus attack because the disks used for classified work are different from those that might be struck. UPI quoted officials at Scott Air Force Base as saying the warning was sent to every base with a communications command unit, but that they did not know how many bases were involved. -- COMPUTER VIRUSES PLAGUE CONGRESS (Sept. 11) Although Congress recently passed the Computer Security Act to force federal agencies to guard against high-tech break- ins and computer viruses, the legislators may soon realize they made a costly mistake. The law applies to all federal agencies -- except Congress itself. And according to Government Computer News, Capitol Hill has been the victim of several recent virus attacks. One virus, for instance, emerged about a year ago in the Apple Macintosh computers of several House offices causing unexplained system crashes. A steep bill of some $100,000 was incurred before experts were confident the plague, now known as Scores, was stopped. However, it does still lurk in the depths of the computers, notes GCN, causing occasional malfunctions. Dave Gaydos, Congress' computer security manager, says the sources of many viruses may never be known, since some 10,000 programmers are capable of producing them. Capitol Hill legislators and staff members are only now becoming aware of the potential danger of viruses as more offices are exploring ways to connect with online database services and with each other through local area networks. GCN reports that last February, a California congressional office was the victim of a virus, caught while using a so-called vaccine program meant to detect intruders into the system. "I used to laugh about viruses," said Dewayne Basnett, a systems specialist on Capitol Hill. "But now when you ask me about them, I get very angry. I think of all the time and effort expended to repair the damage they do." According to GCN, many of the 3,000 House employees with computers are ignorant of the risks and unable to take basic precautions. Although various computer specialists are trying to inform Hill users of computer security issues and offer training sessions, there is no broad support from the legislators themselves for such actions. "We are working to alert people to the dangers," said Gaydos, "but it may take an incident like a destructive virus to move [Congress] to take precautions." -- Cathryn Conroy VIRUS HITS AUSTRALIA (Sept. 12) Australian authorities are said to be confused about the origin of a supposed computer virus that has been making the rounds of computer installations in the South Pacific. An Australian newspaper, The Dominion, says that sensitive data in Defense Department computers has been destroyed by the virus. Dubbed the Marijuana virus because of the pro-drug message that is displayed before any data is erased, it is thought that the misbehaving bug originated in New Zealand. Some have even suggested that the program was purposely introduced into Australian Defense computers by agents of New Zealand, a contention that a Defense Department spokesman branded as "irresponsible." The two South Pacific nations have had strong disagreements about defense matters, including recent joint maneuvers in the area by Australian and US forces. A more likely explanation for the intrusion into Defense computers is the likelihood that Australian security specialists were examining the virus when they inadvertently released it into their own security system. The Marijuana virus is known to have been infecting computers in the country for at least three months and its only known appearance in government computers occurred in a Defense sub-department responsible for the investigation and prevention of computer viruses. -- VIRUS THREAT ABSURDLY OVERBLOWN, SAY EXPERTS (Sept. 18) The so-called "Columbus Day Virus" purportedly set to destructively attack MS-DOS computers on Oct. 13 has computer users -- including the US military -- scampering to protect their machines. But according to The Washington Post, the threat is absurdly overblown with less than 10 verified sightings of the virus in a country with tens of millions of computers. "At this point, the panic seems to have been more destructive than any virus itself," said Kenneth R. Van Wyk, a security specialist at Carnegie-Mellon University's Software Engineering Institute, who has been taking some 20 phone calls daily from callers seeking advice on the subject. Bill Vance, director of secure systems for IBM Corp., told The Post, "If it was out there in any number, it would be spreading and be more noticeable." He predicted Oct. 13 is not likely to be "a major event." As reported in Online Today, this latest virus goes by several names, including Datacrime, Friday the 13th and Columbus Day. It lies dormant and unnoticed in the computer until Oct. 13 and then activates when the user turns on the machine. Appending itself to .COM (command) files, the virus will apparently reformats track 0 of the hard disk. The Post notes that the federal government views viruses as a grave threat to the nation's information systems and has set in motion special programs to guard computers against them and to punish those who introduce them. Centel Federal Systems in Reston, Va., a subsidiary of Centel Corp. of Chicago, is taking the threat seriously, operating a toll-free hotline staff by six full-time staff members. More than 1,000 calls have already been received. Tom Patterson, senior analyst for Centel's security operations, began working on the virus five weeks ago after receiving a tip from an acquaintance in Europe. He said he has dissected a version of it and found it can penetrate a number of software products designed to keep viruses out. Patterson told The Post that he found the virus on one of the machines of a Centel client. "The virus is out there. It's real," he said. Of course, where there's trouble, there's also a way to make money. "The more panicked people get," said Jude Franklin, general manager of Planning Research Corp.'s technology division, "the more people who have solutions are going to make money." For $25 Centel is selling software that searches for the virus. Patterson said, however, the company is losing money on the product and that the fee only covers the cost of the disk, shipping and handling. "I'm not trying to hype this," he said. "I'm working 20-hour days to get the word out." -- Cathryn Conroy SICK SOFTWARE INFECTS 100 HOSPITALS NATIONWIDE (Sept. 20) When a hospital bookkeeping computer program could not figure out yesterday's date, some 100 hospitals around the country were forced to abandon their computers and turn to pen and paper for major bookkeeping and patient admissions functions, reports The Washington Post. Although there was no permanent loss of data or threat to treatment of patients, the hospital accounting departments found themselves at the mercy of a software bug that caused major disruptions in the usual methods of doing business. The incident affected hospitals using a program provided by Shared Medical Systems Corp. of Pennsylvania. The firm stores and processes information for hospitals on its own mainframe computers and provides software that is used on IBM Corp. equipment. According to The Post, the program allows hospitals to automate the ordering and reporting of laboratory tests, but a glitch in the software would not recognize the date Sept. 19, 1989 and "went into a loop" refusing to function properly, explained A. Scott Holmes, spokesman for Shared Medical Systems. The firm dubbed the bug a "birth defect" as opposed to a "virus," since it was an accidental fault put into the program in its early days that later threatened the system's health. At the affected hospitals around the country, patients were admitted with pen and paper applications. Hospital administrators admitted the process was slower and caused some delay in admissions, but patient care was never compromised. -- Cathryn Conroy ARMY TO BEGIN VIRUS RESEARCH (Sept. 21) Viruses seem to be on the mind of virtually every department administrator in the federal government, and the US Army is no exception. The Department of the Army says it will begin funding for basic research to safeguard against the presence of computer viruses in computerized weapons systems. The Army says it will fund three primary areas of research: computer security, virus detection and the development of anti-viral products. Research awards will be made to US businesses who are eligible to participate in the Small Business Innovation Research (SBIR) program. The Army program, scheduled to begin in fiscal year 1990, is at least partially the result of Congressional pressure. For some months, Congressional staffers have been soliciting comments about viruses and their potential effect on the readiness of the US defense computers. Small businesses who would like to bid on the viral research project may obtain a copy of Program Solicitation 90.1 from the Defense Technical Information Center at 800/368-5211. -- SO-CALLED "DATACRIME" VIRUS REPORTED ON DANISH POSTGIRO NET (Sept. 22) The so-called "Datacrime" virus, said to be aimed at MS-DOS system next month, reportedly has turned up on the Danish Postgiro network, a system of 260 personal computers described as the largest such network in Scandinavia. Computergram International, the British newsletter that first reported the existence of the Datacrime virus back in July, says, ""Twenty specialists are now having to check 200,000 floppy disks to make sure that they are free from the virus." Datacrime is said to attach itself to the MS-DOS .COM files and reformats track zero of the hard disk, effectively erasing it. However, as reported, some experts are saying the threat of the virus is absurdly overblown, that there have been fewer than 10 verified sightings of the virus in a country with tens of millions of computers. -- In a rare move, IBM says it is releasing a program to check for personal computer viruses in response, in part, to customer worries about a possible attack next week from the so-called "Datacrime" virus. "Up until the recent press hype, our customers had not expressed any tremendous interest (in viruses) over and above what we already do in terms of security products and awareness," Art Gilbert, IBM's manager of secure systems industry support, told business writer Peter Coy of The Associated Press. However, reports of a "Datacrime" virus, rumored to be set to strike MS-DOS systems, have caused what Coy describes as "widespread alarm," even as many experts say the virus is rare and a relatively small number of PCs are likely to be harmed. IBM says it is releasing its Virus Scanning Program for MS-DOS systems that can spot three strains of the Datacrime virus as well as more common viruses that go by names such as the Jerusalem, Lehigh, Bouncing Ball, Cascade and Brain. The $35 program is available directly from IBM or from dealers, marketing representatives and remarketers and, according to Gilbert, will detect but not eradicate viruses. Gilbert added that installing a virus checker is not a substitute for safe-computing practices such as making backup copies of programs and data and being cautious about software of unknown origin. Meanwhile, virus experts speaking with Coy generally praised IBM's actions. "It's about time one of the big boys realized what a problem this is and did something about it," said Ross Greenberg, a New York consultant and author of Flu-Shot Plus. "To date, all the anti-virus activity is being done by the mom and pops out there." In addition, Pamela Kane, president of Panda Systems in Wilmington, Del., and author of a new book, "Virus Protection," called the move "a very important and responsible step." As noted, experts are differing widely over whether there is truly a threat from the Datacrime virus. The alleged virus -- also dubbed The Columbus Day virus, because it reportedly is timed to begin working on and after Oct. 12 -- supposedly cripples MS-DOS- based hard disks by wiping out the directory's partition table and file allocation table. Besides the IBM virus scanning software, a number of public domain and shareware efforts have been contributed online, collected on CompuServe by the IBM Systems/Utilities Forum (GO IBMSYS). For more details, visit the forum, see Library 0 and BROwse files with the keyword of VIRUS (as in BRO/KEY:VIRUS). -- DUTCH COMPUTERISTS FEAR 'DATACRIME' VIRUS (Oct. 7) The "Datacrime"/Columbus Day virus, which is being widely down-played in the US, may be much more common in the Netherlands. A Dutch newspaper reported this week the virus had spread to 10 percent of the personal computers there. "Those figures are possibly inflated," police spokesman Rob Brons of the Hague told The Associated Press. Nonetheless, police are doing brisk business with an antidote to fight the alleged virus. Brons said his department has sold "hundreds" of $2.35 floppy disks with a program that purportedly detects and destroys the virus. As reported, Datacrime has been described as a virus set to destroy data in MS-DOS systems on or after Oct. 12. AP notes that in the US there have been fewer than a dozen confirmed sightings of the dormant virus by experts who disassembled it. The wire service also quotes Joe Hirst, a British expert on viruses, as saying some now believe the virus was created by an unidentified Austrian computerist. He added that as far as he knew the Netherlands was the only European country in which the virus had been spotted. -- BY JOVE, THAT'S IT! DATACRIME VIRUS IS THE VIKINGS' REVENGE (Oct. 10) Computergram International has a tongue-in-cheek theory on the origin of that nasty Datacrime virus which is said to be poised to strike MS-DOS computers this week. "The latest," the British computer journal reports in today's edition, "is that it may have been planted by a Norwegian: the theory is that as it is set to destroy data on Columbus Day a diehard Norwegian, convinced that the Vikings discovered the American continent first, is taking revenge." Nonetheless, the newsletter adds, "Computergram prefers the idea that it is all the work of the Sioux." -- AT&T AND IBM WARN STAFF ABOUT DATACRIME VIRUS (Oct. 11) Although industry experts say the so-called Datacrime virus set to invade MS-DOS systems on Friday, Oct. 13 is not that great a threat, major corporations are taking it quite seriously. According to Reuter, several companies are advising their employees to protect their computer systems. AT&T Co. and IBM Corp. have issued internal memos warning staff members about the virus. "We are taking the virus threat seriously," said an AT&T Bell Laboratories spokesman. AT&T has specifically asked employees not use software from unknown sources and to back up data, while IBM has instructed staff members to use the company's anti-viral software introduced last week and to make copies of their data. "It's very, very rare but very destructive," said Russell Brand, chief technical advisor at Lawrence Livermore Laboratories in Livermore, Calif. Brand has examined the virus in an infected computer and says that unlike most viruses that allow the data to be put back together, Datacrime has the ability to wipe out a complete hard disk. Brand told Reuter that there are about 77 different viruses in circulation now. "People are worried about viruses, especially those that rely on their PCs," said Michael Riemer, executive vice president of Foundationware Inc., a consulting firm in Cleveland. "But what viruses have done is forced people to look at security and system management in place." Mike Odawa, president of the Software Development Council, told Reuter that he does not anticipate any big problems caused by Datacrime. "I think Friday the 13th will come and everyone will be disappointed by it," he said. -- Cathryn Conroy GOVERNMENT EMPLOYEES WARNED ABOUT DATACRIME VIRUS (Oct. 11) The National Institute of Standards and Technology is warning federal agencies to be on guard against the Datacrime virus, supposedly set to attack MS-DOS computers this week. According to Government Computer News, NIST has issued the first governmentwide guide on computer viruses in an attempt to make security an integral part of any computer course and to include computer viruses in agencies' risk analyses and contingency plans. "With the widespread use of personal computers that lack effective security mechanisms, it is relatively easy for knowledgeable users to author malicious software and then dupe unsuspecting users into copying it," says the guide, which is titled Computer Viruses and Related Threats: A Management Guide. Ronald Shoupe, automation group leader for NASA's Goddard Space Flight Center, told GCN he found a virus contamination that strongly resembles Datacrime. The virus was on a machine Shoupe keeps separated from others for virus detection. He said the nature of the virus is a mystery to him, since it activates by itself. "I've never seen anything that triggered by itself. I don't know of a way for a file to self-activate unless it perhaps does something to the boot track," he explained. Shoupe said this was the only occurrence of the Datacrime virus in government computers of which he is aware. "We're watching but treating it as a rumor rather than a fact. We've alerted the computer security officers. We're trying not to broadcast this too much," he admitted. Richard Carr, computer security program manager for NASA, said alerting users to the danger only serves to spread more rumors and give would-be vandals ideas they might not otherwise have. "If we publicize some of the unfounded rumors, some of the crazies out there might try to make this a self-fulfilling prophecy. We can't let these people know what protective measures we have. It's a tough call to make," said Carr. He admitted that the ramifications of a computer virus attack at NASA would be enormous. One concern is the upcoming launch of the next space shuttle early next week. NIST officials are urging government employees to back up their hard disks and consider using virus detection utilities. -- Cathryn Conroy ANTI-VIRUS PUBLISHER GIVES TIPS FOR VIRUS DETECTION AND REMOVAL (Oct. 11) You say you've done nothing special to protect your computer and now the news media keeps saying the viruses are coming (...The Viruses Are Coming!) So, what now? Don't panic, says Cleveland- based FoundationWare Inc., developer of the Certus anti-virus security system. You're probably going to come through it just fine. Saying the computing community needs to meet the "current virus hysteria from a calm, logical and pragmatic business perspective," FoundationWare released an extensive statement today that provides specific tips for detecting and removing the so- called Datacrime and Friday the 13th viruses, alleged to be set to activate in MS-DOS computers starting tomorrow. But also FoundationWare urged computerists not to over-react to the current virus fears. "The truth is that viruses are not as common as widely believed," the statement said. "If you have not already taken action to protect yourself ... do not worry about them now. Prepare yourself and your employees should one of your machines go down by having (data only) backups available." The software publisher also criticized one-time, "quick fix" search programs that look for blocks of code known to be part of a specific virus, saying such programs have inherently limited capabilities. "It's like buying a home security system that protects against blond-hair blue-eyed people," said FoundationWare Vice President Michael Riemer, who is also chairman of the Software Publishers Association's security special interest group. "You won't be protected if a bald, brown-eyed person breaks into your house." Riemer suggested the computing public needs to begin addressing viruses by taking "a more global perspective," adding that such an approach would include: 1. Regular data back-up. 2. Not backing-up data and programs on the same diskettes. 3. Educating users on the threat of malicious software. 4. Determining and implementing appropriate integrity checking, security and management mechanisms. Regarding the Datacrime and Friday the 13th viruses, the FoundationWare report suggested that users look for unexplained increases in file size, "a telltale sign of most virus infections." The company also noted the users could determine if a disk has been infected by using the MS-DOS DEBUG utility to scan executable files in the following manner: A. For the Datacrime virus (also called "Columbus Day" virus), use DEBUG to scan .COM files for the Hexadecimal codes EB00B4OECD21B4, AND/OR, 00568DB43005CD21. If the codes are present, the system is infected, the company said. B. For the Friday the 13th Virus (also called the Israeli virus), use DEBUG to scan .EXE and .COM files for the Hexadecimal codes 2EFF0E1F00, E992000000, AND/OR 7355524956. The company also made a number of suggestions for removing viruses, (though it acknowledged the methods aren't foolproof nor recommended as "a complete solution" for fighting these or future viruses). The suggestions are: -:- Never attempt to remove or isolate a virus from a currently active computer. Instead, boot from a clean original and write-protected DOS floppy disk. -:- On a local area network, first check network operating system files on local drives before logging onto the network. Isolate LAN/PCs, so that there are no active users beside you. -:- If you think you have the Friday the 13th or Datacrime virus (which are keyed to specific days), give yourself some extra time before they activate by simply changing your system time/date to an earlier date, such as January 15, 1989. -:- To create a clean system, boot your computer from an original, write-protected DOS floppy disk and run your backup program (from your original write-protected floppy source) and back-up only your data (not your programs). Perform a low-level and DOS FORMAT using programs from the original write- protected distribution disks (not from your hard disk), then reinstall the software from original write-protected disks and restore the "data-only" backup. -:- If you isolate a virus which is present in your system's boot track or partition table (this will not be either the Datacrime or Jerusalem virus), you have other options. You should boot from a write-protected original DOS floppy disk and run a disk utility program that can replace the partition table. (Note: be sure the operator is very familiar with such a program before using it). -:- If you believe that a virus is in the boot track (IO.SYS, MSDOS.SYS) or the operating system (COMMAND.COM), you can take still other measures. Boot from a write-protected original DOS floppy disk and run the "SYS C:" command from the clean floppy disk which then replaces IO.SYS and MSDOS.SYS files. You should then type "DEL COMMAND.COM" and replace it with a clean copy of COMMAND.COM from the A: drive. Finally, speaking of viruses in general, the FoundationWare statement notes that if you suspect your system is infected, you should delete all suspected files (that is, all .EXE and .COM program files) and those found to contain a virus and then replace the questionable software with "trusted copies" from the original write-protected distribution disks. Also, the report notes, "It has been suggested that using standard DOS DEL, ERASE or COPY may in some instances not be enough to remove the infected program (though for these two viruses DELETE and ERASE are adequate). It is recommended that you use a program which actually writes over (the) program area to completely eradicate infected files." -- VIRUSES STRIKE IN EUROPE (Oct. 13) As many predicted all along, the computer viruses that struck today on this Friday the 13th didn't mean the end of computing as we know it. Still, the day also was not completely free of system vandalism caused by the rogue programs. While confirmed virus attacks appear to have been few and minor in the United States, more serious incidents occurred in Europe, with virus-related computer problems reported in Great Britain, the Netherlands, Portugal, France and Switzerland. As noted earlier, the computing community was bracing itself for a double-whammy of virus assaults this week, from the so-called Datacrime/Columbus Day virus starting yesterday and from the Friday the 13th/Jerusalem virus today. In the US, at least one CompuServe subscriber reported a virus incident. Writing on the message board of the IBM Systems/Utilities Forum (GO IBMSYS), Tom Ohlson told his fellow forum members that a friend of his in Staten Island, N.Y., had used a copy of an anti- virus program called SCAN40, downloaded earlier from the forum, to locate the Datacrime virus. Ohlson said the friend had traced the virus to a copy of a game program that was passed around on a floppy disk. Elsewhere in New York, security specialist Ross M. Greenberg, creator of Flu-Shot Plus and Virex-PC anti-viral software, told The Associated Press that by midmorning he had received seven reports of virus strikes since midnight, but that only one was the Columbus Day virus. Greenberg reported that a dozen PCs at Columbia University in New York City were affected, but that the university had made backup files, so the virus was merely an inconvenience. The other six virus reports concerned what he called the "PLO virus," an older virus designed to erase programs every Friday the 13th. Greenberg said earlier the PLO virus was far more widespread and likely would cause more trouble today than newer viruses. Meanwhile, in Urbana, Ill., Michael Harper, a staff person at the University of Illinois' Micro Resource Center, told United Press International a virus was detected in some of the campus's 1,000 terminals, but that the university was able to treat the computers before it did any damage. "We're definitely breathing easier," Harper said. He said a virus was introduced on campus by a piece of software used for inputting scientific data. The university now has a installed an anti-virus warning program. And now, from assorted wire dispatches, here are virus incidents reported elsewhere in the world today: -:- Great Britain: In perhaps the worst virus assault of the day, computers at London's Royal National Institution for the Blind were infected by what experts are saying was a previously known virus. "We found that most of our program files are gone," Corri Barrett of the institute told reporters. "Every time we try to look at a new program file it vanishes in front of our eyes. It's horrendous. Months and months of work has been wiped out here." Barrett told a BBC-TV interviewer the virus might have contaminated disks distributed to blind clients and that their systems had been infected. -:- The Netherlands: In the Netherlands, where the first alert of the so-called Datacrime virus was given last summer, a unit set up to hunt viruses said it had been flooded with telephone calls from panicked users today. Many told the officials they had "lost everything, all their data stored in memory and all their programs," according to a spokesman. At the social affairs ministry, a spokesman said yesterday the Datacrime virus had been isolated and destroyed "on several occasions" in recent days. Also, Amsterdam university managed to kill the Datacrime virus in time to save its data, an official told Dutch television yesterday. In addition, the "Jerusalem" virus, detected four times in the microcomputer network of the Dutch rail company, was rooted out before today, when it was still dormant, a spokesman said. -:- Portugal: In Lisbon, at least two infected computers flashed ominous warning messages across their screens, triggering panic among users. The first, the "Friday the 13th" virus, cropped up in the computer system of a bank. The second, said to be of a strain dubbed "Pakistan," attacked computers at a medium-size company. In both cases, the viruses were neutralized, a spokesman for a Portuguese computer association said. -:- France: Daniel Dutil, in charge of a special unit set up to search and destroy the viruses, said that fewer than one percent of that nation's PCs were contaminated, adding, "It's a normal situation, if you take into account that viruses are always found in computer programs." Dutil said some 2,000 computer programs had come under the harsh scrutiny of his unit, dubbed the anti-viral platform, since it opened its campaign to wipe out the viruses on Tuesday. He said that whenever viruses were programmed to awaken from their dormant state and activate themselves on symbolic dates such as January 1, April 1 or July 14, there was usually only "slight virus activity similar to that observed today." Meanwhile, Guy Hervier, an administration official at the University of Nice in southern France, said yesterday a virus scheduled to activate today was discovered in the university's computer lab in June but was easily detected and destroyed. -:- Switzerland: Bernhard Schmid, head of the federal personal computer team, said several dozen of the government's 3,500 personal computers were found to have been carrying a virus. However, experts managed to cancel and reprogram all infected systems. He said infected programs had been found in a wide range of administrative branches. -- VIRUS EXPERTS CITE PREPAREDNESS, EXAGGERATION, BUSINESS SILENCE (Oct. 14) On the morning after, some computer experts today were saying yesterday's reported low incidence of virus assaults was due to the exaggeration of the threat all along, while others were crediting the computing community's preparedness due to early warnings. Meanwhile, another observer said the number of virus attacks actually may have been greater than we realize, because many corporate users are reluctant to publicize computer security violations at their businesses. Wes Thomas, editor of a new electronic newsletter called Virus Alert, told The Associated Press his group received 50 unconfirmed reports of virus outbreaks worldwide and that a headquarters was set up in San Francisco to study the cases. "There's a lot of false positives," Thomas said. "We are attempting to form a center for disease control for computer viruses so we can centralize information and find out what's going on." Thomas said he helped spread the word about the so- called Columbus Day or Datacrime virus after attending an August meeting in Amsterdam where the rogue program was discussed. Actually, most of the reported virus attacks over the past two days seemed to have been the work, not of Datacrime, but of the older Friday the 13th or Jerusalem virus that was first discovered at Hebrew University in December 1987. Experts disagree, but one report is that there now are about 30 different computer virus strains making the rounds. Fred Cohen, an independent researcher in Pittsburgh who is credited with exposing the first computer virus in 1983, told AP he believes this week's outbreaks were kept down because computer users took proper precautions. "Everybody was looking for it." However, Cohen also cautioned, "This is a long-term sort of threat. It's like biological warfare." Speaking with the Reuter Financial News Service, John McAfee, chairman of the Computer Virus Industry Association, said he saw no rise yesterday in reported computer virus problems, which he said usually number 30 to 40 a day. Elsewhere, Winn Schwartau, president of American Computer Security Industries Inc., told Reuter he had been informed of 25 outbreaks of the Friday the 13th version this week at organizations ranging from universities to banks. "It's not Armageddon -- it's not going to all come at once crashing down around us," he said, but he added the impact actually could last for months as new strains develop. He said the customer base of his company, which was started five years ago, has increased 50 to 100 times in the past 30 days because of fear of the viruses after rumors began spreading in late August. He also said accurate virus reports are difficult to gauge, because most companies consider the damage to be confidential information. "Major corporations don't want the publicity," Schwartau said. -- ONLINE TODAY'S BACKGROUNDER: COMPUTER "VIRUS," PART SIX (Editor's note: Computer "viruses" -- self-propagating programs that spread from one machine to another and from one disk to another -- have been very much in the news. This file contains virus-related stories carried by Online Today's electronic edition beginning in late October 1989.) VIRUS DESTROYS DATA IN TOKYO (Oct. 30) An official at the University of Tokyo has confirmed a computer virus has caused at least minor damage to some research information at the school. A representative of the university's Ocean Research Institute has told The Associated Press the virus was detected earlier this month in four or five of the center's 100 computers, but was believed to have first infected the computers last month. The official who requested anonymity told the wire service the virus was found only in personal computers being used by researchers, and not major computer systems, adding the damage was not serious. The source declined to give further details, but AP says the Japan Broadcasting Corp. has reported a virus also had been found in computers at the university's Earthquake Research Institute. That report said the virus was the most sophisticated yet detected in Japan, where the problem is not widespread. -- 10 PERCENT OF CHINESE COMPUTERS STRUCK BY VIRUSES, NEWSPAPER SAYS (Nov. 5) A newspaper in Beijing reports 10 percent of China's some 300,000 computers have been struck by computer viruses. The Xinhua Chinese news service quotes a report yesterday in the China Daily as saying three types of viruses have been found so far, called "small ball," "marijuana" and "the shell." The paper says universities and statistical bureaus have been particularly hard hit by the viruses. Reporting on a computer security conference in the southwest city of Kunming, the English-language daily quoted Yang Zhihui, deputy chief of the Ministry of Public Security's computer security department, as saying, "We have already worked out some vaccination and sterilization programs for the virus." Yang said the wide variety of computers in use in China -- both foreign and domestic -- makes it hard for a sweeping sterilization campaign to be carried out. The newspaper said the estimate that one in 10 Chinese system have been virus victims was reached by the Ministry of Public Security following a survey last August. The paper did not say how many, if any, computers in China were struck by the well- publicized "Friday the 13th"/"Datacrime" viruses last month. However, regarding the "small ball" virus -- which reportedly was found in statistical bureaus in 21 provincial, municipal and regional offices -- the paper gave this description of an attack: "A computer was doing its word processing, the cursor blinking brightly on the screen. Suddenly, a jumping white ball appeared. Then a second one and a third. Slowly the screen was full of them. Operation stopped." The paper said the "small ball" virus can slow down or halt computer operation, but it does not appear to affect memory. -- CONGRESS URGED TO BE CAUTIOUS IN WEIGHING ANTI-VIRUS/WORM LAWS (Nov. 8) The president of the Computer and Business Equipment Manufacturers Association says Congress should be cautious in making laws to fight computer viruses, because, "Like the swine flu vaccine of the 1970s, these anti-virus bills could end up doing more harm than good." In remarks prepared for a hearing of the House Judiciary subcommittee on criminal justice, John L. Pickitt added, "Outlawing some of the programming techniques used to create computer viruses might prevent the use of similar programs for beneficial purposes, including countering a virus." Associated Press writer Barton Reppert notes Pickitt, whose Washington-based trade association represents companies with combined sales of more than $230 billion, aimed his criticism at three anti-virus bills, including those sponsored by Reps. Wally Herger, R-Calif., C. Thomas McMillen, D-Md., and Edward J. Markey, D-Mass. "The same sharing techniques which make computer networks vulnerable to virus attack can also be responsible for breakthroughs in electronics and telecommunications technology," Pickitt said. "While Congress may wish to clean up some of the language in the current laws ... we urge Congress to act cautiously in considering new criminal statutes to deal with computer viruses." Of bills currently under consideration, Reppert observed: -:- Herger's measure would impose penalties of up to 20 years in prison on people convicted of "interfering with the operations of computers through the use of programs containing hidden commands that can cause harm." -:- The McMillen bill seeks to punish anyone who "willfully and knowingly sabotages the proper operation of a computer hardware system or the associated software." -:- Markey's proposal is to make the introduction of a virus into an interstate electronic network a federal crime. -- CONGRESS HEARS TESTIMONY ON THE COST OF VIRUS ATTACKS (Nov. 9) A computer security official with the EDP Auditors Association has estimated for Congress that "hundreds of thousands" of computer virus attacks have occurred in recent years on the systems of American corporations and the government. However, most attacks go unreported, said specialist Carolyn Conn, "because there is not a high expectation of successful prosecution." Also, she said, "Organizations do not want to publicize their vulnerabilities when seemingly there is little or no benefit" from public disclosure. Associated Press writer Barton Reppert, covering Conn's appearance yesterday afternoon before the House Judiciary subcommittee on criminal justice, quoted her as testifying that the costs of viruses are "staggering." Said Conn, "Viruses have cost corporations, government agencies and educational institutions millions of dollars to prevent, detect and recover from computer virus attacks." Conn, whose Illinois-based EDP Auditors Association represents some 9,000 electronic data processing professionals across the country, made her estimate of the number of virus attacks in response to questions by the congressional subcommittee. Reppert reports the panel chairman, Rep. Charles E. Schumer, D-N.Y., asked her for a estimate of the overall number of virus attacks that have occurred in recent years. "Is it tens, is it hundreds, is it thousands?" he asked. Ms. Conn replied, "I think probably in the hundreds of thousands." -- BAR ASSOCIATION FEARS LOOPHOLES IN EXISTING VIRUS/WORM LAWS (Nov. 13) The chairman of the American Bar Association's task force on computer crime has told a House subcommittee he is concerned about loopholes in existing laws that cover computer viruses, worms and similar rogue programs. "There are clearly some types of computer virus activity that would be beyond the terms of the current statute," Joseph B. Tompkins Jr. testified recently before the House Judiciary subcommittee on criminal justice. Associated Press writer Barton Reppert reports Tompkins and other witnesses posed several questions about activities that they said might fall through the cracks of ambiguous federal laws, such as: -:- If a renegade programmer sends a program containing a hidden virus to a computer bulletin board system, can he or she then be prosecuted for harm that results when other BBS users transfer the software into their own systems? -:- Can virus/worm authors be successfully prosecuted if they claim they really didn't have any malicious intent, but instead were merely trying to pull off an innocent prank or aiming to demonstrate existing weaknesses in security? Witnesses said that under current federal law, the answer to both questions is "maybe." Tompkins said the Computer Fraud and Abuse Act of 1986 -- which makes it a federal crime to "intentionally access a federal interest computer without authorization and alter, destroy or damage information in such computer or prevent authorized access to such computer if such conduct causes the loss of $1,000 or more during any one-year period" -- is not clear enough. For instance, he testified, "The statute does not in clear terms cover the intentional implantation of a computer virus in a computer which one is authorized to access, even if the perpetrator clearly intended harm or the virus in fact caused significant harm." He said the law also has been attacked as unconstitutionally vague. "While these arguments are probably overstated, clarifying the statute might prevent such arguments from being raised and might encourage prosecutors to make more frequent use of the statute," Tompkins said. -- `CONDOMS' FOR DISKS MAKE GAG GIFT (Nov. 27) In Christmases past, gag gifts for computerists have ranged from chocolate disks to empty "vaporware" packages. This year.... well... A Fremont, Neb., firm called Tekservices Inc. has announced "Safedisk," a product described as a "poly floppy disk condom." The Associated Press notes word of Safedisk spread recently after TV talk-show host Arsenio Hall tittered about it on his late- night program. Stephen Nabity -- the 33-year- old "Dr. Safedisk" -- told AP he got the idea while watching a news broadcast about a predicted outbreak of computer viruses earlier this autumn. "It came to me that people should practice safe whatever-they-do," Nabity said. "A lot of computer viruses were going around." He acknowledged his product doesn't actually protect against viruses, but he hopes that, at $7.95, it will be considered a possible stocking-stuffer for computer buffs. -- COMPANY OFFERS VIRUS INSURANCE (Dec. 2) Allstate Insurance Co. may be the first insurer to reimburse customers who encounter the destruction of programs and data caused by computer viruses. Currently, the company offers inexpensive riders to its homeowners and renters insurance to cover other types of damage to personal computers. The new virus coverage is included at no additional cost for customers who currently have in effect a Standard Electronic Data Protection Policy. The data protection policy was originally designed for owners of small businesses. Though existing virus protection insurance carries a $100,000 limit, higher amounts are available at an additional cost. No claims have yet been filed on any of the policies currently in force. Until recently, Safeware was the only mass-market insurer with a large base of policies issued to owners of personal computers. The company specializes in insuring computer equipment against theft, natural disasters and accidental damage. It does not pay for damages caused by electrical problems or viruses. -- BRITISH GROUP WARNS OF POSSIBLE TROJAN HORSE IN AIDS INFO DISK (Dec. 13) In London, the chairman of a PC users group is warning computer users to avoid a mailed floppy disk that purports to give information about AIDS. He says the disk might contain a "Trojan horse" sabotage program. Speaking with The Associated Press, Dr. Alan Solomon, who leads the IBM Personal Computer Users Group, said several thousand of the disks -- called "The AIDS Information Introductory Diskette" -- have been mailed to computer users. Solomon, who also heads a British company called S and S which specializes in the examination of computer viruses, said users' addresses may have been taken from computer magazines. He said the full effect of the suspected Trojan horse program are not yet known. He told AP he received one of the disks in the mail on Monday bearing a Panama postal box address. He said he feared more could arrive in the mail this week. Said Solomon, "There is no urgent panic in the short term but if (the disk) has already been installed I would advise (computer users) to seek urgent help because it is a nasty thing." He commented that few experienced computer users would risk installing an unsolicited disk without first checking it, but that some less experienced users might. AP says a letter accompanying the disk asks for payment of $189 for one type of license and $378 for another. -- VANDALIZED AIDS INFORMATION DISK WORRIES COMPUTERISTS WORLDWIDE (Dec. 14) Word out of London of an apparently vandalized computer diskette has caused concerns among AIDS researchers around the world and now has prompted one computer virus expert to call the incident a "well-orchestrated and undeniably well-financed terrorist act." As reported here, Chairman Alan Solomon of London's IBM Personal Computer Users Group was first to sound a warning to computer users to avoid a mailed floppy disk called "The AIDS Information Introductory Diskette," because, he said, the software might contain a "Trojan horse" sabotage program that destroys data. Since that announcement, there have been these developments, according to The Associated Press in Britain and in the US: -:- London's Scotland Yard issued a warning to banks, hospitals, universities and other institutions to be on guard against the disk. Investigators there say the disks have destroyed information in at least 10 computers. -:- Among those reported to have received the disks are the London Stock Exchange, British Telecommunications PLC, which runs most of the nation's phone network, the Midland Bank, Lloyds Bank, the Australia and New Zealand Bank in London, as well as universities, hospitals and public health laboratories. -:- The British newspaper The Guardian reports computer systems in hospitals are among those damaged. It said the disks also turned up in California, Belgium and Zimbabwe but gave no details. -:- The British domestic news agency Press Association quotes an unnamed Health Education Authority spokesman as saying a contact in Norway also received a disk. -:- In the US, the Rand Corp., which has 15 people working on acquired immune deficiency syndrome research, has warned its employees. Ann Shoben, a spokeswoman for the Santa Monica, Calif., research firm, told AP, "We're safe. We have not been hit. The concern is for others that use personal computers and those who work on AIDS research might pick up this program and have their databases destroyed." -:- Also in the US, Chase Manhattan Bank reportedly was one of the first to report problems with the software. As reported yesterday, several thousand disks were believed to have been mailed to London area computer users. Officials there say users' addresses may have been taken from computer magazines. Now the UK police say many of the disks were mailed in London's South Kensington district. A letter accompanying the disk asks for payment of $189 for one type of license and $378 for another. The letter warns that if the money is not paid, the sender will use program mechanisms to stop a computer functioning normally. Also, the program carries this ominous advisory: "Warning: Do not use these programs unless you are prepared to pay for them." Joe Hirst, former technical editor of Virus Bulletin and a consultant on computer software, told AP's Michael West in London there are two programs on the disk. "The first," Hirst said, "is an installation program and the second is a questionnaire on the risk of AIDS which will not run unless it is installed on a hard disk. It then prints off an invoice for a company in Panama, but the damage has already been done by the installation." Apparently, that Panama company is bogus. The London Guardian newspaper quotes the letter as saying the money demanded should be sent to "PC Cyborg Corporation" at a box number in Panama. However, neither the corporation nor the box number -- 87-17-44 -- exists. (The Guardian adds that the American computer software company called Cyborg Systems and its British subsidiary sent warnings to customers yesterday that it was not involved in this incident.) AP's West said computer companies in UK believe addresses for receiving the disks were obtained from PC Business World, a British weekly trade paper on computing. Police say PC Business World sold its 700-name mailing list in good faith to someone claiming he wanted to publicize the export of computers to Nigeria. Another London newspaper, The Independent, reports the list was bought for about $1,300 by a Kenyan businessman identified as "E. Ketema." Says the paper, "Mr. Ketema had taken out a short-term subscription with The Business Center in New Bond Street, London, to receive mail and telephone messages on his behalf while he was in the country from Oct. 31 to Nov. 30. He described himself as an accountant, but the center does not know his first name, nor does it have a forwarding address." Meanwhile, in the US, the Rand Corp. said it warned its employees of the disk after receiving an advisory from computer virus expert John McAfee. McAfee, chairman of the Computer Virus Industry Association of Santa Clara, Calif., told AP writer Louinn Lota it is unusual for his group to issue such a blanket warning against a particular disk, but because he has received calls from PC users around the world, he believes the threat is real. "This is not a hoax," McAfee said. "This is not a simple case of a hacker in a back bedroom somewhere. It is a well orchestrated and undeniably well financed terrorist act. Few groups or individuals can afford to waste hundreds of thousands of dollars to bring harm to a party and bring nothing in return." He said he believes the topic of AIDS was used by the creator of the damaging program because many computer users are likely curious about the disease. People are encouraged to use the disk because it is advertised as being able to predict the chances a person has of contracting AIDS, he said. "Unlike an accounting program," McAfee added, "this is a subject everyone is aware of and virtually all people will want to learn more about risks of having AIDS." -- MICROCOM BUYS ANTI-VIRUS COMPANY (Dec. 26) For undisclosed terms, software publisher Microcom Inc. has acquired HJC Software Inc., a Durham, N.C., firm that markets programs for detecting and eliminating viruses in Apple Macintosh systems. In a statement from Norwood, Mass., Microcom says the virus software product line -- called Virex -- will be integrated with its own Carbon Copy Plus and Relay Gold communications packages. Microcom President/CEO James M. Dow said the Virex products "are a key addition to our strategy of providing comprehensive network administration and management tools for the end user." Dow noted that because of the large number of users sharing files, PCs and their networks "have been especially vulnerable to viruses." He said the Virex product line "will substantially reduce the likelihood of catastrophic failure for many PC and PC network users." -- From 1990 files: NEWSBYTES COMPUTER HIT BY VIRUS (Jan. 2) Newsbytes News Service reports the Apple Macintosh SE/30 used at its San Francisco headquarters was infected just before Christmas by what the editor describes as one of the faster- spreading computer viruses on record, called WDEF A and WDEF B. "Before the problem was pinpointed," editor Wendy Woods reports, "the virus had spread to every unlocked floppy disk and hard disk in use." Woods quotes John Norstad of Northwestern University as saying the virus that struck Newsbytes was discovered in early December by programmers in Belgium. Since then, he said, it has spread throughout the US in the past few weeks and now is reported at "virtually every major university." The WDEF virus is said to cause Mac windows to close, icons to fail to appear, files to be listed as "locked," system error messages to flash on the screen and applications to crash and sometimes causes the computer to fail to start at all. Norstad -- author of Disinfectant, a free program that combats the virus -- told Newsbytes that WDEF infects the invisible Desktop files used by the Mac's Finder. It does not infect applications, document files or other system files. "Unlike the other viruses," Woods reported, "it is not spread through the sharing of applications, but rather through the sharing and distribution of disks, usually floppy disks." Norstad says the virus can be removed easily: hold down the option and command keys until the complete desktop has appeared on screen; this procedure rebuilds the desktop and eradicates the virus, he said. Also, his free Disinfectant 1.5 now is appearing in the libraries of most major Macintosh services online. According to Norstad, the virus doesn't intentionally do damage, but it can cause performance problems on Appleshare networks with Appleshare servers. Newsbytes said there have been at least two reports that WDEF can damage disks. "The virus is known to create havoc at the Desktop level of a computer," the wire service said, "but also causes crashes when a file is saved under Multifinder. It causes problems with the proper display of font styles, the outline style in particular. When an infected disk is loaded into a Mac IIci or Portable, the computer will crash."