From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #9
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Wednesday, 15 Jan 1992 Volume 5 : Issue 9
Today's Topics:
Re: More Stoned virus questions (PC)
Dir-II/Other Stuff (PC)
Information on the 109 Virus (PC)
Making DIR of a contaminated floppy (PC)
Re: Looking for info on "Friday the 13th" virus (PC)
Re: 1575/1591 Virus (PC)
Re: VIRUS at AT286 in SCAN85 (PC)
Re: Joshi Virus and IDE Hard Drives (PC)
VSHIELD and MS WORD - incompatible ??? (PC)
re: DOS Virus Infects UNIX box (PC) (UNIX)
Re: New Antivirus Organization Announced
Re: New to the forum - question
Re: Gulf War "virus"
updated version of Padget's FixMBR (PC)
Report: 8th Chaos Computer Congress
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 15 Jan 92 15:30:00 +1300
From: "Nick FitzGerald" <CCTR132@csc.canterbury.ac.nz>
Subject: Re: More Stoned virus questions (PC)
JGUNDERSON@cudnvr.denver.colorado.edu writes:
>
> Another quick Stoned 3 question. At the University of Colorado
> (Denver) we got hit hard by the inadvertent mass release of the FORM virus
> last year. I found myself spearheading the process of cleaning up and
> hardening the defenses of one of our computer labs. I would like to be
> ahead of the game if the Stoned 3 release hits us.
> We have been relying on Simon McAuliffe's NoStone as an ongoing
> defense against Stoned, however I notice that the Stoned 3 variant is
> listed as a stealthed variety. Does anyone know if NoStone v4.1 (released
> June 1990) will do any good?
Can't say for sure, but I suspect not. As several better-qualified than
I have already mentioned, what McAfee calls Stoned-III, others know as the
NoINT virus.
A further word of warning about NoStone - if you are at all likely to
run up against a virus from the Empire family, be very cautious in your
use of NoStone. In my tests with Empire A, NoStone reports a Stoned-II
infection. If you tell NoStone to disinfect it writes Empire's
"encrypted" message to your HD's MBR sector (Empire stores original MBR
at 0,0,6 and message at 0,0,7 - Stoned puts MBR at 0,0,7). Similar
problems occur with NoStone and Empire A on floppies. Other members of
Empire family _may_ have similar effects.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337
------------------------------
Date: Tue, 14 Jan 92 22:41:00 -0500
From: <RUTSTEIN@HWS.BITNET>
Subject: Dir-II/Other Stuff (PC)
For those of you still attempting to track the spread of the DIR-II, I
had a confirmed report yesterday of a single machine infected in the
country of Jordan. The actual path of infection is unknown at this
time. As most should know by now, DIR-II is not at all dangerous
(relatively), but does spread rapidly and is a bit of a curiosity.
Removal is simple using only DOS commands....
In other news, the National Computer Security Association (NCSA) BBS
is now fully operational with 5 lines up and running. Number is (202)
364-1304, with the first four lines 9600 V.32, fifth at 2400 MNP.
On-line is virus and security info of all types, latest copies of
anti-virus shareware and P/D software, info on NCSA and other
anti-virus organizations, etc. {In the interest of full disclosure, I
should mention that I've been working on the BBS for NCSA for several
weeks now and pouring blood, sweat, and tears into it :) }
Is anyone out there using a disassembler other than Sourcer which you
feel is superior in some way? If so, how about passing along some
info?
Charles
***************************************************************************
Rutstein@HWS.BITNET (Charles Rutstein)
****************************************************************************
------------------------------
Date: Sat, 11 Oct 80 06:50:11 -0800
From: Oliver.Steudler@p109.f121.n7102.z5.fidonet.org (Oliver Steudler)
Subject: Information on the 109 Virus (PC)
Virus Name : 109 Virus
Aliases : None
Discovery : January 1992
Type : File Virus
Origin : Unknown
General Comments :
The 109 Virus is a non-resident, direct action .COM file
infector isolated by the Virus Resource Centre in January
1992. It contains no text or payload and is a simple, yet
very effective replicator.
Infection :
When an infected program is executed, the 109 virus will
infect all .COM files in the current directory (this may
include COMMAND.COM), that meet the following conditions,
adding 109 bytes to the beginning of infected programs.
a) The file must be a .COM file with a file size between
2 bytes and 64 Kb.
b) If the 1st byte is BEh, assume that the file is already
infected and proceed with the next file.
c) The file must have normal attributes, so if it is marked
hidden or read-only, the virus will not infect the
program.
No critical error handling is done and the file time and
date stamps will be changed when the virus infects the
program.
Damage :
The 109 virus contains no malicious code and was designed
as a simple replicator.
The virus may however do damage to a program that is
larger than 65427 bytes. Because the infected program
would then be larger than 64 Kb, the end of the infected
program will be lost.
Detection :
The 109 virus can be found using a simple hex signature
string :
BE 00 01 56 8C C8 80 C4 10 8E C0 33 FF
Oliver Steudler, Virus Resource Centre (CT)
Mail : P.O.Box 4397, Cape Town, 8000, South Africa
Internet : Oliver.Steudler@p109.f121.n7102.z5.fidonet.org
Fidonet : 5:7102/121.109
Phone : +27 (021) 24-9504 (GMT +2)
Fax : +27 (021) 26-1911
Peter Stoffberg, Virus Resource Centre (JHB)
Mail : P.O.Box 1081, Northriding, 2162, South Africa
Fidonet : 5:7101/32
Phone : +27 (011) 787-7521 (GMT +2)
- --
uucp: uunet!m2xenix!puddle!5!7102!121.109!Oliver.Steudler
Internet: Oliver.Steudler@p109.f121.n7102.z5.fidonet.org
------------------------------
Date: Wed, 15 Jan 92 11:26:50 +0700
From: Josep Fortiana Gregori <UBAESQ01@EBCESCA1.BITNET>
Subject: Making DIR of a contaminated floppy (PC)
Can someone explain the following sequence of events:
1. Boot from a clean write-protected floppy
2. SCAN C:\ /m /chkhi
>> No viruses found
3. SCAN B:\
>> Found Anti-Tel Virus A-Vir! in boot sector
4. DIR B:
5. SCAN C:\ /m /chkhi
>> Found Anti-Tel Virus A-Vir!
active in memory
My conjecture is that the boot sector is read in one of the
DOS buffers, so that the virus is present in memory as data,
not code (so it is not active).
Is that correct?
Josep
......................................................................
Josep Fortiana
Departament d'Estadistica
(Facultat de Biologia) Phone : 34 - 3 - 4021561
Universitat de Barcelona E-mail: ubaesq01@ebcesca1.bitnet
Av. Diagonal 645
08028 - Barcelona (also ubaesq01@puigmal.cesca.es)
SPAIN
------------------------------
Date: 15 Jan 92 09:10:39 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Looking for info on "Friday the 13th" virus (PC)
frisk@complex.is (Fridrik Skulason) writes:
> There are around 20 viruses which activate on Friday the 13th, such as
> "South African" (which may not be South African at all), Jerusalem (with a
> bunch of variants), Datacrime (well, sort of...), Relzfu (Fake-VirX),
> Monxla, Leningrad and Omega.
> Unfortunately the available information is not specific enough to determine
> which virus is the cause in this case.
Yes, but the original poster said that his disk was formatted on
13-Dec-1991. This excludes the Jerusalems and the South Africans, and
also Datacrime. If I remember correctly, Monxla, Leningrad, and Omega
do not format the disk... Or am I wrong? Does any of it at least
overwrite it? Maybe this has been misinterpreted as formatting... And
I can't remember what Relzfu does when it activates... :-(
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 15 Jan 92 11:20:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 1575/1591 Virus (PC)
harvey@oasys.dt.navy.mil (Betty Harvey) writes:
> QUESTION: Does anyone have any information on this virus? I am interested
> in finding more about this virus since the odds are I will see
> this little green fellow again. Thanks!
The virus is a resident COM and EXE files infector. When an infected
file is run, the virus in it first checks for a file, named
C:\COMMAND.COM and if it exists, infects it. (If the file does not
exist, the computer just hangs.) Once the virus is resident in memory,
it infects on FindFirstFCB and FindNextFCB (INT 21h/AH=11h, INT
21h/AH=12h) functions. Therefore, it infects files during the DIR
command. Only files in the directory being examined are infected. The
executable files and their types (COM or EXE) are recognized by their
extensions, and not by the magic number in the first two bytes (MZ or
ZM for EXE files, anything else means a COM file). The files that are
already infected have the last two bytes equal to 0Ch, 0Ah.
The "show" with the green caterpillar is activated when a file which
has been infected for over two months is run, COMMAND.COM is already
infected, and there is a copy of the virus already resident in memory.
Some infected EXE files may refuse to run due to a bug in the virus.
There are 6-7 variants of this virus, but they are essentially the
same.
Hope the above helps.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 15 Jan 92 11:49:58 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VIRUS at AT286 in SCAN85 (PC)
DVORACEK@CSEARN.BITNET (Jarda Dvoracek) writes:
> In Czechoslovakia, I got some new virus with the SCANV85.ZIP from some
> BBS. It makes all .COM, .EXE and .ASM files 10 bytes longer, the first
> 6 bytes are:
> F0 FD C5 AA FF F0
> No antivirus program has detected it, except for those watching files'
> length.
:-))) C'mon, calm down, it's not a virus! Just you (or somebody else)
are running SCAN with the /AV switch. This means to add checksum
information to the files and the F0FDC5AAFFF0 is just the identifier
that SCAN uses to tell whether the file is already "certified" or
not.
You can remove those by running SCAN again, this time with the /RV
switch instead.
To the McAfee people: I have always said that messing with other
people's files is a VERY BAD idea! Don't touch them! (And, of course,
don't create hundreds of tiny hidden files, as Norton's anti-virus
does...) The checksums MUST be kept separately in a database, the name
of which must be selectable by the user.
> During 3 days it has infected all files but COMMAND.COM, some of them
Yeah, I think that SCAN is "clever enough" not to touch this file...
> worked normally, several terminated just after calling them.
Ha, this is not normal. They should run (unless they perform some kind
of self-check themselves, but I don't believe that this is your case).
Maybe they are damaged by something else. Anyway, the problem that you
are reporting, is caused by SCAN, not by a virus.
> It is possible that it writes in FAT1 - into last sectors.
Well, at least SCAN doesn't... :-) Check its validation codes to make
sure that it has not been tampered with (although unmodified
validation codes do not prove anything).
Hope the above helps.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
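The three file-level markers described in this digest (Oliver Steudler's 109 virus signature and infection conditions, Vesselin's note that 1575/1591-infected files end in 0Ch 0Ah, and the 10-byte F0 FD C5 AA FF F0 validation code that SCAN /AV appends and SCAN /RV removes) are easy to confuse when all one sees is "files grew by a few bytes". The following is an added example, not code from any of the posts, from McAfee, or from the Virus Resource Centre; it classifies a file image by those markers and undoes the two that are reversible. Two details are inferences rather than statements from the posts: that the host program follows the 109-byte prepend unchanged, and that the /AV code is exactly the last 10 bytes of the file. The sample file images are constructed for the example and contain no viral code.

```python
"""Byte-level triage for the three file markers described in the posts above.

Added example: not code from the original posts, from McAfee, or from the
Virus Resource Centre. Marker values are taken from the digest:
  * 109 virus  - prepends 109 bytes to .COM files; treats a first byte of
                 BEh as "already infected"; 13-byte detection signature.
  * 1575/1591  - infected COM/EXE files end with the two bytes 0Ch 0Ah.
  * SCAN /AV   - appends a 10-byte validation code whose first six bytes
                 are F0 FD C5 AA FF F0; not a virus, SCAN /RV removes it.
Inferences (not stated in the posts): the host follows the 109-byte prepend
unchanged, and the /AV code is exactly the last 10 bytes of the file.
"""
from __future__ import annotations

import os

SIG_109 = bytes.fromhex("BE 00 01 56 8C C8 80 C4 10 8E C0 33 FF")
LEN_109 = 109
MAX_HOST_109 = 65536 - LEN_109  # 65427 bytes: larger hosts lose their tail on infection

TRAILER_1575 = b"\x0c\x0a"
SIG_SCAN_AV = bytes.fromhex("F0 FD C5 AA FF F0")
LEN_SCAN_AV = 10


def classify(data: bytes) -> list[str]:
    """Return the markers present in one file image, in a fixed order."""
    hits: list[str] = []
    # The virus' own "already infected" test (first byte BEh) is also the first
    # byte of the published signature, so the two checks agree on infected files.
    if data[:1] == b"\xbe" and data.startswith(SIG_109):
        hits.append("109")
    # A two-byte trailer is weak evidence on its own (one random file end in
    # 65536 matches), so treat this as a lead to confirm, not a verdict.
    if data.endswith(TRAILER_1575):
        hits.append("1575/1591")
    if len(data) >= LEN_SCAN_AV and data[-LEN_SCAN_AV:].startswith(SIG_SCAN_AV):
        hits.append("scan-av-trailer")
    return hits


def strip_109(data: bytes) -> tuple[bytes, bool]:
    """Remove the 109-byte prepend. Returns (host, truncated); truncated means
    the infected image hit the 64 KB .COM limit, so the original host was
    larger than 65427 bytes and its end is unrecoverable."""
    if "109" not in classify(data):
        raise ValueError("no 109 prepend at start of file")
    return data[LEN_109:], len(data) >= 65536


def strip_scan_av(data: bytes) -> bytes:
    """Undo SCAN /AV by dropping the 10-byte validation code (what /RV does)."""
    if "scan-av-trailer" not in classify(data):
        raise ValueError("no SCAN /AV validation code at end of file")
    return data[:-LEN_SCAN_AV]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Classify every file under root; only files with at least one hit are listed."""
    report: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = classify(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample images (no viral code): a five-byte clean .COM that just
# terminates, plus the same program carrying each marker.
CLEAN_COM = b"\xb8\x00\x4c\xcd\x21"                      # MOV AX,4C00h / INT 21h
SAMPLE_109 = SIG_109 + bytes(LEN_109 - len(SIG_109)) + CLEAN_COM
SAMPLE_1575 = CLEAN_COM + b"\x90\x90" + TRAILER_1575
SAMPLE_SCAN_AV = CLEAN_COM + SIG_SCAN_AV + b"\x12\x34\x56\x78"  # four stand-in checksum bytes

if __name__ == "__main__":
    for label, img in [("clean", CLEAN_COM), ("109", SAMPLE_109),
                       ("1575", SAMPLE_1575), ("scan /av", SAMPLE_SCAN_AV)]:
        print(f"{label:9s} {len(img):4d} bytes -> {classify(img) or 'nothing found'}")
    print("109 stripped ok:", strip_109(SAMPLE_109) == (CLEAN_COM, False))
    print("/AV stripped ok:", strip_scan_av(SAMPLE_SCAN_AV) == CLEAN_COM)
```

`scan_tree` is the part you would point at a suspect directory; the rest works on bytes so it can be checked against constructed images first. Note that the /AV code makes `classify` report a "changed" file that a length-watching integrity checker would also flag, which is exactly the confusion in Jarda's report; the marker lets you tell the two apart before reaching for a disinfector.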
------------------------------
Date: 15 Jan 92 08:13:55 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Joshi Virus and IDE Hard Drives (PC)
mcafee@netcom.netcom.com (McAfee Associates) writes:
> In any case, if CLEAN-UP says that a virus cannot safely be removed from
> the partition table, you have several options available to you other
> then doing a low-level format.
> 1. If you're so inclined, you can copy the partition table off of
> an identically partitioned hard disk and copy it over the PT of
> the infected hard disk.
Don't do that, unless you perfectly know what you are doing! It is
dangerous; you can destroy all your information on the disk. The
keyword here is "identically". If the other disk is not really
IDENTICALLY partitioned (and with the same size/type/etc.), then
copying its partition table may have unpredictable results. The
problem is that you might not recognize that the partition is not
perfectly identical if you are not knowledgeable enough, so better
don't try it!
> 2. If you have MS-DOS 5.00, you can run the DOS FDISK command with
> the /MBR option. This is an undocumented switch in the FDISK
> command that replaces the Master Boot Record code (alias partition
> table) while leaving the data portion intact.
This is the best solution. However, it requires a DOS 5.0 system
diskette.
> 3. Use a sector editor to change the last two bytes of the partition
> table, which are "55 AA" to anything else. This will invalidate
> the partition table information, and you can then re-FDISK and
> FORMAT the disk.
This is no better than low-level formatting the disk - you'll still
lose the whole information on it.
An alternative is to use a sector editor (like Norton Utilities), to
look at track 0, side 0, sector 9 (this is where Joshi stores the
original master boot sector), and if it contains a valid
partition table and a master boot program, to copy it over track 0,
side 0, sector 1. Again, this is dangerous and should be done ONLY if
you know what you are doing!
Of course, all this must be done ONLY after booting from a
non-infected, write-protected system diskette, since Joshi is a
stealth virus.
> Naturally, there is always a small amount of risk in doing any of this, so
One can argue about the actual amount of risk, but as you say
> it's always a good idea to make a backup of the hard disk before proceeding.
This is really a good idea.
> Another possibility is that you do not have the virus at all and instead are
> experiencing a "ghost" effect, that is, when a fragment of viral code is left
> at the end of a file somewhere on the disk that is loaded into memory with
> the file and causes a false alarm. This can be fixed by running a disk
> optimizing program to defragment the disk, or there's a program somewhere in
> the simtel archives called COVERUP or COVERUP1 that will null-out the ends
> of files.
Wait Aryeh, the original poster speaks about Joshi! And Joshi is a
master boot sector infector, so how can a ghost false positive be
fixed by optimizing the disk?! The ghost (the small amount of inactive
code which was left after the disinfection) resides in the partition
table, not in the files! BTW, when CLEAN disinfects the hard disk,
does it overwrite the whole virus or does it just write a valid master
boot program on it? Maybe this is what is causing the ghost alert?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
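Vesselin's alternative (look at the sector where Joshi parks the original MBR and copy it back only "if it contains a valid partition table and a master boot program") needs a concrete notion of "valid". The following is an added example, not the posters' code and not FixMBR, CLEAN or a Norton sector editor; it vets a 512-byte sector before it is written over track 0, side 0, sector 1. Sector locations come from this digest (Joshi: 0,0,9; Stoned: 0,0,7; Empire A: 0,0,6), and on track 0, head 0 CHS sector n is logical sector n-1 of a raw image. The acceptance rules (55AA signature, boot flags 00h/80h, in-range and non-overlapping partitions, at most one active entry, non-zero boot code) are this example's own heuristics, and the 16-sector track image is constructed for the example.

```python
"""Sanity-checking a saved master boot sector before copying it back over
track 0, side 0, sector 1.

Added example; not the posters' code, not FixMBR, CLEAN or a sector editor.
Locations from the digest: Joshi keeps the original MBR at 0,0,9; Stoned at
0,0,7; Empire A at 0,0,6. On track 0, head 0, CHS sector n is logical sector
n-1, i.e. byte offset (n-1)*512 in a raw image of the first track. The
acceptance rules below are this example's own heuristics.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
PT_OFFSET = 0x1BE                       # four 16-byte partition entries, then 55AA
SAVED_MBR_CHS_SECTOR = {"Joshi": 9, "Stoned": 7, "Empire-A": 6}


@dataclass
class Partition:
    boot: int       # 80h active, 00h inactive
    ptype: int      # 00h = unused entry
    start: int      # first logical sector
    size: int       # length in sectors


def parse_partitions(sector: bytes) -> list[Partition]:
    out = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        start, size = struct.unpack_from("<II", sector, off + 8)
        out.append(Partition(sector[off], sector[off + 4], start, size))
    return out


def looks_like_mbr(sector: bytes, disk_sectors: int | None = None) -> tuple[bool, str]:
    """Is this 512-byte sector a plausible MBR (valid partition table plus
    some boot program)? Returns (verdict, reason)."""
    if len(sector) != SECTOR:
        return False, "not 512 bytes"
    if sector[510:512] != b"\x55\xaa":
        return False, "missing 55AA signature"
    if not any(sector[:PT_OFFSET]):
        return False, "no boot code"
    used, active = [], 0
    for p in parse_partitions(sector):
        if p.boot not in (0x00, 0x80):
            return False, f"bad boot flag {p.boot:02x}"
        if p.ptype == 0:
            continue
        if p.size == 0:
            return False, "zero-length partition"
        if disk_sectors is not None and p.start + p.size > disk_sectors:
            return False, "partition beyond end of disk"
        active += p.boot == 0x80
        used.append((p.start, p.start + p.size))
    if not used:
        return False, "empty partition table"
    if active > 1:
        return False, "more than one active partition"
    used.sort()
    if any(b[0] < a[1] for a, b in zip(used, used[1:])):
        return False, "overlapping partitions"
    return True, "ok"


def find_saved_mbr(image: bytes, virus: str,
                   disk_sectors: int | None = None) -> tuple[bool, str, bytes]:
    """Read the sector where `virus` parks the original MBR and vet it."""
    lba = SAVED_MBR_CHS_SECTOR[virus] - 1
    cand = image[lba * SECTOR:(lba + 1) * SECTOR]
    ok, why = looks_like_mbr(cand, disk_sectors)
    return ok, why, cand


def restore_mbr(image: bytes, virus: str) -> bytes:
    """Return a copy of the image with the vetted saved MBR back in sector 1."""
    ok, why, cand = find_saved_mbr(image, virus, len(image) // SECTOR)
    if not ok:
        raise ValueError(f"saved sector for {virus} is not a usable MBR: {why}")
    return cand + image[SECTOR:]


def make_mbr(parts, code: bytes = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c") -> bytes:
    """Build a constructed MBR from (boot, type, start, size) tuples."""
    sec = bytearray(SECTOR)
    sec[:len(code)] = code               # CLI / XOR AX,AX / MOV SS,AX / MOV SP,7C00h
    for i, (boot, ptype, start, size) in enumerate(parts):
        off = PT_OFFSET + 16 * i
        sec[off], sec[off + 4] = boot, ptype
        struct.pack_into("<II", sec, off + 8, start, size)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


# Constructed 16-sector image of track 0: one FAT16 partition, the original MBR
# parked where Joshi would put it (sector 9), and a stand-in for the infected
# sector 1 that keeps the partition table (as these viruses do) but not the code.
ORIGINAL_MBR = make_mbr([(0x80, 0x06, 10, 6)])
_infected = bytearray(ORIGINAL_MBR)
_infected[:PT_OFFSET] = b"\xeb\xfe" + bytes(PT_OFFSET - 2)   # JMP $ placeholder, not viral code
TRACK0 = bytes(_infected) + bytes(7 * SECTOR) + ORIGINAL_MBR + bytes(7 * SECTOR)

if __name__ == "__main__":
    for virus in SAVED_MBR_CHS_SECTOR:
        ok, why, _ = find_saved_mbr(TRACK0, virus, 16)
        print(f"{virus:9s} sector {SAVED_MBR_CHS_SECTOR[virus]}: {why}")
    print("restored:", restore_mbr(TRACK0, "Joshi")[:SECTOR] == ORIGINAL_MBR)
```

Two caveats that follow from the posts. The check only rejects sectors that cannot be an MBR (zeroed, overwritten, or an Empire message sector); it cannot tell a virus' boot code from a legitimate one, since the infected sector 1 in the constructed image also passes, so it complements a scanner rather than replacing it. And as Vesselin says, read the sectors only after booting from a clean, write-protected diskette: a resident stealth virus such as Joshi would otherwise hand back whatever it wants you to see.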
------------------------------
Date: Wed, 15 Jan 92 15:26:52 +0700
From: "Christian Fritze ( 'WonkoTheSane' )" <CKVB33@DDOHRZ11.BITNET>
Subject: VSHIELD and MS WORD - incompatible ??? (PC)
Hi to everybody!
I'm posting the following for a friend who has no net access.
(I think this is not *quite* a virus problem but related closely
enough...)
Virtually yours,
Christian Fritze ( 'WonkoTheSane' )
addresses: ofritze@nyx.cs.du.edu and wonko@m-net.ann-arbor.mi.us
until (and including) feb '92 on ckvb33@ddohrz11.bitnet as well
<fill in your favourite disclaimer here...>
********************** Original MSG follows **********************
We have problems with McAfee's VSHIELD and Microsoft Word 5.0 (German)
while using the mouse. When the mouse cursor is moved rapidly, the
system hangs, except for the mouse cursor. We tried on different computers
(286 and 386, both with AMI-BIOS), with different mouse-drivers
(MS 6.25Z/7.04/8.10), different DOS Versions (MS 3.30/5.00) and with
Word 5.0 installed from different sets of installation disks.
Using DOS 5.00 and MS-mousedriver 8.10 loaded high we at least get the
error-message "Speicherzuordnungsfehler, Command kann nicht geladen
werden, System angehalten", (in english probably: memory usage-error,
command cannot be loaded, system halted).
Our actual Version of vshield is 4.3V84, but the problem appeared also
using V82. Starting parameters are /cv /chkhi /contact.
Trying to remove vshield in a batch and then starting word is
possible, vshield gets inactive, but it's not removed completely.
Using mem /c one can see a 34kByte area of free memory which formerly
belonged to vshield.
Does anybody know the reason for this and/or a way to get around it?
Thanx in advance
------------------------------
Date: Wed, 15 Jan 92 08:31:11 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: re: DOS Virus Infects UNIX box (PC) (UNIX)
>From: bear@fsl.noaa.gov (Bear Giles 271 X-6076)
>Unfortunately, that system had been infected with the 'Stoned' virus.
>This virus overwrote the UNIX BOOT TRACK when the infected DOS was
>booted.
>Result -- no more SVR5. We will probably have to perform a low-level
>format of the disk and rebuild the UNIX from original media.
I posted an in-depth reply to RISKs so will not bother to do so again
since everyone here knows the difference between file infectors and
MBR infectors (besides I deleted the reply being chronically short of
disk space).
In short, while certainly STONED can damage an intel-based UNIX
machine using an IBM-type (what is the proper term anyway ?) BIOS, it
cannot per se infect it since the machine cannot boot properly & so
cannot spread. Whether repair is as simple as booting with DOS and
running my FixMBR (which should be compatible, as should SafeMBR)
depends on whether or not there was anything important in absolute
sector seven just like a DOS Stoned recovery depends on the type of
FDISK used to format the disk.
The real message though is that while a DOS MBR or BR infector could
DAMAGE SOME intel-based UNIX boxes, at least at the moment, there are
no DOS/Unix viruses that I know of.
Cooly (43 this morning)
Padgett
------------------------------
Date: 15 Jan 92 09:15:14 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Antivirus Organization Announced
RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes:
> Virus Busters Join Hands -- The Antivirus Methods Congress, a
> newly formed organization to combat computer viruses, was announced
> last week with the goal of bringing users, vendors and researchers
> together to tackle virus attacks on networks in the private and
> government sectors.
> Dick Lefkon, associate professor at New York University and chair-
> man of the new group, said the organization already has 50 members,
> including representatives from Martin Marietta Corp., the
> insurance industry, the state of Arizona's legal department,
Well, I see that they have already got the users... :-)
> Northern Telecom, Inc. and universities in Hamburg, Germany, and
> Iceland.
Aha, here are some researchers... :-)
> Any typos are without a doubt mine! (BTW, anyone have a list/whatever of
> existing antivirus orgs? Just curious.)
Well, to be honest, I have never heard about that. But, I can speak
only about myself; I'll ask Prof. Brunnstein whether he knows
something on the subject (he is the head of the Virus Test Center at
the Hamburg University) and will inform you.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Wed, 15 Jan 92 16:11:21 +0000
From: geoffb@coos.dartmouth.edu (Geoff Bronner)
Subject: Re: New to the forum - question
LUSTIG@wsmc-mis.af.mil (LUSTIG, ROB L.) writes:
>Greetings, I am new to this area and wonder how often people actually
>come across virui? I have found only a couple per year crop up and
>haven't had one actually do any real damage (except to people's egos).
This is something that varies from site to site, I'm sure. Dartmouth
is a site that is very prone to viruses, we have many inexperienced
mac users on the campus who have the ability to share files all the
time. Viruses get here very quickly on visitors disks or via ftp and
spread rapidly once they do arrive. How often you find them depends.
I would say that the average user here who is running Disinfectant
INIT (most do) sees viri very rarely. A couple times a year maybe.
Since I run a cluster and support dozens of macs and ibms directly I
see them more often. Even so, things are better. 3 or 4 years ago I
could expect to see an infected disk or hard disk every day. After
several years of spreading inits like Disinfectant INIT and Gatekeeper
Aid around I see an infected disk maybe once a week. Usually on the
anti-viral scanning station at the entrance to the cluster I run.
- -Geoff
- --
geoffb@Dartmouth.EDU - Computing Support Technician, Tuck School of Business
"The powers not delegated to the United States by the Constitution, nor
prohibited by it to the States, are reserved to the States respectively,
or the people." - United States Constitution, Amendment X.
------------------------------
Date: Wed, 15 Jan 92 00:04:45 +0000
From: mcafee@netcom.netcom.com (McAfee Associates)
Subject: Re: Gulf War "virus"
fstuart@eng.auburn.edu (Frank Stuart) writes:
<Moderator's note deleted>
>CNN is reporting that a computer "virus" was used during the Gulf War.
>Reportedly, the virus was used to blank the screens of Iraq's air
>defense computers. The alleged virus was supposed to have been hidden
>in a printer chip that was smuggled in from Jordan. I (and many
>others, I'm sure) would be very interested if anyone has further
>information.
Hi Frank,
The original "source" of this virus is an article that appeared in the
April 1st, 1991 (April Fools' Day) issue of InfoWorld Magazine as a
gag. Maybe a reporter or some other person came across the article
and thought it was serious.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
- - - -
McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business)
4423 Cheeney Street | FAX (408) 970-9727 | "Welcome to the alligator
Santa Clara, California | BBS (408) 988-4004 | farm..."
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM
------------------------------
Date: Tue, 14 Jan 92 19:12:00 -0500
From: HAYES@urvax.urich.edu
Subject: updated version of Padgett's FixMBR (PC)
Hello.
Just received and will make available tonight the new version of A. Padgett
Peterson's FixMBR. The archive file is FIXMBR22.ZIP.
As usual, the file will be located in:
Site: urvax.urich.edu, IP# 141.166.1.6
Directory: msdos.anonymous
User: anonymous
Password: your_email_address.
As usual, once logged on, the user will be in the anonymous directory. Typing
cd msdos.antivirus should move you in the directory where FIXMBR22 resides.
Thanks to Padgett for another very useful utility.
Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: Tue, 14 Jan 92 06:27:31 -0800
From: Eric_Florack.Wbst311@xerox.com
Subject: Report: 8th Chaos Computer Congress
The following message was copied from RISKS-L. Of particular interest to
VIRUS-L readers will be where the writer inserts 'comment #1'. That such
gatherings are becoming more sparsely populated is a positive step. But is
it, perhaps, time for people such as the UN , or perhaps the ITU, to invoke
sanctions against countries that allow such groups to thrive? ( Comments are my
own....I don't expect anyone else to have the guts to agree with me. ) (Grin)
- -=-=-=--=-=-=
Date: 9 Jan 92 16:37 +0100
From: Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
Subject: Chaos Congress 91 Report
Report: 8th Chaos Computer Congress
On occasion of the 10th anniversary of its foundation, Chaos Computer Club
(CCC) organised its 8th Congress in Hamburg (Dec.27-29, 1991). To more than 400
participants (largest participation ever, with growing number of students
rather than teen-age scholars), a rich diversity of PC and network related
themes was offered, with significantly less sessions than before devoted to
critical themes, such as phreaking, hacking or malware construction. Changes
in the European hacker scene became evident as only few people from Netherlands
(see: Hacktick) and Italy had come to this former hackers' Mecca.
Consequently, Congress news is only documented in German. As CCC's founding
members develop in age and experience, reflection on CCC's role and the growing
diversity (and sometimes visible alienation between leading members) of opinions
indicates that teen-age CCC may produce less spectacular events than ever
before.
This year's dominating theme covered presentations of communication techniques
for PCs, Ataris, Amigas and Unix, the development of a local net (mousenet.txt:
6.9 kByte) as well as description of regional (e.g. CCC's ZERBERUS;
zerberus.txt: 3.9 kByte) and international networks (internet.txt: 5.4 kBytes),
including a survey (netzwerk.txt: 53.9 kByte). In comparison, CCC'90 documents
are more detailed on architectures while sessions and demonstrations in CCC'91
(in "Hacker Center" and other rooms) were more concerned with practical
navigation in such nets.
Phreaking was covered by the Dutch group HACKTIC which updated its CCC'90
presentation of how to "minimize expenditures for telephone conversations" by
using "blue" boxes (simulating specific sounds used in phone systems to
transmit switching commands) and "red" boxes (using telecom-internal commands
for testing purposes), and describing available software and recent events.
Detailed information on phreaking methods in specific countries and bugs in
some telecom systems were discussed (phreaking.txt: 7.3 kByte). More
information (in Dutch) was available, including charts of electronic circuits,
in several volumes of Dutch "HACKTIC: Tidschrift voor Techno-Anarchisten"
(=news for techno-anarchists).
Remark #1: recent events (e.g. "Gulf hacks") and material presented on
Chaos Congress '91 indicate that Netherland emerges as a new European center of
malicious attacks on systems and networks. Among other potentially harmful
information, HACKTIC #14/15 publishes code of computer viruses (a BAT-virus
which does not work properly; "world's shortest virus" of 110 bytes, a
primitive non-resident virus significantly longer than the shortest resident
Bulgarian virus: 94 Bytes). While many errors in the analysis show that the
authors lack deeper insight into malware technologies (which may change), their
criminal energy in publishing such code evidently is related to the fact that
Netherland has no adequate computer crime legislation. In contrast, the advent
of German computer crime legislation (1989) may be one reason for CCC's less
devotion to potentially harmful themes.
Remark #2: while few Netherland universities devote research and teaching
to in/security, Delft university at least offers introductory courses into data
protection (an issue of large public interest in NL) and security. Professors
Herschberg and Aalders also analyse the "robustness" of networks and systems,
in the sense that students may try to access connected systems if the addressed
organisations agree. According to Prof. Aalders (in a recent telephone
conversation), they never encourage students to attack systems but they also do
not punish students who report on such attacks which they undertook on their
own. (Herschberg and Alpers deliberately have no email connection.)
Different from recent years, a seminar on Computer viruses (presented by Morton
Swimmer of Virus Test Center, Univ. Hamburg) was deliberately devoted to
disseminate non-destructive information (avoiding any presentation of virus
programming). A survey of legal aspects of inadequate software quality
(including viruses and program errors) was presented by lawyer Freiherr von
Gravenreuth (fehlvir.txt: 5.6 kByte).
Some public attention was drawn to the fact that the "city-call" telephone
system radio-transmits information essentially as ASCII. A demonstration
proved that such transmitted texts may easily be intercepted, analysed and even
manipulated on a PC. CCC publicly warned that "profiles" of such texts (and
those addressed) may easily be collected, and asked Telecom to inform users
about this insecurity (radioarm.txt: 1.6 kByte); German Telecom did not follow
this advice.
Besides discussions of emerging voice mailboxes (voicebox.txt: 2.8 kBytes), an
interesting session presented a C64-based chipcard analysis system
(chipcard.txt: 3.3 kBytes). Two students have built a simple mechanism to
analyse (from systematic IO analysis) the protocol of a German telephone card
communicating with the public telephone box; they described, in some detail
(including an electron-microscopic photo) the architecture and the system
behaviour, including 100 bytes of communication data stored (for each call, for
80 days!) in a central German Telecom computer. Asked for legal implications
of their work, they argued that they just wanted to understand this technology,
and they were not aware of any legal constraint. They have not analysed
possibilities to reload the telephone account (which is generally possible, due
to the architecture), and they did not analyse architectures or procedures of
other chipcards (bank cards etc).
Following CCC's 10-year-old charter, essential discussions were devoted to
social themes. The "Feminine computer handling" workshop deliberately excluded
men (about 25 women participating), to avoid last year's experience of male
dominance in related discussions (femin.txt: 4.2 kBytes). A session (mainly
attended by informatics students) was devoted to "Informatics and Ethics"
(ethik.txt: 3.7 kByte), introducing the international state-of-discussion, and
discussing the value of professional standards in the German case.
A discussion about "techno-terrorism" became somewhat symptomatic for CCC's
actual state. While external participants (von Gravenreuth, Brunnstein) were
invited to this theme, CCC-internal controversies presented the panel
discussion under the technical title "definition questions". While one
fraction (Wernery, Wieckmann/terror.txt: 7.2 kByte) wanted to discuss
possibilities, examples and dangers of techno-terrorism openly, others (CCC
"ol'man" Wau Holland) wanted to generally define "terrori
Downloaded From P-80 International Information Systems 304-744-2253