From lehigh.edu!virus-l Thu Dec 3 21:17:21 1992
Date: Thu, 3 Dec 1992 15:31:23 -0500
Message-Id: <9212031945.AA10372@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #195
Status: R

VIRUS-L Digest   Thursday, 3 Dec 1992    Volume 5 : Issue 195

Today's Topics:

WARNING - Vacsina Loader in Pkunzip.exe (PC)
Newest and best scanner? (PC)
using %VARIABLE% with scan (PC)
re: Brain Viruses (PC)
re: MtE detection tests (part 5/5) (PC)
Re: Antiviral SW leftovers (PC)
does McAfee SCAN remove viruses? (PC)
Is this a DOS virus? (PC)
Re: Untouchable (PC)
Virus naming cross-reference updated (PC)
Re: Developing and marketing antiviral software (PC)
Not a Stupid OS/2 Question (OS/2)
Re: Potentially stupid question (OS/2) (PC)
Wanted: Virus Scanner for HP Apollo 9000/7XX (UNIX)
RE: German FAQ
Second generation problems (Philosophy)
Real World Efficacy (was Mr. Slade's listings)
Re: CHRISTMA: The "Card"!(CVP)
Re: CHRISTMA DATA
Re: CHRISTMA DATA

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 02 Dec 92 06:09:26 -0500
From: Otto Stolz
Subject: WARNING - Vacsina Loader in Pkunzip.exe (PC)

Hi gang,

a user brought in a diskette with a driver for the Star LC24 printer. He has obtained the diskette from the German branch of Star Micronics. Its sticker is labelled thus:

   Star LC24-10
   Format: MS-DOS 720 KB
   Type A:\install

The diskette contains two .Doc, and one .txt, files (in English and German), various .zip files, and two program files:

   File-id       length   Creation date & time
   Install.exe   24436    26 Feb 1992 15:58h
   Pkunzip.exe   23660    10 Jul 1991 14:25h

The latter is "infected" with the Vacsina Loader, i.e. no virus, but the preparatory step of a Vacsina infection. VIRSTOP 2.06 will not allow this file to be run. We will inform Star Micronics of this fact.

I think there is no actual danger (the loader does not replicate by itself), rather an inconvenience. Still, the Vacsina loader in a program file hints at a possible Vacsina infection in one of the PCs used to produce that disk, or the Pkunzip.exe copied to it, and we will tell the supplier so.

A note to Sysops of FTP servers: Please check your PK-ware with F-Prot 2.06 (or any other scanner capable of detecting the Vacsina Loader). The user told me he had obtained a Pkunzip.exe, including the Vacsina Loader, from an FTP server (though he cannot remember which one).

The copy of Pkunzip I use personally is clean:

   File-id       length   Creation date & time
   Pkunzip.exe   22540    15 Mar 1990 01:10h

Note that both copies of the Pkunzip.exe display 1.1 as their version number.

Best regards,
Otto Stolz

------------------------------

Date: Thu, 26 Nov 92 11:50:10 +0000
From: Alessandro_Del_Prete@f109.n395.z9.virnet.bad.se (Alessandro Del Prete)
Subject: Newest and best scanner? (PC)

Hello Vesselin!

VB> As far as I know, the latest version of TbScan is 4.3.

...Try to get the latest beta version...TBAV501.ZIP and TBAVX501.ZIP.
.....They've really made a good job with these packages, Vesselin, but I'd like someone else's opinion....maybe I'm wrong.....

...ciao! Simply...Axel!

- --- GoldED 2.40.P0720
 * Origin: U start up standing and end up crawling! (9:395/109)

------------------------------

Date: Tue, 01 Dec 92 13:32:10 +0000
From: "Craig.Williamson"
Subject: using %VARIABLE% with scan (PC)

I need to use a variable as an option with McAfee's scan. Right now it doesn't work. The variable name is not expanded. Is there a way to do this?

Craig

- --
"It just doesn't make any sense, Penfold!"        -Craig Williamson
"But our adventures NEVER make any sense, DM!"    Craig.Williamson@ColumbiaSC.NCR.COM
                                   -Dangermouse    craig@toontown.ColumbiaSC.NCR.COM (home)

------------------------------

Date: Tue, 01 Dec 92 09:14:29 -0500
From: "David M. Chess"
Subject: re: Brain Viruses (PC)

> From: ec49726@uxa.cso.uiuc.edu (Manny DeSoto)

> At any rate, I just wanted to know what a "brain virus" is and how it
> differs from a "normal" virus.

"Brain" is the name given to a small family of diskette-boot-infecting viruses that appeared very early in the history of viruses (1987/88). So a "brain virus" is just one family of viruses; nothing particularly unusual about them. They seem to be extinct in at least most of the Western world. The fact that they don't infect hard disks has a lot to do with that, I suspect. The original Brain virus was one of the first to be "stealthed" (if it's active in memory, you can't see it on diskette), but that fact doesn't seem to have done it much good! *8)

DC

------------------------------

Date: Tue, 01 Dec 92 09:21:57 -0500
From: "David M. Chess"
Subject: re: MtE detection tests (part 5/5) (PC)

> From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

> Therefore, the winners of the tests are:
>
> CATCHMTE (freeware), F-PROT (shareware, free for individual use), and
> VIRSCAN (commercial, but cheap).
Just to avoid confusion, since there are several anti-virus programs that might be associated with the name "VIRSCAN", the one that Vess was testing was IBM's Virus Scanning Program. The current incarnation of that technology in the U.S. is IBM AntiVirus/DOS and IBM AntiVirus/2 (see a recent VIRUS-L for my brief announcement of those products). Still commercial, still cheap! *8) (Users outside the U.S. should contact their country IBM to see what flavor of IBM's anti-viral software is available there.)

- - -- -
David M. Chess                 | "Master, how may I comprehend the One?"
High Integrity Computing Lab   | "Have you finished your coding?"  "Yes."
IBM Watson Research            | "Then go and compile!"  -- Hacker Koan

------------------------------

Date: 01 Dec 92 11:40:53 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Antiviral SW leftovers (PC)

Thus spake MC1980@mclink.it (Luca Parisi):

> Since I know of no viruses made by Carmel SW, but I've found it in the
> contacts list as an ANTI-virus producer, I guessed that it was a
> "leftover" from their Turbo Anti-Virus integrity checker module.
> The only problem is the user swears he has NEVER used Turbo A-V, but
> that's his business ... :-)

This is a very common support problem in our part of the world...people notice a file has grown by ~950 bytes, and send it in for analysis. Of all such calls, perhaps one or two have ever admitted to having run the TAV "immunise" utility; most deny it categorically! I don't think they intend to lie -- I think they actually have no idea what software they've used, and certainly no idea what the side-effects of its various options are.
No wonder that viruses have such a strong foothold round here :-)

- --
- --..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--
Paul Ducklin                                        duck@nuustak.csir.co.za
CSIR Computer Virus Research Lab * Box 395 * Pretoria * 0001 S Africa

------------------------------

Date: Tue, 01 Dec 92 22:38:43 +0000
From: mrr1@Ra.MsState.Edu (mark r rauschkolb)
Subject: does McAfee SCAN remove viruses? (PC)

I recently got version 97 of SCAN and ran it on a 386 PC. The PC was STONED, and so I decided to check the disks that I had just used in it (brand new hard drive, so I knew that one of the disks was infected). I did a "scan a:" on a write-protected DOS diskette. After checking the 640 K of memory, it prints:

   Scanning for known viruses.
   Virus removed.
   Disk A: contains 2 directories and 7 files.
   No viruses found.

What's going on?

Thanks
mrr1@ra.msstate.edu

------------------------------

Date: 02 Dec 92 02:03:47 +0000
From: echrstmn@lab4.smcm.edu (Evan Christman)
Subject: Is this a DOS virus? (PC)

On one of our PCs we are observing some odd behaviour of our DOS files. The symptoms are: certain DOS files (share, dosshell and a few others) report that their size has been altered when I run a CHKDSK. Also we have been getting non-fatal errors during Windows sessions. In addition, one file reports that it has been "reallocated to block 505." I have run F-Prot 206 and Pro-Scan on it. When they read the files they report that the above files are "unreadable." I was wondering if anyone else is experiencing the same behaviour, or if anybody has some ideas of what to look at.

------------------------------

Date: Wed, 02 Dec 92 09:12:44 -0500
From: Y. Radai
Subject: Re: Untouchable (PC)

Rick Wirthlin writes:

> I was wondering if anyone else is using the Untouchable virus scanner
> and how they find it.

This product was discussed here extensively about a year ago, so I'll try to make this relatively brief.
First of all, Untouchable is not itself a virus scanner in the usual sense of the term, although it includes virus scanning modules (UTSCAN and UTRES). It is mainly an *integrity checking* package. I'm not sure whether you're asking specifically about those scanning modules or whether you've confused the terminology and are really interested in Untouchable as an integrity checker.

UTSCAN has the ability to examine archives and compressed executables (recursively), includes one of the better MtE detectors (its inability to detect some Groove mutations was corrected even before Vesselin's report appeared), and is quite fast. Moreover, the low scores of previous versions of UTSCAN in terms of percentage of viruses detected seem to be a thing of the past (the authors claim that the latest version of UTSCAN scores higher on the CARO test suite and disinfects more reliably than F-PROT 2.06a). However, UTSCAN requires a lot of RAM.

The integrity checker UT is, in my opinion, excellent. It is one of the few which also perform generic disinfection. Moreover, at every stage in time, UT seems to detect some types of viruses which other integrity checkers do not. For example, even early (1988) versions of UT (under the name "VirAlarm") were able to detect companion viruses, which began to appear only in 1990 (most other integrity checkers added this capability only after such viruses appeared, and quite a few checkers can't detect them even today!), and UT still detects a couple of types of viruses which have not yet appeared.

I take this opportunity to say that imho, Robert Slade's recent evaluation of Untouchable misses the mark. I won't go into details here, but in general, it gives more weight to less important things (like the damaged diskette which he happened to receive, rarely needed features of UT, and slowness on an XT) than to the really important ones. (I'd be glad to discuss these with you by personal e-mail, Rob, if you're interested.)

Y. Radai
Hebrew Univ.
of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: 02 Dec 92 14:03:42 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Virus naming cross-reference updated (PC)

Hello, everybody!

I finally managed to update the virus naming cross-reference. A full listing of the files in our collection, divided into boot sector viruses, file viruses, trojans, jokes, etc.; information on how the three scanners with the best detection rate call the different viruses (and other pieces of malware); the standard CARO names; etc.

The three scanners used are:

- Dr. Solomon's FindVirus 6.07 with drivers of 19-Nov-92.
- F-Prot 2.06b
- McAfee's VIRUSCAN 9.0V99

The first one is a commercial product. I have no idea what the actual version shipped to the customers is; I used the latest version I have received from S & S International. The second product: I have not yet seen this version on the usual ftp sites; Frisk sent it directly to me. The third product I have downloaded directly from McAfee's ftp site. The last two products are shareware, as you probably all know.

A few people asked me why I do not include other scanners in these comparative reviews. The answer is that they are NOT comparative reviews. Their purpose is not to show which scanner is better (although a lot of information about the scanner can be extracted from them). Their purpose is to show the standard CARO names of all viruses known to us (i.e., to VTC-Hamburg), together with a cross-reference of how the three scanners with the best detection rate are calling them. It would be useless to include other scanners with a lower detection rate, because they will give just no names for a serious part of the viruses...

OK, the files are available from our ftp site, ftp.informatik.uni-hamburg.de, in the /pub/virus/texts/tests directory.
Here is a short description of each of the archives:

reports.zip  - ASCII file, containing a multi-column listing (about 220 characters per line) of the file names, the standard CARO name of the virus in the file, the name used by Findvirus, the name used by F-Prot, and the name used by SCAN.

reps_ps.zip  - Same as above, but in PostScript, 4 bp.

naming.zip   - Four documents, describing the CARO virus naming scheme and the names of every single boot sector and file infector known to the VTC-Hamburg. Some other forms of malware are also listed.

namng_ps.zip - Same as above, but in PostScript.

The listings are relatively up-to-date. They reflect the contents of our virus collection on December 1st. However, there are about half a dozen new viruses from Poland, which are not classified yet, and as I am writing this a bunch of new viruses just arrived in the mail... Sigh... :-(

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: 02 Dec 92 16:03:34 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Developing and marketing antiviral software (PC)

mcafee@netcom.com (McAfee Associates) writes:

> >I think I could find you a copy of the article, if you are
> >interested...

> If you could just give me the magazine name (it is a magazine,
> correct?) I can probably locate a copy over here.

Joshua Quittner, "Software Hard Sell", New York Newsday, April 5, 1992, p.68.

> >> I think it's fairly easy to guess that John McAfee would like his programs
> >> to do better than anyone else's in a test. I'm sure that is hardly
> >> unique, though.

> >Don't change the wording.
> >The article quoted him saying that he wants
> >his competitors to show worse results, not him to show better
> >results... This is not quite equivalent.

> While the wording is not quite equivalent, the end result would be the
> same. In any case, this does not mean that John McAfee had done this.
> If he had, it would be very likely that we would be sued or at least
> enjoined from using any such reports.

As I said, John McAfee was -quoted- to have said that. Here is what the article says:

   "If your product competes with mine, I'd like for those customers of mine to know that your product isn't as good as mine," he [McAfee] said.

> >> If possible, would you mind sending me a copy of any such reports? (Only
> >> on McAfee Associates software, that is). Thank you.

> >I am doing so since some time. I am sending a copy of the reports to
> >Igor Grebert, as you have advised me.

> I think you may have sent some to Igor and some to me. Since Igor
> sometimes works away from the office, I may not have a chance to
> immediately talk to him about email you've sent, or vice-versa.

In the beginning I was sending them to you, since you were the person from McAfee Associates who was most present on the net. I also used to discuss the technical questions with Morgan Schweers, who was more technically competent on the subject. Some time ago, you told me that Igor is the one involved in the detection/disinfection problems, so I should report such problems to him. He also told me to send copies of such reports to him. That's what I am doing. If you insist, I'll send them to you instead. However, I definitively refuse to send them -twice-. Is the internal communication between the employees of McAfee Associates really so bad? Isn't it enough that I am finding the bugs in your software and sending you reports about that, so that you are asking me to do it twice?
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Tue, 01 Dec 92 08:55:18 -0500
From: Kevin_Haney@nihcr31.bitnet
Subject: Not a Stupid OS/2 Question (OS/2)

Ken De Cruyenaere asks

>"What are people running OS/2 using/running as anti-viral
>software?

Speaking of native OS/2 applications, to my knowledge IBM has the only shipping OS/2 antiviral product available. The old version was called simply the IBM Scanning Program. They just came out with a new version with a CUA interface called IBM AntiVirus/OS/2 (and a DOS version too). I have ordered this product but haven't received it yet. Dr. Solomon was supposed to have an OS/2 version of his product available some time ago, but I don't think it's seen the light of day yet (maybe now that they've introduced their Windows version...). Also, ASP says they will be coming out with an OS/2 version of their Integrity Toolkit sometime.

Yes, I too wish that F-PROT, otherwise an excellent product, could be modified to recognize the fact that it may be running on an OS/2 machine (from my perch of ignorance, it seems to me that it shouldn't take more than a few lines of code). Maybe Frisk is waiting for the infamous "critical mass" of complaints. :<)

Kevin Haney
Internet: khv%nihcr31.bitnet@cu.nih.gov

------------------------------

Date: Tue, 01 Dec 92 23:04:14 +0000
From: bharris@hfglobe.intel.com (Bennie Harris)
Subject: Re: Potentially stupid question (OS/2) (PC)

KDC@ccm.UManitoba.CA (Ken De Cruyenaere 204-474-8340) writes:

>I am not too familiar with OS/2 but am told it's going to be very
>popular soon :-(.
>Our antiviral software (F-PROT) doesn't seem to run well under OS/2.
> (It eventually hangs up when scanning, saying
> "ERROR SCANNING DRIVE D:")
> McAfee SCAN (V99) apparently gets the same results.
>My question:
> What are people running OS/2 using/running as anti-viral software?

You can find the McAfee and Virus Scan for OS/2 (BETA!) at ftp-os2.nmsu.edu (128.123.35.151) under /pub/os2/2.0/diskutils. The file you want is os_scb97.zip. You also need to use Info-ZIP's UNZIP 5.0 to unzip the files from this ftp site. I haven't had any problems with the software on my FAT partitioned drives. Also this only runs under OS/2 2.0, not 1.x.

- --
Bennie Harris

------------------------------

Date: Tue, 01 Dec 92 21:08:02 +0000
From: raj2@ra.msstate.edu (rex allan jones)
Subject: Wanted: Virus Scanner for HP Apollo 9000/7XX (UNIX)

I'm looking for a virus scanner for our HP 7XX Unix boxes. My friendly HP representative says that there are none available, but I find that hard to believe when IBM sends their RS/6000 out with Viruscan. Can anyone help me out?

How likely is it that a virus like Stoned, Michelangelo, or Brain (or any other DOS virus) can infiltrate HP-UX? We do a lot of transfers from PC to HP and the other way via floppy disk.

Thanks a bunch.

- --
Rex Jones                        | "After all the jacks are in their boxes,
Mississippi State University     |  and the clowns have all gone to bed,
Geographic Information Systems   |  you can hear happiness staggerin' on down the
raj2@isis.msstate.edu            |  street, footprints dressed in red"  J.Hendrix

------------------------------

Date: 01 Dec 92 08:06:08 +0000
From: sys_hjk@lifra.lif.de
Subject: RE: German FAQ

In a previous article, Malte_Eppert@f6002.n491.z9.virnet.bad.se (Malte Eppert) wrote:

#I just wanted to make an offer: If there's any need for a German
#document about MS-DOS viruses (kinds of, what they can and can't do,
#how to fight them, which kind of antivirus-utilities exist and some
#really frequently asked questions), there is something I wrote some
#weeks ago.
#The only thing you need to get it is FIDO-Net access.

Very nice, seems to be quite big too. Can any kind soul make the text available on some German ftp server? (or even mail it to me ;-), but I won't ask for too much...)

------------------------------

Date: Tue, 01 Dec 92 09:00:51 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Second generation problems (Philosophy)

One of the ways I can tell what people are thinking about is by the kinds of problems they are having. First generation problems are the ones that "come with the territory", such as preventing viruses like STONED when a reboot checks the A: drive first.

Second generation problems are the ones that only become apparent when a "fix" for the first generation problem is applied, e.g. some BIOSes allow selection of C: as the boot drive. Sometimes you *want* to boot from A: (to remove disk caching so that disk defragmentation can take place) but do not want to change the CMOS & boot several times to do so.

At first glance, the problem seems easy - write a DOS program to boot from A:. On trial it becomes apparent that things do not work that way, primarily because during the boot the MBR and DBR expect certain values to be just so, and they are different after DOS has loaded.

As I mentioned earlier, the answer is fairly straightforward - some code in the MBR (plenty of room) so that if a certain key is struck during boot, it will be redirected to the A: drive. This works.

But it brings up a third generation problem: If this is done, is the original reason for selecting the C: drive in the first place negated, since we have just reopened a window for infection, OR does this provide an avenue for those who have not utilized the CMOS boot redirection because of an occasional need to boot from floppy to use the additional protection?

In other words, if this were added in conjunction with boot drive selection, would overall protection go up or down?
I *believe* it would go up for the second reason and, since it takes an overt act (pressing a key), one might have a reasonable expectation that the user checked the floppy in the drive first.

Comments?

(Incidentally, it is very handy at home to bring up the LAN, since QEMM and the other TSRs normally loaded must be suppressed, but I still want to maintain my *other* protections. You *can* have your cake...)

Warmer today,
Padgett

ps for those using 3COM 3C503 cards in early XTs, the 3C503.EXE diagnostics program has a not-very-well-documented /S switch. I had a *situation* where the card failed the diagnostics (RAM/ASIC test) but the LAN seemed to be working just fine. With the /S (slow?) switch the diagnostics passed.

------------------------------

Date: Tue, 01 Dec 92 13:04:23 -0500
From: Dennis Clouse
Subject: Real World Efficacy (was Mr. Slade's listings)

On 19 Nov 92 09:54:05 -0500 Dr. Fred Cohen said:
>
> Example: (taken from Jon David's original example several
> years ago - with modifications)
>
> Virus 123 represents 0.12% of reported incidents
> Product X detects Virus 123
> => Product X gets 0.12 %age point toward a 100% rating
> of REAL WORLD EFFICACY!

Rather than one node per virus indicating reported incidents, I'd rather see nodes for each geographic area, so that results imply (?) product A does better on common eastern European viruses, product B is better for common Australian viruses, etc. (standard Epidemiology?)

As a virus spreads, it would then have more non-zero nodes affecting the composite, and a larger influence on the rating of the anti-viral product being tested. Age of the virus is moot if it doesn't spread. ("Lab animals" would have zero or one node.)

The problem, of course, is the quality of reporting:

- duplicate reports of a single incident must be disallowed, while multiple or recurring incidents need to be differentiated and included. How does the test site tell if these are discrete incidents?
- accuracy of virus identification by the reporting sites is always suspect (but then, if they were 100% accurate, they'd be using the product we're looking for, right? :-)).

- reports on the growth side of the curve may be fairly accurate, but reporting on the plateau and decline sides is erratic.

What is needed is an independent site with statistically varied but controlled "tripwire" sites to sample the activity worldwide. That implies an international effort with international funding, staff, and a formal reporting protocol. (see, Padgett, someone is listening....)

- --------------------------------------------------
Dennis E. Clouse                  Office of the President
ISCDEC@UCCVMA.UCOP.EDU            University of California
- --------------------------------------------------

------------------------------

Date: Tue, 01 Dec 92 14:02:04 -0500
From: Dennis Clouse
Subject: Re: CHRISTMA: The "Card"!(CVP)

ON 11 NOV 92 10:36:28 -0500 OTTO STOLZ SAID:
>The mailstorm originated in Europe
>(in the University at the small German town Clausthal-Zellerfeld, if I
>am not mistaken), and wandered once around the globe, in about three days.

The copy that showed up on my queue 12/9/87 (the 5th anniversary is almost upon us) used "mohn tack jeah" for "month day year" and variable names like "wer von wo ist rest", which agrees with this origin.

> At that time, most Bitnet nodes sent an interactive
>message back to the original sender whenever they had forwarded a
>file, or a mail item (as if every post employee who handles your
>letter would send you a telegram to acknowledge that fact).

The REXX exec actually invoked the SendFile command with the "ACK" option, requesting delivery confirmation, adding to overall traffic.

On 17 NOV 92 08:38:29 -0500 BRIDGETT RUTTY SAID:
>The CHRISTMA exec did NOT destroy itself after sending copies. I
>erased several from our users' minidisks.
The last line of the one I got was "ERASE CHRISTMA EXEC", but that only removed the file saved to disk (as the exec completed its run). Some users saw that line and disabled it before they ran it. Others received the file, but did not run it. In those cases, it remained on user disks.

- --------------------------------------------------
Dennis E. Clouse                  Office of the President
ISCDEC@UCCVMA.UCOP.EDU            University of California
- --------------------------------------------------

------------------------------

Date: Wed, 02 Dec 92 01:04:19 -0500
From: Bridget Rutty
Subject: Re: CHRISTMA DATA

Perhaps I can clarify the confusion about whether or not CHRISTMA erased itself, and also give justification to my classification of CHRISTMA as a Trojan Horse, not a worm or virus.

The VM operating system does not lend itself to either worms (as in the Morris worm) or viruses. This is one of its strengths. Mr. Slade's description of Rexx is correct; it is an interpreter (although a compiler is available) and thus a Rexx file is a program and can be edited as data. Such a file can be sent to other users on the same computer or it can be sent to other users on different computers via the RSCS BITNET network and the VNET network. The CHRISTMA exec was distributed this way.

It was not a worm because no connection was made between two systems to establish a portion of a program which, if it found the environment hospitable, would drag the rest of the program along behind it as the Morris Worm did (the same way an inch worm moves). It was not a virus, because it did not attach itself to other programs or data when it executed.

The file, when sent, physically was delivered to the receiving computer's spooling system. VM maintains a common area for all users for mail and files sent to them. When a user logs on he can list the files he owns in this common area. He can display them and, if he chooses, can receive them onto his minidisk.
The CHRISTMA program then appeared in users' lists of spool files as a gift from someone else (as was the Trojan Horse). If the user received the CHRISTMA exec onto his disk (taking the Horse inside the gates in the analogy), that copy was deleted from the spooling system (which may be the origin of the idea that it destroyed itself). Then, IF the user ran the program (opening the Horse and releasing the soldiers), a Christmas tree was drawn on the screen and copies of the program were distributed. The program remained on the user's minidisk and could be executed any number of times.

The best defense, of course, is not to take the horse inside the gates: don't receive any program files from someone you don't know, and don't run programs without reading them to find out what they do.

This note and my previous one are sent in the interests of accuracy and are not intended to be flames.

Bridget Rutty
SYSBXR@SUVM.BITNET

------------------------------

Date: Wed, 02 Dec 92 01:04:24 -0500
From: Bridget Rutty
Subject: Re: CHRISTMA DATA

We deleted our reference copy of CHRISTMA just a little while ago; now I wish we hadn't, so I could verify my information. We had two copies of it, one from the initial distribution and one from the second the following year. It could very well be that someone altered the original program to erase itself in order to make it more difficult to track down. I do remember erasing copies of the program from users' minidisks and also checking their netlog files to determine what other users had been sent copies. So our first version, at least, did not erase itself.

Bridget Rutty
SYSBXR@SUVM.BITNET

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 195]
******************************************
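Editor's added example, not part of the digest and not code from Untouchable, F-Prot, VIRSTOP or any other product named above. Two of the posts turn on the same defensive idea: Otto Stolz identified the tampered Pkunzip.exe partly by its length (23660 bytes against the 22540 of his own clean copy, both reporting version 1.1), and Y. Radai singles out an integrity checker that also catches companion viruses. The script below is a minimal integrity checker of that kind: it baselines length and SHA-256 of every executable under a directory, reports anything modified, added or missing, and flags a new NAME.COM appearing beside a baselined NAME.EXE, which is the companion case (DOS runs the .COM first, so the .EXE itself never changes). All file names, contents and the 1120-byte growth in the demo are constructed.

```python
# Added example, not code from the digest or from any product it discusses.
# Minimal integrity checker: length + SHA-256 baseline of executables, with a
# companion-file check.  All file names and contents below are constructed.
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".com"}
Fingerprint = tuple[int, str]          # (length in bytes, SHA-256 hex digest)


def fingerprint(path: Path) -> Fingerprint:
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict[str, Fingerprint]:
    """Record length and hash of every executable under root, keyed by a
    lower-cased, slash-separated relative path (DOS names are case-insensitive)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            key = str(p.relative_to(root)).replace(os.sep, "/").lower()
            baseline[key] = fingerprint(p)
    return baseline


def check(root: Path, baseline: dict[str, Fingerprint]) -> dict[str, list[str]]:
    """Compare the directory against the baseline and classify every difference."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": [], "companion": []}
    for name, fp in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif fp != baseline[name]:
            # Length or hash changed.  Whether it is an appending infector or a
            # legitimate "immunise" utility growing the file by ~950 bytes, the
            # checker reports it and the user has to account for it.
            report["modified"].append(name)
    report["missing"] = [n for n in baseline if n not in current]
    # Companion check: a .COM that did not exist at baseline time, in the same
    # directory as a baselined .EXE with the same basename.  COMMAND.COM runs
    # NAME.COM before NAME.EXE, so the .EXE stays byte-for-byte identical.
    # (A companion placed earlier in the PATH is not covered by this check.)
    for name in report["added"]:
        stem, ext = os.path.splitext(name)
        if ext == ".com" and stem + ".exe" in baseline:
            report["companion"].append(name)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "INSTALL.EXE").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "PKUNZIP.EXE").write_bytes(b"MZ" + b"\x01" * 200)
        baseline = build_baseline(root)
        # 1. an existing program grows (constructed 1120-byte change)
        with (root / "PKUNZIP.EXE").open("ab") as f:
            f.write(b"\x02" * 1120)
        # 2. a companion INSTALL.COM appears next to the untouched INSTALL.EXE
        (root / "INSTALL.COM").write_bytes(b"\xc3")
        return check(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s}: {', '.join(names) or '-'}")
```

Note that a length column alone, as in Otto's tables, catches the Pkunzip.exe case but not a same-length overwrite, which is why the baseline stores a hash as well; and neither catches a companion, which is why the added-file list is examined separately. A scanner that names the Vacsina loader is still the only thing that tells you *what* changed.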
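Editor's added example, not part of the digest. It works through the "real world efficacy" formula Dennis Clouse quotes from Dr. Cohen (a detected virus earns the product that virus's share of reported incidents, in percentage points toward 100%) and adds the two refinements Clouse proposes: one node per geographic region instead of one pooled node, and a rule that discards duplicate reports of a single incident while keeping recurring incidents from the same site. The incident reports, regions and product detection tables are constructed; only the virus names are taken from the digest.

```python
# Added example, not from the digest.  Scores anti-virus products by the
# "real world efficacy" rule Dennis Clouse quotes from Dr. Cohen, extended with
# per-region nodes and duplicate-report handling.  All data is constructed.
from collections import Counter, defaultdict

# Constructed incident reports: (virus, region, reporting site, date).
REPORTS = [
    ("Stoned", "EU", "site-a", "1992-11-01"),
    ("Stoned", "EU", "site-a", "1992-11-01"),   # duplicate of the line above
    ("Stoned", "EU", "site-a", "1992-11-20"),   # same site, later: recurring incident
    ("Michelangelo", "EU", "site-b", "1992-11-05"),
    ("Vacsina", "EU", "site-b", "1992-11-06"),
    ("Stoned", "AU", "site-c", "1992-11-03"),
    ("Brain", "AU", "site-c", "1992-11-07"),
    ("Brain", "AU", "site-d", "1992-11-08"),
]

# Constructed detection tables: the virus names appear in the digest, the
# coverage attributed to each product is invented for the demo.
PRODUCTS = {
    "Product A": {"Stoned", "Michelangelo", "Brain"},
    "Product B": {"Stoned", "Michelangelo", "Vacsina"},
}


def distinct_incidents(reports):
    """Identical (virus, region, site, date) tuples are one incident reported
    twice; a later date from the same site is a separate, recurring incident."""
    return set(reports)


def shares(incidents):
    """Fraction of the incidents in one node attributed to each virus."""
    counts = Counter(virus for virus, *_ in incidents)
    total = sum(counts.values())
    return {virus: n / total for virus, n in counts.items()}


def shares_by_region(incidents):
    """Clouse's proposal: one node per geographic region."""
    per_region = defaultdict(list)
    for inc in incidents:
        per_region[inc[1]].append(inc)
    return {region: shares(incs) for region, incs in per_region.items()}


def efficacy(detected, virus_shares):
    """Cohen's rule: each detected virus contributes its incident share, in
    percentage points, toward a 100% rating.  A missed virus contributes
    nothing, however many lab-only samples the product recognises."""
    return round(100.0 * sum(s for v, s in virus_shares.items() if v in detected), 2)


def score_products(reports, products):
    incidents = distinct_incidents(reports)
    regional = shares_by_region(incidents)
    world = shares(incidents)          # pooled node: widespread viruses dominate
    table = {}
    for name, detected in products.items():
        row = {region: efficacy(detected, s) for region, s in regional.items()}
        row["WORLD"] = efficacy(detected, world)
        table[name] = row
    return table


if __name__ == "__main__":
    for product, row in score_products(REPORTS, PRODUCTS).items():
        print(product, row)
```

With the constructed data the two products come out equal on raw signature count (three viruses each) but rank differently in each region, which is the point of Clouse's regional nodes: Product B scores 100% in the EU node and about 33% in the AU node, Product A the reverse. The pooled WORLD figure hides that, and the duplicate report, if not discarded, would have inflated Stoned's weight in the EU node from 50% to 60%.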