From lehigh.edu!virus-l Fri Jan 8 03:48:34 1993 Date: Tue, 5 Jan 1993 14:35:58 -0500 Message-Id: <9301051858.AA13030@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #3 Status: R VIRUS-L Digest Tuesday, 5 Jan 1993 Volume 6 : Issue 3 Today's Topics: re: os2-stuff (OS/2) Re: Viruses in OS/2 HPFS (OS/2) Re: CHRISTMA EXEC (IBM VM/CMS) Filler virus (PC) Virus Simulator MtE Supplement (PC) Re: VSHIELD, VIRSTOP, ... comparison ? (PC) Clash between FDISK/MBR and scanners (PC) Invalid Boot Sectors (PC) Trojan detection/protection (PC) Re: Is this a new virus? (PC) ANTI-tel (PC) Info on Vascina and 1701/1704 in Novell networks wanted (PC) Does anyone have info on DAME (PC) MS-DOS CHKDSK & VER /R (PC) Good use of (possible bad) viruses Good and bad viruses (was FC on virus creation) Re: Viral Based Distribution System TBAV 5.02 and VSIG9214 upload (PC) The Internet Worm (CVP) March Virus/Security Conference VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 23 Dec 92 02:36:37 -0500 From: KARGRA@GBA930.ZAMG.AC.AT Subject: re: os2-stuff (OS/2) Hi Vesselin, as pointed out in point 10 at least *.dll and *.drv files contain code which cannot be executed by the user, but is loaded and executed as any other *.ov? As there are viruses which infect overlays, they can be infected in a similar way. However, if the virus is not specialized on these newer formats, they shurely will be destroyed. BUT: Si vis pacem, para bellum. (If you want peace, prepare for war.) I hope things will stay too complicated for most virus- writers for the next 5 x 10^9 years. Silly me! Forget about point 4... Yesterday I downloaded the newest versions of McAfees OS2-scanning software. There is a os2-specific version for netscan, so I'll try this one too, though I do not expect it will work, as there is no network here on my poor, lonesome home-pc. :) Sorry for missing point B8. I'll look it up immediately. Thanks for info. The only mention of the /EXT= switch of F-Prot I found in NEW.206. It is definitely missing in COMMANDS.DOC. I just looked up all textfiles. Even READ_ME.DOC :-) As I go on vacation, I hope to report my results in January. A A AXA AXA OOO M E R R Y C H R I S T M A S OOO OVO OVO V and a V I I --- H A P P Y N E W Y E A R --- I I I I I I WITHOUT MICH et al. I I I I Alfred I I --- --- ------------------------------ Date: Fri, 25 Dec 92 09:12:10 +0000 From: buhr@umanitoba.ca (Kevin Andrew Buhr) Subject: Re: Viruses in OS/2 HPFS (OS/2) bjl1@Ra.MsState.Edu (Brett J.L. Landry) writes: | | There has been aa lot of talk about OS/2 not being able to be infected | from regular old DOS boot sector viruses using the HPFS. This is false | since regular old STONED can infect both logical and physical parttions | on OS/2 using HPFS. Why wait for true OS/2 viruses when you can suffer | from regular DOS viruses. Keep in mind there is at least one special consideration with respect to OS/2 and the "Stoned" variety of viri, however. Be forewarned that the following is a mixture of real knowledge and a bit of deduction. The deduction part might trip me up a bit, but I'm pretty sure most of the details are accurate. For one thing, if a boot sector virus infects your system on start up, it won't survive the OS/2 startup process. You may get the "Your computer is stoned!" message, since this is displayed (randomly approximately one out of every eight times in many cases) before the operating system is loaded. HOWEVER, OS/2's own floppy disk device drivers will take control of the floppy drive away from the boot sector virus. The virus will be neutralized, and will not spread to floppy disks. This will be true whether you are using the HPFS or the FAT file system. (In special situations, the virus may remain in a "semi-active" state. It will not be able to infect floppy disks, but it may still cause a system crash when the virus is overwritten by OS/2. See the note below for more information on this.) "Normal" DOS sessions you start under OS/2 will *not* contain copies of the virus, because they are not "booted" in the normal sense. Only special "DOS from Drive A"-style sessions, which are booted from floppies, could potentially become infected if the floppy was infected. Only in these cases would the virus be able to spread, and it would only spread during floppy drive accesses in the infected DOS sessions; accesses from other sessions would have no effect. As mentioned above, there is a special case where the boot sector could remain partially active and interfere with OS/2's operation. To allow OS/2 to work with special hard disk devices (like Bernoulli drives, I understand), OS/2 can be set up to use the built-in BIOS routines for disk control rather than its internal drivers. I'm not sure how OS/2 behaves in this situation (i.e. I don't know whether it uses the value of the INT 13 vector or generates an address in a more elementary manner), but it seems possible to me that OS/2 could mistake the virus code for the BIOS disk routines. In this case, OS/2 could attempt to operate the hard drive via the virus code. Because of the way OS/2 handles memory management, when OS/2 attempts to access the hard drive, the virus code will probably be "invisible". As a result, the operating system will immediately trap and display an error message. In summary, the worst you can expect is your system simply not working. An infected OS/2 system generally won't infect new floppy disks unless you use the special "DOS from Drive A" sessions with an infected boot floppy. Kevin ------------------------------ Date: Tue, 22 Dec 92 17:14:20 -0500 From: Subject: Re: CHRISTMA EXEC (IBM VM/CMS) Howdy! About 6-8 months ago I received a "ZEBRATELL EXEC", this was the CHRISTMA with a new hook. ( It sent tells with each letter a different color ) My copy of ZEBRATELL does not erase itself. I did read the code and send it, with a warning, to our systems administrators, they were able to prevent it from spreading to or from our node. Happy Holidays, Tom Kirke | All standard and non-standard U33515@UICVM.CC.UIC.EDU | disclaimers, declaimers, and claimers U33515@UICVM.CC.UIC.EDU@INTERNET#| apply. APPLELINK:HARDBALL | We have discovered a *therapy* (NOT a cure) for the common cold, play tuba for an hour. ------------------------------ Date: 28 Dec 92 23:21:00 +0000 From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: Filler virus (PC) Quoting from Brill@aecom.yu.edu to All About Filler virus (PC) on 12-07-92 B > Scan 99 detected "Filler" active in the memory of my computer. B > When I booted from a write-protected floppy the nasty virus was not B > found, no matter how many times I tried. By the way, I have CPAV B > constantly running and it did not detect anything wrong. You have probably already received many answers, but I will add my two cents any way. The problem is the VSAFE or VWATCH TSRs that comes with CPAV. The virus signatures are not encrypted when these TSRs are in memory, and Scan finds the signature, and assumes the rest of the virus is there. You have several options. A. Use CPAV exclusively. B. Stop using CPAV. In my tests, these scanners rank highest. F-Prot from Frisk Software VIRx from Data Watch Software (Used to be Microcom) McAfee's Scan. Bill - --- * WinQwk 2.0 a#383 * HALLOWEEN activates Oct 31st ------------------------------ Date: 23 Dec 92 03:13:17 +0000 From: as194@cleveland.Freenet.Edu (Doren Rosenthal) Subject: Virus Simulator MtE Supplement (PC) Doren Rosenthal 3737 Sequoia San Luis Obispo, CA USA 93401 To: Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg In response to your questions posted on this forum about my Virus Simulator MtE Supplement. > 1) Does is simulate perfectly the behavior of the MtE? YES. Although safe and controlled, these dummy sample programs behave identically to those produced MtE mutation engine viruses. >I.e., are the dummy files generated by it the same as if >generated by the MtE? If not, then it is not good as a simulator, >because the simulation is not >perfect enough. YES. The dummy simulations are the same as those encrypted by the MtE mutation engine. >2) If the answer of the above question is "yes", then it means that it >uses the MtE itself to encrypt the dummy files - because using >anything else would mean imperfect simulation. If it uses the MtE, do >you include the MtE itself in the generated dummies? YES. At the hart of the simulations is an actual MtE mutation engine. >3) If the answer of the above question is "no", then the simulation is >again not good enough, since the only way a scanner could detect the >unencrypted replicants of an MtE-based virus is to scan for a scan >signature of the unencrypted body of MtE. If the answer of the above >question is "yes", then it is pretty easy to extract the MtE from the >unencrypted dummies... Therefore, you are distributing malicious >software... I disagree. Although these are real MtE viruses, steps have been taken to insure they will only infect the dummy test programs provided and modifications or reverse engineering has been discouraged. >Conclusion: regardless how you answer to the above questions, either >the simulator is useless, or you are distributing malicious >software... Hmm, I was able to draw this conclusion even without >having to look at the simulator... Pretty good, isn't it?... :-) I'm disappointed that you would pass yourself off as a fair and open scientist and researcher open to new ideas. Then ask what would appear to be legitimate questions and without giving my response a fair hearing or even examining the Virus Simulator MtE Supplement yourself, draw a conclusion and announce your findings in a public forum. I also do not appreciate being accused of distributing malicious software. If you have evidence of this you should present it before posting anything else on this forum or use the forum for a public apology. >Leaving the ethical problems aside, do you try all kinds of flags >(i.e., the contents of the AX register before calling the MtE)? >Because, if you don't, you'll be able to generate only a small subset >of the code that can be generated with the MtE... The Virus Simulator MtE Supplement exercises as may flags and options as possible. Doren Rosenthal ------------------------------ Date: Wed, 23 Dec 92 05:16:52 -0500 From: David_Conrad@MTS.cc.Wayne.edu Subject: Re: VSHIELD, VIRSTOP, ... comparison ? (PC) In VIRUS-L v5i207 Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem) write s: > > 3) VShield uses much more memory than VirStop. > >But may be loaded to high memory, and then needs less then 1K of >conventional memory. Implying that Virstop cannot?! Virstop can be loaded high, and then requires no conventional memory. And still, VSHIELD will use more high memory that Virstop, reducing the number of other things you can have loaded high simultaneously. Even with loadhigh in DOS 5.0, smaller is still better when it comes to memory-resident programs. Regards, David R. Conrad David_Conrad@mts.cc.wayne.edu, dave@michigan.com ------------------------------ Date: Wed, 23 Dec 92 20:55:07 -0500 From: "Roger Riordan" Subject: Clash between FDISK/MBR and scanners (PC) The command FDISK /MBR is often recommended for removing MBR infectors (Stoned, etc) from hard disks. However in some circumstances this can cause problems with some scanners. It appears that some versions of FDISK/MBR rewrite the Master Boot Record only as far as the end of the error messages, leaving the all important partition information unchanged, but also leaving any viral code between the messages and the partition information. This will cause problems if the user later scans the disk with a scanner which uses a string in this area to detect the virus. In our case VET reported that the MBR of a PC was infected, and the recovered copy of the MBR was also infected, but the PC booted OK, the top of memory was OK, the virus was not in memory, and the PC did not infect floppies. The main part of the MBR seemde normal, but code from Stoned followed the messages. It appears that the PC had twice been infected with Stoned, and each time it had been removed using FDISK/MBR. Thus both the MBR, and the copy saved by Stoned, contained viral code, which included the template used by VET. FPROT reported the infected MBR as Master boot sector: Possibly a new varient of Stoned. SCAN, Dr. S Toolkit, did not report any virus. We understand that FDISK was definitely run on this PC, but we could not confirm that FDISK was responsible, as it cleared this part of the MBR when we used it to remove Stoned from an experimentally infected PC. Roger Riordan riordan.cybec@tmxmelb.mhs.oz.au CYBEC Pty Ltd. Tel: +613 521 0655 PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727 ------------------------------ Date: Wed, 23 Dec 92 20:55:50 -0500 From: "Roger Riordan" Subject: Invalid Boot Sectors (PC) I recently wrote >In a recent comment on a query by MOPURC01@ULKYVM.LOUISVILLE.EDU >(Michael Purcell) about a virus which allegedly made disks >unreadable I wrote. >> If you put the wrong byte in the wrong place you can get the >> symptoms described. ... It appears the original message got lost, but the gist was that, IN THEORY, it is possible to write a BS virus which is invisible on an infected PC, but impossible to detect on an uninfected PC with any existing scanner because DOS will crash if any attempt is made to access an infected disk. More seriously, we have established that neither F-Prot V2.05, nor SCAN 8.9V97 will detect QUOX on 1.44M 3.5" disks. F-Prot reports Scanning boot sector B: Error: B: not found SCAN less elegantly crashes with a critical error Scanning for known viruses. General failure reading drive B Abort, Retry, Fail? Seasons Greetings to All, (PS - I'll be away till early Jan) Roger Riordan riordan.cybec@tmxmelb.mhs.oz.au CYBEC Pty Ltd. Tel: +613 521 0655 PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727 ------------------------------ Date: Mon, 14 Dec 92 22:39:00 +0000 From: Chris_Franzen@f3060.n492.z9.virnet.bad.se (Chris Franzen) Subject: Trojan detection/protection (PC) > McAfee Associates does not make any kind of memory-resident "filter" > type program to look for Trojan horse programs because it is (1) > extremely simple to write a Trojan horse, as your batch file example > shows; and (2) prone to false alarms on legitimate actions, such as > formatting a disk or running DEBUG. Given these two conditions, it > makes it very difficult to write some sort of program that will > accurately detect malicious activity while not giving any false > alarms. Now there of course *are* memory-resident "filter" type programs (or "watchers" in the field. One of them is Thunderbyte, which does not work to well. I understand, though, that at least one vendor is beta-testing a product that looks very good and successfully keeps trojans out of the house. I am puzzled by the low number of false alarms the program generates. (Formatting a disk is one of them because the boot sector is being written. i think nobody is going to create a solution to this.) I wonder: If you guys work so hard against viruses (and you do :-), why don't you create a product in the anti-trojan field? Don't you *have* an anti-trojan type program (VSHIELD) which takes action to avoid infection by unknown viruses? Maybe you would trash your ViruScan product because any good anti-trojan were a very good anti-virus, too? (Well *that* might be a reason everyone understands...) > Regards, > Aryeh Goretsky > Technical Support Chris - --- * Origin: You wanted junk -- so I drop some. (9:492/3060) ------------------------------ Date: 24 Dec 92 07:03:27 +0000 From: tck@bend.ucsd.edu (Kevin Marcus) Subject: Re: Is this a new virus? (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >tck@fold.ucsd.edu (Kevin Marcus) writes: > >> I have varients of stoned which copy to 0,0,15, and 0,0,7, as well as a >> few other locations. They do not necessarily copy to the same spot. > >And we have here variants that put the original MBR at 0,0,2 and >0,0,8. This is irrelevant. What is rellevant is that the problem with >Michelangelo occurs exactly because the "standard" Stoned variant put >the original MBR at 0,0,7 - at the same place as Michelangelo, and >because the two viruses do not recognize each other. Oh, come on, it is relevant. The original problem: Disinfection of a Stoned and MIchelangelo infection. Where they move the orig. MBR is quite important, because in one case, it is possible to remove the viruses by pulling the original MBR up, and in the other, it is not. - -- || Kevin Marcus, Computer Virologist. (619)/457-1836; RE-xxx, TSCAN || || INET: tck@bend.ucsd.edu []-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[] || tck@fold.ucsd.edu || All I wanted was a Pepsi... || || datadec@watserv.ucr.edu || And she wouldn't give it to me...|| ------------------------------ Date: Thu, 24 Dec 92 18:50:03 +0000 From: Jean_Vanhove@f108.n321.z9.virnet.bad.se (Jean Vanhove) Subject: ANTI-tel (PC) Hello all, warning!!! Anti-tel virus found on a local cite in Belgium. Reading vsum : status RARE Barcelona June 1991. Found twice removed with clean version 97b detected with scan version 89. No dataloss, partion table was damaged, but the virus was discovered in an early stade. Groetjes, Jean Vanhove Sysop De Bosbeer 2:292/124 9:321/108 - --- FMail 0.92+ * Origin: bosbeer is er bij (9:321/108) ------------------------------ Date: Wed, 30 Dec 92 08:51:28 +0000 From: haverkam@uni-duesseldorf.de (Wilhelm Haverkamp) Subject: Info on Vascina and 1701/1704 in Novell networks wanted (PC) Who has got experiences with Vascina and 1701/1704 viruses on Novell networks (SFT 286, V. 2.15)? What would be the correct reaction of the system administrator? Any help will be appreciated. Please mail directly to me. Best wishes for 1993. Wilhelm ------------------------------ Date: 29 Dec 92 06:47:00 +0000 From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: Does anyone have info on DAME (PC) Quoting from Dave Mickle X5205 to All About Does anyone have info on on 12-20-92 DM> We've got a PC which is displaying a message to the effect it's DM> infected by the "DAME" virus. Don't know what symptoms there are in DM> addition to the message. We're going to do a low level format, but DM> would like to know what we've contracted. I don't know of a DAME virus. Did yje virus display that information, or did McAfee's Scan report this? If this was reported by Scan, it found a a virus that uses the DAME (Dark Avenger Mutation Engine). The DAME also known as MtE is a routine that causes the virus to mutate. Bill - --- * WinQwk 2.0 a#383 * Viruses often make my FAT go on a crash diet. ------------------------------ Date: 29 Dec 92 06:37:00 +0000 From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: MS-DOS CHKDSK & VER /R (PC) Quoting from A. Padgett Peterson to All About MS-DOS CHKDSK & why VER / on 12-20-92 AP> Further, COMP finds no difference between this COMMAND.COM and the on AP> just expanded from a new set of distribution disks that is dated 11-1 Just for your information, FC (File Compare) does a better job at comparing files than COMP. Bill - --- * WinQwk 2.0 a#383 * SURIV 3.0 activates Friday the 13th ------------------------------ Date: Tue, 22 Dec 92 17:04:50 -0500 From: celustka@sun.felk.cvut.cs (Celustkova-k336-doktorand(Richta)) Subject: Good use of (possible bad) viruses Hi boys and girls, (a day of inspiration,huh ?) Just one of those days...Two examples of good use of (possible bad) viruses come to my mind : 1. Viruses written to improve an A-V product The logic is simple. It is better that I write virus which can do this or that and have prepared solution to implement in my A-V product than wait that such virus arises in wild and then react. That means if I know that today exist viruses which could be stealthy, tunneling or polymorfic why shouldn't I write virus which is all that and design my A-V product to recognize such virus before it really appears in wild. (Well, maybe it is not commercial, I don't know). If such virus *by accident* escape from my lab I already have a response and there is no ethical problem at all. 2. Viruses built in an A-V product (it's just an idea, don't blame me if it is not applicable in reality) Suppose that we have an A-V product which in regular intervals or randomly send a virus in system. Virus (fast infector) infects only programs which checksum doesn't correspond to previously calculated values. If no such program is found virus deletes itself or removes from memory. If changed program found virus activates scanner to check if there is any known virus. If known virus is found message is sent to the user. If program is changed and no known virus is found the message is sent to the user to make decision. If decision is to leave program as is, virus cuts itself from the program. The whole process (except messages) takes place in background. There is no need for all A-V program (which is combination of I-checker and scanner) to be TSR, only virus is occasionally TSR. There is slight similarity in this idea with reaction of human immunity system. Anyone has ethical problem with her/his own immunity system ? Cheeeers, Suzana ____________________________________________________ / / | | / |\__/| / | We wish you Merry Christmas | /~~~~~~\ / \ | and Happy New Year ! | ~\( * * )/~~\( 0 0 )/~ |______________________________| ( O ) ( O ) \______/ \______/ @/ \@ @/ \@ - --------------------------------------------------------------------------- Address: Suzana Stojakovic-Celustka e-mail addresses: Department of Computers celustka@sun.felk.cvut.cs Faculty of Electrical Engineering celustkova@cs.felk.cvut.cs Karlovo namesti 13 12135 Prague 2 phone : (+42 2) 293485 Czechoslovakia fax : (+42 2) 290159 ------------------------------ Date: Tue, 22 Dec 92 17:04:48 -0500 From: celustka@sun.felk.cvut.cs (Celustkova-k336-doktorand(Richta)) Subject: Good and bad viruses (was FC on virus creation) With properly defined computer virus there shoudln't be doubts what is a good and what is a bad virus. Or should be ? Let's suppose that bad virus is intended to cause some unwanted function in system. Some programs (even antiviral) can do the same thing, (what is unwanted function anyway ?) but they cannot propagate. Good virus can propagate, but it is supposed to not invoke anything unwanted. But, by definition good virus can mutate, so can become bad virus. Also, good virus on one system can be bad virus on another system (causing some unwanted function). Could all bad viruses be good viruses ? Yes, because without them many A-V producers would loose their source of money. Can all good viruses be bad viruses ? Yes, because they are viruses (something very suspicious). Confusing ? Not to anyone who ever met chinese philosophy and principles of Yin and Yang. Shortly, good and bad are inseparable and dependent one of the another (you can't define good without defining bad and vice versa). So, what to do ? Let's throw (unnecessary) philosophy and look at (poor) simple PC user. S/he finds something weird on her/his PC and suspects it could be a virus (whatever could be called by that name). S/he chooses some A-V product and tries to solve the problem. If the product solves problem and everything is like before user is satisfied. And that should be the main goal of every A-V producer. If Fred Cohen's customers are satisfied with his product why all that complaining about ethical correctness. Ask them if they have any ethical problem using that product. If they are not satisfied that is Fred Cohen's problem and he has to solve it. Simple, isn't it ? Cheeers, __________________________ | | Suzana /| I'm a good virus! |\ |\__/| /~~~~~~\ / | He's a bad virus! | \ / \ ~\( * * )/~ |__________________________| ~\( 0 0 )/~ ( \___/ ) ( /---\ ) \______/ \______/ @/ \@ @/ \@ - --------------------------------------------------------------------------- Address: Suzana Stojakovic-Celustka e-mail addresses: Department of Computers celustka@sun.felk.cvut.cs Faculty of Electrical Engineering celustkova@cs.felk.cvut.cs Karlovo namesti 13 12135 Prague 2 phone : (+42 2) 293485 Czechoslovakia fax : (+42 2) 290159 ------------------------------ Date: 24 Dec 92 22:10:21 +0000 From: ygoland@edison.SEAS.UCLA.EDU (The Jester) Subject: Re: Viral Based Distribution System bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >ygoland@edison.SEAS.UCLA.EDU (The Jester) writes: > >> If this is an >> effective means of distribution then why use a virus at all? > >The question is incorrect. According to Dr. Cohen's definition, "this" >- -is- a virus. And, since you are using it to do something you would >like to be done, it is obviously a benevolent virus. Do you see the >misunderstanding now? It's all matter of definitions... Yes.. I understand. And may I say I STRONGLY disagree with Dr. Cohen's definition. A program in the login script that checks if you have been updated and then updates you is NOT a virus. The program in the loader does NOT reproduce itself it reproduces another program which is itself NOT a virus. (Lets ignore the obvious case where the loader installs an infected program =) For me the acid test of a virus is:Can it reproduce itself? Is the login script programing trying to run around and find other login scripts or executable files to infect? No. It doesn't infect anyone! 'Damnit Jim, its not alive!' >> In conclusion, a system that changes in an unpredictable manner, >> that uses hard to track mechanisms of change, is a security >> nightmare. > >Yup... Ever tried MS Windows?... :-) After reading this line I laughed so hard I almost fell out of my chair. AS a matter of fact I have. Thats why I now run on OS/2. What do you say about a program whose most recent release has as it's main selling point "we fixed all the bugs in our previous release". Of course microsoft doesn't have 'bugs', they have 'features'. =) But I digress. >> The Jester-PGP Ver2 upon Request >Please consider this a request... :-) Actually I bet you already have it, I have yours. You can finger me but I'll send it to you anyway just to be annoying. =) Yaron (The Jester) Goland p.s. see mister moderator, I remembered!!! =) - -- The Jester "Whats a Knock Out like you doing in a computer generated Gin joint like this one?"-William Riker "I'm god, whats your excuse?"-The Jester ------------------------------ Date: Fri, 25 Dec 92 16:36:04 +0700 From: jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers) Subject: TBAV 5.02 and VSIG9214 upload (PC) Hi all, I just uploaded to oak.oakland.edu and garbo.uwasa.fi the following files: VSIG9214.ZIP VIRSCAN.DAT with fix for TBSCANX TBAV502.ZIP TBAV utils 5.02 (was tbscanXX.zip) TBAVU502.ZIP TBAV utils upgrade 5.01 to 5.02 TBAVX502.ZIP TBAV utils 5.02 processor optimized version BTW: Merry X-mas and a healty 1993! - -- jeroen voice: +31-2522-20908 (19:00-23:00 UTC) snail: P.O. Box 266 jeroenp@rulfc1.LeidenUniv.nl 2170 AG Sassenheim jeroen_pluimers@f256.n281.z2.fidonet.org The Netherlands ------------------------------ Date: Fri, 25 Dec 92 00:15:35 -0800 From: rslade@sfu.ca Subject: The Internet Worm (CVP) HISVIRO.CVP 921215 The Internet Worm By the fall of 1988, VIRUS-L had been established (let's hear it for Ken!) and was very active. Issues were, in fact, coming out on a daily basis, so I was quite surprised when I didn't receive one on November 3rd. I didn't get one on November 4th, either. It wasn't until November 5th, actually, that I found out why. Most machines on the net were not of the type that the Worm would have affected. The Worm was only able to run and propagate on machine running the UNIX operating system, and then only those with specific versions and specific CPUs. However, given that the machines that are connected to the Internet also comprise the transport mechanism for the Internet, a "minority group" of machines, thus affected, impacted the performance of the net as a whole. I learned it, initially, from a newspaper report. However, by the 5th I was also starting to get mailings across the net again. During the run of the worm, a sufficient number of machines had been affected that both email and distribution list mailings were impaired. Some mail was lost, either by mailers which could not handle the large volumes that "backed up", or by mail queues being dumped in an effort disinfect systems. Most mail was not lost, but was substantially delayed. The delay could have been caused by a number, or combination of factors. In some cases mail would have been re-routed, via a possibly less efficient path, after a certain time. In other cases "backbone" machines, affected by the Worm, were simply much slower at processing mail. In still others, mail routers would either crash or be stopped, with a consequent delay in mail delivery. Ironically, electronic mail was the primary means that the various parties attempting to deal with the worm were trying to use to contact each other. By Sunday, November 6th, things were pretty much back to normal. Mail was flowing, distribution lists and electronic "periodicals" were running and the news was getting around. The one difference was the enormous volume of traffic given over to one topic: the Internet Worm. The Internet Worm is still the pre-eminent case of a viral program in our time. Even today, no "virus" story in the popular media is complete without some reference to it. It rates a mention in "The Cuckoo's Egg". Each school term brings fresh requests for bibliographic material on it (sparked, one suspects, by either choice or assignment of essay topics). Currently (December of 1992) there is a "thread" running on comp.security.misc on "Fun things to do with RTM" which occupies about half the total bandwidth. In many ways this fame (or infamy) is deserved: the Internet Worm is the story of data security in miniature. The Worm used "trusted" links, password cracking, security "holes" in standard programs, standard and default operations and, of course, the power of viral replication. copyright Robert M. Slade, 1992 HISVIRO.CVP 921215 ============== Vancouver ROBERTS@decus.ca | Slade's Law of Computer Institute for Robert_Slade@sfu.ca | Literacy: Research into rslade@cue.bc.ca | - There is no such thing User p1@CyberStore.ca | as "computer illiteracy"; Security Canada V7K 2G6 | only illiteracy itself. ------------------------------ Date: Mon, 28 Dec 92 15:57:00 -0800 From: Richard W. Lefkon Subject: March Virus/Security Conference 6th INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE AND EXPOSITION Wed thru Fri - March 10-12, 1993 - Madison Square Garden Ramada, NYC spons by DPMA Fin Ind. Ch. in coop. with ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInypc, IEEE Computer Society Box 894 NY NY 10268 (800) 835-2246 x190 NOVELL'S REKHI KEYNOTES "IDES OF MARCH" SECURITY CONFERENCE - ----------------------------------------------------------- UNIX Head for USL's New Owner Joins IBM, Apple Security Chiefs -------------------------------------------------------------- - - New York [Information on conference: Judy Brand, (800) 835-2246 x190] With increased emphasis on hacker and virus attacks across systems, the Sixth International Computer Security and Virus Conference and Exposition has announced Kanwal Rekhi, Novell, Inc.'s EVP and General Manager for Interoperability, as the March, 1993 Keynote Speaker. Tentatively titled "Seamless Security," Rekhi's talk will focus on UNIX strategies, TCP/IP, internetworking with workstations and microcomputers, and network management. His confirmation comes on the heels of Novell's UNIX Systems Laboratories coup. He will speak Thursday, March 11, middle day of the annual "Ides of March" conference, at the glass-enclosed 18th Floor of New York's Madison Square Garden Ramada Hotel. More than two thousand attendees are expected for the three days of security security courses, panels, research papers and product exhibits. Ninety speaker from seven continents will be distributed over the 46 sessions in five confer- ence tracks, and 70 vendors of computer and network protection will demonstrate their wares. This year's theme is "Global vs. Corporate Solutions." The conference is sponsored by the DPMA Financial Industries Chapter, in cooperation with ACM-SIGSAC, Boston Computer Society, Corporation for Open Systems, New York LAN Association / NetWare Users International, Communications Managers Association, local chapters of EDP Auditors association and Information Systems Security Association, and the 90,000-strong IEEE Computer Society. Because a great number of world class security authorities speak here each March, two European-based international security groups will hold one-day meetings nearby. Lead Speaker in the Research and Technical Track is Willilam Vance, computer security head for IBM Corporation. Other speakers and session chairs include Jane Paradise, security head for Apple Corp.; Gail Thackeray, leading prosecutor of toll fraud and telecom break-ins; Robert Schiffreen, British hacker who managed to invade the Queen's husband's computer mailbox, was exonerated by Parliament, and then wrote a book explaining how to protect against attacks like his; and Scott Charney, head of the U. S. Justice Department's initiative against computer crime. Mr. Rekhi of Novell previously served as President and CEO of Excelan, a $100 million per year public company which merged with Novell in 1989. Having previously overseen all product and technology development for Novell, he currently is responsible for Univel, connectivity and messaging products, internetworking products and network management products. The "Ides of March" conference, nicknamed to match the season and the effort to avoid sneak attacks on computers and networks, played a key role in combatting last year's outbreak of Michelangelo Virus on personal computers. Technician Roger Riordan of Australia first announced and named Michelangelo at this event in 1991, and subsequent collaboration by various speakers enabled most anti-virus products to recognize and defeat the electronic parasite before it could destroy too many valuable business files. CBS and ABC television spotlighted the 1992 event, as well as a variety of industry and general circulation periodicals. Press conference is scheduled for 11:00 am Wednesday, March 10, at the Ramada. A "Meet the Experts" sit-down reception for press and registrants will take place Thursday evening at the Empire State Building Obeservatory. Floor management at this year's event will be handled by Expoconsul International, which also runs computer and network conferences such as DEXPO, Open Systems Initiative, and Microcomputer Graphics. ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 3] ****************************************