VIRUS-L Digest Monday, 11 Feb 1991 Volume 4 : Issue 26 ****************************************************************************** Today's Topics: Hepnet or Wank worm (VAX VMS) Re: Help with Mac virus Re: Virus questions (PC) STONED virus/ McAfee Associates (PC) Detecting modified bootsectors (was:Re: Boot sector self-check (PC)) Re: Hard Disks (PC) Two recent articles on computer networking Book review - "Consumer Report: Virus Scanners" (PC) Computing & Values Conference, N C C V / 91, Aug 12-16 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 23 Jan 91 02:21:00 +0000 From: andrew.mckendrick@f854.n681.fido.oz.au (Andrew McKendrick) Subject: Hepnet or Wank worm (VAX VMS) Having not had access to a DEC mainframe and ACSnet for a year or so, I've lost track of what was happening with the Hepnet/Wank worm that had been reported to be screaming around mainframe nets. Can anyone update me on what has happened to that worm?? Andrew Mckendrick [Ed. Two versions of WANK were seen on SPAN and other DECNET networks in October 1989. Both versions seemed to run their course within a couple of days. CERT put out an advisory (filename CA-89:04.decnet.wank.worm) on October 17, 1989 - available by anonymous FTP on cert.sei.cmu.edu in pub/cert_advisories. The advisory provides an analysis of the WANK worms.] - --- LED ST 0.10 * Origin: 520StE... Is Modula-2 wirth it?. (3:681/854.3) ------------------------------ Date: Sun, 10 Feb 91 18:10:16 -0500 From: dg@titanium.mitre.org Subject: Re: Help with Mac virus >Hi, all! > >I'm a reporter at the Middlesex News in Framingham, Mass. The new >governor here had some trouble getting his budget to the Legislature this >week, allegedly because of a virus, and I'd be most grateful if somebody >could help me out with a story. > >... > >Adam Gaffin Far cry from the Justice, eh? Observation number 1: Interferon is outdated. Many of the applications that are around now did not exist when Bob Woodhead first wrote Interferon. Furthermore, some of the applications that were around then (notably TOPS) caused Interferon to issue erroneous messages. The aide in question should be using the much more recent Disinfectant (freeware), SAM 2.0 (from Symantec), Virex (from HJC), or Rival (Microseeds I think). Observation 2: Mac viruses are not easier to write than PC viruses for the same reason Mac application are not easier to write than PC applications. Apple has a varied & well defined set out routines (together they comprise something called the Macintosh Toolbox) for things like opening and closing files, drawing windows on the screen, creating buttons and menu items and so on. There's a five volume, several hundred page tome devoted to documenting these routines! It is much easier to write viruses for DOS based systems (and I suspect Windows is included here) because DOS has a much simpler set routines available from the operating system. If I've confused you there, take a good look at the number of different viruses and strains of viruses that infect each platform. When I last checked (and this was awhile ago), there were some 5 different Mac viruses, with no more than five variations on a particular strain: total of about a dozen Mac viruses. At the time, the number of PC viruses numbered 23 distinct strains and over a 100 total viruses. Alot of has to do with the number of vandals writing viruses for the Mac vs. DOS, but it also has to do the relative ease with which viruses can be written for DOS vs. the Mac. Observation 3: The only way a virus can infect a clean system is (as you correctly surmised) someone has to bring an infected application on to the clean system. The infected application does not have to come from home though. There have been cases (mentioned here) where applications are bought off-the-shelf, shrink wrap intact, that are infected. This is a fundamental characteristic of all viruses, although some viruses are smart enough to use the facilities of the target machine's operating system to infect the machine without a specific application being run. They use facilities that are always "running" on the computer. Trivia: Former Gov. Dukakis is the only political figure to have a virus named for him. In the early days of the '88 Presidential campaign, a teenager in Florida wrote a virus that infected Hypercard stacks. The virus in question would flash a message "Dukakis in '88" or some-such. There is no connection between the young man and Dukakis or Dukakis' Presidential campaign. David Gursky ------------------------------ Date: 11 Feb 91 01:16:47 +0000 From: millerje@holst.tmc.edu (jeffrey scott miller) Subject: Re: Virus questions (PC) While I am by no means a virus expert, I hope these answers help... boone@athena.cs.uga.edu (Roggie Boone) writes: >I have 4 questions regarding computer viruses. I am rather new to the >study of compuer viruses and the texts that I have read have not answered >these questions for me. > >1) I have seen the SCAN software (MaAffee) scan a computer's memory for > viruses and noticed that it only scanned the base 640K of RAM. Do > viruses typically not infect or use extended/expanded memory? Are there > virus scanning packages that will scan the additional memory? I raise > this question, because it seems I read somewhere that some computers > with certain memory management drivers may not erase the contents of > extended memory on a warm boot, and hence may not erase any virus that > may be sitting in extended memory. (My memory isn't too good on this > topic). It would seem to be a waste for any virus to affect EMS, as not all pc users have exp/ext memory, while ALL users (I hope!) have 1 MB. Furthermore, I would assume that any hi memory managers would be able to detect a change in high memory, as they usually intercept the vectors. >2) Are there anti-virus packages (for PC or any computer) that use > artificial intelligence techniques to protect the system, or is such > an effort overkill? Artifical intelligence? For what purpose. 99% of scanning for viruses just requires looking for a "search string". The only way AI might help is to see if there is more disk activity than normal, but how do you define "more disk activity"? >3) Not meaning to plant ideas, but I was talking with a facutly member > in the dept. where I work, and the question arose as to whether a virus > could be transmitted to an orbiting satellite and cause the same havoc > that viruses cause us PC users. Is this possible? Any thing is possible... whether it's likely or not is another story... >4) I have also noticed that SCAN, for instance, scans basically the .EXE, > .COM, .SYS, .OVL files in a directory. Do viruses not infect .TXT or > .DOC files or maybe C (Pascal, Basic) source code? True. Viruses cannot infect text files, as they are never executed. Viruses CAN look to see if a certain filetype is being accesses (i.e. .DBF), but since there is no executable code in a text file, there is no way a virus can "latch" onto the file. _____________________________________________________________________________ | | | "NUKE THE UNBORN GAY WHALES!" | Jeff Miller | | - graffiti | millerje@handel.CS.ColoState.Edu | |_____________________________________________________________________________| ------------------------------ Date: Sun, 10 Feb 91 21:45:01 +0000 From: Dale Fraser Subject: STONED virus/ McAfee Associates (PC) We had a bit of trouble with PC's here around the university with the stoned virus. Luckily we had a write-protected and clean copy of McAfee Accociates Scan and Clean programs. It is very easy to use and if you are a registered user, there is a help line in case you have any problems or questions. My computer was infected but I cleaned the virus out before anything could happen. This product is highly recommended by myself and a couple other PC users around campus. Dale ------------------------------ Date: 11 Feb 91 10:55:14 +0000 From: merckens@dbf.kun.nl (Merckens A) Subject: Detecting modified bootsectors (was:Re: Boot sector self-check (PC)) The last few days I have read the discussion about detecting bootsector and partitiontable viruses. What struck me was, that the solution I use for over one year now, is still unknown to the net. The solution, which can be found in BOOTCOMP.ZIP, is based on methods used by these viruses (to catch a thief ....) Just like William A. Gatliff (gt154@prism.gatech.edu), I have created a program to read and save the bootsector and partition table to a file. But what is new, or at least what I have not seen from others, is that the program - BOOTCOMP.exe - that compares the "current" bootsector and partition table with the saved one, uses the ORIGINAL BIOS interrupts. "How does the program know where the original BIOS interrupts are?", you may ask, "since they are different for each machine, depending on the Bios and Harddisk controller". Well, the answer it is surprisingly simple. Eventhough I am not a assembler whiz, I managed to write a piece of code in assembler. This piece of code replaces the bootsector of a floppy disk, and should be written to the bootsector of this disk. This can be done by a program in the BOOTCOMP package (BOOTPUT.exe). Of course, before doing this, the computer should have been booted from an uninfected system disk. The file BOOTCOMP.exe should also be copied to the disk with the new bootsector. After this has been done, the computer should be booted from this floppy. The code in the bootsector then catches the original BIOS interrupts and patches them to the file BOOTCOMP.exe. Since no software, except in ROM, will be executed before executing the bootsector-code, it is 100% sure that the interrupts saved are the original BIOS interrupts (assuming installation of the new bootsector in an uninfected system). When the program BOOTCOMP.exe is called, it uses the original interrupts to get the "current" bootsector and partition table. So even if a virus has taken the interrupts, we will indeed get the true information, and comparison is correct. I am sure that this method can detect ALL bootsector and partition table viruses, also the ones that have yet to be developed by malicious persons. However, since I only have access to one bootsector-virus, maybe other netters will test if this statement holds true. I will upload the BOOTCOMP package to SIMTEL. As should be done more often, the complete source code is included. Arjen Merckens Internet: ambase@rugr86.rug.nl, merckens@cana.can.nl Bitnet : hgrrug5@ambase ------------------------------ Date: Mon, 11 Feb 91 15:38:07 +0700 From: Karl Keyte Subject: Re: Hard Disks (PC) ...but it's _highly_ unlikely that two PCs with the same type of disk have both the same number of bad sectors and IN THE SAME PLACE. In fact, it's so unlikely that it's very suspicious. That's not to say that it's unlikely that there's a similar disk somewhere with exactly the same bad sectors, but just two side-by-side PCs... no way! ------------------------------ Date: Mon, 11 Feb 91 09:48:28 -0600 From: "Fred Davidson" Subject: Two recent articles on computer networking Two recent articles on computer networking: (1) Pierce, et al. 1990. Computer networking for educational researchers on BITNET. **Educational Researcher** 20:1, Jan/Feb 1991, pp. 21-23. [Information on LISTSERV -- e.g. how to subscribe to LISTSERVers, how to get listst of LISTSERVers, etc. Nb. This is a LISTSERVer] (2) Coursey, David. 1991. Riding the internet: the vast collection of networks is a mystery even to people who call it home. **InfoWorld** 13:5, Feb 4,1991. Pp. 48-49. [Overview of INTERNET w/schematic map of main nodes, information on Usenet (the information service) and commercial links to academic/research networks] ------------------------------ Date: Mon, 11 Feb 91 14:50:47 -0500 From: Gene Spafford Subject: Book review - "Consumer Report: Virus Scanners" (PC) I finished reading "Consumer Report: Virus Scanners" by Dr. David Stang of the National Computer Security Association. This is an *extensive* report of tests done on various virus scanning software. Included in the test were: Cterus LAN 2.0, EliaShim ViruSafe 3.06 and 3.08, Fink AntiVirus 9.0, HTScan 1.11, IBM's VirScan 1.3, McAfee Scan V73, Skulason's F-Prot 112, and Trend's PC-cillin 2.95B. The test gives comprehensive results of scanning against 95 different viruses, boot sector infectors, and stealth viruses. The report also discusses issues of speed, accuracy, configurability, virus removal and integrity protection as features, batch mode operation, and price. My own personal conclusions are that the combination of F-PROT and IBM's VirScan is by far the most effective (and most cost-effective) combination you could possibly have. The combined cost of the two for a site license would be $26. Compare that with a site license fee that may run into several tens of thousands of $$ for McAfee's products, which (in my opinion) don't work as well. (It's a mystery to me why people continue to use McAfee's products.) The cited report, along with an excellent guide to virus characteristics and statistics entitled "Computer Viruses," is available from NCSA at: NCSA Suite 309 4401-A Connecticut Ave. NW Washington, DC 20008 phone: 202-364-1304 fax: 202-244-7875 Note that these reports apply ONLY to IBM-PC-type viruses and software, not to Macs, Amigas, etc. I have no direct or financial association with NCSA, and I've never even met Dr. Stang, but I am very impressed by his efforts. If you have some budget for well-researched virus information, I'd say to check these out. - -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu phone: (317) 494-7825 ------------------------------ Date: 09 Feb 91 17:36:38 +0000 From: bgsuvax!maner@cis.ohio-state.edu (Walter Maner) Subject: Computing & Values Conference, N C C V / 91, Aug 12-16 FIRST CALL FOR PARTICIPATION NCCV/91 THE NATIONAL CONFERENCE ON COMPUTING AND VALUES AUGUST 12-16, 1991 NEW HAVEN, CONNECTICUT The National Conference on Computing and Values will address the broad topic of Computing and Values by focusing attention on six specific areas, each with its own working groups. - Computer Privacy & Confidentiality - Computer Security & Crime - Ownership of Software & Intellectual Property - Equity & Access to Computing Resources - Teaching Computing & Values - Policy Issues in the Campus Computing Environment CONFERENCE HIGHLIGHTS -- Details follow o Active role for all attendees o Free associate membership in the Research Center on Computing and Society o Valuable take-home materials o A user-friendly conference o A family-friendly conference o Unique aspects o Members of the Planning Committee o Partial list of confirmed speakers o Modest cost o Further information and registration ACTIVE ROLE FOR ALL ATTENDEES A special feature of the National Conference on Computing and Values will be the active role of all attendees. Each attendee will belong to a small working group which will "brainstorm" a topic for two mornings, then recommend future research. On the third morning, each group will report the results of its activities to the assembled conference. (Group reports will be incorporated into the published proceedings of the conference.) In addition, each person will be able to attend five keynote addresses, three track addresses, three track panels, two evening kick-off events, two evening enrichment events, and four days of exhibits and demonstrations. FREE ASSOCIATE MEMBERSHIP IN THE RESEARCH CENTER ON COMPUTING AND SOCIETY Every attendee can become an Associate of the Research Center on Computing and Society for two years free of charge. Associates receive the Center newsletter, announcements of Center projects, lower registration fees at Center sponsored events, and access to the Center's research library on computing and values. VALUABLE TAKE-HOME MATERIALS The conference will provide a wealth of materials on computing and values, including articles, government documents, flyers about organizations and publications, a special "Resource Directory on Computing and Society," and a "track portfolio" of materials for each of the six tracks. Every attendee will receive a copy of the resource directory, the track portfolios, plus many other useful materials. A USER-FRIENDLY CONFERENCE The conference will be held on a residential campus at a quiet time between semesters. Adequate time for meals, conversations, and relaxation is scheduled. There will be social events, such as an ice cream social and a conference barbecue. In addition, various lounges will have coffee, tea, juice, and snacks all day to encourage conversation among participants. The conference will include individuals from six different professional groups: Computer Professionals, Philosophers, Social Scientists, Public Policy Makers, Business Leaders, and Academic Computing Administrators. A FAMILY-FRIENDLY CONFERENCE Family members of attendees will be able to use university facilities, such as the swimming pool, playing fields, tennis courts, and TV lounges. In addition, a day-care center, baby sitting service, and bus trips to local tourist attractions will be available. Attendees' spouses will be welcome at conference social events; and both spouses and children may attend the conference barbecue. UNIQUE ASPECTS The National Conference on Computing and Values will be one of most significant assemblies of thinkers on computing and values ever to gather in one place. Among the nearly 50 speakers who will address the 500 conference attendees are philosophers, computer scientists, lawyers, judges, social scientists, researchers in artificial intelligence, and experts in computer security. The conference also will feature one of the most comprehensive exhibits of materials ever assembled on computing and values. The exhibit will including books, journals, articles, government documents, films, videos, software, curriculum materials, etc. Hosted by Southern Connecticut State University, including the Research Center on Computing and Society, Philosophy Department, Computer Science Department, Adaptive Technology Laboratory, and the journal Metaphilosophy. Planned in cooperation with: The American Association of Philosophy Teachers, the American Philosophical Association, the Association for Computing Machinery, the Canadian Philosophical Association, Computer Professionals for Social Responsibility, and the Institute of Electrical and Electronics Engineers. Funded, in part, by grants from the National Science Foundation (DIR-8820595 and DIR-9012492). MEMBERS OF THE PLANNING COMMITTEE Terrell Ward Bynum, Co-chair Walter Maner, Co-chair Ronald E. Anderson Gary Chapman Preston Covey Gerald Engel Deborah G. Johnson John Ladd Marianne LaFrance Daniel McCracken Michael McDonald James H. Moor Peter Neumann John Snapper Eugene Spafford Richard A. Wright PARTIAL LIST OF CONFIRMED SPEAKERS Ronald E. Anderson, Chair, A C M Special Interest Group on Computing and Society; Co-Editor, SOCIAL SCIENCE COMPUTER REVIEW Daniel Appelman, Lawyer for the USENIX Association, Specialist in Computer and Telecommunications Law Leslie Burkholder, Staff Member of the Center for the Design of Educational Computing, Carnegie-Mellon University; Editor, COMPUTERS AND PHILOSOPHY David Carey, Author and Speaker on Software Ownership; Doctoral Dissertation on Software Ownership; Assistant Professor, Whitman College, WA Gary Chapman, Executive Director, Computer Professionals for Social Responsibility; Editor, JOURNAL OF COMPUTING AND SOCIETY Marvin Croy, Author and Researcher on Ethical Issues in Academic Computing; Associate Professor of Philosophy, University of North Carolina at Charlotte Gerald Engel, Vice-President of Education, Computer Society of the I E E E; Member, Computing Sciences Accreditation Board; Editor, COMPUTER SCIENCE EDUCATION Batya Friedman, Co-Editor of Computer Professionals for Social Responsibility Anthology of Computer Ethics Syllabi; Teacher of Computer Ethics at Mills College, CA Don Gotterbarn, Researcher and Speaker on Computer Ethics; Associate Professor of Computer and Information Sciences, East Tennessee State University Barbara Heinisch, Co-Director, Adaptive Technology Computer Laboratory, Southern Connecticut State University; Associate Professor of Special Education Deborah G. Johnson, Chair, Committee on Computers and Philosophy of the American Philosophical Association; Author of the textbook COMPUTER ETHICS John Ladd, Professor Emeritus of Philosophy, Brown University; Author of articles on Ethics and Technology Marianne LaFrance, Project Director, "Expert Systems: Social Values and Ethical Issues Posed by Advanced Computer Technology"; Associate Professor of Psychology, Boston College Doris Lidtke, Editorial Staff, Communications of the A C M; Professor of Computer and Information Sciences, Towson State University Walter Maner, Director of the Artificial Intelligence Project, Bowling Green State University; Author of Articles on Computer Ethics Dianne Martin, Researcher and Curriculum Developer in Computers and Society; Co-Chair of "Computers and the Quality of Life 1990", A C M / S I G C A S conference Keith Miller, Computer Science, the College of William and Mary; Author and Speaker on Integrating Values into the Computer Science Curriculum James H. Moor, Member, Subcommittee on Computer Technology and Ethics, American Philosophical Association, Author of Articles on Computer Ethics William Hugh Murray, Consultant and Management Trainer in Information Systems Security; Past Fellow on Information Security with Ernst & Young Accountants Peter Neumann, Senior Researcher in Computer Science, S R I International; Chair, A C M Committee on Computers and Public Police; Editor, Software Engineering Notes; Moderator of COMP.RISKS George Nicholson, Judge of the California Superior Court, Head of the "Courthouse of the Future" Project Judith Perolle, Researcher on "Ethical Reasoning about Computers and Society"; Associate Professor of Sociology, Northeastern University John Snapper, Illinois Institute of Technology; Author and Editor in COMPUTER ETHICS; Member of the Center for the Study of Ethics and the Professions Eugene Spafford, Member A C M - I E E E Joint Task Force on Computer Science Curriculum; Author of Articles and Reports on Computer Viruses and Security Willis Ware, Researcher, Author and Speaker on Computers and Privacy Terry Winograd, Past President of Computer Professionals for Social Responsibility; Author and Researcher in Artificial Intelligence Richard A. Wright, Executive Director, American Association of Philosophy Teachers; Director, Biomedical and Healthcare Ethics Program, University of Oklahoma Bryant York, Professor of Computer Science, Boston University; Director of the Programming by Ear Project for visually handicapped individuals MODEST COST Registration Fee - ---------------- Before 7/1/91 After 7/1/91 regular $175.00 $225.00 student $ 50.00 $100.00 Food (entire conference) - ------------------------ $90.00 (adult) $50.00 (child) Dormitory Room (entire conference) - ---------------------------------- Before 7/1/91 After 7/1/91 adult (double occupancy) $100.00 $110.00 adult (single occupancy) $150.00 $175.00 child $40.00 $50.00 There are a limited number of single occupancy rooms available. A few Room & Board Scholarships are available. FURTHER INFORMATION AND REGISTRATION Registration for the National Conference on Computing and Values is limited to 500 people (about 85 from each professional group). It is highly recommended that you pre-register well in advance to ensure a place in the conference. To receive a set of registration materials, please supply the requested information (see "coupon" below) to Professor Walter Maner, the conference co-chair: By E-Mail: BITNet MANER@BGSUOPIE.BITNET InterNet maner@andy.bgsu.edu (129.1.1.2) CompuServe [73157,247] By Fax: (419) 372-8061 By Phone: (419) 372-8719 (answering machine) (419) 372-2337 (secretary) By Regular Mail: Professor Walter Maner Dept. of Computer Science Bowling Green State University Bowling Green, OH 43403 USA /------------------------- COUPON ---------------------------\ First Name: Last Name: Job Title: Phone: Institution or Company: Department: Building: Street Address: City: State: Zip: Country: Email Address(s): All attendees will be part of a working group that "brainstorms" a topic and suggests further research for the next five years. PLEASE INDICATE YOUR PREFERENCES BELOW (1 = first choice, 2 = second choice, 3 = third choice): [ ] Privacy & Confidentiality [ ] Equity & Access [ ] Ownership & Intellectual Property [ ] Security & Crime [ ] Teaching Computing & Values [ ] Campus Computing Policies PLEASE MARK *ONE* OF THE FOLLOWING: [ ] Send me registration information ONLY. I'll decide later whether or not to register. [ ] Register me NOW. Enclosed is my check (made payable to "B G S U") for $ to cover all of the following (PLEASE ITEMIZE): Quantity [ ] regular registration(s) [ ] student registration(s) [ ] meal ticket(s) for adult [ ] meal ticket(s) for child [ ] room(s) for adult (double occupancy) [ ] room(s) for adult (single occupancy) [ ] room(s) for child Note that rates change on July 1, 1991. \---------------------- END OF COUPON -----------------------/ InterNet maner@andy.bgsu.edu (129.1.1.2) | BGSU, Comp Science Dept UUCP ... ! osu-cis ! bgsuvax ! maner | Bowling Green, OH 43403 BITNet MANER@BGSUOPIE | 419/372-2337 Secretary Relays @relay.cs.net, @nsfnet-relay.ac.uk | FAX is available - call ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 26] *****************************************