VIRUS-L Digest             Friday, 3 Feb 1989         Volume 2 : Issue 35

Today's Topics:

Hardware lock (PC)
Re: Anti-virus viruses
The Media and Viruses
Review of antenna program
Ethical issues.
Gatekeeper Report (Mac)
nVIR Assassin... (Mac)
VIRUS WARNING: Lehigh Virus version II (PC)

---------------------------------------------------------------------------

Date: Wed, 01 Feb 89 16:06:25 CST
From: James Ford
Subject: Hardware lock (PC)

On a computer with a hard drive, is there any way to (hardware) fix drive "A" so that the computer will always boot from "C" and yet still have the use of "A"? (boot from C always, read/write from A and C)

This may/may not be the correct list to post this to, but I would be interested in your comments. (I guess you could stop SOME destructive programs from spreading this way....)

James Ford
JFORD1@UA1VM.BITNET

------------------------------

Date: Wed, 1 Feb 89 17:50 EST
From: "Mark H. Anbinder"
Subject: Re: Anti-virus viruses

One of the ways viruses cause problems is the incidence of accidental memory-related or incompatibility-caused crashes or similar situations, simply when they propagate. Viruses don't need to intentionally DO something to cause a disk crash or a system crash.

An anti-virus virus would probably cause the same types of problems as it replicated itself trying to seek out nasties. It would be nearly impossible to write such a program that guarded against MOST possible incompatibilities or memory-management problems, much less against ALL possible such problems.

Releasing an anti-virus virus upon the world would be similar to the MacMag virus, which was (theoretically) intended to bring the possible threat of viruses to the attention of the computing world. It would also be similar to the motive some people claim for Robert Morris (one fellow Cornellian of whom I am NOT proud), of warning people of what a virus might do if someone MEAN had written it.
It would be irresponsible in the extreme, and would, most likely, cause more problems than it would solve, even if no one tried to modify it to be intentionally harmful.

Mark H. Anbinder
THCY@CRNLVAX5
THCY@VAX5.cit.cornell.edu
Department of Media Services
Cornell University

------------------------------

Date: Thu, 02 Feb 89 02:46:38 EST
From: Greg Brail
Subject: The Media and Viruses

There's been a lot of complaining recently about how "The Media" has been misleading the public about viruses. As a semi-legitimate member of The Media and as someone who considers himself knowledgeable about computers, I think some clarification is in order.

Basically, reporters try to write stories that people are going to want to read. If a story for a non-technical publication gets bogged down in techno-speak, readers can just as easily read something else. Writing an accurate article about a technical subject like computer viruses that the average reader can understand can be difficult, to say the least.

I know this because I just wrote an article about viruses for the Brown Daily Herald, the student newspaper here. Perhaps I should assume that Brown students would have an easier time with such an article than an "average person." I didn't.

In my article, I referred to the Internet worm as a "virus." The day the article ran, I read in this mailing list that the proper term for the program was "worm," not "virus." Had I known that, I would have corrected the terminology in the article. But the truth is that it probably wouldn't have made much of a difference. To the "average person," a virus is a nasty program that spreads itself from one computer to another and can do bad things. That's probably all anyone needs to know.

What computing professionals must understand is that they must be careful when explaining viruses, or any computer-related issue for that matter, to a reporter. Even if the reporter doesn't ask, "What's a virus," you should probably explain it anyway.
If a reporter asks you about the "Internet virus," you should point out that that program was a worm, not a virus. Reporters don't (usually) make things up. If you don't give them the correct information, they will assume something that looks like a virus is, in fact, a virus, whether they're right or not.

I, too, objected to Newsweek's insinuation that the games spreading through Germany are viruses, although a one-sentence clarification near the top of the article would have been fine. I also wondered why the New York Times and other publications didn't realize that when people hear that "defense department computers were the victim of a virus," they think that the computers that launch nuclear missiles were infected. And the improper use of the term "hacker" really ticks me off.

However, the truth is that many journalists are not stupid, ignorant, or "J-school morons." The best rule for journalists writing about technical issues is to pretend you don't know anything so your sources will explain it for you. When talking to journalists, computing professionals should use the same rule. Don't assume the reporter knows everything about computers, unless you know that particular reporter's work. Take the time to clarify what you're talking about. Many reporters will not stop you if you go too fast, although they should.

Of course, none of this can happen if the computing community cannot decide upon and spread the word about the proper definition of "virus" and other terms. Unfortunately, today's computer users have to know how to protect themselves from viruses. If the computing community takes the responsibility of spreading accurate information to reporters, good reporters will take the responsibility of spreading it to the public.

Greg Brail
ST601396@brownvm.brown.edu
ST601396@brownvm.BITNET
P.O. Box 1020
Brown University
Providence, RI 02912

------------------------------

Date: Thu, 2 Feb 89 10:32:18 GMT
From: David.J.Ferbrache
Subject: Review of antenna program

[Ed. The following message was sent to the United Kingdom distribution of VIRUS-L. Apologies to our UK readers who are reading this for the second time.]

For anyone interested, there was an Antenna presentation on Computer viruses on BBC2 last night. Here is a brief review of the material covered. I guess anyone interested in obtaining a transcript of the program should contact the BBC.

This program provided an overview of the topic of computer viruses, the risk and the possible cures. The concept of a computer virus was explained using the traditional biological analogy, by both Dr A Solomon (IBMPCUG) and Ian MacKay a biologist from Glasgow University. Parallels were drawn between the AIDS virus' ability to disguise itself by changing surface characteristics and that of the computer virus by changing host program. (This ability is extended in newer viruses such as the 1701-Blackjack virus in which the majority of the virus object code is encrypted when on secondary storage).

Examples were presented of infection of IBM PC compatibles (by the Italian virus), the Apple Mac (by nVIR a) and the Amiga (by the SCA virus). The program demonstrated the use of Turin university anti-viral software and the use of Interferon and Vaccine. The conclusion seemed to be that it is a continuous battle between the vaccine developers and the hacker virus writers. In such a battle vaccine writers are at an obvious disadvantage as they strive to obtain information on, and develop countermeasures for new virus strains.

Interviews were given with a number of computer "hackers", and included footage of the Vaxbusters interest group of the Chaos Computer Club; together with demonstrations of actual breakins to the computer systems of Singapore Airlines and NASA.
The integrity of a number of commercial bank computer systems was also questioned, including that of Chase Manhattan.

The program gave a frightening, and emotive portrayal of computer viruses, trojan horses (including Larry the Lounge Lizard), and the insecurity of mainframe systems.

The program enumerated three possible courses of action against computer viruses, namely: vaccine development, change computer and legislation. The conclusion was that vaccines will become impractical as the threat from, and diversity of viruses grows. (Since the source of two viruses has now been published, the threat seems certain to grow). The inference that legislation is necessary with greater restrictions on computer access seemed obvious.

Dave Ferbrache                  Personal mail to:
Dept of computer science        Internet
Heriot-Watt University          Janet
79 Grassmarket                  UUCP     ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ           Tel (UK) 031-225-6465 ext 553

------------------------------

Date: Thu, 02 Feb 89 09:23:01 EST
From: "John P. McNeely"
Subject: Ethical issues.

Currently there are a wide variety of viruses infecting various machines across the world. We know the names of the viruses and the damage that they do. But, with the exception of a few viruses and WORMS, we don't know who the culprits are behind this. What are the ethics behind writing viruses and WORMS? The controversy still surrounds Robert Morris jr. and his motives; the Pakistani brothers wanted to teach people lessons about software piracy. What about the others? We probably will never know who started what, but we can ponder the questions as to why a person would want to write a computer virus or WORM.

Any thoughts on this? Respond to me either directly or to the list. Thank you.

John P. McNeely
BITNET Address: JMCNEELY@UTCVM.BITNET

------------------------------

Date: Thu, 02 Feb 89 20:22:22 PST
From: SPOCK@CALSTATE.BITNET (Commander Spock)
Subject: Gatekeeper Report (Mac)

Although I am *NOT* the author of the program, I would like to post a notice to those who are currently or will be using Gatekeeper; this notice may come in handy. Aside from the notices that the author has published (from what I can count, currently: 2 posted), I find the program quite useful in performing searches for various "virus attacks". At any rate, I will let you folks (not to mention the author) know of any problems that I've run across when using Gatekeeper. I hope that other users/developers/authors will reciprocate with their findings.

Current system setup is as follows:

- Macintosh Plus == 1MB RAM configuration
- RAM cache OFF
- 1 Jasmine 100MB hard drive
- 1 external 800K floppy drive
- various CDEV's including Gatekeeper
- Suitcase II Release 1.0.2

Finding:

1. Have recently upgraded System file to 6.0.3
2. Have recently upgraded Finder file to 6.1
3. Have recently upgraded Control Panel to 3.3.1

Observed Problems:

1. Gatekeeper *DOES NOT* register inside the Control Panel
2. Miscellaneous error dialogs keep popping up:
   - ID = 02
   - ID = 03
   - ID = 22
   - ID = 15

I realize that the 22 and 15 errors may (or may not) have been directly or indirectly related to the execution of Gatekeeper within the Control Panel, provided of course that the close option within the box (the square) has *NOT* been initiated; otherwise, the resulting error is an ID = 02. Could I possibly be doing something wrong? Second, is there a chance that I may be able to obtain a copy of the program (source not necessary) to debug myself (to those who have Gatekeeper 1.0.1)? Three, any further findings that I find unusual simply by having Gatekeeper within my System Folder, I will let you folks know.
I feel that sharing information with those who may be directly or indirectly affected by the proper executing and dependence of this file is a must, not a necessity. I hope that others can feel the same about any quirks that they may find with this file and others for the Macintosh and/or IBM. Should I stand to be corrected (and I have been known to make mistakes...), please let me know what I might be doing wrong.

With best regards,

Robert S. Radvanovsky           spock%calstate.bitnet@cunyvm.cuny.edu
California Polytechnic Univ.    spock@calstate.bitnet
Pomona, California

P.S. I admit, I'M HUMAN! Kind of a bad position for me, wouldn't you think?

------------------------------

Date: Thu, 02 Feb 89 20:43:22 PST
From: SPOCK@CALSTATE.BITNET (Commander Spock)
Subject: nVIR Assassin... (Mac)

Need some help here. I have "nVIR Assassin", version 1.0. I've used it on various machines and removed copies of "nVIR", supposedly. What happened was this: of the 6 applications that were checked, only 2 worked correctly. The programs checked were:

- Microsoft Excel 1.05
- Microsoft Works 2.0
- Reflex Plus
- Filemaker 4
- Font/DA Mover 3.6
- Hypercard 1.2.1

Of the programs that worked, only Font/DA Mover and Filemaker 4 worked. All other programs simply exited to the Finder. Have I done something wrong? I've performed all the necessary steps needed as outlined by the author. What happened?

Robert S. Radvanovsky           spock%calstate.bitnet@cunyvm.cuny.edu
California Polytechnic Univ.    spock@calstate.bitnet
Pomona, California

------------------------------

Date: Fri, 3 Feb 89 07:58:56 EST
Sender: Virus Alert List
From: Ken van Wyk
Subject: VIRUS WARNING: Lehigh Virus version II (PC)

A new version of the Lehigh Virus has appeared on our campus; it is almost identical to the first one, but has a couple of notable differences.

Yesterday, one of our microcomputer labs reported several students' disks being destroyed.
We were able to determine that a virus which appeared identical (at first) to the Lehigh Virus had indeed infected some of the disks in the public lab. Disassembly of the virus was quick and painless because it bore so much resemblance to the original Lehigh Virus. The important differences are:

1) "Version II" waits until its generation counter hits 10 before doing any destruction.

2) II does not store the generation counter on disk, as version I did in the case of hard disk machines. That is, a system reboot starts the generation counter back at 0.

Because of these seemingly minor differences, the virus has a greater potential for spreading. Both versions can be referred to as FEVs (Feature Exploiting Viruses) since they use MS-DOS Interrupt 21H functions for propagating, and a slightly lower level routine, Interrupt 26H (Absolute Disk Write) to destroy the boot track of disks (floppy and fixed) once the generation counter hits 10 (for version II, 4 for version I).

Any/all followups will be posted on VIRUS-L.

Ken van Wyk
Lehigh University Computing Center

[Ed. Editor's apologies for taking so long to get this VIRUS-L digest together. The above message should explain why we've been a bit busy around here... :-) With the help of a *very* talented and willing crew, things seem to be pretty much under control. Thanks to all!]

------------------------------

End of VIRUS-L Digest
*********************