
Computer virus pranks


COMPUTER VIRUS PRANKS
---------------------

Recently, there have been a few computer virus "rumors" which appear to have
been started as pranks. Given the current climate, and almost paranoid fear
many computer users have of viruses, trojan horses and other badware, I, for
one, don't find such pranks very funny. To save others from having to go
through various stages of panic if they come across these "rumors" I have put
together a small collection from the BITNET VIRUS-L conference.

--Steve Clancy, Sysop Wellspring RBBS, 714-856-7996

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------

THE "MODEM" VIRUS
-----------------


Date: Mon, 12 Dec 88 22:02 EST
From: <LACUREJ@IUBACS>
Subject: more on modem virus

A report of the so-called modem virus was posted to a local BBS here
in Bloomington, Indiana, about a month ago. I know nothing about
sub-carriers on 2400 baud modems, but I found the idea of a virus
inhabiting the registers of a modem to be so fantastic that I
dismissed the report as nothing more than a prank. Below is a copy of
the first message in the report; it was followed by a series of
messages as the virus allegedly spread through Washington State.

Jon LaCure
Indiana University
lacurej@iubacs

Report:
- ----------------------------------------------------------------------------

The following messages were found in the SnoBbs'ers echo

Message #21191 "SnoBbs'ers"
Date: 06-Oct-88 00:57
From: Tom Cooper
To: All
Subj: Worlds worst virus

I found the following message thread on a Seattle board. Looks like a really
bad virus is out now. TC
- -------------------------------------------------------------------- a
#1153 OF 1165 TIME: TUE 10-04-88 03:17:41 FROM: MIKE ROCHENLE TO: ALL
SUBJ: Really nasty virus
AREA: GENERAL (1)
I've just discovered probably the world's worst computer virus yet.
I had just finished a late night session of BBS'ing and file trading
when I exited Telix 3 and attempted to run pkxarc to unarc the
software I had downloaded. Next thing I knew my hard disk was seeking
all over and it was apparently writing random sectors. Thank god for
strong coffee and a recent backup. Everything was back to normal, so
I called the BBS again and downloaded a file. When I went to use ddir
to list the directory, my hard disk was getting trashed again. I
tried Procomm Plus TD and also PC Talk 3. Same results every time.
Something was up so I hooked up my test equipment and different modems
(I do research and development for a local computer telecommunications
company and have an in-house lab at my disposal). After another hour
of corrupted hard drives I found what I think is the world's worst
computer virus yet. The virus distributes itself on the modem
sub-carrier present in all 2400 baud and up modems. The sub-carrier
is used for ROM and register debugging purposes only, and otherwise
serves no other purpose. The virus sets a bit pattern in one of the
internal modem registers, but it seemed to screw up the other
registers on my USR. A modem that has been "infected" with this virus
will then transmit the virus to other modems that use a subcarrier (I
suppose those who use 300 and 1200 baud modems should be immune). The
virus then attaches itself to all binary incoming data and infects the
host computer's hard disk. The only way to get rid of the virus is to
completely reset all the modem registers by hand, but I haven't found
a way to vaccinate a modem against the virus, but there is the
possibility of building a subcarrier filter. I am calling on a 1200
baud modem to enter this message, and have advised the sysops of the
two other boards (names withheld). I don't know how this virus
originated, but I'm sure it is the work of someone in the computer
telecommunications field such as myself. Probably the best thing to
do now is to stick to 1200 baud until we figure this thing out.

Mike RoChenle

------------------------------


------------------------------

Date: Tue, 13 Dec 88 10:29:10 EST
From: Don Alvarez <boomer@space.mit.edu>
Subject: More on modem virus

Quoting from issue 44:
I've just discovered probably the world's worst computer virus yet.
I had just finished a late night session of BBS'ing and file trading
when I exited Telix 3 and attempted to run pkxarc to unarc the
software I had downloaded. Next thing I knew my hard disk was seeking
...END Quote

I'm a Mac user and don't recognize those words. Is the
speaker talking IBM-PC words, Amiga words, VMS words, etc.
What kind of computer did he have?

If the virus is real, it must be writing itself into the
on-board storage space used in high-speed modems and then
instructing the modem to run that portion of memory (good way
to check if this virus is real: Does anyone know if high
speed modem chips are designed on Harvard-type architectures
(separate Program/Data), I think many DSP chips are now
designed that way). If my guess is right, the virus could
not propagate on modems with Harvard-Architecture as they
would be unlikely to have sufficient "program" memory for
a virus (the speaker mentions setting a "bit pattern in an
internal modem register," I can't believe that alone is enough
to make a hard-disk crashing virus).

The reason why I ask what kind of PC the author is using is that
it is EXTREMELY unlikely in my opinion that a virus of this sort
could infect different kinds of computers... Mac boot blocks don't
look anything like PC boot blocks.

Also, as I understand it, a good 9600baud modem is completely
transparent to the user... once you configure it, it looks like
a 9600 baud cable connected to a computer. Sounds to me like
this virus must be keyed not only to a specific computer but
also to a specific PC based file-capture program, and will probably
not propagate if all you do is 9600 baud terminal emulation.

- Don Alvarez

Disclaimer: "He's not the messiah, he's just a very naughty boy
(who of course isn't speaking for himself, his employer, or the
local dry-cleaner)."

+ ----------------------------------------------------------- +
| Don Alvarez MIT Center For Space Research |
| [email protected] 77 Massachusetts Ave 37-618 |
| (617) 253-7457 Cambridge, MA 02139 |
+ ----------------------------------------------------------- +

[Ed. I think that the first report of this purported virus was
referring to a PC environment.]

------------------------------



------------------------------
Date: Tue, 13 Dec 88 11:02:52 PST
From: Marty Cohen <[email protected]>
Subject: re: modem virus

This really seems implausible!

1. how could all, or even a large number of, higher speed modems
be compatible enough so the virus could store itself in them all?

2. Do these modems have enough internal memory to store all the
information needed?

3. No mention is made of what computer or operating systems
are being used (probably default=ms-dos on a pc clone).

Paranoid conjecture: there is >>>no<<< modem virus!!!
It is just a rumor being spread by a modem company that
either (1) does not sell fast modems or (2) will be coming
out shortly with a "virus-proof" modem.

Marty Cohen ([email protected], 128.99.0.1)

------------------------------



------------------------------

Date: Wed, 14 Dec 88 14:27:54 CST
From: "Rich James" <MATHRICH@UMCVMB>
Subject: Re: modem virus

It looks to me like the initial announcement of this purported virus was
itself a virus attack against human hardware! It cleverly exploits the
current pitch of fear about viruses, and has a phenomenal infection rate.
Thank goodness it's relatively benign!
Think of it now folks:

How could a self replicating virus become embedded in registers which are
used to hold data, not program instructions? The only memory used to hold
program instructions in a modem is ROM. Data registers are treated as DATA.
Getting a modem to treat a data register as program input would require
the exploitation of a known bug in the modem's ROM program. Such ROMs
are anything but standard .. they vary between manufacturers and
between models and revisions of modems from the same manufacturer.

How likely is it that an industry standard modem protocol would have an
'unused bandwidth' sufficient to allow simultaneous transmission of a
separate data stream? It wouldn't be much of a protocol if it ignored
such potentially useful bandwidth.

How could such a virus convince the terminal program running on the
computer to modify system files, especially in a user-transparent way?
(it's easy enough to clobber a file by writing over it, but patching a
machine code file or RAM resident code in a transparent way is pretty
non trivial) Remember, incoming modem data is treated as DATA, not
program information. Again, this would require exploitation of a known
bug common to all or many modem programs, and all or many error
correcting protocols. Seems a tad unlikely.

Education=immunization.

------------------------------


------------------------------

From: [email protected]
Subject: Modem virus
Date: Wed, 14-Dec-88 18:18:12 PST

From the description of the remedies given by the person who
purportedly found this alleged virus, I'd have to guess that it could
be an attempt to cut down on modem traffic by making people scared to
use their modems. I can think of several reasons why someone would
want to cut down on transfers of programs and data freely over phone
lines.

Dan Hankins

------------------------------



------------------------------

Date: Wed, 21 Dec 1988 9:11:09 EST
From: Ken van Wyk <[email protected]>
Subject: followup on alleged modem virus (PC)

It's been brought to my attention that the report of a modem virus
here on VIRUS-L a couple weeks ago was a hoax. After looking at the
original announcement of the virus, I'm inclined to agree with that.
Specifically:

> TIME: TUE 10-04-88 03:17:41
> FROM: MIKE ROCHENLE
> TO: ALL
> SUBJ: Really nasty virus
> AREA: GENERAL (1)
>
> I've just discovered probably the world's worst computer virus yet.
> ...[Body of text deleted]
> do now is to stick to 1200 baud until we figure this thing out.
>
> Mike RoChenle

In addition to the fact that the reported virus is highly incredible,
as was pointed out by several of our readers, it's even more unlikely
that someone would have the name Mike RoChenle (read: Micro Channel).
Thus, unless someone can come forward with some substantial evidence
on this matter, I'd like for everyone to assume that the reported
virus was a hoax.

Obviously, I can't follow up on every message that gets sent to
VIRUS-L, but I would like to ask all persons submitting messages,
particularly when forwarding messages from other sources (as was the
case here), to confirm their sources of information, within reason. I
certainly don't want VIRUS-L to become a source of disinformation, and
I'm sure that the readers don't want that either.

Thanks in advance for everyone's cooperation on this. Oh, and Happy
Holidays to all!

Ken

---------------------------------------------------------------------------


---------------------------------------------------------------------------

THE "POWER LINE" VIRUS
----------------------

Date: Tue, 10 Jan 89 08:01:13 EST
From: [email protected] (Mark Robert Smith)
Subject: A Humorous? Virus Report from Security List

[Ed. The following forwarded message is obviously another prank, like
the modem virus. I'm including it here because a) it was sent in by a
reader, and b) it serves as yet another perfectly good example that we
can't trust everything that we read. I suppose the appropriate caveat
here is that we have to take *any* report of a virus until it can be
verified.]

Forwarded from the VirusBoard BBS at (225) 617-0862 [sic]

Date: 11-31-88 (24:60) Number: 32769
To: ALL Refer#: NONE
From: ROBERT MORRIS III Read: (N/A)
Subj: VIRUS ALERT Status: PUBLIC MESSAGE

Warning: There's a new virus on the loose that's worse than anything
I've seen before! It gets in through the power line, riding on the
powerline 60 Hz subcarrier. It works by changing the serial port
pinouts, and by reversing the direction one's disks spin. Over
300,000 systems have been hit by it here in Murphy, West Dakota alone!
And that's just in the last twelve minutes.

It attacks DOS, Unix, TOPS-20, Apple II, VMS, MVS, Multics, Mac,
RSX-11, ITS, TRS-80, and VHS systems.

To prevent the spread of this dastardly worm:

1) Don't use the powerline.
2) Don't use batteries either, since there are rumors that this virus
has invaded most major battery plants and is infecting the positive
poles of the batteries. (You might try hooking up just the
negative pole.)
3) Don't upload or download files.
4) Don't store files on floppy disks or hard disks.
5) Don't read messages. Not even this one!
6) Don't use serial ports, modems, or phone lines.
7) Don't use keyboards, screens, or printers.
8) Don't use switches, CPUs, memories, microprocessors, or mainframes.
9) Don't use electric lights, electric or gas heat or airconditioning,
running water, writing, fire, clothing, or the wheel.

I'm sure if we are all careful to follow these 9 easy steps, this
virus can be eradicated, and the precious electronic fluids of our
computers can be kept pure.

- --RTM III

------------------------------



 