
VIRUS-L Digests - Apr, '88


=========================================================================
Date: Fri, 22 Apr 88 07:48:39 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject: Welcome!

Welcome to this new LISTSERV group, VIRUS-L. This list is intended to
be a vehicle for discussing computer viruses. I'd like to not limit
it to just microcomputers, even though the current "crop" of viruses
seems to be aimed at micros. Valid discussion topics *include*:

1) Current status of known viruses (e.g., the virus at Lehigh has
never been reported anywhere else, but the "Brain" virus has spread
rampant to a number of Universities and businesses).

2) Means of detection (e.g., the Lehigh virus (for lack of a better name)
changed the write date on the COMMAND.COM file; the "Brain" virus
generally changes your volume label to read (C) Brain). I see that
at least two of the four student consultants who isolated the
Lehigh virus are present on this list, so hopefully they'll toss in
some useful tidbits.

3) Means of stopping (e.g., the Lehigh virus could be stopped by merely
setting your COMMAND.COM file read only!).

4) How particular (and non-particular) viruses propagate (e.g., did you
know that the "Brain" virus cannot infect a 3 1/2" disk or a hard disk?).

5) Any other relevant topic. Did you know that the authors of the "Brain"
virus left their names, addresses, and phone numbers in ASCII within
the virus itself?!?!?! They say that it was meant purely as a joke
among friends - it was not intended to do any harm. The joke got carried
away... :-(

Hopefully, by making this information public here where we're free from
media hype, we'll at least be able to stop the spread of existing viruses
and maybe learn something in the process. Viruses are not a joke (although
joking a bit about them is fine by me :-) and we should make every effort
to at least stop the ones that are known - that's what this list is for.

As a suggestion, I say we make the "Brain" virus our first topic. I've just
heard that it's gone as far as Miami (it was first seen at the Univ. of
Delaware back in October 1987). So far, most people that I've spoken with
are "curing" it by re-formatting disks. Does anyone have a program to counter
the effects of this virus? If so, let's make it public *NOW*! This
virus has spread way too far. Let's hear about some experiences that
people have had with it.

Comments and suggestions are always welcome. One side note: I won't tolerate
any abuse of this list; it will be dealt with swiftly by removing any
offender(s) from the list permanently.

Thanks for signing up and, hey, let's be careful out there! (I know it's
trite, but such is life... :-)

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
=========================================================================
Date: Mon, 25 Apr 88 10:47:44 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject: Virus seminar at local University


I don't have real good details on this (I saw a flyer on it, but don't
remember all the details), but there's going to be a free virus seminar
(that is, open to the public...) at LaSalle University in Philadelphia, PA
on either April 27 or 28. Perhaps someone out there on the net has
better descriptions and could let us all know? I'm not sure of the
agenda either, but it could be worth attending for anyone that's interested.

On another matter, we're up to 92 subscribers on the list, and growing
rapidly! Hopefully, this will turn into a worthwhile discussion group
once people start using it. Let's see some participation...

How about a discussion on the "Brain" virus to start things off? I have
reports of it getting as far as Miami now. How about someone out there
sending to the list some details on how it works so that we can try to
contain it a bit better?

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
=========================================================================
Date: Mon, 25 Apr 88 11:25:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: GILL@QUCDNAST
Subject: Anti-viral agents spread

I joined this discussion as I got a message through the HZ-110
internet discussion, and started thinking hard about viruses as I was
playing around with FLUSHOT on the weekend. Queen's University is
dedicated to IBM-PCs (well actually Zeniths and PS/2s) as the micro of
choice for undergrad engineers. With the sale of a machine, the
students are given a comprehensive software package that they will be
using during the year in their classes. However, there are no anti-virus
programs included in this package! At a time when virus programs are
beginning to proliferate, this seems to me to be a major oversight.

Hence, I am giving Computing Services copies of all of the anti-
virus programs that I have obtained over the last few months, and
promoting the inclusion of these programs in the engineer's software
package (if not in the operating system package so everyone has it).
Since these are all public domain, if not completely free, similar steps
should be taken at all universities across North America that support
some type of microcomputer for student usage.

Since this is a virus forum, I would suggest that everyone attempt
to introduce a similar program at their affiliated institution. For
access to these anti-viral programs, I suggest you check out the
SIMTEL20 public domain libraries (MSDOS only as far as I know). These
can be reached through the LISTSERVer at RPICICGE (on a BITNET node). I
am not sure what the ARPANET location is, but I believe that it may
actually be SIMTEL20 itself. (The LISTSERV@RPICICGE just has a copy of
the library for BITNET users.) For those in the know about ARPANET,
perhaps they could supply the missing information.

In case anyone is wondering, the programs that I will be pushing
are BOMBSQAD, FLUSHOT+, and CHK4BOMB. I am in no way affiliated with
the authors of any of these programs, but they are all I got!

Arnold Gill
Queen's University at Kingston
=========================================================================
Date: Mon, 25 Apr 88 12:32:30 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: -=*REB*=- <RB00@LEHIGH>
Subject: Anti-virus programs

> In case anyone is wondering, the programs that I will be pushing
>are BOMBSQAD, FLUSHOT+, and CHK4BOMB. I am in no way affiliated with
>the authors of any of these programs, but they are all I got!

As far as I know, BombSqad and Chk4Bomb are *NOT* public domain or
ShareWare programs! There was an unauthorized release of them a while
back. I believe the programmer released them without the consent of his
employer. Also, these two programs are not designed to squash the
spread of viruses. They are aimed at programs (viruses or not) which
intentionally try to wipe out data. BombSqad traps disk writes.
Chk4Bomb checks a program to see if it contains code to do absolute disk
writes.
Richard Baum
_______________________________________________________________
/ From: -=*REB*=- ",
/FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ",
/InterNet: [email protected] BitNet: [email protected] ",
/ SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ",
!----------------------------------------------------------------------!
! The Brent Z*ne! !
"----------------------------------------------------------------------"
=========================================================================
Date: Mon, 25 Apr 88 13:11:53 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject: Re: Anti-viral agents spread
In-Reply-To: Message of Mon, 25 Apr 88 11:25:00 EST from <GILL@QUCDNAST>

> Hence, I am giving Computing Services copies of all of the anti-
>virus programs that I have obtained over the last few months, and
>promoting the inclusion of these programs in the engineer's software
>package (if not in the operating system package so everyone has it).
>Since these are all public domain, if not completely free, similar steps
>should be taken at all universities across North America that support
>some type of microcomputer for student usage.

Not completely true. Only a few of the anti-virus packages, to date, are
in the public domain; most of them are relatively simple. Some of the
more thorough packages, like Data Physician, cost money (!) and may or
may not meet your needs. Dr. Fred Cohen feels that no anti-virus software
could work 100% of the time; they merely reduce the risk of virus infection.

> Since this is a virus forum, I would suggest that everyone attempt
>to introduce a similar program at their affiliated institution. For
>access to these anti-viral programs, I suggest you check out the
>SIMTEL20 public domain libraries (MSDOS only as far as I know). These
>can be reached through the LISTSERVer at RPICICGE (on a BITNET node). I
>am not sure what the ARPANET location is, but I believe that it may
>actually be SIMTEL20 itself. (The LISTSERV@RPICICGE just has a copy of
>the library for BITNET users.) For those in the know about ARPANET,
>perhaps they could supply the missing information.

The LISTSERV up there is great for BITNET only sites to get files from
SIMTEL20, but it's very slow, and not very reliable. Still, it's
worth looking into.

> In case anyone is wondering, the programs that I will be pushing
>are BOMBSQAD, FLUSHOT+, and CHK4BOMB. I am in no way affiliated with
>the authors of any of these programs, but they are all I got!

BOMBSQAD and CHK4BOMB are actually unauthorized public domain releases
of non-public domain programs written by Panda Systems, Inc. Both are
quite easy to fool. Look out for FLUSHOT 4 - it is a TROJAN! The last
official release of FLUSHOT is 3!

The ideas here are great - certainly more care must be taken at different
sites in protecting against viruses. But, I'm not sure whether public domain
programs - particularly when distributed without source code - is the answer.
You get what you pay for!

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
=========================================================================
Date: Mon, 25 Apr 88 14:05:23 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: Re: Anti-viral agents spread
In-Reply-To: <[email protected]> ([email protected])

Actually, the newest release of FLUSHOT is FLUSHOT+. FLUSHOT4 is a
TROJAN! He renamed it especially to avoid the trojan.
Mark Smith
----
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604, CN 5063 that you do not miss what is right under your nose."
New Brunswick, NJ 08903 {backbone}!rutgers!topaz.rutgers.edu!msmith
[email protected] <This space for rent, I can't think of anything>
=========================================================================
Date: Mon, 25 Apr 88 15:27:50 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Mark Powers <MP14STAF@MIAMIU>
Subject: Virus at Miami University

As someone noted earlier, Miami University has been infected by the BRAIN
virus. We have also noticed a Macintosh virus on campus. We have experienced
some data loss. We are still looking into the situation and will report
back to the list when we have more concrete information.


Mark Powers

Miami University Academic Computer Service
=========================================================================
Date: Mon, 25 Apr 88 15:51:46 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject: Re: Virus at Miami University
In-Reply-To: Message of Mon, 25 Apr 88 15:27:50 EST from <MP14STAF@MIAMIU>

>We have also noticed a Macintosh virus on campus.

What are the symptoms of the Mac virus; perhaps there's a Mac expert
(certainly not me!) out there who might be able to help out?

The Brain virus hides in the boot tracks of your disk. Perhaps someone
on the list has a program that'll remove the Brain virus without having
to re-format the infected floppy? If not, the only thing that other
places have done so far is to re-format any infected disk(s). FYI, the
authors' names, addresses, and phone numbers are stored in ASCII within
the virus code itself - you can use Norton (or another disk utility program)
to look at it... Also, the Brain virus can only infect a 5 1/4" floppy;
it currently won't affect a 3 1/2" or a hard drive.

Has anyone disassembled the Brain virus? If so, what system interrupts
does it use to propagate? Chances are fairly good that even one of the
simpler anti-virus packages would be able to stop it - if anyone has
tested FLUSHOT+, or another program, against it, let's hear about it!

> Mark Powers

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
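The two symptoms of Brain that Ken mentions here (it lives in the boot tracks and rewrites the volume label to "(C) Brain") and the one Loren adds later in this digest (floppy sectors marked bad) can all be checked from a disk image without touching the live system. The following script is an added example written for this archive, not a program from the list or from any of its contributors: it parses a 360K FAT12 floppy image, reads the volume label from the root directory, and counts clusters the FAT marks as bad. The sample image it builds is constructed in the code (it is not a real Brain sample), and the BPB layout assumed is the standard 360K format.

```python
import struct

SECTOR = 512
BAD_CLUSTER = 0xFF7          # FAT12 value marking a cluster as unusable
ATTR_VOLUME_LABEL = 0x08     # directory-entry attribute bit for a volume label
SUSPECT_LABEL = "(C) Brain"  # label the digest says Brain writes to infected disks


def fat12_entry(fat, n):
    """Read the 12-bit FAT entry for cluster n (two entries share three bytes)."""
    off = n + n // 2
    if n & 1:
        return (fat[off] >> 4) | (fat[off + 1] << 4)
    return fat[off] | ((fat[off + 1] & 0x0F) << 8)


def set_fat12_entry(fat, n, value):
    """Write a 12-bit FAT entry; only used here to construct the sample image."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def read_bpb(image):
    """Unpack the BIOS Parameter Block fields the scan needs from the boot sector."""
    fields = struct.unpack_from("<HBHBHHBH", image, 11)
    keys = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fat_count",
            "root_entries", "total_sectors", "media", "sectors_per_fat")
    return dict(zip(keys, fields))


def scan_image(image):
    """Report the volume label and any clusters the FAT marks bad."""
    bpb = read_bpb(image)
    bps = bpb["bytes_per_sector"]
    fat_start = bpb["reserved_sectors"] * bps
    fat_len = bpb["sectors_per_fat"] * bps
    fat = image[fat_start:fat_start + fat_len]
    root_start = fat_start + bpb["fat_count"] * fat_len
    root_len = bpb["root_entries"] * 32
    data_start_sector = (root_start + root_len) // bps
    cluster_count = (bpb["total_sectors"] - data_start_sector) // bpb["sectors_per_cluster"]

    # Data clusters are numbered from 2; FAT entries 0 and 1 are reserved.
    bad = [n for n in range(2, cluster_count + 2) if fat12_entry(fat, n) == BAD_CLUSTER]

    label = None
    for off in range(root_start, root_start + root_len, 32):
        entry = image[off:off + 32]
        if entry[0] == 0x00:      # first never-used entry ends the directory
            break
        if entry[0] == 0xE5:      # deleted entry
            continue
        if entry[11] & ATTR_VOLUME_LABEL:
            label = entry[:11].decode("ascii", "replace").rstrip()
            break

    findings = []
    if label == SUSPECT_LABEL:
        findings.append(f"volume label reads {label!r}")
    if bad:
        findings.append(f"{len(bad)} cluster(s) marked bad in the FAT: {bad}")
    return {"label": label, "bad_clusters": bad, "findings": findings}


def build_sample_image(infected):
    """Construct a 360K FAT12 image (not a real Brain sample) for the scan to run over."""
    image = bytearray(720 * SECTOR)
    image[0:3] = b"\xEB\x3C\x90"                       # jump over the BPB
    image[3:11] = b"SAMPLE  "                           # OEM name
    # 512 B/sector, 2 sectors/cluster, 1 reserved, 2 FATs, 112 root entries,
    # 720 sectors, media 0xFD, 2 sectors/FAT, 9 sectors/track, 2 heads
    struct.pack_into("<HBHBHHBHHH", image, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
    image[510:512] = b"\x55\xAA"

    fat = bytearray(2 * SECTOR)
    fat[0:3] = b"\xFD\xFF\xFF"                          # media byte and reserved entry 1
    if infected:
        for n in (300, 301, 302):                       # constructed: clusters flagged bad
            set_fat12_entry(fat, n, BAD_CLUSTER)
    image[1 * SECTOR:1 * SECTOR + len(fat)] = fat       # FAT #1
    image[3 * SECTOR:3 * SECTOR + len(fat)] = fat       # FAT #2

    root_start = 5 * SECTOR
    label = b"(C) Brain  " if infected else b"HOMEWORK   "
    entry = bytearray(32)
    entry[:11] = label
    entry[11] = ATTR_VOLUME_LABEL
    image[root_start:root_start + 32] = entry
    notes = bytearray(32)
    notes[:11] = b"NOTES   TXT"                         # an ordinary file entry after the label
    notes[11] = 0x20
    image[root_start + 32:root_start + 64] = notes
    return bytes(image)


if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "clean", scan_image(build_sample_image(state)))
```

A disk FORMAT legitimately marks genuinely defective sectors bad, so the bad-cluster count is a lead to compare against FORMAT's own report for that disk, not proof by itself; the label check is the stronger indicator. Run against images taken from suspect floppies, never by booting them.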
=========================================================================
Date: Mon, 25 Apr 88 17:49:20 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Loren K Keim -- Lehigh University <LKK0@LEHIGH>

Well Folks,

There have been quite a few comments made to start off the list, let
me try to reply to a few of them, answer a few questions and correct
a few statements made so far.

Definitions Department:

Virus: Some program which attaches itself to other programs
generally to do some sort of damage later on. It's a
program which replicates itself.

Trojan Horse: A program which pretends to have some useful
function, and usually just destroys your hard drive
or files somehow.

Time Bomb: A program which runs several times before "blowing
up" and taking something with it.

Although these are simple definitions, for people who didn't understand,
I think they are necessary.

Commercially available anti-viral programs: There are MANY!

The problem is that most of the public domain programs are very
limited in ability and aren't going to protect your files against
all of the present damaging viruses. Flushot is not bad, but
it does not take care of most viruses. It does a nice job wiping
the Lehigh Virus and several others, but I don't believe it is
general enough to take care of most viruses. Testing it, I've
found a few problems. There are two public domain programs
being circulated called Vaccine. One of them isn't bad. The
name is in trouble though. A company called "FoundationWare" out
of Ohio has the name Trademarked.

There are a few good packages for sale. The aforementioned
Vaccine package by FoundationWare is quite good. I would never
use it however. It is indicative of most anti-viral packages.
What they do is lock up the system so that no executable or
command file can change. Whether they do it by CRC check or
some other check, they keep the user from editing programs.
You cannot write programs in such an environment, although
this is great for businesses.

We of Lehigh Valley Innovative Technologies have been working for
several months on the 'perfect' anti-virus design. We should
be releasing it in the next 2 - 3 weeks. We would like feedback
on it when it is released. We will have versions for MS-DOS
and Macintoshes as well.

Comments:

I'd like to explain the quote of Fred Cohen made by Ken. Fred,
incidentally, is the premier name in viruses. He has fashioned
his career on working on them. I knew him when he used to teach
at Lehigh University. A brilliant man, although I never got
along with him. What he was saying was that you may be able
to create a package which wipes out all present viruses, but someone
will always be able to find a way around it if they spend enough
time working on it.

That brings my next point up. It's our job to create a virus
busting program which will stop every currently known virus, AND
be as hard as possible to crack or to find a way around.

Which brings up my third point: I read your comment, Ken, about
ten times, and I still don't understand it. I don't believe
public domain programs are the answer at all. I believe we should
use commercially available fixes. But, likewise, you mention
that public domain virus-fixes should be given with source code.
If we want to make the perfect fix... one that will take the
virus writer infinitely long to break, then we do NOT want source
code EVER given out, or even the details of how the system works!

Viruses:

Let me go over some existing viruses, so people know what to watch
out for:

Lehigh Virus: The Lehigh Virus injects itself into MS-DOS Command.Com.
I, along with Chris Bracy, Joe Sieczkowski, and Mitchel Ludwig solved
this particular virus for Lehigh University. The virus will copy
itself 4 times into other command.com files, and after the fourth,
will explode, taking with it any files on any disks in the drives and
your hard disk too. What to watch for? Watch the write date on
command.com, it changes when the Lehigh Virus goes. To protect against
it, attrib +r your command files, and you won't have a problem.

Israeli Virus: Not much is known. It apparently attaches itself
to all executable files, appending itself to the end of the file.
Watch for growing files.

Brain Virus: The brain virus has hit everywhere. We have seen
examples of it out at UCSF and UCB, as well as the east coast.
All the brain virus does is change the label of the disk to (C)
Brain, and mark floppy sectors as bad (unused sectors). It is
not incredibly destructive but very annoying.

PKArc: There is a bad version of PKArc floating around that
wipes your hard disk.

MacKiller: Is a nasty little virus that was apparently written
by an MS-DOS lover. The problem isn't yet widespread, but it's
a Mac virus we have now encountered.

And many others. BE CAREFUL!


Loren K Keim

.----------------------------------------------------------------------------.
| Loren K Keim |
|----------------------------------------------------------------------------|
| Keim Enterprises - Consulting / Programming |
| Lehigh Valley Innovative Technologies - Software and Hardware |
| Century 21 Loren Keim - Commercial / Industrial / Residential |
| Lehigh University - Consulting / Programming |
|----------------------------------------------------------------------------|
| Virus Busting Team: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig |
|____________________________________________________________________________|
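Two of the indicators in Loren's list, and in Ken's opening message, are file-level: the Lehigh virus changes the write date on COMMAND.COM, and the Israeli virus makes executables grow. Both are caught by recording a baseline of the system files and comparing later. The script below is an added example for this archive, not code from the list or from Lehigh Valley Innovative Technologies; it records size, write date and a SHA-256 hash for IO.SYS, MSDOS.SYS and COMMAND.COM, then reports what changed. The sample files, their sizes and the fixed 1988 timestamp are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# System files the digest names as favourite attachment points.
MONITORED = ("IO.SYS", "MSDOS.SYS", "COMMAND.COM")
BASELINE_EPOCH = 577_929_600   # constructed: a fixed 1988 timestamp given to the sample files


def fingerprint(path):
    """Size, write date (whole seconds) and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def take_baseline(root, names=MONITORED):
    """Record fingerprints for the monitored files that exist under root."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            baseline[name] = fingerprint(path)
    return baseline


def compare(baseline, root):
    """List every monitored file whose contents differ from the baseline, and what else moved."""
    findings = []
    for name, old in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings.append({"file": name, "missing": True})
            continue
        new = fingerprint(path)
        if new["sha256"] == old["sha256"]:
            continue   # contents intact; a date-only change is not reported here
        findings.append({
            "file": name,
            "missing": False,
            "size_delta": new["size"] - old["size"],        # growth: the sign Loren gives for the Israeli virus
            "mtime_changed": new["mtime"] != old["mtime"],  # write date: the sign given for the Lehigh virus
        })
    return findings


def demo():
    """Build sample system files, baseline them, tamper with two, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("IO.SYS", 22100), ("MSDOS.SYS", 30128), ("COMMAND.COM", 25307)):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"\x90" * size)                # constructed filler, not real DOS code
            os.utime(path, (BASELINE_EPOCH, BASELINE_EPOCH))
        baseline = take_baseline(root)

        # Tamper 1: append 555 bytes to COMMAND.COM; size and write date both move.
        with open(os.path.join(root, "COMMAND.COM"), "ab") as fh:
            fh.write(b"\xCC" * 555)

        # Tamper 2: change one byte of IO.SYS and put the write date back,
        # so neither size nor date shows anything and only the hash catches it.
        io_sys = os.path.join(root, "IO.SYS")
        with open(io_sys, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xCD")
        os.utime(io_sys, (BASELINE_EPOCH, BASELINE_EPOCH))

        return compare(baseline, root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The second tamper case is why the hash is kept alongside the two indicators the digest mentions: a write date or a file length can be restored after the fact, while a content hash cannot be matched without the original bytes. The baseline itself has to be stored off the machine being checked (a write-protected floppy in this era), or it is no better than the files it guards.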





=========================================================================
Date: Mon, 25 Apr 88 18:17:46 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: Bad PKARC
In-Reply-To: <QUCDN.X400GATE:LKUK1py7*>

How can you tell if you have a bad PKARC? I just got one from
and, although I'm sure it's reputable, was just wondering if there
was any obvious way to tell the difference.
=========================================================================
Date: Mon, 25 Apr 88 18:19:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Mitchel Ludwig <[email protected]>

Loren Keim writes :

> I'd like to explain the quote of Fred Cohen made by Ken. Fred,
> incidently, is the premier name in viruses. He has fashioned
> his career on working on them. I knew him when he used to teach
> at Lehigh University. A brilliant man, although I never got
> along with him. What he was saying was that you may be able
> to create a package which wipes out all present viruses, but someone
> will always be able to find a way around it if they spend enough
> time working on it.

I was unaware of this. From what I have heard concerning
this, I thought Fred's main point was that there was *NO* way to wipe
out all present viruses. To do so, he said, would require one hell of
a computer and one hell of a lot of time. From knowing him, and the
way he taught his courses, and the things he told me, his biggest push
was in the very area you seem to put down, that of preventative
maintenance. It was always (in class) a stressed point that the best
offense against these things was a good defense. I took a course with
him one semester where he would daily express his distastes for us to
hear. His biggest was that the Lehigh software loan out system was
the way it was, so vulnerable. Had we defended against a virus
beforehand, perhaps the problem would never have occurred.

> That brings my next point up. Its our job to create a virus
> busting program which will stop every currently known virus, AND
> be as hard as possible to crack or to find a way around.

Go for it. You'll never do it though. Don't mean to sound
the pessimist, but you'll never do it. An hour after you release your
program there will be 100 ways around it. It's the nature of things.
Look at copy protection. Have the increased efforts of the software
manufacturing companies done any good? No, all they have done is
bring rise to a better class of pirates. The challenge is just too
great to be ignored.

> Which brings up my third point: I read your comment, Ken, about
> ten times, and I still don't understand it. I don't believe
> public domain programs are the answer at all. I believe we should
> use commercially available fixes. But, likewise, you mention
> that public domain virus-fixes should be given with source code.
> If we want to make the perfect fix... one that will take the
> virus writer infinitely long to break, then we do NOT want source
> code EVER given out, or even the details of how the system works!

Granted (Sorry Ken, but he *HAS* got a point :-)

Tag... You're it
____________ ____/--\____ //-n-\\
\______ ___) ( _ ____) _____---=======---_____
__\ \____/ / `--' ====____\ /.. ..\ /____====
) `|=(- - - - - - - - - - -*// ---\__O__/--- \\
\------------' \_\ /_/

BITnet : [email protected] Phonet : 215-758-1381
INTnet : [email protected] Slonet : Box 72 Lehigh Univ.
Bethlehem, PA 18015
=========================================================================
Date: Mon, 25 Apr 88 18:25:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Mitchel Ludwig <[email protected]>
Subject: RE: Bad PKARC

>How can you tell if you have a bad PKARC? I just got one from
>and, although I'm sure it's reputable, was just wondering if there
>was any obvious way to tell the difference.

You could run it... But seriously, try it on a machine
without a hard drive, that won't cause problems for your whole world
if it *is* a bad boy.

No other way except if you had a good copy and did a compare.
From what I know, the bad copy is exactly the same size and stuff so
that won't be of any help...

Mitch

Tag... You're it
____________ ____/--\____ //-n-\\
\______ ___) ( _ ____) _____---=======---_____
__\ \____/ / `--' ====____\ /.. ..\ /____====
) `|=(- - - - - - - - - - -*// ---\__O__/--- \\
\------------' \_\ /_/

BITnet : [email protected] Phonet : 215-758-1381
INTnet : [email protected] Slonet : Box 72 Lehigh Univ.
Bethlehem, PA 18015
=========================================================================
Date: Mon, 25 Apr 88 18:37:17 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: RE: Bad PKARC
In-Reply-To: <[email protected]>
([email protected])

From what I know, the bad version of PKARC is called PKX35B35.EXE,
while the real PKARC is PKX35A35.EXE. X stands for Xtract, and A for
Archive, so the person who made this thought A was a revision mark,
and named his B.
Mark
----
Mark Smith (alias Smitty) "Be careful when looking into the distance,
RPO 1604, CN 5063 that you do not miss what is right under your nose."
New Brunswick, NJ 08903 {backbone}!rutgers!topaz.rutgers.edu!msmith
[email protected] <This space for rent, I can't think of anything>
=========================================================================
Date: Mon, 25 Apr 88 19:15:07 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Loren K Keim -- Lehigh University <LKK0@LEHIGH>

I think you misunderstood some of my point Mitch,

I agree that it is very hard, if not impossible, to eliminate all
existing viruses. I do think that its possible to stop all viruses
I have encountered to date with one package.

It is not possible, as Fred Cohen has pointed out, to stop viruses
as a genre. The reason is that a virus can always be written to
get around any program. If we make a good enough program,
however, it will stop most (I hope) of those people out there
from writing them, simply because we'll make it too difficult
for some people to figure out ways around those viruses.

The reason we cannot stop viruses is, according to Fred,
because any string indeterminably carries a virus. What this
means is that any data string could carry a virus, we do
not know whether or not it does because a computer interprets
everything to be data.

The only way to stop viruses is to deal with the ways they
affect the system, and stop them from happening. That is why
most anti-viral programs lock up your system and don't allow
you to develop.

We have a few alternatives that we've been working on for a
while, and hopefully, they will slow down the spread of
viruses.

Any comments I make here concerning Fred are either from my
memory or from his text on Computer Security. If I misquote
him in any way, I apologize, but I don't believe I have.

Loren Keim

=========================================================================
Date: Mon, 25 Apr 88 23:50:00 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Roger Gonzalez <USERABFY@CLVM>
In-Reply-To: Your message of Mon 25 Apr 88 19:15:07 EDT

Hello. I am a virus writer. I have never unleashed any of my nasties
into the public, and don't intend to either. I'm willing to share
some of my knowledge of my MS-DOS (Zenith, specifically) viruses,
although I'm sure that my methods are pretty common.

First: The motivation of this particular programmer
My viruses don't destroy, they annoy. I wrote the programs as a challenge
to myself, and to get back at a friend who played a practical joke on me.

My 3 viruses:
1st: Spam
Quite a simple program. It hooks into the disk read interrupt. When the
code runs, it checks the length of command.com and copies itself onto the
end. After generating 5 times, it prints "spam" at a random location on the
screen. Programs like this are nasty, because when you do even a simple
directory, the virus spreads.
WHAT TO WATCH FOR IN THIS TYPE OF VIRUS: Abnormally long disk reads. If
your instincts (you have to develop them) say that the light is on too
long, watch out!

2nd: Cookie Monster
The idea was stolen from probably the very first virus. Same as Spam, with
the following exceptions: It hooks into the FAT, it generates 10 times, and
prints out "Gimme cookie" at random intervals. If you don't type OREO or
CHOCOLATE CHIP it changes the name of command.com to "munched" and prints
"never mind. found cookie". My first version deleted it, but this seemed
cruel.

3rd: Pac Man
This little gem gets appended to MSDOS.SYS. It watches the vertical sync
interrupt, and makes a pac-man come out and eat a character off the screen.
The character reappears if you scroll the screen, but it's highly irritating.

Some points: Many viruses attach themselves to system files (IO.SYS, MSDOS.SYS,
COMMAND.COM). Record the lengths of these files each time you upgrade. It's
difficult to detect viruses attached to a normal program, but these are less
dangerous because they don't appear until you run that specific program. Disk
read interrupts are probably the most common way to "activate" the code. These
are also rarely changed by programs. The disk read is ideal for viruses because
they can sneak a check to see if there already is a virus on the disk. Vertical
sync, the timer, and the keyboard interrupts are all good activation candidates
so it seems to me that a vaccine program could be made for each version of DOS
to check that the interrupts are pointing where they ought to. Of course, if
you use TSR's, this would foul it all up, so you would have to run it on an
"unchanged" system. Also, watch for bad sectors. If you think that they look
suspicious, get a clean disk. I recommend using a clean disk rather than trying
to simply inoculate the old. I feel fairly confident that I could hide a
virus in such a way that it either could not be found by a program, or would
fool the program into thinking that it was important. Oh, one last thing. This
is pretty simple, but watch for invisible files. They are easy to detect using
many methods.

I hope this stuff helps a little. Yeesh, I must be growing up or something :-)
-rg-

PS anyone want to hire me?
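Roger's suggestion of a program that checks "that the interrupts are pointing where they ought to", with his caveat that resident programs (TSRs) also re-point vectors, is the interrupt-vector-table equivalent of the file baseline: snapshot the 1 KB table after a clean boot, then diff later. The script below is an added example for this archive, not Roger's code or anyone else's from the list. It parses a raw 1024-byte IVT image, compares the vectors he names (disk read, timer, keyboard) plus INT 21h against a baseline, and uses an allow-list of known TSR segments so an expected hook is labelled rather than flagged. The addresses in the sample tables are placeholders, not those of any real BIOS or DOS version.

```python
import struct

# Vectors Roger's message singles out as activation points, plus the DOS services vector.
WATCHED = {
    0x08: "system timer",
    0x09: "keyboard",
    0x13: "disk I/O",
    0x1C: "user timer tick",
    0x21: "DOS services",
}
IVT_SIZE = 256 * 4   # 256 far pointers, each stored as offset then segment, little-endian


def parse_ivt(dump):
    """Return {int_no: (segment, offset)} from a 1024-byte interrupt vector table image."""
    if len(dump) != IVT_SIZE:
        raise ValueError(f"expected {IVT_SIZE}-byte IVT image, got {len(dump)}")
    vectors = {}
    for n in range(256):
        offset, segment = struct.unpack_from("<HH", dump, n * 4)
        vectors[n] = (segment, offset)
    return vectors


def build_sample_ivt(overrides=None):
    """Construct an IVT image: BIOS-like targets everywhere, DOS-like targets for INT 20h-2Fh.
    Placeholder addresses only; override selected vectors to simulate hooks."""
    dump = bytearray(IVT_SIZE)
    for n in range(256):
        segment, offset = 0xF000, 0xE000 + n * 8
        if 0x20 <= n <= 0x2F:
            segment, offset = 0x0116, 0x1000 + n
        struct.pack_into("<HH", dump, n * 4, offset, segment)
    for n, (segment, offset) in (overrides or {}).items():
        struct.pack_into("<HH", dump, n * 4, offset, segment)
    return bytes(dump)


def compare_ivt(baseline, current, known_resident_segments=frozenset()):
    """Report watched vectors that no longer match the clean-boot baseline.
    A vector re-pointed into an allow-listed segment is labelled as a known TSR."""
    findings = []
    for n in sorted(WATCHED):
        if baseline[n] == current[n]:
            continue
        segment, _offset = current[n]
        status = "known resident program" if segment in known_resident_segments else "UNEXPECTED"
        findings.append({"int": n, "name": WATCHED[n], "was": baseline[n],
                         "now": current[n], "status": status})
    return findings


def demo():
    """Clean-boot baseline versus a table with three re-pointed vectors (all constructed)."""
    baseline = parse_ivt(build_sample_ivt())
    current = parse_ivt(build_sample_ivt({
        0x09: (0x1234, 0x0040),   # constructed: a keyboard enhancer TSR the operator knows about
        0x13: (0x9F80, 0x0103),   # constructed: disk I/O hooked from high conventional memory
        0x1C: (0x9F80, 0x0210),   # constructed: timer tick hooked by the same resident code
    }))
    return compare_ivt(baseline, current, known_resident_segments={0x1234})


if __name__ == "__main__":
    for f in demo():
        print(f"INT {f['int']:02X}h ({f['name']}): {f['was']} -> {f['now']}  {f['status']}")
```

Two vectors hooked from the same unlisted segment, as in the demo output, is the pattern worth chasing: one resident piece of code has taken both the disk path and a periodic timer. As Roger notes, the baseline is only meaningful if taken on an otherwise unchanged system, so capture it right after a clean boot with no AUTOEXEC-loaded TSRs, and keep the allow-list to segments you have identified yourself.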
=========================================================================
Date: Tue, 26 Apr 88 01:02:36 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: -=*REB*=- <RB00@LEHIGH>
Subject: Netiquette

> -rg-
>
> PS anyone want to hire me?

FLAME ON!
Do you *really* think that this is appropriate here? I thought this was
a list for virus DISCUSSION. Not an employment agency. Let's face it,
it's not terribly difficult to write a virus. Unfortunately, your
pastime is not unique. But let's not discuss THIS forever. I think we
can safely let the employment subject die off...
FLAME OFF!
Richard Baum

[Boy, this list's first real flame :-) :-) :-) ]
_______________________________________________________________
/ From: -=*REB*=- ",
/FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ",
/InterNet: [email protected] BitNet: [email protected] ",
/ SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ",
!----------------------------------------------------------------------!
! The Brent Z*ne! !
"----------------------------------------------------------------------"
=========================================================================
Date: Tue, 26 Apr 88 01:13:00 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Roger Gonzalez <USERABFY@CLVM>
Subject: Re: Nettiquite
In-Reply-To: Your message of Tue 26 Apr 88 01:02:36 EDT

Perhaps I should have said
*Wistful tone of voice* Anyone want to hire me?

It was a joke...

I really don't think that one bloody line was worth a flame.
Please humbly excuse me for imposing on your excellencies.
I know that some people find viruses simple, but obviously
some people don't, or this list wouldn't have been created.
If you find them so simple, why don't you just get rid of
them all yourself? I've never had any problems.

Once again, try to find it deep within your superior skull
to forgive me for my incredibly offensive postscript.
=========================================================================
Date: Tue, 26 Apr 88 01:37:33 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: Gimme Cookie
In-Reply-To: <[email protected]> ([email protected])

This is the famous "Gimme Cookie" story as I heard it about 6 years
ago.
At the Los Alamos Labs, there was a computer. Someone decided to play
a practical joke, or a hacker placed it there. One day, appearing on
all users' consoles:
GIMME COOKIE
Typing anything but "Cookie" did nothing but get the prompt back.
When you typed "COOKIE", everything ran fine again. Then it went
dormant for a while. Later:
GIMME COOKIE
GIMME COOKIE
To which you had to answer "COOKIE COOKIE" or it would stay there.
Then, a shorter time later:
GIMME COOKIE
GIMME COOKIE
GIMME COOKIE
This continued until the number of Cookies was large and the time
between prompts very short.
As I heard, they had to kill the ROM to get rid of this thing, it was
so strong.
Mark
----
Mark Smith (alias Smitty)
RPO 1604, CN 5063
New Brunswick, NJ 08903
[email protected]
{backbone}!rutgers!topaz.rutgers.edu!msmith

"Be careful when looking into the distance,
 that you do not miss what is right under your nose."
<This space for rent, I can't think of anything>
=========================================================================
Date: Tue, 26 Apr 88 01:40:57 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: -=*REB*=- <RB00@LEHIGH>
Subject: Nettiquette

Okay, *wistful tone of voice* :-) Sorry to flame, but other lists
have in the past degenerated into employment agencies... I wanted to
avoid this. (Anyone remember when the VAX list turned into a "do
we digest or not" discussion for a month or so? - don't answer that!)

REB
_______________________________________________________________
/ From: -=*REB*=- ",
/FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ",
/InterNet: [email protected] BitNet: [email protected] ",
/ SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ",
!----------------------------------------------------------------------!
! The Brent Z*ne! !
"----------------------------------------------------------------------"
=========================================================================
Date: Tue, 26 Apr 88 02:38:17 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Loren K Keim -- Lehigh University <LKK0@LEHIGH>

Richard (excuse me, REB),

No, the problem with other lists generally has not been that they
become places for people to place job offers. Some people have,
and that is very helpful to the individual looking for the job.

Rather what has ruined many lists is that they become fraught
with people complaining about small parts of other people's
letters not belonging in the list. Instead of your last two
letters (one I believe cut up Arnold Gill for thinking that
two programs were public domain, and the second to complain about a le
sentence in a very interesting letter from Roger Gonzalez),
you might try to add something useful to this list if you
are capable of such thought.

I found Roger's comments to be very interesting. Realize that
several "PacMan" viruses have been found floating around, as well
as one I recall that sent random characters to the screen at
certain intervals.

Incidentally, the LaSalle talk will be given on the 28th. I will
upload information when I can locate it. I will be there, although
I won't be speaking.

Loren

.---------------------------------------------------------------------------.
| Loren K Keim                                                              |
|---------------------------------------------------------------------------|
| Lehigh Valley Innovative Technologies: Software / Hardware                |
|                                                            (215) 865-4253 |
| Century 21 Loren Keim: Com / Ind / Res                     (215) 395-0393 |
| Keim Enterprises: Consulting / Programming                 (215) 865-3904 |
| Lehigh University: Consulting / Programming                               |
|---------------------------------------------------------------------------|
| The Virus Busters: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig |
|___________________________________________________________________________|
=========================================================================
Date: Tue, 26 Apr 88 02:53:55 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Loren K Keim -- Lehigh University <LKK0@LEHIGH>
Subject: Speaking

Well Folks,

I am quite surprised at the number of personal letters I received
over this list over the last day. Comments should probably
be sent to the list directly, instead of sending them just to
me.

Because such a large number of users asked me if we do
speeches, I will reply to that question here on the list.
I, along with Chris Bracy and Joe Sieczkowski, have been
to a few conventions in the last couple weeks to speak
about, or help discuss viruses in general, ways of avoiding
them, their implications, and so on.

If you are interested in having us speak, yes it is possible;
please send me your name, your group's name, a phone number
I can call and where you are located, and we'll see what
we can do.

I'm glad to see such overwhelming responses over this list,
because viruses are such a serious problem at this point in
time.

Again, general comments should probably go to the list,
and not just to me, although I would refrain from sending
in depth information about any particular virus to this
list because it tends to help people think up new ways of
writing viruses.

Loren

.-----------------------------------------------------------------------.
| Loren K Keim |
|-----------------------------------------------------------------------|
| Lehigh Valley Innovative Technologies: Software / Hardware |
| (215) 865-4253 |
| Century 21 Loren Keim: Com / Ind / Res (215) 395-0393 |
| Keim Enterprises: Consulting / Programming (215) 865-3904 |
| Lehigh University: Consulting / Programming |
|-----------------------------------------------------------------------|
| Virus Busters: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig |
|_______________________________________________________________________|
=========================================================================
Date: Tue, 26 Apr 88 02:42:00 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Roger Gonzalez <USERABFY@CLVM>
Subject: Virus types
In-Reply-To: Your message of Tue 26 Apr 88 01:37:33 EDT

Does the now infamous XMAS EXEC that munched up all the IBMs
on Bitnet really qualify as a virus? Technically, it DID
reproduce, but it seems almost more Trojan Horsey. Frankly,
I'm a bit scared about the future of viruses... Imagine 5 years
from now, when we all have incredibly fast 586 machines with
256 parallel processing CPUs! Have fun tracking the little
bugger down then!

I agree with you... I think it's pretty safe to say that nothing
will ever be a cure-all for viruses. I may be growing out of my
destructive tendencies, but I can certainly understand how much
fun it can be to thwart trends toward complete user-friendliness.
It's the same thing with software piracy... it's FUN to crack copy
protection schemes.

I just heard of a nasty virus starting to circulate on IBM PCs.
It's on BATTLEZNE and I'm told that it randomly causes warm boots
to occur until you shut the silly thing off. Fortunately for
"serious" users, a virus on a game shouldn't be too threatening.
If anyone really wants the details, I'll track 'em down, but I
wouldn't worry about it.
Pax etc, Roger
=========================================================================
Date: Tue, 26 Apr 88 09:26:00 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: MITCH MITCHELL ROSEN <MRR2607@RITVAX>
Subject: Fuddy-duddies unite

> From: -=*REB*=- <RB00@LEHIGH>
> Subj: Nettiquite

>> PS anyone want to hire me?

> FLAME ON!
> Do you *really* think that this is appropriate here?

That flame was the most inappropriate gripe I've come across for
a while. The writer's tongue was clearly in cheek when asking about
employment.

Chill out a bit. It's not healthy to take everything so seriously.

- Mitchell Rosen

> [Boy, this list's first real flame :-) :-) :-) ]

I guess I'm number two.

=========================================================================
Date: Tue, 26 Apr 88 13:38:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Mitchel Ludwig <[email protected]>
Subject: RE: Fuddy-duddies unite

>From: MITCH MITCHELL ROSEN <MRR2607%[email protected]>
>
>> From: -=*REB*=- <RB00@LEHIGH>
>> Subj: Nettiquite
>
>>> PS anyone want to hire me?
>
>> FLAME ON!
>> Do you *really* think that this is appropriate here?
>
>That flame was the most inappropriate gripe I've come across for
>a while. The writer's tongue was clearly in cheek when asking about
>employment.
>
>Chill out a bit. Its not healthy to take everything so seriously.
>
>- Mitchell Rosen
>
>> [Boy, this list's first real flame :-) :-) :-) ]
>
>I guess I'm number two.
>

Guys, please?!?!?

This is getting a little crazy. REB and whoever the writer
was were both

a) A little overzealous
and b) Joking.

Let's let it lie.

Mitch

Tag... You're it
____________ ____/--\____ //-n-\\
\______ ___) ( _ ____) _____---=======---_____
__\ \____/ / `--' ====____\ /.. ..\ /____====
) `|=(- - - - - - - - - - -*// ---\__O__/--- \\
\------------' \_\ /_/

BITnet : [email protected]
INTnet : [email protected]
Phonet : 215-758-1381
Slonet : Box 72 Lehigh Univ., Bethlehem, PA 18015
=========================================================================
Date: Tue, 26 Apr 88 13:51:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Mitchel Ludwig <[email protected]>
Subject: RE: Speaking

>From: Loren K Keim -- Lehigh University <LKK0%[email protected]

>Well Folks,
>
>I am quite surprized at the number of personal letters I received
>over this list over the last day. Comments should probably
>be sent to the list directly, instead of sending them just to
>me.
> [Erroneous kaka eliminated]
>
>Loren
>
>|-----------------------------------------------------------------------|
>| Virus Busters: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig |
>|_______________________________________________________________________|

Loren,

As one of the 'Virus Busters' I am beginning to get a bit
annoyed at the constant back patting you seem to be giving yourself.
None of the rest of us involved in the Lehigh virus affair have gone
out of our way to let the world know how great we are.

Yes, I agree with you that the public needs to know exactly
what they are dealing with in respect to virus's in general, but I do
not agree with your methods. Richard Baum may have been wrong in his
flame earlier when he complained about job hunting here, but he was
wrong because the request should have been taken as a joke. You, on
the other hand are using the net as a way, not to educate the public
concerning virus's, but rather to educate them concerning the fact
that *YOU* know all about virus's.

Now, enough of this, if you wish to let the world know how
much you know about computer virus's, do it in one long letter that we
can all ignore. Then get down to the business of what the list is
about, helping others.

Now, for everyone :

I am looking for information (for a second party not
on the network) concerning virus's (is this right or is it viruses?)
that cause problems on the Mac. He is concerned because his workplace
uses primarily Macs for publishing needs.

Any help?

Mitch (I may have helped solve a virus but
that's no reason to brag) Ludwig



Tag... You're it
____________ ____/--\____ //-n-\\
\______ ___) ( _ ____) _____---=======---_____
__\ \____/ / `--' ====____\ /.. ..\ /____====
) `|=(- - - - - - - - - - -*// ---\__O__/--- \\
\------------' \_\ /_/

BITnet : [email protected]
INTnet : [email protected]
Phonet : 215-758-1381
Slonet : Box 72 Lehigh Univ., Bethlehem, PA 18015
=========================================================================
Date: Tue, 26 Apr 88 14:30:00 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Joe Ogulin -- 'Milamber' <P12I1798@JHUVM>
Subject: Re: Nettiquite
In-Reply-To: Your message of Tue 26 Apr 88 01:02:36 EDT

come on, rich...anyone can tell it's a joke...
--Joe
=========================================================================
Date: Tue, 26 Apr 88 15:14:07 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: Macintosh viruses

I would also be interested in Macintosh virus information as our lab
uses a fat Mac. Does anyone remember the article in the Computing
Recreation section of Scientific American about two or three years back
where he talked about worms and battling programs, one pro-computer and
one anti-computer? It's sort of tangent to this discussion, but reading these
comments made me think of it and I'd like to read it again soon.
=========================================================================
Date: Tue, 26 Apr 88 16:15:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: RE: Speaking

>>From: Loren K Keim -- Lehigh University <LKK0%[email protected]
>
>>Well Folks,
>>
>>I am quite surprized at the number of personal letters I received
>>over this list over the last day. Comments should probably
>>be sent to the list directly, instead of sending them just to
>>me.
>>
>>Loren
>>
>
>From: Mitchel Ludwig <[email protected]>
>
>Loren,
>
> As one of the 'Virus Busters' I am beginning to get a bit
>annoyed at the constant back patting you seem to be giving yourself.
>None of the rest of us involved in the Lehigh virus affair have gone
>out of our way to let the world know how great we are.
>
> Yes, I agree with you that the public needs to know exactly
>what they are dealing with in respect to virus's in general, but I do
>not agree with your methods. You are using the net as a way,
>not to educate the public concerning virus's, but rather to
>educate them concerning the fact that *YOU* know all about virus's.
>
>Mitch

*FLAME ON*

Enough is Enough!

This pointless bickering is getting out of hand. Mitch, if you have a
gripe with Loren send mail to him directly. There is no point making it
nationwide. Moreover, Loren's letter was perfectly pertinent. Yesterday
he received numerous letters that were very appropriate for the list.
So he stated the fact. I don't think he was practicing conceit.

*Flame off*

Although I feel it's inappropriate to bring such quarrels to the list, I
felt this particular letter was necessary to clear the air of any
misconceptions. I'm sorry for those of you that had to wade through
it.

Now let's talk about viruses....

------------------------------------------------------------------------------
Joe Sieczkowski
AI Lab, CSEE Department
Lehigh University
Packard Lab #19
Bethlehem, PA 18015
[email protected]
{ihnp4}!c11ux!lehi3b15!joes
[email protected]
------------------------------------------------------------------------------
"Yes...It was a dark and stormy night that a party of three
and myself found, tracked, and destroyed the Lehigh Virus."
------------------------------------------------------------------------------
=========================================================================
Date: Tue, 26 Apr 88 16:40:30 ECT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Art Weisenseel <PR0032@BINGVMB>
Subject: RE: Speaking
In-Reply-To: Message of Tue, 26 Apr 88 13:51:00 EST from <[email protected]>

Actually this is not in reference to Speaking, but to Mac viruses. Anyhow,
in this week's Infoworld (the April 25 issue) on page 8 there is an article
on a Mac virus which looks for the programming signatures "ERIC" and "VULT"
in Electronic Data Systems' proprietary programs. According to the article
the virus is unruly enough to cause printing and system problems and
occasionally destroy data, although its real purpose is to destroy Mac
applications which have those two signatures. The article says the Killscores
program available on Compuserve Macintosh b-boards and elsewhere will knock it
off infected disks. Hope I got it right; I'm not a Mac user.

Art Weisenseel
Computer Services
State University of NY - College at Purchase
[email protected]
"Twenty Seconds Ahead of the Past"
=========================================================================
Date: Tue, 26 Apr 88 21:29:34 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Loren K Keim -- Lehigh University <LKK0@LEHIGH>

Emergency: In case of emergency, contact me at 865-4253 or 865-3904.

A few things:

I have had quite a bit of difficulty finding information about the
new slew of Mac Viruses that have arrived. Here is some of what I
HAVE been able to locate:

The NASA virus: NASA has kept very quiet about how this virus works and
replicates. From what I've been able to decipher (someone correct me if
they have more knowledge), it doesn't actually damage the system in any
way, but slows down programs and increases their length, makes it very
hard to print things, crashes the system, as well as typing some sort of
obnoxious message. Apparently the virus has no effect on data files, but
it injects itself into every program file and makes itself very hard to
eliminate. I believe that the virus probably appends itself to the end of
the program file. It "goes off" every 2, 4 and 7 days after infection.

Another Christmas Tree Virus: A Mac version that simply copies itself to
any existent hard drive and any disks in any drives attached to the
system. It does no actual damage, and appears in the directory as a
program file. The way to know if you have this virus is if you have a
file XMAS in your directory.

Unnamed virus: According to the April 11 issue of Infoworld, a virus
exists that "transmits itself from Mac to Mac by invading a standard
executable application file". This virus destroys files. "The easiest
way to spot this virus is by looking at the icons that represent the Note
Pad File and Scrapbook File in the Macintosh System Folder". "These
icons normally resemble small Macintoshes, but when infected, the icons
become a rectangle with a bent corner."

More as I get it. I believe the NASA virus and the Unnamed one (found in
Washington and Boston so far) will be taken care of by the new anti-viral
program for the Mac that we'll (LVIT'll) be releasing in the next few
weeks. Also, if you missed Art W.'s letter, go back and read it!

Also, I must apologize. Mitch tells the world that:

>> As one of the 'Virus Busters' I am beginning to get a bit
>> annoyed at the constant back patting you seem to be giving yourself.
>> None of the rest of us involved in the Lehigh virus affair have gone
>> out of our way to let the world know how great we are.

If I have upset anyone, I am quite sorry. I was not trying to pat
myself on the back. And Mitch, we argue constantly; let's try to keep
it off the listservs. Incidentally, the trailer that I put on my message
is a direct copy of the trailer Chris Bracy's been using for a while.

Gotta Run,

Loren
=========================================================================
Date: Tue, 26 Apr 88 14:52:20 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Lou Surface <LBS100S@ODUVM>
Subject: Re: Nettiquite
In-Reply-To: Message of Tue, 26 Apr 88 14:30:00 EDT from <P12I1798@JHUVM>

Can we please get back to the discussion at hand?

This should be the last message of its kind please.
=========================================================================
Date: Wed, 27 Apr 88 17:04:40 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: Worms, viruses, and so on

Does anyone remember the article in Scientific American 2-3 years back
called "Core Wars"? It dealt with the basics of program destruction/saving
and I was wanting to reread it. If anyone knows of any other basic
introductions to virus theory, I would also appreciate knowing about them.

=========================================================================
Date: Wed, 27 Apr 88 19:47:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: RE: Worms, viruses, and so on

>If anyone knows of any other basic introductions to virus
> theory, I would also appreciate knowing about them.
>

As a matter of fact, Fred Cohen wrote several booklets on viruses and
system security matters. They were quite good. By now, he must have
compiled them into a book (or several).


------------------------------------------------------------------------------
Joe Sieczkowski
AI Lab, CSEE Department
Lehigh University
Packard Lab #19
Bethlehem, PA 18015
[email protected]
{ihnp4}!c11ux!lehi3b15!joes
[email protected]
------------------------------------------------------------------------------
"Yes...It was a dark and stormy night that a party of three
and myself found, tracked, and destroyed the Lehigh Virus."
------------------------------------------------------------------------------
=========================================================================
Date: Wed, 27 Apr 88 22:38:29 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Loren K Keim -- Lehigh University <LKK0@LEHIGH>

Regarding that talk on viruses to be held at La Salle U:

It's Thursday, April 28, 7 pm to 9 pm, and will be done by
John Hagman, Donald Montabana, and Steve Weissman.

It covers what viruses are, how they're detected, what the cures
available are and whether they require changes in computer management.

Loren
=========================================================================
Date: Thu, 28 Apr 88 07:42:08 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
In-Reply-To: Message of Mon, 25 Apr 88 17:49:20 EDT from <LKK0@LEHIGH>

> Which brings up my third point: I read your comment, Ken, about
> ten times, and I still don't understand it. I don't believe
> public domain programs are the answer at all. I believe we should
> use commercially available fixes. But, likewise, you mention
> that public domain virus-fixes should be given with source code.
> If we want to make the perfect fix... one that will take the
> virus writer infinitely long to break, then we do NOT want source
> code EVER given out, or even the details of how the system works!

I guess I didn't phrase myself very clearly. I didn't mean that people
should not use commercial packages; quite the contrary. I have little
faith in the public domain anti-viral packages because of things like
FLUSHOT - it's too easy to put a virus in one. That, and I believe that
all public domain software should be distributed with source code. Not
because they're anti-viral programs, but because they're in the public
domain. I feel that most of the commercial packages are more thorough
than any of the public domain packages at this time. They should *NOT*
be distributed with source code. A user should be safer using a commercial
package - yes, we all know about Aldus... I don't think that *ANY* software
solution to the virus problem can be 100% effective, though. I hope that
clears things up a bit...

Which brings me to my next point. I've just been out of town for a couple
days on a business trip. When I read my mail last night, I was very surprised
about all the traffic that we've gotten on VIRUS-L - thanks to *ALL* who
submitted! Let's keep it going! I wasn't too happy to see flames and
commercial plugs, though. As the listowner, I will tolerate none of either.
Differences of opinion are one thing, but flames are not acceptable or
proper. If anyone *REALLY* feels the need to flame someone, then reply to
that person directly - NOT TO THE LIST! That way, I won't have to read
it, unless it's me getting flamed; but, hey, I can purge a message as fast
as the next guy... :-) Commercial plugs are against BITNET policy. 'Nuff
said. Anyone sending a flame or a commercial plug to the list does so
knowing that it is his/her final submission to the list - you *WILL* be
removed permanently. Which leaves only melodrama - there's no official
BITNET policy against melodrama unfortunately. I just hope that all of
our readers have a grain or two of salt handy... :-)

Oh yeah, one general guideline - when intending to be "tongue in cheek"
or anything like that, please bear in mind that it is difficult to interpret
something as tongue in cheek. A shortcoming of computer mail I'm afraid.
It's easy enough to *EMPHASIZE* something, but how do we put inflection
into it? How about @tongue_in_cheek(this is tongue in cheek)? :-)

Thanks for the info on La Salle, Loren. Hope someone out there will
be making use of it. And thanks to everyone who has submitted!

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
=========================================================================
Date: Thu, 28 Apr 88 08:11:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: J_CERNY@UNHH
Subject: virus in Aldus Freehand self-training disks

I just received my copy of the Aldus Freehand demo disk.
As I understand it, this runs a musical script to show off what
Freehand can do.
Just before I got around to putting it in my hard-disk SE system
for the first time, however, I read in the March 15, 1988 issue of
MacWEEK that the Aldus Freehand training disk is infected with a
virus!! I'd previously heard that some copies of the actual program
were infected, but this was the first I'd heard about the training
disk. Does anyone know more about this, specifically:
(1) Is what the article calls the "training disk" the same thing
as this scripted, musical demo disk? Or is the training disk
something you get when you order the full-blown program?
(2) Are ALL copies of the training disk believed to be infected?

Jim Cerny, University Computing, University of N.H.
J_CERNY@UNHH

=========================================================================
Date: Thu, 28 Apr 88 15:59:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Joe Simpson <JS05STAF@MIAMIU>
Subject: Purpose of this list.

I am about to send a description of the computer virus epidemic that
surfaced at Miami University to this list. I hope this is an
appropriate place to distribute the information.

I subscribed to the list three days ago and am a little confused about
the purpose of virus-l. My interest is in obtaining information
about active viruses discovered in the computing community and in
recommendations for combating/defending/managing. If this is not
appropriate would someone direct me to the appropriate forum?

Thank You Joe Simpson
=========================================================================
Date: Thu, 28 Apr 88 16:02:55 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Joe Simpson <JS05STAF@MIAMIU>
Subject: A description of computer virus epidemic at Miami U.

THIS IS A FIRST DRAFT OF A POSTING TO THE VIRUS-L LISTSERV GROUP.
PLEASE RESPOND WITH EDITORIAL COMMENTS.

MIAMI UNIVERSITY WAS HIT BY AN OUTBREAK OF MS-DOS AND MACINTOSH
VIRUS APPROXIMATELY 10 DAYS BEFORE THE END OF SEMESTER. VIRUS
APPEARED IN VIRTUALLY EVERY MICRO LAB ON CAMPUS WITHIN 2 DAYS OF
FIRST NOTICE. THE IBM VIRUS APPEARED TO BE A VARIANT OF BRAIN.
THE MAC VIRUSES APPEARED TO BE IDIOT AND SCORES.

SCREENING PROCEDURES WERE INSTITUTED IN THE LABS TO DETECT AND
QUASH VIRUS INFECTED DISKETTES. DETECTION BECAME MORE ACCURATE
OVER TIME. THE PROCEDURE USED TO DISINFECT DISKETTES IS:
1) COPY DATA FILES (WP, SPREADSHEET, DATABASE) TO "CLEAN MEDIA"
2) FORMAT INFECTED DISKETTE ABANDONING ANY DOS AND OTHER EXECUTABLE
FILES.
3) COPY DATA FILES BACK ONTO THE USER DISKETTE.
THERE IS SOME REASON TO BELIEVE THAT THIS PROCEDURE IS OVERLY CAUTIOUS.
IN THE MS-DOS WORLD:
SCREENING PROCEDURES STARTED WITH LOOKING FOR THE WORD BRAIN IN THE
DISKETTE LABEL. NOW WE LOOK FOR THREE OR MORE CONTIGUOUS BAD SECTORS
USING SOMETHING LIKE THE NORTON UTILITIES.

A STUDENT HAS WRITTEN A PROGRAM TO LOOK FOR VIRUS IN RAM. THE SAME
STUDENT IS ATTEMPTING TO REVERSE ENGINEER A SOLUTION. FRED COHEN
FROM UNIV. CINN. HAS BEEN UP TO ASSIST US AND WOULD PROBABLY HAVE
GOOD INFORMATION ON THE VIRUS IF HE HADN'T CONTRACTED ONE OF THE
HUMAN VARIETY LAST NIGHT. INFECTED DISKETTES HAVE BEEN POSTED TO
BOWLING GREEN FOR STUDY (AND OF COURSE TO FRED). AT THIS POINT WE
ARE NOT SURE HOW LONG THE DORMANT PHASE OF THIS VIRUS WAS. IT MAY
HAVE BEEN SEVERAL MONTHS.

SUBJECT TO FRED'S AND THE STUDENT'S NEW INFORMATION HERE IS WHAT
WE BELIEVE ABOUT THE MS-DOS VIRUS.
IT IS A VERSION OF PAKISTANI BRAIN.
IT PROBABLY CANNOT INFECT A HARD DISK. MORE ON THIS WHEN WE REALLY
KNOW.
PROPERLY INSTALLED LANS APPEAR TO OFFER PROTECTION (BECAUSE OF THE
ABOVE?)
IT LIVES IN THREE (OR IN SOME CASES POSSIBLY FIVE) CONTIGUOUS
SECTORS MARKED BAD IN THE FAT.
THE THREE SECTOR VERSION INSTALLS IN HIGH RAM AND CAN BE DETECTED
THERE USING STANDARD DOS CALLS.
IF THERE IS A FIVE SECTOR VERSION (THIS MAY BE DAMAGE AND NOT VIRUS),
IF IT IS A VIRUS, IT DOESN'T PERMANENTLY INSTALL IN HIGH RAM.
THE THREE SECTOR VERSION APPEARS TO INSTALL BOOTSTRAP CODE INTO AT LEAST
THE FOLLOWING FILES: COMMAND.COM, PRINT.COM, FORMAT.COM. FRED HAS
A CHECKSUM PROGRAM THAT WE USED TO DIAGNOSE THIS BEHAVIOR.
THE THREE SECTOR VIRUS WILL PLACE BRAIN IN THE DISKETTE VOLUME LABEL AND
REMOVE IT PERIODICALLY. THUS, ABSENCE OF BRAIN IS NOT ASSURANCE OF A
CLEAN DISKETTE.

SOME OF THE THINGS THAT THE PRUDENT COMPUTER USER SHOULD DO IN THE
COMPUTER AGE (SAGE WISDOM SUBJECT TO FREQUENT REVISION):
USE ATTRIB TO MAKE COMMAND.COM AND MANY OTHER FILES READ ONLY.
THIS LIST SHOULD PROBABLY INCLUDE PROGRAMS.
BACKUP, BACKUP, BACKUP, BACKUP. I KEEP A 3 WEEK ROLLING BACKUP
TO PROTECT MYSELF FROM DORMANT PHASE VIRUSES AS OBSERVED IN THE
MAC WORLD.
WRITE PROTECT ALL ORIGINAL DISKETTES WITHIN SECONDS OF OPENING THE
SHRINK WRAP.
WHEN TRANSFERRING INFORMATION BETWEEN COMPUTERS USE DISKETTES THAT
CONTAIN NO EXECUTABLES (SYSTEM AND APPLICATIONS SOFTWARE).
WHERE POSSIBLE BOOT FLOPPIES SHOULD BE WRITE PROTECTED. IT IS NOT
KNOWN AT THIS TIME WHETHER WRITE PROTECTION IS HARDWARE OR SOFTWARE
MEDIATED. WE ARE FOLLOWING UP WITH IBM.

IN THE MACINTOSH WORLD WE SUSPECT THAT WE WERE INFECTED BY SCORES AND
IDIOT. MAC USERS ARE MUCH MORE AUTONOMOUS AND OUR INFORMATION IS NOT
AS GOOD. WE ARE STILL TRYING TO OBTAIN COPIES OF INFECTED MACINTOSH
DISKETTES. IN THE MEANTIME WE ARE DISTRIBUTING KILLVIRUS, VACCINE,
AND FERRET 1.1.
DIAGNOSIS RELIES UPON FINDING CHARACTERISTIC SIGNATURE FILES.
PRESENT RECOMMENDATIONS FOR PREVENTION INCLUDE ALL OF THE ABOVE
RECOMMENDATIONS FOR THE MS-DOS WORLD PLUS RUNNING KILLVIRUS OR
VACCINE.

SOME THINGS WE ARE CONSIDERING FOR NEXT YEAR.

ENCOURAGE STUDENTS TO EXCHANGE INFORMATION ON DATA DISKETTES THAT
DO NOT INCLUDE EXECUTABLES.
MORE WRITE PROTECTION AT DOS ATTRIB LEVEL AND HARDWARE LEVEL.
INVESTIGATE VIRUS PROTECTION SOFTWARE. IN THE MAC WORLD WE ARE
USING VACCINE AND LOOKING AT VIRUSDETECTIVE AND KILLVIRUS.
INVESTIGATE VIRUS PROTECTION IN THE MS-DOS WORLD? USE LOCAL
HACKS TO PERIODICALLY LOOK FOR RAM RESIDENT SOFTWARE THAT SHOULDN'T
BE THERE?
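The two MS-DOS screening rules described in the posting above (a run of contiguous sectors marked bad in the FAT, and the word BRAIN in the volume label) can be checked without Norton Utilities by reading the diskette image directly. The following is an added example, written for this page and not a program from Miami University or from Fred Cohen; it builds a freshly formatted 360K FAT12 image in memory (constructed data, not a real infected disk), marks three clusters bad and writes a "(c) Brain" label, then runs both checks. Two caveats the posting does not spell out: the FAT marks clusters, not sectors (two sectors per cluster on a 360K diskette), so the threshold is a parameter here; and a diskette with genuine media defects also carries bad clusters, so a hit is a reason to inspect, not proof of infection. The label check is kept separate because, as the posting notes, the label comes and goes.

```python
"""Screen a FAT12 floppy image for bad-cluster runs and a Brain volume label."""
import struct

BAD_CLUSTER = 0xFF7      # FAT12 value marking a cluster unusable

def bpb(image):
    """Read the BIOS Parameter Block fields the scanner needs (DOS 2.0 layout)."""
    fields = struct.unpack_from("<HBHBHHBH", image, 11)
    keys = ("bps", "spc", "reserved", "fats", "root_entries", "total", "media", "spf")
    return dict(zip(keys, fields))

def fat12_get(fat, n):
    """12-bit entry n of a FAT12 table (two entries share three bytes)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val & 0x0FFF if n % 2 == 0 else val >> 4

def fat12_set(fat, n, value):
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    if n % 2 == 0:
        val = (val & 0xF000) | (value & 0x0FFF)
    else:
        val = (val & 0x000F) | ((value & 0x0FFF) << 4)
    fat[off], fat[off + 1] = val & 0xFF, (val >> 8) & 0xFF

def first_fat(image):
    p = bpb(image)
    start = p["reserved"] * p["bps"]
    return memoryview(image)[start:start + p["spf"] * p["bps"]]

def last_cluster(p):
    root_sectors = (p["root_entries"] * 32 + p["bps"] - 1) // p["bps"]
    data_sectors = p["total"] - p["reserved"] - p["fats"] * p["spf"] - root_sectors
    return 1 + data_sectors // p["spc"]      # data clusters are numbered from 2

def bad_cluster_runs(image):
    """Return [(first_cluster, length), ...] for every run of bad-marked clusters."""
    fat, runs, start = first_fat(image), [], None
    top = last_cluster(bpb(image))
    for n in range(2, top + 2):              # one past the end flushes the last run
        bad = n <= top and fat12_get(fat, n) == BAD_CLUSTER
        if bad and start is None:
            start = n
        elif not bad and start is not None:
            runs.append((start, n - start))
            start = None
    return runs

def volume_labels(image):
    """Volume-label entries (attribute 0x08) in the root directory, DOS 2/3 style."""
    p = bpb(image)
    root = (p["reserved"] + p["fats"] * p["spf"]) * p["bps"]
    labels = []
    for i in range(p["root_entries"]):
        e = image[root + 32 * i:root + 32 * i + 32]
        if e[0] == 0x00:                     # end of directory
            break
        if e[0] != 0xE5 and e[11] & 0x08:    # not deleted, label attribute set
            labels.append(bytes(e[:11]).decode("ascii", "replace").rstrip())
    return labels

def screen(image, min_run=3):
    """Findings for the lab screening rule; an empty list means the disk passed."""
    findings = [f"{length} contiguous bad clusters from cluster {start}"
                for start, length in bad_cluster_runs(image) if length >= min_run]
    findings += [f"volume label {label!r}" for label in volume_labels(image)
                 if "BRAIN" in label.upper()]
    return findings

def blank_360k():
    """Constructed, freshly formatted 360K image: 512-byte sectors, 2 per cluster,
    1 reserved sector, 2 FATs of 2 sectors each, 112 root entries, 720 sectors."""
    image = bytearray(720 * 512)
    image[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", image, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    for f in range(2):                       # entries 0 and 1: media byte, end-of-chain
        base = 512 + f * 1024
        image[base:base + 3] = b"\xFD\xFF\xFF"
    return image

def brain_like_sample():
    """Constructed: three clusters marked bad (numbers chosen arbitrarily) and the
    '(c) Brain' label the digest mentions, written into both FAT copies."""
    image = blank_360k()
    p = bpb(image)
    for f in range(p["fats"]):
        base = (p["reserved"] + f * p["spf"]) * p["bps"]
        fat = memoryview(image)[base:base + p["spf"] * p["bps"]]
        for n in (50, 51, 52):
            fat12_set(fat, n, BAD_CLUSTER)
    root = (p["reserved"] + p["fats"] * p["spf"]) * p["bps"]
    image[root:root + 11] = b"(c) Brain  "
    image[root + 11] = 0x08
    return image

if __name__ == "__main__":
    for name, img in (("blank", blank_360k()), ("sample", brain_like_sample())):
        print(name, screen(img) or ["clean"])
```

To run this against a real diskette, read the raw image (for example from a sector-dump tool) into a bytearray and pass it to screen(); a run shorter than min_run is not reported, so lower the threshold if you want to see every bad-marked cluster.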
=========================================================================
Date: Thu, 28 Apr 88 16:16:02 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject: Re: Purpose of this list.
In-Reply-To: Message of Thu, 28 Apr 88 15:59:00 EST from <JS05STAF@MIAMIU>

>I am about to send a description of the computer virus epidemic that
>surfaced at Miami University to this list. I hope this is an
>appropriate place to distribute the information.

This list is definitely an appropriate place for that discussion!

>I subscribed to the list three days ago and am a little confused about
>the purpose of virus-l. My interest is in obtaining information
>about active viruses discovered in the computing community and in
>recommendations for combating/defending/managing. If this is not
>appropriate would someone direct me to the appropriate forum?

While the list is less than a week old, I think that you're definitely
on target with what you expect. I'd like to see the same things, and
a bit more. Discussing existing viruses alone is somewhat limiting, and
probably an uphill battle. While information on them should definitely
be available here, we shouldn't limit ourselves to that. Some theoretical
discussions on future virus possibilities, and how to prevent them,
should also be found. Hope that clears it up...

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
=========================================================================
Date: Thu, 28 Apr 88 16:54:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Loren Miller,
Senior Large-Systems Consultant" <[email protected]>
Subject: MAC VIRUS info -- relayed from INFO-MAC

Date: Tue 26 Apr 88 03:36:16-EDT
From: "Vin McLellan" <SIDNEY.G.VIN%[email protected]>
Subject: Virus Sores and Scores

Relayed from:
INFO-MAC Digest Saturday, 23 Apr 1988 Volume 6 : Issue 40

From [email protected] Mon Apr 18 10:11:09 1988
Subject: The Scores Virus
Date: 18 Apr 88 16:11:09 GMT

My colleague Bob Hablutzel got a copy of the Scores virus last Thursday and
disassembled it, and I've been studying and testing it ever since. So far I've
reverse-engineered about half the code and have a thorough understanding of how
it works. This note is a preliminary report on what I know so far, after four
days of research. It also outlines plans for a disinfectant program.

The virus is definitely targeted against applications with signatures VULT and
ERIC. I don't know if any applications with these signatures exist or are
planned to be released.

The virus infects your system folder when you run an infected program.

The virus lies dormant for two days after your system folder is first infected.
After two, four, and seven days various parts wake up and begin doing their
dirty work.

Two days after the initial infection the virus begins to spread to other
applications. I haven't completely finished figuring out this mechanism, but
it appears that only applications that are actually run are candidates for
infection.

After four days the second part of the virus wakes up. It begins to watch for
the VULT and ERIC applications. Whenever VULT or ERIC is run it bombs after 25
minutes of use. If you don't have a debugger installed you'll get a system
bomb with ID=12. If you have MacsBug installed you'll get a user break.

After seven days the third part of the virus wakes up. Whenever VULT is run
the virus waits for 15 minutes, then causes any attempt to write a disk file to
bomb. If you don't do any writes for another 10 minutes the application will
bomb anyway, as described in the previous paragraph. There's also more code to
force a bomb after 45 minutes, but I can't see any way that this code can be
reached, given the forced bomb after 25 minutes.

The virus identifies VULT and ERIC by checking to see if the application
contains any resources of type VULT or ERIC. Applications with signatures VULT
and ERIC normally contain these resources, but other applications normally
don't.

I verified the behaviour of the virus by using ResEdit to add empty resources
of types VULT and ERIC to the TeachText application. TeachText bombed as
described above on an infected system, even though TeachText itself was not
infected! While running my experiments I was in ResEdit on the infected system
and heard the disk whir. Sure enough, ResEdit was infected. I've been running
on an infected system with an infected ResEdit for three days. I reset the
system clock to fool the various parts of the virus into thinking it was time
for them to wake up. The Finder has also become infected. ResEdit, Finder,
and the rest of the system seem to be functioning normally. Only my version of
TeachText modified to look like VULT or ERIC has been affected by the virus.

If you repeat any of these experiments be very careful to isolate the virus.
I'm using a separate dual floppy SE to perform my experiments, and I've
carefully labelled and isolated all the floppies I'm using. My main machine is
an SE with a hard drive, where I have MPW and my other tools installed. It's
OK to look at infected files on the main machine (e.g. with ResEqual, DumpCode,
etc.), but don't run any infected applications on the main machine - that's how
it installs itself and spreads. Children should not attempt this without adult
supervision :-)

An infected application contains an extra CODE resource of size 7026, numbered
two higher than the previous highest numbered CODE resource. Bytes 16-23 of
CODE resource number 0 are changed to the following:

0008 3F3C nnnn A9F0

where nnnn is the number of the new CODE resource.

You can repair an infected application by replacing bytes 16-23 of CODE 0 by
bytes 2-9 of CODE nnnn, then deleting CODE nnnn. I've tried this using ResEdit
on an infected version of itself, and it works. The MPW utility ResEqual
reports that the result is identical to the original uninfected version.

The virus creates two new invisible files named Desktop (type INIT) and Scores
(type RDEV) in your system folder, and adds resources to the files System, Note
Pad File, and Scrapbook File.

Note Pad File and Scrapbook File are created if they don't already exist. Note
Pad File is changed to type INIT, and Scrapbook File is changed to type RDEV.
Both of these files normally have file type ZSYS. The icons for these two
files change from the usual little Macintosh to the generic plain document
icon. Checking your system folder for this change is the easiest way to detect
that you're infected.

Copies of the following five resources are created:

Type ID Size Files
----- ----- ----- -------------------------------------
INIT 6 772 System, Note Pad File, Scrapbook File
INIT 10 1020 System, Desktop, Scores
INIT 17 480 System, Scrapbook File
atpl 128 2410 System, Desktop, Scores
DATA -4001 7026 System, Desktop, Scores

A disinfectant program would have to repair all infected applications and clean
up the system folder, undoing the damage described above. I don't yet know
exactly which files can be infected, but I know for sure that Finder (file type
FNDR) can get infected, and that applications (file type APPL) can get
infected. For safest results the disinfectant should examine and disinfect the
resource forks of all the files on the disk. I recommend the following
algorithm:

Scan the entire file hierarchy on the disk, and for each file on the disk check
its resource fork. Delete any and all resources whose type, ID, and size
match the table above. Delete all files whose resource forks become empty after
this operation. If the resource fork's highest numbered CODE resource is
numbered two more than the next highest numbered CODE resource, and if its
size is 7026, then patch the CODE 0 resource as described above, and delete the
highest numbered CODE resource. Also examine all files named Note Pad File and
Scrapbook File. If their file type is INIT or RDEV, change it to ZSYS.

I'm fairly confident that a disinfectant program implemented using the
algorithm above would successfully eradicate the virus from a disk, restore all
applications to their original uninfected state, and not harm any non-viral
software on the disk. It should work even on disks with multiple infected
system folders. I also believe that it should work even if run on an infected
system, and even if the disinfectant program becomes infected itself! There's a
small chance that it could delete too many resources, and hence damage some
other application, but that's a small price to pay for a clean system.

Getting rid of a virus is tricky, even with a disinfectant program. The
disinfectant program should be placed on a floppy disk along with a system
folder. Make a backup copy of this disk. The machine should be booted using
the startup disk you just made, and then the disinfectant should be run on all
the hard drives and floppies in your collection, including the backup copy of
the startup disk you just made. Don't run any other programs or boot from any
other disks while disinfecting - you might get reinfected. When you're all
done, reboot from some other (disinfected) disk and immediately erase the
startup disk you used to do the disinfecting, which may be (and probably is)
infected itself. This should absolutely, positively get rid of all traces of
the virus. The backup disk you made and disinfected should contain an
uninfected copy of the disinfectant program in case you need to use it again.

There are at least two red herrings in the virus. It uses a resource of type
'atpl', which is usually some sort of AppleTalk resource. As far as I can
tell, however, the virus does not attempt to spread itself over networks. The
'atpl' resource is used for something else entirely. This is not a bug. Also,
the virus creates the file Desktop in your system folder. This is done on
purpose. It is not a failed attempt to modify the Finder's Desktop file in the
root directory. The file is used by the virus, and has nothing to do with the
Finder.

I don't know why the virus seems to cause reported problems with MacDraw,
printing, etc. Perhaps it's a memory problem - the virus permanently allocates
16,874 bytes of memory at system startup (four blocks in the system heap of
sizes 772, 40, 8, and 334, and one block at BufPtr of size 15360). I've only
found one possible bug in the virus code, and it looks pretty harmless. The
code is very sophisticated, however, and I can easily understand how I might
have overlooked a bug, or how it might interact in strange unintended ways with
other applications and parts of the system.

When we've finished completely cracking this virus we'll probably distribute
another report. I've posted these preliminary results now to get the
information out as quickly as possible. We also hope to write the disinfectant
program, if someone else doesn't write it first.

I've decided not to distribute detailed information on how this virus works.
I'll distribute detailed technical information about what it does and how to
get rid of it, but not internal details. This was a very difficult decision to
make, because normally I firmly believe in the enormous benefit of the free
exchange of code and information. The Scores virus is a very interesting and
complicated piece of code, I've learned a great deal about the Mac by studying
it, and I'm sure other people could learn a great deal from it too. But I
don't want to teach twisted minds how to write these incredibly nasty bits of
code. If I write the disinfectant program, however, I will distribute its
source, because I do want to teach untwisted minds how to get rid of them.

So please don't bombard me with requests for more information. You may be the
nicest, most honest, incredibly important person, but I won't tell you how it
works. I'll make only two exceptions, and that's for a very few of my
colleagues at Northwestern University, and for qualified representatives of
Apple Computer.

Thanks to Howard Upchurch for giving us a copy of the virus, and to Bob
Hablutzel for helping me crack it.

John Norstad
Northwestern University
Academic Computing and Network Services
2129 Sheridan Road
Evanston, IL 60208

Bitnet: JLN@NUACC
Internet: [email protected]

Monday morning, April 18, 1988.

------------------------------
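The repair and disinfection rules in Norstad's report (the CODE 0 patch bytes, the grafted CODE resource two higher than the previous highest, the five-resource table, and the retyped Note Pad File and Scrapbook File) are concrete enough to be written down as code. The following is an added example written for this page; it is not the disinfectant Norstad proposed and not Apple's code. A resource fork is modelled simply as a dictionary from (type, id) to the resource's bytes, which is an assumption for illustration: a real tool would first have to parse the resource fork's header and map, which this example does not do. One deliberate difference from the report's algorithm: before patching CODE 0 the code also requires the 0008 3F3C nnnn A9F0 bytes to be present, so an innocent application whose CODE numbering happens to match is left alone. All sample data below is constructed.

```python
"""Scores detection and repair rules from the report, on a dict-model resource fork."""
VIRAL_CODE_SIZE = 7026
# (type, id, size) of the five resources the report lists.
SCORES_RESOURCES = {("INIT", 6, 772), ("INIT", 10, 1020), ("INIT", 17, 480),
                    ("atpl", 128, 2410), ("DATA", -4001, 7026)}
RETYPED_FILES = {"Note Pad File", "Scrapbook File"}   # normally file type ZSYS

def patch_bytes(code_id):
    """The 8 bytes Scores writes at offset 16 of CODE 0: 0008 3F3C nnnn A9F0."""
    return b"\x00\x08\x3F\x3C" + code_id.to_bytes(2, "big") + b"\xA9\xF0"

def viral_code_id(res):
    """Id of the grafted CODE resource, or None if the application is clean.
    Uses the report's rule (highest CODE id is next-highest + 2 and 7026 bytes)
    and additionally requires the CODE 0 patch to be present."""
    ids = sorted(i for (t, i) in res if t == "CODE")
    if len(ids) < 2:
        return None
    top, below = ids[-1], ids[-2]
    if top != below + 2 or len(res[("CODE", top)]) != VIRAL_CODE_SIZE:
        return None
    return top if res.get(("CODE", 0), b"")[16:24] == patch_bytes(top) else None

def repair_application(res):
    """Restore CODE 0 from the bytes the virus saved, then drop the viral CODE."""
    n = viral_code_id(res)
    if n is None:
        return dict(res)
    fixed = dict(res)
    code0 = bytearray(res[("CODE", 0)])
    code0[16:24] = res[("CODE", n)][2:10]      # bytes 2-9 of CODE nnnn
    fixed[("CODE", 0)] = bytes(code0)
    del fixed[("CODE", n)]
    return fixed

def disinfect_file(f):
    """f is {"name", "type", "res"}. Returns the cleaned file, or None when the
    file should be deleted because the clean-up emptied its resource fork."""
    res = {k: v for k, v in f["res"].items()
           if (k[0], k[1], len(v)) not in SCORES_RESOURCES}
    if res != f["res"] and not res:
        return None
    res = repair_application(res)
    ftype = f["type"]
    if f["name"] in RETYPED_FILES and ftype in ("INIT", "RDEV"):
        ftype = "ZSYS"
    return {"name": f["name"], "type": ftype, "res": res}

def disinfect_folder(files):
    """Apply disinfect_file to every file; files returned as None are deleted."""
    return [c for c in map(disinfect_file, files) if c is not None]

def sample_infected_app():
    """Constructed: a three-segment application before and after infection."""
    clean = {("CODE", 0): bytes(range(32)),
             ("CODE", 1): b"\x4E\x75" * 50,
             ("CODE", 2): b"\x4E\x71" * 30}
    viral = bytearray(VIRAL_CODE_SIZE)
    viral[2:10] = clean[("CODE", 0)][16:24]    # the virus keeps the bytes it overwrote
    infected = dict(clean)
    code0 = clean[("CODE", 0)]
    infected[("CODE", 0)] = code0[:16] + patch_bytes(4) + code0[24:]
    infected[("CODE", 4)] = bytes(viral)       # 2 + the previous highest CODE id
    return clean, infected

def sample_system_folder():
    """Constructed: the virus's own 'Scores' file, and a user's Scrapbook File
    that the virus retyped to RDEV and added two INITs to."""
    return [
        {"name": "Scores", "type": "RDEV",
         "res": {("INIT", 10): bytes(1020), ("atpl", 128): bytes(2410),
                 ("DATA", -4001): bytes(7026)}},
        {"name": "Scrapbook File", "type": "RDEV",
         "res": {("INIT", 6): bytes(772), ("INIT", 17): bytes(480),
                 ("PICT", 128): b"\x00" * 100}},
    ]

if __name__ == "__main__":
    clean, infected = sample_infected_app()
    print("viral CODE id:", viral_code_id(infected))
    print("repaired == clean:", repair_application(infected) == clean)
    for f in disinfect_folder(sample_system_folder()):
        print(f["name"], f["type"], sorted(f["res"]))
```

The Scrapbook File survives because the user's own PICT resource is left in it, while the virus-created Scores file is emptied and therefore deleted, which is the behaviour the report's algorithm calls for. Matching on (type, id, size) rather than on type and id alone is what keeps the clean-up from deleting an unrelated INIT 6 or atpl 128 that happens to exist in a legitimate file.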
=========================================================================
Date: Thu, 28 Apr 88 20:12:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: RE: A description of computer virus epidemic at Miami U.

>SCREENING PROCEDURES WERE INSTITUTED IN THE LABS TO DETECT AND
>QUASH VIRUS INFECTED DISKETTES. DETECTION BECAME MORE ACCURATE
>OVER TIME. THE PROCEDURE USED TO DISINFECT DISKETTES IS:
>1) COPY DATA FILES (WP, SPREADSHEET, DATABASE) TO "CLEAN MEDIA"
>2) FORMAT INFECTED DISKETTE ABANDONING ANY DOS AND OTHER EXECUTABLE
> FILES.
>3) COPY DATA FILES BACK ONTO THE USER DISKETTE.
>THERE IS SOME REASON TO BELIEVE THAT THIS PROCEDURE IS OVERLY CAUTIOUS.
>IN THE MS-DOS WORLD:
>SCREENING PROCEDURES STARTED WITH LOOKING FOR THE WORD BRAIN IN THE
>DISKETTE LABEL. NOW WE LOOK FOR THREE OR MORE CONTIGUOUS BAD SECTORS
>USING SOMETHING LIKE THE NORTON UTILITIES.
>

Be very careful here... Suppose you follow steps 1, 2, & 3, if you
miss even one disk, you could be back where you started in a week.
After you analyze the assembly, I would suggest that you implement a
screening procedure and vaccination procedure in a program. Install
that program in the autoexec of every bootable disk, so that on bootup
you automatically check whether or not the disk is infected and if it
is infected you kill the virus. This way your disks become
"vaccinated" against that particular strain. This is what we did at
Lehigh.

Of course, write protecting all disks (maybe even notch-less) is
probably a better solution, but sometimes that isn't appropriate.


>MORE WRITE PROTECTION AT DOS ATTRIB LEVEL AND HARDWARE LEVEL.

DOS Attribing doesn't do much and its very easy for a virus to by-pass
this. I'm unfamiliar with any attrib at the HARDWARE level.


It's hard to say much more without knowing specifically how
the virus communicates itself, how it finds its hiding spot, and
so forth. Deciphering the assembly is very important, otherwise
you might miss something. Good Luck



------------------------------------------------------------------------------
[email protected] Joe Sieczkowski
{ihnp4}!c11ux!lehi3b15!joes AI Lab, CSEE Department
[email protected] Lehigh University
Packard Lab #19
Bethlehem, PA 18015
--------------------------------------------------------------------
"Yes...It was a dark and stormy night that a party of three
and myself found, tracked, and destroyed the Lehigh Virus."
---------------------------------------------------------
=========================================================================
Date: Thu, 28 Apr 88 21:10:50 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: -=*REB*=- <RB00@LEHIGH>
Subject: Core Wars

Someone asked about Core Wars. The idea for Core Wars appeared in
Scientific American in May of 1984. It is a rudimentary
mathematical game based on writing small programs whose mission is to
survive while annihilating other similar programs in the same
workspace.

The programs are written in a language called "redcode."
They are in memory at random positions, and neither knows the location
of the other. They take turns at executing instructions.
Methods of operation are described whereby programs "bomb" certain
areas of memory, copy themselves around to give the other program "the
slip", etc. The article is definitely worth checking out.
The entire game has many similarities to the current virus problem.

There was also an IBM PC based public domain program floating around
which played the game. I think I have a copy of it somewhere.

Richard Baum
_______________________________________________________________
/ From: -=*REB*=- ",
/FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ",
/InterNet: [email protected] BitNet: [email protected] ",
/ SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ",
!----------------------------------------------------------------------!
! The Brent Z*ne! !
"----------------------------------------------------------------------"
=========================================================================
Date: Fri, 29 Apr 88 08:33:42 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Joe Simpson <JS05STAF@MIAMIU>
Subject: Hardware write protection

Does anyone know whether the write protect hardware in commonly used
microcomputers is
a) merely a sensor that operates through software mediation (and is
thereby at risk to hostile software)
- or -
b) operated purely at the hardware digital logic gate, for example
via a hardware "or" gate?
Of course answers to this question must be specific to hardware. I'll
start off with the old Apple II 5.25 disk drives. It's hardware here.
=========================================================================
Date: Fri, 29 Apr 88 08:55:56 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Jim Eshleman <LUJCE@LEHIIBM1>
Subject: Testing

Please ignore this test.

Jim Eshleman
Lehigh University Computing Center
=========================================================================
Date: Fri, 29 Apr 88 09:39:16 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject: More info on Miami U's virus woes

I just spoke with Fred Cohen, who was helping Miami University
with their Brain virus problems. He gave me some additional information
to pass along to the list.

First, their PC virus is indeed a *NEW* strain of the Brain virus. It
is quite a lot more sophisticated than its ancestor, however. Major
differences:

1) It infects COM files as well as system files. The COM files
show no changes in file size or in write date when a DIR command
is issued.
2) The virus appears to move around a bit. For example, the ASCII
message displaying the Pakistani authors' names and addresses
*sometimes* appears in the boot sectors, sometimes not.
3) The new Brain virus can now infect hard drives. The previous one
could not infect *anything* other than 5 1/4" disks.

At Miami U., some BAT files were found which contained commands to
copy some infected COM files to the C: drive.

Trying to stop a virus like this from spreading, particularly in a
typical university computing environment, is proving to be very difficult
indeed. They're currently running a program which checks for any of the
standard interrupt addresses to change; whereupon they halt the system.
This way, at least they get flagged that the virus is on that system.
Placing write protect tabs on most of the disks helps, but is not always
feasible - particularly in the case of copy protected software like Lotus
1-2-3.

That brings me to another point. It seems that, with the current crop
of viruses, copy protected software is presenting a serious security
problem. If you cannot write protect a disk, then that disk runs a
real threat of becoming infected. So, if you must use copy protected
software, make sure you boot the system (power down/up - not just
ctrl-alt-del; that's easy to fake!) from a write-protected system disk,
and then only use your copy protected program. Do not introduce any
outside disks into the system during this time.

The original Brain virus spread all over the place fairly quickly. This
one is much more elaborate, and has been spotted at more than one
university already. The need to be extremely cautious cannot be overstressed.

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
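Ken's first point, that the infected COM files show no change in size or write date in a DIR listing, is exactly the case a checksum baseline (the kind of program Joe Simpson mentioned Fred Cohen bringing) is meant to catch. The following is an added example written for this page, not that program and not anything from Lehigh or Miami: it records size, modification time and a SHA-256 digest (a modern hash chosen here instead of a 1988-era checksum) for every executable under a directory, then re-fingerprints and reports what changed. The demo builds a constructed scenario in a temporary directory: a fake COMMAND.COM is overwritten in place with the same length, its timestamp is put back, and a dropped extra COM file appears; the comparison flags the patched file as a "silent" change even though its size and date still match.

```python
"""Integrity baseline for executables: finds changes that size and date hide."""
import hashlib
import json
import os

def fingerprint(path):
    """Size, modification time and SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}

def baseline(root, suffixes=(".com", ".exe", ".sys")):
    """Fingerprint every executable under root, keyed by path relative to root."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                base[os.path.relpath(path, root)] = fingerprint(path)
    return base

def save_baseline(base, path):
    with open(path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(root, base):
    """Re-fingerprint root and report against base. 'silent' lists changed files
    whose size and mtime still match the baseline, which a DIR listing cannot show."""
    now = baseline(root)
    changed = sorted(p for p in base if p in now and now[p]["sha256"] != base[p]["sha256"])
    silent = [p for p in changed
              if now[p]["size"] == base[p]["size"] and now[p]["mtime"] == base[p]["mtime"]]
    return {"changed": changed, "silent": silent,
            "new": sorted(set(now) - set(base)), "missing": sorted(set(base) - set(now))}

def demo():
    """Constructed scenario in a temp directory, see the text above."""
    import tempfile
    root = tempfile.mkdtemp()
    target = os.path.join(root, "COMMAND.COM")
    with open(target, "wb") as f:
        f.write(b"\x90" * 100)
    os.utime(target, (1_000_000, 1_000_000))
    base = baseline(root)
    with open(target, "r+b") as f:               # patch the first bytes, length unchanged
        f.write(b"\xEB\xFE")
    os.utime(target, (1_000_000, 1_000_000))     # restore the date DIR would show
    with open(os.path.join(root, "DROPPED.COM"), "wb") as f:
        f.write(b"\xCD\x20")                     # a newly dropped executable
    return compare(root, base)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two practical notes. Keep the saved baseline, and the program that checks it, on a write-protected diskette rather than on the machine being checked; a virus that can rewrite COMMAND.COM without changing its date can rewrite a baseline file just as quietly. And run the check after a cold boot from a write-protected system disk, for the reason Ken gives about warm boots: if the virus is already resident it may be sitting between the checker and the disk.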
=========================================================================
Date: Fri, 29 Apr 88 10:10:27 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject: another Miami update

One more thing on the new Brain virus - IT CAN INFECT DATA DISKS. That
is, non-system disks containing NO EXECUTABLE FILES. It has been found
that, if you try to boot an infected data disk, the pc will respond with
NON SYSTEM DISK (or something similar). If you then place a bootable
disk in the system and press any key, the bootable disk will boot, and
the virus will be resident in memory, even if the bootable disk was
previously uninfected. Note that this may not work on all pc clones,
depending upon how they boot. That is, not all machines will try to
boot another disk if you just press any key after getting a NON SYSTEM
DISK message. Also, if you CTRL-ALT-DEL to re-boot, the virus will not
remain in memory in this case.

Hopefully we'll get yet more information on this new virus in the near
future...

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk = If found wandering aimlessly, =
= User Services Senior Consultant = please feed and return... =
= Lehigh University Computing Center =-------------------------------=
= Internet: <[email protected]> = This just in: =
= BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! =
------------------------------------------------------------------------
=========================================================================
Date: Fri, 29 Apr 88 09:57:52 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: DG5EOPER@MIAMIU

We've been discussing how to thoroughly clean up a viral infection
so that there aren't any remaining copies hanging around to infect
the labs all over again. Why not introduce a virus-killer VIRUS?
A program that spreads itself just like a virus with a sole purpose
of hunting down a particular virus and nullifying it? It would propagate
itself and spread just as quickly as a virus and would clean up
student's disks even if they didn't know they were infected. Maybe
this is not a good idea. I am rather new to the subject, but find it
interesting. Anyone's comments on this idea would be welcomed.

David Geis
=========================================================================
Date: Fri, 29 Apr 88 12:55:00 EST
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: [email protected]
Subject: NO "Virus Killer" Viruses

>Why not introduce a virus-killer VIRUS?
>A program that spreads itself just like a virus with a sole purpose
>of hunting down a particular virus and nullifying it? It would propagate
>itself and spread just as quickly as a virus and would clean up
>student's disks even if they didn't know they were infected.
>Maybe this is not a good idea.

No, it's not a good idea... "Vaccines" should not be viruses
themselves. I agree that a program should be developed that would
hunt down and kill a particular strain of virus. But the program
should not be a virus itself otherwise your wonderful cure, in the
future, might become an annoying pain in the ?#s. Once administered,
you have no control of it. A virus uncontrollably propagating through
computer systems could, as a side effect, cause software to malfunction,
take up computing resources, etc. Moreover, you have to put out a new
"killer vaccine virus" for every new regular virus, and soon systems
would be overloaded with protection viruses that would probably fight
amongst themselves and prevent a computer from functioning optimally.







------------------------------------------------------------------------------
[email protected] Joe Sieczkowski
{ihnp4}!c11ux!lehi3b15!joes AI Lab, CSEE Department
[email protected] Lehigh University
Packard Lab #19
Bethlehem, PA 18015
--------------------------------------------------------------------
"Yes...It was a dark and stormy night that a party of three
and myself found, tracked, and destroyed the Lehigh Virus."
---------------------------------------------------------
=========================================================================
Date: Fri, 29 Apr 88 14:27:21 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Jim Eshleman <LUJCE@LEHIIBM1>
Subject: MAC VIRUS info - from Loren Miller

The XWell Mailer does not like addresses that span lines so Loren's
posting got sent to me:

From: "Loren Miller,
Senior Large-Systems Consultant" <[email protected]>

Please refrain from using addresses like this until I can get the beast
fixed. I am working on it. Many thanks. Here's Loren's posting below.
Sorry for the delay in getting this to the list.

/jce

------------------ Start of mail from Loren Miller -------------------

Subject: MAC VIRUS info -- relayed from INFO-MAC

Date: Tue 26 Apr 88 03:36:16-EDT
From: "Vin McLellan" <SIDNEY.G.VIN%[email protected]>
Subject: Virus Sores and Scores

Relayed from:
INFO-MAC Digest Saturday, 23 Apr 1988 Volume 6 : Issue 40

From [email protected] Mon Apr 18 10:11:09 1988
Subject: The Scores Virus
Date: 18 Apr 88 16:11:09 GMT

My colleague Bob Hablutzel got a copy of the Scores virus last Thursday and
disassembled it, and I've been studying and testing it ever since. So far I've
reverse-engineered about half the code and have a thorough understanding of how
it works. This note is a preliminary report on what I know so far, after four
days of research. It also outlines plans for a disinfectant program.

The virus is definitely targeted against applications with signatures VULT and
ERIC. I don't know if any applications with these signatures exist or are
planned to be released.

The virus infects your system folder when you run an infected program.

The virus lies dormant for two days after your system folder is first infected.
After two, four, and seven days various parts wake up and begin doing their
dirty work.

Two days after the initial infection the virus begins to spread to other
applications. I haven't completely finished figuring out this mechanism, but
it appears that only applications that are actually run are candidates for
infection.

After four days the second part of the virus wakes up. It begins to watch for
the VULT and ERIC applications. Whenever VULT or ERIC is run it bombs after 25
minutes of use. If you don't have a debugger installed you'll get a system
bomb with ID=12. If you have MacsBug installed you'll get a user break.

After seven days the third part of the virus wakes up. Whenever VULT is run
the virus waits for 15 minutes, then causes any attempt to write a disk file to
bomb. If you don't do any writes for another 10 minutes the application will
bomb anyway, as described in the previous paragraph. There's also more code to
force a bomb after 45 minutes, but I can't see any way that this code can be
reached, given the forced bomb after 25 minutes.

The virus identifies VULT and ERIC by checking to see if the application
contains any resources of type VULT or ERIC. Applications with signatures VULT
and ERIC normally contain these resources, but other applications normally
don't.

I verified the behaviour of the virus by using ResEdit to add empty resources
of types VULT and ERIC to the TeachText application. TeachText bombed as
described above on an infected system, even though TeachText itself was not
infected! While running my experiments I was in ResEdit on the infected system
and heard the disk whir. Sure enough, ResEdit was infected. I've been running
on an infected system with an infected ResEdit for three days. I reset the
system clock to fool the various parts of the virus into thinking it was time
for them to wake up. The Finder has also become infected. ResEdit, Finder,
and the rest of the system seem to be functioning normally. Only my version of
TeachText modified to look like VULT or ERIC has been affected by the virus.

If you repeat any of these experiments be very careful to isolate the virus.
I'm using a separate dual floppy SE to perform my experiments, and I've
carefully labelled and isolated all the floppies I'm using. My main machine is
an SE with a hard drive, where I have MPW and my other tools installed. It's
OK to look at infected files on the main machine (e.g. with ResEqual, DumpCode,
etc.), but don't run any infected applications on the main machine - that's how
it installs itself and spreads. Children should not attempt this without adult
supervision :-)

An infected application contains an extra CODE resource of size 7026, numbered
two higher than the previous highest numbered CODE resource. Bytes 16-23 of
CODE resource number 0 are changed to the following:

0008 3F3C nnnn A9F0

where nnnn is the number of the new CODE resource.

You can repair an infected application by replacing bytes 16-23 of CODE 0 by
bytes 2-9 of CODE nnnn, then deleting CODE nnnn. I've tried this using ResEdit
on an infected version of itself, and it works. The MPW utility ResEqual
reports that the result is identical to the original uninfected version.

The virus creates two new invisible files named Desktop (type INIT) and Scores
(type RDEV) in your system folder, and adds resources to the files System, Note
Pad File, and Scrapbook File.

Note Pad File and Scrapbook File are created if they don't already exist. Note
Pad File is changed to type INIT, and Scrapbook File is changed to type RDEV.
Both of these files normally have file type ZSYS. The icons for these two
files change from the usual little Macintosh to the generic plain document
icon. Checking your system folder for this change is the easiest way to detect
that you're infected.

Copies of the following five resources are created:

Type   ID     Size   Files
-----  -----  -----  -------------------------------------
INIT   6      772    System, Note Pad File, Scrapbook File
INIT   10     1020   System, Desktop, Scores
INIT   17     480    System, Scrapbook File
atpl   128    2410   System, Desktop, Scores
DATA   -4001  7026   System, Desktop, Scores

A disinfectant program would have to repair all infected applications and clean
up the system folder, undoing the damage described above. I don't yet know
exactly which files can be infected, but I know for sure that Finder (file type
FNDR) can get infected, and that applications (file type APPL) can get
infected. For safest results the disinfectant should examine and disinfect the
resource forks of all the files on the disk. I recommend the following
algorithm:

Scan the entire file hierarchy on the disk, and for each file on the disk check
its resource fork. Delete any and all resources whose type, ID, and size
match the table above. Delete all files whose resource forks become empty after
this operation. If the resource fork's highest numbered CODE resource is
numbered two more than the next highest numbered CODE resource, and if its
size is 7026, then patch the CODE 0 resource as described above, and delete the
highest numbered CODE resource. Also examine all files named Note Pad File and
Scrapbook File. If their file type is INIT or RDEV, change it to ZSYS.

I'm fairly confident that a disinfectant program implemented using the
algorithm above would successfully eradicate the virus from a disk, restore all
applications to their original uninfected state, and not harm any non-viral
software on the disk. It should work even on disks with multiple infected
system folders. I also believe that it should work even if run on an infected
system, and even if the disinfectant program becomes infected itself! There's a
small chance that it could delete too many resources, and hence damage some
other application, but that's a small price to pay for a clean system.

Getting rid of a virus is tricky, even with a disinfectant program. The
disinfectant program should be placed on a floppy disk along with a system
folder. Make a backup copy of this disk. The machine should be booted using
the startup disk you just made, and then the disinfectant should be run on all
the hard drives and floppies in your collection, including the backup copy of
the startup disk you just made. Don't run any other programs or boot from any
other disks while disinfecting - you might get reinfected. When you're all
done, reboot from some other (disinfected) disk and immediately erase the
startup disk you used to do the disinfecting, which may be (and probably is)
infected itself. This should absolutely, positively get rid of all traces of
the virus. The backup disk you made and disinfected should contain an
uninfected copy of the disinfectant program in case you need to use it again.

There are at least two red herrings in the virus. It uses a resource of type
'atpl', which is usually some sort of AppleTalk resource. As far as I can
tell, however, the virus does not attempt to spread itself over networks. The
'atpl' resource is used for something else entirely. This is not a bug. Also,
the virus creates the file Desktop in your system folder. This is done on
purpose. It is not a failed attempt to modify the Finder's Desktop file in the
root directory. The file is used by the virus, and has nothing to do with the
Finder.

I don't know why the virus seems to cause reported problems with MacDraw,
printing, etc. Perhaps it's a memory problem - the virus permanently allocates
16,874 bytes of memory at system startup (four blocks in the system heap of
sizes 772, 40, 8, and 334, and one block at BufPtr of size 15360). I've only
found one possible bug in the virus code, and it looks pretty harmless. The
code is very sophisticated, however, and I can easily understand how I might
have overlooked a bug, or how it might interact in strange unintended ways with
other applications and parts of the system.

When we've finished completely cracking this virus we'll probably distribute
another report. I've posted these preliminary results now to get the
information out as quickly as possible. We also hope to write the disinfectant
program, if someone else doesn't write it first.

I've decided not to distribute detailed information on how this virus works.
I'll distribute detailed technical information about what it does and how to
get rid of it, but not internal details. This was a very difficult decision to
make, because normally I firmly believe in the enormous benefit of the free
exchange of code and information. The Scores virus is a very interesting and
complicated piece of code, I've learned a great deal about the Mac by studying
it, and I'm sure other people could learn a great deal from it too. But I
don't want to teach twisted minds how to write these incredibly nasty bits of
code. If I write the disinfectant program, however, I will distribute its
source, because I do want to teach untwisted minds how to get rid of them.

So please don't bombard me with requests for more information. You may be the
nicest, most honest, incredibly important person, but I won't tell you how it
works. I'll make only two exceptions, and that's for a very few of my
colleagues at Northwestern University, and for qualified representatives of
Apple Computer.

Thanks to Howard Upchurch for giving us a copy of the virus, and to Bob
Hablutzel for helping me crack it.

John Norstad
Northwestern University
Academic Computing and Network Services
2129 Sheridan Road
Evanston, IL 60208

Bitnet: JLN@NUACC
Internet: [email protected]

Monday morning, April 18, 1988.
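The repair and clean-up procedure from the report above, as an added example that is not part of the original message or of any disinfectant Norstad wrote: it models a resource fork as a simplified mapping of (type, ID) to bytes (a constructed stand-in, not the real Macintosh resource fork format), removes the five signature resources, repairs CODE 0 from the appended CODE resource, and normalizes the Note Pad File and Scrapbook File types. It also verifies the 0008 3F3C nnnn A9F0 patch bytes before touching CODE 0, a check beyond the report's algorithm that lowers the risk it mentions of damaging non-viral software.

```python
import struct

# Signature data from Norstad's report: the five dropped resources keyed by
# (type, ID, size), and the size of the CODE resource appended to applications.
SCORES_RESOURCES = {("INIT", 6, 772), ("INIT", 10, 1020), ("INIT", 17, 480),
                    ("atpl", 128, 2410), ("DATA", -4001, 7026)}
SCORES_CODE_SIZE = 7026


def is_scores_jump(code0: bytes, nnnn: int) -> bool:
    """True if bytes 16-23 of CODE 0 carry the virus patch 0008 3F3C nnnn A9F0."""
    return code0[16:24] == b"\x00\x08\x3f\x3c" + struct.pack(">h", nnnn) + b"\xa9\xf0"


def disinfect_fork(resources: dict) -> dict:
    """Return a cleaned copy of a fork modelled as {(type, id): bytes} (a
    constructed simplification, not the real on-disk resource fork layout)."""
    clean = {k: v for k, v in resources.items()
             if (k[0], k[1], len(v)) not in SCORES_RESOURCES}
    code_ids = sorted(rid for (rtype, rid) in clean if rtype == "CODE")
    if len(code_ids) >= 2:
        top, below = code_ids[-1], code_ids[-2]
        viral, code0 = clean[("CODE", top)], clean.get(("CODE", 0))
        if (top == below + 2 and len(viral) == SCORES_CODE_SIZE
                and code0 is not None and is_scores_jump(code0, top)):
            # Restore the displaced bytes 16-23 of CODE 0 from bytes 2-9 of CODE nnnn.
            clean[("CODE", 0)] = code0[:16] + viral[2:10] + code0[24:]
            del clean[("CODE", top)]
    return clean


def repaired_file_type(name: str, ftype: str) -> str:
    """Note Pad File / Scrapbook File normally have type ZSYS; the virus retypes them."""
    if name in ("Note Pad File", "Scrapbook File") and ftype in ("INIT", "RDEV"):
        return "ZSYS"
    return ftype


# Constructed sample: a 32-byte stand-in for CODE 0, before and after infection.
_ORIG_CODE0 = bytes(range(32))
CLEAN_APP = {("CODE", 0): _ORIG_CODE0, ("CODE", 1): b"\x4e\x75" * 50}
INFECTED_APP = {
    ("CODE", 0): _ORIG_CODE0[:16] + b"\x00\x08\x3f\x3c\x00\x03\xa9\xf0" + _ORIG_CODE0[24:],
    ("CODE", 1): CLEAN_APP[("CODE", 1)],
    # Viral CODE 3: two header bytes, the saved CODE 0 bytes, padding to 7026.
    ("CODE", 3): b"\x00\x00" + _ORIG_CODE0[16:24] + b"\x00" * (SCORES_CODE_SIZE - 10),
}
```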
=========================================================================
Date: Fri, 29 Apr 88 14:46:30 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "David M. Chess 862-2245" <CHESS@YKTVMV>
Subject: Viruses in MS-DOS / PC-DOS

I know of five actual viruses:
- The "brain" virus, that spreads between boot sectors of
floppy diskettes, and apparently does no intentional
damage (although I've heard that it has a bug or two
that can sometimes cause cross-linked FATs).
- The "Jerusalem" virus, that spreads between executable
files (both COM and EXE), and that will erase any file
that you try to execute on Friday the 13th (starting
on May 13 this year). It has a bug, in that it will
install a copy of itself in any EXE file you run, even
if the file is already infected, so your EXE files will
grow very quickly. (COM files get infected only once.)
- The COMMAND.COM virus that showed up at Lehigh, and led
to this list; it spreads between COMMAND.COMs, changes
the date on infected COMMAND.COMs, and trashes all the
data it can find after spreading four times. (I've
never actually seen a copy of this one.)
- Two "april fools" viruses (one for COM files and one for
EXE files), that cause your machine to hang up at various
intervals, and print annoying messages (one of them will
print the message "HA HA HA YOU HAVE A VIRUS" every time
you execute any file). I haven't heard any reports of
these two showing up in the real world.

The COMMAND.COM virus is in a sense the worst, in that it seems to
be the only one that will really destroy valuable information. Has
anyone heard of it appearing anywhere since it was first Busted?

Has anyone heard of any other viruses (not just Trojan Horses) for
this environment? I'd especially like more details about the
Miami variant of "Brain" that Ken reported above. Has it been
isolated and disassembled?

Various people asked about write-protection; I'm not a hardware
techie, but I know that the write protection on all the genuine
IBM floppy drives that I know of is in fact in hardware. A
program can write to a write-protected floppy only if the
drive itself is broken, or has been modified. There's a
microswitch of some kind that, I believe, disables the Write
line on the drive.

Dave Chess
Watson Research Center

* Any opinions or information contained herein are my own,
* and not Official Statements of any company I might happen
* to work for.
=========================================================================
Date: Fri, 29 Apr 88 13:12:00 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: "Joseph M. Beckman" <[email protected]>
In-Reply-To: Message of 27 Apr 88 22:38 EDT from "Loren K Keim -- Lehigh University"

I recently listened to the ABC broadcast on viruses. Fred Cohen stated
that the Hebrew U. virus propagated to the Mossad (Israeli intelligence
agency) and to the United States. Anybody else hear of this happening?
Any ideas on where in the United States the infection is alleged to have
occurred?

Will someone who attended the LaSalle talk post a summary to this forum?

Which Mac virus is the "Idiot" virus?

Joseph
=========================================================================
Date: Fri, 29 Apr 88 15:39:56 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments: Resent-From: [email protected]
Comments: Originally-From: [email protected] (William Phillips)
From: [email protected]
Subject: Flushot Plus - anti-virus/anti-trojan

The following is a response from Ross Greenberg, author of Flushot+,
to several complaints posted to the comp.binaries.ibm.pc newsgroup
over the past few days:

" After examining the FLUSHOT+ code, I noticed that a comment was left in
which would allow the brief bug to bite. That has since been fixed.
The current release of FLU_SHOT+ is at Version 1.2, coming to a USENET
site near you soon. As to the character who thinks that me charging ten
bucks is absurd, please tell him I agree. His option, of course, is to
not use the code. The $10 fee entitles him to use it. Obviously, he's
using an unregistered copy. Tell him I sincerely hope that he has good
luck using the $200 commercial protection programs. Oh! And please have him
tear up my phone number!"

According to Ross, Flushot+ v 1.2 will be posted via SIMTEL20 within the
next few days.

--
William Phillips {allegra,philabs,cmcl2}!phri\
Big Electric Cat Public Unix {bellcore,cmcl2}!cucard!dasys1!wfp
New York, NY, USA !!! JUST SAY "NO" TO OS/2 !!!
=========================================================================
Date: Fri, 29 Apr 88 15:52:45 EDT
Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
From: Terry Sanderson <SANDERS@UTORONTO>
Subject: Re: Viruses in MS-DOS / PC-DOS
In-Reply-To: Message of Fri, 29 Apr 88 14:46:30 EDT from <CHESS@YKTVMV>

Hi,

I would just like to clarify a point about write-protecting IBM PC type
floppy disks.

If they are write-protected, they CANNOT be written to. A microswitch
or a photo-transistor senses whether or not the copy protect hole is
covered. If it is, no matter what you do, the hardware logic disables
the "write mechanism" (as I will call it), and you cannot write to the
disk. This logic is simple TTL-type stuff, which is NOT programmable
by any type of fancy programming.

Hope this helps.

---------------------------------------------------------------------------
Terry Sanderson P. Eng.
Micro Systems Analyst
University of Toronto Computing Services

[email protected]
[email protected]

Just Remember.....It's all fun until somebody loses an eye.