VIRUS-L Digest Wednesday, 16 May 1990 Volume 3 : Issue 96 Today's Topics: Re: Mainframe viruses Re: New anti-viral programs from McAfee File tranfser of software--A way to curb commercial infections? Macintosh MDEF/Garfield virus (Mac) System Protection from Virus (PC) Morris and Negligence LZEXE vs Viri (pc) Possible Anti-Virus Legislation VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Tue, 15 May 90 13:48:07 -0400 From: Arthur Gutowski Subject: Re: Mainframe viruses Dave Chess responded to Christian Reichetzeder's remarks by saying: "But viruses don't *need* to have the environment under their exclusive control, and neither do virus writers! ... All a virus needs to do is - Find out what writeable executables exist - Read from and write to one or more of them (in specific ways)" This is true, as long as you have access to those executables you want to write to. Otherwise, you either get a violation (via ACF2 or RACF or whatever), or you have to somehow circumvent the security system. Take the simplest case (although, this *rarely ever true*) of your account having no write access to any files but your own, and noone else having execute or read access to any of your files. Then, by the former, the farthest a virus can spread on it's own (notwithstanding sendfile, xmit, or whatever file transfer service is available to propogate thru the mail system) is your own account. The latter means you have to get exclusive control of the system at some point. Also, George Roberts says that you only have to restore *your* account to it's former state, and asks why restore anything if you want the virus to spread (also in response to some of Christian's comments). This is true if you never have to get control of the system itself, i.e., you have the access to infect files without having to bypass the security system. If you do have to get control of the system, then you'd better be sure that you did restore it to its former state (I'm talking core/registers here) or else you risk a system crash. Then it would be all to obvious to the systems people who would inevitably follow up by going through the logs that you were the culprit, and they would probably ask you what the hell you were doing messing with the system. This is why you have to restore the system to its former state. The same thing applies if you remain within your own account, you could easily crash your session, possibly bad enough that you can't get logged back on. >From experience (I agree with Christian), I'm more concerned with system/program bugs than I am with viruses. /Art - ------------ Murhpy's Rule #1: Don't Mess with Mrs. Murphy. - ------------ ------------------------------ Date: 15 May 90 20:05:59 +0000 From: shim@zip.eecs.umich.edu (Sam Shim) Subject: Re: New anti-viral programs from McAfee coerper@lognet2.af.mil (SSgt Elliott J. Coerper) writes: >I downloaded ACS Virus scan from simtel20 and by doing a >avs c:\ /a /e I'm told I have the 12 Trick type B virus. >However, Scan soes not show this, plus it also said this about >my brand new copy of PCTOOLS Version 6.0 > >My question, does AVS give false signals? I find it hard to belive >Central Point would be distributing a virus. It only appears in the >pc-cache.com, descktop.exe and hotkey.ovl. However, every copy I >checked showed this type of virus. For example, my masters to 5.5 and >6.0 showed this along with my back ups. > >Help. > >Elliott I believe AVS gives false signals. It said that I have the 12 Tricks type B virus on my original write-protected Microsoft MS-DOS 3.3 keyb.com file. But only when I run the program specifying "a:*.*". If I run it with the parameter as just "a:", it works fine. Maybe the same thing is happening to you. And from what little info I have on the 12 Tricks virus, it is not a virus but a Trojan horse so those files can't be infected with it anyways. I wrote mail to the auther describing this, but I haven't received a response yet. ----------------------------------------------------------------------------- | Sam Shim | "I didn't do it... | | EECS Departmental Computing Organization | It wasn't me... | | University of Michigan | Nobody saw me do it... | | Ann Arbor, MI 48109 | Nobody can prove a thing..." | | internet: shim@eecs.umich.edu | - Bart Simpson | ----------------------------------------------------------------------------- "There are no good wars with the following exceptions: The American Revolution, World War II, and the Star Wars Trilogy..." - Brat, er, I mean, Bart Simpson. ------------------------------ Date: 15 May 90 21:29:00 +0700 From: "Okay, S J" Subject: File tranfser of software--A way to curb commercial infections? Hmmm...all this talk about validating through EPROM or putting the OS in ROM got me thinking.(Hit the deck! :) ).. But seriously, isn't the problem here trying to protect yourself from floppies or cartridge tape or removable media in general? So why even bother with removable media? Why not do like a lot of people in the UNIX community do and get it via network distribution. (Note, this does not mean I'm advocating that commercial software should be put up for anon. FTP).?? It would seem to me that the vast majority of infections comes from somebody sticking an infected disk in somebody elses machine and then leaving the virus behind on their machine, or vice versa. M. Brainless decides to play Tetris on the company Mac thats used for mastering their latest program and leaves a beastie behind. This then attaches itself to the Gold/Key copy and is spread on every production run of that particular program. But if they'd left the master copy on a trusted machine, like the company mainframe and just let it be up/downloaded to/by Joe Customer, it seems like you'd stand a lot smaller chance of spreading something than if you moved it to a series of unsecured duplicating machines. I'm not saying this would cure everything, but electronic distribution would go a long way to curbing floppy exchange/swapping as a vector for virus propa gation. You might argue that its inconvenient and would take forever to get a "transmission slot", but look at it this way: Most businesses usually have to use the company's central purchasing system , which means you won't get it for a few months anyways, so what does it matter if you're waiting for it to show up on your doorstep or on your harddisk???---Plus you have a single source from which the program(s) are distributed which is a lot easier to control than trying to find machine #1316286179, fifth aisle, third row, 5th shelf from the top. You are of course welcome to praise, flame, cut to ribbons, or nominate for a Pulitzer anything I've said in here. When doing so, assume that the archive/sole distribution system is trusted and is big enough to handle a moderate user load similar to an average FTP site. Let me know what you think, - ---Steve - ----------------- Stephen Okay Technical Aide, The MITRE Corporation OKAY@TAFS.MITRE.ORG Claimer:Yes, you're right, these are *MY* opinions... ------------------------------ Date: Tue, 15 May 90 17:01:57 -0400 From: Tom Young Subject: Macintosh MDEF/Garfield virus (Mac) We have detected what I believe to be a new Macintosh virus. This virus can be referred to as the MDEF or Garfield virus, for reasons that will become clear below. I'm passing along all that I have verified about the virus. Some local folks are working on further analysis, and I will be sending samples of this virus to some of the national anti-virus experts. This virus replaces the System file's native MDEF resource with a new resource, named Garfield. MDEF is a resource that is part of the Mac's menu generation system. The original MDEF resource is apparently retained but given an ID of 5378; the substitute resource has the normal ID of zero. This new "Garfield" MDEF resource will propagate to application files, and an infected application file can spread the virus to a fresh System file. The viral MDEF resource will also attach itself to the Finder. After some period of time or after some set of actions, the viral MDEF resource will delete itself from the System, resulting in the loss of all menus generated by the System. We have not yet tracked down the details of the conditions under which this happens. The Vaccine program will successfully block an infection. When an application is launched, Vaccine will display a message asking if you wish to grant permission to add an MDEF resource. If you see this message, you have the new virus. If you use the Virus Detective DA, you can add the following two search strings to check for the new virus: Resource MDEF & Name "Garfield" Resource MDEF & ID = 5378 Using these two search strings, you should be able to scan your disks for an infection. Disinfectant WILL NOT find this virus when it scans a disk. This is a new virus that this anti-virus program doesn't know about. At present, there is no software that will automatically remove this virus. The simplest solution is to replace all files that check positive for an infection, and then use Virus Detective to rescan for any signs of the virus. More sophisticated remedies will certainly be developed in the near future. It may be possible to repair an infection by (1) deleting the "Garfield" resource from the System and changing the ID of the MDEF resource that remains from 5378 to zero; (2) simply deleting the "Garfield" resource from all other files in which it is found. There is no guarantee this will work, and it should only be attempted by the technically venturesome. Tom Young Cornell Information Technologies Workstation Systems Services ------------------------------ Date: Tue, 15 May 90 17:09:29 -0500 From: Naama Zahavi-Ely Subject: System Protection from Virus (PC) Hello! Can anybody help? Please include Dennise in your reply as she is not on this list. Thanks, - -Naama - ----------------------------Original message---------------------------- Original-From: Dennis Williams Greetings: The local PC folks agree that this is a good idea, but have no idea if anyone sells it, or how to do-it-yourself. If I am running an unproven "public domain" program, and have a floppy based PC, I write-tab protect or remove the system disk, just in case. This way I know that the program CAN'T zap my system disk (by accident or on purpose). I am looking for the same protection for a hard disk based PC, that is, a way to either write protect or turn off the hard disk. Just booting from the floppy is not enough. A dedicated virus still could damage the hard disk data. Any ideas? Thanks in advance. +--------+ DLWILLIA @ OCC | | | +-----|--- Dennis L. Williams | | | Data Base Administrator | | +--|------ | | | | Oakland Community College +--------+AKLAND 2480 Opdyke Road | | Bloomfield Hills MI 48013 +---------OMMUNITY | (313) 540-1583 +---------OLLEGE ------------------------------ Date: 16 May 90 12:58:00 +0700 From: "Okay, S J" Subject: Morris and Negligence >From: Yary Richard Phillip Hluchan >Subject: Re: Morris Sentenced - Washington Post Article > >Forget Morris, how about a negligence suit against the people who put >the trapdoors there in the first place? How about if we forget that and instead start taking responsibility for the security of our systems? Seriously, the holes that Morris exploited were well-known "features" of the sendmail and finger programs for a long time that could ultimately pose a security threat to systems which did not have them properly configured to close out these holes. IMHO, the only negligence is to be found in those who didn't take the time to secure the holes. Technical, legaloid note:If you still want to sue, you should probably go for something other than negligence since programming in a trap/backdoor requires somebody to perform the programming and is therefore more of an act of commission rather than neglect(which is just basically sitting back and doing nothing. - ------------- Stephen Okay OKAY@TAFS.MITRE.ORG Technical Aide, The MITRE Corporation Claimer:Yes, you're right, these are *MY* opinions ------------------------------ Date: Wed, 16 May 90 09:28:00 -0400 From: ZEHNER@Ruby.VCU.EDU Subject: LZEXE vs Viri (pc) Hi y'all-- I'm forwarding a message that appeared on a local BBS. I guess that it is related to the posting by James Ford (#91). Apologies if this has been hashed out earlier. I am not sure, but I think that LZEXE is a utility that compresses .exe and .com files, but still allows their execution. ========================== Start Of Message ========================== Re: LZEXE VS VIRI LZEXE is wonderful (as I think we all agree) but.... suppose the program you compress has been infected with a virus, I suspect the SCAN programs will not recognize it. Further... suppose some one else (unsuspecting) uploads a file that has been infected and compressed, it looks like a standard EXE file. Now BBS SYSOPS scan the program and certify it since SCAN missed the lurking virus. Sure you could unsqueeze every file and scan and the squeeze back. Whew! Of course maybe there is a silver lining... can a virus attach itself to a compressed file? Still will use compression but continue my fastidious backups. Anyone else with comments or experience? ======================= End Of Forwarded Message ======================== Any comments/suggestions are welcome. **************************************************************** * Rich Garzon * * * Dept. Biochemistry * * * & Molec. Biophysics * ZEHNER@VCUVAX.BITNET * * Med. Coll. Va./ VCU * Zehner@gems.vcu.edu * * Richmond, Va * * **************************************************************** ------------------------------ Date: 16 May 90 10:44:00 -0400 From: "zmudzinski, thomas" Subject: Possible Anti-Virus Legislation >From Federal Computer Week, 14 May 90, P.14 & 17 -- QUOTE -- Congress Expected to Pursue Stricter Computer Virus Laws By ROBERT SMITHMIDFORD In the wake of Robert Morris Jr.'s conviction for unleashing the Internet worm in 1988, both the House and Senate are expected to take up bills that would make computer viruses and other intentional sabotage specifically illegal. Sen. Patrick Leahy (D-Vt.) recently introduced the latest virus bill, S2476. The bill would make it a federal felony to gain access to compu- ters intentionally and to introduce distructive programs that cause a $1,000 loss over the course of a year. Sabotage that effects medical records would also be illegal. The bill also would allow people who suffer losses from a virus or other malicious program to file civil suits to get compensation. According to Ron Palenski, general counsel for the trade association Adapso, Leahy's bill is stronger than pending legislation in the House because it expands what might be considered a virus. "The strength of the Leahy proposal is that it takes an interstate commerce approach. Since virtually anything is in interstate commerce, it covers almost anything," Palenski said. Current law covers only computers owned by the government or a financial institution or cases in which viruses are spread across state lines, he said. Leahy's bill also adds viruses embedded in software to its definition of gaining access to computers. "The current statute is really written in terms of networks. It assumes that the vandalism will occur in networks, but it can also occure in distributed software," Palenski said. However, the bill might be open to modification. In proposing the bill, Leahy said, "I want to ensure that in creating a private cause of action to boost deterrence we do not open the floodgates to frivolous litigation. I also look forward to tesimony from prosecutors and compu- ter experts on the scope of the access definition, to be sure that it is technically sound and a useful tool from prosecuting computer crimes." The Computer and Business Equipment Manufacturers Association applaud- ed the legislation for focusing on criminal behavior by individuals, not by restricting technology. "It's completely proper that we make it clear that what we thought of as a prank isn't a game anymore," said Jude Franklin, a senior vice president for technology at Planning Research Corp. But finding the source of viruses can be difficult. "There are going to be problems en- forcing it because third parties aren't aware they're carrying them," he said. Hearings are expected in June. The Morris sentencing also is likely to dislodge two similar bills awaiting action on the House side. HR 55 and 287, sponsored by Rep. Wally Herger (R-Calif.) and Rep Tom McMillen (D-Md.) respectively, were on hold in the House Judiciary Committee pending comments from Justice. -- UNQUOTE -- A couple of private points: (1) Does anyone have a copy of S2476 and the time to key it in? (2) Re: "Leahy's bill ... expands what might be considered a virus." Tomatoes are VEGETABLES by an Act of Congress, never mind the fact that biologically they're FRUIT. (It has to do with tariffs; don't sweat it.) This _MIGHT_ settle the worm/virus/pest/phage/whoosis etymology at least as far as the courts are concerned. The Great Unwashed does _NOT_ care about the minutiae of technical terms. (And just to shut down some flames: Yes, thank you, I _DID_ recently pull jury duty -- and my faith in the good intentions of my fellow citizens was amply validated.) The rest of us can still do our morphology and verbifying _off_ the witness stand. Hyperenthetically yours, /z/ "HYPERENTHETICAL {adj} Characterized by being a digression (within a digression...) The variation in spelling is not arbitrary. The Indo-European root from the 'par' of parenthetical is spelled with an 'e', and means to grant reciprocally, with the idea of getting something back. The Indo-European tradition that one ought to be able to get something back, or just to get back, from a digression, perished with their culture" -- Michael Swaine ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 96] *****************************************