From: CRDGW2::CRDGW2::MRGATE::"SMTP::CUNYVM.CUNY.EDU::VIRUS-L%LEHIIBM1.BITNET" 2-OCT-1989 16:28
To: MRGATE::"ARISIA::EVERHART"
Subj: VIRUS-L Digest V2 #209

Received: from pucc.Princeton.EDU by Princeton.EDU (5.58+++/2.22) id AA06898; Mon, 2 Oct 89 07:57:10 EDT
Message-Id: <8910021157.AA06898@Princeton.EDU>
Received: from PUCC.PRINCETON.EDU by pucc.PRINCETON.EDU (IBM VM SMTP R1.2) with BSMTP id 6862; Mon, 02 Oct 89 07:55:33 EDT
Received: from PUCC.LISTSERV by PUCC.PRINCETON.EDU (Mailer R2.04) with BSMTP id 6822; Mon, 02 Oct 89 07:52:11 EDT
Date: Mon, 2 Oct 89 07:45:16 EDT
Reply-To: VIRUS-L%IBM1.CC.LEHIGH.EDU@pucc.Princeton.EDU
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V2 #209
Comments: To: VIRUS-L@ibm1.cc.lehigh.edu
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Monday, 2 Oct 1989   Volume 2 : Issue 209

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

Today's Topics:

Introduction to the anti-viral archives
Amiga anti-viral archive sites
Apple II anti-viral archive sites
Atari ST anti-viral archive sites
Documentation anti-viral archive sites
IBMPC anti-viral archive sites
Macintosh anti-viral archive sites
UNIX anti-viral archive sites
Why not change OS?
M-1704.EXE (PC)
Follow up on Tiger Team comments.
Configuring FluShot (PC)
Re: Tiger Team comments
Future AV software (PC)
The book you've all been waiting for?
---------------------------------------------------------------------------

Date: 30 Sep 89 09:23:48 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Introduction to the anti-viral archives

# Introduction to the Anti-viral archives...
# Listing of 30 September 1989

This posting is the introduction to the "official" anti-viral archives of virus-l/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh and Unix computers, as well as sites carrying research papers and reports of general interest.

If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites.

If you have any corrections to the lists, please let me know.

------------------------------

Date: 30 Sep 89 09:25:11 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Amiga anti-viral archive sites

# Anti-viral archive sites for the Amiga
# Listing last changed 30 September 1989

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest". Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Amiga index for the virus archives can be retrieved as
        request: amiga
        topic: index
    For further details send a message with the text
        help
    The administrative address is

ms.uky.edu
    Sean Casey
    Access is through anonymous ftp.
    The Amiga anti-viral archives can be found in /pub/amiga/Antivirus.
    The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for index.
    Anti-Viral stuff is held as part of larger micro software collection
    and is not collected into a distinct area.

uxe.cso.uiuc.edu
    Mark Zinzow
    Lionel Hummel
    The archives are in /amiga/virus.
    There is also a lot of stuff to be found in the Fish collection.
    The IP address is 128.174.5.54.
    Another possible source is uihub.cs.uiuc.edu at 128.174.252.27.
    Check there in /pub/amiga/virus.

------------------------------

Date: 30 Sep 89 09:27:01 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Apple II anti-viral archive sites

# Anti-viral archive sites for the Apple II
# Listing last changed 30 September 1989

brownvm.bitnet
    Chris Chung
    Access is through LISTSERV, using SEND, TELL and MAIL commands.
    Files are stored as
        apple2-l xx-xxxxx
    where the x's are the file number.

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest". Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Apple II index for the virus archives can be retrieved as
        request: apple
        topic: index
    For further details send a message with the text
        help
    The administrative address is

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for index.
    Anti-Viral stuff is held as part of larger micro software collection
    and is not collected into a distinct area.
------------------------------

Date: 30 Sep 89 09:28:26 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Atari ST anti-viral archive sites

# Anti-viral archive sites for the Atari ST
# Listing last changed 30 September 1989

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest". Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Atari ST index for the virus archives can be retrieved as
        request: atari
        topic: index
    For further details send a message with the text
        help
    The administrative address is .

panarthea.ebay
    Steve Grimm
    Access to the archives is through mail server.
    For instructions on the archiver server, send
        help
    to .

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for index.
    Anti-Viral stuff is held as part of larger micro software collection
    and is not collected into a distinct area.

------------------------------

Date: 30 Sep 89 09:28:58 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Documentation anti-viral archive sites

# Anti-viral archive sites for documentation
# Listing last changed 30 September 1989

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest". Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The index for the **GENERAL** virus archives can be retrieved as
        request: general
        topic: index
    The index for the **MISC.** virus archives can be retrieved as
        request: misc
        topic: index
    **VIRUS-L** entries are stored in monthly and weekly digest form from
    May 1988 to December 1988. These are accessed as log.8804 where the
    topic substring is comprised of the year, month and a week letter.
    The topics are:
        8804, 8805, 8806 - monthly digests up to June 1988
        8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
    The following daily digest format started on Wed 9 Nov 1988.
    Digests are stored by volume number, e.g.
        request: virus
        topic: v1.2
    would retrieve issue 2 of volume 1; in addition v1.index, v2.index
    and v1.contents, v2.contents will retrieve an index of available
    digests and an extracted list of the contents of each volume
    respectively.
    **COMP.RISKS** archives from v7.96 are available on line as:
        request: comp.risks
        topic: v7.96
    where topic is the issue number; as above v7.index, v8.index and
    v7.contents and v8.contents will retrieve indexes and contents lists.
    For further details send a message with the text
        help
    The administrative address is

lehiibm1.bitnet
    Ken van Wyk
    new: This site has archives of VIRUS-L, and many papers of general
    interest. Access is through ftp, IP address 128.180.2.1.
    The directories of interest are VIRUS-L and VIRUS-P.

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for index.
    Anti-Viral stuff is held as part of larger micro software collection
    and is not collected into a distinct area.

unma.unm.edu
    Dave Grisham
    This site has a collection of ethics documents. Included are
    legislation from several states and policies from many institutions.
    Access is through ftp, IP address 129.24.8.1.
    Look in the directory /ethics.
------------------------------

Date: 30 Sep 89 09:29:52 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: IBMPC anti-viral archive sites

# Anti-viral archive for the IBMPC
# Listing last changed 30 September 1989

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest". Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The IBMPC index for the virus archives can be retrieved as
        request: ibmpc
        topic: index
    For further details send a message with the text
        help
    The administrative address is

ms.uky.edu
    Daniel Chaney
    This site can be reached through anonymous ftp.
    The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus.
    The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for index.
    Anti-Viral stuff is held as part of larger micro software collection
    and is not collected into a distinct area.

uxe.cso.uiuc.edu
    Mark Zinzow
    This site can be reached through anonymous ftp.
    The IBMPC anti-viral archives are in /pc/virus.
    The IP address is 128.174.5.54.

vega.hut.fi
    Timo Kiravuo
    This site (in Finland) can be reached through anonymous ftp.
    The IBMPC anti-viral archives are in /pub/pc/virus.
    The IP address is 128.214.3.82.

wsmr-simtel20.army.mil
    Keith Peterson
    Direct access is through anonymous ftp, IP 26.2.0.74.
    The anti-viral archives are in PD1:.
    Simtel is a TOPS-20 machine, and as such you should use "tenex"
    mode and not "binary" mode to retrieve archives.
    Please get the file 00-INDEX.TXT using "ascii" mode and review
    it offline.
    NOTE: There are also a number of servers which provide access
    to the archives at simtel.
    WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands
    from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe
    from EARN TRICKLE servers. Send commands to TRICKLE@
    (for example: TRICKLE@AWIWUW11). The following TRICKLE servers
    are presently available: AWIWUW11 (Austria), BANUFS11 (Belgium),
    DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy),
    EB0UB011 (Spain) and TREARN (Turkey).

------------------------------

Date: 30 Sep 89 09:30:43 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Macintosh anti-viral archive sites

# Anti-viral archive sites for the Macintosh
# Listing last changed 30 September 1989

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest". Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    The Mac index for the virus archives can be retrieved as
        request: mac
        topic: index
    For further details send a message with the text
        help
    The administrative address is

ifi.ethz.ch
    Danny Schwendener
    Interactive access through SPAN/HEPnet:
        $SET HOST 20766
    or
        $SET HOST AEOLUS
        Username: MAC
    Interactive access through X.25 (022847911065) or
    Modem 2400 bps (+41-1-251-6271):
        # CALL B050
        Username: MAC
    Files may also be copied via SPAN/HEPnet from
        20766::DISK8:[MAC.TOP.LIBRARY.VIRUS]

rascal.ics.utexas.edu
    Werner Uhrig
    Access is through anonymous ftp, IP number is 128.83.144.1.
    Archives can be found in the directory mac/virus-tools.
    Please retrieve the file 00.INDEX and review it offline.
    Due to the size of the archive, online browsing is discouraged.

scfvm.bitnet
    Joe McMahon
    Access is via LISTSERV.
    SCFVM offers an "automatic update" service. Send the message
        AFD ADD VIRUSREM PACKAGE
    and you will receive updates as the archive is updated.
    You can also subscribe to automatic file update information with
        FUI ADD VIRUSREM PACKAGE

sumex-aim.stanford.edu
    Bill Lipa
    Access is through anonymous ftp, IP number is 36.44.0.6.
    Archives can be found in /info-mac/virus.
    Administrative queries to .
    Submissions to .
    There are a number of sites which maintain shadow archives of
    the info-mac archives at sumex:
    * MACSERV@PUCC services the Bitnet community
    * LISTSERV@RICE for e-mail users
    * FILESERV@IRLEARN for folks in Europe

uk.ac.lancs.pdsoft
    Steve Jenkins
    Service for UK only; no access from BITNET/Internet/UUCP
    Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
    FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
    Pull the file "help/basics" for starter info, "micros/index" for index.
    Anti-Viral stuff is held as part of larger micro software collection
    and is not collected into a distinct area.

wsmr-simtel20.army.mil
    Robert Thum
    Access is through anonymous ftp, IP number 26.2.0.74.
    Archives can be found in PD3:.
    Please get the file 00README.TXT and review it offline.

------------------------------

Date: 30 Sep 89 09:31:34 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: UNIX anti-viral archive sites

# Anti-viral and security archive sites for Unix
# Listing last changed 30 September 1989
# Note that this listing is preliminary, and will likely change.
# I know the information is far from complete, but I thought it would
# be a good idea to get this out now instead of waiting.

attctc
    Charles Boykin
    Accessible through UUCP.

cs.hw.ac.uk
    Dave Ferbrache
    NIFTP from JANET sites, login as "guest". Electronic mail to .
    Main access is through mail server.
    The master index for the virus archives can be retrieved as
        request: virus
        topic: index
    For further details send a message with the text
        help
    The administrative address is

netCS
    Hans Huebner
    netCS is a public access Unix site in Berlin which is also
    accessible through UUCP.

sauna.hut.fi
    Jyrki Kuoppala
    Accessible through anonymous ftp, IP number 128.214.3.119.
    (Note that this IP number is likely to change.)

ucf1vm
    Lois Buwalda
    Accessible through...

wuarchive.wustl.edu
    Chris Myers
    Accessible through anonymous ftp, IP number 128.252.135.4.
    A number of directories can be found in ~ftp/usenet/comp.virus/*.

------------------------------

Date: Sat, 30 Sep 00 19:89:04 +0000
From: ficc!peter@uunet.uu.net
Subject: Why not change OS?

Rather than go through all this trouble to keep viruses out of Macs and IBM-PCs, why not abandon the unprotected operating systems wherever possible and switch to UNIX? If you need to run DOS or MacOS software, there are ways of running it under UNIX in both cases: A/UX supports Macintosh software, and the various 80386 versions of UNIX have two DOS emulators that run in the virtual 8086 emulation mode.

With no direct access to the hardware possible, and with multiuser security preventing writes to files (at least in the 80386 case), the worst the virus could do would be to infect user-written programs. When they attempted to format the hard disk, or infect installed software, they would simply trap and abort the virtual DOS image.

UNIX-based software is extremely unlikely to be infected, since a UNIX virus would have to infect source code to transfer out of a machine. To defuse arguments about the Internet Worm, let us note that this program was restricted to two brands of computer: VAXes and 68000-based Suns. And it infected a network that was deliberately designed to be insecure.

No, UNIX is not immune to trojan horses and viruses, but by and large this sort of program is kept uninfectious and benign by the nature of the system.

[Ed. I hope that you're wearing asbestos skivvies... :-) ]

------------------------------

Date: Sat, 30 Sep 89 16:38:52 -0500
From: James Ford
Subject: M-1704.EXE (PC)

I recently downloaded M-1704.ZIP from the Wellspring BBS. After downloading it, I ran SCAN V35 (old, I know) and to my amazement, it said that the file M-1704.EXE was infected with the "1701/1704 Version B virus"!
Does this program include a string in it that might cause SCAN to indicate a virus (a false alert), or can I assume that this file is infected?? Please reply direct to me, *not* to VALERT-L....or then again, maybe the response should be posted here. I am under the impression that the Wellspring BBS (1-714-8567996) is an anti-viral storage site.

James Ford
(205) 348-1713
JFORD1@UA1VM.BITNET

------------------------------

Date: Sun, 01 Oct 89 01:09:25 -0400
From: dmg@lid.mitre.org (David Gursky)
Subject: Follow up on Tiger Team comments.

There have been a couple of messages regarding my Tiger Team suggestion, some of which have some good criticisms, others of which seem to have misread or read something into my message that wasn't there.

First and foremost, I must emphasize that this would be one part of an overall anti-virus strategy, and you must take the use of Tiger Teams in a "positive manner", i.e. not to *punish* users who do not follow anti-virus procedures, but to *find* such users, and having found such users, ensure that they do follow the established anti-virus procedures in the future. Punishing users that fail to do so only gets the users mad, and mad users help no one.

Second, a couple of people have suggested this proposal leaves live viruses floating around desktop computers in the office, after the Tiger Team had successfully penetrated one. I believe I stated in my original proposal that the first step the Tiger Team would take is to create an *image* backup of the system they will try to infect. Regardless of the success or failure in infecting the computer, the disk would be restored from the image backup taken originally. Now should the TT successfully infect the system, the computer would be "disabled"; applying a large label over the CRT would effectively tell a user they are not to use their computer until someone from the "computer services" department has gone over the anti-virus procedures with the user.
Backing away from the specific subject of Tiger Teams, I wish to emphasize the problem TTs are addressing: enactment of anti-viral procedures. As an example, it is illegal in most states to sell alcohol to adults under 21. In parts of the country which have these laws and *enforce* these laws, the ease with which an adult under 21 can purchase liquor is reduced (that is to say it is harder) over parts of the country which have the laws and do not enforce them well, or do not have the laws. It is a great first step if Acme Industries issues a set of anti-viral guidelines, but unless Acme does something to see to it the employees are following these procedures, then those policies are nothing more than pieces of paper in the users' wastebaskets!

------------------------------

Date: Sat, 30 Sep 89 19:56:54 -0700
From: RSRANCH@UCLASSCF.BITNET (Ran Chermesh)
Subject: Configuring FluShot (PC)

I've d/l FluShot ver. 1.7 from Simtel. When I tried to install it, it looked for the FLUSHOT.DAT file in drive A. If I'm not mistaken, this kind of search was not part of FluShot in the past. I looked for instructions on how to configure it to drive C, but couldn't find any. Did I miss anything? Can anyone suggest a way to override this default? Temporarily I did override it by preceding the FSP instruction with an ASSIGN a=c instruction. Still, this couldn't be the appropriate solution.

Ran Chermesh
RSRANCH@UCLASSCF.BITNET

p.s. Since I'm not a member of the VIRUS-L, I'll appreciate receiving your solution directly to me. If it is the norm on this list to summarize responses and to resubmit them to the list, please let me know and I'll be glad to comply.

------------------------------

Date: 01 Oct 89 08:23:20 +0000
From: chinet!ignatz@att.att.com
Subject: Re: Tiger Team comments

The author of the original "Tiger Team" concept responded to a couple of critical postings with some rebuttals. As I read them, he defended the TT concept by emphasizing, several times, that the TT would be checking compliance with anti-viral policies. I ask, if this *is* the goal, couldn't the corporation provide a configuration test program that checked for the existence of corporation-approved software and methods without introducing a virus, and requiring all the intermediate overhead of special backups, etc.?

Dave Ihnat
Analysts International Corporation, Chicago
ignatz@homebru.chi.il.us (preferred return address)
ignatz@chinet.chi.il.us

------------------------------

Date: 01 Oct 89 17:58:41 +0000
From: carroll1!tkopp@uunet.UU.NET (Tom Kopp)
Subject: Future AV software (PC)

I had a thought earlier about a possible future Anti-viral system. It would be software based, therefore subject to its own corruption, however it seems to me to be a mix of the work of Anti-Viral gurus McAfee and Greenberg.

It works something like this: A version/variant of ViruScan would run, searching not for viral-identifying code, but rather for the interrupt calls that write to a disk (a la Flu_Shot techniques). When it finds one, it looks in a table to see if that code is allowed. This table could consist of the following format:

    filename;offset of interrupt;filesize CRC;

with the possible inclusion of just WHICH interrupt was attempting to be invoked. The user of the software could either add to the table for software that he/she has written, or wait for updated database listings from whoever wrote/maintained such a program. Also in the vein of Flu_Shot, a list could be maintained of files to 'ignore'.

I do see a problem in that setting up the original database to cover the countless programs existing is a truly arduous task, however for a purpose such as this, I would think reputable software companies would provide as much assistance as possible, which could be a lot if the code was written in assembler.

Is there some other fundamental element I'm missing, or is this a plausible idea?

tkopp@carroll1.cc.edu or uunet!marque!carroll1!tkopp
Thomas J. Kopp @ Carroll College 3B2 - Waukesha, WI

------------------------------

Date: Sun, 01 Oct 89 17:58:04 -0400
From: dmg@lid.mitre.org (David Gursky)
Subject: The book you've all been waiting for?

John McAfee of Interpath, National Bulletin Board Society, and Computer Virs (Virus, not Virs) Industry fame has written a book. Entitled _Computer Viruses, Worms, Data Diddles, Killer Programs, and Other Threats to Your System: What They Are, How They Work, and How to Defend Your PC, Mac, or Mainframe_, it is co-authored with Colin Haynes, and published by St. Martin's Press. I finished reading it today, and these are some preliminary thoughts I have on the book (this message would be more detailed, but I have to catch a plane to New Orleans tonight and I leave in thirty minutes).

I do not like this book. I found it to be (at various points) contradictory, incomplete, and alarmist. Before the flame wars begin, let me emphasize that the whole book is not constantly contradictory, incomplete, and/or alarmist, nor is any one section all three of those things.

Some sections (most notably the first third of the book and the last chapter) are very alarmist. In the final chapter for instance, McAfee quotes some NBBS users about what type of viruses they see "looming in the distance". One example cited is a modification to the electronic switches used by the phone company to reroute a call placed by caller n to the number dialed by caller n-1. A second example would have the computers controlling the nation's traffic lights (the computers are made by one of three companies) all turn green in all directions on a given Friday. I leave it as an exercise to Virus-L readers to find where these are flawed, other than the obvious one that neither of these are viruses per se, but are examples of destructive measures viruses could be put to.
In between the beginning and the end of the book, McAfee focuses on a technical discussion of viruses, and he does, alright. There are much better books (IMO) on the market about PC viruses (such as the Compute book) or viruses in general (Ralf Burger's _Computer Viruses, A High Tech Disease_), but if you are comfortable with McAfee's paradigms, then his work is acceptable. If you are not comfortable with McAfee's paradigm, or if you are concerned with viruses in the Macintosh environment (or to a lesser degree, the mainframe environment), you will get awfully confused. The book has a very heavy PC bias, and (for example) trying to fit McAfee's generic description of viruses into the Macintosh paradigm does not work easily.

I will be out of town for two weeks, and Virus-L will be on vacation by the time I get back. When I do get back into town, I will write a more comprehensive review for Virus-L.

What it all comes down to is this. McAfee & Haynes' book is no great shakes; it simply is not well written. This is not to call John McAfee names or anything, but "he should not give up his day job". My advice is to buy a copy of the NIST paper (which is shorter, more concise, and has a greater proportion of useful information) and a good set of anti-virus tools for your computer. Viruscan is one of the best for the PC from what I understand, and a bargain at $15.

------------------------------

End of VIRUS-L Digest
*********************
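The allow-list scheme Tom Kopp sketches in "Future AV software (PC)" earlier in this digest (a table of filename;offset of interrupt;filesize CRC;[interrupt], plus an 'ignore' list) is worked through below as an added Python example. It is not code from the digest, from ViruScan or from Flu_Shot. Assumptions made here and not stated in the post: CRC32 stands in for the "filesize CRC"; a raw scan for the INT opcode (0xCD) stands in for the scan for interrupt calls; INT 13h, 21h and 26h are treated as the disk-write interrupts; the program images EDIT.COM and GAME.EXE are constructed byte strings. The check also covers the failure modes the post leaves implicit: a call site not in the table, a file whose CRC no longer matches its table row, and a row recorded for a different interrupt.

```python
"""Call-site allow-list for disk-write interrupts, after the table format
proposed in VIRUS-L V2 #209 ("Future AV software (PC)"):
    filename;offset of interrupt;filesize CRC;[interrupt]
Everything here (names, sample images, CRC choice) is constructed for
illustration and is not part of any real product."""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Interrupts the checker treats as disk-write candidates (assumption:
# BIOS disk services, DOS services incl. file write, DOS absolute write).
DISK_WRITE_INTS = {0x13, 0x21, 0x26}
INT_OPCODE = 0xCD  # x86 'INT imm8'


@dataclass(frozen=True)
class TableEntry:
    filename: str            # stored upper-case, DOS style
    offset: int              # byte offset of the INT instruction in the file
    crc: int                 # CRC32 of the whole file image it was recorded from
    interrupt: Optional[int] = None  # None: the optional field was left empty


def crc32(image: bytes) -> int:
    return zlib.crc32(image) & 0xFFFFFFFF


def find_interrupt_sites(image: bytes) -> List[Tuple[int, int]]:
    """(offset, interrupt number) for every 0xCD nn pair in the image.
    A real tool would disassemble; a byte scan suffices for the lookup."""
    return [(i, image[i + 1]) for i in range(len(image) - 1)
            if image[i] == INT_OPCODE]


def record_trusted(filename: str, image: bytes) -> str:
    """Emit table lines for a program the user trusts (the post's
    'add to the table for software that he/she has written')."""
    crc = crc32(image)
    return "\n".join(f"{filename.upper()};{off};{crc:#010x};{intr:#04x}"
                     for off, intr in find_interrupt_sites(image)
                     if intr in DISK_WRITE_INTS)


def parse_table(text: str) -> List[TableEntry]:
    """Parse 'filename;offset;crc;[interrupt]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 3:
            raise ValueError(f"malformed table line: {raw!r}")
        intr = int(fields[3], 0) if len(fields) > 3 and fields[3] else None
        entries.append(TableEntry(fields[0].upper(), int(fields[1], 0),
                                  int(fields[2], 0), intr))
    return entries


def check_program(filename: str, image: bytes, table: List[TableEntry],
                  ignore: List[str]) -> Dict[int, str]:
    """Verdict per disk-write call site: allow / ignore / deny-<reason>."""
    name = filename.upper()
    sites = [(o, i) for o, i in find_interrupt_sites(image) if i in DISK_WRITE_INTS]
    if name in {n.upper() for n in ignore}:
        return {off: "ignore" for off, _ in sites}
    actual_crc = crc32(image)
    rows = {e.offset: e for e in table if e.filename == name}
    verdicts = {}
    for off, intr in sites:
        row = rows.get(off)
        if row is None:
            verdicts[off] = "deny-unknown-site"       # new call site: not listed
        elif row.crc != actual_crc:
            verdicts[off] = "deny-crc-mismatch"       # file changed since recorded
        elif row.interrupt is not None and row.interrupt != intr:
            verdicts[off] = "deny-wrong-interrupt"    # hand-edited row disagrees
        else:
            verdicts[off] = "allow"
    return verdicts


# Constructed sample images: MOV AH,40h ; INT 21h ; INT 20h
EDIT_COM = b"\xB4\x40\xCD\x21\xCD\x20"
# The same program with an INT 13h call site appended (constructed "after" image).
EDIT_COM_MODIFIED = EDIT_COM + b"\xCD\x13"

if __name__ == "__main__":
    table = parse_table(record_trusted("edit.com", EDIT_COM))
    print(check_program("edit.com", EDIT_COM, table, []))
    print(check_program("edit.com", EDIT_COM_MODIFIED, table, []))
    print(check_program("game.exe", b"\xCD\x13", table, ["GAME.EXE"]))
```

Because the CRC covers the whole file, any change to the program invalidates every row recorded for it, so a modified program fails at its original call site as well as at any new one; the ignore list bypasses the check entirely, which is why it deserves the same scrutiny as the table itself.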