=========================================================================
Date: Sun, 2 Oct 88 19:12:14 MEZ
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Konrad Neuwirth
Subject: MOIN EXEC

I am not sure if all of you have heard about it, so here I go!

On our net(s) a program called MOIN EXEC is loose. To the user it looks
like a super CHAT program with an answering machine, you know, that thing
that says: "I am not here...". But in fact there is some sort of power
user coded in, who is allowed to execute ANY CMS command on an account
running MOIN EXEC.

It is already forbidden to run MOIN EXEC, and the same program under
other names. The charge is loss of account, and even ``legal steps''.

Remember: if anyone offers you MOIN EXEC, or anything he describes as a
super Chat, be extremely careful.

SIGNED, AS ALWAYS

"SORRY FOR LIVING, I WILL NEVER DO IT AGAIN"

KONRAD NEUWIRTH (A4422DAE AT AWIUNI11) (KONRAD ON RELAY)

=========================================================================
Date: Sun, 2 Oct 88 22:20:00 MST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Michael Kielsky
Subject: Please send data...Please???

Dear Computer Professional:

I am currently in the process of developing research for a thesis. The
topic of this research is "Computer Security in the Manufacturing
Environment". I am seeking your assistance in obtaining information
relevant to this topic, as there currently exists no published data.

Specifically, I would like to reach people in industry who have
involvement in Computer Integrated Manufacturing (CIM), and related
fields, and would be willing to provide me some information on their
experiences with computer security in that environment.
Helpful information would include policies and procedures (current or
past), actual experiences, etc., regarding Computer Security (in its
broadest interpretation), implemented specifically in the Computer
Integrated Manufacturing (CIM), process control, and related
environments. Suggestions gladly considered.

The data obtained will be compiled and published in Spring 1989, as my
master's thesis.

I can be contacted as follows:

work:
    Michael Kielsky
    Sr. Software Engineer
    TAG Software
    5420-100 W. Camelback
    Glendale, AZ 85301 (USA)
    (602) 939-3580 or 242-9401
    (602) 939-9671 (Fax)

home:
    1902 E. St. Catherine
    Phoenix, AZ 85040 (USA)
    (602) 276-4663

or via electronic mail:

    BITNET address: AGMGK@ASUACVAX

If you know of anyone else who might be able to help me out, please feel
free to pass along a copy of this letter.

Your help will be appreciated.

Michael Kielsky

=========================================================================
Date: Sat, 1 Oct 88 20:20:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: WHMurray@DOCKMASTER.ARPA
Subject: Re: 2 years probation
In-Reply-To: Message of 27 Sep 88 01:21 EDT from "me! Jefferson Ogata"

Jefferson Ogata says:

>By the way, I think it will be easy for Burleson to find another
>job, as long as his name is not too widely publicized.

Of course, "Crazy Stanley" was convicted of a felony, served time in
jail, and then was elected a director of a professional organization.
So much for the enlightened self interest of the computer fraternity.

Bill Murray

=========================================================================
Date: Tue, 4 Oct 88 14:11:15 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David A. Bader"
Subject: TRAPDISK

I found a new TSR utility floating around to protect disks from random
INT 13h read/writes etc. Anyone hear of this program or have any
comments?
-David Bader
 DAB3@LEHIGH

-----------------------------------------------------------------------

                       TRAPDISK.COM Version 1.0

PURPOSE

"Trap Disk" (TRAPDISK.COM) is NOT a game! It is a further attempt to
prevent pranksters from destroying your data. The proliferation of the
"Trojan Horse" type programs which purport to be games but actually
plant bombs in your system which format your hard disk or erase the
disk directory, has prompted the writing of this program, as well as
CHK4BOMB.EXE ("Check for Bomb"). This program is based on BOMBSQAD.COM
by Andy Hopkins.

CHK4BOMB.EXE reads the program file from disk and attempts to spot
dangerous code and suspicious messages, but since code is often a
function of run time memory situations, it could miss spotting the
"bombs". TRAPDISK.COM is a program that intercepts calls to the BIOS
code in ROM as a suspicious program is run, displays what is going to
happen during the call, and asks if you want to continue. You can abort
or continue as you see fit.

INSTRUCTIONS FOR RUNNING TRAPDISK.COM

Type "TRAPDISK" and one or more of the following letters (upper or
lower):

    "R" to stop on a request to READ a sector
    "W" to stop on a request to WRITE to a sector
    "V" to stop on a request to VERIFY a sector
    "F" to stop on a request to FORMAT a track
    "U" to 'UNINSTALL' TRAPDISK - note that the program will not be
        active, but memory can not be reused until the system is
        rebooted.
    "H" or "?" to display a brief command summary (will not install
        TRAPDISK).

To change any of the instructions, just run the program again with the
new letters; although TRAPDISK is a memory-resident program, once
installed it will not attempt to re-install itself. Remember that
TRAPDISK will stop only on those requests specified the last time it
was invoked. If you start it with "F" only to stop on a FORMAT call,
and later want to add "W" to stop on a WRITE call, you must specify:

    TRAPDISK FW

on the DOS command line.
IF NO LETTERS ARE SPECIFIED: TRAPDISK will remain active but will not
stop on any disk calls. If TRAPDISK is not installed, a "blank" call
will install it in memory.

SUGGESTION: Try TRAPDISK R to stop on a READ request and then try a DIR
command. Watch the operation of TRAPDISK when disk READS are called.
This will give you an indication of how the program works.

MESSAGES

When TRAPDISK detects a call to the BIOS routines, it checks to see if
the stop condition is met. If the function has not been selected,
TRAPDISK will pass control directly to the BIOS disk routine. If,
however, a stop has been requested before a disk function occurs,
TRAPDISK will display the following message:

    |--------------------------------------|
    |             DISK MONITOR             |
    |--------------------------------------|
    | Break on request to READ             |
    |                                      |
    | DRIVE  HEAD  TRACK  SECTOR  NUMBER   |
    |  A:     0     26      1       9      |
    | Data address    0BA9:00F0            |
    | Return address  0070:0143            |
    |                                      |
    | <ESC> to Abort  <RETURN> to Perform  |
    | <DEL> to perform & disable trapdisk  |
    |--------------------------------------|

DRIVE is the requested drive (A-D).
HEAD is the side or head (0-1) for diskette, (0-3 or more) for hard
    disk.
TRACK is the cylinder or track in decimal (0-39 or more).
SECTOR is the starting sector number in decimal (1-8 or 1-9 or more).
NUMBER is the number of sectors involved in the operation.
DATA ADDRESS (in HEX) is where the data is stored or read from.
RETURN ADDRESS (in Hex) is the return address for the calling program
    (i.e. the address where execution will resume after Int 13
    completes).

PRESSING THE ESCAPE KEY causes TRAPDISK to return to the calling
program with the error code for time out. The disk operation is NOT
performed. The action the program may take on this error will vary,
but the requested disk function will NOT take place.

PRESSING THE RETURN KEY causes the program to carry on as if TRAPDISK
did not exist for this call.
Be warned that if you request a stop on a READ operation, you will
press the Return key many times just to read one file as DOS searches
directories and the FAT! Instructive, but not too useful.

PRESSING THE DEL KEY causes the program to carry on (just like RETURN),
but there is a difference. DEL will shut down any further checking. The
only way to enable checking again is to call TRAPDISK with command-line
arguments (as described above). This key is very useful in cases where
you have forgotten that TRAPDISK is installed and want to disable it so
you can get on with your work!

CHANGES & IMPROVEMENTS versus BOMBSQAD.EXE

"TRAPDISK" has added a command-line help that functions without
installing the resident code. It corrects a bug in "BOMBSQAD" that
incorrectly reported hard disk drive letters. It extends the BIOS calls
beyond the diskette interrupt calls to some of the hard disk specific
calls (Read Long, Write Long, Format Bad Sector, Format Whole Disk)
that "BOMBSQAD" does not handle. And it has added the "RETURN ADDRESS"
information and the "Del" key to the pop-up window.

TECHNICAL NOTES

This program can only trap access requests that go through Int 13h.
All of the DOS disk calls for standard disk/diskette devices are routed
through this interrupt. However, access to installed devices (like some
RAM disks or OEM add-on packages like TALLGRASS & SYSGEN) is often
through vendor-supplied device drivers. These drivers are known to DOS
and are used in lieu of Int 13h to access these devices. TRAPDISK CAN
ONLY CAPTURE ACCESS REQUESTS FOR DEVICES THAT ARE CONTROLLED VIA INT
13h!!! Ergo, any "devices" that use installed device drivers could be
compromised by a well-placed trojan horse program, even if TRAPDISK is
active. The moral: DO NOT depend on TRAPDISK to protect your add-on
hard disks from damage from a trojan horse algorithm!

COPYRIGHT AND DISTRIBUTION

In the spirit of Mr. Hopkins' original program, feel free to copy and
distribute this program.
We make no claim on any sort of copyright, since this program is based
on BOMBSQAD!

-----------------------------------------------------------------------

=========================================================================
Date: Tue, 4 Oct 88 14:56:18 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: TRAPDISK
In-Reply-To: Your message of Tue, 4 Oct 88 14:11:15 EDT

> I found a new TSR utility floating around to protect disks from
> random INT 13h read/writes etc. Anyone hear of this program or have any
> comments?

There are a few big problems with just trapping INT 13h. First, it's
rather easy to circumvent. Also, almost all programs (if not all!) that
read/write to, for example, data files use INT 13h either directly or
indirectly via DOS INT 21h calls. Trapping out every sector read or
write can get downright annoying to the user. To illustrate this, try
setting TRAPDISK to stop all disk writes, and then use your favorite
editor to edit *and save* a large text file. You will slowly watch
TRAPDISK count all the sectors that that one file uses. You will also
learn to not trust, or just ignore, TRAPDISK every time it pops up on
your screen.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center

    Calvin: I'm gonna learn to ride this bike if it kills me! ...
            AAAAAUUUGGGHHH!!!
    Hobbes: Did it kill you?!
    Calvin: No, it decided to maim me first.

=========================================================================
Date: Tue, 4 Oct 88 20:37:17 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ed Nilges
Subject: Re: 2 years probation
In-Reply-To: Your message of Sat, 1 Oct 88 20:20:00 EDT

I need information on the Mac nVir virus. Can anybody help? All leads
appreciated.
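An added model (not code from this digest, from TRAPDISK or from BOMBSQAD) of the INT 13h interposition the TRAPDISK notes describe, together with the noise problem Ken van Wyk raises above: the resident hook only acts on the functions selected by the command-line letters, Esc hands the caller a time-out status without reaching ROM, Del performs and disables, and one ordinary DOS file save arrives as dozens of hooked sector writes. The register layout, the 512-byte sector and 9-sectors-per-track geometry and the two bookkeeping writes per save are assumptions of this model, not facts taken from TRAPDISK:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* INT 13h function numbers (register AH) that TRAPDISK can stop on. */
enum { FN_READ = 0x02, FN_WRITE = 0x03, FN_VERIFY = 0x04, FN_FORMAT = 0x05 };
#define STATUS_OK      0x00
#define STATUS_TIMEOUT 0x80   /* BIOS "time out" status handed back on Abort */
enum answer { KEY_ESC, KEY_RETURN, KEY_DEL };   /* the three keys the pop-up accepts */
/* Registers an INT 13h caller sets up; also the fields the pop-up displays. */
struct disk_req { uint8_t fn, drive, head, sector, count; uint16_t track; };
/* Resident state: one stop flag per function, in the order R W V F. */
struct trapdisk { bool stop[4]; int popups; };

/* Parse "TRAPDISK RWVF"-style letters; the set given replaces the previous one
   (hence "TRAPDISK FW").  Returns false for "H"/"?" or an unknown letter. */
bool trapdisk_configure(struct trapdisk *t, const char *letters) {
    bool s[4] = {false, false, false, false};
    for (const char *p = letters; *p; p++) {
        switch (*p) {
        case 'R': case 'r': s[0] = true; break;
        case 'W': case 'w': s[1] = true; break;
        case 'V': case 'v': s[2] = true; break;
        case 'F': case 'f': s[3] = true; break;
        case 'U': case 'u': memset(s, 0, sizeof s); break;  /* uninstall: stop on nothing */
        default:  return false;
        }
    }
    memcpy(t->stop, s, sizeof s);
    return true;
}

/* Stands in for the keyboard: what the user presses for a given request. */
typedef enum answer (*prompt_fn)(const struct disk_req *r);
enum answer key_return(const struct disk_req *r) { (void)r; return KEY_RETURN; }
enum answer key_esc(const struct disk_req *r)    { (void)r; return KEY_ESC; }
enum answer key_del(const struct disk_req *r)    { (void)r; return KEY_DEL; }

/* The interposed INT 13h entry: returns the BIOS status the caller sees and
   reports through *performed whether the real ROM routine was reached. */
uint8_t trapdisk_int13(struct trapdisk *t, const struct disk_req *r,
                       prompt_fn ask, bool *performed) {
    bool stop = r->fn >= FN_READ && r->fn <= FN_FORMAT && t->stop[r->fn - FN_READ];
    if (!stop) { *performed = true; return STATUS_OK; }   /* hand straight to ROM */
    t->popups++;
    enum answer a = ask(r);
    if (a == KEY_ESC) { *performed = false; return STATUS_TIMEOUT; } /* Abort */
    if (a == KEY_DEL) memset(t->stop, 0, sizeof t->stop);  /* perform & disable */
    *performed = true;                                     /* Return: as if absent */
    return STATUS_OK;
}

/* Saving a file through DOS INT 21h: one INT 13h write per 512-byte sector plus
   (constructed figure) two bookkeeping writes for the directory entry and the
   FAT.  Returns how many times the pop-up appeared during the save. */
int simulate_file_save(struct trapdisk *t, unsigned bytes, prompt_fn ask) {
    unsigned sectors = (bytes + 511) / 512 + 2;
    int before = t->popups;
    bool performed;
    for (unsigned i = 0; i < sectors; i++) {   /* 9 sectors per track, 360K floppy geometry */
        struct disk_req r = { FN_WRITE, 0x00, 0, (uint8_t)(1 + i % 9), 1, (uint16_t)(i / 9) };
        trapdisk_int13(t, &r, ask, &performed);
    }
    return t->popups - before;
}
```

A device reached through its own installed driver never calls trapdisk_int13 at all, which is the bypass the TECHNICAL NOTES warn about.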
=========================================================================
Date: Tue, 4 Oct 88 21:05:39 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ed Nilges
Subject: nVir help appreciated

Any assistance on the Macintosh nVir virus will be appreciated.

=========================================================================
Date: Wed, 5 Oct 88 00:22:21 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: TRAPDISK

I don't think this program is meant to PROTECT you from Trojans and
viruses; I think it's intended for checking out NEW programs you've
just got hold of. Using it all the time would be silly. It merely
allows you to find out what sort of disk accesses a suspicious program
calls for, so you can test it a bit before you let it loose.

- Jeff Ogata

=========================================================================
Date: Wed, 5 Oct 88 08:15:41 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: TRAPDISK
In-Reply-To: Your message of Wed, 5 Oct 88 00:22:21 EDT

> I don't think this program is meant to PROTECT you from Trojans and
> viruses; I think it's intended for checking out NEW programs you've
> just got hold of. Using it all the time would be silly. It merely
> allows you to find out what sort of disk accesses a suspicious prog-
> ram calls for, so you can test it a bit before you let it loose.

That's a good point, if you make a couple of assumptions. Looking at a
scenario in which some program X is being tested, if X is indeed a
(fill in your favorite malicious program type), and if X either
bypasses INT 13h, or perhaps sees that INT 13h is currently owned by a
program other than the operating system and thus doesn't do its dirty
work until sometime later, then the TRAPDISK program would be useless
and would only give a false sense of safety.
Also, let's say that X is a game and it uses disk files for keeping
track of old scores, for overlay space, for temporary scratch space, or
whatever the reason; then the TRAPDISK program would give lots of disk
read/write warnings even though X may not be in the least bit
malicious.

In short, TRAPDISK may well be an effective program for doing quick
(and dirty) tests on new programs, but the user really should take its
messages (or lack thereof) with a grain of salt, and by no means
consider it conclusive.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center

=========================================================================
Date: Wed, 5 Oct 88 11:35:17 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe Simpson
Subject: nVir virus

The listserv at scfvm has a very nice suite of documented Macintosh
anti-viral software, including a comprehensive hypercard documentation
stack.

=========================================================================
Date: Wed, 5 Oct 88 12:33:12 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Conference Outline/Agenda

Because I cannot get mail through to all conference attendees, I will
put it up here. There is no need to read this if you don't wish to.

Outline of Conference
---------------------

I believe everyone has already made flight arrangements; if anyone
needs help, please contact me at (215) 865-3904. I have sent out a
number of packets to people attending; some haven't gone out yet,
because I'm not sure those people are coming.

For those of you who don't have hotels yet, directly across from the
ABE airport is the Sheraton Jetport Lehigh Valley (Phone:
215-266-1000).
The conference will not be too far from the airport, so this should be
a good place to stay. The prices here are a bit higher than some of the
other hotels for those of you on tight budgets. Nearby the airport is
an Econolodge (believe it or not, it's not a bad hotel! Phone:
215-867-8681), as well as a Macintosh Inn (good for those of you who
like Apple equipment; I cannot find the phone number for this, I'm
still looking), and the Red Roof Inn (I have heard a number of
complaints about this hotel, so you may want to avoid it. It looks nice
from the outside, but rumors pervade. 215-264-5404).

Friday, Oct 21:

Approximately half of those coming to the conference will be there on
Friday. Introductions will be in order, and we will hand out copies of
the book (although copies will be available to those coming Saturday).
We will be holding this introduction at one of my offices. This will be
held at 701 Main Street in Hellertown (a suburb of Bethlehem). Those of
you who have gotten directions in the mail have gotten a small map of
the area, so it will be easier for you to find things, but for those of
you who might not get mail in time:

Directions from Sheraton Jetport: follow Airport Rd South to Rt 22
East. Take the next exit off 22 onto Rt 378 South. Follow Rt 378 to the
Hill to Hill Bridge (a large old structure where the road narrows; it's
the ONLY large bridge on the road so it is recognizable). Bear left off
the bridge onto 3rd Street of South Bethlehem (it's the old section of
town, so please excuse its appearance; it's undergoing revitalization).
At any of the first four traffic lights, make a right hand turn and a
left on the next major road, 4th St. Follow 4th Street for about 4
miles; the road will curve to the right twice. Eventually, 4th Street
will become Main Street, Hellertown. Our office is a Century 21 Keim
Realtors, but it's new so I doubt we'll have a freestanding sign by the
time of the conference.
The easiest way to recognize the building: you will see a new highway
being constructed OVER Main Street; this is the new I78 project that's
getting so much national attention. We are DIRECTLY across from the
furthest exit, at a stoplight which has not been turned on yet. We are
between Gutshall Chevy and Potts Doggie Shop.

6:00 PM - 7:00 PM - Introductions with coffee and snacks, handing out
of book.

7:00 PM - 8:30 PM - What Are Viruses? What are viruses, what forms do
they take, including boot sector viruses, .EXE viruses, Unix and VMS
viruses, and a look at some of the new Macintosh woes. Reviewing and
outlining the ways the Lehigh, Brain, Christmas and Israeli viruses
worked. Also comparing the Brain and Yale viruses.

8:30 PM - 9:00 PM - Questions

9:00 PM - Morning - Discussion, adjourning to a local bar or restaurant
to talk.

Saturday, Oct 22:

Much easier directions: we'll be holding it at WALPS Restaurant at the
corner of Airport Road and Union Blvd for ease. Simply follow Airport
Rd South for about 2 1/2 miles to Union Blvd; Walps will be on your
left.

10:00 AM - 11:00 AM - Coffee will be served. "Tracking Computer
Viruses" will be the topic, covering how some groups track computer
viruses, and some examples.

11:00 AM - 12:00 Noon - A look at "Computer Tape Worms", their uses,
how they can cause damage, and why they might be the virus of the
future. The damage they can cause. How we'll have to stop damaging
ones.

12:00 PM - 1:00 PM - Break for lunch. People are welcome to stay and
eat lunch at Walps, but Union Blvd is a fast-food lover's paradise; it
also contains a major AT&T research facility. People can discuss
what's been said so far.

1:00 PM - 2:00 PM - Computer Security Concerns I. Are schools in real
danger of losing research? How can we protect our businesses and
colleges from the dangers?

2:00 PM - 3:00 PM - Computer Security Concerns II. System integrity in
large networked environments and mainframes.
Government security designs, banking systems and virus defense designs.
Included will be Limited Transitivity models, Limited Functionality
concerns, the Bell-LaPadula Model, the Biba Model, Complexity Based
Functionality, and the Separation Model. Future concerns will be
discussed. We're going to break up early, although people are welcome
to discuss computers and security; I feel this lecture will provoke a
lot of conversation. You have time to wander and find dinner.

6:00 PM - 9:00 PM - Back in the Hellertown office, we will be holding
demonstrations. We will be demonstrating various viruses, including a
Unix virus, various anti-viral programs and hopefully a Worm program.
Again coffee and snacks (baked cookies, brownies and so on) will be
provided. We will also at this time be having a panel discussion.
Questions will be fielded by a panel of anti-virus program writers.

Sunday, Oct. 23:

10:30 AM - 12:00 Noon - "Future Virus Concerns", closing up the
lecture on Computer Security, and open forum on ideas and questions.

12:00 Noon - 1:00 PM - Lunch

1:00 PM - 4:30 PM - Some controlled discussion, some open forum. We'll
be discussing possible protection schemes, reviewing some of the ideas
we've gone over, hopefully working on a new conference some time next
year in another part of the country, discussing the possible dangers
to the ATM networks and the dangers to telecommunications.

I think the main emphasis of this conference will be a pulling of ideas
and hopefully getting some people to meet and discuss problems face to
face rather than over a computer.

Comments:

University of Texas, I've had problems getting through to you; please
write me at LKK0@LEHIGH or call me at 215-865-3904.

We'll have a price for the book some time in the next few days.

People who haven't so far, please write me and tell me what day you are
coming in.

Dennis Director, please call me.
Also, a number of people mentioned that they would like directions to
Philadelphia to see the sights and so on. I'll be making full maps of
the Lehigh Valley Area, Pennsylvania and Philly available to you when
you get here. If you are coming early, I will mail them to you; please
let me know. If anyone wants to spend an hour and a half to trek to
New York City, I will try to get you some maps.

Any questions???

Loren Keim

=========================================================================
Date: Tue, 4 Oct 88 19:16:28 +02
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Ittai Klein Home 471488 Xt. 2363"
Subject: Earnest request

On behalf of some people that I know and many others, I am sure, that I
do not know, I am voicing this earnest request:

We are a group that has signed on to this Newsletter out of genuine
concern about the issue at hand, and with real hope of learning about
what could be done to stymie the very serious problem of computer
viruses. But alas we find ourselves flooded by a torrent of material
which is unnecessarily verbose, much of it simply not related at all
to the subject at hand, often plain smart-alecky, and many times just
plain irrelevant.

Examples abound. I am including here just a short one, which I selected
more or less at random: