VIRUS-L Digest   Wednesday, 21 Feb 1990    Volume 3 : Issue 46

Today's Topics:

AIDS Copy Protection System
Copyright restrictions
WDef problems - it doesn't go away (Mac)
Effects on checksum programs (PC)
New variant of Cascade/1704 (PC)
F-PROT news (PC)
Certus (FoundationWare)
Gatekeeper 1.1.1?
WDEF details (Mac)
SCAN and the Brain (PC)
RE: Disinfectant 1.6 (Mac)
RE: Trojan Horses != Copy Protection

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 19 Feb 90 16:22:43 -0500
From: munnari!mqccsunc.mqcc.mq.oz.au!ifarqhar@uunet.UU.NET (Ian Farquhar)
Subject: AIDS Copy Protection System

My article about the PC Cyborg AIDS Copy Protection System has caused quite a bit of discussion, and I would like to publicly reply to many issues that were raised.

1) FREE MARKET

Many writers pointed out that the program itself was garbage, and justified their position (that it was a Trojan) with the argument that the money for the program was far too much and thus the program was an extortion racket. Being an Australian, I am used to being charged extortionate prices for software by both amateurs and professional companies. The point that must be made, however, is that in a free market economy the supplier can charge what they like. The idea is that supply and demand will weed out the excessively priced garbage from the reasonably priced quality items.
Using this principle, PC Cyborg can charge what they like. This is not an effective argument either way.

2) THE ABSENCE OF THE REGISTRATION DISKS

It is presumed that PC Cyborg would have sent the defuser program on receipt of the registration fee. Many people have pointed out that this did not happen. I imagine that the US Military rolling into Panama may have had something to do with that.

3) THE DEFINITION OF COPY PROTECTION

Copy protection, by my definition, is a device, system or technique whereby the copyright holder can guarantee that the terms of the license are followed. Let us take the example of the color-bar system. The color bar is a small sheet or sheets of pages containing a series of codes that are matched to colors. The program, when started, asks the user what color is found on page 2, row 4, column 19. If the user answers correctly, then the program proceeds. If not, the program usually asks a couple of times more, then takes action. By the definitions of many of the writers, this would not be a copy protection system (because it allows you to copy the disk). However, it maintains the license agreements as only the person in possession of the color-bar sheet can run the program, and it is hard to cheaply copy a colored sheet.

The AIDS CP System was simply an extension of this. It allowed copying of the distribution disk, and it allowed backing up of the hard disk. All it did was to ensure that people who were unregistered (and who were, I hasten to add, involved in a criminal activity) would have a lot of trouble.

As for the concept of the user having legal control over what was deleted from his/her hard disk, I cannot see this as a problem. Multi-user systems have traditionally provided mechanisms for the superuser to control the user's files with far more privileges than the users themselves. This has never, to my knowledge, caused any legal problems.
4) INAPPLICABILITY OF US LAWS

Many correspondents have quoted US laws and precedents at great length. These are totally irrelevant, as the license agreement prohibited importation into the US.

5) PRESUMPTION OF INNOCENCE

Under British law, there is a concept called the "presumption of innocence". Put basically, someone is innocent until they are proven guilty. It would be nice to know that this basic concept is still followed, though I really do have my doubts. If I were the defense lawyer with access to this newsgroup, the first thing that I would have done is to take all of the relevant articles that have appeared, and present them as evidence prejudicial to the fair conduct of the trial.

6) CONCLUSION

I am left wondering about the motives of many of the writers. There seems to be a fanatical, indeed almost religious zeal to see anyone concerned with the generation of viruses and Trojans convicted regardless of the evidence (or its lack). There certainly seems to be a panic mentality at work here - the illusion that quick action is necessary regardless of the advisability of that action. There also is a strong reluctance to change an opinion in the light of new evidence, which is very worrying indeed.

I have always maintained that computer security experts and employees of the intelligence services share many things in common, primarily the huge and quite unwarranted sense of paranoia. This whole discussion has only strengthened this view.

Disclaimer: My opinions are my own.

Ian Farquhar                            Phone : (612) 805-7420
Office of Computing Services            Fax   : (612) 805-7433
Macquarie University  NSW  2109         Also  : (612) 805-7205
Australia                               Telex : AA122377
ACSNet ifarqhar@macuni.mqcc.mq.oz.au    ifarqhar@suna.mqcc.mq.oz.au

------------------------------

Date: Sun, 18 Feb 90 16:29:00 -0500
From: IA88000
Subject: Copyright restrictions

When an item like a computer program is first created, it is my understanding that it is immediately copyrighted.
It is NOT REGISTERED with the Copyright office until such time as you pay the ten dollar fee and file the appropriate forms. However, in the past some software has been released with a copyright notice similar to:

    XYZ DATABASE PROGRAM
    Copyright 1987 as an UNPUBLISHED work

I have read the manual the copyright office will send you and find that this is a legal way to copyright a program. The questions are:

1) Was the AIDS program copyrighted? Did anyone bother to check to see if an application was filed?

2) Assume for a moment that it was copyrighted. Can the copyright be enforced and can the author collect damages?

3) Does the fact that a program appears to be and may be capable of damaging a disk give anyone the right to violate a copyright?

If you feel that statement three allows someone to violate a copyright, consider this for a moment. One of the major copy protection companies uses a scheme which encrypts one or more tracks of a hard disk drive when someone installs a copy protected program. Until such time as the copy protected program is removed, the encrypted tracks are useless (in fact some people may even call them damaged) to any program other than the copy protected program which was installed. It really is the same thing.

If a program is copyrighted, the fact that it may be a virus, a trojan horse or a legitimate copy protection package does not imply that it is fair game for some people to hack apart and provide information about at will. If in fact the same discussions and information were disclosed regarding a major company in the spreadsheet market, that company might (and has in the past) take legal action against people who disclosed information or transferred copies of the program.

Do not get me wrong, I think what was done by the creator of the AIDS trojan was wrong, and he/she should be punished.
However, the assumption that, just because a copyrighted program happens to be a virus or a trojan, copyright law may be ignored is also wrong.

*****************************DISCLAIMER*************************
The views expressed are my own! I do not speak for, nor do I represent any other person, company or educational institution.
*****************************DISCLAIMER*************************

------------------------------

Date: Mon, 19 Feb 90 01:22:00 -0600
From: "Paul Duckenfield (Consultant, User Services)"
Subject: WDef problems - it doesn't go away (Mac)

As I mentioned in a previous message, we have had (and probably still have) WDef B running about Carleton College's Macintosh community. So far, it appears to have restricted itself to the public labs and has yet to break into the general computing community.

I have found that RAM disks on public Macintosh Pluses have greatly limited the spread of the virus because no single machine can have the virus for very long (invariably, we have to reboot each machine every couple of hours). Even if a RAM disk is infected, it is unlikely to infect many other users since the RAM disk will be reset in a matter of hours. This is our first line of protection.

At the moment, we are redoing the master RAM startup disks so that they have WDef protection as well. That will be our second line of defense. Our final line of defense is (hopefully) the responsibility of the individual user to obtain virus protection from the Micro Lab and put it on his Macintosh. With a good bit of publicity, this might be successful.

Another problem which we have had to deal with is recurring system crashes on our AppleShare servers even after the eradication of WDef. Although WDef is "officially" gone thanks to Disinfectant v1.6, the servers still seem to crash regularly. It appears that WDef, like polio, can be cured, but it leaves lasting damage.
The only solution I have found is to delete the unused DESKTOP file on all server volumes. This brought the number of crashes down from four a day to zero for a week.

Paul Duckenfield
Carleton College
CC User Services Micro Consultant
DUCKENFP@CARLETON.EDU

------------------------------

Date: Mon, 19 Feb 90 10:13:57 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Effects on checksum programs (PC)

I wonder if the readers of this group have considered the effects of viruses like "The Number of the Beast" (alias "512" or "666") on checksum programs.

As Vesselin Bontchev has pointed out, if the virus is active in memory, no changes to the infected program will be seen, since the virus will redirect any attempts to read the file so the original, non-infected file will be read instead.

This means that with the virus active in memory no checksum program will be able to detect infection of files, NO MATTER HOW STRONG THE ALGORITHM used. All the discussion on which algorithm to use is therefore rather pointless...

This is not a problem if the computer is first booted from a non-infected diskette, but how can one be sure that COMMAND.COM on the diskette was not infected?

--
Fridrik Skulason, University of Iceland      E-Mail: frisk@rhi.hi.is
Technical Editor, Virus Bulletin (UK).       Fax:    354-1-28801

------------------------------

Date: Mon, 19 Feb 90 10:10:20 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: New variant of Cascade/1704 (PC)

Some time ago I reported that 1704 seemed able to infect the same file over and over on a Novell network. I now have a copy of the virus in question, and it appears that this has nothing to do with Novell networks - it is just a new variant of the virus.

It is possible that this virus was created by a random mutation, which seems to have changed one JA instruction into JNE, but it is not certain.
Because the author of 1704 did not include self-correcting Hamming code in the virus :-), the mutation spread - and spread faster than the original, "healthy" variant.

All programs which are able to detect and remove the "standard" 1704 virus should also be able to handle this variant.

--
Fridrik Skulason, University of Iceland      E-Mail: frisk@rhi.hi.is
Technical Editor, Virus Bulletin (UK).       Fax:    354-1-28801

------------------------------

Date: Mon, 19 Feb 90 10:12:12 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT news (PC)

A week ago I reported that version 1.08 of F-PROT would become available in a day or two - but unfortunately I have not been able to get it out the door until now. I apologize to everybody who has been waiting (in particular the 50 persons or so that I have promised a copy by E-mail), but I believe it was worth the wait.

The reason for the delay was the arrival of 30 different virus variants from Bulgaria. As 26 of them were previously unknown, I had to write a number of new disinfectors - which has taken up most of my spare time the past week. I have also added code to detect and remove some other new viruses, like Devil's Dance, "1260", "E.D.V." and "Hallochen".

Those of you having a copy of 1.07 can update it by adding the following new entries to the SIGN.TXT file:

Dance        BERj85djAtm5nmjXFAufHKK9H85FJcdKH9hO0Mn5adeD0535Ip
New Vienna   CVRmsm3je7W2jWGfkBBzbMdVnf7r9Ai3sYcyCyduVhSKEO
New Vienna   pVBmtjP5WtsnGfkb1Xwu1mfb5j7EqqOAAIvdFBIrkRjuxUZmcZZvR2
Pixel        fBTMD5a5KdRMGEI4nROAAeJMhnDtHqQMpmNMU25MnME7Yq+Zfr
Eddie-2      X7Jjsmsm7euUMCFun90jkFfuSISWK6icEfuo4KP97ul4MNwlObmt
512          JENmS5rMi5PFbjjjCdYV4-UjAUguForRGswWc8jf6ZyhE81rEMPo3V
Old Yankee   iEpMSjsmEmEY4Am4-upjU5357XVcxXA2mMDTG4TRUctKfNq-Wh
E.D.V.       87u5djDjddmmFZ-d8MiRxONMAdTMBM7V5fgAAeJwNbZ4QMK6jmwLit
Hallochen    S7UjF5PMiiTm74Mo6RMqYY65jnm57KlIt8lqPKWm4ETQi3R5pMmBMf3u

Version 1.07 is not able to handle the 1260 virus, since no ordinary identification string can be provided for it.
I had to make some changes to the program itself.

Other changes from 1.07 to 1.08:

The F-DRIVER.SYS program did not display a message saying it had been installed, as stated in the documentation. This has been corrected. This answers the question from Scott D. Gregory - yes, it is working, even though it is only 1.5K in size. Well, actually version 1.08 is a bit longer, it is closer to 2K, but I just finished testing it and it stops every single virus in my collection (which is one of the largest around).

F-DLOCK.EXE contained a bug that prevented it from working with the CHKDSK program. This program could also cause some problems in other cases. This has now been corrected.

F-OSCHK would display a warning message in Icelandic, if it found that a change had been made to the operating system - I had forgotten a "#ifdef ENGLISH" somewhere. This has been corrected.

SIGN.TXT no longer has to be in the current directory - it may also be located in the same directory as the F-FCHK program.

Finally - a reply to Ron Warren Evans.

> He points out that F-PROT is virtually unknown in the U.S.,

That's true - I only finished the English version a short time ago, but the Icelandic version has been on sale for several months now and has been very successful here in Iceland. The market here is however very small, only 0.1 % of the U.S. market.

> is produced by a lone Icelandic programmer,

How true - sometimes I wish I was a huge multinational corporation :-)

> is untested here

Well, not quite - several people have been playing with it for a few months. Anyhow - most of the bugs should be gone by now - the people here in Iceland who bought versions 1.00 to 1.06 probably managed to find most of them. :-)

> and may not be well-supported.

Well, that depends on what kind of support you want - if you are looking for a product that comes with 24-hour hotline support and on-site servicing you should look elsewhere. However - you would have to pay more than what I am asking for.
I am just trying to provide powerful programs, able to catch all known viruses and remove them. I believe my programs contain some useful features, not found elsewhere, although they are not perfect. They could be made easier to install, perhaps integrated in one package, but I will not make changes like that until I write version 2.0.

Support - well, for now, E-mail will just have to do.... :-)

--
Fridrik Skulason, University of Iceland      E-Mail: frisk@rhi.hi.is
Technical Editor, Virus Bulletin (UK).       Fax:    354-1-28801

------------------------------

Date: 19 Feb 90 22:07:40 +0000
From: rymon@eniac.seas.upenn.edu (Ron Rymon)
Subject: Certus (FoundationWare)

I need information about a product named Certus (man. and dist. by FoundationWare). Has anybody heard of/used it? I would appreciate sharing your experience. Particularly I am interested in the type of installation (single PC? LAN?), how many used in the site? For how long? And how friendly is it? How effective?

Thanks a lot,
Ron

Ron Rymon

------------------------------

Date: 20 Feb 90 18:55:25 +0000
From: Paul Andrews
Subject: Gatekeeper 1.1.1?

I have a couple of questions:

1) What is different about gatekeeper 1.1.1 and the previous version (1.0?)?

2) Where can I get it? The problem here is that UUNET (or EUNET or whatever) has a message size limit of 100k. The INFO-MAC archive file for gatekeeper 1.1.1 is >100k and we can't use ftp from this side of the pond. (In case you're wondering, I would normally use a listserv which fetches files from INFO-MAC for me).

3) Does gatekeeper aid 1.0.1 NEED gatekeeper 1.1.1 or will it work with 1.0.?

- Paul.

--
- ------------------------------------------------------------------
| Paul Andrews              | Post: Tenset Technologies Limited, |
| paul@tenset.uucp          |       Norfolk House,               |
| Phone: +44 223 328886     |       301 Histon Road,             |
| Fax: +44 223 460929       |       Cambridge CB4 3NF, UK.       |
- ------------------------------------------------------------------

------------------------------

Date: Tue, 20 Feb 90 14:19:00 -0600
From: "Paul Duckenfield (Consultant, User Services)"
Subject: WDEF details (Mac)

>From: wcpl_ltd@uhura.cc.rochester.edu (Wing Leung)
>Subject: More about WDEF
>
> Can someone tell me is WDEF an illegal string in the resource code?
> How about the program called WDEF uploaded in comp.binaries.mac?
> In fact, I've found some WDEF code in system version 6.0.3
> Please tell me more about this resource code.

WDef is a system resource which (basically) tells the Mac how to draw its windows. There are several programs in the FREE/SHAREware market which change how the windows appear on your Mac's screen. They make it look like a NeXT or MS Windows or some other form other than the "standard Apple"-look. They take advantage of the WDef resource in the SYSTEM file.

The virus WDef is a little trickier. It infects the invisible DESKTOP file in the root directory of any disk. You can't see this file, but it is there, keeping track of all your files. That is the difference between the WDef SYSTEM resource and the WDef DESKTOP resource (for the layman).

Incidentally, I have heard reports that it is possible (although not easy) for someone to rename the WDef virus's resource to CDef. Potentially this will create another virus, exactly the same as the first except for the name, which can propagate quickly as well. Anyone know anything about this?

Paul Duckenfield
CC User Services Micro Consultant
DUCKENFP@Carleton.Edu

------------------------------

Date: Tue, 20 Feb 90 16:49:32 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: SCAN and the Brain (PC)

The following is forwarded from John McAfee:
============================================================================

Michael Kapfer stated in yesterday's posting that SCAN will not identify the Brain virus in memory. This is not entirely correct.
If you specifically ask for a memory scan (/M) then SCAN will identify the virus if it is active. If you do not ask for a memory scan, then SCAN will in any case scan memory for the "critical" viruses like 4096, Dark Avenger, 512 etc. It is this default memory scan that Michael is talking about, and it indeed will not look for the Brain.

John McAfee

------------------------------

Date: Tue, 20 Feb 90 15:31:00 -0400
From: Ivy Anderson
Subject: RE: Disinfectant 1.6 (Mac)

I am brand new to VIRUS-L and to virus protection in general. I have just read the posting which mentioned Disinfectant 1.6, a free anti-virus program. Can someone advise me where we can obtain more information about this program? Is there a PC version as well?

Thanks very much,

Ivy Anderson
Brandeis University Libraries
Bitnet: anderson@brandeis
Internet: anderson@binah.cc.brandeis.edu

------------------------------

Date: 21 Feb 90 15:28:30 +0000
From: rigel!wjm@bellcore.bellcore.com (23384-mitchell)
Subject: RE: Trojan Horses != Copy Protection

In an earlier posting, someone attempted to justify the reprehensible behavior of the author(s) of the AIDS Trojan Horse as a copy protection system. IMHO, I beg to differ - there is a key difference between the behavior of legitimate copy protection systems and the AIDS Trojan. It would be legitimate for a copy protection system to remove the protected program from the disk or otherwise render it unusable to unauthorized users, but it is NOT legitimate (at least in the USA) for the copy protection system to destroy, encrypt, or otherwise render unusable programs or files that are totally unrelated to the protected program.

An analogy: Under the laws of the USA, if I loan you the money to pay for an automobile, the standard loan contract that I will have you sign gives me the legal right to recover ("repossess") the automobile if you fail to make the loan payments on time.
However, it does NOT give me the right to confiscate your lawn mower, snow blower, wheelbarrow, and whatever else you happen to be keeping in your garage along with the said automobile. Removing any other personal property is considered to be THEFT and is strongly discouraged, to say the least, by the authorities.

IMHO (this is only my opinion; however, I am not an attorney, so you should consult with legal counsel for legal advice), the poster who said that the magazines that published information about how to work around the problems caused by the Trojan Horse were liable for damages to the work of the Trojan Horse author(s) and his/their alleged company's reputation was totally off base. IMHO, these magazines performed a valuable service to the computing community and their behavior was totally consistent with recognized computing community codes of ethics (e.g. ACM, IEEE).

We are not talking about legitimate copy protection here, rather I think the appropriate term is "Extortion," which seems to be the term used by the legal authorities in the UK who are bringing criminal charges in this matter. IMHO, swift prosecution followed by a stiff penalty, if convicted, is the best way to put an end to such incidents.

While I certainly favor using the USENET as a forum for the free expression of ideas, IMHO postings calling outright extortion a valid form of copy protection do no one any good and give the net a bad name.

Regards,
Bill Mitchell

Disclaimer: These are strictly my personal opinions and not necessarily those of my employer or any other person. I am not an attorney and am not providing any legal opinions or advice here. Consult with your attorney for legal advice.

------------------------------

End of VIRUS-L Digest
*********************