V.I.R.U.S. Weekly - November 26, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and newsletter is prepared by the Vancouver Institute for Research into User Security. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

15 Getting Resources
16 "Using McAfee Associates Software for Safe Computing" by Jacobson

NEW ANTIVIRALS

F-Prot 2.10 (MS-DOS)

I received the long awaited version 2.10 of F-Prot this week. Haven't been able to look at it in detail yet due to some downloading problems.

NEW VIRAL PROGRAMS

Tricky Dicky Virus (MS-DOS)

A direct action COM file infector, based on a rather disjointed report from someone known to have contacts in the vx community. There is a report of a "Bad command or filename" message after each infection, but this may refer to corruption of the infected program. A signature is said to be "B44E33C9BA8101CD21E81B00EB01", while text in the virus code is "The Tricky Dicky [TrickyDicky] Created in the city of Toronto", "Bad command or file name", "Fail on INT 24 .. NOT!!". (Single report from vx contact.)

Sterculius (MS-DOS)

A COM file infector which uses the fairly simple and widely known code to disable the memory resident protection program VSAFE from Turbo, Central Point or Microsoft Anti-Virus. A signature is reported to be "5E83EE0356FC83C65D90BF0001A5". (Single report from vx contact.)

Michelangelo COM (MS-DOS)

A memory resident COM infector. Reported signature and ASCII strings are "B42ACD21B403B0063BD07401C3BE", "It is March 6th, time for MICHELANGELO ][ to trigger.", "YES! Another one. This virus is brought to you by:", "HAVE PHUN... :->". (Single report from vx contact.)

Jasmine (MS-DOS)

A memory resident COM and EXE infector. Said to disable both VSAFE and the NAV memory resident protection. A text message is displayed when infecting files.
Reported signature and text strings are "B42CCD2180FD00750AB002B90500", "The Jasmine Virus is loose, better protect your computer.", "Beware! There now it works!" (Single report from vx contact.)

CONFERENCES AND COURSES

VSI '94

The Virus Security Institute is presenting a conference in Philadelphia, Pennsylvania on March 29-30, 1994. Presented as "A Different Kind of Information Security Conference", the symposium will involve a high degree of participation in challenging models of security as applied to the "real world". Papers are solicited by the conference chair padgett@tccslr.dnet.mmc.com (A. Padgett Peterson). For more information, E-Mail or Fax: VSI94_info@dockmaster.ncsc.mil (case sensitive) or (302)764-6186 (include E-Mail address, please).

RESEARCH GOSSIP

Thoughts ...

With the new releases and new viri in the past few weeks, I just haven't had the space for gossip. Now that I've got some space for a breather: is this a bad sign? Is the problem getting worse? When I started (good grief, is it already more than a year ago?), I sometimes had to scramble to get four items a week. Now I'm getting into the double digits easily each week, and having to combine and even discard items. This week I'm trying to include most of the "time sensitive" gossip, and even at that some of it is stale. Something to think about ...

Pretty Good Privacy in Pretty Deep Trouble

American authorities are going after the principals of the PGP encryption and message authentication scheme. PGP is being charged under American laws regarding export of encryption technology. Also affected are ViaCrypt, which will be selling a commercial version of PGP in November, and Austin Code Works, which is planning an encryption "textbook" on disk, which will contain source code for related algorithms. Pretty G______ Paranoid, if you ask me ...

Infect this magazine ...

PC Computing is carrying an ad for live viral code.
This time, though, the material is apparently being sold on CD-ROM, along with information on "phreaking" (using various devices to circumvent telephone security and make long distance calls without paying). One poster on Fidonet feels that this is cause to write the magazine and complain. This is really getting to be too much ...

YASVWG (Yet another stupid virus writing group)

Another bunch of kids with too much time on their hands has taken to calling themselves the Electronic Evil Virus Research Group. They are shilling for membership with a list of BBSes that they would like to see hit. Crash a board and win a free membership. Rather silly ...

Virus U

The University of Michigan annually holds a "Computer Kickoff Sale", an opportunity for students to buy personal computer systems through UM for reduced prices. This year the Macs on offer came equipped with nVIR. The virus had infected the standard software distribution disks prepared by the U of M Information Technology Division as an aid to students to get them up and running. The original source of the virus infection is still unknown. Ironically, the distribution disks contained copies of Disinfectant, and warned users about the possibility of viral infection ...

Swiss antivirus law

Switzerland is looking for input to try and "tune" its new statute trying to ban malicious software. The pertinent section is:

"Anyone, who, without authorization
- erases, modifies, or destructs electronically or similarly saved or data,
or anyone who,
- creates, promotes, offers, makes available, or circulates in any way means destined for unauthorized deletion, modification, or destruction of such data,
will, if a complaint is filed, receive ... punishment."

Cracker/Phreak sentenced

Mark Abene, who used the alias Phiber Optik with the computer "underground" community, was sentenced this week for "conspiracy to commit computer crime" to one year and one day (eligible for release in 10 months), 600 hours of community service, and 3 years probation. Although charged with "theft" of documents which he copied from credit reporting agencies, the only "damage" shown from the trial was erasure of files on an educational system. As could be predicted, opinion is divided over the severity and appropriate nature of the sentence.

No, it wasn't NuKE ...

Nuclear Electric, in Britain, has been severely embarrassed. They are currently having problems getting approval for the computer safety systems for the new pressured water reactor Sizewell B. Yankee Doodle has been playing tunes on the PCs at Sizewell. A man found with unauthorised software has been dismissed. A local newspaper report says: "An anonymous group, or person, styled Bulgaria 50 is believed to be responsible."

==============
Vancouver      ROBERTS@decus.ca    | "I finally realized why Windows is truly
Institute for  Robert_Slade@sfu.ca | multitasking. I find myself keeping some
Research into  rslade@cue.bc.ca    | secondary task (like ... mail) handy so I
User           p1@CyberStore.ca    | can make good use of the time I spend
Security       Canada V7K 2G6      | waiting for Windows." -Steve Edelson