[comp.sys.ibm.pc] Article on Datacrime virus

BGU@NIHCU.BITNET ("Bruce Guthrie") (09/18/89)

              "Computer Virus Sparks a User Scare"
  "Some Analysts Say the 'Friday the 13th' Fears Are Overblown"
                         by John Burgess
               Washington Post, Sep 17 1989, pg H3

     A computer "virus" that springs to life destructively on
Friday the 13th is on the loose, and across the country computer
users are rushing helter-skelter to protect their machines
against it.
     Yet, with fewer than 10 verified sightings in a country with
tens of millions of computers, some experts are saying the threat
is being absurdly overblown.
     "At this point, the panic seems to have been more
destructive than the virus itself," said Kenneth R. Van Wyk, a
security specialist at Carnegie-Mellon University's Software
Engineering Institute.  He has been taking 20 phone calls a day
for advice on the subject.
     Written as pranks or tools of sabotage, viruses are software
programs designed to spread surreptitiously through computer
interconnections and the exchange of the floppy magnetic storage
disks on which computer programs and data are recorded.
     Once introduced into a machine, they transmit their own
instructions to the computer, causing it to destroy data or
display a surprise message on the screen.
     The new one is known variously as the Datacrime, Columbus
Day, and Friday the 13th virus.  Aimed at IBM-compatible personal
computers, it is designed to lie dormant and unnoticed in a
machine until Oct. 13, a Friday, and then activate as soon as an
unwitting user turns on the machine and "executes" a program.
(Many computers have internal calendars that make such
date-activated instructions possible.)
     At that time, a message flashes on the screen:

                        DATACRIME VIRUS.
                     RELEASED 1 MARCH 1989.

     Simultaneously, the virus erases a section of the machine's
disk storage unit that serves as an index to the information on
the disk [the FAT].  People with something more than basic
technical knowledge can fix the problem and recover the data,
however.
     The federal government views viruses as a grave threat to
the nation's information systems and has set in motion special
programs to guard computers against them and to punish people who
introduce them.
     The phenomenon received widespread public attention last
fall, when a virus written by a Cornell University graduate
student swept through the federally supported Internet research
network, replicating itself automatically over and over and
temporarily tying up 6,000 machines in one day.
     The Datacrime virus, however, is targeted at computers that
for the most part are not linked in networks.
     And it comes at a time when publicity has led many users to
take the basic precautions of "safe computing," avoiding free
software that is posted on bulletin boards, where the viruses may
lurk, and using only programs that come in factory-sealed
containers.
     The Software Engineering Institute knows of fewer than 10
cases, Van Wyk said.
     International Business Machines Corp. said Thursday it is
not directly aware of any.  "If it was out there in any number,"
said Bill Vance, director of secure systems for IBM, "it would be
spreading and be more noticeable."  October 13, he said, is not
likely to be "a major event."
     At Centel Federal Systems of Reston, however, a different
mood prevails.  It has been operating a toll-free hotline on the
virus, with six people working full-time.  It has received more
than 1,000 calls, according to Tom Patterson, senior analyst for
security operations at the federal systems unit, which is owned
by independent telephone company Centel Corp. of Chicago.
     Patterson said he began working on the virus about five
weeks ago, after receiving a tip from an acquaintance in Europe
that hackers there were planning to modify an existing virus and,
by dialing up electronic bulletin boards across the Atlantic,
release it in this country.
     Subsequent investigation turned up specimens in this country
fitting the description he had received.  Patterson said he had
dissected a version of it and, in tests, found that it could
penetrate a number of software products that are supposed to keep
viruses out.  In recent days, he found one on the machines of a
Centel client.  "The virus is out there," Patterson said.  "It's
real."
     Also active in the campaign is John McAfee, a
virus-protection specialist based in Santa Clara, Calif., who
runs a bulletin board on which he offers anti-viral programs.
His phone line has been constantly busy in recent days.
     Concern has heightened with each new report of the virus in
the computer trade press and on at least one wire service, the
Associated Press, leading some security specialists to see the
panic as a self-fulfilling prophecy by the media.
     Others wonder whether companies that make anti-viral
products are not happy to see the scare being pumped up.
     "The more panicked people get," said Jude Franklin, general
manager of Planning Research Corp.'s technology division, "the
more people who have solutions are going to make money."
     For $25, which it says is necessary to cover the cost of a
disc, shipping, and handling, Centel is offering software written
by McAfee that searches for the virus.
     Patterson said Centel would be losing money on the discs [!]
but is doing it anyway.  "I'm not trying to hype this," he said.
"I'm working 20-hour days...  to get the word out."

drv@cbnewsj.ATT.COM (dennis.r.vogel) (09/22/89)

In article <KPETERSEN.12527529029.BABYL@WSMR-SIMTEL20.ARMY.MIL>, BGU@NIHCU.BITNET ("Bruce Guthrie") writes:
> 
>               "Computer Virus Sparks a User Scare"
>   "Some Analysts Say the 'Friday the 13th' Fears Are Overblown"
>                          by John Burgess
>                Washington Post, Sep 17 1989, pg H3
>
>    [Article on virus deleted]
> 
>      For $25, which it says is necessary to cover the cost of a
> disc, shipping, and handling, Centel is offering software written
> by McAfee that searches for the virus.

As with all viruses, etc. that are triggered on a certain date, you
can attempt to flush them out by resetting the system date to the
suspected trigger date, Oct. 13 in this case.  (A disk backup is
strongly suggested before doing this.)

Depending on how long the virus takes to manifest itself after the
date, you can judge whether you have it or not.  This might be
useful *before* sending someone $25.  If you find you've got it,
then get the anti-viral program to determine which of your program(s)
are infected so you can remove them.

No need to send me anything for this advice--it's free.  The virus
gurus should be telling everyone this, too, rather than just asking
for money for their products especially if the chances of having the
virus are rather small.

Dennis R. Vogel
AT&T Bell Laboratories
Lincroft, NJ

jwi@cbnewsj.ATT.COM (Jim Winer @ AT&T, Middletown, NJ) (09/22/89)

dennis.r.vogel writes:

> As with all viruses, etc. that are triggered on a certain date, you
> can attempt to flush them out by resetting the system date to the
> suspected trigger date, Oct. 13 in this case.  (A disk backup is
> strongly suggested before doing this.)
> 
> Depending on how long the virus takes to manifest itself after the
> date, you can judge whether you have it or not.  This might be
> useful *before* sending someone $25.  If you find you've got it,
> then get the anti-viral program to determine which of your program(s)
> are infected so you can remove them.
> 
> No need to send me anything for this advice--it's free.  The virus
> gurus should be telling everyone this, too, rather than just asking
> for money for their products especially if the chances of having the
> virus are rather small.

If you bothered to check your facts (perhaps by reading comp.virus),
you'd have known that most of the virus detecting and correcting
programs are available free from the Home Base BBS. You'd also have
discovered that if you want somebody to take the time to copy programs
for you, you would generally be expected to pay for their time and
for the media. Further, you'd probably have discovered that there
is at least one company out there who is distributing some of the
free virus software written by one of the "gurus" and charging for
it.

No need to send me anything for this advice -- save it for your dentist

Jim Winer

dross@umn-d-ub.D.UMN.EDU (david ross) (09/23/89)

In article <762@cbnewsj.ATT.COM> drv@cbnewsj.ATT.COM (dennis.r.vogel) writes:
>
>No need to send me anything for this advice--it's free.  The virus
>gurus should be telling everyone this, too, rather than just asking
>for money for their products especially if the chances of having the
>virus are rather small.

Hear hear!  Actually, I'd like to see virus detect/protect software
distributed as *source code*, preferably in GW Basic (or FORTH,
if sector reads are absolutely necessary).

This certainly holds for PD programs, which themselves have a nasty
habit of picking up viri.

drv@cbnewsj.ATT.COM (dennis.r.vogel) (09/23/89)

In article <787@cbnewsj.ATT.COM>, jwi@cbnewsj.ATT.COM (Jim Winer @ AT&T, Middletown, NJ) writes:
> 
> If you bothered to check your facts (perhaps by reading comp.virus),
> you'd have known that most of the virus detecting and correcting
> programs are available free from the Home Base BBS. You'd also have

I don't read comp.virus.  I wasn't commenting about the state of virus
programs in general.  I was only responding to the article that was
posted that described the virus and then said (in effect) send us $25
for our anti-viral program.  My only comment was that there's an easier
and cheaper way to detect these timed viruses.

I'm glad there are other programs available for free. Since I don't read
comp.virus I was not aware of them.

> discovered that if you want somebody to take the time to copy programs
> for you, you would generally be expected to pay for their time and
> for the media. Further, you'd probably have discovered that there
> is at least one company out there who is distributing some of the
> free virus software written by one of the "gurus" and charging for
> it.

I don't know where this came from.  I don't recall saying that I expected
free software.  If people take the time to copy things they should certainly
be reimbursed for the time and the media.  And I'm not at all surprised
that someone is charging for software that is available for free elsewhere.

Again, all I wanted to say was that there's an easy way to detect this timed
type of virus and that *I* think the vendors of anti-viral programs should
make that fact known.  *From the article I read here*, I got the impression
that one vendor (at least) was implying that you need their $25 program
if you wish to detect this virus.

Sorry if I offended anyone's sensibilities.

> No need to send me anything for this advice -- save it for your dentist

This one went by me completely.  If it's meant to be humorous, I'll
laugh.  If it's meant to be wise, I'll remember it.  If it's meant
to be a dig, I'll ignore it.

> Jim Winer

Dennis R. Vogel
AT&T Bell Laboratories
Lincroft, NJ

jcsewell@disk.UUCP (Jim Sewell) (10/01/89)

In article <762@cbnewsj.ATT.COM> drv@cbnewsj.ATT.COM (dennis.r.vogel) writes:
>In article <KPETERSEN.12527529029.BABYL@WSMR-SIMTEL20.ARMY.MIL>, BGU@NIHCU.BITNET ("Bruce Guthrie") writes:
>>
>>    [Article on virus deleted]
>> 
>As with all viruses, etc. that are triggered on a certain date, you
>can attempt to flush them out by resetting the system date to the
>suspected trigger date, Oct. 13 in this case.  (A disk backup is
>strongly suggested before doing this.)
>
>Depending on how long the virus takes to manifest itself after the
>date, you can judge whether you have it or not.  This might be
>useful *before* sending someone $25.  If you find you've got it,
>then get the anti-viral program to determine which of your program(s)
>are infected so you can remove them.

Unfortunately you have missed the point of the virus checkers.  Their MAIN
function is not to rid a machine of a virus, but rather to detect and notify
you of ANY virus that can be detected by that program.  There are few programs
designed to eliminate a virus; many more to notify you of their presence. 
There are as many as, I believe, 20 viruses that can be detected by some of the
programs which is being updated daily as new information becomes available.
The Virus checkers are nice things to have around running in the background.
It is like wearing a facemask before going into a sick person's room rather 
than counting on medicine to cure you after you are infected.

Later-->

=============================================================================
        J. C. Sewell            jcsewell@disk
        1800 So. 2nd St              jim@coplex
        Louisville KY  40208         jim@panthr (If I can ever find UUPC)

dmt@pegasus.ATT.COM (Dave Tutelman) (10/09/89)

In article <574@disk.UUCP> jcsewell@disk.UUCP (Jim Sewell) writes:
> ... [ about virus checkers ] ...   Their MAIN
>function is not to rid a machine of a virus, but rather to detect and notify
>you of ANY virus that can be detected by that program.  There are few programs
>designed to eliminate a virus; many more to notify you of their presence. 
	Right!

>It is like wearing a facemask before going into a sick person's room rather 
>than counting on medicine to cure you after you are infected.

	Close, but not quite.  Practicing "safe computing" is like wearing
a facemask.  Using a virus-checking program (to extend your analogy) is
like having regular physicals to catch diseases early (before you show
their symptoms and suffer their effects).  If a virus-checker shows up
a virus on your machine, you may know before it blows away your FAT,
but you still have to do something to get rid of it.

+---------------------------------------------------------------+
|    Dave Tutelman						|
|    Physical - AT&T Bell Labs  -  Lincroft, NJ			|
|    Logical -  ...att!pegasus!dmt				|
|    Audible -  (201) 576 2194					|
+---------------------------------------------------------------+

simon@ms.uky.edu (G. Simon Gales) (10/09/89)

According to an article in Info World (I think it was in there) the DataCrime
virus cannot be triggered by simply changing the current date to Oct. 13.

The date has to be advanced one day at a time, up to 10/13/89, to trigger the
virus.  There is a program for detecting/removing the critter available for
anonymous ftp from s.ms.uky.edu.
-----
No guarantees, this is Monday after all.

-- 
Simon Gales@The University of Kentucky
   simon@ms.uky.edu             | 'Fate... protects fools, little children,
   simon@UKMA.BITNET            |  and ships named Enterprise.' 
   {rutgers, uunet}!ukma!simon  |                           - Riker, ST:TNG

ncperson@ndsuvax.UUCP (Brett G. Person) (10/14/89)

In article <12877@s.ms.uky.edu> simon@ms.uky.edu (G. Simon Gales) writes:
> There is a program for detecting/removing the critter available for
>anonymous ftp from s.ms.uky.edu.
>-----
>No guarantees, this is Monday after all.
>
>-- 
>Simon Gales@The University of Kentucky
>   simon@ms.uky.edu             | 'Fate... protects fools, little children,
>   simon@UKMA.BITNET            |  and ships named Enterprise.' 
>   {rutgers, uunet}!ukma!simon  |                           - Riker, ST:TNG


Where is the file? In fact, where is ANYTHING on this site? 
dir and ls report nothing.

-- 
Brett G. Person
North Dakota State University
uunet!ndsuvax!ncperson | ncperson@ndsuvax.bitnet | ncperson@plains.nodak.edu