[comp.sys.zenith.z100] Trojan Horse in rogue COMMAND.COM

GUBBINS@RADC-TOPS20.ARPA (Gern) (01/05/88)

Date:      08 DEC 87 09:00 EST
From:      V2002A%TEMPLEVM.BITNET@CUNYVM.CUNY.EDU
Subject:   Software Vandalism

     Are there any legal precedents on the books for software vandals
caught willfully propagating 'virus' or 'infectious' programs?  I ask this
because I received the following on another network.

Andy Wing  V2002A%TEMPLEVM.BITNET@CUNYVM.CUNY.EDU

From:  Kenneth R. van Wyk, User Services Senior Consultant, Lehigh Univ.
          <LUKEN@VAX1.CC.LEHIGH.EDU>

    Last week, some of our student consultants discovered a virus program
that's been spreading rapidly throughout Lehigh University.  We have no
idea where the virus started, but some users have told me that other
universities have recently had similar problems.

The virus: the virus itself is contained in the stack space of COMMAND.COM.

    When a pc is booted from an infected disk, all a user need do to spread
the virus is to access another disk via TYPE, COPY, DIR, etc.  If the other
disk contains COMMAND.COM, the virus code is copied to the other disk.  A
counter is incremented on the parent.  When this counter reaches a value of
4, any and every disk in the PC is erased thoroughly.  The boot tracks are
wiped, as are the FAT tables, etc. This affects both floppy and hard disks.
Meanwhile, the four children that were created go on to tell four friends,
and then they tell four friends, and so on.

    Detection: First, the write date of the command.com changes.  Second,
if there's a write protect tab on an uninfected disk, you will get a WRITE
PROTECT ERROR...  So, boot up from a suspected virus'd disk and access a
write protected disk - if an error comes up, then you're sure.  Note that
the length of command.com does not get altered.

    I urge anyone who comes in contact with publicly accessible disks to
periodically check their own disks.  Also, exercise safe computing - always
wear a write protect tab.

-------------------------------------------------------------------------

I do not believe we have to worry about this in the Z-100 world, but
it could happen.   I am not sure if a PC COMMAND.COM will even function
on a Z-100 (it should, in theory...).   Let's be careful out there!

Gern
-------
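An added example, not code from either post: the detection criteria in the forwarded notice (write date of COMMAND.COM changes, length does not) turned into a baseline check that also hashes the file, since a same-length rewrite is exactly the case a size check alone misses. The file path and the sample COMMAND.COM contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    size: int       # length in bytes (unchanged by the virus described above)
    mtime: float    # write date (changed by the virus described above)
    sha256: str     # content hash, added here so a same-length rewrite is caught


def fingerprint(path: str) -> Baseline:
    """Record size, write date and content hash of a file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return Baseline(st.st_size, st.st_mtime, digest)


def check(path: str, baseline: Baseline) -> str:
    """Classify the file against its baseline:
    'clean'               nothing changed
    'same-length-rewrite' content (and usually date) changed, length identical,
                          the pattern the notice describes
    'modified'            any other change (e.g. length differs)"""
    now = fingerprint(path)
    if now == baseline:
        return "clean"
    if now.size == baseline.size and now.sha256 != baseline.sha256:
        return "same-length-rewrite"
    return "modified"


def demo() -> tuple[str, str, str]:
    """Constructed scenario: a stand-in COMMAND.COM, an in-place same-length
    change, then an appended change. Returns the three classifications."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "COMMAND.COM")
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)          # constructed stand-in, not DOS code
        base = fingerprint(path)
        before = check(path, base)
        with open(path, "r+b") as f:         # overwrite tail in place: size stays 4096
            f.seek(-16, os.SEEK_END)
            f.write(b"X" * 16)
        in_place = check(path, base)
        with open(path, "ab") as f:          # grow the file: size now differs
            f.write(b"Y" * 8)
        return before, in_place, check(path, base)
```

Run `demo()` to see that only the hash distinguishes the in-place rewrite from a clean file when the length is unchanged.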

LUKEN@LEHIIBM1.BITNET ("Kenneth R. van Wyk") (01/05/88)

The trojan horse COMMAND.COM which I wrote about *WAS* able to infect
a Z-100 COMMAND.COM (MSDOS 2.1, and 3.1)!  It was not isolated to
PCs only!

I sent that warning out to ADVISE-L on BITNET over a month ago, and it's
been reprinted all over the world, and I continue to get dozens of calls
and inquiries about it.  Virus programs are the creations of sick people,
and must be stopped.  We, here at Lehigh, lost hundreds of disks worth of
data on *OUR* disks - not counting how many of our users lost their own
data.  This particular virus was easy to stop because the programmer was
sloppy.  Let's hope that the next one is too.

By the way, COMMAND.COM is the machine independent module of MS-DOS, so
it runs on both Z-100s and PCs.

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk                   = If found wandering aimlessly, =
= User Services Senior Consultant      =   please feed and return...   =
= Lehigh University Computing Center   =-------------------------------=
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =        That's the news,       =
= BITNET:   <LUKEN@LEHIIBM1>           =      And I'm out of here!     =
------------------------------------------------------------------------