GUBBINS@RADC-TOPS20.ARPA (Gern) (01/05/88)
29-Dec-87 04:01:14-EST,1982;000000000000
Date: 08 DEC 87 09:00 EST
From: V2002A%TEMPLEVM.BITNET@CUNYVM.CUNY.EDU
Subject: Software Vandalism

Are there any legal precedents on the books for software vandals caught willfully propagating 'virus' or 'infectious' programs? I ask this because I received the following on another network.

Andy Wing
V2002A%TEMPLEVM.BITNET@CUNYVM.CUNY.EDU

From: Kenneth R. van Wyk, User Services Senior Consultant, Lehigh Univ. <LUKEN@VAX1.CC.LEHIGH.EDU>

Last week, some of our student consultants discovered a virus program that's been spreading rapidly throughout Lehigh University. We have no idea where the virus started, but some users have told me that other universities have recently had similar problems.

The virus: the virus itself is contained in the stack space of COMMAND.COM. When a pc is booted from an infected disk, all a user need do to spread the virus is to access another disk via TYPE, COPY, DIR, etc. If the other disk contains COMMAND.COM, the virus code is copied to the other disk. A counter is incremented on the parent. When this counter reaches a value of 4, any and every disk in the PC is erased thoroughly. The boot tracks are wiped, as are the FAT tables, etc. This affects both floppy and hard disks. Meanwhile, the four children that were created go on to tell four friends, and then they tell four friends, and so on.

Detection: First, the write date of the command.com changes. Second, if there's a write protect tab on an uninfected disk, you will get a WRITE PROTECT ERROR... So, boot up from a suspected virus'd disk and access a write protected disk - if an error comes up, then you're sure. Note that the length of command.com does not get altered.

I urge anyone who comes in contact with publicly accessible disks to periodically check their own disks. Also, exercise safe computing - always wear a write protect tab.
-------------------------------------------------------------------------

I do not believe we have to worry about this in the Z-100 world, but it could happen. I am not sure if a PC COMMAND.COM will even function on a Z-100 (it should, in theory...). Let's be careful out there!

Gern
-------
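The detection notes in the forwarded warning (write date changes, length does not) can be turned into a baseline check. The following is an added example, not part of the original posts: the file contents, byte values and timestamps are constructed, and the names snapshot, compare and demo are hypothetical.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    size: int
    mtime_ns: int
    sha256: str


def snapshot(path):
    """Record length, write date and content hash of a file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return Baseline(st.st_size, st.st_mtime_ns, digest)


def compare(path, baseline):
    """Return the names of the recorded attributes that no longer match."""
    now = snapshot(path)
    return [name for name in ("size", "mtime_ns", "sha256")
            if getattr(now, name) != getattr(baseline, name)]


def demo():
    # Constructed stand-in for COMMAND.COM: 256 bytes of "code" followed by
    # a 256-byte zero-filled region (assumed layout, for illustration only).
    original = b"\xE9" + b"\x90" * 255 + b"\x00" * 256
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "COMMAND.COM")
        with open(path, "wb") as f:
            f.write(original)
        os.utime(path, ns=(10**18, 10**18))   # fixed, constructed write date
        base = snapshot(path)                 # taken from a known-clean copy

        # Same-length modification: only the zero-filled region is rewritten.
        with open(path, "wb") as f:
            f.write(original[:256] + b"\xCC" * 256)
        changed = compare(path, base)         # length check alone sees nothing

        # If the write date is later set back to its old value,
        # only the content hash still differs.
        os.utime(path, ns=(base.mtime_ns, base.mtime_ns))
        changed_after_reset = compare(path, base)
    return changed, changed_after_reset
```

The baseline has to be taken from a known-clean copy and kept on write-protected media, otherwise it can be altered along with the file it describes.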
LUKEN@LEHIIBM1.BITNET ("Kenneth R. van Wyk") (01/05/88)
The trojan horse COMMAND.COM which I wrote about *WAS* able to infect a Z-100 COMMAND.COM (MSDOS 2.1, and 3.1)! It was not isolated to PCs only!

I sent that warning out to ADVISE-L on BITNET over a month ago, and it's been reprinted all over the world, and I continue to get dozens of calls and inquiries about it. Virus programs are the creations of sick people, and must be stopped. We, here at Lehigh, lost hundreds of disks worth of data on *OUR* disks - not counting how many of our users lost their own data. This particular virus was easy to stop because the programmer was sloppy. Let's hope that the next one is too.

By the way, COMMAND.COM is the machine independent module of MS-DOS, so it runs on both Z-100's and PC's.

Ken

------------------------------------------------------------------------
= Kenneth R. van Wyk                   = If found wandering aimlessly, =
= User Services Senior Consultant      = please feed and return...     =
= Lehigh University Computing Center   =-------------------------------=
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = That's the news,              =
= BITNET:   <LUKEN@LEHIIBM1>           = And I'm out of here!          =
------------------------------------------------------------------------