V.I.R.U.S. Weekly - November 26, 1993
A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade
15   Getting Resources
16   "Using McAfee Associates Software for Safe Computing" by Jacobson
F-Prot 2.10 (MS-DOS)
I received the long awaited version 2.10 of F-Prot this week.  Haven't been
able to look at in in detail yet due to some downloading problems.
Tricky Dicky Virus (MS-DOS)
A direct action COM file infector, based on a rather disjointed report from
someone known to have contacts in the vx community.  There is a report of a
"Bad command or filename" message after each infection, but this may refer to
corruption of the infected program.  A signature is said to be
"B44E33C9BA8101CD21E81B00EB01", while text in the virus code is "The Tricky
Dicky  [TrickyDicky] Created in the city of Toronto", "Bad command or file
name", "Fail on INT 24 .. NOT!!".  (Single report from vx contact.)
Sterculius (MS-DOS)
A COM file infector which uses the fairly simple and widely known code to
disable the memory resident protection program VSAFE from Turbo, Central Point
or Microsoft Anti-Virus.  A signature is reported to be
"5E83EE0356FC83C65D90BF0001A5".  (Single report from vx contact.)
Michelangelo COM (MS-DOS)
A memory resident COM infector.  Reported signature and ASCII strings are
"B42ACD21B403B0063BD07401C3BE", "It is March 6th, time for MICHELANGELO ][ to
trigger.", "YES! Another one.  This virus is brought to you by:", "HAVE PHUN... 
:->".  (Single report from vx contact.)
Jasmine (MS-DOS)
A memory resident COM and EXE infector.  Said to disable both VSAFE and the NAV
memory resident protection.  A text message is displayed when infecting files. 
Reported signature and text strings are "B42CCD2180FD00750AB002B90500", "The
Jasmine Virus is loose, better protect your computer.", "Beware! There now it
works!"  (Single report from vx contact.)
VSI '94
The Virus Security Institute is presenting a conference in Philadelphia,
Pennsylvania on March 29-30, 1994.  Presented as "A Different Kind of
Information Security Conference", the symposium will involve a high degree of
participation in challenging models of security as applied to the "real world". 
Papers are solicited by the conference chair padgett@tccslr.dnet.mmc.com (A.
Padgett Peterson).   For more information, E-Mail or Fax:
VSI94_info@dockmaster.ncsc.mil  (case sensitive) or (302)764-6186 (include
E-Mail address, please).
Thoughts ...
With the new releases and new viri in the past few weeks, I just haven't had
the space for gossip.  Now that I've got some space for a breather: is this a
bad sign?  Is the problem getting worse?  When I started (good grief, is it
already more than a year ago?), I sometimes had to scramble to get four items a
week.  Now I'm getting into the double digits easily each week, and having to
combine and even discard items.  This week I'm trying to include most of the
"time sensitive" gossip, and even at that some of it is stale.  Something to
think about ... 
Pretty Good Privacy in Pretty Deep Trouble
American authorities are going after the principals of the PGP encryption and
message authentication scheme.  PGP is being charged under American laws
regarding export of encryption technology.  Also affected are ViaCrypt, which
will be selling a commercial version of PGP in November, and Austin Code Works,
which is planning an encryption "textbook" on disk, which will contain source
code for related algorithms.  Pretty G______ Paranoid, if you ask me ... 
Infect this magazine ...
PC Computing is carrying an ad for live viral code.  This time, though, the
material is apparently being sold on CD-ROM, along with information on
"phreaking" (using various devices to circumvent telephone security and make
long distance calls without paying).  One poster on Fidonet feels that this is
cause to write the magazine and complain.  This is really getting to be too
much ... 
YASVWG (Yet another stupid virus writing group)
Another bunch of kids with too much time on their hands has taken to calling
themselves the Electronic Evil Virus Research Group.  They are shilling for
membership with a list of BBSes that they would like to see hit.  Crash a board
and win a free membership.  Rather silly ...
Virus U
The University of Michigan annually holds a "Computer Kickoff Sale", an
opportunity for students to buy personal computer systems through UM for
reduced prices.  This year the Macs on offer came equipped with nVIR.  The
virus had infected the standard software distribution disks prepared by the U
of M Information Technology Division as an aid to students to get them up and
running.  The original source of the virus infection is still unknown. 
Ironically, the distribution disks contained copies of Disinfectant, and warned
users about the possibility of viral infection ... 
Swiss antivirus law
Switzerland is looking for input to try and "tune" its new statute trying to
ban malicious software.  The pertinent section is:
"Anyone, who, without authorization
   - erases, modifies, or destructs electronically or similarly saved or data,
or anyone who,
   - creates, promotes, offers, makes available, or circulates in any way means
destined for unauthorized deletion, modification, or destruction of such data,
will, if a complaint is filed, receive ... punishment." 
Cracker/Phreak sentenced
Mark Abene, who used the alias Phiber Optik with the computer "underground"
community, was sentenced this week for "conspiracy to commit computer crime" to
one year and one day (eligible for release in 10 months), 600 hours of
community service, and 3 years probation.  Although charged with "theft" of
documents which he copied from credit reporting agencies, the only "damage"
shown from the trial were erasure of files on an educational system.  As could
be predicted, opinion is divided over the severity and appropriate nature of
the sentence.
No, it wasn't NuKE ...
Nuclear Electric, in Britain, has been severely embarrassed.  They are
currently having problems getting approval for the computer safety systems for
the new pressured water reactor Sizewell B.  Yankee Doodle has been playing
tunes on the PCs at Sizewell.  A man found with unauthorised software has been
dismissed.  A local newspaper report says: "An anonymous group, or person,
styled Bulgaria 50 is believed to be responsible."
Vancouver      ROBERTS@decus.ca    | "I finally realized why Windows is truly
Institute for  Robert_Slade@sfu.ca |  multitasking.  I find myself keeping some
Research into  rslade@cue.bc.ca    |  secondary task (like ... mail) handy so I
User           p1@CyberStore.ca    |  can make good use of the time I spend 
Security       Canada V7K 2G6      |  waiting for Windows."    -Steve Edelson