
VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
VIRUS BULLETIN Page 2 August 1991
EDITORIAL
Network Experiments
A large proportion of this month’s edition of VB is devoted to
the propagation of computer viruses on Novell NetWare PC
networks. The paper Virus Propagation and NetWare Security,
submitted by Dr. Jan Hruska and Richard Jacobs of
Sophos Ltd, provides some revealing insights into the interaction
between various viruses and network software. VB is also
indebted to Eric Babcock, Novell’s software security specialist,
both for his efforts in peer-reviewing this paper and for
supplying a short report on the GP1 virus (see page 9) which
arrives at conclusions rather different from our initial speculations
published in June 1991. In the absence of evidence to the
contrary, Mr. Babcock’s report should be regarded as the
definitive functional analysis of the GP1 virus.
Offsets Out
An editorial decision has been taken to discontinue publishing
offsets for virus search patterns. It is the technical editor’s
opinion that offsets should be removed from any virus
scanning data despite the fact that this will result in a degradation
of scan run-times. The reasons for this are twofold:
firstly, the removal of offsets substantially increases the
likelihood of detecting virus variants, which are appearing at
an exponential rate. Secondly, misinterpretation of offset data
by at least one programmer involved in the development of a
commercial anti-virus product resulted in VB search patterns
being invalidated - the scanner was looking for the right
patterns but in the wrong places.
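The trade-off described above, as an added example that is not from Virus Bulletin or from any scanner product: an offset-anchored check costs one comparison but misses a pattern that has moved, while an offset-free search finds it at the price of examining every position. The marker string, the offset of 64, the 7-byte shift and the 256-byte alternative base are all constructed assumptions.

```python
"""Offset-anchored vs offset-free pattern search on constructed data."""

PATTERN = b"VB-DEMO-PATTERN"   # constructed marker, not a real search pattern
PUBLISHED_OFFSET = 64          # constructed: where the pattern sits in the original

def make_sample(shift=0, size=4096):
    """Constructed 'file': filler bytes with PATTERN placed at 64 + shift."""
    body = bytearray(b"." * size)
    pos = PUBLISHED_OFFSET + shift
    body[pos:pos + len(PATTERN)] = PATTERN
    return bytes(body)

def scan_at_offset(data, pattern, offset):
    """Anchored scan: a single comparison at one fixed position."""
    return data[offset:offset + len(pattern)] == pattern, 1

def scan_anywhere(data, pattern):
    """Offset-free scan: try every position; returns (found, positions tried)."""
    tried = 0
    for i in range(len(data) - len(pattern) + 1):
        tried += 1
        if data[i:i + len(pattern)] == pattern:
            return True, tried
    return False, tried

def compare():
    """Run both strategies over the original, a shifted variant and a clean file."""
    samples = {
        "original": make_sample(0),
        "variant": make_sample(7),   # assumed: pattern sits 7 bytes later than published
        "clean": b"." * 4096,
    }
    return {
        name: {
            "anchored": scan_at_offset(data, PATTERN, PUBLISHED_OFFSET),
            # assumed misreading: offset counted from a base 256 bytes into the file
            "wrong_base": scan_at_offset(data, PATTERN, 256 + PUBLISHED_OFFSET),
            "anywhere": scan_anywhere(data, PATTERN),
        }
        for name, data in samples.items()
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The second element of each result is the number of positions examined, which stands in for the scan run-time cost the editorial accepts.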
Spanish Telecom, Tequila, 2100
End-users of virus-specific scanning software in the United
Kingdom should take note that any memory-resident or
non-resident scanning software in use ought reliably to detect the
Spanish Telecom, Tequila and 2100 viruses. These viruses are
in the wild but despite the fact that one of them (Spanish
Telecom) was analysed some eight months ago, only four of
the thirteen scanners tested in the July 1991 edition of VB
detected it. The appearance in April of the Tequila virus,
which spread across Europe via an infected shareware master
diskette, underlines the need to update scanning software on a
very regular basis. In light of the rapidity with which new
virus infections can spread and take hold, virus-specific
software which is updated less than monthly now appears to
be of questionable value.
Plagiarism
An Italian boy calling himself ‘Cracker Jack’ has claimed
responsibility for a number of recent computer viruses, some
of which we report in this edition.
The samples themselves do not merit detailed technical
reporting but examination has revealed that many of this
young man’s rather amateurish programming efforts have
been copied from virus code developed by the Bulgarian virus
writer who calls himself Dark Avenger. This obvious plagiarism
has almost certainly occurred due to the mushrooming of
the virus ‘exchange’ Bulletin Board Systems which VB
reported in May this year.
It would appear that cooperation between virus writers is now
at an all-time high - the Bulletin Boards are being used as
forums to swap ideas, upload and download object and source
code as well as the more popular anti-virus public domain and
shareware tools (presumably so that they may be subverted).
These virus exchange Bulletin Boards are without doubt the
single area of greatest concern to the anti-virus community.
Scotland Yard Arrests ‘8LGM’ Hacking Ring
The City & Metropolitan Police’s Computer Crimes Unit, in a
complex combined operation with British Telecom, has
arrested the three UK-based members of an international
hacking ring known as ‘8LGM’. The operation, the largest of
its type and involving eight regional police forces, was
mounted during the early hours of Thursday 27th June 1991.
Officers simultaneously arrested Neil Woods of Oldham, Karl
Austin Strickland of Liverpool and Paul Daniel Bedworth of
Ilkley, West Yorkshire, and charged them with conspiracy to
contravene the Computer Misuse Act 1990 and with conspiracy
to commit false accounting. They are bailed to appear
before Bow Street Magistrates Court on 24th July.
The court case is expected to be delayed for several months to
allow investigators to sift through the enormous volume of
hardcopy and over a gigabyte of disk-based material, in a
variety of formats, seized at the defendants’ homes. Using the
conspiracy charges will enable the Crown’s Prosecutor to
demonstrate to the Court the full enormity of this case as all
three defendants will face trial together.
New Scotland Yard sources reveal that a number of the victim
sites were unaware that they had been targeted; detectives will
be contacting all known victims over the next few weeks.
While the police are confident they have rounded up all
8LGM’s UK members, they know that this group has members
in other countries.
Long-standing VB readers will know that New Scotland Yard’s
Computer Crimes Unit is also responsible for the collation of
evidence regarding computer virus attacks. The unauthorised
modification of computer systems is an offence under Section
3 of the Computer Misuse Act; this has been interpreted to
cover computer viruses, which by necessity modify programs
and/or boot sectors.
The Computer Crimes Unit can be contacted by telephone on
071 230 1176 or 1177.