From: jadestar@netcom.com (JaDe)
To: WheatonB@603cs.croughton.af.mil
Message Hash: 02a7c58194cf3d81f95d5afcc1082f42a8f363beb6a50f73ceb7a4a1e565cb0f
Message ID: <199512130009.QAA16527@netcom.netcom.com>
Reply To: <9511128188.AA818815409@603cs.croughton.af.mil>
UTC Datetime: 1995-12-13 02:20:22 UTC
Raw Date: Wed, 13 Dec 1995 10:20:22 +0800
Subject: Re: F. Y. I.
MIME-Version: 1.0
Content-Type: text/plain
>
> To all. This is something I received from a fellow Internet user in
> the States. I don't know where he got this info, but I thought we may
> all benefit from this warning.
>
> SrA Lounsbury sends...
>
> >>>>>>SUBJECT: VIRUSES--IMPORTANT PLEASE READ IMMEDIATELY
> >>>>>>line "Good Times", DO NOT read the message, DELETE it

I've been employed by two of the largest and most well-known
Anti-Virus software companies in the world (Symantec and now
McAfee).
I've supported a wide variety of anti-virus products.

I can assure you that this is a hoax. There is currently
no known mechanism by which an e-mail message could "infect"
and "propagate" independent of OS and MUA. In other words
it would require a specific combination of operating system
and platform and/or a specific mail reading program
to transparently execute code (macros whatever) inside of a
mail message.

Java, LiveScript, and Microsoft's transparent MSN hooks
could allow these sorts of things in the future (through
suitably *bad* client software). Also I've heard that
the e-mail package included with WordPerfect Office can
execute some binary attachments, automatically.

Other than those two exceptions I know of no way that this
would be feasible.

On comp.virus (or was it alt.comp.virus??) there was considerable
(and heated) debate about the feasibility (and possible
*desirability* <g>) of a trojan horse that would be specific to
a client (like AOL's proprietary access software) and would
pipe in some data to exploit some as yet undiscovered bug
(like the famous fingerd buffer overflow) to force execution
of CPU specific machine code.

In any event these would not be "viruses" in the traditional
computer sense of the term. Virus researchers naturally have
to distinguish between worms, logic bombs, trojan horses,
droppers, and various types of virus. There is considerable
literature on these distinctions (which I have neither the
time nor the expertise to attempt to duplicate here).

(and there was much rejoicing).

All of this has little to do with cryptography.

The cryptography used in computer viruses is generally not very
sophisticated. The primary constraints are compactness of
algorithm and convenience of the implementation with respect to
a given processor. The only purpose is to obfuscate the code --
try to limit the efficiency or effectiveness of signature based
scanning engines. Mostly they use self-modifying code loops
with XOR's and simple ADD's and SUB's. I heard of one that
PUSHed all its code onto the stack and then did a simple FAR
JMP to it (apparently quite compact).

Finally I'd like to recommend that people please restrain
themselves from forwarding press releases from various
sources to other mailing lists that "might be interested."
Most of us are big boys and girls. If our interest is
sufficiently broad, we'll go subscribe to those other lists
or newsgroups.

If you insist on referring to things from other sources --
perhaps a short query (like "Say does anyone here think the
'Good Times' virus has anything to do with cryptography?"
and "Well, if you're interested you can find out more about it
on foo -- or ask and I'll forward a copy") will be more
conservative of our time and bandwidth.

(Now y'all can flame me for wasting this much on a largely
off-topic response -- but please feel free to direct those
flames to /dev/null or to *just me*).
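
Added example, not part of the original message: the constant-key XOR and ADD/SUB encodings the post describes defeat a plain byte-signature search, but a scanner can match on the XOR or difference of adjacent bytes, which does not depend on the key (often called X-ray scanning). The signature, keys and sample buffers below are constructed for illustration.

```python
# Added example: key-invariant ("X-ray") signature matching.
# SIGNATURE, the keys and the sample buffers are constructed for illustration.

SIGNATURE = b"CONSTRUCTED-SAMPLE-SIGNATURE"

def xor_delta(data: bytes) -> bytes:
    # (p[i]^k) ^ (p[i+1]^k) == p[i] ^ p[i+1], so a constant XOR key cancels.
    return bytes(a ^ b for a, b in zip(data, data[1:]))

def add_delta(data: bytes) -> bytes:
    # (p[i+1]+k) - (p[i]+k) == p[i+1] - p[i] (mod 256), so an ADD/SUB key cancels.
    return bytes((b - a) & 0xFF for a, b in zip(data, data[1:]))

def xray_scan(buf: bytes, sig: bytes = SIGNATURE):
    """Return (offset, scheme, key) for the first encoded copy of sig, else None."""
    for scheme, delta in (("xor", xor_delta), ("add", add_delta)):
        off = delta(buf).find(delta(sig))
        if off == -1:
            continue
        # Matching deltas mean buf[off:] differs from sig by one constant; recover it.
        if scheme == "xor":
            key = buf[off] ^ sig[0]
        else:
            key = (buf[off] - sig[0]) & 0xFF
        return off, scheme, key
    return None

# Constructed sample buffers: 7 filler bytes, the marker, 4 trailing bytes.
PLAIN = b"\x90" * 7 + SIGNATURE + b"tail"
XORED = bytes(b ^ 0x5A for b in PLAIN)            # constant XOR key 0x5A
ADDED = bytes((b + 0x21) & 0xFF for b in PLAIN)   # constant ADD key 0x21
CLEAN = b"Subject: Re: F. Y. I."                  # unrelated text

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("xored", XORED), ("added", ADDED), ("clean", CLEAN)):
        print(f"{name:5}  naive={SIGNATURE in buf!s:5}  xray={xray_scan(buf)}")
```

A plaintext copy is reported as XOR with key 0, so the same pass covers unencoded and encoded copies.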