The following text is copyright (c) 1987-1990 CompuServe Magazine and may not be reproduced without the express written permission of CompuServe. CompuServe Magazine's Virus History Timeline CompuServe Magazine is published monthly by the CompuServe Information Service, the world's largest on-line information service with over 600,000 subscribers worldwide. If you would like to become a CompuServe subscriber, call 1-800-848-8199 to receive a copy of the CompuServe Information Service membership kit. - 1989 - VIRUS STRIKES UNIVERSITY OF OKLA. (Jan. 11) Officials at the University of Oklahoma in Norman, Okla., blame a computer virus for ruining several students' papers and shutting down terminals and printers in a student lab at the university library. Manager Donald Hudson of Bizzell Memorial Library told The Associated Press that officials have purged the library computers of the virus. He said the library also has set up extra computers at its lab entrance to inspect students' programs for viruses before they are used on other computers. The wire service said the library's virus probably got into a computer through a student's disk, but the student may not have known the virus was there. Hudson said the library's computers are not linked to any off-campus systems. However, the computers are connected through printers, which he said allowed the virus to spread. --Charles Bowen "FRIDAY THE 13TH" VIRUS STRIKES (Jan. 13) Data files and programs on personal computers throughout Britain apparently were destroyed today by what was termed a "Friday the 13th" computer virus. Alan Solomon, managing director of S and S Enterprises, a British data recovery center, told The Associated Press that hundreds of users of IBM and compatible PCs reported the virus, which he said might be a new species. Solomon, who also is chairman of an IBM users group, told the wire service that phone lines to the center were busy with calls for help from businesses and individuals whose computers were struck by the virus. "It has been frisky," he said, "and hundreds of people, including a large firm with over 400 computers, have telephoned with their problems." S and S hopes to figure out how the virus operates and then attempt to disable it. "The important thing is not to panic and start trying to delete everything in a bid to remove the virus," Solomon said. "It is just a pesky nuisance and is causing a lot of problems today." --Charles Bowen "FRIDAY THE 13TH" VIRUS MAY BE NEW VERSION OF ONE FROM ISRAEL (Jan. 14) Investigators think the "Friday the 13th" virus that struck Britain yesterday might be a new version of the one that stymied computers at the Hebrew University in Jerusalem on another Friday the 13th last May. As reported here yesterday (GO OLT-308), hundreds of British IBM PCs and compatibles were struck by the virus, which garbled data and deleted files. Jonathan Randal of The Washington Post Foreign Service reports the program is being called the "1,813" variety, because of the number of unwanted bytes it adds to infected software. He says the specialists are convinced the program "is the brainchild of a mischievous -- and undetected -- computer hacker at Hebrew University." Alan Solomon, who runs the IBM Personal Computer User Group near London, told the Post wire service that 1,813 was relatively benign, "very minor, just a nuisance or a practical joke." Solomon said he and other specialists first noted the virus in Britain several months ago when it began infecting computers. Solomon's group wrote security software with it distributed free, so, he said, the virus basically struck only the unlucky users who didn't take precautions. --Charles Bowen LIBRARY OF CONGRESS VIRUS VICTIM (Jan. 27) An official with the US Library of Congress acknowledges that the institution was struck by a computer virus last fall. Speaking to a delegation of Japanese computer specialists touring Washington, D.C., yesterday, Glenn McLoughlin of the library's Congressional Research Service disclosed that a virus was spotted and killed out of the main catalog computer system before it could inflict any damage to data files. Associated Press writer Barton Reppert quoted McLoughlin as saying, "It was identified before it could spread or permanently erase any data." McLoughlin added the virus was found after personnel logged onto computers at the library and noticed they had substantially less memory space to work with than they had expected. He said the virus apparently entered the system through software obtained from the University of Maryland. "We don't know," he said, "whether it was a student at Maryland, or whether Maryland had gotten it from somebody else. That was simply the latest point of departure for the software." Meanwhile, Reppert also quoted computer security specialist Lance J. Hoffman of George Washington University as saying the world may be heading toward a catastrophic computer failure unless more effective measures are taken to combat viruses. Comparing last November's virus assault on the Pentagon's ARPANET network to a nuclear accident that "could have had very disastrous consequences for our society," Hoffman told the visitors, "It wasn't Chernobyl yet, it was the Three Mile Island -- it woke a lot of people up." Online Today has been following reports of viruses for more than a year now. For background files, type GO OLT-2039 at any prompt. And for other stories from The Associated Press, type GO APO. --Charles Bowen CHRISTMAS VIRUS FROM FRANCE? (Jan 30) A little noticed software worm, the so-called Christmas Decnet virus, may have originated from Germany or France. Apparently released at the end of December, the worm replicated itself only onto Digital Equipment Corp. computers that were connected to Decnet, a national communications network often accessed by DEC users. At least one system administrator has noticed that the worm collected identifying information from the invaded terminals and electronically mailed that information to a nedw�rk`����J��2�ancen T�e ass�mptZ�J́that the French node collected the information and, subsequently, used it to propagate the worm throughout the network. The so-called German connection came about because of the way the worm presents text information on invaded terminals. Though written in English, the worm message is said to contain strong indications of Germanic language syntax. Predictably, a German "connection" has led to speculation that Germany's Chaos Computer Club may have had a role in worm's creation. --James Moran SPLIT SEEN ON HOW TO PROSECUTE MAN ACCUSED OF ARPANET VIRUS (Feb. 2) Authorities apparently are divided over how to prosecute Robert T. Morris Jr., the 23- year-old Cornell University graduate student suspected of creating the virus that stymied the national Arpanet computer network last year. The New York Times reports today these two positions at issue: -:- US Attorney Frederick J. Scullin in Syracuse, N.Y., wants to offer Morris a plea bargain to a misdemeanor charge in exchange for information he could provide. Scullin reportedly already has granted Morris limited immunity in the case. -:- Some in the US Justice Department want Morris charged with a felony in hopes of deterring similar computer attacks by others. They are angry over Morris's receiving limited immunity. Confirming a report in The Times, a source who spoke on condition of anonymity told Associated Press writer Carolyn Skorneck the idea of granting Morris limited immunity has "caused a lot of consternation down here." Skorneck notes the 1986 Computer Fraud and Abuse Act makes unlawful access to a government computer punishable by up to a year in jail and a $250,000 fine. If fraud is proved, the term can reach 20 years in prison. The source told AP, "As far as we're concerned, the legal problem was still (Morris's) intent." In other words, officials apparently are uncertain whether Morris had planned to create and spread the virus that infected some 6,000 government computers on the network last Nov. 2. As reported earlier, Morris allegedly told friends he created the virus but that he didn't intend for it to invade the Unix- based computers linked to Arpanet. Skorneck says Mark M. Richard, the Justice Department official who is considering what charges should be brought in the case, referred questions to the FBI, which, in turn, declined to discuss the case because it is an ongoing investigation. 0H�weverl S۷]�֭�� ����-�said he understood the FBI was extremely upset over the limited immunity granted to Morris. Meanwhile, Morris's attorney, Thomas Guidoboni of Washington, D.C., said no plea bargain had been worked out, "They have not told me," he said, "what they've recommended, and I've not offered on behalf of my client to plead guilty to anything. I have told p(Y[�W����t plead guilty to a felony. I'm very emphatic about that." --Charles Bowen FEDERAL GROUP FIGHTS VIRUSES (Feb. 3) The Computer Emergency Response Team (CERT) has been formed by the Department of Defense and hopes to find volunteer computer experts who will help federal agencies fight computer viruses. CERT's group of UNIX experts are expected to help users when they encounter network problems brought on by worms or viruses. A temporary group that was formed last year after Robert T. Morris Jr. apparently let loose a bug that infected the Department of Defense's Advanced Project Agency network (ARPANET), will be disbanded. The Morris case has some confusing aspects in that some computer groups have accused federal prosecutors with reacting hysterically to the ARPANET infection. It has been pointed out that the so-called Morris infection was not a virus, and that evidence indicates it was released onto the federal network accidentally. CERT is looking toward ARPANET members to supply its volunteers. Among those users are federal agencies, the Software Engineering Institute and a number of federally-funded learning institutions. Additional information is available from CERT at 412/268- 7090. --James Moran COMPUTER VIRUSES HOT ISSUE IN CONGRESS (Feb. 3) One of the hottest high-tech issues on Capitol Hill is stemming the plague of computer viruses. According to Government Computer News, Rep. Wally Herger (R-Calif.) has pledged to reintroduce a computer virus bill that failed to pass before the 100th Congress adjourned this past fall. The measure will create penalties for people who inject viruses into computer systems. "Unfortunately, federal penalties for those who plant these deadly programs do not currently exist," said Herger. "As a result, experts agree that there is little reason for a hacker to even think twice about planting a virus." (Herger then later corrected himself saying those who plant viruses are not hackers but rather criminals.) GCN notes that the bill calls for prison sentences of up to 10 years and extensive fines for anyone convicted of spreading a computer virus. It would also allow for civil suits so people and businesses could seek reimbursement for system damage caused by a virus attack. If the bill is referred to the Judiciary Committee, as is likely, it stands a reasonable chance of passage. Rep. Jack Brooks, a longtime technology supporter, is the new head of that committee and he has already stated that the new position will not dampen his high-tech interests. -- Cathryn Conroy CONGRESS LOOKS AT ANOTHER COMPUTER PROTECTION BILL (Feb. 27) The Computer Protection Act (HR 287) is the latest attempt by Congress to battle computer viruses and other forms of sabotage on the high-tech machines. Introduced by Rep. Tom McMillan (D-Md.), the bill calls for a maximum of 15 years in prison with fines of $100,000 to $250,000 for those convicted of tampering with a computer, be it hardware or software. "With the proliferation of various techniques to tamper with computers, we need to fill the void in federal law to deal with these criminals," said McMillan. "This legislation will send the clear signal that infiltrating computers is not just a cute trick; it's against the law." The bill, which has been referred to the Judiciary Committee, is written quite broadly and is open to interpretation. -- Cathryn Conroy VIRUS CREATOR FOUND DEAD I�!39 (March 17) A Californian who said he and one of his students created the first computer virus seven years ago as an experiment has been found dead at 39 following an apparent aneurysm of the brain. Jim Hauser of San Luis Obispo died Sunday night or Monday morning, the local Deputy Coroner, Ray Connelly, told The Associated Press. Hauser once said he and a student developed the first virus in 1982, designing it to give users a "guided tour" of an Apple II. He said that, while his own program was harmless, he saw the potentially destructive capability of what he termed an "electronic hitchhiker" that could attach itself to programs without being detected and sneak into private systems. --Charles Bowen HOSPITAL STRUCK BY COMPUTER VIRUS (March 22) Data on two Apple Macintoshes used by a Michigan hospital was altered recently by one or more computer viruses, at least one of which apparently traveled into the system on a new hard disk that the institution bought. In its latest edition, the prestigious New England Journal of Medicine quotes a letter from a radiologist at William Beaumont Hospitals in Royal Oak, Mich., that describes what happened when two viruses infected computers used to store and re!d)nuclear scans that are taken to diagnose patients' diseases. The radiologist, Dr. Jack E. Juni, said one of the viruses was relatively benign, making copies of itself while leaving other data alone. However, the second virus inserted itself into programs and directories of patient information and made the machines malfunction. "No lasting harm was done by this," Juni wrote, because the hospital had backups, "but there certainly was the potential." Science writer Daniel Q. Haney of The Associated Press quoted Juni's letter as saying about three-quarters of the programs stored in0t�e`��j��II@PCs were infected. Haney said Juni did not know the origin of the less harmful virus, "but the more venal of the two apparently was on the hard disk of one of the computers when the hospital bought it new. ... The virus spread from one computer to another when a doctor used a word processing program on both machines while writing a medical paper." Juni said the hard disk in question was manufactured by CMS Enhancements of Tustin, Calif. CMS spokesman Ted James confirmed for AP that a virus was inadvertently put on 600 hard disks last October. Says Haney, "The virus had contaminated a program used to format the hard disks. ... It apparently got into the company's plant on a hard disk that had been returned for servicing. James said that of the 600 virus-tainted disks, 200 were shipped to dealers, and four were sold to customers." James also said the virus was "as harmless as it's possible to be," that it merely inserted a small piece of extra computer code on hard disks but did not reproduce or tamper with other material on the disk. James told AP he did not think the Michigan hospital's problems actually were caused by that virus. --Charles Bowen MORE HOSPITALS STRUCK BY VIRUS (March 23) The latest computer virus attack, this one on hospital systems, apparently was more far- reaching than originally thought. As reported here, a radiologist wrote a letter to the New England Journal of Medicine detailing how data on two Apple Macintoshes used by the William Beaumont Hospital in Royal Oak, Mich., was altered by one or more computer viruses. At least one of the viruses, he said, apparently traveled into the system on a new hard disk the institution bought. Now Science writer Rob Stein of United Press International says the virus -- possibly another incarnation of the so-called "nVIR" virus -- infected computers at three Michigan hospitals last fall. Besides the Royal Oak facility, computers at another William Beaumont Hospital in Troy, Mich., were infected as were some desktop units at the University of Michigan Medical Center in Ann Arbor. Stein also quoted Paul Pomes, a virus expert at the Universh�y of Illinois in Champaign, as saying this was the first case he h�@`�YX.z��J�������� ������5Rh��$Vkɭ�ѕ��a computer used for patient care or diagnosis in a hospital. However, he added such disruptions could become more common as personal computers are used more widely in hospitals. The virus did not harm any patients but reportedly did delay diagnoses by shutting down computers, creating files of non-existent patients and garbling names on patient records, which could have caused more serious problems. Dr. Jack Juni, the radiology who reported the problem in the medical journal, said the virus "definitely did affect care in delaying things and it could have affected care in terms of losing this information completely." He added that if patient information had been lost, the virus could have forced doctors to repeat tests that involve exposing patients to radiation. Phony and garbled files could have caused a mix-up in patient diagnosis. "This was information we were using to base diagnoses on," he said. "We were lucky and caught it in time." Juni said the virus surfaced when a computer used to display images used to diagnose cancer and other diseases began to malfunction at the 250-bed Troy hospital last August. In October, Juni discovered a virus in the computer in the Troy hospital. The next day, he found the same vir�s2in a similar computer in the 1,200-bed Royal Oak facility. As noted, the virus seems to have gotten into the systems through a new hard disk the hospitals bought, then spread via floppy disks. The provider of the disk, CMS Enhancements Inc. of Tustin, Calif., said it found a virus in a number of disks, removed the virus from the disks that had not been sent to customers and sent replacement programs to distributors that had received some 200 similar disks that already had been shipped. However, CMS spokesman Ted James described the virus his company found as harmless, adding he doubted it could have caused the problems Juni described. "It was a simple non-harmful virus," James told UPI, "that had been created by a software programmer as a demonstration of how viruses can infect a computer." Juni, however, maintains the version of the virus he discovered was a mutant, damaging version of what originally had been written as a harmless virus known as "nVIR." He added he also found a second virus that apparently was harmless. He did not know where the second virus originated. --Charles Bowen GOVERNMENT PLANS FOR ANTI-VIRUS CENTERS (March 24) Federal anti-virus response centers that will provide authentic solutions to virus attacks as they occur will be developed by the National Institute of Standards and Technology, reports Government Computer News. The centers will rely on unclassified material throughout the federal government and provide common services and communication among other response centers. NIST will urge agencies to establish a network of centers, each of which will service a different use or technological constituency. They will offer emergency response support to users, including problem-solving and identification of resources. GCN notes they will also aid in routine information sharing and help identify problems not considered immediately dangerous, but which can make users or a system vulnerable to sabotage. A prototype center called the Computer Emergency Response Team is already operational at the Defense Advanced Research Projects Agency and will serve as a model for the others. Although NIST and the Department of Energy will provide start-up funds, each agency will have to financially support its response center. --Cathryn Conroy MORRIS "WORM" WAS NEITHER GENIUS NOR CRIMINAL, COMMISSION SAYS (April 2) A Cornell University investigating commission says 23- year-old graduate student Robert Morris acted alone in creating the rogue program that infected up to 6,000 networked military computers last Nov. 2 and 3. In addition, the panel's 45- page report, obtained yesterday by The Associated Press, further concludes that while the programming by the Arnold, Md., student was not the work of a genius, it also was not the act of a criminal. AP says Morris, who is on a leave of absence from Cornell's doctoral program, declined to be interviewed by the investigating commission. Speculating on why Morris cre{�fd the rogue program, the panel wrote, "It may simply have been the unfocused intellectual meanderings of a hacker completely absorbed with his creation and unharnessed by considerations of explicit purpose or potential effect." Incidentally, the panel also pointed out what others in the industry observed last November, that the program technically was not a "virus," which inserts itself into a host program to reproduce, but actually was a "worm," an independent program that endlessly duplicates itself once placed in a computer system. As reported, Morris still is being investigated by a federal grand jury in Syracuse, N.Y., and by the US Justice Department in Washington, D.C. AP says the university commission rejected the idea that Morris created the worm to point out the need for greater computer security. Says the report, "This was an accidental byproduct of the event and the resulting display of media interest. Society does not condone burglary on the grounds that it heightens concern about safety and security." The report said, "It is no act of genius or heroism to exploit such weaknesses," adding that Morris, a first-year student, should have reported the flaws he discovered, which would "have been the most responsible course of action, and one that was supported by his colleagues." The group also believes the program could have been created by many students, graduate or undergraduate, particularly if they were aware of the Cornell system's well-known security flaws. The wire service quotes thg�eport`�.����ձ�ѥ���j��ɥ�Bp�K����wanted to spread the worm without detection, but did not want to clog the computers. In that regard, the commission said Morris clearly should have known the worm would replicate uncontrollably and thus had a "reckless disregard" for the consequences. However, the Cornell panel also disputed some industry claims that the Morris program caused about $96 million in damage, "especially considering no work or data were irretrievably lost." It said the greatest impact may be a loss of trust among scholars who use the research network. AP says the report found that computer science professionals seem to favor "strong disciplinary measures," but the commission said punishment "should not be so stern as to damage permanently the perpetrator's career." --Charles Bowen ETHICS STUDY NEEDED IN COMPUTING (April 4) A Cornell University panel says education is more effective than security in preventing students from planting rogue programs in research networks. As reported earlier, the panel investigated the work of Cornell graduate student Robert Morris Jr., concluding the 23-year-old Maryland man acted alone and never intended permanent damage when he inserted a "worm" into a nationwide research network last November. Speaking at a press conference late yesterday in Ithaca, N.Y., Cornell Provost Robert Barker said, "One of the important aspects of making the report public is that we can now use it on campus in a much fuller way than we have before." United Press International says Cornell has taken steps to improve its computer security since the incident, but members of the committee noted that money spent on building "higher fences" was money that could not be spent on education. Barker said Cornell will place a greater emphasis on educating its students on computer ethics, and might use the recent case as an example, instead of relying primarily on increased security to prevent similar incidents. Said the provost, "It was the security of the national systems, and not of Cornell, that was the problem here." As reported, Morris's worm infected up to 6,000 Unix-based computers across the country. A federal grand jury in Syracuse, N.Y., investigated the case and Justice Department officials in Washington now are debating whether to prosecute Morris. --Charles Bowen ILLINOIS STUDIES VIRUS LAW (April 15) The virus panic in some state legislatures continues as anti- virus legislation is introduced in Illinois. Illinois House Bill 498 has been drafted by Rep. Ellis B. Levin (D-Chicago) to provide criminal penalties for loosing a so-called computer virus upon the public. The bill is similar to one that has been introduced in Congress. Rep. Levin's bill provides that a person commits "'computer tampering by program' when he knowingly: inserts into a computer program information or commands which, when the program is run, causes or is designed to cause the loss, damage or disruption of a computer or its data, programs or property to another person; or provides or offers such a program to another person." Conviction under the legislation would result in a felony. A second conviction would bring harsher penalties. Currently, the bill is awaiting a hearing in the Illinois' House Judiciary II Committee. It is expected that testimony on HB 498 will be scheduled sometime during April. --James Moran ERRORS, NOT CRACKERS, MAIN THREAT (April 28) A panel of computer security experts has concluded that careless users pose a greater threat than malicious saboteurs to corporate and government computer networks. Citing the well-publicized allegations that Cornell University graduate student Robert T. Morris Jr. created a worm program last November that swept through some 6,000 networked systems, Robert H. Courtney Jr. commented, "It was a network that no one attempted to secure." According to business writer Heather Clancy of United Press International, Courtney, president of Robert Courtney Inc. computer security firm, said the openness of Internet was the primary reason it was popular among computer crackers, some of whom are less talented or more careless than others. "People making mistakes are going to remain our single biggest security problems," he said. "Crooks can never, ever catch up." Sharing the panel discussion in New York, Dennis D. Steinauer, a computer scientist with the National Institute for Standards and Technologies, added that network users should not rely only on technological solutions for security breaks. "Not everyone needs all security products and mechanisms out there," he said. "The market is not as large as it is for networking equipment in general." He added that a standard set of program guidelines, applicable to all types of networks, should be created to prevent mishaps. "There has been a tremendous amount of work in computer (operating) standards. The same thing is now happening in security." Fellow panelist Leslie Forman, AT&T's division manager for the data systems group, said companies can insure against possible security problems by training employees how to use computers properly and tracking users to make sure they aren't making potentially destructive errors. "It's not a single home run that is going to produce security in a network," she said. "It's a lot of little bunts." --Charles Bowen EXPERTS TESTIFY ON COMPUTER CRIME (May 16) Electronic "burglar alarms" are needed to protect US military and civilian� qomputer systems, Clifford Stoll, an astronomer at the Harvard- Smithsonian Center for Astrophysics, told a Senate Judiciary subcommittee hearing on computer crimes, reports United Press International. Stoll was the alert scientist who detected a 75-cent accounting error in August 1986 in a computer program at Lawrence Berkeley Laboratory that led him to discover a nationwide computer system had been electronically invaded by West Germans. "This was a thief stealing information from our country," he said. "It deeply bothers me that there are reprobates who say, `I will steal anything I can and sell it to whoever I want to.' It opened my eyes." Following his discovery, Stoll was so immersed in monitoring the illegal activity that he was unable to do any astronomy work for a year. "People kind of look at this as a prank," Stoll said. "It's kind of funny on the one hand. But it's people's work that's getting wiped out." The West German computer criminals, who were later determined to have been working for Soviet intelligence, searched the US computer network for information on the Strategic Defense Initiative, the North American Defense Command and the US KH-11 spy satellite. They also withdrew information from military computers in Alabama and California, although no classified information was on any of the computer systems. William Sessions, FBI director, also appeared before the Senate subcommittee and said the bureau is setting up a team to concentrate on the problem. He explained that computer crimes are among "the most elusive to investigate" since they are often "invisible." The FBI has trained more than 500 agents in this area. UPI notes that Sessions agreed to submit his recommendations to Sen. Patrick Leahy (D-Vt.), the subcommittee chairman, for new laws that could be used to protect sensitive computer networks from viruses. Currently, there are no federal laws barring computer viruses. The FBI is working with other federal agencies to assess the threat of such crimes to business and national security. William Bayes, assistant FBI director, told the senators he likens a computes� to a house with locks on the door. He explained that he has placed a burglar alarm on his computer at Berkeley, programming it to phone him when someone tries to enter it. He said more computer burglar alarms may be needed. -- Cathryn Conroy MASS. CONSIDERS NEW INTRUSION LAW (May 21) In Boston, a state senator has offered a bill that would make it a violation of Massachusetts law to enter a computer without authorization. It also would level penalties against those caught planting so-called computer "viruses." Sen. William Keating, the bill's sponsor, told The Associated Press his measure considers this new category of crime to be analogous to breaking into a building. "It's an attempt," Keating added, "to put on the statutes a law that would penalize people for destruction or deliberate modification or interference with computer properties. It clarifies the criminal nature of the wrongdoing and, I think, in that sense serves as a deterrent and makes clear that this kind of behavior is criminal activity." The senator credits a constituent, Elissa Royal, with the idea for the bill. Royal, whose background is in hospital administration, told AP, "I heard about (computer) viruses on the news. My first thought was the clinical pathology program. Our doctors would look at it and make all these decisions without looking at the hard copy. I thought, what if some malevolent, bright little hacker got into the system and changed the information? How many people would be injured or die?" Keating's bill would increase penalties depending on whether the attacker merely entered a computer, interfered with its operations or destroyed data. In the most serious case, a person found guilty of knowingly releasing a virus would be subject to a maximum of 10 years in prison or a $25,000 fine. AP says the bill is pending in committee, as staff members are refining its language to carefully define the term "virus." --Charles Bowen COMPUTER VACCINE MARKET THRIVES ON USER FEAR (May 23) The computer protection market is thriving. The reason? Fear. Fear of the spread of computer viruses and worms has caused a boom in products that are designed to protect unwitting users from the hazards of high- tech diseases. According to the Dallas Morning News, there is a surging cottage industry devoted to creating "flu shots" and "vaccines" in the form of software and hardware; however, many of these cures are nothing more than placebos. "There's a protection racket springing up," said Laura A. DiDio, senior editor of Network World, the trade publication that sponsored a recent executive roundtable conference in Dallas on "Network Terrorism." Last year alone, American businesses lost a whopping $555.5 million, 930 years of human endeavor and 15 years of computer time from unauthorized access to computers, according to statistics released by the National Center for computer Crime Data in Los Angeles, Calif. The most difficult systems to protect against viruses are computer networks since they distribute computing power throughout an organization. Despite the threat, sales are thriving. Market Intelligence Research says sales of ��sonalM com�utѶ�5�ݽ���q��equipment grew 50 percent last year and are expected to grow another 41 percent this year to $929.5 million. Meanwhile, the Computer Virus Industry Association says that the number of computer devices infected by viruses in a given month grew last year from about 1,000 in January to nearly 20,000 in November and remained above 15,000 in December. -- Cathryn Conroy MORRIS SUSPENDED FROM CORNELL (May 25) Robert T. Morris, the 23-year-old graduate student whose "worm" program brought down some 6,000 networked government and scientific computers last November, has been suspended from Cornell University. The New York Times reported today Cornell officials have ruled that Morris, a first-year graduate student, violated the school's Code of Academic Integrity. The paper quoted a May 16 letter to Morris in which Alison P. Casarett, dean of Cornell's graduate school, said the young man will be suspended until the beginning of the 1990 fall semester. Casarett added that if Morris wants to reapply, the decision to readmit him will be made by the graduate school's computer science faculty. The Times says the letter further states the decision to suspend Morris was an academic ruling and was not related to any criminal charges Morris might face. No criminal charges have been levied against Morris so far. A federal grand jury earlier forwarded its recommendations to the US Justice Department, but no action has been taken. As reported last month, a Cornell University commission has said Morris' action in creating and accidentally releasing the worm program into the ARPANET system of Unix-based computers at universities, private corporations and military installations was "a juvenile act that ignored the clear potential consequences." While the Morris worm did not destroy data, it forced the shut- down of many of the systems for up to two days while they were cleared of the rogue program. --Charles Bowen PENDING COMPUTER LAWS CRITICIZED (June 18) Computer attorney Jonathan Wallace says that the virus hystY�ZX�ѥ���hasn't quieted down and that legislation that will be reintroduced in Congress this year is vague and poorly drafted. Noting that at least one state, New York, is also considering similar legislation, Wallace says that legislators may have overlooked existing laws that apply to "software weapons." In a newsletter sent out to clients, Wallace notes p(X��ѡ�the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) cover the vast majority of software crimes. Wallace points out that both the ECPA and the CFAA already impose criminal penalties on illegal actions. Even the Senate Judiciary Committee has refutted the idea that more federal laws are needed. "Why don't we give existing laws a chance to work, before rushing off to create new ones," Wallace asks. Wallace is the editor of Computer Li�!Letter and is an Assistant System Administrator on CompuServe's Legal Forum (GO LAWSIG). --James Moran NEW VIRUS HITS THAI COMPUTERS (June 27) A newspaper in Bangkok is reporting that a new computer virus, said to be the most destructive yet discovered, has struck computer systems in Thailand. According to the Newsbytes News Service, computer security specialist John Dehaven has told The Bangkok Post, "This is a very subtle virus that can lay dormant, literally, for years." The wire service says that two Thai banks and several faculties at Chulalongkorn University were hit by the rogue program -- called the "Israeli virus," because it was first detected there -- at the beginning of last month. Newsbytes says the infection spreads quickly through any computer once it is activated. --Charles Bowen CONGRESS STUDIES COMPUTER VIRUSES (July 21) The Congress is taking a hard look at a new report that says major computer networks remain vulnerable to computer viruses that are capable of crippling communications and stopping the nation's telecommunications infrastructure dead in its tracks. Rep. Edward Markey (D-Mass.), chairman of the House telecommunications subcommittee, told a hearing earlier this week that federal legislation may be needed to ease the threats posed by computer viruses. "The risk and fear of computer-based sabotage must be reduced to an acceptable level before we can reasonably expect our national networks to accomplish the purposes for which they were created," Markey said during a hearing Wednesday on the new congressional study. "We must develop policies that ensure (network's) secure operation and the individuals' rights to privacy as computer network technologies and applications proliferate," he added. The report by the General Accounting Office examined last year's virus attack that shut down the massive Internet system, which links 60,000 university, government and industry research computers. The GAO found that Internet and other similar systems remain open to attack with much more serious results than the temporary shutdown experienced by Internet. The GAO warned that the Internet virus, a "worm" which recopied itself until it exhausted all of the systems available memory, was relatively mild compared to other more destructive viruses. "A few changes to the virus program could have resulted in widespread damage and compromise," the GAO report said. "With a slightly enhanced program, the virus could have erased files on infected computers or remained undetected for weeks, surreptitiously changing information on computer files," the report continued. The GAO recommended the president's science advisor and the Office of Science and Technology Policy should take the lead in developing new security for Internet. In addition, the report said Congress should consider changes to the Computer Fraud and Abuse Act of 1986, or the Wire Fraud Act, to make it easier to bring charges against computer saboteurs. Joining in sounding the alarm at the hearing was John Landry, executive vice president of Cullinet Software of Westwood, Mass., who spoke on behalf of ADAPSO. "The range of threats posed by viruses, worms and their kin is limited only by the destructive imagination of their authors," Landry said. "Existing computer security systems often provide only minimal protection agaif�u a determined attack." Landry agreed the Internet attack could have been much worse. He said viruses have been found that can modify data and corrupt information in computers by means as simple as moving decimal points one place to the left or right. One recently discovered virus, he said, can increase disk access speed, resulting in the wearing out of disk drives. They also have been linked to "embezzlement, fraud, industrial espionage and, more recently, international political espionage," he said. "Virus attacks can be life threatening," Landry said, citing a recent attack on a computer used to control a medical experiment. "The risk of loss of life resulting from infections of airline traffic control or nuclear plant monitoring systems is easily imaginable," he said. Landry said ADAPSO endorses the congressional drive toward tightening existing law to ensure that computer viruses are covered along with other computer abuses. --J. Scott Orr GLOSSARY OF VIRUS-RELATED TERMS (July 21) Until last year's computer virus attack on the massive Internet network made headlines, computer sabotage attracted little attention outside computer and telecommunications circles. Today "computer virus" has become a blanket term covering a wide range of software threats. ADAPSO, the computer software and services industry association, believes the term has been thrown around a little too loosely. Here, then, is ADAPSO's computer virus glossary: -:- COMPUTER VIRUS, a computer program that attaches itself to a legitimate, executable program, then reproduces itself when the program is run. -:- TROJAN HORSE, a piece of unauthorized code hidden within a legitimate program that, like a virus, may execute immediately or be linked to a certain time or event. A trojan horse, however, does not self-replicate. -:- WORM, an infection that enters a computer system, typically through a security loophole, and searches for idle computer memory. As in the Internet case, the worm recopies itself to use up available memory. -:- TRAPDOOR, a program written to provide future access to computer systems. These are typical entryways for worms. -:- TIME BOMB, a set of computer instructions entered into a system or piece of software that are designed to go off at a predetermined time. April Fool's Day and Friday the 13th have been popular times for time bomb's to go off. -:- LOGIC BOMB, similar to a time bomb, but linked instead to a certain event, such as the execution of a particular sequence of commands. -:- CHAOS CLUB, a West German orc!�ization that some have alleged was fn�med to wreak havoc on computer systems through the use of viruses and their kin. --J. Scott Orr MORRIS INDICTED IN WORM INCIDENT (July 27) A federal grand jury has indicted the 24-year-old Cornell University graduate student who is alleged to have released a "worm" program that temporarily crippled the massive Internet computer network last November. Robert Tappan Morris of Arnold, Md., becomes the first person to be indicted under the federal Computer Fraud and Abuse Act of 1986 in connection with the spread of a computer virus. In convicted, Morris faces a maximum sentence of five years in federal prison and a $250,000 fine. Morris' attorney, Thomas A. Guidoboni, said his client will fight the charges. The virus, a worm that sought out unused memory throughout the system and recopied itself to fill the vacant space, infected at least 6,000 computers nationwide. Internet is an unclassified, multinetwork system connecting 500 networks and more than 60,000 computers around the world. The indictment, handed up yesterday in Syracuse, N.Y., charges Morris "intentionally and without authorization, accessed ... federal interest computers." The action, the indictment continued, "prevented the authorized use of one or more of these federal interest computers and thereby caused a loss to one or more others of a value aggregating $1,000 or more." The indictment said the illegally accessed computers included those at the University of California at Berkeley, the Massachusetts Institute of Technology, the National Aeronautics and Space Administration, Purdue University and the US Air Force Base Logistics Command at Wright Paterson Air Force Base in Dayton, Ohio. "Mr. Morris will enter a plea of not guilty and contest the charge against him," Guidoboni said. He said his client "looks forward to his eventual vindication and his return to a normal life." Morris, a Harvard graduate and computer science graduate student at Cornell, is about to begin a one-year suspension from Cornell that stemmed from the incident. His father is chief computer scientist for the National Computer Security Center near Baltimore. The indictment comes less than a week after the General Accounting Office found that Internet and other similar systems remain open to attack with much more serious results than the temporary shutdown experienced last year. The GAO warned the Internet virus was relatively mild compared to other more destructive viruses. It went on to recommend the President's Science Advisor and the Office of Science and Technology Policy take the lead in developing new security for Internet. In addition, the report said Congress should consider changes to the Computer Fraud and Abuse Act, or the Wire Fraud Act, to make it easier to bring charges against computer saboteurs. The GAO said the Internet worm spread largely by exploiting security holes in system software based on the Berkeley Software Distribution Unix system, the most commonly used operating system on Internet. The report from the GAO said the virus moved with startling speed. It was first detected at 9 p.m. on Nov. 2. Within an hour it had spread to multiple sites and by the next morning had infected thousands of systems. According to GAO, the virus had four methods of attack. It used: -:- A debugging feature of the "Sendmail" utility program to allow the sending of an executable program. After issuing a debug command, the virus gave orders to copy itself. -:- A hole in another utility program -- "Fingerd," which allows users to obtain public information about other users -- to move on to distant computers. -:- Different methods to guess at user passwords. Once successful, the virus "masqueraded" as a legitimate user to spread and access other computers. -:- "Trusted host" features to spread quickly though local networks once one computer was penetrated. --J. Scott Orr RESEARCHER UNCOVERS OCT. 12 VIRUS (July 31) An official with a British firm that markets anti-virus software says the company has uncovered a new virus called "Datacrime" is set to attack MS-DOS systems starting O�t< 12. Dr. Jan Hruska of Sophos UK tells Computergram International the virus apparently appends itself to .COM (command) files on MS-DOS systems. "Operating on a trigger mechanism," CI says, "the virus reformats track 0 of the hard disk on or after Oct. 12. It has no year check and so will remain active from Oct. 12 onwards destroying or losing programs and data." Hruska told the publication this is a relatively new virus and that its encrypted form reveals its name ("Datacrime") and its date of release, last March 1. Sophos markets a program called Vaccine version 4 designed to detect known viruses. --Charles Bowen MORRIS TO PLEAD INNOCENT (Aug. 2) Robert T. Morris Jr., the former Cornell University graduate student who was indicted last week by a federal grand jury, will plead innocent in federal court to charges he planted a computer worm that wrecked havoc with some 6,000 computers nationwide, reports United Press International. As reported, the 24-year-old Arnold, Md., resident was indicted by the grand jury on charges of breaking a federal statute by gaining unauthorized access to a nationwide computer network and causing damage in excess of $1,000. Both federal investigators and a Cornell University panel claim Morris created the computer worm, which spread from the Cornell campus in Ithaca, N.Y., on Nov. 2 to computers around the country, notes UPI. The worm infiltrated a Department of Defense computer system and forced many federal and university computers to shut down. The exact amount of damage has not been determined. If convicted, Morris could be sent to prison for five years and fined up to $250,000. In addition, the judge could order him to make restitution to those who were adversely affected by the incident. -- Cathryn Conroy NIST FORMS COMPUTER SECURITY NETWORK (Aug. 3) The National Institute of Standards and Technology is working with other federal agencies to establish a government-wide information network on security incidents and issues, reports Government Computer News. Organized by NIST's Computer Security Division, the network would supply the latest information to agencies on security threats, develop a program to report and assess security incidents as well as offer assistance. Dennis Steinauer, evaluation group manager of the Computer Security Division, said the plan is a response to the communications problems federal agencies suffered during last November's worm attack on Internet b9 Jornell University graduate student Robert T. Morris Jr. In addition to NIST, the departments of Energy, Justice and Transportation as well as the National Science Foundation and NASA are participating in the project, which calls for each agency to organize a security incident response and resource center. NIST's network would connect the centers electronically, allowing them to communicate with one another. Steinauer said he wants to set up a master database of contacts, phone numbers and fax numbers to ensure communications. One aspect of the plan calls for each center to become expert in some specific area of the technology, such as personal computers, local area networks or multiuser hosts. "The answer is not some monolithic, centralized command center for government," Steinauer told GCN. "Problems occur in specific user or technology communities, and we see the solutions evolving where the reaction is by people who know the user community and the environment." He explained that the Computer Security Act has helped increase security awareness within the government, but the emergence of computer viruses, worms and other sophisticated threats has demonstrated the need for more advanced security tools. -- Cathryn Conroy AUSTRALIAN CHARGED WITH CRACKING (Aug. 14) Australia is reporting its first computer cracking arrest. A Melbourne student is charged with computer trespass and attempted criminal damage. Authorities allege 32-year-old Deon Barylak was seen loading a personal computer with a disk that was later found to possess a computer virus. "Fortunately, it was stopped before it could spread, which is why the charge was only attempted criminal damage," senior detective Maurice Lynn told Gavin Atkins for a report in Newsbytes News Service. The wire service said Barylak could face a maximum of 100 years' jail and a fine. Also police expect to make further arrests in connection with the case. Authorities said Barylak also faces charges of possessing computer equipment allegedly stolen from a community center. --Charles Bowen INTERNET VIRUS BACK? (Sept. 4) Apparently, neither the threat of criminal sanctions nor the hazards of investigation by the FBI is enough to keep the Internet computer communications network secure from intrusion. The Department of Defense agency responsible for monitoring Internet security has issued a warning that unauthorized system activity recently has been detected at a number of sites. The Computer Emergency Response Team (CERT) says that the activity has been evident for some months and that security on some networked computers may have been compromised. In a warning broadcast to the Internet, CERT says that the problem is spreading. Internet first came to general attention when a came to much of the computing communities attention when a 23-year-old Cornell University student was said to be responsible for inserting a software "worm" into the network. The Department of Defense's Advanced Project Agency network (ARPANET) also was infected and CERT was formed to safeguard networks used or accessed by DoD emplyees and contractors. In its warning about recent intrusions, CERT says that several computers have had their network communications programs replaced with hacked versions that surreptitiously capture passwords used on remote systems. "It appears that access has been gained to many of the machines which have appeared in some of these session logs," says a broadcast CERT warning. "As a first step, frequent telnet [communications program] users should change their passwords immediately. While there is no cause for panic, there are a number of things that system administrators can do to detect whether the security on their machines has been compromised using this approach and to tighten security on their systems where necessary." CERT went on to suggest a number of steps that could be taken to verify the authenticity of existing programs on any individual UNIX computer. Among those was a suggestion to reload programs from original installation media. --James Moran AIR FORCE WARNS ITS BASES OF POSSIBLE "COLUMBUS DAY VIRUS" (Sept. 10) The US Air Force has warned its bases across the country about a possible computer virus reportedly set to strike MS-DOS systems Oct. 12. Warning of the so-called "Columbus Day virus" was issued by the Air Force Communications Command at Scott Air Force Base, Ill., at the request of the Office of Special Investigations. OSI spokesman Sgt. Mike Grinnell in Washington, D.C., told David Tortorano of United Press International the advisory was issued so computer operators could guard against the alleged virus. "We're warning the military about this," Grinnell said, "but anybody that uses MS-DOS systems can be affected." As reported here July 31, Dr. Jan Hruska, an official with a British firm called Sophos UK, which markets anti-virus software, said his company had uncovered a new virus called "Datacrime." Hruska told Computergram International at the time that the virus apparently appends itself to .COM (command) files on MS-DOS systems. Said CI, "Operating on a trigger mechanism, the virus reformats track 0 of the hard disk on or after Oct. 12. It has no year check and so will remain active from Oct. 12 onwards destroying or losing programs and data." Hruska told the publication this was a relatively new virus and that its encrypted form revealed its name ("Datacrime") and its date of release, last March 1. Meanwhile, Air Force spokeswoman Lynn Helmintoller at Hurlburt Field near Fort Walton Beach, Fla., told UPI that computer operators there had been directed to begin making backup copies of files on floppy disks just in case. She said the warning was received at the base Aug. 28. Staff Sgt. Carl Shogren, in charge of the small computer technology center at Hurlburt, told Tortorano no classified data would be affected by the possible virus attack because the disks used for classified work are different from those that might be struck. UPI quoted officials at Scott Air Force Base as saying the warning was sent to every base with a communications command unit, but that they did not know how many bases were involved. --Charles Bowen COMPUTER VIRUSES PLAGUE CONGRESS (Sept. 11) Although Congress recently passed the Computer Security Act to force federal agencies to guard against high-tech break- ins and computer viruses, the legislators may soon realize they made a costly mistake. The law applies to all federal agencies -- except Congress itself. And according to Government Computer News, Capitol Hill has been the victim of several recent virus attacks. One virus, for instance, emerged about a year ago in the Apple Macintosh computers of several House offices causing unexplained system crashes. A steep bill of some $100,000 was incurred before experts were confident the plague, now known as Scores, was stopped. However, it does still lurk in the depths of the computers, notes GCN, causing occasional malfunctions. Dave Gaydos, Congress' computer security manager, says the sources of many viruses may never be known, since some 10,000 programmers are capable of producing them. Capitol Hill legislators and staff members are only now becoming aware of the potential danger of viruses as more offices are exploring ways to connect with online database services and with each other through local area networks. GCN reports that last February, a California congressional office was the victim of a virus, caught while using a so-called vaccine program meant to detect intruders into the system. "I used to laugh about viruses," said Dewayne Basnett, a systems specialist on Capitol Hill. "But now when you ask me about them, I get very angry. I think of all the time and effort expended to repair the damage they do." According to GCN, many of the 3,000 House employees with computers are ignorant of the risks and unable to take basic precautions. Although various computer specialists are trying to inform Hill users of computer security issues and offer training sessions, there is no broad support from the legislators themselves for such actions. "We are working to alert people to the dangers," said Gaydos, "but it may take an incident like a destructive virus to move [Congress] to take precautions." -- Cathryn Conroy VIRUS HITS AUSTRALIA (Sept. 12) Australian authorities are said to be confused about the origin of a supposed computer virus that has been making the rounds of computer installations in the South Pacific. An Australian newspaper, The Dominion, says that sensitive data in Defense Department computers has been destroyed by the virus. Dubbed the Marijuana virus because of the pro-drug message that is displayed before any data is erased, it is thought that the misbehaving bug originated in New Zealand. Some have even suggested that the program was purposely introduced into Australian Defense computers by agents of New Zealand, a contention that a Defense Department spokesman branded as "irresponsible." The two South Pacific nations have had strong disagreements about defense matters, including recent joint maneuvers in the area by Australian and US forces. A more likely explanation for the intrusion into Defense computers is the likelihood that Australian security specialists were examining the virus when they inadvertently released it into their own security system. The Marijuana virus is known to have been infecting computers in the country for at least three months and its only known appearance in government computers occurred in a Defense sub-department responsible for the investigation and prevention of computer viruses. --James Moran VIRUS THREAT ABSURDLY OVERBLOWN, SAY EXPERTS (Sept. 18) The so-called "Columbus Day Virus" purportedly set to destructively attack MS-DOS computers on Oct. 13 has computer users -- including the US military -- scampering to protect their machines. But according to The Washington Post, the threat is absurdly overblown with less than 10 verified sightings of the virus in a country with tens of millions of computers. "At this point, the panic seems to have been more destructive than any virus itself," said Kenneth R. Van Wyk, a security specialist at Carnegie-Mellon University's Software Engineering Institute, who has been taking some 20 phone calls daily from callers seeking advice on the subject. Bill Vance, director of secure systems for IBM Corp., told The Post, "If it was out there in any number, it would be spreading and be more noticeable." He predicted Oct. 13 is not likely to be "a major event." As reported in Online Today, this latest virus goes by several names, including Datacrime, Friday the 13th and Columbus Day. It lies dormant and unnoticed in the computer until Oct. 13 and then activates when the user turns on the machine. Appending itself to .COM (command) files, the virus will apparently reformats track 0 of the hard disk. The Post notes that the federal government views viruses as a grave threat to the nation's information systems and has set in motion special programs to guard computers against them and to punish those who introduce them. Centel Federal Systems in Reston, Va., a subsidiary of Centel Corp. of Chicago, is taking the threat seriously, operating a toll-free hotline staff by six full-time staff members. More than 1,000 calls have already been received. Tom Patterson, senior analyst for Centel's security operations, began working on the virus five weeks ago after receiving a tip from an acquaintance in Europe. He said he has dissected a version of it and found it can penetrate a number of software products designed to keep viruses out. Patterson told The Post that he found the virus on one of the machines of a Centel client. "The virus is out there. It's real," he said. Of course, where there's trouble, there's also a way to make money. "The more panicked people get," said Jude Franklin, general manager of Planning Research Corp.'s technology division, "the more people who have solutions are going to make money." For $25 Centel is selling software that searches for the virus. Patterson said, however, the company is losing money on the product and that the fee only covers the cost of the disk, shipping and handling. "I'm not trying to hype this," he said. "I'm working 20-hour days to get the word out." -- Cathryn Conroy SICK SOFTWARE INFECTS 100 HOSPITALS NATIONWIDE (Sept. 20) When a hospital bookkeeping computer program could not figure out yesterday's date, some 100 hospitals around the country were forced to abandon their computers and turn to pen and paper for major bookkeeping and patient admissions functions, reports The Washington Post. Although there was no permanent loss of data or threat to treatment of patients, the hospital accounting departments found themselves at the mercy of a software bug that caused major disruptions in the usual methods of doing business. The incident affected hospitals using a program provided by Shared Medical Systems Corp. of Pennsylvania. The firm stores and processes information for hospitals on its own mainframe computers and provides software that is used on IBM Corp. equipment. According to The Post, the program allows hospitals to automate the ordering and reporting of laboratory tests, but a glitch in the software would not recognize the date Sept. 19, 1989 and "went into a loop" refusing to function properly, explained A. Scott Holmes, spokesman for Shared Medical Systems. The firm dubbed the bug a "birth defect" as opposed to a "virus," since it was an accidental fault put into the program in its early days that later threatened the system's health. At the affected hospitals around the country, patients were admitted with pen and paper applications. Hospital administrators admitted the process was slower and caused some delay in admissions, but patient care was never compromised. -- Cathryn Conroy ARMY TO BEGIN VIRUS RESEARCH (Sept. 21) Viruses seem to be on the mind of virtually every department administrator in the federal government, and the US Army is no exception. The Department of the Army says it will begin funding for basic research to safeguard against the presence of computer viruses in computerized weapons systems. The Army says it will fund three primary areas of research: computer security, virus detection and the development of anti-viral products. Research awards will be made to US businesses who are eligible to participate in the Small Business Innovation Research (SBIR) program. The Army program, scheduled to begin in fiscal year 1990, is at least partially the result of Congressional pressure. For some months, Congressional staffers have been soliciting comments about viruses and their potential effect on the readiness of the US defense computers. Small businesses who would like to bid on the viral research project may obtain a copy of Program Solicitation 90.1 from the Defense Technical Information Center at 800/368-5211. --James Moran SO-CALLED "DATACRIME" VIRUS REPORTED ON DANISH POSTGIRO NET (Sept. 22) The so-called "Datacrime" virus, said to be aimed at MS-DOS system next month, reportedly has turned up on the Danish Postgiro network, a system of 260 personal computers described as the largest such network in Scandinavia. Computergram International, the British newsletter that first reported the existence of the Datacrime virus back in July, says, ""Twenty specialists are now having to check 200,000 floppy disks to make sure that they are free from the virus." Datacrime is said to attach itself to the MS-DOS .COM files and reformats track zero of the hard disk, effectively erasing it. However, as reported, some experts are saying the threat of the virus is absurdly overblown, that there have been fewer than 10 verified sightings of the virus in a country with tens of millions of computers. --Charles Bowen IBM RELEASING ANTI-VIRUS SOFTWARE (Oct. 4) In a rare move, IBM says it is releasing a program to check for personal computer viruses in response, in part, to customer worries about a possible attack next week from the so-called "Datacrime" virus. "Up until the recent press hype, our customers had not expressed any tremendous interest (in viruses) over and above what we already do in terms of security products and awareness," Art Gilbert, IBM's manager of secure systems industry support, told business writer Peter Coy of The Associated Press. However, reports of a "Datacrime" virus, rumored to be set to strike MS-DOS systems, have caused what Coy describes as "widespread alarm," even as many experts say the virus is rare and a relatively small number of PCs are likely to be harmed. IBM says it is releasing its Virus Scanning Program for MS-DOS systems that can spot three strains of the Datacrime virus as well as more common viruses that go by names such as the Jerusalem, Lehigh, Bouncing Ball, Cascade and Brain. The $35 program is available directly from IBM or from dealers, marketing representatives and remarketers and, according to Gilbert, will detect but not eradicate viruses. Gilbert added that installing a virus checker is not a substitute for safe-computing practices such as making backup copies of programs and data and being cautious about software of unknown origin. Meanwhile, virus experts speaking with Coy generally praised IBM's actions. "It's about time one of the big boys realized what a problem this is and did something about it," said Ross Greenberg, a New York consultant and author of Flu-Shot Plus. "To date, all the anti-virus activity is being done by the mom and pops out there." In addition, Pamela Kane, president of Panda Systems in Wilmington, Del., and author of a new book, "Virus Protection," called the move "a very important and responsible step." As noted, experts are differing widely over whether there is truly a threat from the Datacrime virus. The alleged virus -- also dubbed The Columbus Day virus, because it reportedly is timed to begin working on and after Oct. 12 -- supposedly cripples MS-DOS- based hard disks by wiping out the directory's partition table and file allocation table. Besides the IBM virus scanning software, a number of public domain and shareware efforts have been contributed online, collected on CompuServe by the IBM Systems/Utilities Forum (GO IBMSYS). For more details, visit the forum, see Library 0 and BROwse files with the keyword of VIRUS (as in BRO/KEY:VIRUS). --Charles Bowen DUTCH COMPUTERISTS FEAR 'DATACRIME' VIRUS (Oct. 7) The "Datacrime"/Columbus Day virus, which is being widely down-played in the US, may be much more common in the Netherlands. A Dutch newspaper reported this week the virus had spread to 10 percent of the personal computers there. "Those figures are possibly inflated," police spokesman Rob Brons of the Hague told The Associated Press. Nonetheless, police are doing brisk business with an antidote to fight the alleged virus. Brons said his department has sold "hundreds" of $2.35 floppy disks with a program that purportedly detects and destroys the virus. As reported, Datacrime has been described as a virus set to destroy data in MS-DOS systems on or after Oct. 12. AP notes that in the US there have been fewer than a dozen confirmed sightings of the dormant virus by experts who disassembled it. The wire service also quotes Joe Hirst, a British expert on viruses, as saying some now believe the virus was created by an unidentified Austrian computerist. He added that as far as he knew the Netherlands was the only European country in which the virus had been spotted. --Charles Bowen