 
     /~~~~~~\    ***********                        *********** 
  ~\(  * *   )/~ ***********                        ***********  
    ( \___/  )   ***     ***                        *** 
     \______/    *********** ***          ***   *** *******   
    @/       \@  ***     *** ***          ***   *** *** 
                 ***     *** ***          ***   *** *********** 
                 ***     *** ***           *** ***  ***********  |\__/| 
                             ******** ***   *****               /      \  
                             ******** ***    ***             ~\(  0 0   )/~ 
                                      ***                      ( /---\  ) 
                                      ***                       \______/  
                                      ***                      @/      \@  
                                      ***                                   
 
                                 
                                                                            
                                         
       ============================================================== 
        
         March, 1994.                           Volume I, Issue 0 
 
       ============================================================== 
 
                                CONTENTS:                                   
 
 
   1. "ALIVE" next host to you (a word of introduction)                  
   2. Results of Contest for the Best Virus Definition in technical 
      categories 
   3. Puzzle - is this piece of (pseudo)code a sign of "life" ? 
   4. A comment on Cohen's theorem about undecidability of viral detection 
      ..................................Dr Franz X. Steinparz 
 
 
 
       %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
       %                                                               % 
       %  ALIVE, Copyright 1994. By Suzana Stojakovic-Celustka         % 
       %  This magazine may be archived and reproduced without charge  % 
       %  throughout Cyberspace under the condition that it is left    % 
       %  in its entirety. Send submissions, comments, etc. to         % 
       %  celust@cslab.felk.cvut.cz and subscription requests to       % 
       %  mxserver@ubik.demon.co.uk                                    % 
       %                                                               % 
       %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
 
 
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+* 
 
1. "ALIVE" next host to you (a word of introduction) 
==================================================== 
 
Dear Readers! 
 
I guess you are already impatient to find out what "Alive" is. Calm down till 
I tell you something about its history. 
 
So, once upon a time...actually about a year ago I started a long search for 
the best definition of a computer virus. Surprisingly, it wasn't an easy 
task. Discussions on Virus-L and some private discussions didn't bring any 
satisfying results. I even started the Contest for the Best Virus Definition 
in despair. Well, the prizes were rather symbolic and probably it caused a 
low response. Never mind. All those attempts to answer the question : "What 
is a computer virus ?" only opened new questions. It appeared that computer 
viruses could be considered as members of a big family of so called 
"artificial life". Naturally, new questions were: "What is artificial life?", 
then "How to define a life?", etc. 
 
This magazine is one more try to find answers to some questions. The search 
for the best definition of computer virus will be continued. It is a general 
opinion that computer viruses are inherently malicious software. The 
possibility of viruses to be beneficial will be (hopefully) discussed here. 
However, protection against malicious viruses will not be neglected. This 
magazine will try to introduce new ways of protection, e.g. "immune systems". 
The question "What can be 'alive' in a computer environment ?" will be 
repeated in all possible variations as long as wish to find answers exists. 
The examples or descriptions of "liveware" will be presented here as soon as 
they appear. Probably some new topics will arise as "Alive" progresses. And, 
of course, I expect a lot of fun for both readers and contributors. 
 
About this issue: 
----------------- 
 
This is 0th issue or beta version of "Alive". It means - feel free to 
criticise every detail in it (in a civilized and constructive way, of 
course). 
 
The first topic is presentation of results from Contest for the Best Virus 
Definition in technical categories. The Contest was announced in April last 
year on Virus-L. Originally it had 8 categories: 1. Technical definition in 
plain language, 2. Technical definition - mathematical, 3. Legislative 
definition, 4. Ethical definition, 5. Philosophical definition, 6. Poetical 
definition, 7. Funny definition and 8. Other definitions. The response was 
significant only in the first two categories and (surprisingly) in the 
poetical one.The jury for technical categories worked hard and the results 
of its voting are presented here. Regretfully, it will not be possible to 
publish many of the valuable comments that members of the jury gave during 
their work. I wish to thank the members of the jury again for their efforts 
and to all contributors to the Contest for their contributions. 
 
The second topic is a kind of puzzle. It concerns one of the standard 
distributed algorithms which could be possibly considered as a sign of 
"life". The readers are asked to help to find a solution. 
 
The third contribution is an article which is rewritten here without 
permission from something which looks like a copy of an internal document 
from Johannes Kepler University, Linz. I hope that one day I will find the 
author's address and that he will have nothing against publishing his article 
in "Alive". The article has a very interesting conclusion and I am not going 
to tell you anything in advance. Just read it! 
 
 
About contributions and subscriptions: 
-------------------------------------- 
 
Preferred form of contributions are short articles or previews. Comments on 
contributions will be deeply appreciated, but will be published only if they 
have a convenient form. This is -not- a place for polemics or blames, so 
please don't send your comments if you have nothing constructive to say. The 
preferred form of code examples is pseudo-code. The code of existing viruses 
which somebody could consider beneficial will not be published here. Send 
your contributions and comments to celust@cslab.felk.cvut.cz 
 
Subscriptions requests should be sent to mxserver@ubik.demon.co.uk 
 
 
Ftp sites: 
---------- 
 
The magazine will be available for anonymous ftp from following sites: 
 
ftp.informatik.uni-hamburg.de in /pub/virus/texts/alive 
ftp.demon.co.uk in /pub/antivirus/journal/alive 
 
Any offer from other sites will be appreciated. 
 
About editor: 
------------- 
 
The editor is currently a Ph.D student on Computer Department, Faculty of 
Electrical Engineering, Czech Technical University in Prague. Is working on 
her Ph.D thesis and hoping that "Alive" will bring a lot of useful material 
and a lot of fun. 
 
 
So, dear readers, enjoy the reading and make your copy of "Alive" really 
alive: SPREAD IT WIDELY! 
 
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+* 
 
          "Life is all memory, except for the one present moment 
           that goes by so quick you can hardly catch it going." 
 
                        - Tennessee Williams - 
 
*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+*=*+* 
 
 
2. The results of the Contest for the Best Virus Definition in technical 
======================================================================== 
   categories 
============== 
 
The members of jury for the first two categories from Contest for the Best 
Virus Definition (1. Technical definition in plain language, 2. Mathematical 
technical definition) were: 
  
1. Vesselin Bontchev, VTC Hamburg, Germany 
   e-mail bontchev@informatik.uni-hamburg.de 
 
2. Anthony Naggs, consultant, UK 
   e-mail amn@ubik.demon.co.uk 
 
3. Yaron Goland, U.C.L.A, USA 
   e-mail ygoland@SEAS.UCLA.EDU 
 
4. Roberto Reymond, IBM C.E.R.T., Italy 
   e-mail rreymond@vnet.IBM.COM 
 
The guidelines were: 
-------------------- 
 
1. Technical definition (in plain language - preferably English) 
 
- The definition should be concise, without reference to the user's state 
of mind and free of value judgements, e.g. "good", "bad", "beneficial". 
The definition should be unambiguous, and include a statement of the 
environment to which it applies, (e.g. the operating system). 
 
2. Technical definition (mathematical) 
 
- The meaning of every symbol in mathematical formula(s) should be clearly 
explained. 
 
The jury used the following evaluation scale: 
--------------------------------------------- 
 
1 - useless 
2 - has serious problems 
3 - must be improved 
4 - good enough 
5 - very good 
6 - excellent 
 
 
Results in category 1.: Technical definition in plain language 
---------------------------------------------------------------------------- 
 
1. Author: William Walker  Submitted by: author  Source: Contest posting 
 
[            ENGLISH LANGUAGE DEFINITION OF A COMPUTER VIRUS 
 
     A "COMPUTER VIRUS" is a sequence (or set of sequences) of symbols  
     which, when executed or interpreted under certain conditions or in  
     certain environments, will make a possibly altered, functionally  
     similar copy of this sequence (or set of sequences) and will place  
     this copy where it will intercept execution or interpretation at a  
     later time under certain conditions.  This is called "REPLICATION,"  
     and the copy retains AT LEAST the capability to recursively  
     replicate further.  A virus may also have an additional function (or  
     functions) not related to replication, sometimes called a "payload,"  
     but this is NOT necessary for something to be a virus.  ] 
 
Comments on the above definition: 
 
1.   This definition is not tied to any specific machine or operating  
system.  The phrase "sequence of symbols" is used rather than "sequence  
of instructions" or "program" to help keep the definition as generic as  
possible. 
 
2.   A computer virus may not be restricted to a single sequence of  
symbols, but may consist of two or more sequences that individually do  
not constitute a virus, but working together satisfy the criteria of  
being a virus. 
 
3.   The phrase "intercept execution or interpretation" refers to the  
fact that a computer virus must somehow be placed on a host machine where  
it will be executed or interpreted in order to survive.  This is done by  
forcing the host machine to execute or interpret the virus before,  
during, after, or instead of some other sequence of symbols on that  
system; in other words, "intercept execution or interpretation."  
 
4.   "Replication" (or "spreading"), as defined above, is the key point  
in defining a computer virus.  A sequence of symbols which does not  
replicate cannot be a virus.  Likewise, every virus must replicate, or it  
is not a virus.  On the other hand, the inclusion of a "payload"  
is not essential for something to be a computer virus.   
 
Jury's decision : 4 (good enough) 
 
----------------------------------------------------------------------------- 
 
2. Author : Vesselin Bontchev  Submitted by : Suzana Stojakovic-Celustka 
   Source : e-mail conversation 
 
[ A computer virus is a sequence of symbols, which, when interpreted by 
computer, attaches itself to other computer interpretable symbol 
sequences in such a way that they become able to recursively spread 
the (possibly modified) initial sequence further. ] 
 
Additional explanations of used terms: 
 
"Infection" is the process of attaching a computer virus to other computer 
interpretable symbol sequences. 
"Attaching" means that the interpretation of the infected symbol sequences 
causes the interpretation of (possibly part of) the computer virus. 
"Interpretable" is anything that a computer can interpret. 
"Able to spread recursively" means when a virus infects an executable object, 
this object is able to spread virus to another object, which in turn is able 
to cause the infection of another object and so on. 
 
Jury's decision : 3 (must be improved) 
 
-------------------------------------------------------------------------- 
 
3. Author: Fred Cohen  Submitted by: Suzana Stojakovic-Celustka  
   Source: Article "Computational Aspects of Computer Viruses", Computers & 
           Security, 8 (1989.), pp 325-344 
 
[ We informally define a "computer virus" as a program that can "infect" 
other programs by modifying them to include a, possibly evolved, copy of 
itself. With the infection property, a virus can spread throughout a computer 
system or network using the authorizations of every user using it to infect 
their programs. Every program that gets infected may also act as a virus and 
thus the infection spreads. ] 
 
Jury's decision : 3 (must be improved) 
 
----------------------------------------------------------------------------- 
 
4. Author: Greg Hale  Submitted by: author  Source: Contest posting 
 
[ For a program to qualify as computer virus, the program must meet two 
qualifications: 
1. The virus must replicate itself and all subsequent reproductions 
(exempting unsuccessful infections) must be able to replicate. 
2. The virus must execute by replacing or redirecting the user's 
request for the computer to start the normal operating system or 
execute a familiar program. ] 
 
Jury's decision : 3 (must be improved) 
 
----------------------------------------------------------------------------- 
 
5. Author: Roberto Reymond  Submitted by: author  Source : Contest posting 
 
[ A set of instructions that, once executed or interpreted, gains the control 
of the environment. 
That done, those instructions will, in specific circumstances, make at least 
one copy of the initial set, identical or modified, placing it/them somewhere 
in the environment, with the intention that, if and when executed or 
interpreted, it/they will repeat at least one time the above cycle. ] 
 
Additional explanation of terms: 
 
Environment: it means the whole system, that is the combination of all the 
             hardware (fixed and removable) and the software presents at the 
             moment of the virus actions. 
 
Jury's decision : 3 (must be improved) 
 
----------------------------------------------------------------------------- 
 
6. Author : Fred Cohen   Submitted by : author  Source : Contest posting 
 
[ A program that reproduces.] 
 
Jury's decision : 2 (has serious problems) 
 
----------------------------------------------------------------------------- 
 
Results in category 2. : Mathematical technical definition 
 
----------------------------------------------------------------------------- 
 
1. Author: Fred Cohen  Submitted by: Vesselin Bontchev  Source: Short article 
   "Formal Definition" written by Vesselin Bontchev, based on private       
    discussion with the author 
 
   (The contribution is not presented here, because of mathematical symbols). 
 
As in this category were no other contributions, this one was considered as 
a winner without jury's voting. 
 
 
Editor's note: 
-------------- 
 
Either the jury was too severe or plain language is not suitable to define 
computer virus properly. The winning definition is evaluated as "good enough" 
only. The others must be improved. However, it seems that the key point in 
defining a computer virus is a "replication" (as stated by W. Walker). 
Personally, I found comment 2. in W. Walker's definition very interesting for 
possible future development of computer viruses. 
 
 
***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^*** 
 
 
                      "A virus is a virus!" 
 
- Nobel laureate Andre Lwoff's answer on the question "What is a virus?" 
  (1959.) - 
 
 
***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^***^^*** 
 
 
3. Puzzle - is this piece of pseudo(code) a sign of "life" ? 
============================================================= 
 
I was wondering if Misra's algorithm for regenerating token in logical  
ring could be considered as a sign of "life". Help me to solve this puzzle! 
 
Some explanations: 
------------------ 
 
Distributed algorithm - it has two basic elements: the processes that       
                        receive, manipulate, transform and output data and  
                        the links along which these data flow and which form  
                        a network having both structural and dynamic        
                        properties. 
 
Ring - each process is aware of its two immediate neighbours, called for the 
       convenience the left and right neighbour respectively. 
 
Token - special message which the processes hand from one to another around 
        the ring. 
 
 
The method uses two tokens, each of which serves to detect the possible  
loss of the other, by this means: a token T1 arriving at the process Pi  
can guarantee that the other token T2 has been lost - and can therefore  
regenerate it - if neither it nor Pi has encountered T2 since T1's last  
passage through Pi. 
 
The loss of a token is detected by the other in one passage round the  
ring; and the algorithm works only when one token having been lost, the  
other makes a complete turn round the ring without itself being lost. 
 
 
The algorithm: 
-------------- 
 
Let us call the tokens Ping and Pong, and with these associate numbers  
NPing and NPong, equal in absolute value but opposite in sign, that record  
the number of times the tokens have met; these numbers are therefore  
related by the constraint: 
 
NPing + NPong = 0 
 
Initially the two tokens are both in an arbitrarily chosen process and the  
values are: 
 
NPing = 1, NPong = -1 
 
Each process Pi carries an integer variable Mi, initialized to 0, that  
records the number, NPing or NPong, associated with the token that last  
passed through Pi. The behaviour of Pi is as follows: 
 
when received Ping(NPing) do 
 if M = NPing                  {Pong is lost, regenerate it} 
 then 
   begin 
     NPing:=NPing + 1; 
     NPong:=-NPing 
   end 
 else   
   M:=NPing 
    
when received Pong(NPong) do 
 if M = NPong                  {Ping is lost, regenerate it} 
 then 
   begin 
     NPong:=NPong - 1; 
     NPing:=-NPong 
   end 
 else 
   M:=Npong 
    
when meeting (Ping, Pong) do    {Meeting Ping and Pong} 
 begin 
   NPing:=NPing + 1; 
   NPong:=NPong - 1 
 end 
  
In practical realization of algorithm numbers NPing and NPong should be  
limited by modulo P where P > or = N+1 (number of processes in logical ring  
+ 1). 
 
Literature: 
----------- 
 
1. Janacek J., Distributed systems, 1993., Vydavatelstvi CVUT, (in Czech) 
2. Raynal M., Distributed Algorithms and Protocols, 1988., John Wiley & Sons 
 
 
Editor's hypothesis: 
-------------------- 
 
Consider that each process itself is "alive" by consuming, transforming and 
extracting data as a "food". Then regeneration of token(s) is necessary for 
its "life-time" and above algorithm is vital to keep a process "alive". Here 
we have the following signs of "life": "metabolism", ability to produce new 
"living" entities (tokens which help in their reproduction themselves) and 
ability to communicate with "neighbours".  
 
 
/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*= 
 
                Ikite iru                      Simply alive  
                bakari zo ware to              me - 
                keshi no hana                  and poppy-flower     
 
                                 - Issa - 
 
/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*=/\=*= 
 
4. Article: 
=========== 
 
 
                     A COMMENT ON COHEN'S THEOREM ABOUT 
                      UNDECIDABILITY OF VIRAL DETECTION 
 
                            Dr Franz X. Steinparz 
                      Johannes Kepler University, Linz 
                               October, 1991. 
 
 
Abstract: 
 
This paper shows that Cohen's Theorem, stating the undecidability of viral 
detection does not hold. It is shown that each algorithm discerning a virus 
from other program by examining its code must be a virus itself. 
 
Keywords: computer viruses 
 
Introduction: 
 
In [2] Cohen introduces Computer Viruses and summarizes some work he did on 
this topic. Aside other results of his work, he gives a rather informal 
definition of Computer Viruses and the proof of his well known theorem 
stating that a program discerning a virus from any other program by examining 
its appearance is infeasible. In [1] Burger expressed his doubt about this 
theorem. However, to our knowledge, no fault in Cohen's proof has been 
published, and in discussions about viruses, the theorem is widely ( [3], 
[4], [5] and others) referred to. 
 
Cohen's Theorem: 
 
In Section 2 of [2] Cohen defines: 
 
"..a computer virus as a program that can 'infect' other programs by 
modifying them to include a possibly evolved copy of itself." 
 
In Section 4.1. of [2] Cohen states the undecidability of viral detection. 
His proof follows a well known proof technique. He argues: 
 
"In order to determine that a given program 'P' is a virus, it must be 
determined that P infects other programs. This is undecidable since P could 
invoke any proposed decision procedure 'D' and infect other programs if and 
only if D determines that P is not a virus. We conclude that a program that 
precisely discerns a virus from any other program by examining its appearance 
is infeasible. In the following ... program ..., we use the hypothetical 
decision procedure D which returns "true" if its argument is a virus to 
exemplify the undecidability of viral detection. 
....., we have assured that, if the decision procedure D determines (the 
following program contradictory-virus) CV to be a virus, CV will not infect 
other programs and thus will not act as a virus. If D determines that CV is 
not a virus, CV will infect other programs and thus be a virus. Therefore, 
the hypothetical decision procedure D is self contradictory, and precise 
determination of a virus by its appearance is undecidable. 
 
program contradictory-virus := 
{.... 
main-program := 
  {if D(contradictory-virus) then 
      {infect-executable; 
       if trigger-pulled then 
            do-damage; 
 
       } 
    goto next; 
    } 
 
} 
 
Fig..Contradiction of decidability of a virus.." 
 
 
Discussion: 
 
First, we notice an inaccuracy in Cohen's paper in defining a virus as a 
program, which -can- infect other programs and using this term in his proof 
for a program which actually -does- it. However, this inaccuracy can be 
corrected by adjusting the definition. 
 
But even if we adjust the definition, the proof in its generality is wrong: 
It is based on the implicit assumption that the decision procedure D is not 
a virus itself. 
 
Suppose the decision procedure D is a virus itself. Then contradictory-virus 
infects an executable by calling D and consequently is a virus too. Now D, 
when deciding that contradictory-virus is a virus, gives a correct result 
even if contradictory-virus, based on D's decision does not execute its own 
viral code. 
 
However, under the restriction, that only non-virus decision procedures are 
permitted, Cohen's proof holds. Consequently, each decision procedure D must 
be a virus. 
 
References: 
 
[1] R. Burger: Das Grosse Computer-Viren Buch, ISBN 3-89011-200-5, DATA     
               BECKER, Duesseldorf, 1987. 
 
[2] F. Cohen: Computer Viruses Theory and Experiments, Computers & Security  
              6 (1987) pp 22-35, North-Holland, 1987. 
 
[3] G. Futschek: Computerviren fuer LOGO Programme Bauanleitung,            
                 Wirkungsweise und Abwehrmechanismen, interner Bericht,     
                 Technische Universitat Wien, 1988. 
 
[4] F. Hoffmeister: Sicherheitsrisken durch Computerviren - erste           
                    Losungansatze, Bericht Nr. 232 der Abteilung Informatik  
                    der Universitat Dortmund, Dortmund, 1987. 
 
[5] C.A. Neumann: Computerviren und verwandte Anomalien, GI Symposium "PC's  
                  in kleineren und mittleren Unternehmungen", Leipzig 17-19  
                  September 1991., Tagungsbad der Fachgruppe 2.0.1. Personal  
                  Computing der GI, 1991. 
 
 
 
 
(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)** 
 
                        The Virus Syllogism: 
 
                  Computers are made to run programs. 
                Computer viruses are computer programs. 
         Therefore, computers are made to run computer viruses. 
 
                        - Peter S. Tippett - 
 
(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)**(:)** 
 
                                                                    
 
 
 
 
              ____________________________________________________  
             /                /    |                              | 
            /         |\__/| /     |      THAT'S ALL FOLKS !!     | 
       /~~~~~~\      /      \      |  NEW "ALIVE" IS COMING NEXT  | 
    ~\(  * *   )/~~\(  0 0   )/~   |      HOST TO YOU SOON !!     |  
      (   O    )    (   O    )     |______________________________| 
       \______/      \______/                         
      @/       \@   @/      \@ 
 
 
 