From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #3 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Tuesday, 7 Jan 1992 Volume 5 : Issue 3 Today's Topics: Re: Novell distributes Stoned-3 (PC) F-PROT 2.x and Cascade (PC) Question re Stoned (PC) Latest version of F-Prot? (PC) List of Viruses (PC) DOS 5.0 FDISK & older O/Ses (PC) New strain of Murphy? Amilia (PC) Help with virus (PC) Re: Macs Running Soft PC (Mac) (PC) General questions about viruses theoretical literature on viruses? Re: Virus capable of infecting Mainframes and PCs Re: Hardware damage Re: General questions about viruses WSCAN85.ZIP - Windows 3.0 version of VIRUSCAN V85 (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 06 Jan 92 11:55:00 +1300 From: "Nick FitzGerald" Subject: Re: Novell distributes Stoned-3 (PC) Further to postings from Karyn Pichnarczyk (karyn@cheetah.llnl.gov) and James Ford in VL 5 #1 on Novell's distribution of the Stoned-3 virus, the following article was posted (way off-charter) in Usenet newsgroup comp.binaries.ibm.pc.archives. Note the interesting number of mis-conceptions and/or poorly described pieces of "information". The article only describes how file infecting viruses work, implying that they are the only kind (and getting it mostly wrong!), yet the incident it reports involved a boot sector virus. Finding the other gaffs is left as an exercise to the reader. :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-: Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337 ::::::::::::::::::::: Begin included message ::::::::::::::::::::: From: markoff@nyt.com (John Markoff) Date: 31 Dec 91 20:03:40 GMT By JOHN MARKOFF (from the New York Times, 20 Dec 1991) The nation's largest supplier of office-network software for personal computers has sent a letter to approximately 3,800 customers warning that it inadvertently allowed a software virus to invade copies of a disk shipped earlier this month. The letter, sent on Wednesday to customers of Novell Inc., a Provo, Utah, software publisher, said the diskette, which was mailed on Dec. 11, had been accidentally infected with a virus known by computer experts as "Stoned 111." A company official said yesterday that Novell had received a number of reports from customers that the virus had invaded their systems, although there had been no reports of damage. But a California-based computer virus expert said that the potential for damage was significant and that the virus on the Novell diskette frequently disabled computers that it infected. 'Massive Potential Liabilities' "If this was to get into an organization and spread to 1,500 to 2,000 machines, you are looking at millions of dollars of cleanup costs," said John McAfee, president of McAfee & Associates, a Santa Clara, Calif. antivirus consulting firm. "It doesn't matter that only a few are infected," he said. "You can't tell. You have to take the network down and there are massive potential liabilities." Mr. McAfee said he had received several dozen calls from Novell users, some of whom were outraged. The Novell incident is the second such case this month. On Dec. 6, Konami Inc., a software game manufacturer based in Buffalo Grove, 111. wrote customers that disks of its Spacewrecked game had also become infected with an earlier version of the Stoned virus. The company said in the letter that it had identified the virus before a large volume of disks had been shipped to dealers. Source of Virus Unknown Novell officials said that after the company began getting calls earlier this week, they traced the source of the infection to a particular part of their manufacturing process. But the officials said they had not been able to determine how the virus had infected their software initially. Novell's customers include some of nation's largest corporations. The software, called Netware, controls office networks ranging from just two or three machines to a thousand systems. "Viruses are a challenge for the marketplace," said John Edwards, director of marketing for Netware systems at Novell. "But we'll keep up our vigilance. He said the virus had attacked a disk that contained a help encyclopedia that the company had distributed to its customers. Servers Said to Be Unaffected Computer viruses are small programs that are passed from computer to computer by secretly attaching themselves to data files that are then copied either by diskette or via a computer network. The programs can be written to perform malicious tasks after infecting a new computer, or do no more than copy themselves from machine to machine. In its letter to customers the company said that the Stoned 111 virus would not spread over computer networks to infect the file servers that are the foundation of networks. File servers are special computers with large disks that store and distribute data to a network of desktop computers. The Stoned 111 virus works by attaching itself to a special area on a floppy diskette and then copying itself into the computer's memory to infect other diskettes. But Mr. McAfee said the program also copied itself to the hard disk of a computer where it could occasionally disable a system. In this case it is possible to lose data if the virus writes information over the area where a special directory is stored. Mr. McAfee said that the Stoned 111 virus had first been reported in Europe just three months ago. The new virus is representative of a class of programs known as "stealth" viruses, because they mask their location and are difficult to identify. Mr. McAfee speculated that this was why the program had escaped detection by the company. Steps Toward Detection Novell has been moving toward adding new technology to its software to make it more difficult for viruses to invade it, Mr. Edwards said. Recently, the company licensed special digital-signature software that makes it difficult for viruses to spread undetected. Novell plans to add this new technology to the next major release of its software, due out at the end of 1992. In the past, courts have generally not held companies liable for damages in cases where a third party is responsible, said Susan Nycum, a Palo Alto, Calif., lawyer who is an expert on computer issues. "If they have been prudent it wouldn't be fair to hold them liable," she said. "But ultimately it may be a question for a jury." ------------------------------ Date: Mon, 16 Dec 91 11:29:03 +0000 From: "Vaughan.Bell" Subject: F-PROT 2.x and Cascade (PC) I have been testing F-PROT 2.01 with various virus samples and I have found that I didn't detect cascade in memory (identified as cascade 1701-A) although it does detect the infection in a .COM file. Pre 2.x versions did detect the virus in memory and as a .COM infection. Various other anti-virus programs do detect it in memory includin McAfee SCAN, Dr Solomons AVTK, VISCAN and IBM's Virscan. Also is it possible to get the virus info supplied with F-PROT 2.01 as an ASCII text file (like FILVIR-1.TXT etc) ??? Thanks in advance . . . *************************************************************************** * Vaughan Bell - Polytechnic South West - U.K. - vaughan@cd.psw.ac.uk * *************************************************************************** * You can take a horse to water, but if you can make it float on it's * * back you've got something ! * *************************************************************************** ------------------------------ Date: Thu, 02 Jan 92 20:45:00 -0500 From: HAYES@urvax.urich.edu Subject: Question re Stoned (PC) Hello. As a co-sysop of the virus discussion board I received the following message. I thought it was interesting enough, and asked more details which will show in the second forwarded message (in fact, long excerpts of both messages). I myself came with no good reason why the system (details in msg #2) does not get infected. Any guru out there with some explanation(s)? Best, Claude. - ----- begin forwarded messages -- Message #1 More of a curiosity than an emergency here: Our academic PC lab had a protracted battle with the Stoned virus last Summer and Fall, which we dealt with fairly aggressively and with good success. [...] At any rate, "Stoned" seems to be history in our lab, if only because it does not seem to infect 3.5" diskettes (which we've recently switched to). My question is this. For the benefit of many users who only have 5.25" drives at home and want to use one of our 3.5" PC's, we set up a 3-floppy PC with menu-driven software for file copying and diskette formatting. A: & B: drives are 360K and 1.2M (respectively); C: is 1.44M. D: is the hard drive. If ever a PC would be succeptable to "Stoned" it would be this one, considering the amount and nature of its use--or so it would seem! Periodic checks for the virus on the hard drive have always been negative over four months of heavy use. (Like I say--I know "Stoned" is still around here.) Is there something about the four-disk controller setup (or the drive name "D:") that creates an immunity to "Stoned"? Or have we been incredibly lucky? - ----- Message #2 [...] The format-copy box I referred to was an old IBM-PC (8088) outfitted with 2 5.25 floppy drives (one for ea. density) and 1 3.5" high density drive (A,B & C). The hard drive is a 40 meg. (brand or type unknown--I'm not that familiar with the types), and as I said, it was designated D: as per the requirements of the JDR (or is it JRD?) Microdevices 4-floppy controller card I used. I wrote a snazzy menu-driven batch program (with BATMAN and ANSWER enhancements) walking users through any of the 4 floppy formats and permitting copying of files ("All" or selected) between any two of the floppy drives. The "selected" copying option would list the directory of the source floppy before copying (prime infection activity!) No virus protection installed. (I'd check it periodically by running Clean-Up on the D: drive. As I mentioned, Clean-Up never found Stoned when I ran it on this drive, and I haven't been getting the kind of complaints I would get if users were getting re-infected at home. (So I think Clean-Up is checking properly.) I might add that this hard drive in this computer had picked up Stoned more than once when it was an office machine with just a 5.25" A: drive (and the hard drive was C:). So there's nothing inherantly immune about the drive. Oh, DOS is 3.30, and the hard drive is not segmented. Because this box is the only one we have that does this job in a busy lab and a lot of our users on 5.25-only PC's, it gets a lot of use. So I would have considered frequent infection a near certainty, it only takes one careless user or one old neglected floppy. (Don't ask me why I didn't install protection on this one. I guess I was concerned about the slowness of the 8088 processor.) At any rate, I hope this is enough information. (Watch! As soon as I report this, the PC will turn up "stoned"!) Any clues? - ---- end forwarded messages -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Thu, 02 Jan 92 19:38:10 From: hoisve@Public.Access.CC.UTAH.EDU (David Hoisve) Subject: Latest version of F-Prot? (PC) Where can I find the latest version of F-Prot? The version on beach.gal.utexas.edu now displays something like "This version is rather old. You should get a new one.". I also noticed that this version does not include license information. Is the F-Prot "site license" still available? (The terms were something like $0.75 per machine for non-profit orgs. Very reasonable!) Thanks! - -- Dave. Dave Hoisve, HOISVE@XANADU.CC.UTAH.EDU ------------------------------ Date: Fri, 03 Jan 92 14:09:42 -0600 From: THE GAR Subject: List of Viruses (PC) Someone faxed me a list of viruses, that I believe he got from Center Point, with codes for him to enter to update his virus information for the package. He sent it to me to show how many viruses Center Point protected him from that McAfee fails to protect me from. My question (McAfee rep?) is whether these are actually detected by McAfee but called something else. Also, can anyone identify any of the following that are especially prevalent? Or are these mostly "laboratory" viruses? In case anyone out there cares, the only viruses I have SEEN in Birmingham AL are Stoned, Ping-Pong, Ping-Pong B, Dark Avenger, and Jerusalem, with Stoned and Ping being the only ones that really seem to have staying power. 1590 Golden Gate 1 740 Golden Gate 2 805 HIV Amoeba 2 Horse II Anarkia Justice Anthrax PT Kylie April 15 Lunch Beast C Omicron PT Beast D PC Bandit Cascade YAP Phoenix Dark Lord Stoned III Decide Suomi Den-Zuk 2 Tequila Diamond Twelve Tricks Doctor Vienna 656 Drug Virdem 792 Faggot Vriest France Zapper /++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\ ! Later + Systems Programmer ! ! Gary Warner + Samford University Computer Services ! ! + II TIMOTHY 2:15 ! \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/ ------------------------------ Date: Fri, 03 Jan 92 15:12:42 -0500 From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: DOS 5.0 FDISK & older O/Ses (PC) Y. Radai writes: >.., and those who >do seem to be unaware that it can also be used on machines running >DOS *prior to Ver. 5*. All that is necessary is to find a (clean) DOS >5 system diskette, to copy FDISK.EXE from DOS 5 onto that diskette, to >cold boot the infected machine from the diskette, and then to perform >FDISK /MBR . Works beautifully. One caveat: Certain older Zenith DOS versions (think 3.0 3.1 & 3.2) & possibly some others have boot records that seem to expect some registers to be passed intact from the MBR to the BR code. After using a "generic" MBR replacement I have occasionally encountered an "Unformatted Partition" message & lockup from the BR on these machines when booting from the fixed disk. In this case booting from a floppy executes ok & the C: drive is then accessable. Should this occur you will need to either SYS the fixed disk, patch in a new "generic" Boot Record (not that difficult - five minutes with a bootable floppy & debug)), FDISK the fixed disk with the original O/S (lose all data, do not pass Go), replace the MBR with the original (if you have a back-up), or upgrade to a different O/S version. Or you could use FixMBR. Warmly, Padgett Isn't diversity wonderful ? ------------------------------ Date: Fri, 03 Jan 92 20:28:41 -0800 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: New strain of Murphy? Amilia (PC) I have received a new virus, originally reported to Delta Base Enterprises here. I have not been able to examine it in detail, but telephone reports indicate it is unidentified by any scanners except FPROT 2.01, which identifies it as Murphy HIV. Delta Base has already done fairly extensive testing of the virus. It appears to be a "fast file infector", infecting every file that is opened. (A sweep of the system with a commercial antivirus product was apparently responsible for the infection of all 361 program files.) It appears to infect both .COM and .EXE files. To this point, no bounds have been found on the size of programs infected. The text string "AmiLia I Viri - [NukE] i99i" appears at the beginning of the infection. The text section also refers to "Released Dec91 Montreal". This indicates that the virus has spread extensively since its release. In Vancouver, it appears to have been obtained, in one instance, from a BBS known as Abyss. Notification to the sysop revealed that he had had trouble with the infected file and subsequently deleted it. However, there are other indications that the infection may have come from several sources in Vancouver. ============= Vancouver p1@arkham.wimsey.bc.ca | "Remember, by the Institute for Robert_Slade@mtsg.sfu.ca | rules of the game, I Research into CyberStore | *must* lie. *Now* do User (Datapac 3020 8530 1030)| you believe me?" Security Canada V7K 2G6 | Margaret Atwood ------------------------------ Date: 05 Jan 92 08:03:13 -0700 From: "Taisir.Jawberah" Subject: Help with virus (PC) I found new virus called "Amobiaii" I formated my hrddisk but still their i try with scan&clean84 but didnt clean it How can i remove this virus please more information about this virus Any help appreciated Taisir Jawberah king abdul aziz unversity jeddah ------------------------------ Date: Tue, 07 Jan 92 00:57:00 +0000 From: lev@amarna.gsfc.nasa.gov (Brian S. Lev) Subject: Re: Macs Running Soft PC (Mac) (PC) fprice@itsmail1.hamilton.edu (Frank Price) writes... >SoftPC does such a good job of emulating an MS-DOS machine that many >(most? virtually all?) viruses WILL infect it. SoftPC uses a (big) >data file for the contents of the simulated PC's hard drive. I believe >Mac antiviral programs consider this to be a data file and do not >check it. Even if they did, they would not know how to recognize >MS-DOS viral code. Ummm... I'm not 100% positive, but I seem to remember the more recent versions of the Mac's "Big 4" (Disinfectant, Virex, SAM, SUM) all _do_ look at data files if you tell 'em to scan your disk... - -- Brian Lev +----------------------------------------------------------------------------+ | Brian Lev/Hughes STX Task Leader 301-286-9514 | | NASA Goddard Space Flight Center DECnet: SDCDCL::LEV | | Advanced Data Flow Technology Office TCP/IP: lev@dftnic.gsfc.nasa.gov | | Code 930.4 BITNET: LEV@DFTBIT | | Greenbelt, MD 20771 TELENET: [BLEV/GSFCMAIL] | | X.400 Address: (C:USA,ADMD:TELEMAIL,PRMD:GSFC,O:GSFCMAIL,UN:BLEV) | +----------------------------------------------------------------------------+ ------------------------------ Date: Fri, 03 Jan 92 20:06:15 -0800 From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: General questions about viruses nkjle@locus.com (John Elghani) writes: > Can someone help me with the following questions: Perhaps, but you seem to be confusing the types of operations that go on in a microcomputer, and those which are more common in "linked mainframes". > 1- A virus obviously is a program that is CPU bound, io bound, ..etc. > i.e. it occupies system's resources. Some could probably delete > all files on a system? right? Once a virus has been invoked on a system, it can do anything that is possible through software. It is possible to delete all the files on a system through software, therefore it is possible for a virus to do it. > 2- How does it transfer across networks. How does it know a phone number > (modem #) of a remote node. In a PC situation, a virus is transfered by some (usually unknowing) person. This can be through a file transfer, email, or simple disk swapping. Mainframe networks, such as Usenet or the Internet, have procedures whereby programs can be automatically transferred from one machine to another, and started on the remote machines. Network viri (sometimes referred to more specifically as worms) use these functions. Some, such as the CHRISTMA EXEC, rely on advanced email functions and high level language interpretters. These use the "directorie files" to "find" other machines. > 3- How does it get tracked down. By program name? if so, then what if > this virus changes its name? are we in trouble? Viri get tracked down in a number of ways. Program names have little to do with it, since viri "attach" to existing programs. > 4- When it makes it to disk, how does it tell the Kernel that it wants > to run the system. It it something like a daemon tht sleeps and > wakes up? How it wakes up depends upon what type of system it is in and how it got there. These answers were done quickly, and are simplistic to the point of inaccuracy. They are only meant as a starting point. (Ken, are the CVP files available yet?) ============= Vancouver p1@arkham.wimsey.bc.ca | "Remember, by the Institute for Robert_Slade@mtsg.sfu.ca | rules of the game, I Research into CyberStore | *must* lie. *Now* do User (Datapac 3020 8530 1030)| you believe me?" Security Canada V7K 2G6 | Margaret Atwood ------------------------------ Date: Mon, 06 Jan 92 15:50:17 +0000 From: ctika01@mailserv.zdv.uni-tuebingen.de (George Kampis) Subject: theoretical literature on viruses? Is there any work out there on a *theoretical* treatment of computer viruses? Such as, for instance, description of virus computation, what kind of viruses are possible etc, how to test them, is there a virus that escapes every test, or, is there a test that catches every virus, and so on... I suspect the latter will lead to halting-problem-like questions - would be interested to see if anybody did work on that (pls don't mix it with self-reproducing automata a la von Neumann etc) Thanks, George Kampis Tubingen FRG ------------------------------ Date: 06 Jan 92 17:14:47 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Virus capable of infecting Mainframes and PCs AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) writes: > > Question for all: Is there a virus that can infect BOTH PCs and > >Mainframes? The place where I am working is networking and I am trying > >to find out what possible threats can arise from this. > Not yet. And I don't think there could be. Not with the major differences Sorry to disagree. Such viruses are relatively easy to write and they'll appear sooner or later. > between program execution, and for that matter, operation codes on these > different platforms. For example, X'D20750006000' in MVS translates to > MVC 0(8,R5),0(,R6) which moves 8 bytes from a location pointed to by > register 6 into a location pointed to by R5. This hex string, even if > it could be downloaded to a PC in its origional form without get translated > by whatever protocol you happen to be using, is *probably* (I'm not a PC The example you gave might be meaningless indeed, but it is possible to write a program which runs on two different processors. Anybody who has installed a CP/M card in an Apple ][ computer probably knows this. (If not, just think - there are -two- processors present, 6502 and 8080, but only the first is active on boot-up. So, the boot sector of a CP/M diskette for such computers -must- contain code which executes on 6502. Obviously, it has at some time activate the 8080 and transfer control to it. When the 8080 gets activated, the code which begins to get interpretted -must- be valid for it. So...) Even the well-known Internet worm contained code for two different kinds of computers - SUNs and VAXes... So, it -IS- possible. And, since it is possible, it - -WILL- be done - sooner or later. > assembler guru) meaningless once it gets there. The effort expended in > trying to get something on a mainframe downloaded to a PC and executed there > would be wasted. Right, but the opposite is not true, and that's what we'll probably see in the near future. It is possible to design a virus, which spreads on PCs, and, as soon as it detects that the PC is used as a terminal to connect to mainframe, releases a virus (or worm) to the mainframe. It can be done. It will be. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -246 Vogt-Koeln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 20 Dec 91 10:04:40 -0400 From: wood@covax.commerce.uq.oz.au (Malcolm Wood) Subject: Re: Hardware damage > There is also a story, likely apocryphal, that one computer > company set up a "portable" computer, including banks of disk > drives, in a semi-trailer for demos. The first time the truck > took a turn with all the drives running, it flipped over due to > the enormous stored angular momentum of the spinning platters.) Can I stop this myth before it gets around? The banks of disk drives you refer to would be of the old 'washing-machine' cabinet style, with vertical axes. There would be no strange torque effects while cornering because the truck's turn would also be about a vertical axis. Also, even with the old-style drives, the spinning mass is not 'enormous', they were always thin aluminium platters whose mass is negligible compared to, eg, the flywheel of the truck. The most likely problem would be vibration-induced head crashes. "The world's biggest portable computer" is an interesting thought, though ... power supply? Cooling system? Operator's console? A trailer full of TTY's for the users? - ------------------------------------------------------------------------- Malcolm Wood, Faculty of Commerce and Economics, University of Queensland WOOD@COMMERCE.UQ.OZ.AU - ------------------------------------------------------------------------- ------------------------------ Date: 06 Jan 92 22:42:13 +0000 From: vail@tegra.com (Johnathan Vail) Subject: Re: General questions about viruses nkjle@locus.com (John Elghani) writes: 1- A virus obviously is a program that is CPU bound, io bound, ..etc. i.e. it occupies system's resources. Some could probably delete all files on a system? right? right. anything that any other program can do can possible be done by a virus. 2- How does it transfer across networks. How does it know a phone number (modem #) of a remote node. a virus, as opposed to other computer nasties like worms, attach themselves to other programs. People transferring programs either by diskette or modem or networks are the transmission vector for viruses. 3- How does it get tracked down. By program name? if so, then what if this virus changes its name? are we in trouble? Virus scanners typically work by looking for particular "signature" strings in programs and memory of known viruses. Some viruses could try to "mutate" themselves to thwart this and new viruses are not detected by these kinds of detection programs. Then there are "stealth" viruses that attempt to hide their existence by trapping system calls. To answer specifically: new viruses get "tracked down" when their symptoms are detected by carefully disassembling the code on infected files and disks. Once identified, their signature strings can be added to the virus scanners. Since most viruses exist in the system boot sectors or in executable programs tracking my a particular program name is not useful. 4- When it makes it to disk, how does it tell the Kernel that it wants to run the system. It it something like a daemon tht sleeps and wakes up? viruses get their execution thread when their "host" program is executed. they can then install themselves in memory or just do their work before passing control on to the "host" program. if the virus installs itself in memory it may get executed based on a timer but more frequently by trapping operating system calls (BIOS and DOS calls on a PC). hope this helps... jv "Always Mount a Scratch Monkey" _____ | | Johnathan Vail vail@tegra.com (508) 663-7435 |Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet) ----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu) ------------------------------ Date: Fri, 03 Jan 92 16:20:59 -0800 From: mcafee@netcom.com (McAfee Associates) Subject: WSCAN85.ZIP - Windows 3.0 version of VIRUSCAN V85 (PC) I have uploaded to SIMTEL20: pd1: