From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #10
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday, 21 Jan 1992    Volume 5 : Issue 10

Today's Topics:

WARNING - Michelangelo Virus (PC)
Kennedy virus (PC)
UK mag (PC Fun) distributes Stoned (PC)
Dir-II/Other Stuff (PC)
Re: Untouchable (PC)
ENIGMA virus (PC)
Smulders-virus found? (PC)
NO VIRUS in SCANV85 !!!!! (PC)
Re: Dir-II/Other Stuff (PC)
Joshi virus removal with FDISK /MBR (PC)
i/o ports (was re: Iraqi virus) (PC)
QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC)
Re: Looking for info on "Friday the 13th" virus (PC)
Re: Form virus infected Dos 5.0 diskettes (PC)
Virus detectors for Unix? (UNIX)
Gulf War Virus & "Softwar"
VS920109.ZIP - Virus signatures for HTSCAN/TBSCAN - 920109 (PC)
Reviews and request (PC + Amiga)
"Desert Storm" viral myths

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 17 Jan 92 13:10:17 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: WARNING - Michelangelo Virus (PC)

From all reports this destructive virus is spreading world-wide very rapidly.
Unlike the DataCrime "fizzle" in 1989 which contained similar destructive capability but never spread, the Michelangelo appears to have become "common" in just ten months following detection. I have encountered three cases locally in just the last few weeks.

Three factors make this virus particularly dangerous:

1) The virus uses similar techniques as the "STONED" virus which while first identified in early 1988 remains the most common virus currently reported. Since the virus infects only the Master Boot Record on hard disks and the boot record of floppy disks, viral detection techniques that rely on alteration of DOS executable files will not detect the virus. Similarly, techniques that monitor the status of the MBR may only provide users with a single warning that, if execution is permitted to continue, may not be repeated.

2) Michelangelo was first discovered in Europe in mid-1991; consequently many virus scanners in use today will not pick up the virus unless more recent updates have been obtained.

3) Unlike the Stoned and Jerusalem (the most common viruses in the past) which are more annoying than dangerous, the Michelangelo virus will, on its trigger date of March 6th, attempt to overwrite vital areas of the hard disk rendering it unreadable by DOS. Further, since the FATs (file allocation tables) may be damaged, unless backups are available recovery will be very difficult and require someone who is able to rebuild a corrupt FAT (also a very time-consuming process).

Fortunately, the Michelangelo virus is also very easy to detect: when resident in a PC, the CHKDSK (included with MS-DOS (Microsoft), PC-DOS (IBM), and DR-DOS (Digital Research) {all names are registered by their owners}) program will return a "total bytes memory" value 2048 bytes lower than normal. This means that a 640k PC which normally returns 655,360 "total bytes memory" will report 653,312.
While a low value will not necessarily mean that Michelangelo or any other virus is present, the PC should be examined by someone familiar with viral activity to determine the reason. If the Michelangelo virus is found, the PC should be turned off until disinfected properly. All floppy disks and other machines in the area should then also be examined since the Michelangelo virus is spread in the boot record (executable area found on all floppy disks including data-only disks).

Padgett Peterson
Internet: padgett%tccslr.dnet@mmc.com

Note: the opinions expressed are my own and not necessarily those of my employer. Comments refer only to the specific example of the virus that I have examined. Other strains may exist.

------------------------------

Date: 15 Jan 92 21:04:13 +0000
From: sph0301@utsph.sph.uth.tmc.edu (Kate Wilson)
Subject: Kennedy virus (PC)

We have just been infected by the Kennedy virus. McAfee's SCANV85 finds it but CLEAN V85 does not. Is there any way to remove this virus other than deleting the infected files?

Kate Wilson
UT School of Public Health, Houston
sph0301@utsph.sph.uth.tmc.edu

------------------------------

Date: Thu, 16 Jan 92 15:49:00 +1300
From: "Nick FitzGerald"
Subject: UK mag (PC Fun) distributes Stoned (PC)

Following all the reports we've had of hardware and software vendors distributing virus infected diskettes or programs, the following was reported in my local paper this morning.

It is, perhaps, interesting to note the degree of _accuracy_ in this report. On matters of fact I only noted three errors, and these are all minor to trivial (and all in the same paragraph - dare I hazard suggesting that this accuracy is at the price of content?)

From: The Press, Christchurch, NZ, 16/2/92, p.9

Free disk proves a flop - NZPA, London.

A New Zealand computer virus has embarrassed organisers of a British magazine promotion in which 18,000 floppy disks were offered free to readers.
Each January issue of "PC Fun" included a giveaway disk, but the editor, Mr Adrian Pumphrey, said the "Stoned" virus was found to have infiltrated the batch.

"It is bad news," he said. "The magazines had already been on the shelves for two weeks before the virus was discovered."

The virus - which prints out the message "Your PC is now stoned" - originated at Victoria University in Wellington about five years ago.

A computer expert, Dr Alan Solomon, who was consulted by "PC Fun", described the virus as extremely common, but said it was a nuisance more than anything else.

"We first saw it in Britain in 1988 and it is now probably the commonest virus here. It is certainly the commonest virus in New Zealand.

"It is not terribly serious; more an annoyance and a nuisance."

However, he said computer users still had to get rid of it. This was so as not to pass it on and because, in some rare instances, it could lead to loss of data.

"It will have been a real pain for `PC Fun'," Dr Solomon said. "But the virus is quite easy to get rid of if you do it right."

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337

------------------------------

Date: 16 Jan 92 10:47:16 +0000
From: RUTSTEIN@hws.bitnet
Subject: Dir-II/Other Stuff (PC)

For those of you still attempting to track the spread of the DIR-II, I had a confirmed report yesterday of a single machine infected in the country of Jordan. The actual path of infection is unknown at this time. As most should know by now, DIR-II is not at all dangerous (relatively), but does spread rapidly and is a bit of a curiosity. Removal is simple using only DOS commands....

In other news, the National Computer Security Association (NCSA) BBS is now fully operational with 5 lines up and running. Number is (202) 364-1304, with the first four lines 9600 V.32, fifth at 2400 MNP.
On-line is virus and security info of all types, latest copies of anti-virus shareware and P/D software, info on NCSA and other anti-virus organizations, etc. {In the interest of full disclosure, I should mention that I've been working on the BBS for NCSA for several weeks now and pouring blood, sweat, and tears into it :) }

Is anyone out there using a disassembler other than sourcer which you feel is superior in some way? If so, how about passing along some info?

Charles

***************************************************************************
Rutstein@HWS.BITNET (Charles Rutstein)
****************************************************************************

------------------------------

Date: Thu, 16 Jan 92 13:41:00 +0200
From: Y. Radai
Subject: Re: Untouchable (PC)

Dusty Flory asks:
> Can anyone comment on the anti-virus package 'Untouchable' by Fifth
> Generation Systems, Inc? It claims to be able to detect both known
> and future viruses without upgrades.

First of all, if all it did were to *detect* known and unknown viruses, there would be nothing new in that. The whole point is that it can also *restore* the original file in almost every case where the modification is due to a virus.

Actually, your question was answered here a month ago. I'll repeat the first part:

>> Untouchable consists of three modules. The main one, UT, is an
>>extension of a program, V-Analyst, which I have been using for several
>>years. V-Analyst is a generic detection program (modification
>>detector), which, in my opinion, is the best of its kind, partly because in
>>addition to checking for modifications, it takes into account several
>>ways in which a virus can propagate without modifying existing files.
>>(It's the only program I've heard of which was ready for companion
>>viruses two years before they appeared, and it's ready for other such
>>methods too.) UT is essentially V-Analyst augmented to include
>>*generic disinfection*.
>>That is, UT stores enough information to be
>>able to restore a file infected by any virus, even an unknown one.
>>(Of course, that doesn't hold for overwriting viruses, and it's
>>possible that there are a few non-overwriting viruses on which it
>>won't work.)

Additional comments:

1. When I said "overwriting viruses", I was referring to those which overwrite program code. It turns out that Ver. 1.0 also doesn't work on viruses which overwrite stack space, such as ZeroHunt and Lehigh, but I'm told that the next version will. I have not yet found any other virus on which it doesn't work.

2. The program will *never* restore a file incorrectly since it compares the checksum of the restored file with that of the original one.

> I received a mailing offering for $99 (normally $165) until 2/1/92.
> Is it worth it?

Imho, yes. (Btw, I heard the official price was $175. Who's offering it for $99?)

Disclaimer: While I know the authors and we exchange ideas, I have no commercial interest whatsoever in this product. I'm simply a satisfied (and experienced) user of the product.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Thu, 16 Jan 92 15:11:57 +0700
From: avi enbal
Subject: ENIGMA virus (PC)

Hello There !

Does anyone know how to deal with the ENIGMA virus? None of our anti-viral software does it (McAfee's v85 only SCANs it).

Thanks in advance

Avi.

Avi Enbal
Computers Communication & Service Dep', Computer Center
UNIVERSITY OF HAIFA
mt'carmel, HAIFA - 31905, ISRAEL
TL. 972-4-240777, 972-4-240925
FAX. 972-4-342097

------------------------------

Date: Thu, 16 Jan 92 14:21:47 +0000
From: a0522457@let.rug.nl (L.E. Plat)
Subject: Smulders-virus found? (PC)

From: Automatiseringsgids (Dutch weekly concerning computer matters; serious) Wednesday 15 January 1992 (w/o permission, I'm afraid)

"Tangram finds virus: Tangram in Utrecht (NL) warns about the recently found 'Smulders'-virus. This virus renames all directories up to two levels deep to Criminal.XXX. In these directories all files are renamed to this name [that's a bit weird, isn't it? MS-Dos wouldn't allow that, as far as I know]. After that follows a message stating that the user should call the nearest police station. Virusscanners do not [as yet, I suppose] recognize this virus. The CRI [Dutch Criminal Investigations Bureau] has been notified."

Dunno if I'm telling anything new with this; I don't read this group regularly. & please no flames about the lousy ('cause on-line) translation.

________________ ______________________________________________________
Bert Plat            'Things as they are / are played upon the blue guitar'
a0522457@let.rug.nl  (Wallace Stevens)

------------------------------

Date: Thu, 16 Jan 92 12:40:59 -0600
From: Jarda Dvoracek
Subject: NO VIRUS in SCANV85 !!!!! (PC)

!!! APOLOGY !!!
!!! NO VIRUS IN SCANV85 !!!

Many thanks to all those responding with information on my last msg. My difficulties were caused not by a virus, but by mistakenly running SCAN with the /AV option, which at least one program (T602.exe) does not accept.
I apologize to anyone to whom I might have caused any trouble with my warning, and to the firm McAfee and its agent:

Association for Electronics & Computers
authorized agent of McAFEE ASSOCIATES
Address: AEC Ltd., Sumavska 33, 61264 Brno, Czechoslovakia
Tel: +42-5-7112 ext. 502
Fax: +42-5-744984
BBS: +42-5-749889
FidoNet: 2:421/16
VirNet: 9:421/101
InterCom: 83:425/1 (NCN mail)

Jarda Dvoracek
1st.Internal Clinic
Faculty Hospital
I.P.Pavlova 6
772 00 Olomouc
Czechoslovakia
E-mail(bitnet): dvoracek @ csearn
Phone: 0042 68 474, ext. 3201(secretary)

------------------------------

Date: Thu, 16 Jan 92 16:21:16 +0000
From: bdh@gsbsun.uchicago.edu (Brian D. Howard)
Subject: Re: Dir-II/Other Stuff (PC)

RUTSTEIN@HWS.BITNET writes:

>In other news, the National Computer Security Association (NCSA) BBS

Is this affiliated in any way with the NCSA (National Center for Supercomputing Applications)?

_______________________________________________________________________________
This space intentionally left what would otherwise be blank were this not here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Thu, 16 Jan 92 12:39:21 -0500
From: Eric Carlson
Subject: Joshi virus removal with FDISK /MBR (PC)

We have a group of 4 computer labs that often get JOSHI. On a lot of these machines we couldn't get rid of JOSHI on the hard drives. We tried CLEANv84, F-prot 2.01, CPAV, and NAV with no luck. (it did work on a few machines) We would:

- Cold boot with a clean write protected floppy
- Clean the hard drive
- Cold boot with a clean floppy again
- Scan and find JOSHI still there

The machines are a mix of 8088, 286, 386sx. MS-DOS 3.30 and 4.01. We had to low-level format the drives to clean them and restore from our clean backups.
We finally solved the problem by using IBM-DOS 5.0 FDISK /MBR even with MS-DOS 3.30 and 4.01 on the hard drives. The lab supervisor is very happy now.

- Eric Carlson - Microcomputer Software Support -
- Northern Virginia Community College System -
- NOVA BBS 703-323-3321 - 14,400 BPS -

------------------------------

Date: Thu, 16 Jan 92 14:19:31 -0500
From: stus5239@mary.cs.fredonia.edu (Kevin Stussman)
Subject: i/o ports (was re: Iraqi virus) (PC)

>> Virus on a chip?? How and when did it go off? What type virus?
>> (it probably wasn't a real virus (not self replicating) but nasty
>> screen killing code on a chip) So now hacking is now legal, but only
>> during wartime against an enemy. (goes with killing)
>
>Nonsense, complete nonsense. If it is in the printer, it cannot force
>you to execute it. It cannot copy itself to the computer. It cannot
>exist. Period.

This brings up an interesting problem. Can it happen via a serial / parallel port? This would mean there has to be direct control over the CPU from a device attached to the port. Usually there is software driving the IO of the port, but can a device seize control and send instructions without driving software?

Now if this isn't possible then I can see that it would be impossible. But just saying NO because it's on a chip is nonsense. There is nothing saying I can't place an EPROM in a strategic place that will place a virus of my choice on a hard drive or floppy, OR DO ANYTHING without even striking a key. If that chip has code to blank the screen, it will be blank before any control is given the user. (how do you think a PC knows where to look for DOS Startup Code -- hardware)

>The whole story is a rumor, just as the "modem virus", an excellent
>article about which was posted by Rob Slade just in time.
>And the rumor in this case is based on an April 1st joke, made by a
>computer magazine.

Where is this article? And it seems strange to me that CNN wouldn't have known this.
Then again, don't believe everything you hear.

K.

+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
Kevin Stussman
-*> stus5239%mary.cs.fredonia.edu@cs.buffalo.edu
    stus5239@mary.cs.fredonia.edu
    UUCP:...{ucbvax,rutgers}!sunybcs!mary!stus5239
-*>Never has so many known so little about so much.<*-
+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+

------------------------------

Date: Thu, 16 Jan 92 21:48:22 +0000
From: hendee%3338.span@Sdsc.Edu (Jim Hendee)
Subject: QEMM386's LOADHI with VSHIELD1 and/or VIRSTOP (PC)

I've noticed that you can use Quarterdeck's QEMM386 and LOADHI to load VSHIELD1.EXE in high memory, as well as FPROT's VIRSTOP.EXE, but you can't load VSHIELD.EXE high (so far as I'm aware). My questions are:

1) When you load these two small anti-viral programs high, do they still work?

2) I noticed that when I tried loading both VSHIELD1.EXE and VIRSTOP.EXE they seem to load okay back to back. In this case, what happens when they *both* detect a virus at the same time? Will they detect it? Is there any percentage in configuring like this (you've mentioned that you should always use more than one virus checker, whenever possible).

3) Why can't you load VSHIELD.EXE high, or can you? Will it still work?

Many thanks for your guidance!

Jim Hendee
Data Manager
Ocean Chemistry Division
National Oceanic and Atmospheric Administration
Atlantic Oceanographic and Meteorological Laboratories
========================
No "official" opinions here, just my own.

------------------------------

Date: Thu, 16 Jan 92 22:07:49 +0200
From: Tapio Keihänen
Subject: Re: Looking for info on "Friday the 13th" virus (PC)

>also Datacrime. If I remember correctly, Monxla, Leningrad, and Omega
>do not format the disk... Or am I wrong? Does any of it at least
>overwrite it? Maybe this has been misinterpreted as formatting... And
>I can't remember what Relzfu does when it activates... :-(

Omega overwrites first sectors of hard disk when infected file is executed on Friday the 13th. Relfzu displays a message saying VirX 3/90 on Friday the 13th and then hangs the computer.

--
Tapio Keihänen | Mesiheinänkatu 2 B 6 | 33340 Tampere | Finland
------------------========tapio@nic.funet.fi========---------------
"You've got some stairs to heaven, you may be right
I only know in my world, I hate the light
I speed at night!" -R.J. Dio, 1984-

------------------------------

Date: 17 Jan 92 10:23:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Form virus infected Dos 5.0 diskettes (PC)

root@itnsg1.cineca.it (Valter Cavecchia) writes:

> were running Dos 5.0. We tried to remove the virus using M-DISK but
> found that Dos 5.0 is not yet supported. Is there a new version of
> M-DISK available? Is there any other way to clean up the diskettes
> (without formatting :-)) ?

No need for that. Just run DOS 5.0 FDISK with the (undocumented) /MBR option, and you'll get the same results as with M-DISK and even better.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De   Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226     Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 15 Jan 92 17:24:54 +0000
From: paulf@ci.deere.com (Paul A. Fisher)
Subject: Virus detectors for Unix? (UNIX)

Are there any virus detectors for unix? The PC's in our company are very carefully watched, but our corporate security department wants to make sure we are covered for Unix as well.

In case it matters we are running Suns, IBM R/S-6000's, and a few DECstations.

Any suggestions or pointers would be greatly appreciated.

--
Paul A. Fisher           paulf@ci.deere.com
Deere Tech Services      ...uunet!deere!paulf
John Deere Road          (309) 765-4547
Moline, Illinois 61265

------------------------------

Date: Thu, 16 Jan 92 14:47:00 -0700
From: "Rich Travsky"
Subject: Gulf War Virus & "Softwar"

Regarding the Gulf War virus: Anyone remember the book "Softwar", by Thierry Breton and Denis Beneich? Came out in 1984. Been a while since I read it, goes something like this: The U.S. allows the Soviets to buy a super-computer. The chips were, uh, slightly modified. Or something like that. You can guess the rest. Fair reading as I recall.

Too bad the Gulf War version seems to be an April Fool's story. (We coulda had a sequel to the book!)

+-----------------+     Richard Travsky
|                 |     Division of Information Technology
|                 |     University of Wyoming
|                 |
|                 |     RTRAVSKY @ CORRAL.UWYO.EDU
|       U W       |     (307) 766 - 3663 / 3668
|        *        |     "Wyoming is the capital of Denver." - a tourist
+-----------------+     "One of those square states." - another tourist
Home state of Dick Cheney, Secretary of Defense of these here UNITED STATES!

------------------------------

Date: Tue, 14 Jan 92 05:48:41 +0100
From: jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers)
Subject: VS920109.ZIP - Virus signatures for HTSCAN/TBSCAN - 920109 (PC)

(Reposted by Keith Petersen)

I have uploaded to SIMTEL20:

pd1:
VS920109.ZIP    Virus signatures for HTSCAN/TBSCAN - 920109

It replaces the existing VS911114.ZIP in the same directory.

Jeroen W. Pluimers
voice: +31-2522-20908 (18:00-24:00 UTC)
snail: P.S.O., attn. Jeroen W. Pluimers, P.O. Box 266, 2170 AG Sassenheim, The Netherlands
jeroenp@rulfc1.LeidenUniv.nl
jeroen_pluimers@f521.n281.z2.fidonet.org

------------------------------

Date: Wed, 15 Jan 92 22:39:28 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Reviews and request (PC + Amiga)

Per recent requests for reviews, the following is my current list (in order):

EliaShim's ViruSafe
Worldwide's Vaccine
Solomon AntiVirus Toolkit
Sophos Vaccine
Fifth Generation's Untouchable

(Of course, any more rumours like this past week, and this could be delayed a long time.)

Now, a request. We haven't heard much from the Amiga people lately. Can I get some feedback on the top Amiga antiviral shareware of recent date?

==============
Vancouver      p1@arkham.wimsey.bc.ca   | "A ship in a harbour
Institute for  Robert_Slade@sfu.ca      |  is safe, but that is
Research into  CyberStore Dpac 85301030 |  not what ships are
User           rslade@cue.bc.ca         |  built for."
Security       Canada V7K 2G6           |  John Parks

------------------------------

Date: Wed, 15 Jan 92 22:41:58 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: "Desert Storm" viral myths

This was pretty much forced on me by the press. There have also been a lot of messages on the topic in alt.folklore.computers.

DEFMTH7.CVP 920115

"Desert Storm" viral myths

The recent spate of reports of a virus which shut down Iraq's air defence system during "Desert Shield/Storm" seems to have started with the series "Triumph Without Victory: The Unreported History of the Persian Gulf War" by U. S. News and World Report. The articles are being rerun in many papers (as well, apparently, as CNN and ABC Nightline), and the article on the virus run in my local paper is specifically credited to USN&WR.
The bare bones of the article are that a French printer was to be smuggled into Iraq through Jordan, that US agents intercepted the printer, replaced a microchip in the printer with one reprogrammed by the NSA, that a virus on the reprogrammed chip invaded the air defence network to which the printer was connected and erased information on display screens when "windows" were opened for additional information on aircraft.

The first question is: could a chip in a printer send a virus? Doesn't a printer just accept data?

Both parallel/Centronics and serial RS-232 ports are bidirectional. (Cabling is not always, and I well remember having to deal, in the early days of PCs, with serial ports which had been used as printer ports, and could not be used as modem ports because the "return" pin had been sheared off, a common practice to "fix" balky printers.) However, the "information" which comes back over the line is concerned strictly with whether or not the printer is ready to accept more data. It is never accepted as a program by the "host".

The case of "network" printers, is somewhat more complex. There are two possible cases: network printer servers and "network" printers (such as the Mac Laserwriters), and they are quite distinct. The print server (on, say, DECnet) is actually a networked computer acting as a print server; accepting files from other network sources and spooling them to a printer. True, this computer/printer combo is often referred to simply as a printer, but it would not, in any case, be able to submit programs to other hosts on the net. The Mac case is substantially different, since the Mac laser printers are attached as "peers". Mac Laserwriters, at least, do have the ability to submit programs to other computers on the network, and one Mac virus uses the Laserwriter as a vector. However, it is unlikely that the Iraqi air defence system was Mac based, and few other systems see printers as peers.
Second question: if it *was* possible to send some kind of program from the printer to the computer system/network, was it a virus?

Given the scenario, of a new printer coming into an existing system, any damaging program would pretty much have had to have been a virus. In a situation like that, the first thing to do when the system malfunctions after a new piece of equipment has been added is to take out the new part. Unless the "chip" could send out a program which could survive, in the network or system, by itself, the removal of the printer would solve the problem.

Third question: could a virus, installed on a chip, and entered into the air defence computer system, have done what it was credited with?

Coming from the popular press, "chip" could mean pretty much anything, so my initial reaction that the program couldn't be large enough to do much damage means little. However, the programming task involved would be substantial. The program would first have to run on the printer/server/peripheral, in order to get itself transferred to the host. The article mentions that a peripheral was used in order to circumvent normal security measures, but all systems have internal security measures as well in order to prevent a printer from "bringing down" the net. The program would have to be able to run/compile or be interpreted on the host, and would thus have to know what the host was, and how it was configured. The program would then have to know exactly what the air defence software was, and how it was set up to display the information. It would also have to be sophisticated enough in avoiding detection that it could masquerade as a "bug" in the software, and persistent enough that it could avoid elimination by the reloading of software which would immediately take place in such a situation.

The Infoworld AF/91 prank article has been mentioned as the "source" for the USN&WR virus article.
There was, however, another article, quite seriously presented in a French military aerospace magazine in February (which possibly prompted the Infoworld joke.) This earlier article stated that a virus had been developed which would prevent Exocet missiles, which the French had sold to Iraq, from impacting on French ships in the area. The author used a mix of technobabble and unrelated facts, somehow inferring from the downloading of weather data at the last minute before launch, the programmability of targets on certain missiles and the radio destruct sequences used in testing that such a "virus" was possible. It has also been rumoured, and by sources who should know, that the US military has sent out an RFP on the use of computer viri as