VIRUS-L Digest   Thursday, 5 Sep 1991   Volume 4 : Issue 157

Today's Topics:

Re: Viruses more common in Mac environment?
Frequency of PC vs. Mac Viruses
Re: Virus Simulator (long) (PC)
Re: Disassembler Info
Re: Norton Anti Virus (PC)
Re: Viruses more common in Mac environment?
Re: Virus Simulators
RE: FPROT 2.0/MIRROR conflict (PC)
Re: Virus Simulator available (PC)
PC Strategy to avoid infection
Invitation to the EICAR / CARO conference

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 05 Sep 91 09:32:17 +0100
>From: Norman Paterson
Subject: Re: Viruses more common in Mac environment?

David Chess (Vol 4 issue 155) points out I may be answering the wrong question. True - I hadn't thought of that. Unfortunately it's much more difficult to answer the more interesting question.

But first let me improve my first answer - how many different Mac viruses are there? The help text in Disinfectant 2.5.1 lists just 10: Scores, nVIR, INIT 29, ANTI, MACMAG, WDEF, ZUC, MDEF, Frankie and CDEF. Some of these are going to be historical curiosities (eg MacMag deletes itself) but others have one or two strains (eg nVIR has A and B). I thought 20 was a generous round number in my previous letter.

Now to the more difficult question: how many copies of each are there out there.
What exactly should we try to count? The number of Macs infected with each kind, allowing that an infected machine will probably have many copies of the infecting virus? Or infected discs? Or should we count reports of infection (assuming that each report is followed automatically by disinfection so we don't count things twice)?

However you define it, I think the only way to get a reliable (but not necessarily useful) figure would be to set up a register of people who would take part in the survey. For example, I am responsible for software security on about 100 Macs, but only about 50 of them are in a situation where I can easily keep track of them. The rest are in people's offices, and I can't control what they do to them. So I would register my 50 easy Macs. Then every month I could send in the number of infections or whatever, even if it is zero. If we had a base of say 10 000 Macs around the world we'd soon get a consistent and meaningful picture building up.

The trouble with the reports that come in just now, without this formality, is that they are sent in at the whim of whoever has just seen a virus. After a few viruses they don't bother reporting and nobody reports if they have no viruses. (ok, perhaps we should assume no report = no infection, save network traffic.)

Disadvantages of the formal system are: it's a lot of work, and it's not obvious how to interpret the results. (Suppose we find that nVIR is not reported for six months. Is it extinct?) On the other hand, the advantage is that we'd have some very interesting numbers to look at. Would it be worth the effort? Is anyone willing to take it on?

In any case, of the Mac viruses I mentioned at the start, I have only ever seen nVIR and WDEF, and neither of these for many months. We zap 'em as soon as they show.

Norman Paterson

------------------------------

Date: Wed, 04 Sep 91 13:44:17 -0500
>From: ROsman%ASS%SwRI05@D26VS046A.CCF.SwRI.EDU
Subject: Frequency of PC vs. Mac Viruses

Aaron Delwiche (in vol 4 issue 152) wrote:
> Somebody recently tried to convince me that viruses were more
> widespread in the Macintosh environment than the PC environment.
> Is this true? It seems to me that the opposite would be true.

ZZZZZZZZZZZip! *>snick<* SNAP!, Okay, the flame suit is on...

The overwhelming number of posted responses seems to indicate that this is not true. My (limited) experience directly supports the original assertion. My wife is in the publishing/page layout business and heavily dependent on Macs. Both she and her employer religiously practice "safe computing" and rarely have troubles. I'm forever hearing about serious damage to other Mac users in the area. Most of the problem seems to come from the limited, but rather common set of viruses that have been around for years.

My theory (as an occasional Mac user and regular PC user) is that Mac users tend to be less aware of the machine and the OS (generally a *good* thing). This seems to allow greater viral propagation before detection. This coupled with more built-in OS hooks for propagation tends to make them more common. I just ran this by a local Mac guru who agrees completely (whew!).

Comments to: Oz@SwRI.edu
Flames to: /dev/null

The opinions expressed are my own, SwRI will disavow any knowledge of my existence.

------------------------------

Date: 05 Sep 91 09:48:00 -0500
>From: "William Walker C60223 x4570"
Subject: Re: Virus Simulator (long) (PC)

The most heated discussions occur when the participants' opinions are extremely opposite each other. Such is the case with the Virus Simulator.

>From: as194@cleveland.Freenet.Edu (Doren Rosenthal) [the author]
> So far the response and cooperation from producers of anti-virus
> products to my Virus Simulator 2.0 has been overwhelmingly positive.
The major players in the anti-virus arena who participate in this list are Fridrik Skulason, Aryeh Goretsky (McAfee), Dave Chess (IBM), Ross Greenberg (Microcom) and Vesselin Bontchev. Also of significant contribution to this list are Tim Martin, Padgett Peterson, and Rob Slade (sorry if I left someone out). So far, Aryeh, Ross, and Rob Slade have not expressed their opinions. Of those that have:

>From: Fridrik Skulason
> I fail to understand why the author of this program believes that
> anyone might find it of any use whatsoever.

>From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
> ... The virus simulator is NOT of ANY USE
> I can see, and will simply generate false security and false paranoia,
> not to mention horribly inaccurate reviews in already inaccurate
> magazines and journals.

>From: "David.M.Chess"
> ... The results obtained from testing any anti-virus
> product with this "simulator" will be essentially meaningless.

>From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
> Consequently, I consider a signature simulator to be of limited value
> as a scanner validator.

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
> It would be a good idea to quote some names and how much professional
> experience do these people have in the anti-virus field indeed.
> Currently I've not seen even one positive opinion from the most
> well-known anti-virus researchers...

Well, I've quoted some names. Looks like Vesselin summed it up pretty accurately.

It seems to me that the real basis for the disagreements about the Virus Simulator are its effects in the real world. Most of the comments are concerning whether or not a "good" virus scanner will identify the output of the simulator as "real" virus infections. Some comments have dealt with the problems of unscrupulous people using the simulator to leave simulated viri lying around. But one subject which both sides have missed is cleanup.
>From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
> Virus Simulator generates controlled programs infected with the
> signatures (only) of every known virus available.

If the "bait" files contain only the signatures, then how can one test the removal capabilities of an anti-virus package? You can't. An anti-virus package may be able to detect 100% of all known viri, and maybe even the simulated viri in the "bait" files, but if its recommended cleanup action is "ERASE *.*" or "FORMAT C:," how useful is it? I think that the more useful package is one which could detect 90% (or whatever) of all known viri, and 100% of the most common viri, AND REMOVE THEM ALL without deleting the files outright (well, the parasitic ones, at least). Suppose this useful package couldn't detect ANY of the simulated viri, because it used different signatures and/or an algorithmic approach. Should it be punted in favor of the less useful one? NO!

Our service license for ViruScan is about to expire. I am evaluating several anti-virus packages (including ViruScan again) to determine which ones will be selected for the next service license. One thing that I am considering is a complaint by several people that at least one version of ViruScan did not successfully remove Jerusalem-B or TP-44 from .EXE files. Fortunately, I have copies of those viri that I can use for testing a package's ability to clean them up. If I did not, I would either have to get the viri, have someone else test the packages, or take the vendors' word. Virus Simulator would be totally useless in this evaluation; however, this comes back to Virus Simulator's original premise.

>From: turtle@darkside.com (Fred Waller)
> Quite a few people would like to test virus scanners but are unable
> to do so because they do not have access to the large collection of
> viruses that is necessary to perform such tests.

Not everyone who uses an anti-virus package has access to several genuine viri, and some don't have access to ANY.
Therefore, their evaluations of a package's effectiveness would have to depend largely on vendors' claims and media reviews. Vendors' claims will, by their very nature, be biased. Media reviews, as has been pointed out many times on this list, also have sources of bias, in spite of their attempts at objectivity. An independent source of information and product reviews would be greatly welcomed.

Patricia Hoffman's VSUM document is an excellent starting point. In addition to the virus information it contains, it also lists which major (and some minor) anti-virus packages detect and remove each virus, even indicating which is the earliest version which will detect a given virus. But, VSUM is difficult to use in this manner, as there is no index to this part of the list.

There is also a person or two (forgive me for not mentioning names - I don't remember them right now) who regularly post product reviews and/or tests to this list. While I don't know their affiliations to anti-virus vendors, I would wager that they are relatively bias-free. A compilation of these reviews/tests could be put together and made available via anonymous FTP from CERT and wherever.

>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
> ... My opinion is
> that such collection should be available at some central organization
> (VTC?, CERT?, NIST?, NCSC?), and this organization should perform an
> objective test of different anti-virus products.

This is a much better idea than making a virus simulator. NCSC maintains an Evaluated Products List for security products, which indicates their ability to perform prescribed security functions. There is no reason why they ( or another group (Ken??) ) couldn't maintain a similar list for anti-virus products. Testing in this manner could be accomplished by someone much more familiar with viri and anti-virus packages than, for example, an MIS director of some company.
The results would be unbiased, and would probably be more reliable than if the products were tested in-house.

Finally, one last comment about Virus Simulator.

>From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
> It's now available from a number of sources if you'd
> reconsider actually trying it.
> Compuserve as "VIRSM2.COM", EXEC-PC and several other BBS ( including
> SLO-BYTES (805) 528-3753 ) as "VIRSIM20.COM".

Bad move. Even if Virus Simulator was of some use, letting any Tom, Dick, and Harry download it is an EXTREMELY POOR way of distributing it. Providing it to vendors of anti-virus software to distribute to licensed customers would have been much more logical. As it is:

>From: dkarnes@world.std.com (Daniel J Karnes)
> It is great for upsetting network administrators etc when those
> silly bogus virii start popping up at the hands of those who are
> jerks. I spent a lot of time verifying that there were no REAL ones
> under just such circumstances recently.

People who are tasked with finding and removing viri do not like wasting time tracking fake viri (for that matter, they don't like tracking REAL ones, but that's a necessary evil). Companies who pay people to find and remove viri don't like having to pay for that time, either. I and others have recently put in a total of about a man-month chasing down some real viri. Imagine how bad managers would be hacked-off if they found that they paid to track down fake ones.

Well, enough of that. It's someone else's turn.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) |
OAO Corporation                        | "Non sequitur -- your facts are
Arnold Engineering Development Center  |  un-coordinated."
M.S. 120                               |                    -- NOMAD
Arnold Air Force Base, TN 37389-9998   |

------------------------------

Date: 05 Sep 91 15:29:23 +0000
>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disassembler Info

d89-zke@nada.kth.se (Zoltan Kelemen) writes:

> The best disassembler is your own brain, aided by DEBUG.
> I don't
> understand how on earth normal disassemblers can handle
> encrypted/self-modifying/bizarre code.

Well, in general this is true, but some disassemblers aid the brain better than DEBUG... :-) SOURCER being one of them. As to the encrypted viruses, I usually force them to decrypt themselves in memory (each encrypted virus has to have a decryption routine), then I save the whole thing in a file and submit this file to the disassembler.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev        Universitaet Hamburg, FB Informatik - AGN
Bontchev@Informatik.Uni-Hamburg.de  Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 05 Sep 91 11:47:41 -0400
>From: "John D. Hopkins"
Subject: Re: Norton Anti Virus (PC)

> I have a question (probably asked earlier but I was not here). Is NAV
> known for finding AIDS virus in error? I recall seeing this
> -somewhere- but cannot find reference. This information would help me
> restore peace of mind (or utter terror) to the mind of a local sysop.

As near as we have been able to tell, Norton DOES give false alarms of the AIDS II virus. Whether it does the same for the original AIDS, I can't say. We have a disk that Norton reported infected by AIDS II, but that McAfee, TBScan, and FPROT have all reported to be clean. I believe Norton is outvoted on that one.

+-------------------------------------------------------------------------+
| John D. Hopkins, Operational Support    | jhopkins@cbacc.cba.uga.edu    |
| Terry College of Business Computer Ctr. |              or               |
| University of Georgia, ph.(404)542-3829 | JHOPKINS@UGA.BITNET           |
|-------------------------------------------------------------------------|
| "Laugh and the world laughs with you.  Sneeze and it's goodbye Seattle."|
|                                                        -- Steve Martin  |
|                                                                         |
+-------------------------------------------------------------------------+

------------------------------

Date: 05 Sep 91 15:46:47 +0000
>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses more common in Mac environment?

CHESS@YKTVMV.BITNET (David.M.Chess) writes:

> different strains of virus. It's certainly true that there are more
> different viruses for PCs than for Macs. But that doesn't tell us
> whether or not there are more infected PCs than infected Macs, or a
> higher percentage. I'd be very interested in any data that anyone has
> on that question.

Well, according to my statistics, only in Bulgaria alone, the PC viruses are more widespread than the MAC ones in the whole world...

> (Remember: the vast majority of 'known' PC viruses have never been
> known to infect a real user. Is that also true for the Mac?)

This can be argued too. For instance, the 605 variant of the stupid AntiPascal viruses was first detected in the wild in Bulgaria... It's the same with many other viruses that come from there and that others (e.g., Patti Hoffman) consider as "research", "extinct" or "rare" ones - they are often quite common in Bulgaria.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev        Universitaet Hamburg, FB Informatik - AGN
Bontchev@Informatik.Uni-Hamburg.de  Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 05 Sep 91 16:04:21 +0000
>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Simulators

turtle@darkside.com (Fred Waller) writes:

> > I fail to understand why the author of this program believes that
> > anyone might find it of any use whatsoever.
>
> Currently, there is no independent means of testing and verifying
> virus software.
> Simply having the word of a seller/producer has, of
> course, never been enough, and is not likely to ever be; the danger
> of collusion is simply too great for any reasonably-cautious
> consumer to accept it blindly.

Yes, indeed, and this is a quite old and well-known problem. It is still unsolved, and I don't see it solved in the near future. And the notorious virus simulator is certainly not a step towards the solution. It just shows that simple scanning may cause false positives (something that everybody knows... or doesn't?).

> apply to themselves), outfits such as Rosenthal Engineering perceive
> the obvious need for some sort of "test method" without using hard-to-
> get actual virus samples. Of course, it is not enough. However,

Yes, there is a need of such method. Of course, Rosenthal's program is NOT such method. Of course, it is "not enough" and of no use at all.

> instead of complaining about its inadequacy, we might have addressed
> the reason for the appearance of such software. I fear we are not
> doing that at all, but should.

Once again? But wasn't it addressed widely enough? At least I've seen this problem addressed in most professional journals that test anti-virus products... Virus Bulletin comes to mind at once.

> viruses that is necessary to perform such tests. Virus Simulator
> doesn't test accuracy, but it does something else that's very
> interesting.

It doesn't "test" anything. It just fools some (stupid) scanners and that's all.

> > .....the Virus Simulator does not create viruses - therefore there
> > is no reason why an anti-virus program should report any of the
> > files it creates to be infected.
>
> But they do. Every one of the hundreds of "fake virus" files produced
> by the Virus Simulator succeed in triggering every virus scanner
> commonly used: SCANV, F-PROT, VIRX, IBM VIRASCAN, TBSCAN, etc. etc.
> They all denounce its "fake virus" files as if they indeed contained
> true viruses, though not all scanners report the same virus in the

It's normal for SCANV (true name is VIRUSCAN, as far as I know), IBM's VIRSCAN, TBSCAN, HTSCAN - all these are not virus scanners - they are pattern matching engines that verify the presence of a pattern (possibly including wildcards) in the files. Don't have enough information about VirX. However, F-Prot and Dr. Solomon's Anti-virus Toolkit are anti-virus tools, that also carefully check whether a file that is found to contain a virus signature is really infected. I am pretty sure that if you test carefully these on the fake "infected" files, you'll notice that they do not tell you that the file is INFECTED by a KNOWN virus and do not try to disinfect it. (If they do, this is a bug, and you should report it to the authors of these programs.) Especially F-Prot probably says that the file is "Possibly infected" or "seems to be infected by a new variant of..." and refuses to disinfect the file. Check it again, and you'll see that I'm right.

> same file. If nothing else, Rosenthal's Virus Simulator is a
> sobering educational tool which demonstrates how easy it is to fool
> all of the current scanners into producing false alarms, and how
> little uniformity there exists in virus nomenclature!

Oh, well, but this is rather well known... Do we need a special program that demonstrates it? I have even heard about the existence of a program in Bulgaria (or a set of programs) that get a known virus, a copy of SCAN.EXE, and after a few tries reports the scan string that is used by SCAN (or any other anti-virus program), and even suggests where it should be modified, in order to make the virus not detectable by this particular scanner.

> Precisely.
> In reality, the files are not infected at all, but as far
> as the scanners are concerned, those files *appear* infected and are

Again, a good scanner (or a good anti-virus tool more exactly) shouldn't report that these files are infected by a KNOWN virus. If you insist, I can send you my anti-virus program (with a list of the viruses that it detects), and I'm pretty sure, that it will not get fooled by any of the "simulated" viruses.

> reported as such. And that points out a weakness of the scanning
> method better than any theoretical consideration I've seen.

This only means that you are unable to understand the appropriate theory and need such childish example. Well, maybe you're right after all - there certainly exist other people that will need it too...

> Probably not by chance. The code used in Rosenthal's fake viruses
> seems to trigger the scanners reliably every time... as intended.

It DOES NOT trigger RELIABLY any RELIABLE anti-virus program.

> Not `some scanners', and not `in some cases'. They cause all scanners
> (which I tried) to trigger in all cases, every time. It's remarkable.

What is remarkable is the fact that you consider it as some kind of wonder... :-)

> Of course. And as soon as somebody invents this "perfect virus
> detector", Rosenthal's Virus Simulator will cease to be of interest.

I repeat. F-Prot and Dr. Solomon's Anti-virus Toolkit. None of them will disinfect any of the test files. The same goes for my anti-virus program, although it is far from perfect and cannot compare with the two listed above.

> Until then, it remains a remarkable and interesting program which
> demonstrates how imperfect the virus scanners really are.
>

How can an obvious fact be so "remarkable"?

> Not misleading. The signatures don't need to be specially "provided
> by the author of the anti-virus program"?. The signatures are
> contained in each issue of each scanner.
> Sometimes, they are modestly
> encrypted for reasons that were never satisfactory to me but, in any
> case, it's child's play to decrypt them. If not decrypted, they may
> be otherwise simply derived. I do not think that Rosenthal's

Yes. All this means that Rosenthal has fished these signatures from the different scanners. Therefore, they have been provided by the scanners' authors (since he didn't bother to find these signatures from the live viruses).

> statement was misleading at all. In my experience, his program does
> what he announced, and does it very competently, although some of the

This would be true, if the program simply states that it generates files, which cause false positives and fool some of the popular scanners. Is this what is stated exactly in the program's documentation? I have the impression, that the author claims that his program is some kind of "test". It isn't.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev        Universitaet Hamburg, FB Informatik - AGN
Bontchev@Informatik.Uni-Hamburg.de  Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: Thu, 05 Sep 91 10:43:46 -0600
>From: Diskmuncher
Subject: RE: FPROT 2.0/MIRROR conflict (PC)

>Date: Wed, 04 Sep 91 16:11:49 +0000
>From: Fridrik Skulason
>Subject: F-PROT 2.00 and MIRROR conflict (PC)

>Several people have informed me of a conflict between VIRSTOP.EXE (a
>part of version 2) and MIRROR from Central Point Software.

>This will be corrected in version 2.01, but until then don't load both
>programs at the same time.

There are other conflicts that VIRSTOP seems to have with Central Point Software's PC Tools Deluxe programs. During the beta-test phase (I haven't tried it since receiving the official release) I discovered that if VIRSTOP is loaded AFTER PC-SHELL goes resident (TSR), the PC will crash when you load a program of any significant size (i.e.
FORMAT worked, but DOSSHELL (DOS 5.0) crashed). The MIRROR conflict happens with both the PC Tools version and the DOS 5.0 version.

The solution I found was to load VIRSTOP AFTER MIRROR but before PC-SHELL and other TSR's. In fact, if I remember correctly the PC-Tools manual explicitly states that MIRROR must be loaded first in the AUTOEXEC.BAT

John-David Childs
Consultant, University of Montana
con_jdc@lewis.umt.edu

------------------------------

Date: 05 Sep 91 15:52:47 +0000
>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Simulator available (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

> technicians how to recognize viral activity. For example if a scanner
> detects the STONED virus in memory yet "655360 total bytes memory" is
> reported, one might logically expect that there has been a false negative.

Nope... This might be a Stoned variant that installs itself in memory in a different way. Say, by not decreasing the total amount of memory at all (like the Stupid virus), or by waiting until COMMAND.COM is loaded and increasing its MCB right before any other program is loaded (as a new Bulgarian virus - Compiler - does)... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev        Universitaet Hamburg, FB Informatik - AGN
Bontchev@Informatik.Uni-Hamburg.de  Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991: Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date: 05 Sep 91 09:13:06 +0000
>From: cssr@hippo.ru.ac.za ( Mr S. Rahim )
Subject: PC Strategy to avoid infection

STRATEGY TO AVOID INFECTION
===========================

1. Backup often and keep multiple copies of the backups. Virus infections can be present for a long time before becoming obvious. Keep a log of dates for the copies and try to trace the most possible way of infection.

2. Do not run programs with dubious origins.
These include illegally copied software, shareware, programs which have been downloaded from a BBS where they haven't been tested. Note that a program which has been around is a likely candidate for viruses.

3. Test all software before installing on to the harddisk. This should be carried out on the floppies.

4. Beware of software and floppy disks sent in mail which were not ordered. Check if the software has the following:
   - The developer's name and address.
   - Appropriate documentation.
   An example of this was the AIDS trojan. This was supposed to be an expert system but it turned out to be a blackmailing scheme.

5. Change .COM and .EXE file attributes to Read Only. This will work against the first generation viruses although the Second and Third generation viruses will have no problem getting through it.

6. Use write protect tabs on all the floppies. Remove them temporarily if you wish to write to disk but replace them when finished.

7. Never boot your machine from a floppy disk if you have a hard disk. If you do boot from the floppy make sure that the floppies are clean.

8. Handle lowlevel tools carefully. They are excellent for viruses but can lead to damage if not used carefully.

9. Run a complete check on your computer periodically. This is sure to catch a virus that might have got through before it has any chance to unleash its payload. This is due to the fact that you cannot be confident that the prevention system installed has worked.

--
============================================================================
Computer Science Dept, Rhodes University, Grahamstown, South Africa
Internet : cssr@hippo.ru.ac.za
----------------------------------------------------------------------------

------------------------------

Date: Thu, 05 Sep 91 17:56:24 +0600
>From: ry15@rz.uni-karlsruhe.de
Subject: Invitation to the EICAR / CARO conference

Finally I can send the invitation to the European anti virus conference of EICAR / CARO.
We hope to see many of you in Brussels!

Trends in computer viruses

The virus threat has clearly not lessened over the past years and it will continue to get worse. The number of MS-DOS viruses will reach 1000 this year. Managers as well as PC specialists ask: "Are viruses just a good story or are they really dangerous to the valuable information on PCs?" Many companies have already had virus accidents and lost data, time and money. Managers are not always aware that this is happening. The virus threat, and actions against viruses are often just talked about until the first appearance of a virus, and sometimes the discussion even continues until the first damaging virus. It is possible to formulate a sensible anti-virus strategy, consisting of Procedures, Organisational rules, Education and Technical Means. This seminar is designed to help you to do that.

EICAR and CARO

It is necessary for research groups and manufacturers of hard- and software - especially of anti-virus products - to cooperate, because of the rapidly growing number of viruses. So the first meeting of European virus experts was organized together with a seminar and workshop in Hamburg at the beginning of December 1990. The participants of this conference founded the worldwide CARO (Computer Anti-Virus Research Organization) and EICAR (European Institute for Computer Anti-Virus Research). The formal foundation of EICAR will take place in Brussels just before this seminar.

The seminar and the workshop

The seminar offers an up-to-date introduction to computer viruses and similar malicious software. Trends as well as methods and tools for virus detection and cleaning of systems will be presented first. Special topics will be discussed in working groups (second day).

What you will take with you

After an interesting seminar it is very helpful to have printed material and tools available which gives also an important support by introducing new methods or tools.
Each participant will get:

Seminar proceedings and slides, EICAR information, Dr. Solomon's Anti-Virus Toolkit, Anti-Virus package F-PROT, BFKTools, Back issues of Virus News International, Virus Catalogue (VTC Hamburg), Belgian PC-magazine

The participants will get some more publications and products which are not fixed yet.

Meet the experts in Brussels

Meetings of CARO and EICAR special technical committees will take place in Brussels during the seminar. This means that the participants at the workshop will be able to discuss their problems with all of the European virus experts. They will have the possibility to meet for example:

Vesselin Bontchev, Prof. Dr. Klaus Brunnstein, Dave Chess, Ruediger Dierstein, Christoph Fischer, Roger Gustafsson, Steve Hill, Joe Hirst, Detlev Hoppenrath, Prof. Dr. Joerg Muehlbacher, Tony Naggs, Christian Schmidt, Fridrik Skulason, Dr. Alan Solomon, Franz Swoboda, Morton Swimmer, Michael Weiner.

This is the greatest concentration of anti-virus expertise ever assembled - if these experts cannot help you, no-one can.

Who should attend the seminar?

The participants of the seminar should have some experience in using personal computers but no special know-how is required. A wide range of managers and professionals will be addressed: PC support professionals, LAN managers and supervisors, DP management staff, managers responsible for data security, PC users receiving or mailing software, etc.

The speakers

The introduction to the virus threat will be presented by Dr. Alan Solomon, S&S International, on the first day of the seminar. He is one of the outstanding professionals in this area. Other experts like Prof. Dr. Klaus Brunnstein, Ruediger Dierstein, Prof. Dr. Bart De Schutter and virus experts from different countries will present special topics. All lectures and discussions will be given in English language; no simultaneous translation will be prepared.
Your contribution to the seminar

Due to the fact that presentations will be given in plenary sessions as well as sessions of small working groups it will be possible to concentrate discussions on special topics which are proposed by participants. Therefore please write down your suggestions for topics of interest. You can use the application form for this purpose. You can also bring with you for example suspect diskettes or PCs. They can be checked during the seminar.

More information on products

Sometimes it is not so easy to get enough information about products. Therefore some manufacturers of hard- and software will be present during the seminar and exhibit their products. Furthermore some PCs will be available in order to demonstrate anti-virus products and to check out possibly infected diskettes.

Belgian evening

For those who will arrive already on Monday 23, a coming together meeting will be arranged. Most of the virus experts will participate. One of the very important objectives of such a seminar will be to make new contacts. Therefore the participants and the virus experts will have an informal meeting on the evening of September 24.

Seminar Programme

September 24, Seminar

The first day consists of a survey about the present situation as well as new problems which are coming up. Mostly, on day one, PC viruses will be covered:

   PC-viruses today
   How a PC works with respect to malicious software
   How a virus works: present techniques like stealth
   Damages done by viruses including side-effects
   Detection of viruses and cleaning of systems
   Precautions: techniques using soft- and/or hardware
   Other malicious software like worms and Trojans
   Virus scene in European countries and worldwide
   What's going on in 1992?

Many demonstrations will lead to interesting discussions and exchange of experience. While the major meeting takes place, the experts will be convening in workshops to cover various topics in considerable depth.
September 25, Workshop

Mainly working groups will meet. The topics will also cover viruses on computers other than PCs.

   Viruses and mainframes, UNIX-viruses, Viruses and PC-networks, EICAR

The results of the working groups as well as the EICAR meetings will be presented in a final plenary session.

Fees

The seminar fee is 1.800,- DM for the first participant of a company or organization. Additional attendees will get a reduction of 10%. Members of scientific institutes and handicapped will pay 1.200,- DM only. VAT is not included! The fees are mainly used to be able to pay the travelling expenses for the virus experts coming from scientific institutes.

Registration

Please send the attached form to the address printed on this form. If you have received the seminar leaflet from one of our associates please write a short remark on your application form. Please use the address printed on the form. In case of any question or if you are missing the registration form please contact the organizer of the seminar:

   Guenter Musstopf, perComp-Verlag GmbH
   Holzmuehlenstr. 84, D-2000 Hamburg 70
   phone: 0049 (40) 6932033, fax: 0049 (40) 6959991
   e-mail: percomp@infohh.rmi.de

The number of participants is restricted. Reservations are taken in the order they arrive at perComp-Verlag or MU-Innovation. Therefore you should send your registration form as soon as possible. The confirmation of your registration and the invoice will be posted to you. Cancellations can only be accepted after a written notification received at least September 06, 1991. An administration fee of 150,- DM will be accounted. If the seminar is cancelled by the organizers for any reason or by circumstances beyond their control, any pre-paid fees will be refunded in full.

Accommodation: We will send you a list of hotels in different price categories. Please make your reservation as soon as possible and add a notice that the seminar will be held at the European Community as an expert meeting.
This gets you a special price. This holds only true for the hotels which are on this list.

We are looking forward to meeting you in Brussels.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 157]
******************************************