VIRUS-L Digest Thursday, 11 Apr 1991 Volume 4 : Issue 59 Today's Topics: AF/91 - John Gantz "joke" in Infoworld New virus (PC) ? ("evil empire") Re: virus infection by inserting a floppy (Mac) Re: Am I subject to viruses? SNEFRU and other hash algorithm weaknesses Unix and viruses (UNIX) Need help with Beijing Virus (PC) Am I subject to viruses? How big is the virus problem ?? re: Possible hypercard virus (Mac) Virus in disk-validator (Amiga) virus infection by inserting a floppy (Mac) Detection of viruses (PC) Boot sector viruses on IDE hard disks (PC) Unix viruses (UNIX) Re: Possible hypercard virus? (Mac) Call for papers--3rd Workshop on Computer Security Incident Handling VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 10 Apr 91 18:08:00 +0000 >From: sharp@mizar.usc.edu (Malcolm Sharp) Subject: AF/91 - John Gantz "joke" in Infoworld In the April 1, 1991 issue of Infoworld, John Gantz in his column "Tech Street" warned of a virus called "AF/91" which he said was developed by the NSA to be used against Iraqui defense computers. After describing the virus and telling that it started spreading uncontrolled, he told that windowing technology was "doomed." In the same issue, columnist Robert Cringely discussed Windows 3.0 vulnerability to viruses saying it "has lots of holes for custom viruses to slip through." In the April 8 issue, Mr. Gantz's column begins with a note from the Editors saying AF/91 was all an April Fools joke. I'm not laughing. I'm searching for the adjectives to describe this irresponsible act. Anyone else spend time investigating this virus from the 4/1 columns? I'm *seriously* considering a class action suit for compensatory (small $) and punitive (BIG $$$) damages. Interested in hearing from others. Malcolm Sharp, U.S.C. (Opinions are my own and don't reflect those of my employer... though we did just double the size of our Law Center.) ------------------------------ Date: Wed, 10 Apr 91 22:13:13 +0000 >From: martin@cs.UAlberta.CA (Tim Martin; FSO; Soil Sciences) Subject: New virus (PC) ? ("evil empire") Has anyone else found a DOS boot sector virus that gives an eight line message about the USA being the real "evil empire" in the "impending war with Iraq"? It is on several of our more public computers at U of Alberta, and we are wondering whether it was locally written. The virus is a "new stoned" variant, according to the F-DISINF and F-SYSCHK programs. Please notify myself, and also Peter Johnston. Peter is at usergold@mts.ucs.ualberta.ca. Thanks, Tim Martin Soil Science U of Alberta tmartin@vm.ucs.ualberta.ca martin@menaik.cs.ualberta.ca ------------------------------ Date: 11 Apr 91 01:03:03 >From: Y301E05@AWITUW01.BITNET Subject: Re: virus infection by inserting a floppy (Mac) I can only provide an answer for Macs. It is possible, and in fact there is a virus called "WDEF" which uses this method. This virus infects the invisible Desktop file which resides on every floppy and hard disk. This file is examined by the Finder when the floppy is mounted and the virus resource gets loaded into memory. On the other hand there are a lot of anti virus tools (commercial and free) which address this problem an wipe out all known viruses that use this method. One of them (called SAM Intercept) can be configureds to scan every floppy that is inserted into the Mac, and will give you an alert and the option to kill the virus. Since the invisible Desktop file will not be used in System 7.0, i can+t say, if viruses will be able to infect Macs running with System 7.0. I hope this helps Stephan Bublava y301e05@awituw01.bitnet ------------------------------ Date: 10 Apr 91 23:35:03 +0000 >From: news@umd5.umd.edu (USENET) Subject: Re: Am I subject to viruses? Pandy Holmberg writes: >pcsbbs!fff@uunet.uu.net writes: > >> I know that this is the kind of question that only a novice would ask. >> Well, I am a *rank* novice in Usenet, UUCP, and telecommunications in >> general. Please bear with me. The question is: >> >> If I connect to a site where I always initiate the call, only exchange >> email and receive netnews, am I subject to receiving a virus. My >> modem is never left on and the port is not enabled for a login. > >The answer is NO. As long as you just use your computer as a terminal. >As soon as you start downloading files, the danger appears... HOLD IT! IF he uses his computer only as a terminal then he is safe. However, it is not clear that is what he does. He mentions USENET and UUCP. He says that he initiates the call to exchange email and netnews. He says that the port is not enabled for login. That implies to me that he is running his own Unix machine and uses UUCP to send and receive email and netnews. That means that he is transferring files. Even worse it means that he allows "rmail" and "rnews" to be remotely executed on his machine. I don't know what software and version he is running, but it is possible that there may be deliberate or accidental trapdoors in that software. Just after the Internet worm incident, there was some discussion on whether or not something similiar to the sendmail or fingerd attack could take place via UUCP. I don't remember the conclusion, but I wouldn't want to guarantee that he is safe. If he is concerned, taking a few minutes to look at the source code for "rmail" and "rnews" would not be unreasonable. Bill Bogstad ------------------------------ Date: Thu, 11 Apr 91 03:35:00 +0000 >From: William Hugh Murray <0003158580@mcimail.com> Subject: SNEFRU and other hash algorithm weaknesses James Kirkpatrick writes: > - SNEFRU was discussed on this list, but I was dismayed to find it > had been broken, and that Merkle's response was to increase the > number of passes. This worries me because of the experience of > knapsack cryptosystems, where a single-iteration system was first > broken, followed by the introduction of multiple-iteration systems, > which were in turn broken (at least, that is my recollection; I may > have some details wrong). Well, with the same limitations on "details," and without commenting on SNEFRU, the following may be helpful. The DEA is an iterative system. There is a demonstration (Adelman?) that its strength goes up rapidly with the number of iterations, such that at sixteen (the number required by the standard) its strength reaches the point where an analytic attack is as expensive as an exhaustive attack against the key. (My recollection is that Adelman was attempting to demonstrate the power of his analytic attack rather than the strength of the algorithm.) Hellman set out to demonstrate the general inadequacy of the length of the 56 bit DES key; in the process he demonstrated its adequacy for many applications. I have always been grateful to him for his explication of the work required to break it, which is, conversely, a measure of its strength. (It should be noted that while the length of the key in the DES is specified to be 56 bits, the effective key length in DEA implementations is arbitrarily long. For example, IBM uses a 112 bit key in some applications.) While recovering a great deal of ENIGMA encoded traffic, ULTRA demonstrated that, with reasonable key management, ENIGMA is a formidable mechanism. Anything hit with a sufficiently large hammer will fall to pieces. The cost of the hammer is a measure of the strength of the thing. If the cost of the attack exceeds the value of its success, then the thing is economically unbreakable. For most purposes, that is good enough. ____________________________________________________________________ William Hugh Murray email: 315-8580@MCIMAIL.COM Information System Security WHMurray@DOCKMASTER.NCSC.MIL Consultant to Deloitte & Touche MCI-Mail: 315-8580 ------------------------------ Date: Thu, 11 Apr 91 03:36:00 +0000 >From: William Hugh Murray <0003158580@mcimail.com> Subject: Unix and viruses (UNIX) >a. That MS-Dos viruses (is this an all-encompassing term for things >that tamper with and destroy the OS and programs?) Perhaps, yes, but inappropriately so. True viruses are a special case. >have conceptual >parallels in the Unix o/s. i.e. the kernel is equivalent to >COMMAND.COM, the file system superblock is equivalent to the FAT, etc. Not true. There are no successful live viruses in the Unix environment. There are four necessary conditions for the success of a virus: 1) (very) large population of similar machines; 2) sharing among members of that population; 3) the ability of the user to execute an arbitrary program of his own choice; 4) storage into which write a modified executable. Unix does not appear to meet conditions 1 and/or 2. Other Trojan Horse attacks might be aimed at a specific Unix machine; these would be several orders of magnitude less serious than a successful virus. >b. That all "security" to read and write as a superuser has already >been breached and that this breach has gone undetected. Viruses and all other Trojan Horse attacks rely upon user privileges for their success. There is no requirement to bypass security. In fact, a virus that depended for its success on such a condition, clearly would not meet condition 1 above. On the other hand, if your b. is the case, then viruses and other Trojan Horse attacks are the least of your concerns. Viruses are Trojan Horses that wish to spread their influence. Trojan Horses are attacks against good security. In the absence of good security, neither is indicated or necessary. >c. That one workstation with a bootable hard disk is accessible to the >individual planning to damage the system. This condition is easily met in the MS-DOS environment; much less so in in the Unix environment. (You should note that viruses depend upon the fact that the same program will run in all systems in the target environment. While one can conceive of a virus that might spread from an MS-DOS workstation to a Unix workstation or multi-user system (if that is what you have in mind), it is highly unlikely that such a program would meet the conditions for success.) While some kinds of Trojan Horse attacks might target such a device, viruses are aimed at the population as a whole rather than to any specific machine. >d. That the individual is sufficiently sophisticated to avoid leaving >obvious clues (file sizes, dates, etc.). Well, that excludes all viruses. It is possible to conceive of a virus that was so subtle that it left no evidence; on the other hand, if you never notice that you have been damaged, then you have not been damaged. No such virus has ever been detected, for obvious reasons. All the reported viruses have done something noticeable. Since the intent of a virus is to spread, and since if it has no symptoms, the author cannot know if it is successful, few people would write such a virus. >e. We should consider that the individual may have access to the o/s >source code. I assume that you mean that an attacker would have special knowledge of the operating system, since if he has WRITE access to such code, no other attack is necessary. While it is likely that some virus authors have such special knowledge, few exploit it and, since viruses need only exploit user privileges, it is neither necessary nor even particularly useful. >I am particularly interested in comments about: > >a. Known attacks on Unix o/s involving tampering with the o/s kernel >and commands. Indeed, you may well be. (Of course, attacks against the kernel are substantively different from those involving commands.) Given the mode of operation of many Unix systems, sophisticated attacks are rarely needed. I suggest that you read Ken Thompson's Turing Award lecture and Cliff Stoll's "The Cuckoo's Egg." They have already recorded far more than I am likely to tell you. ____________________________________________________________________ William Hugh Murray 203-966-4769 Information System Security 203-326-1833 (CELLULAR) Consultant to Deloitte & Touche 203-761-3088 Wilton, Connecticut email: 315-8580@MCIMAIL.COM WHMurray@DOCKMASTER.NCSC.MIL MCI-Mail: 315-8580 TELEX: 6503158580 FAX: 203-966-8612 Compu-Serve: 75126,1722 21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY New Canaan, Connecticut 06840 PRODIGY: DXBM57A ------------------------------ Date: Wed, 10 Apr 91 16:53:34 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Need help with Beijing Virus (PC) EMERSON@TURING.SDC.TASC.COM writes: > this? I have something that may work, but I need a SIGN.TXT file to > run it with. Could I get a copy of this? Any help is greatly Your statement indicates that what you have is FPROT. If you have been given only the F-FCHK program, you do not have the full package, as SIGN.TXT is included in it. The file FPROT114.ZIP should contain the entire suite, and is available on many servers and local bulletin boards. (frisk has also been promising 1.15 RSN for a while now, and it may be available by the time you read this. :-) ============= Vancouver p1@arkham.wimsey.bc.ca | "Is it plugged in?" Institute for Robert_Slade@mtsg.sfu.ca | "I can't see." Research into (SUZY) INtegrity | "Why not?" User Canada V7K 2G6 | "The power's off Security | here." ------------------------------ Date: Wed, 10 Apr 91 16:41:53 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: Am I subject to viruses? pcsbbs!fff@uunet.uu.net writes: > If I connect to a site where I always initiate the call, only exchange > email and receive netnews, am I subject to receiving a virus. My > modem is never left on and the port is not enabled for a login. Actually, your question, even as specific as you have made it (and thank you for all the details you *have* given) is not completely straightforward. First point: what is your local machine? If it is a PC, and you are using it just as a terminal, you should be almost completely safe. I say "almost", because there are instances of codes imbedded in text that can gain "access" to the low levels of your machine, but they would be very much subject to the specific terminal program you are using, and the configuration both of it and of your PC. As these codes have so far been seen only in "trojan" situations, and given the configuration specific nature, this is highly unlikely to be of concern to you. If you are using a workstation, and connecting in a network or pseudonetwork configuration (I am extrapolating from your comment about the port not being enabled for a login) you may possibly be at greater risk If you are simply using a terminal, you may still be subject to a "denial of access" viral situation, although you would be safe from local data loss. Some terminals (and I won't go into details because they are available in back issues of VIRUS-L) will accept text as commands to "remap" the keybaord, and then to "send" the remapped commands. These "new" commands can, of course, be of the nature of "forward this message to everyone I know", and thus create a mail virus. ============= Vancouver p1@arkham.wimsey.bc.ca | "Is it plugged in?" Institute for Robert_Slade@mtsg.sfu.ca | "I can't see." Research into (SUZY) INtegrity | "Why not?" User Canada V7K 2G6 | "The power's off Security | here." ------------------------------ Date: Wed, 10 Apr 91 16:48:01 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: How big is the virus problem ?? UMCKA04@VAXA.CC.IMPERIAL.AC.UK writes: > hit :-), but I would be very interested in hearing peoples estimates of > the SCALE of the problem, and reading any material that people may The last few issues of Information Week have published scattered excerpts of a study by Certus International. Although no details of methodology are given, beyond the statement that 150 corporations were surveyed, they state that 26% of companies were hit by an infection (on one or more PC's) in January of 1991. Over half of the companies had been affected at one time. Certus is also stating that the problem (in terms of number of infections) is growing at the rate of 160% per quarter. The figures may be inflated by "self selection" factors, or they may be lowered because of privacy concerns. ============= Vancouver p1@arkham.wimsey.bc.ca | "Is it plugged in?" Institute for Robert_Slade@mtsg.sfu.ca | "I can't see." Research into (SUZY) INtegrity | "Why not?" User Canada V7K 2G6 | "The power's off Security | here." ------------------------------ Date: Thu, 11 Apr 91 08:18:24 -0400 >From: "Christopher T. Anderson" Subject: re: Possible hypercard virus (Mac) A Suggestion for your "possible HyperCard virus." Running 6.0.5 on those Macs suggests to me that you may be running into a heap-stack collision. If you are running a moderate number of INITs, you may wish to get Heap Tool (available at Sumex). This adjusts the size of your heap upwards, avoiding such collisions. Write back with any questions. - ------------------------------------------------------------------------------- Name: Christopher T. Anderson (Chris) Mail Address: Computer Services Annex Electronic Addresses: University of Georgia Bitnet: CAnderso@uga Athens, GA 30602 Internet: CAnderso@uga.cc.uga.edu Telephone: Work (404) 542-5162 EasyLink: 74730.3306@compuserv.com Home (404) 549-8958 America Online: CTAnderson C A R P E D I E M ! ! ! - ------------------------------------------------------------------------------- ------------------------------ Date: Thu, 11 Apr 91 12:24:53 +0000 >From: leeuw@fwi.uva.nl (Jacco de Leeuw) Subject: Virus in disk-validator (Amiga) A disk which contained a virus-killer I needed because of the 'Noname'-virus, also contained a very nasty virus (!). It was located in the 'disk-validator' program in the L directory. This one is a real problem, because you don't even have to boot from an infected disk or run a program! Just insert it in any drive and it will put itself in memory. A friend of mine said that this was because of a bug in Kickstart, because when a disk is damaged somehow (by this virus for example), the disk-validator on this disk is used, and not the one in L:. I don't know for sure what this virus does, except writing itself to any disk inserted. I DO know how to identify it: VirusX4.0 says that "The Australian Parasite virus" was found in memory and the ColdCapture pointer was altered. After that, VirusX says it has removed it from memory, but actually it's still there. You can easily check if your disk-validator has been infected: just 'type opt h df1:l/disk-validator' (for example) will do. The normal disk-validator contains a lot of text (several errors), whereas the virus only has the text 'Checksum error' at the end. You can't see the difference from the size of the disk-validator. So, is it a new virus? Which virus-killer can recognize this one and future versions? And where can I find it? Thanks, Jacco (leeuw@fwi.uva.nl) - -- Jacco de Leeuw | Email: leeuw@fwi.uva.nl J.C. van Wessemstr. 54 | Department of Computer Science 1501 VM Zaandam, Holland | Plantage Muidergracht 24 Room 106a Home phone: +31-75-352068 | 1018 TV Amsterdam, Holland ------------------------------ Date: Thu, 11 Apr 91 08:23:44 -0400 >From: "Christopher T. Anderson" Subject: virus infection by inserting a floppy (Mac) Yes, On the macintosh, WDEF spreads quite nicely on insertion of a floppy. Any virus which infects the desktop file will likely infect on disk insertion. - ------------------------------------------------------------------------------- Name: Christopher T. Anderson (Chris) Mail Address: Computer Services Annex Electronic Addresses: University of Georgia Bitnet: CAnderso@uga Athens, GA 30602 Internet: CAnderso@uga.cc.uga.edu Telephone: Work (404) 542-5162 EasyLink: 74730.3306@compuserv.com Home (404) 549-8958 America Online: CTAnderson C A R P E D I E M ! ! ! - ------------------------------------------------------------------------------- ------------------------------ Date: Wed, 10 Apr 91 16:59:37 -0400 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Detection of viruses (PC) >From: "Mark Aitchison, U of Canty; Physics" >(1) It would be best to check a few key interrupt vectors (via their >low memory locations, not via DOS), as well as the memory size... Agree & should do this before DOS loads while interrupt vectors are still predictable. >(3) Does any virus take interrupts by not changing the vector but by >changing the first few bytes of the present routine to be a far jump >to the virus? Boot sector infectors that grab Int 13 do this backwards: The virus takes 13 from the BIOS but when DOS loads, the vector is repointed to DOS and after its check, a far call is made to the previous vector (virus). Joshi & Stoned look like this after DOS loads. >However, IMHO, non-boot sector viruses will probably >eventually win over the best efforts of anti-virus software... I am not sure about this. A good integrity management system will be able to block anything that tries to take power after DOS but an BSI has the opportunity to go resident on any accidental boot. Unless a BIOS level checker is in place (like my experiment), this can be very difficult to detect given some techniques we (thankfully) have not seen, yet. ------------------------------ Date: Wed, 10 Apr 91 16:59:37 -0400 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Boot sector viruses on IDE hard disks (PC) >From: LYNNE@vax.oxford.ac.uk > >In the way of preventative measures we think that a solution would be >to advise our users who are purchasing IDE drives to take several >backup copies of the boot sector... I think you are talking about the Master Boot Record (aka Partition Table), DOS Boot Records are relatively easy to restore & FORMAT works if nothing else. >Does anyone know of a simple (and optimally free) utility that >provides a fool-proof mechanism for copying and writing the boot sector? I use DEBUG to do this all the time - the necessary code fragment is: MOV AX,201 MOV BX,200 MOV CX,1 MOV DX,80 INT 13 INT 20 After execution, the MBR will reside in locations 200h-3ffh for you to store in a .DAT file. Restoration just requires changing one byte. If you want the DOS Boot Record, "L 200 2 0 1" will put that in the same location. >As far as curative measures are concerned (where a copy has not >been taken of the BS) we are stymied! Has anyone any suggestions? If you have a number of similar machines, all partitioned the same way, you should find that the MBR and BR are the same between machines (no guarentees though). A good tech should be able to rebuild a lost MBR in about 15 minutes if the drive is known & familiar. ------------------------------ Date: Wed, 10 Apr 91 16:59:37 -0400 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Unix viruses (UNIX) >From: spaf@cs.purdue.edu (Gene Spafford) > >First of all, Unix viruses are definitely possible, and they aren't >all that difficult to write. Entirely true, though it is more difficult to get one to spread in a properly implimented (managerial problem NOT technical) unix environment than in DOS. Given access, unix will take care of the structure of a file header, etc. provided the unix virus uses properly implimented high level calls. The low level stuff (under the OS) found in many DOS viruses is rather difficult to impliment. The unix access controls are adequate against this type of attack are adequate (viruses are possible but worms or spoofs are easier). Essence of next comment also From: ethan@thinc.COM (Ethan.Lish@THINC.COM) >So, the answer to the question of, is it possible to write a Unix >virus, is a definite "yes." It can easily be done as a shell script, >which makes it portable to any form of Unix... This is a possibility but the infection process would have to be a bit convoluted - a spoof would be simpler. You would have to invoke a "cut and paste" operation to infect other scripts and write or root access would be required. The main difficulty would be that script files are readable, kind of like patching AUTOEXEC.BAT in DOS & easy to detect (if anyone looks). Would also be limited to legal commands (annoying but not likely to be permanently destructive). In the VAX world, use of version numbers in file calls (does anyone else ?) would make such script spoofs more difficult. Key here is that "good" multi-user systems (e.g. unix) already have good defense mechanisms built in but rarely used. Warmly, Padgett ------------------------------ Date: Wed, 10 Apr 91 17:35:33 -0400 >From: Joe McMahon Subject: Re: Possible hypercard virus? (Mac) >I'm hoping someone out there can help me. I have a user (I'm a >consultant) who thinks he may have a virus. When he is using >HyperCard 1.2.5 with a stack that is 300-400 K in size (it is just one >specific stack) he is getting a lot of bombs. When he tries to script >a new card for the stack he gets a bomb at various times as follows: > As soon as he starts scripting > When he tries to end the scripting THis sounds more like a corrupted stack than a virus. Your user may want to (okay, *need* to) copy the old cards into a new stack. There's a stack called "Cheesy Recovery" on sumex (I think) that should do the job. >Is it possible for a virus, trojan, worm, etc. to infect a hard disk >or RAM simply by inserting an infected floppy into a drive without >execution?? Yes. There are several Mac viruses which take advantage of a feature in the operating systenm which allows you to substitute your own code for system code. The substitute code spreads via a resource file which the Finder always opens when a disk is inserted. --- Joe M. ------------------------------ Date: Wed, 10 Apr 91 15:12:40 -0700 >From: gschultz@cheetah.llnl.gov (Gene Schultz) Subject: Call for papers--3rd Workshop on Computer Security Incident Handling ____________________________________________________________________________ Call for Papers Third Workshop on Computer Security Incident Handling ____________________________________________________________________________ Location and Dates: Hyatt Dulles August 6-8, 1991 At Dulles International Airport Herndon, Virginia Description: The Third Workshop on Computer Security Incident Handling will consist of tutorials, invited addresses, paper sessions, and workshop/ discussion sessions on topics relevant to responding to computer security incidents. The presentations will provide a forum to discuss advances in theory and practice that improve the state of this field. Theoretical, applied, tutorial, or descriptive papers selected for presentation will appear in the conference proceedings to be published after the Workshop. The Third Workshop on Computer Security Incident Handling is sponsored by Carnegie Mellon University's Software Engineering Institute. Submissions are solicited for the following sessions: Tutorials (half-day): Tutorials should cover topics such as network security and methodologies/strategies for incident handling. The purpose of each tutorial should be to allow someone who has little or no knowledge about incident handling to learn the basic issues/concepts in this arena. Paper Sessions: Proposals for paper sessions (approximately 30 minutes in length) should address one of the following areas: o Network intrusions (including case studies, etiologies, and intrusion detection efforts) o Vendor activities o Procedures and policies for responding to incidents o Threats (including threat and attack models, descriptions of coordinated efforts to intrude into networks, and cracking tools) o Legal issues o Tools o Vulnerabilities and malicious code o Ethical issues Workshops (half-day): Proposals to lead workshop sessions covering topics such as network security, relationships between incident response teams, and lessons learned from responding to incidents are also solicited. Submissions: Proposals should be 300 - 500 words in length. Please do not send submissions that are significantly shorter or longer. Papers must not have been previously presented or published, nor currently submitted for journal publication. Each manuscript will be submitted to a rigorous refereeing process. Proposals should have a title page that includes the title of the paper, full name of its author(s), affiliation(s), complete physical and electronic address(es), telephone number(s), and a 300-500 word description of the purpose and major ideas to be presented. Deadlines: May 17, 1991 Deadline for receipt of proposal June 7, 1991 Notification of accepted proposals July 15, 1991 Camera-ready manuscripts must be received Address for Submissions: Send all submissions and questions to one of the Workshop Co-Chairs: Richard Pethia Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 E-mail: rdp@cert.sei.cmu.edu Phone: (412) 268-7739 or Eugene Schultz Lawrence Livermore National Laboratory P.O. Box 808, L-303 Livermore, CA 94550 E-mail: gschultz@cheetah.llnl.gov Phone: (415) 422-7781 ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 59] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253