To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #158
--------
VIRUS-L Digest Monday, 13 Dec 1993 Volume 6 : Issue 158

Today's Topics:

Vessselin-L (Philosophy)
Re: Netware Approved Virus Protection? (Novell)
Possible virus (PC)
Info needed on HideNowt Virus. (PC)
MBR/FBR viruses (PC)
Re: New (?) variant of Stoned virus (PC)
Running F-PROT 2.10 in DOS Window? (PC)
New virus (PC)???
'Anti-viral' Viruses (PC).
Re: MS-DOS 6.2 is not a virus (it just acts that way) (PC)
Re: New version of stoned virus & DOS 3.3 (PC)
Windows viruses? (PC)
Re: Another false positive with SCAN (PC)
Re: Commercial Virus Scanners in the dark??? (PC)
Re: Monkey is not cute! (PC)
Re: QUESTION: F-PROT virstop (PC)
Re: NAV Clinic 2.0 false alarm or bd SCAN 108? (PC)
Re: Using A-V software to remove vir (PC)
Form & boot sector (PC)
Re: Scanning archives with F-PROT (PC)
SDSCAN (NWDOS 7) (PC)
Attention!!! VIRUS!!! (PC)
F-PROT 2.10c is out (PC)
Re: Save all you can (CVP)
Getting information (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 09 Dec 93 14:48:06 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Vessselin-L (Philosophy)

In 6.154, Vesselin makes quite a number of points most of which have a common factor.

Laws are usually made by Sheep to protect them from the Wolves since they cannot protect themselves. Occasionally the Wolves take over in which case you get the repressions Vesselin alluded to provided the chief Wolf practices the first law of political survival: "After the revolution, shoot the revolutionaries". Even so, it is rare for a dictatorship to last beyond two generations unless other factors are operating - the third generation just is not hungry enough.

Laws then are generally enacted as a reaction to natural and self-centered impulses. Whether pro or con depends on who happens to be in charge.

With the Internet, suddenly we have worldwide (well close to) communications that, for the moment, are essentially unrestricted. As a consequence, cultural conflict is inevitable. For the moment, the bulk of the population is wolvish in nature. I'net access is something that must be mastered to a certain extent and it is much easier to gain a usenet feed than to create a POP-Mailer.

Personally, I do not believe that anti-virus legislation will work - we (the "experts") cannot even decide what a virus is. Malicious activity could be legislated against, particularly if it causes damage, but then to be effective it must be enforced and this is the hard part.

The gun analogy IMHO is a bad one. A gun is a physical object that can only be in one place at a time. It is legally traceable. Software such as a virus has no such restriction any more than an idea does. Against a disease, containment is the only solution and the world in 1993 is proving unwilling to practise effective containment against real diseases so it is unlikely to do so against soft ones.
This discussion is going on in one group concerning the virus boards and their publications. Since these contain actual virus source code, it was felt that while an FTP site in one country might be against the law, in another it would be perfectly legal and as far as net access is concerned, it really does not make any difference where it is.

Thus countries have three options:
1) Seal the borders (but can it be done electronically ?)
2) Customs Inspections (possible but would take massive computing power to check everything including .ZIPs and .UUEs to say nothing of encryption).
3) Do nothing and hope it goes away (the usual political answer today).

In the future, I expect the "free ride" to stop and the Internet to become a toll road. (not what I want to see but what I expect) *This* will have more of a stifling effect than any attempt to quarantine.

IMHO the IRS (Internal Revenue Service - Inland Revenue to those in the UK) would be much more effective against drug traffic than the DEA - just look at the violent reaction the Surgeon General got for suggesting it and the speed which Billiary distanced from the idea - would put a big crimp in a lot of cash flow.

- ---------------

The dual-state nature of networks and PCs is something I've been pushing for a few years now and while a "Guardian" would certainly be possible, IMHO it just would not work. A PC is single state and I can make it respond to anything properly, whether or not I am actually complying.

It is interesting to see someone else pointing out that "if I own the server, you either play by my rules or you don't play". I am able to monitor *everything* and whether or not I do is at *my* discretion. Further, should I decide to monitor, *you* will never know it unless I tell you. This is neither fair nor unfair, it just is a fact. Anyone who does not want this to occur can take their toys elsewhere.
Lately there have been a couple of court cases, a DOJ advisory, and even a segment on L.A.Law dealing with it but the bottom line concerns ownership of property in this country. To say otherwise would not only involve deprivation but also (and more importantly) free the system owner from "due care" requirements. (No, I am not a lawyer and the sad thing in this country is that I feel required to say so...).

One thing I am certain of: this will not change in the near future and the only thing that monitoring warnings are going to do is to keep you from having to go to court in the first place (not a small thing though).

Point is that the way our society is structured (and through extension, the Internet population), viruses are going to spread. Easily. And legislation will have no effect on it other than to tie up resources better used elsewhere. The responsibility for controlling viruses must rest with the system owners and the only means is adequate defenses at every point of entry. Can it be done ? Yes. Can it be done without effort ? No. Will many ? No.

Sheep, being sheep, cannot protect themselves from wolves, you need a sheep-dog for that (and a good one is not much removed from a wolf). What sheep do a lot of is bleat.

Obviously my own opinions,
Padgett

------------------------------

Date: Thu, 09 Dec 93 18:51:46 -0500
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: Netware Approved Virus Protection? (Novell)

martyz@netcom.com (Marty Zigman) writes:
>Has anyone heard of a Netware approved NLM virus Protection program?

McAfee has recently had Novell Test and Approved their anti-virus NLM's for NetWare 3.11, 3.12, SFT-III and a version for 4.01 and NetWare for OS/2 4.01. It's available via ftp mcafee.com or from any of the authorized agents or from McAfee's BBS, CompuServe, America On-Line, etc.

Best regards,

Norman Hirsch                   Phone: 212-304-9660
NH&A, authorized McAfee agent   Fax: 212-304-9759
577 Isham St. #2-B              BBS: 212-304-9759,,,,,,,3
New York, NY 10034              CompuServe: 72115,661
USA                             Internet: nhirsch@panix.com

------------------------------

Date: Thu, 09 Dec 93 12:45:35 -0500
From: Marilyn Scott {CMSD}
Subject: Possible virus (PC)

Whenever our PCs have a problem the first thing we think of is a virus. Several machines (both 386 & 486) have developed a severe case of cross-linked files and may or may not reboot subsequently. They are not necessarily from the same manufacturer; all are running Windows 3.1 but are not necessarily set up in the same way. On campus the most prevalent viruses are Spanish Telecom & Form but neither of these can be detected on affected machines nor is any other virus found.

If anyone has any thoughts or suggestions we would be very grateful.

Marilyn Scott
- ----------------------------------------------------------------------
Computing Adviser, University of Stirling, Stirling FK9 4LA SCOTLAND
mbn1@stirling.ac.uk
- -----------------------------------------------------------------------

------------------------------

Date: Thu, 09 Dec 93 13:23:12 -0500
From: amn1@cornell.edu (Alex)
Subject: Info needed on HideNowt Virus. (PC)

I recently encountered the HideNowt Virus in a couple of our PC Clones. This was found when running Vshield during startup. Actually Vshield was one of the infected programs, and it alerted us to the fact that something was wrong. To double check I ran F-prot 2.09f and this reported the HideNowt (?) Virus. It could not remove the virus, so I know I have to delete and restore the infected files. No problem there.

So My question is: What is the HideNowt Virus, how does it travel, what files will it infect ?

I looked through F-prot's Virus Info and there was nothing available there. I don't remember seeing this crossing the list, so I'm looking thru the back issues of Virus-l and the FAQ just in case I missed something.
Alex Nemeth
College of Human Ecology/Division of Nutritional Sciences
Cornell University
** Alex Nemeth == Microcomputer Guru **
** amn1@cornell.edu == Internet Junkie **

------------------------------

Date: Thu, 09 Dec 93 13:25:58 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MBR/FBR viruses (PC)

Once more I am seeing an incredible number of people talking about not being able to use FDISK/MBR for MBR viruses (usu because they still do not have DOS 5) and SYS not working for floppies.

This is exactly why I wrote the FixMBR/FixMBR pair of FREEWARE programs (now in FixUtil6). True there are other commercial versions (with the logo of the purchaser and some other options) but the basic capability is there for the effort of a downloaded .ZIP.

While considerably more capable than FDISK/MBR (FixMBR will search for the original and tell you if everything looks ok) or SYS for a floppy (FixFBR just repairs the boot record - no boot files needed) there is a caveat, corruption caused by a virus is not corrected - but then the same can be said about FDISK or SYS. No not quite: with FixMBR you can put the disk back the way it was if the fix doesn't work. You can't with FDISK.

Along the same lines DiskSecure II v2.4 should be out this weekend with a major change: It will now be free to individuals (though a postcard would be nice) and otherwise available only on a site licensing basis. See the .DOCs for details.

Warmly,
Padgett

------------------------------

Date: Thu, 09 Dec 93 18:23:50 +0000
From: du4@mace.cc.purdue.edu (Ted Goldstein)
Subject: Re: New (?) variant of Stoned virus (PC)

du4@mace.cc.purdue.edu (Ted Goldstein) writes:
>F-PROT 2.10 reports that it has found a new variant of the Stoned virus
>on one of my PC's. It does not try to disinfect it.
>
>McAfee SCAN 109 does not see any infection at all.
>
>After manually repairing the partition table, and reformatting the
>hard disk, F-PROT still reports the infection.
In the 5 day delay between when I posted, and when my post showed up in news, I have found out that my PC had the Monkey virus. The best way to remove it is with an excellent program called KILLMONK. I am sorry, but I do not know where this is available on the net, I got it from someone local.

Again, I would like to point out that McAfee SCAN, Norton Antivirus, Microsoft Antivirus (all latest versions) all failed to see it at all. F-PROT 2.10 did see something, but mis-identified it as a new variant of stoned.

Hope this helps someone else out there.

- --
Ted Goldstein                            E-mail: du4@mace.cc.purdue.edu
Network and Systems Administrator        Phone : (317) 494-9070
Purdue University School of Technology   Office: Knoy Hall, Rm G009

------------------------------

Date: Thu, 09 Dec 93 13:43:15 -0500
From: BOB CONN
Subject: Running F-PROT 2.10 in DOS Window? (PC)

I want to know if F-PROT 2.10 is as effective running in a DOS Window (Windows 3.1). I have created a PIF to run a batch file which calls F-PROT. I am just checking a floppy disk(s). I do not want to exit Windows nor do I trust MS virus software as much as F-PROT.

Thanks!

Bob Conn
Lan Admin.
Penn State School of HRRM

------------------------------

Date: Thu, 09 Dec 93 17:00:09 -0500
From: tweaver@cs.umd.edu (Tom Weaver)
Subject: New virus (PC)???

One of our computers apparently has a (harmless?) virus - the users download biological data/progs from a network, and occasionally while running some standard application (WP 5.1), the message "GENE!" appears in the upper left corner of the screen... I have run both F-PROT 2.10 and SCAN 9.20 V109 from a clean disk after a clean boot and find nothing (including using heuristic searching), but the resident copy of f-prot prints a corrupted program warning when run...

Suggestions? Heckling from the audience?
Tom Weaver
- --
******************************************************************************
* I would put a disclaimer here, but no one important at U Maryland takes me *
* seriously anyway...                                                        *
******************************************************************************

------------------------------

Date: Thu, 09 Dec 93 18:09:27 -0500
From: csc2u2bn@sun.leeds.ac.uk
Subject: 'Anti-viral' Viruses (PC).

I'm working on a final year research project investigating 'useful' computer viruses. The project aims to assess the feasibility of incorporating simple anti-virus tools into virus code. I've seen mention of such viruses once or twice on this newsgroup and wondered if anybody has any information or ideas that they think I might find useful. I am aware of the moral implications underlying such viruses.

Thanks.....

- ----------------------------------------------------------------
Dan Lynch. (csc2u2bn@sun.leeds.ac.uk)
           (isxdsl@scs.leeds.ac.uk)
           (csc2l2bn@gps.leeds.ac.uk)
- ----------------------------------------------------------------

------------------------------

Date: 09 Dec 93 18:38:09 -0600
From: kkruse@matt.ksu.ksu.edu (Korey J. Kruse)
Subject: Re: MS-DOS 6.2 is not a virus (it just acts that way) (PC)

latim912@crow.csrv.uidaho.edu (Jerry E. Latimer) writes:
>A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) wrote:
>: 3) The installation found *something* wrong with mode.com and memmaker.exe
>: & refused to update them (told the setup to continue anyway & would
>: suggest this - see last two sentences in (2). (Both were originals dated
>: 3-10-93)

I ended up having to do the setup procedure 3 times to get all of the files updated. I had numerous files that had changed subtly because I had used an executable packer and unpacker on various programs. The 6.2 set up requires complete originals. After re-installing the exact originals from ms-dos 6.0 the set-up program ran just fine without complaining at all.
- --
_ _ _ _ _ _ kkruse@ksuvm.bitnet
|/ | | |_) |_ \ / | |/ |_) | | (_` |_ kkruse@ksuvm.ksu.edu
|\ |_| | \ |_ | (_| |\ | \ |_| ._) |_ kkruse@matt.ksu.edu

------------------------------

Date: Thu, 09 Dec 93 22:42:08 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: New version of stoned virus & DOS 3.3 (PC)

Karen Pulliam wrote:
>We have been hit with a new version of stoned (detected with f-prot 2.10).
>Unfortunately, f-prot is unable to disinfect it. I tried using DOS 5.0
>fdisk /mbr, but received the expected wrong dos version error (the computer
>is a 286 running DOS 3.3).

You could have booted from a DOS 5.0 formatted system disk which has a copy of fdisk (and is write protected, of course :) ) and then used fdisk /mbr, or you could also use a program called, "setver"

- --
-- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
Computer Science, University of California, Riverside.

------------------------------

Date: Fri, 10 Dec 93 04:48:27 -0500
From: cs05050@s1.csuhayward.edu (Bradley)
Subject: Windows viruses? (PC)

I've been following Virus-L for about 6 months now, and this is my first post! :)

Someone on a local BBS just told me that a Windows Zine reported 2 Windows viruses. I asked what the viruses were supposed to do, but I didn't get a reply. I hadn't remembered hearing about any "true" Windows viruses so I checked the FAQ.

Quoted from FAQ.Virus-L 18 November 1993 update
> too. And currently there exists at least one Windows-specific
> virus which is able to properly infect Windows applications (it is
> compatible with the NewEXE file format).

What is the name of that one? The names that I was given are: Winvir and Twitch. I looked in the F-PROT definitions, but they weren't listed. I figure it might just be a stretch on the part of the journalist to define a "Windows virus".
Thanks,
Bradley Maris
Permanent E-mail address: bmaris@snlndro.noca.fred.org (use after 12/13/93)

------------------------------

Date: Fri, 10 Dec 93 05:13:33 -0500
From: iano@ncp.gpt.co.uk
Subject: Re: Another false positive with SCAN (PC)

SCAN 109 also gives false positives with the English version of DOS 3.30 with the MODE.COM file. This is true for DOS provided by both HP and UNISYS.

- --
- -------------------------------------------------------------------------
| Ian Overton      | Email UKNET iano@ncp.gpt.co.uk |
| GPT Ltd.,        | Email GPT iano@cvsq01          |
|                  | Tel (44) 0203 563402           |
| New Century Park | GNET 740 3402                  |
| Coventry         | Compuserve 100034,2674         |
| CV3 1HJ          |                                |
| UK               |                                |
- -------------------------------------------------------------------------

------------------------------

Date: Fri, 10 Dec 93 08:18:09 -0500
From: "R. Wallace Hale"
Subject: Re: Commercial Virus Scanners in the dark??? (PC)

>
>bondt@dutiws.twi.tudelft.nl (Piet de Bondt) wrote:
>>
>>Two months (or thereabouts) is a long time?
>>
>Well, the guys at Thunderbyte consider more than *one* month a long time.
>If they haven't released a new TBAV within about a month, they will at
>least release a new signature-file.

Good point; one I have to concede. With the exploding numbers of catalogued viruses, yes, even a month could be considered a long time.

R. Wallace Hale      "Thinking is the hardest work there is,
halew@nbnet.nb.ca    which is the probable reason why so few
BBS (506) 325-9002   engage in it." - Henry Ford

------------------------------

Date: Fri, 10 Dec 93 10:40:57 -0500
From: trimm@netcom.com (Trimm Industries)
Subject: Re: Monkey is not cute! (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>would be to e-mail me directly. But, please, anybody who does this -
>ask short and particular questions. I am already getting about 50
>messages per day and my task here is to write my Ph.D., not to be a
>free net.virus.consultant.
IMO, you're doing a fine job making time available to post the advice here on comp.virus. How's the dissertation coming? Are you considering posting it here or putting it up for anon ftp when it is complete? I know that a lot of people would be interested in reading it.

BTW, have you done any work on Windows NT or NT AS vis a vis resistance to viruses? Do you need a copy of either for testing?

- --
Gary M. Watson
Trimm Industries
Internet: trimm@netcom.com
North Hollywood, CA 91605
Compuserve 72242,3437
* If Clinton's the answer it must be a real stupid question. *

------------------------------

Date: Fri, 10 Dec 93 12:17:58 -0500
From: oep@colargol.edb.tih.no (Oeyvind Pedersen)
Subject: Re: QUESTION: F-PROT virstop (PC)

Ken De Cruyenaere (kdc@ccu.umanitoba.ca) wrote:
: kwakely@uoguelph.ca (Kent J Wakely) writes:
: >I run in MS Windows most of the time. I know that F-PROT's virstop
: >scanning utility won't pop infection alerts into Windows. I'm
:                   ^^^^ ??
: I just double checked and VIRSTOP (2.10) does indeed pop an infection
: alert into Windows (3.0). Top left corner of my screen:
: VIRSTOP alert! BOOT SECTOR VIRUS on diskette.
: Press [ENTER] to continue.
:
: Ken De Cruyenaere U of Manitoba Computer Services

Yes, VIRSTOP will display this message, but not on all types of videocards. More important however, is that VIRSTOP stops execution and copying (if you use the /COPY switch) of infected files, even if you are using MS-Windows. You will then get an "access denied" message from Windows.

The commercial version of F-PROT, F-PROT professional, has a built in Windows device-driver that handles messages in Windows.

- - oep

------------------------------

Date: Fri, 10 Dec 93 16:41:54 +0000
From: cotton@vms.ucc.okstate.edu (Greg Cotton)
Subject: Re: NAV Clinic 2.0 false alarm or bd SCAN 108? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>Mads Syrak Larsen (msyrak@emma.ruc.dk) writes:
>> A friend of mine has told me that his antivirus program Norton Antivirus
>> Clinic ver. 2.0, has found virus in some PK-ware files he has received
>> from me.
>> The virus is the Maltese Amoeba .
>This is a known false positive with a (very) old version of NAV.
>Tell your friend to update his scanner and the problem will go away.
>> I just wanted to know whether anybody knows if it is a known bug in
>> NAV Clinic 2.0 or whether the other 2 simply don't do their jobs properly.
>It is a known, rather old, and fixed since a long time bug in NAV 2.0.

This FALSE report was also eliminated by PKWARE in versions after 2.04c. (BTW, my sources indicate the NEWEST version of PKZIP to be 2.04g)

L8r.
Greg

------------------------------

Date: Fri, 10 Dec 93 12:33:42 -0500
From: oep@colargol.edb.tih.no (Oeyvind Pedersen)
Subject: Re: Using A-V software to remove vir (PC)

vfreak@aol.com wrote:
: Everyone has two good sources to prevent this type of mess from happening to
: you.
:
: 1. Write protected originals
: 2. A recent backup. I would suggest at least two complete backups.
: If you find that you have some infected files, delete them, then restore the
: files from original diskettes, or backup.
:
: Bill

How about using a better A-V product .......

- - oep

------------------------------

Date: Fri, 10 Dec 93 08:34:36 -0800
From: Ted Matsumura
Subject: Form & boot sector (PC)

Can anyone give me information on the FORM virus? Norton Anti-Virus detects it, but does not remove it. If possible please fax this info. to 011-813-5276-9884, attn.: Ted Matsumura, However, I will try to check into this group from Japan somehow.

Thanks.
Ted

------------------------------

Date: Fri, 10 Dec 93 18:41:13 -0500
From: carterm@spartan.ac.BrockU.CA (Mark Carter)
Subject: Re: Scanning archives with F-PROT (PC)

alm@sotona.phys.soton.ac.uk wrote:
: I am looking for a program which will allow me to scan inside
: archives (ZIP, ARJ, ZOO etc.) with F_PROT. I have found a number which
: will use McAfee's SCAN, but are not configurable.

Use Fscan. It aborts when F-Prot detects a virus.

Mark

------------------------------

Date: Wed, 08 Dec 93 00:21:18 +0200
From: Jochen_Heicke@f4060.n491.z9.virnet.bad.se (Jochen Heicke)
Subject: SDSCAN (NWDOS 7) (PC)

Hallo, Hi, HOLA All!

SDSCAN is sometimes not able to check an archive included in an archive. This is due to the amount of memory needed to expand the files. It checks all files on Disk and Netware Volumes, which are not in use (locked) or password protected.

I recently used it to check disinfected floppies (ParB). They could not clean it automatically but gave the advice to use SYS A:

MfG, best regards, saludos
Jochen (9:491/4060) Wednesday December 08 1993, 00:21

- --- GoldED 2.41
* Origin: JHL Informations-Systeme +49-2204-54732++ (24h) (9:491/4060)

------------------------------

Date: Thu, 11 Nov 93 17:12:11 +0200
From: Eyal_Shoabi@f106.n9721.z9.virnet.bad.se (Eyal Shoabi)
Subject: Attention!!! VIRUS!!! (PC)

Hello Amir!

24 Oct 93 08:42, Amir Netiv wrote to Schwartz Gabriel:

AN> Well, just to enlighten you: Some nonexecutable files CAN infect your PC,

I saw once Anti-Virus that found virus in CONFIG.SYS file could it be?

Eyal

- --- FMail 0.96
* Origin: (((((((((( Eyal`s Point )))))))))) (9:9721/106)

------------------------------

Date: Thu, 09 Dec 93 13:09:09 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.10c is out (PC)

I just released a new version. The main reason was to fix a false alarm in 2.10 (Keypress virus in a program called EMSLOAD.EXE), but we also added identification/detection/disinfection of 50 new viruses or so.
I am right now uploading the program to the usual distribution sites (primarily oak.oakland.edu).

- -frisk

------------------------------

Date: Fri, 10 Dec 93 11:37:17 -0500
From: Ellen Carrico
Subject: Re: Save all you can (CVP)

> From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>
> Ellen Carrico (ecarrico@spl.lib.wa.us) writes:
>
> > > program cost you, anyway? $500? Even if you don't have the
> > > original disks to install it again, you can run down to the store
>
> > If you have a legal copy, you *should* have the disks, shouldn't you?
>
> You should, but they wouldn't necessarily be of any use to you. Many
> vendors still distribute their software on floppies that are not
> permanently write-protected. Chances are, that the victim of a virus
> infection has managed to infect them too.

I obviously spoke too soon. Today - the user (a department manager) infected disks with stoned and then proceeded to install it on two new hard drives. He had a scanner available, he just didn't use it because "they were the original disks". Sigh.

We've had one experience of receiving disks from a vendor that were infected. That wasn't the problem this time. He had brought an infected disk with data on it from home and booted the machine with the disk in. I've fixed them so they won't boot from A, but I find it frustrating that I can't seem to get everyone to follow a simple procedure: 1) scan it 2) write-protect it 3) back it up to a clean disk 4) *then* install the software.

Now wouldn't it be nice if I could find some way to charge off my time to *his* department?

------------------------------

Date: Fri, 10 Dec 93 17:20:09 -0500
From: "Rob Slade"
Subject: Getting information (CVP)

BEGPAN7.CVP 931103

Getting Information

My ego does not extend so far that I think this is the only source of information on viral programs that you will ever need. I am only too well aware of the limitations of my material.
Having reviewed most of the rest, however, I am also aware of their limitations. I perhaps overstated the case regarding the necessity for online information sources, but not by much.

There are two monthly journals, Virus Bulletin and Virus News International. Both are for the very serious researcher, and academic in tone, with subscription prices in the $150 to $250 range. (My own V.I.R.U.S. Monthly and V.I.R.U.S. Weekly, unfortunately, fall into a similar price range, although concentrating more on news and gossip.) Of the two, VB has somewhat the higher reputation and promotes an annual conference which also has a good name. Be aware, though, that both publications have links to product vendors, and thus product reviews may be slightly suspect.

Other vendors produce newsletters on a less ambitious scale. The ones I have seen here had very sporadic publication schedules and very little information of value, being confined to announcements of new product releases. In any case, you have to be a customer to get the mailings.

You will probably want information on the various specific viral programs. This is a constant battle, given the thousands of known viral programs and variants, and the hundreds of new ones produced each month.

In the MS-DOS world, the reference usually mentioned first is the "Virus Summary List" maintained by Patricia Hoffman. This is a shareware data base, which goes under the name VSUMXymm.ZIP, where ymm is the last digit of the year and a two-digit month. Thus, VSUMX309.ZIP is the file for September, 1993. VSUM is probably the most extensive list of MS-DOS viral programs, but has an unfortunate reputation for inaccuracy. A rival program, the "Virus Information Door," is suspected of being linked to virus exchange groups and is, in any case, almost unavailable apart from a direct call to the author's BBS. An alternate source of information is the good, but aging, list in "PC Viruses" by Alan Solomon (published by Springer-Verlag).
An updated and more comprehensive version is contained in the documentation for "Dr. Solomon's Anti-Virus Toolkit."

For Mac users, there is a hypertext virus encyclopedia which should be available on many boards. However, for any of the other microcomputer systems, or for the most accurate listings, the best source is the "Computer Virus Catalog" produced by staff associated with the Computer Antivirus Research Organization (CARO) and the Virus Test Center (VTC), and available from the ftp site at the University of Hamburg. This has had unfortunately limited distribution outside of the Internet, and is quite restricted in the number of MS-DOS samples catalogued, but is generally most reliable.

copyright Robert M. Slade, 1993 BEGPAN7.CVP 931103

==============
Vancouver      ROBERTS@decus.ca      | "In questions of science, the
Institute for  Robert_Slade@sfu.ca   | authority of a thousand is not
Research into  rslade@cue.bc.ca      | worth the humble reasoning
User           p1@CyberStore.ca      | of a single individual."
Security       Canada V7K 2G6        | - Galileo

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 158]
******************************************