From lehigh.edu!virus-l  Wed Apr 14 18:25:59 1993 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Thu, 15 Apr 93 08:01:24 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
	id AA07561; Thu, 15 Apr 1993 04:57:53 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA50032
  (5.67a/IDA-1.5 for <mikael@vhc.se>); Wed, 14 Apr 1993 22:25:59 -0400
Date: Wed, 14 Apr 1993 22:25:59 -0400
Message-Id: <9304150033.AA10019@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@first.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #62

VIRUS-L Digest   Wednesday, 14 Apr 1993    Volume 6 : Issue 62

Today's Topics:

Re: Should viral tricks be publicized? (was: Integrity checking)
New program chair for IDES-of-March Virus Conference
Beneficial/Non-Destructive
Re: New (?) virus ? (2294) (PC)
Thunderbyte Update Status (PC)
Anyone have something like this? (PC)
DOS 6, two good things (PC)
Re: Help with Michelangelo! (PC)
RE: Censorship/40-Hex (PC)
New PC Virus? (PC)
Virus Buster (PC)
Re: Scanners and exe/com (PC)
ghost positives (PC)
Status of victor charlie (PC)
"DIR" infection, or "Can internal commands infect" (PC)
Re: Help with Michelangelo! (PC)
Central Point Anti-Virus Updates (PC)
McAfee latest version (PC)
Re: gerbil.doc virus (PC)
TBAV v5.04 Anti-virus software uploads to SIMTEL20 (PC)
"Naive" users (CVP)
IFIP Call for Papers
Survey

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Fri, 09 Apr 93 03:39:57 +0000
From:    sara@gator.rn.com (Sara Gordon)
Subject: Re: Should viral tricks be publicized? (was: Integrity checking)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>My experience shows me that the bad guys are less knowledgeable but
>better organized and learning faster than the good guys... And I am
>not excluding even us, when I am speaking about "better organized".

as someone who does study this, i am sorry to have to agree with you.
the organization of the 'bad guys' is really extraordinary considering
the usual problems of such organizational efforts...

>Yes. I am getting virus collections from all over the world. Do you
>know how many of them bear the signature of being downloaded from
>Todor Todorov's BBS?


but wait!! this does not necessarily mean they came from that bbs,
of course. i have viruses sent to me from all over the world that
have the names of anti-virus companies, anti-virus researchers, even
my OWN name...this does not mean they originated here. why, i even
have seen them from the VTC at Hamburg...i.e., when they are
unzipped, they say 'Virus Test Center, University of Hamburg' in
the A-V marking!

of course, viruses did come from that bbs in sofia. it's fortunate
that bbs is no longer in operation; and unfortunate that many more
have taken its place, mainly in the USA....and no one seems to
care....

>Burger's and Ludwig's books are crap - they don't teach you anything,
>even how to write good viruses. They don't contain useful information,

i assume you meant to write viruses well, not to write good viruses :)

- -- 
           #  "talk to me about computer viruses............" 
           #  fax/voice:    219-277-8599     p.o. 11417 south bend, in 46624 
           #  data          219-273-2431     SGordon@Dockmaster.ncsc.mil
           #  fidomail      1:227/190        vfr@netcom.com

------------------------------

Date:    Fri, 09 Apr 93 09:40:29 -0400
From:    Judy S. Brand <jsb@well.sf.ca.us>
Subject: New program chair for IDES-of-March Virus Conference

It appears that someone who had been on the 1993 New York
"Ides of March" program committee mistakenly reported to 
Virus-L that there were no significant changes for 1994.

The person does not seem to have read my letter last week
to "Ides of March" attendees.  It contained this announcement:

    "Next year, for the first time, the specialists
     on our greatly expanded Program Committee will
     take complete charge of organizing the
     presentations and sessions."

Each program objective or topic will have multiple session
presiders and be chaired by a member of the Program Committee
who is a specialist in that area.  For practical reasons, a
topic occupying more than one track will have co-chairs,
and in one case one pair of unrelated topics of two or three
sessions may be chaired by the same individual who knows both.

For some weeks, the in-formation 1994 Program Committee has
been hard at work selecting these "track" chairs and a new
overall Program Chair.  Professor Richard G. Lefkon, who
has been Program Chair for a few years running, will devote 
most of his effort at the 1994 conference to making sure the
registration and premises are well-run.  Dick deserves the 
thanks of us all for his excellent past contributions in 
assembling and overseeing the sessions.

Computer virus and security specialists visiting the Northeast
to attend other meetings are invited to come as well to the
mid-March SEVENTH INTERNATIONAL COMPUTER SECURITY & VIRUS
CONFERENCE.  Because of our practical but technical orientation,
there is often an overlap of some attendees and speakers between 
this conference and others with similar names.  Regardless of
affiliations elsewhere, papers are encouraged from all.  Since   
1989 there have always been at least 2 dozen scheduled speakers
about computer viruses, with multiple tracks since 1990, and
in recent years there have been nearly 100 scheduled speakers.

The 1994 base price will still be $325 for 2-1/2 days, plus an
optional $40 for half-day beginner courses in different fields.
Attendees receive a bound proceedings, usually distributed
before the meeting begins.  Nearly all the speakers are first 
required to have their papers pass an expert quality review
where both the judges and the authors remain anonymous.  

As by far the oldest, best known - and the largest - conference
treating computer viruses extensively, "Ides of March" is an
annual "must" for many specialists in the security field to meet,
swap samples and anecdotes, and make new business contacts.  In the
past two years we have provided caucus rooms as a courtesy to computer
security groups, whether or not they are formal sponsors of the
conference.  There are many "open" get-together opportunities as well.

Among non-speakers, the main population consists of managers whose
responsibility includes the security unit, telecom and application
managers whose products have a security component, technical specialists
in viruses and security, and those interested in related legal, awareness
and social issues.  For many, this is their only computer/network security
conference all year, and so we offer five tracks with full topic coverage.

Anyone who wants to be kept posted about progress of the March, 1994,
SEVENTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE in New York,
is requested to send me a physical mail address.  This applies to
potential speakers and prospective registrants alike.

                            Sincerely,

                            Judy S. Brand

------------------------------

Date:    10 Apr 93 22:59:00 +0000
From:    kari.laine@compart.fi (Kari Laine)
Subject: Beneficial/Non-Destructive

Hello Christopher,

I think you should first consider whether it is possible to have a beneficial
virus. What makes a virus a virus is that it spreads by itself
from one executable to the other or using some other mechanism.

First, if a virus would come to my system and start infecting my
programs I wouldn't like that at all and when I noticed it I would
SWAT it. Because I am sure it would cause some problems with
my existing hardware and software and if for example it would
have some problems with my cache-program and I wouldn't notice
that it would possibly ruin my data - and that's not so nice a thing
to do.

Second, if we think we would have such a beneficial virus (huh)
there is a problem with support. What do you think would happen
if I have this 'beneficial' virus in my system and everything
is working fine. Then after some period I start getting
problems with other software. When I call the support line of
this software maker I am sure they will say "Hey, get rid
of that virus first and THEN after that call here when you have
a clean system".

Another point to this is that if there is a need for a certain
kind of software, why not make a 'normal' version of that
and distribute it like ShareWare or PD.

So actually I am asking you what would be that kind of need
that you have to do it virus-like? I can't think of any. And
the benefits of using virus-like methods have to be so big
that they make up for the trouble caused by virus-like distribution
of software.

And let's take an example: if there is that kind of beneficial
program that is distributed like a virus. Then when I get
software from someone they have to tell me whether they are
infected by this 'beneficial' virus or not, otherwise I would
sue them.

If you want information about this subject try to locate
material from Fred Cohen who has been writing about this
for a long time, and then there have been articles in Virus Bulletin
and Virus News International, and I have a feeling that Vesselin wrote
something about this some time ago.

Regards
Kari Laine
LAN Vision Oy - Agent for Dr. Alan Solomon's Anti-Virus Toolkit
klaine@clinet.fi
- ----
+-----------------------------------------------------------------------+
| Delivered by: ComPart BBS  Finland  +358-0-506-3329  19 lines V.32bis |
+-----------------------------------------------------------------------+

------------------------------

Date:    Thu, 08 Apr 93 11:21:51 +0000
From:    v922340@kemp.si.hhs.nl (Ivar Snaaijer)
Subject: Re: New (?) virus ? (2294) (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
|> v922340@hildebrand.si.hhs.nl (Ivar Snaaijer) writes:
|> 
|> > TBscan v5.10 Beta finds it, but this one says that it's the 2294 virus
|> > Could you tell me more ?
|> 
|> Well, it -is- 2294 bytes long. Uses variable encryption, memory
|> resident, takes 2448 bytes of memory, uses tunnelling (interrupt
|> tracing), has a critical error handler, infects COM and EXE files,
|> stealth, fast infector.
|> 
|> Infects only files that don't contain "SCAN" in their name and that
|> are bigger than 1388 bytes. The last two bytes of the infected files
|> are set to 1000h and the seconds field in their time of last update is
|> set to 56 - the virus uses these criteria for self-recognition.
|> Triggers about two months after the infection (the condition is a bit
|> complex; I haven't figured it exactly), slows down the computer,
|> garbles the printer output (again, from a fast browsing of the code I
|> couldn't tell what exactly gets changed), hooks the keyboard interrupt
|> (changes "0"s to "9"s?), overwrites parts of the hard disk, wipes the
|> CMOS, displays something ("TERMINATOR"?), etc. You'd better get rid of
|> it before it becomes too late...
|>

 Thanx, I hope I am clean of this one.. it doesn't appear to be friendly.
 I also posted a copy to Mario Rodriguez (EM436861@ITESMVF1.BITNET).
 He also analyzed it. Here comes some additional info:

 The name of this virus is Terminator 2294. F-Prot can't detect it
 and scan v100 recognizes it as Terminator 2. The virus seems to intercept INT
 13h and INT 21h and point them to 9f67:08f7 and 9f67:029C. The virus is
 encrypted skipping one byte, so it's one encrypted, one not and so on. It also
 changes the encrypting number in some parts so it's almost impossible to
 decrypt it without debugging the virus, but it contains tricky code to avoid
 that and it also hangs the system. When running an infected file for the first
 time the virus hangs the system and it seems to stay resident after pressing
 CTRL-ALT-DEL so it can infect at boot time and then keep infecting normally
 without hanging. The problem is that I didn't infect my hard disk but a
 Ramdisk and it seems to interfere with boots from floppies at boot time. The only
 thing I know for sure is that this virus only infects REAL .EXE's, not
 disguised .COM's.

Greetings, Ivar.

- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------
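A defender's file check built from the two self-recognition markers Vesselin quotes above (last word 1000h, seconds field 56), as an added Python example that is not part of the original post or of any scanner mentioned in it; it assumes 1000h is stored little-endian (bytes 00h 10h) and constructs its own sample files:

```python
"""Defender-side check for the two self-recognition markers quoted above for
the 2294 ("Terminator") virus: an infected file ends with the word 1000h and
has the seconds field of its last-modified time set to 56. Files of 1388
bytes or less are never infected by it, so they are skipped.

Assumptions not stated on the page: 1000h is a little-endian word, so the
file's last two bytes are 00h 10h; both markers must match to flag a file,
because a 56-second timestamp on its own is perfectly ordinary.
"""
import os
import tempfile
from datetime import datetime

MARKER_TAIL = b"\x00\x10"   # 1000h as a little-endian 16-bit word (assumption)
MARKER_SECONDS = 56         # seconds value the virus stamps for self-recognition
MIN_INFECTABLE = 1388       # the virus only infects files bigger than this


def mtime_seconds(path):
    """Seconds field of the last-modified time, rounded down to the 2-second
    resolution a FAT directory entry stores."""
    sec = datetime.fromtimestamp(os.path.getmtime(path)).second
    return sec - (sec % 2)


def tail_bytes(path, n=2):
    """Last n bytes of a file (fewer if the file is shorter than n)."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - n))
        return fh.read(n)


def has_terminator_markers(path):
    """True only when size, tail bytes and timestamp all match the markers."""
    if os.path.getsize(path) <= MIN_INFECTABLE:
        return False
    return tail_bytes(path) == MARKER_TAIL and mtime_seconds(path) == MARKER_SECONDS


def classify(directory):
    """Map each COM/EXE file under `directory` to whether it carries the markers."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.upper().endswith((".COM", ".EXE")):
                full = os.path.join(root, name)
                result[os.path.relpath(full, directory)] = has_terminator_markers(full)
    return result


def find_marked_files(directory):
    """Sorted names of the executables that match, i.e. the ones worth a look."""
    return sorted(name for name, hit in classify(directory).items() if hit)


def build_sample_dir():
    """Constructed sample files (no virus code, just marker bytes and
    timestamps) in a fresh temporary directory; returns its path."""
    d = tempfile.mkdtemp(prefix="t2294_")

    def write(name, body, seconds):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(body)
        # timestamp with the requested seconds field; date and time are arbitrary
        t = datetime(1993, 4, 8, 11, 21, seconds).timestamp()
        os.utime(p, (t, t))

    write("MARKED.EXE", b"M" * 2000 + MARKER_TAIL, MARKER_SECONDS)  # both markers
    write("CLEAN.EXE", b"M" * 2000 + b"\x90\x90", MARKER_SECONDS)   # timestamp only
    write("TAILONLY.COM", b"\xc3" * 2000 + MARKER_TAIL, 30)         # tail bytes only
    write("TINY.COM", b"\xc3" * 100 + MARKER_TAIL, MARKER_SECONDS)   # below size threshold
    write("NOTES.TXT", b"text" * 500 + MARKER_TAIL, MARKER_SECONDS)  # not an executable
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print("files to inspect:", find_marked_files(sample))   # ['MARKED.EXE']
```

A hit only says the file deserves a look with a current scanner; a file whose markers were cleared by disinfection will not be reported, so this complements rather than replaces signature scanning.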

------------------------------

Date:    Thu, 08 Apr 93 11:40:42 +0000
From:    v922340@kemp.si.hhs.nl (Snaaijer)
Subject: Thunderbyte Update Status (PC)

I took this from the Thunderbyte Support BBS (Thursday 8.00 am):

IMPORTANT!!!
Signature file expired? Desperately searching for a new VirScan.Dat file?
There isn't a new one..
We noticed some time ago that the VirScan.Dat file was not updated adequately and
frequently enough, so we decided to develop our own signature file.
The new signature file contains about 750 signatures, and is already included
in the TBAV beta package TBAVB510.ZIP
Within a few days we hope to release TBAV 5.10. The signature file TbScan.Sig
is now included in the TBAV distribution archive. Updates will be released in
both the TBAV distribution archives and in a file named TBSIG###. The ###
represents digits: the first one is the least significant digit of the current
year, the other two are release sequence numbers. The first signature file
update will therefore be named TBSIG301.ZIP.
The new signature file will be updated at least once a month.


This probably makes clear why I posted the message that no vsigs are available.
BUT I can provide you with a new one. I have downloaded a new version from
the same BBS (strange, isn't it). This file is probably checked by but not
produced by Frans Veldman.

Hope to have informed you enough.

Ivar.

- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date:    Thu, 08 Apr 93 23:18:15 +0000
From:    sali@undergrad.math.uwaterloo.ca (Sayf Ali)
Subject: Anyone have something like this? (PC)

Here's the problem:

I just installed DOS V6 on my pc. Now the problem I'm having is
that parts of the disk I have written to are becoming bad sectors.
It seems to be getting worse. I recently put some shareware windows
stuff on my PC and some of this may have had some kind of virus.
The shareware was recent stuff from wuarchive and garbo (I think)
so the virus may be new.

Sometimes I can hear my hard drive buzzing for long periods with
no light flashing.

Has anyone had similar problems? Remedy?

Please Help!

------------------------------

Date:    Fri, 09 Apr 93 01:49:33 +0700
From:    micke@qainfo.se (Micke Larsson)
Subject: DOS 6, two good things (PC)

After all said about DOS 6.0 there are at least two good things:

1. the first diskette of the Upgrade set is bootable
   (as opposed to the Upgrade 5.0)
2. SYS.COM is uncompressed on the distribution diskette
   (which means that you can fix Form from it)

The fact that this was not possible in DOS 5 has caused major pain
etc. for our support dept. We have at least 10 calls a day from
customers or non-customers with an infected hd. AND they have DOS 5
- -Upgrade- and no boot diskette... AND they do not have SYS at hand...
(not that it is a problem but it takes more time on the phone).

Whatever MS complicates with Doublespace, MSAV, etc. they should
get some credit for changing this.

  Micke Larsson QA Informatik AB, PO Box 596 S-175 26 Jarfalla Sweden
Tel +46-8-7602600 Fax +46-8-7602605 BBS +46-8-7602615 2:201/370@FidoNet
           e-mail micke.l@qainfo.se Compuserve Id 100135,1742
  QA Informatik distributes Dr Solomon's Anti-Virus Toolkit in Sweden

------------------------------

Date:    09 Apr 93 02:31:45 +0000
From:    acw@calmasd.Prime.COM (Alan Wilson)
Subject: Re: Help with Michelangelo! (PC)


Thanks to everyone who replied to my request for help
in trying to help the high school kids here recover from 
a Michelangelo attack.

Everyone seems to be running again.  Some kids had 
backups and others did not, and are slowly rebuilding.

The "trick" which was needed to get going was the command
fdisk /mbr.  It was not obvious that this was needed 
prior to reformatting the hard disk, and so delayed
the recovery.

thanks mucho.

Alan


------------------------------

Date:    Fri, 09 Apr 93 03:32:41 -0400
From:    David Hanson <afrc-mis@augsburg-emh1.army.mil>
Subject: RE: Censorship/40-Hex (PC)

How about distribution of a "clean" version of 40-Hex to the "good" guys?
i.e., strip it of code, but leave comments and pseudocode.

The "bad" guys already have the info, so the "good" guys should have access
to it, right?  And removing the actual code "leaves the exercise up to the
student", if anyone wants to spend the time and effort to write the code
(which most neutral/good folk wouldn't bother with if the flow of the 
program is explained).  Remember, the "bad" guys already have the code.

This would be censorship, of course, but it certainly has an element of
reason missing from the fear response of total censorship.

Comments?

------------------------------

Date:    Fri, 09 Apr 93 13:35:50 +0000
From:    wlim@gdstech.grumman.com (Willie Lim)
Subject: New PC Virus? (PC)

I'm new to this newsgroup but have to send in this urgent request for
another person who doesn't have Internet access.  Here is the story:

He found a virus in a PC that displays a fish (the "fish" virus?).
Using several virus disinfectant tools, including PCRX (sp??), he
thought he got rid of the virus.  But instead of the fish he got a
smiley face.  He suspects that the virus is a "mutating virus."

Does anybody know about this virus and how to remove it?  Also I seem to
recall that there is a national site somewhere (CMU perhaps) that
serves as a central repository for such things.  Does such a thing
exist?  If so does it have a hot line (what's the phone number) for
reporting new (or suspected to be new) viruses?

Thanks in advance.

Willie

------------------------------

Date:    09 Apr 93 15:15:36 +0000
From:    hq!fhi0055@dsac.dla.mil (Marc Poole)
Subject: Virus Buster (PC)

 In reviewing the software VIRUS BUSTER, I came across some very
 interesting circumstances that might be of some interest to those
 looking for Anti-viral software.

 When installing the software, there is a watchdog capability which does
 not allow the document to be changed.  This feature causes a redundant
 hassle when modifying files.

 The watchdog feature also creates a large problem when trying to use
 some executable files, for example the exe files to run a program (i.e.
 windows, modem software, word processors).  It allows the execution to
 take place as far as loading the software, but does not allow the
 software to actually run.  On occasion, the software will run with no
 problem, other times it just quits.

 On modem software, for example Quick Link II, it will not allow
 uploading of any files.  It also, more often than not, will not let the
 program run at all.

 That's as far as I got, after the few hassles, I cleaned off the virus
 software and replaced it with another.

 Hope this helps.

------------------------------

Date:    09 Apr 93 18:24:00 +0000
From:    shakib.otaqui@almac.co.uk (Shakib Otaqui)
Subject: Re: Scanners and exe/com (PC)


JC>   > ...
  >   >  Investigation showed that the file was compressed with PKLite
  >   >  1.15, and that a hex editor was used to replace the PKLite
  >   >  signature with null characters.  This apparently defeated SCAN,
  >   >  which treated it as an ordinary file.  After uncompressing the
  >   >  file with PKLite, one user said SCAN apparently identified it as a
  >   >  virus, though I suspect it's more likely to be a trojan.

JC>   I would like to make you aware of the DISLITE program that I wrote.
  >   This program is able to undo ANY pklite compression, regardless of
  >   the "PKLITE" signature. Also, you are able to recognise PKLITEd
  >   executables using this program.

  That's very useful, though the program in question was compressed
  with the standard PKLite 1.15 and can be uncompressed with it.

  Further reports on Fido-Net say that once uncompressed, SCAN
  identifies the Taiwan virus in the file.  F-Prot 2.07 says it has
  ACAD.

  For anyone new to the thread, the file in question claimed to be a
  tiny disk cache and was distributed as a Debug script on the
  Fido-Net Batchpower and Debug conferences.  There are two variants
  of the script:  each produces a file called TNYCACHE.LZH, but the
  executable within it is a COM file in one case and an EXE in the
  other.  There's a consensus that the COM version is a virus but
  some disagreement about the EXE:  some people have reported it as
  harmless and others have said it also is infected.

  The script was posted several times by at least two persons (or
  the same person using several names).  Since then, there have been
  dozens of messages reporting trashed systems.

 * PQ 2.15 189 * Is a PC with a virus a bobby with the flu?

------------------------------

Date:    Sat, 10 Apr 93 05:27:03 -0400
From:    Christian Burger <BURGER@DMRHRZ11.HRZ.Uni-Marburg.DE>
Subject: ghost positives (PC)

   Recently, a co-worker gave me a disk with some data files on it, and
upon typing 'dir a:' virstop 2.07 with /boot switch found it infected
with the Form virus (very nice...).
   What followed was mostly dominated by ghost positives remaining in
the buffers, as discussed some while ago on this list. scan v1.02 yelled
loudly that Form was active in memory and that I should power down
immediately. f-prot 2.07 at least mentions the possibility of a false
positive.
   What I would consider the appropriate action by the scanner is to
figure out that the pattern was found in the buffers (that must be
possible) and then say something like: 'Found the so-and-so pattern in
your buffers. Most likely the virus is not active in memory but one of
the disks you accessed during this session is infected. Scan them! Hit y
if you want to continue scanning.'
   Until you get it reliable, make it optional so that folks who don't read
the manual are on the safe side. It would also be nice to (optionally)
provide additional information for the curious and/or knowledgeable like:
'Found the pattern at position xxxxx in memory. (No | these...) int
vectors pointing (near this spot | to some strange location). Memory
size (seems | seems not) ok. (And so on.) Decide for yourself if you
continue scanning or boot from your write-protected trouble disk.'

Christian Burger  -- burger@dmrhrz11.hrz.uni-marburg.de


------------------------------

Date:    Sat, 10 Apr 93 09:11:04 -0400
From:    John Kida (jhk) (Vienna) <jhk@washington.ssds.COM>
Subject: Status of victor charlie (PC)

Ken or anyone....
	Seeking verification that Victor Charlie 5.0 is in fact
	shareware?  Any info is welcomed.


 +----------------------------------+----------------------------------------+
 |  John H. Kida                    |  Voice:   (919) 867-7738               |
 |  Network Administrator           |  Data :   (919) 867-0754               |
 |  SSDS, Inc. (Remote)             +----------------------------------------+
 |  601 Dashland Ave.               |  Internet:  jhk@washington.ssds.com    |
 |  Fayetteville, N.C.  28303       |  UUCP    :  !uunet!ssds!jhk            |
 +----------------------------------+----------------------------------------+


------------------------------

Date:    Thu, 08 Apr 93 12:18:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: "DIR" infection, or "Can internal commands infect" (PC)

Hello everyone.

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
in an answer to anlyyao@igc.apc.org (An-Ly Yao) writes:

ALY:
 >> But if your PC used a COMMAND.COM on that disk for the DIR, and if the
 >> COMMAND.COM was infected, then now perhaps also your PC might be infected.
VB:
 > DIR is an internal command and is executed by the currently loaded
 > command interpreter. It DOES NOT require reloading of the command
 > interpreter. Thus, even if the command interpreter on the floppy
 > is infected, it WILL NOT be loaded (and executed) if you
 > do a DIR on that floppy. Therefore, you CANNOT get infected this way.

This is only partially true because of the following:

COMMAND.COM is divided into 3 major parts:
TSR, INIT & TRANSIENT as follows:

- The TSR part is the one located at the bottom of the memory
(the one you can see with memory mapping utilities and is about 3K in DOS 5.0).

- The second part (INIT) has a role only in the booting
operation (first time COMMAND.COM is called).

- And the third part (which is the most important to this
article) called the TRANSIENT part is loaded to the upper part of the 640K 
boundary, however unreported in DOS MCB (the memory occupied by it is 
unreported). There is a reason for all that: every program that needs more 
memory MAY overwrite the TRANSIENT part in memory (so more memory is available 
to programs). It is the TSR part's responsibility to check the TRANSIENT 
and refresh it if it was overwritten (this is when you see DOS's message:
"Insert diskette with COMMAND.COM and strike a key...").

The job of the TSR is to help maintain the TRANSIENT in memory, to support 
program termination and to display critical error messages.

The TRANSIENT's job is to support *INTERNAL COMMANDS*, Batch
files and external commands.
(For more information please read Microsoft's "The MS-DOS Encyclopedia", pages 
76-79.)

In conclusion: If you use a floppy drive system (assuming you've booted from 
it) and you type "DIR" it is possible (but not likely) that the TSR part of 
COMMAND.COM will try to load the TRANSIENT part from the infected floppy. 
However: to infect the TRANSIENT part alone in such a way
that the TSR will load exactly what you want is an uneasy task (however 
possible), but the *INFECTED* COMMAND.COM should be present at boot time since 
the TSR knows the file it is using to refresh the TRANSIENT by means of a 
CHECKSUM generated at first loading.
Thus: simply switching COMMAND.COM to an infected one (after the system is 
already booted) will not suffice.

My conclusion is also that it is not possible (in normal conditions) to get 
infected just by typing "DIR".

VB:
 > Regarding the original question - can you get infected
 > if you do a DIR on a (possible infected) floppy. In order to get
 > infected, you must execute some viral code. Therefore, the question is
 > equivalent to whether you can execute some code by executing the DIR
 > command on a floppy.
I think I explained above how you *might* execute some code by "DIR".

Warmly

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Wed, 07 Apr 93 12:22:00 +0100
From:    Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Help with Michelangelo! (PC)

Hello Malte,

 ME> [Michelangelo]
 >> memory). He overwrites first 255 tracks of hard-disk 0 completely
 >> (all sectors on all heads).
 ME> Other voices say Mikey just kills head 0 to 3 of tracks 0-255. Who is
 ME> right?

the second one is correct.
But the result is the same : you have to format your drive.

Ciao, greetings from karlsruhe
      Robert

- ---
 * Origin: Make BACKUPS ! Virus Help Service Karlsruhe, (9:492/2170)

------------------------------

Date:    Mon, 12 Apr 93 13:16:22 +0000
From:    lindsas@ecf.toronto.edu (LINDSAY STUART JOHN)
Subject: Central Point Anti-Virus Updates (PC)

I'm just wondering if there is an ftp site that supports updated virus lists
for the Central Point Anti-Virus program.  Thanks a lot.

*******************************************************************
* Stuart Lindsay    Electrical Engineering, University of Toronto *
* Address all Internet Correspondence to lindsas@ecf.utoronto.ca  *
*******************************************************************

------------------------------

Date:    12 Apr 93 15:42:08 -0400
From:    lastort@access.digex.com (Mike Lastort)
Subject: McAfee latest version (PC)


I was just wondering if there was an address where McAfee's programs are
available through Internet. I used to subscribe to Compu$$erve but have
given up that habit when I got this account. Any info on how to ftp
McAfee's programs would be greatly appreciated.

Mike


------------------------------

Date:    06 Apr 93 19:35:51 +0000
From:    duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: gerbil.doc virus (PC)


Thus spake colcloug%helios.usq.edu.au@zeus.usq.edu.au (Steven Colclough):

>anyone come across this one?  The gerbil.doc virus?

>takes a text file, turns it into rubbish and at the top it says
>gerbil.doc.

This was one of the early Crazy Stories About Viruses which made it
into print -- in Computers and Security about three years back, as
I recall, under a title like "The Case of the Gerbil Virus That 
Wasn't", or some such.

[Moderator's note: I remember it now; the article was written by Ray
Glath, and it described a (non)incident that was reported to him.  The
bottom line was that no such virus existed.]

Software problem combined with an old, internal pre-release name
["gerbil"] never mentioned in the manual, if my memory serves me.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Sat, 10 Apr 93 04:36:37 -0400
From:    bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAV v5.04 Anti-virus software uploads to SIMTEL20 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
TBAVU504.ZIP    TBAV Anti-virus software (update from v5.03)
TBAVX504.ZIP    TBAV Anti-virus software (optimized *.EXE's)
VSIG9303.ZIP    Virus signatures for TBAV software (March 93)

Replaces:
pd1:<msdos.virus>
TBAV503.ZIP
TBAVU503.ZIP
TBAVX503.ZIP
ASIG9301.ZIP
VSIG9301.ZIP
                and any older files (= lower version)

Also replaces the following files, which can therefore be deleted:
pd1:<msdos.virus>

VSIG92??.ZIP    Old signatures files ('92)
ASIG92??.ZIP    Old emergency-additions
TBSCAN??.ZIP    Now in TBAV package
TBSCNX??.ZIP    same
TBRESC??.ZIP    same (now 'tbutil')

Greetings,

Piet de Bondt                   E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl


------------------------------

Date:    11 Apr 93 12:18:00 -0600
From:    "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
Subject: "Naive" users (CVP)

PRTAVS3.CVP   930404
 
                           "Naive" users
 
Also of very high importance, in testing antiviral systems, is the
fact that the proportion of computer users who have a thorough
understanding of viral operations in comparison to the total user
population is so small that it is statistically insignificant. 
Therefore, it is vital that any antiviral program be judged on the
basis of installation and use by "naive" users.  A "naive" user in
this case may be one with significant technical skills, but little
background in regard to viral programs.
 
(I realize that my statement regarding the naivete of computer users
may be extremely controversial.  Recall, however, that there are
about one hundred million users of MS-DOS, and then compare that
with the number of people who take an active interest in prevention
of computer viral programs.  Note that less than a quarter of
computers have any defense against viral attack.  Note a "clipping
file" covering 30 general computer industry periodicals over a
period of two years with only eleven articles on computer viral
programs.  Note also the very high sales of some highly publicized
programs known by the virus research community to have very definite
shortcomings.)
 
It is critical, therefore, to judge the interaction of the program
with the user.  Again, this interaction is not simply the presence
or absence of a menu, but the total intercourse between the program
and the user, by way of the documentation, installation, and user
interface and messages.  It is important to note how the total
package "comes to" the user.  Given that the user's system may
already be infected, what can the package do to remedy the
situation?  Also, while the package may have significant strengths
if installed correctly, is the "normal" user likely to be able to do
the setup and installation properly?
 
As I write this, I am still delaying final publication of one
particular review.  Although I highly respect the people behind the
main programming of the package, I have "marked down" the program
because of the inclusion of a "graphical user interface".  Am I
opposed to GUIs?  By no means: it is just that I do not perceive, in
this particular case, that the GUI actually does anything to assist
the user to increase the level of security.  In fact, it is my
perception that the inclusion of the GUI may be responsible for some
sloppy design and documentation.  In that case, the user may be
given a false sense of security, thinking that the system is using a
variety of protection methods, when, in fact, the user may have
failed to invoke some of them because their use is not "intuitive"
or obvious.
 
Remember that, for the seeming simplicity of some programs,
antiviral software is still a part of computer security.  Security
is not now, has never been and never will be, obvious to the
majority of the population.
 
copyright Robert M. Slade, 1993   PRTAVS3.CVP   930404

==============
Vancouver      ROBERTS@decus.ca         | "If you do buy a
Institute for  Robert_Slade@sfu.ca      |  computer, don't
Research into  rslade@cue.bc.ca         |  turn it on."
User           p1@CyberStore.ca         | Richards' 2nd Law
Security       Canada V7K 2G6           | of Data Security

------------------------------

Date:    Mon, 12 Apr 93 14:04:11 -0400
From:    "Dr. Harold Joseph Highland, FICS" <Highland@DOCKMASTER.NCSC.MIL>
Subject: IFIP Call for Papers

*****************************************************************
                        CALL FOR PAPERS
*****************************************************************

        TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE

                     IFIP SEC '94  -  ARUBA

ORGANIZED   BY   IFIP  TECHNICAL  COMMITTEE  11  *  Security  and
Protection in Information  Processing  Systems  *  IN COOPERATION
WITH  THE SPECIAL INTEREST GROUP ON INFORMATION SECURITY  OF  THE
DUTCH COMPUTER  SOCIETY  AND  CO-HOSTED  BY  THE  ARUBA  COMPUTER
SOCIETY.


                        MAY 23 - MAY 27, 1994

                PALM BEACH, ARUBA, DUTCH CARIBBEAN



The  purpose  of  the  Tenth  International  Information Security
Conference  IFIP  SEC  '94   --  "Dynamic  Views  on  Information
Security in Progress" -- is to provide an international forum and
platform  sharing  experiences and interchanging ideas,  research
results,  development   activities   and   applications   amongst
academics,  practitioners, manufacturers and other professionals,
directly or indirectly  involved  with  information  security and
protection.   It  will  be  held  at  Palm  Beach,  Aruba,  Dutch
Caribbean on May 23rd-27th, 1994.

Those  interested  in  presenting  papers are invited to do so by
September  30, 1993.  The papers may  be  practical,  conceptual,
theoretical,  tutorial  or  descriptive in nature, addressing any
issue, aspect or topic of information security.  Submitted papers
will be refereed, and those presented  at  the conference will be
included  in  the conference proceedings.  Submissions  must  not
have been previously  published  and must be the original work of
the author(s).

The  International Program Chair is  particularly  interested  in
papers on:

  Information security aspects in developing nations

  Security of health care systems

  Aspects of transborder data flow

  Fraudulent aspects and networks

  Security in banking and financial industry

  Evaluation criteria in information security

  Cryptology

  Risk management and analysis

  Contingency planning and recovery


Instructions to Authors

Five (5) copies of the complete paper, which should not exceed 25
double-spaced,   typewritten   pages,   including   diagrams,  of
approximately  5,000  words, must be received by  NO  LATER  THAN
September 30, 1993.
^^^^^^^^^^^^^^^^^^

Diskettes  and  electronically transmitted  papers  will  not  be
accepted.  Papers  must  be  sent  to  the  International Program
Chairman [address noted below].

Each paper must have a title page which includes the title of the
paper, full name(s) of all author(s) and their title(s), complete
address(es)  including  affiliation(s),  employer(s),   telephone
number(s), telefax number(s) and e-mail address(es).

To   facilitate  the  blind  refereeing  process  the  author(s)'
particulars  should  only  appear  on  the  separate  title page.
Furthermore,  the  first  actual  page  of  the manuscript should
include  the  title  and  a  100  word  abstract  of  the  paper,
explaining its contents.

Note:    The   language  of  the  conference  is  English.    All
submissions and  presentations  must  be written and delivered in
the  English  language.   However,  at  the   conference  Spanish
translation will be available for the audience.

Notification of acceptance of submitted papers  will be mailed on
or  before  December  31, 1993.  At that time author(s)  will  be
instructed  to prepare final  camera-ready  manuscripts  and  the
final deadline  for  submission of the camera-ready manuscript is
February 28, 1994.

Papers should be submitted  to the International Program Chair at
the Secretariat [address noted  later].  All authors of submitted
papers will enjoy special benefits at the Conference.


The Referee Process

All  papers  and  panel  proposals  received  by  the  submission
deadline will be considered for presentation  at  the conference.
To ensure acceptance of high quality papers, each paper submitted
will be double and blind refereed.  All papers presented  at IFIP
SEC '94 will be included in the conference proceedings, copies of
which will be provided to the attendees.  All papers will also be
included  in  the formal proceedings of IFIP TC11 to be published
by Elsevier Science Publishers (North Holland).


About the Conference

IFIP SEC '94 will  consist of a five day/five stream program with
advance  seminars,  tutorials,   open  forums,  special  interest
workshops  and technical sessions.   The  conference  will  offer
world-renowned  and most distinguished speakers as its keynoters,
and the highest quality  of  refereed  papers.  There will be far
over  100 different presentations.  This special conference  will
be held  at  the  convention  space situated at Palm Beach on the
Dutch Protectorate island of Aruba in the Caribbean.

During  the  world's  most  comprehensive   information  security
conference,  the  second  Kristian Beckmann Award,  honoring  the
first chairman of IFIP TC 11, will be presented.

IFIP  SEC  '94  is intended for  computer  security  researchers,
security managers,  advisors,  consultants, accountants, lawyers,
edp auditors, IT and system managers  from  government,  industry
and  the  academia,  as  well  as  individuals  interested and/or
involved in information security and protection.

The  Tenth  International  Information  Security  Conference   is
organized   by   Technical  Committee  11  of  the  International
Federation for Information  Processing,  in  cooperation with the
Special  Interest  Group  on Information Security  of  the  Dutch
Computer  Society, and will  be  hosted  by  the  Aruba  Computer
Society.


Conference Information

Aside from  the  submission  of  papers,  which  should be to the
International Program Chair, information about all other matters,
including participation registration, travel, hotel  and  program
information,  is  available from the General Organizing Chair  at
the Secretariat.

  SECRETARIAT IFIP SEC '94 ARUBA
  Postoffice Box 1555
  6201 BN   MAASTRICHT   THE NETHERLANDS

  or

  SECRETARIAT IFIP SEC '94 ARUBA
  Wayaca 31a
  Suite 101/104
  ARUBA  -  DUTCH WEST INDIES

  Telephone:  +31 (0)43 618989
  Telefax:   +31 (0)43 619449
  Internet E-mail: TC11@CIPHER.NL


Local Limited Contact

If you want you may communicate with:

        Highland@dockmaster.ncsc.mil

and I'll help if I can.  HJH




------------------------------

Date:    Tue, 13 Apr 93 04:06:22 +0000
From:    mdallin@lamar.ColoState.EDU (ABCDefghIJKLm)
Subject: Survey

I am currently in the process of writing a two part paper concerning computer
viruses.  The first part deals with the general problem (statistics, et al),
and the second part deals more with how the public perceives what a virus is.
To research it, I decided to throw together a survey, and send it to three
places - a general all interest network, a bbs with frequent up/downloads,
and to the experts on viruses (here).

So, if I may be as bold as to ask you to complete the survey below - I tried
to make the questions short and easy to answer (most are yes/no questions):

PLEASE SEND THIS BACK TO ME VIA EMAIL TO ONE OF THE FOLLOWING ADDRESSES:

		   mdallin@lamar.colostate.edu
		   dallin@beethoven.colostate.edu

DON'T CLUTTER UP THE NEWS SERVICE WITH YOUR ANSWERS!  THANKS!


PART I:  Misc. Info/Statistics

1.  What virus detection/prevention software do you use?


2.  How many times (different occasions) have you been infected with a
    virus?  (if only a few times, list the viruses)


3.  On a scale of 1 to 10, how would you rate the virus danger
    (1 = Nonexistent, 5 = Moderate, 10 = Extreme, etc)?


4.  Do you believe that the media over-hypes viruses?



PART II:  Urban Myths

(Note:  Some of the ideas presented below are myths, some are not - I just
        want to get an idea of how high the level of education about viruses 
        is.)

1.  Do you believe that some countries write viruses to "punish" computer
    hackers?


2.  Do you believe that some countries write viruses designed to infiltrate
    computers in other countries?


3.  Do you see/predict any useful applications of viruses in the future?
  

4.  Do you believe that the law enforcement community has been properly    
    trained to deal with virus-related crimes?
  

5.  Do you believe that it is possible for a virus to cause hardware damage
    (ie, 'burn' itself into chips, cause short circuiting, etc etc)?


6.  Do you believe that viral code should be available to those who would
    use it in a responsible manner (ie, research purposes, etc)?


7.  Do you believe that it is possible for a virus to work on machines with
    different operating systems (eg, a virus that will attack MSDOS machines
    AND Macs) either now or in the future?



Ok, that's all folks.  The statistics will be posted (hopefully) around 
Monday, April 19th (or so).  Thanks for your reply!


Mdd            
- --

"Ah, Ah, Ah, Ah, AAAAAAAAAAAH!!!!"            mdallin@lamar.colostate.edu
 -- Queen, Ogre Battle                        dallin@beethoven.colostate.edu

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 62]
*****************************************


