To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #72
--------
VIRUS-L Digest   Monday,  3 May 1993    Volume 6 : Issue 72

Today's Topics:

Sending Viruses
Re: Virus Signatures
Re: Beneficial/Non-Destructive
Damaging monitors by software
Integrity Check
Re: Forwarded message from Scotland Yard
need help removing flip virus (PC)
MPHTI (PC)
Re: Viruses which cost $$$ (PC)
FPROT: Virus scanner (PC)
Re: Viruses which cost $$$ (PC)
Re:Integrity Check(PC)
Copyright of Virus Signatures (PC)
Re: On the merits of VSUM (PC)
??Hidden file: 386spart.par?? What is this? (PC)
What is "form" virus? (PC)
FProt207/208 broken on Os2MarBeta (PC)
Possible unknown virus (PC)
Re: COMMAND.COM Vaccination (PC)
Norton Antivirus question (PC)
Re[2]: NAV Updates (was CPAV updates) (PC)
Re: V-Sign? (PC)
Form virus? (PC)
New anti-virus (PC)
IFIP TC11 SEC '94 ARUBA Call f. Papers

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Sun, 25 Apr 93 17:10:00 +0000
From:    norman.wong@synapse.org (Norman Wong)
Subject: Sending Viruses


<<***** On 04-21-93, DONALD G PETERS wrote *****>>
DG>Message-ID: <0001.9304221059.AA24917@first.org>
DG>From: Peters@DOCKMASTER.NCSC.MIL (Donald G Peters)
DG>     [stuff deleted]
DG>Third, PC's and guns and potatoes are all readily available in this
DG>country, so instructions on how to do bad things with each of these items
DG>should fall into the same category.  The question is, which takes
DG>precedence, the first amendment or human decency?  Indeed, would you
DG>choose between the first amendment or national security???

Both.  The first amendment gives one the right to say and publish.  It does
not OBLIGATE someone to do so.  If one wants to publish virus code, then one
can.  If one does not, then one doesn't have to.

Also, the first amendment does not obligate me to help this person by
letting him/her use my computer, BBS, or printing press to publish virus
code.

Therefore, I don't see any problem if virus researchers refuse to help
people create viruses by not distributing certain information.  They are
under no obligation to give out virus source code and 40-HEX to anyone that
asks for it.

Norman Wong
norman.wong@synapse.org


- ---
 ~ VbReader V1.41~ Damn the baud rate, full speed ahead.



------------------------------

Date:    Sun, 25 Apr 93 16:57:38 -0400
From:    007 <sbonds@jarthur.Claremont.EDU>
Subject: Re: Virus Signatures

Information.Security@Forsythe.Stanford.EDU (Info Security 3-9797) writes:
>In volume 6 issue 65, Alan Jones wrote:
>
>> I was wondering why there is not anyone that periodically post NEW
>> virus Signatures.  This would be very helpful to people in between
>> releases of different virus scanners.
>
>It seems to me that there is a big risk here.  If I post a false
>signature, but one that will register a hit on some popular piece
>of software, and this signature accidentally gets incorporated into
>one or more anti-viral software packages, then some people are
>going to get false-positives.  What a waste of time for everyone.
>But, given the opportunity, I have no doubt that people will try
>this ploy.  Even if the phoney signature is only used by individuals,
>those individuals may be tricked for awhile to think they have a
>virus when they don't.

F-prot at least uses very specific wording when reporting a virus that the
user has defined the signature to.  It reports "File contains the XXXX
pattern" where XXXX is the name you gave.  This reporting carefully avoids
the use of the word "virus", so it is unlikely to cause panic, though it
will certainly arouse suspicion!

I wouldn't mind seeing some virus signatures posted occasionally, especially
if the viruses have become widespread fairly quickly-- i.e. they have somehow
found their way into a popular piece of software available via anon. FTP.
F-prot gets updated about every two months, which is quite a while for new
viruses to pop up-- it would be nice to be able to add signatures to it.
(This is also another good reason to use an integrity checker as a supplement
to your array of scanners!)

  -- 007
- -- 
 000   000  7777 | sbonds@jarthur.claremont.edu
0   0 0   0   7  |----------------------------------------------------------- 
0   0 0   0  7   | Childhood is short...            [Calvin & Hobbes]
 000   000   7   | ...but immaturity is forever.



------------------------------

Date:    Sun, 25 Apr 93 03:58:51 -0400
From:    DONNY@iris.netcom.com
Subject: Re: Beneficial/Non-Destructive

Vesselin Bontchev (20 Apr 93 10:23:07) writes:

> You don't understand - this -is- the virus. The anti-virus package
> plus the relevant part of the system login script. When you install
> the virus (as a supervisor), it modifies the system login script, by
> including in it a (possibly modified) part of itself. At workstation
> login, this part is executed and spreads another part of the virus
> (the anti-virus package) to the workstation that logs in. The whole
> process matches exactly Dr. Cohen's definition for a virus and is
> clearly beneficial.

But it only "spreads" in two levels ("install" "infects" login script,
login script "infects" AV on station). The second level never continues
to "infect". I don't really think this should fit the definition of a
virus (and if it does, IMHO the definition is flawed). I would consider
this as the "install" program ("trojan horse" in itself) planting a "trojan
horse" in the login script which places a non-replicating program in the
various computers.

A possible correct test for whether something is a trojan horse (and not a
virus) is whether you can give instructions (on a system which you do not
"scan") what exact file (name) not to run (in this case the install program) or
what commands to remove from a *specific* command file (login script).

I know this is a fuzzy definition ("Don't run the 'boot sector program file'"
(that's the "name") "and you won't get infected with the Michelangelo virus"
or "Remove the batch_file virus (which infects only the autoexec.bat) commands
from the 'autoexec.bat' batch file and you won't be "infected"), but you could
add the fact that the initial "infection" has been caused by a specific program
that you ran on your "system" (network) and won't be "spread" to another
"system" and perhaps you could come up with a more exact definition.

Sounds confusing...

Donny Gilor (Dr. Virus)    donny@iris.ilnet.net
- -----------------------------------------------
Development manager, Iris Software (Israel)
Iris produces software for Text-Retrieval, Anti-Virus, and Copy-Protection.
Telephone: (972)-3-5715319     Fax: (972)-3-318731



------------------------------

Date:    Wed, 28 Apr 93 00:34:25 -0400
From:    RON MURRAY <NMURRAYR@cc.curtin.edu.au>
Subject: Damaging monitors by software

   I have a suspicion that the horizontal deflection circuitry of quite a few
(older?) monitors didn't contain the usual horizontal oscillator/sync circuits;
instead, they looked more like a straight amplifier (with the horizontal sync
pulses as the input). This was probably cheaper to implement, but if the
sync pulses were lost for any reason (or their frequency was outside the
bandwidth of the "amplifier"), the horizontal output transistor was left
without any drive, resulting in its early demise (the bias circuitry depended
on drive being present, it seems). This certainly used to happen with old
valve-type (tube-type for you Americans) TVs, where the horizontal output
valve would usually overheat and fail if the horizontal oscillator valve
failed.

 .....Ron

                                 ***
 Ron Murray
 Internet: nmurrayr@cc.curtin.edu.au
   "Women are like elephants to me -- I like to look at 'em, but I wouldn't
       want to own one."     -- W. C. Fields


------------------------------

Date:    Wed, 28 Apr 93 06:32:35 -0400
From:    yue@numbat.cs.rmit.OZ.AU (Paul Yue)
Subject: Integrity Check

I am currently writing my master's thesis and am doing something about an
integrity check for computer viruses. If anyone has any information about
this subject I would appreciate it if they could e-mail it to me. Any
information whatsoever would be of great help and thank you in anticipation
for your submissions.

Paul Yue



------------------------------

Date:    28 Apr 93 10:57:48 +0000
From:    Sam Wilson <ercm20@festival.edinburgh.ac.uk>
Subject: Re: Forwarded message from Scotland Yard

David Bath (dtb@otto.bf.rmit.oz.au) wrote:
: aryeh@mcafee.com (McAfee Associates) writes:
: >I was recently contacted by DC Noel Bonczoszek of the Computer Crimes Unit
: >at New Scotland Yard in London.  ...

: Computer Crimes *Unit* ???  What, they aren't putting it in the miscellaneous
: bucket along with lost dogs and bent fenders?  Congratulations to the
: Brits !!!!

Don't go overboard.  The last time I heard it had 3 members of staff,
though that may have changed by now.  (I'd be glad to hear that it had
changed by now!)  I believe they cover the whole of the UK (pop ~55M),
not just London (pop ~10M), though again I could be wrong.

Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK




------------------------------

Date:    Fri, 23 Apr 93 13:29:38 -0400
From:    xzwang@casbah.acns.nwu.edu (Xiaozhong Wang)
Subject: need help removing flip virus (PC)

Now my question is:
1. Is there a safe way to clean the flip virus without destroying the FAT
of the boot sector?
2. If it destroys the FAT again, is there any way I can retrieve all the
files on that hard disk?
BTW: CPAV identified the virus as Omicrom, if this information helps.

------------------------------

Date:    Mon, 26 Apr 93 11:35:38 -0400
From:    "Jean F. Coppola" <SSAT@pacevm.bitnet>
Subject: MPHTI (PC)


Does anyone have any information about a
"MPHTI" virus ?  Please send information to
me directly, I am writing for someone else.
Thanks in advance.
Regards,
Jean

EMAIL: SSAT@PACEVM.bitnet


------------------------------

Date:    Mon, 26 Apr 93 07:08:01 -0400
From:    v922340@brouwers.si.hhs.nl (Snaaijer)
Subject: Re: Viruses which cost $$$ (PC)

I did cause something like damage with a Tseng Labs 512Kb VGA card and
a Hitachi monitor. This VGA card comes with some programs that enable
you to change some hardware-like stuff on your card. I let the program
do all kinds of tricks with the scan rate and interlace of my monitor and
then ... Bang, nothing more. It frightened me rather a lot (I paid for it
myself) but after I turned off the monitor and turned it on again,
nothing was wrong.  I have this theory about this: the Hitachi isn't
the cheapest one, so there might be something in the monitor that
prevents it from blowing up.

I know that not every VGA card is capable of this and I don't think
there is something like a standard for this either, so this is probably
not a real threat, but if there are some programs that make my monitor
break down, why couldn't those programs be so small and copy
themselves (I surely don't hope so)?

Ivar.

- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------



------------------------------

Date:    Mon, 26 Apr 93 07:00:22 -0400
From:    sys_hjk@lifra.lif.de
Subject: FPROT: Virus scanner (PC)


\dos\virus\fprot208.exe

F-PROT is able to find practically all known viruses, by a method known as
"scanning".  This involves searching for a virus pattern or "signature" - a
sequence of bytes which is very unlikely to be found anywhere but in this
particular virus.

The virus signatures are stored in a file named SIGN.DEF, which must be present
in the current directory or the same directory as F-PROT.EXE. The number of
signatures contained in this file is not an indication of the number of viruses
F-PROT is able to detect, however - as most new viruses are created by making
small changes to older viruses, the same signature can often be used to detect
many different viruses.

Secure Scan, Quick Scan or Heuristic Analysis ?

F-PROT can use three different methods when scanning for viruses.  The first
method ("Secure Scan") uses two different signatures for each virus.  It will
also search for the signatures in a large block of data - usually (but not
always) located either at the beginning or the end of the file.  This improves
the chances of detecting any virus which might have been created by modifying
an older one - any change might cause a signature to be located at a different
position within the virus, or it might even corrupt the signature itself, but
the chances of a single change invalidating both of the signatures are
practically zero.

"Quick Scan" is, as the name implies, a faster method than "Secure Scan", but
it is also less secure.  This is because it only uses a single signature for
each virus, and to speed things up further, "Quick Scan" does not spend time on
an accurate identification of any virus it might find.

"Quick Scan" will just report a "Jerusalem" infection, while "Secure Scan"
might report an infection by the "Anarkia-2B" variant of Jerusalem, for
example.  Most users are not concerned with the accurate identification of any
virus which might strike - all they want to know is if they have a virus or
not, and "Quick Scan" is almost as good at finding known variants as "Secure
Scan" (There are a few "dead" viruses which "Quick Scan" will not detect).  If
you select "Quick Scan", you cannot select any disinfection, as it requires an
accurate identification, so the "Action" option is disabled.  As "Quick Scan"
will not search for Trojans or user-defined strings, the "Targets" option is
disabled as well.

The third method uses a set of rules, instead of a signature database. It is
still only experimental, but its purpose is to detect suspicious code.  It is
not foolproof - it will not detect all viruses and may easily produce false
alarms, so it should be used with care - not recommended for the casual user.
However - unlike the other two methods, it is not limited to existing viruses
or variants of them - it is equally effective against new viruses.  For further
information on this method see ANALYSE.DOC
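
The scanning modes described in these F-PROT notes, together with the cautious "File contains the XXXX pattern" wording for user-defined strings that 007 mentioned earlier in this digest, modelled as an added Python example; this is not F-PROT's code, and the signature bytes, the sample "executables", the 4 KiB head/tail window and the family/variant split are all constructed assumptions.

```python
"""Toy model of F-PROT's Quick Scan / Secure Scan / user-pattern reporting.

Added example, not F-PROT's own code. Signature bytes, sample files, the
4 KiB head/tail window and the family/variant split are all constructed
for illustration; none of the byte patterns are real virus signatures.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

WINDOW = 4096  # bytes searched at each end of a file (assumed value)


@dataclass(frozen=True)
class Signature:
    family: str       # coarse name, all Quick Scan ever reports
    variant: str      # exact name, needed before disinfection is allowed
    primary: bytes    # single pattern used by Quick Scan and Secure Scan
    secondary: bytes  # second pattern, used only by Secure Scan


# Constructed stand-in for SIGN.DEF. Both Jerusalem entries share one
# primary pattern: as the notes say, one signature often covers several
# related viruses, and only the second pattern tells the variants apart.
SIGN_DEF = [
    Signature("Jerusalem", "Jerusalem.Anarkia-2B",
              b"\xe8\x00\x00\x5e\x81\xee\x03\x01", b"sUMsDos\x00"),
    Signature("Jerusalem", "Jerusalem.Standard",
              b"\xe8\x00\x00\x5e\x81\xee\x03\x01", b"sURIV\x00"),
    Signature("Cascade", "Cascade.1701",
              b"\xfa\x8b\xcd\xe8\x00\x00\x5b\x81", b"\x2e\x30\x07\x43"),
]


def _regions(data: bytes) -> tuple:
    """Only the head and tail are searched: that is where file infectors
    usually (but not always) place themselves."""
    if len(data) <= 2 * WINDOW:
        return (data,)
    return (data[:WINDOW], data[-WINDOW:])


def _found(pattern: bytes, regions: Iterable[bytes]) -> bool:
    return any(pattern in region for region in regions)


def quick_scan(data: bytes) -> Optional[str]:
    """One pattern per virus, no exact identification: the family name of
    the first hit ("Jerusalem"), or None when nothing matched."""
    regions = _regions(data)
    for sig in SIGN_DEF:
        if _found(sig.primary, regions):
            return sig.family
    return None


def secure_scan(data: bytes, user_patterns: Optional[dict] = None) -> list:
    """Two patterns per virus. Both present -> exact variant. Only one
    present -> a modification probably corrupted the other, so just the
    family is reported. User-defined strings are never called a 'virus'."""
    regions = _regions(data)
    exact, partial = [], []
    for sig in SIGN_DEF:
        hits = (_found(sig.primary, regions), _found(sig.secondary, regions))
        if all(hits):
            exact.append(sig.variant)
        elif any(hits):
            partial.append(sig.family)
    reports = [f"Infection: {name}" for name in exact]
    if not exact:  # a partial hit beside an exact sibling variant is noise
        reports += [f"Infection: {fam} (unidentified variant)"
                    for fam in dict.fromkeys(partial)]
    for name, pattern in (user_patterns or {}).items():
        if _found(pattern, regions):
            reports.append(f"File contains the {name} pattern")
    return reports


def disinfectable(reports: list) -> bool:
    """Mirror the 'Action' option: only enabled when every hit was an
    exact identification (no family-only or user-pattern reports)."""
    return bool(reports) and all(
        r.startswith("Infection: ") and "(" not in r for r in reports)


# --- constructed sample files (not real infected programs) ---------------
def _exe(head: bytes = b"", tail: bytes = b"", size: int = 20000) -> bytes:
    """A fake program: 'MZ' header, filler, and the given bytes prepended
    or appended, as a real file infector would leave them."""
    return b"MZ" + head + b"\x90" * size + tail


CLEAN = _exe()
ANARKIA = _exe(tail=SIGN_DEF[0].primary + b"\x00" * 300 + SIGN_DEF[0].secondary)
# Hand-modified Jerusalem: primary pattern corrupted (last byte changed),
# so Quick Scan misses it but Secure Scan still flags the family.
MODIFIED = _exe(tail=b"\xe8\x00\x00\x5e\x81\xee\x03\x02" + SIGN_DEF[0].secondary)
CASCADE = _exe(head=SIGN_DEF[2].primary + SIGN_DEF[2].secondary)
HIDDEN = b"MZ" + b"\x90" * 9000 + SIGN_DEF[2].primary + b"\x90" * 9000  # mid-file
USERDEF = _exe(tail=b"Press any key.. Except THAT one!")

if __name__ == "__main__":
    for label, f in [("clean", CLEAN), ("anarkia", ANARKIA), ("modified", MODIFIED),
                     ("cascade", CASCADE), ("hidden", HIDDEN), ("userdef", USERDEF)]:
        print(f"{label:9s} quick={quick_scan(f)!r:12} "
              f"secure={secure_scan(f, {'XXXX': b'Press any key'})}")
```

The HIDDEN sample shows the cost of the head/tail window: a pattern buried mid-file is missed by both modes, which is why the notes say "usually (but not always)".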



------------------------------

Date:    Mon, 26 Apr 93 06:52:36 +0000
From:    joedal@dfi.aau.dk (Lars Joedal)
Subject: Re: Viruses which cost $$$ (PC)

From the documentation of the Atari ST anti-virus program
Virendetektor (translated from German):


In chapter 1 I have already mentioned some fundamental effects that
can be caused by viruses.  But there also exist very vicious viruses
which can even partly cause damage to the hardware, because they e.g.
repeatedly move the read/write head of the disk drive/hard disk
against the stop, or (for IBM-compatible computers with a Hercules
card) program the graphics card in such a way that it can be
irreparably damaged.

Another danger threatens owners of colour monitors!  One can, even in
colour mode, induce the ST to change the frame frequency to the
(monochrome) frequency of 71 Hz.  By this the row frequency is
changed from 16 MHz to 36 MHz.  The "emergency reset", which the ST
normally executes in such a case, can be blocked by software.  If you
one day happen to have a dozen colour monitors left over you can
quietly test how long a colour monitor survives this procedure.
Present extrapolations vary from a second to a few minutes.  In any
case it is sure that within a rather short time your colour monitor
will opt out for ever.  (The latest tests with original ATARI colour
monitors have shown that some monitors were unruffled for as long as
half an hour.)  A virus that wants to cause damage to your hardware
might make use of these circumstances.  That no such virus has yet
been made is probably because of the difficult program-technical
realization of the above scheme.

+------------------------------------------------------------------------+
| Lars Jødal                | Q: What's the difference between a quantum |
| email: joedal@dfi.aau.dk  |    mechanic and an auto mechanic?          |
| Physics student at the    | A: A quantum mechanic can get his car into |
| University of Aarhus      |    the garage without opening the door.    |
| Denmark                   |                    -- David Kra            |
+------------------------------------------------------------------------+



------------------------------

Date:    Mon, 26 Apr 93 07:48:03 +0000
From:    wolfgang.stiller@rose.com (wolfgang stiller)
Subject: Re:Integrity Check(PC)

ST29701@VM.CC.LATECH.EDU writes:

ST>I am looking for a program like Integrity Master that will store all the
ST>data in one file.

Yes, there is such a program...and it's called Integrity Master <g>.
Seriously, I think you can accomplish what you want by using SetupIM to
ask Integrity Master to keep the integrity data on diskette.  This will
place all the integrity data in a secure place and will not change anything
in your hard disk directories.  At present, we don't support a single
data base on the hard disk to describe all your files and system
sectors.

Integrity Master did have a single data base in the original (1988 beta)
version of the product. This was perceived much less convenient by our
original user base.  The integrity data would not follow the files and
it was much more difficult to extract a subset of Integrity Data to
correspond to a set of files.

ST>Are there any plans to add this feature to integrity Master?

We are considering making a single database an option but we have no
firm plans for this at this point.  One problem with this is keeping
the code size of Integrity Master down.  If we do this it will probably
have to be a separate version of the product.  Having tried both versions
in the past, we've found that most people strongly prefer the current
architecture.  People that don't like integrity data in each directory
of their hard disk simply choose to keep the integrity data on floppy.

Regards, Wolfgang

Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.
- ---
   SLMR 2.1a  
   RoseMail 2.10 :



------------------------------

Date:    Sun, 25 Apr 93 22:44:36 -0400
From:    CS193560223@lusta.latrobe.edu.au (ENRIQUEZ,L)
Subject: Copyright of Virus Signatures (PC)

	When a virus is found, it does not usually contain a copyright, because
as far as I can tell, to claim copyright your real name must appear with it.
Obviously, most virus writers don't want to do this. However, if someone did
extract a piece of code (signature) from the virus, and included it in their
virus scanner, and received a financial advantage from this inclusion, and the
author came forth to claim copyright, would such a case be legal?

Please remember I am no lawyer..:)

Regards,
Luke






------------------------------

Date:    Sun, 25 Apr 93 17:27:55 -0400
From:    007 <sbonds@jarthur.Claremont.EDU>
Subject: Re: On the merits of VSUM (PC)

mikael@vhc.se (Mikael Larsson) writes:
> 007 <sbonds@jarthur.Claremont.EDU> writes:
>
>> Isn't there enough misinformation out there already?  Of course VSUM will
>> be fine for the "common-people"-- they don't know any better!  I find it
>> very upsetting that you would be willing to knowingly spread information
>> that is just plain WRONG.  You are preying on the ignorance of these
>> common people.
>
>No, that is not correct, but since most of the common-users get infected
>by viruses like form, cascade etc.. and wants to read about THOSE
>viruses, then I think VSUM is good.

Very true, most people will want to read about these viruses.  But wouldn't
it be nice if they could also read CORRECT information?

One of my ideas from last time was to incorporate a novice/expert type switch.
Were VSUM more structured, with fields for some of the more technical aspects
of virus activity, these could be easily left out at the "novice" setting.
Just backing up what VSUM says about viral activity with a few facts about
what the virus does will increase the credibility of VSUM immeasurably.

For example, saying "This virus is incompatible with Novell" is strengthened
greatly by adding "since this virus uses the Novell print spooling interrupts
as its installation check".  Users who select "novice" would only see the
first part.  Users who select expert could see all of it, and go "oh, that
makes sense then", rather than just going, "now why is that??".

>> It is one thing to be wrong, admit you were wrong, and correct any mistakes
>> possible, and entirely another to be wrong, know you are wrong, and just 
>> not care that many people will have just enough information to get into
>> trouble.  Ignorance, at least, inspires caution.
>
>Sure, there is incorrect info in VSUM, but the users get the general
>idea of what the virus does/does not. The COMMON user isn't interested
>in all the technical stuff about that virus that they got infected by,
>they wanna see if it does any harm or not, how it spreads.

True, but occasionally VSUM even gets this wrong.  Generally speaking, though,
VSUM is correct about the very basic information-- such as file infector vs.
boot sector infector.  Viral payloads can sometimes be incorrect.

If there is technical information that "commoners" aren't interested in, and
it is known to be wrong, why not erase it?  The common people won't know the
difference and it'll help keep the rest of us off Ms. Hoffman's back.

>Hope you get my point,

I would understand your point if the incorrect info were just not included.
But I cannot understand the deliberate inclusion of inaccurate and/or
misleading information.

  -- 007
- -- 
 000   000  7777 | sbonds@jarthur.claremont.edu
0   0 0   0   7  |----------------------------------------------------------- 
0   0 0   0  7   | Childhood is short...            [Calvin & Hobbes]
 000   000   7   | ...but immaturity is forever.



------------------------------

Date:    Sun, 25 Apr 93 15:49:01 +0000
From:    skank@leland.Stanford.EDU (Forked Tongue Redlich)
Subject: ??Hidden file: 386spart.par?? What is this? (PC)

I noticed this while playing solitaire on my PC (a 386).
Nothing else was running, and I noticed that my hard disk had
started doing something - I heard the noise it makes and saw
the light buzzing.

Since I found this unusual, I ran a virus check.  Found nothing.
Except there was a new hidden file - in the root directory - 386spart.par
I did a binary file edit but found mostly text and junk.  I couldn't
find anything that hinted at a virus hidden in this 10 megabyte
file.  I wonder if it may just be a dump from shutting off the
computer in haste and having some program backup what's on - but
why a hidden file in the root directory.

Any help would be appreciated.

Thanks,  Warren Redlich
skank@leland.stanford.edu



------------------------------

Date:    Mon, 26 Apr 93 12:56:51 -0400
From:    csyphers@uafhp..uark.edu (Chris Syphers)
Subject: What is "form" virus? (PC)

Can anyone out there tell me what the "form" virus is/does? Three of the
machines in my office caught it recently. Scan89 detected it in the boot
sector and re-loading the system files got rid of it - but I'm curious.

Chris Syphers
University of Arkansas
csyphers@uafsysa.uark.edu




------------------------------

Date:    Tue, 27 Apr 93 08:31:42 -0400
From:    wdence@relay.nswc.navy.mil (Walter Dence)
Subject: FProt207/208 broken on Os2MarBeta (PC)

     When you try to "begin", you get a "Disk Error on Drive c:".
This worked on the DecBeta of Os2.  Neither FProt-v107 nor v108
work in a Dos window (or full screen).  They will work from a 
Dos5 floppy boot, but only on the FAT drive, not on the HPFS 
drive.

=====================================================================
                       WALTER E. DENCE, JR.
                   Data Acquisition Specialist
                 Influence Mechanisms Branch, G95

Commander, Dahlgren Division                        
Naval Surface Warfare Center     Office:          (301) 394-1707/1960
Dahlgren Division Detachment     Fax:             (301) 394-4510/4727
White Oak, G95 (W. Dence)        DSN (AutoVoN):         290-1707/1960
10901 New Hampshire Ave.         MilNet: wdence@nswc-wo.nswc.navy.mil
Silver Spring, MD 20903-5000     Home:                 (301) 229-7394

         (This is personal opinion, not official opinion.)
=====================================================================


------------------------------

Date:    Tue, 27 Apr 93 11:44:08 -0400
From:    mccormij@hazelnut.ENMU.EDU (James McCormick)
Subject: Possible unknown virus (PC)

Hi, I am new to this group and have a couple of questions.

1. Where can I get a copy on the FAQ for viruses?

[Moderator's note: Anonymous FTP from cert.org (192.88.209.5) in
pub/virus-l.]

2. I recently installed DOS 6.0 and when I did my Norton Antivirus went off.
   It said I had two files, my Command.Com and Qbasic.exe, whose file length had
   been altered. I passed this off as the new version of DOS changing the
   file lengths, but when I talked to a guy at Microsoft he said that there
   were a lot more files than that changed in the upgrade and told me he
   had no clue. Could this be a virus?

3. I went in and compressed my drive with DOS 6 and have started to have
   some weird things happen.  Last night I went into Norton Desktop and
   noticed there were some of my file groups missing.  I ran Norton Disk
   Doctor and it said one of my file allocation tables had been destroyed.
   Could a virus that I do not know about have gone in and destroyed it?

4. Another thing I noticed was that when I compressed my drive the last
   cluster on my hard drive was full and unmoveable.  I found this to be kind
   of weird because only a week before I had run Speed Disk on my hard drive
   and this cluster was empty. Don't some viruses rewrite the boot table and
   put it there until they are ready to go off?

I guess my question really is, is it possible I have an unknown virus?  Any
help would be appreciated.

James McCormick
Eastern New Mexico University
mccormij@almond.enmu.edu  
  


------------------------------

Date:    Tue, 27 Apr 93 11:46:53 -0400
From:    ac999512@umbc.edu (ac999512)
Subject: Re: COMMAND.COM Vaccination (PC)

>Executables that have been compressed with PKLITE are basically immune
>to infection by viruses that infect executables, including COMMAND.COM
>in this case.  The PKLITE file can still be infected externally (as
>reported by McAfee's SCAN), but the actual executable cannot be infected
>in this form.
 
  I think that's silly. It will be infected. It will foil the attempts of
a few viruses that look for contiguous zero bytes (the stack space) to
implant themselves, but any overwriting or parasitic viruses (parasites 
are by far the most common file infectors) will still be able to infect it. 
It doesn't matter whether the infection is "internal" or "external", it's 
still an infection!
 
  I see things like this very often. People have an experience with one
particular virus, and find a way to stop it, or think up an idea that 
seems logical to them without really knowing anything about it, and they
think they're an instant expert on the subject. 
 
 
>Hello All!
>
>What do you think about this? Will it work against most of the command.com 
>infecting viruses?
> 
>- -Jani
 
  Well, there's my thoughts. It may stop a few (such as Lehigh). And a few
of the dumb viruses can be stopped using the Read-Only attribute. But it 
will not save you from the majority of the viruses.
 
 


+------------------------------------------------------+
| Ed T. Toton III,          Virus Researcher           |
| Temporary E-mail address: ac999512@umbc.edu          |
| Permanent E-mail address: wwiv!1-4079@tfsquad.mn.org |
|        Press any key.. Except THAT one!              |
+------------------------------------------------------+







------------------------------

Date:    Tue, 27 Apr 93 12:19:50 -0400
From:    mccormij@hazelnut.ENMU.EDU (James McCormick)
Subject: Norton Antivirus question (PC)

Hi, I am new to this group so do you think someone could answer a few
questions for me.  Where can I get a FAQ for this group?  Since I installed
DOS 6.0 I have had three reports of unknown viruses by Norton Antivirus 2.0.
The first came when I installed DOS and the other two a couple of weeks
later.  Last night I went into Norton Desktop for the second time that day
and a few things were different.  All of my file groups had been changed
back to what they were originally when I installed the program.  Norton Disk
Doctor said that one of my file allocation tables had been destroyed.  Could
I have an unknown virus or is this just a problem with DOS 6.0 and Windows
existing on a compressed drive?

[Moderator's Note: The FAQ is available via anonymous FTP from
cert.org (192.88.209.5) in pub/virus-l.]

Thanks,
James McCormick
Mccormij@almond.enmu.edu



------------------------------

Date:    Tue, 27 Apr 93 14:31:21 -0400
From:    cjkuo@symantec.com (Jimmy Kuo)
Subject: Re[2]: NAV Updates (was CPAV updates) (PC)

Vesselin asks:
>cjkuo@symantec.com (Jimmy Kuo) writes:

>Mr. Slade mentioned ftp servers. Will Symantec permit the distribution
>of the updates via ftp servers?

Yes.

>>They can be available through anyone who wishes to redistribute.

>I wish to distribute them via anonymous ftp. May I do so?

Yes.

>> Basically, NAV definition file updates are and can be freely distributed in
>> its present form (note lack of copyrights).

>Even via anonymous ftp?

Yes.

>If you don't support ftp access, would you allow to others to do it
>for you?

Yes.

I guess Vesselin wanted to be real sure.  :-)

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Tue, 27 Apr 93 17:00:09 -0400
From:    aryeh@mcafee.com (McAfee Associates)
Subject: Re: V-Sign? (PC)

Hello Vesselin,

You write:

>Side question - could somebody with MS-DOS 6.0 verify whether the
>FDISK/MBR trick still works and post the results? Thanks.

The command still appears inside FDISK.EXE.  Running the MS-DOS 6.0
FDISK with the /MBR switch didn't give any error messages either.

Then again, it doesn't give any messages at all. :-)

Regards,

Aryeh Goretsky
Technical Support

- -- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714


------------------------------

Date:    Wed, 28 Apr 93 01:32:10 -0400
From:    alsu@uclink.berkeley.edu (Alan Su)
Subject: Form virus? (PC)

Can someone enlighten me on the specifics of this virus.  How does it
spread, what does it do, how do I get rid of the thing?

On a more general note, can someone explain to me the general mechanism by
which a boot sector or FAT virus spreads?

Thanks...
- -- 
- -alan su
- -alsu@uclink.berkeley.edu


------------------------------

Date:    Tue, 27 Apr 93 07:43:02 +0000
From:    wolfgang.stiller@rose.com (wolfgang stiller)
Subject: New anti-virus (PC)

The new Integrity Master(tm) (V1.43) is now available.

                              What is it?
                              -----------

Easy to use, anti-virus and data integrity system.  You get a powerful
virus scanner combined with generic virus detection capability and
complete data integrity protection.  Do you have a virus?  An erratic
hard disk?  Did someone change a file while you were out?  Are software
conflicts damaging your files? Integrity Master answers all these
questions. Unlike most products, it will also detect files damaged but
not infected by a virus.  Integrity Master is available as ASP shareware
from many BBSes and shareware vendors.

(Integrity Master is the ONLY ASP product capable of scanning for viruses)

                              What's new?
                              -----------
Version 1.43 released April 16, 1993:

1) We've made virus naming corrections to adhere more closely to the CARO
   naming standard and reduced size of some text files.

2) IM identifies over 250 new viruses by name and characteristic,
   including the following viruses: Tiny128 2 minutes, A&A,ARCV1-9,
   Albanian, Alien, Barrotes, Beer, Benoit, BitAddict, Bubbles, CCCP,
   Chemnitz, Cinderella2, Costeau, Cpw, DIR3, DemoEXE, Demon,
   Diamond.620, EXEbug, Experiment, Explode, FichvE1, GotchaF, Grunt2,
   Interceptor, IntruderB, Joanna, Jos, Joshua, Kamikaze2, Kiwi,
   Kthulhu, L.Bro3, LPToff, Loki, Lovechild, Loz693, Luca, Lythyum,
   MD499, Malaise, Malign, Marauder, Mayak, Minimax, Ministry, Mix1b,
   Mr.Virus, NCU LI, Necropolis, Not586, Oxana, Pitch, PopooLar,
   Problem, Sandwich, Shadow, Shirley, SillyCR-178, Silly Willy, Silver
   Surfer, Skew, Stasi, Storm, Strange, SwissArmy, Tankard, Telecom3,
   Timemark, Todor, Tremor, Trvl Jack, Warrior, Wilbur, Wizard,
   Wolverine, X-2, X-1, Yeke.  IM now has improved algorithmic detection
   for viruses generated using the mutation engine (AKA mte or DAME) or
   with PS-MPC.  IM uses similar techniques to recognize Tremor and the
   V2P6 or V2P6z series of viruses.

3) You can now change directories by using the "/P" command line parameter.
   (e.g., "IM /P\DOS /CR" will check files in the \DOS subdirectory.)

4) You can now use the form "IM /Da:b:c:" to check disk a, b and then c.
   The older form of "IM /Dabc" is, of course, still supported for this.

5) We eliminated all remaining pauses in the screen display when you use
   the "/NE" command line parameter or if you have the "Halt" option set
   to "emergencies only".  This makes IM easier for sysops to run
   automatically to check uploads for viruses.

The following is a summary of enhancements since release of V1.41:

1) Integrity Master will now display dates in a variety of formats to
   suit national preference.

2) We've added the extended file/directory checks formerly found in only
   IM itself to IM's stand alone file checker (IMcheck) which now
   checks for corruption or suspicious values in the directory entries
   and supports IM's enhanced date format.

3) Integrity Master now supports the "/VM" command line option to scan
   multiple diskettes.

4) You now have greatly expanded control over your integrity data.
   Using SetupIM, you can ask IM to give these files the DOS read-only
   or hidden attributes and you have several new naming options
   including variably named files (each file will have a different
   unpredictable name). This makes it very difficult for someone to
   recognize your integrity data files if you keep them on your hard
   disk.

You can make sure you have a legitimate copy of Integrity Master by
checking the PKzip CRC values:

Here are the CRC values for the important files displayed by PKzip
(either 2.04 or older versions) for version 1.43c:

 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
   2183  Implode   2151   2%  04-19-93  01:43  3da7f740 --w-  GENVIR.EXE
 118597  Stored  118597   0%  04-19-93  01:43  e7022eb6 --w-  IM.EXE
   4582  Implode   2581  44%  04-19-93  01:43  3b074f35 --w-  IMCHECK.EXE
   1118  Implode   1011  10%  04-19-93  01:43  515b8205 --w-  IMVIEW.COM
  60128  Stored   60128   0%  04-19-93  01:43  97636c7e --w-  SETUPIM.EXE
 ------          ------  ---                                  -------
 538960          313198  42%                                       24

There's also an older version 1.43b which has some text revisions
relative to 1.43c:

 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
 118197  Stored  118197   0%  04-14-93  01:43  bb9b3cc7 --w-  IM.EXE
  59888  Stored   59888   0%  04-14-93  01:43  930d7fa2 --w-  SETUPIM.EXE
 ------          ------  ---                                  -------
 550191          316942  43%                                       24
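As an added illustration of the check described above (example code written for this digest, not Stiller Research's own), the following reads the CRC-32 of each member from an archive the way PKzip lists it, re-checksums the decompressed data rather than trusting the header field alone, and compares the result with a published value. The archive contents and the expected values here are constructed for the demo; the real IM143 values are the ones in the listing above.

```python
"""Check a ZIP archive's member CRC-32 values against a published listing."""
import io
import zipfile
import zlib

# Constructed sample archive: names borrowed from the listing, contents made up.
SAMPLE_FILES = {
    "GENVIR.EXE": b"MZ" + b"\x90" * 100,
    "IM.EXE": b"MZ" + b"\x00" * 200,
}


def build_sample_zip(files):
    """Build an in-memory ZIP so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def expected_crcs(files):
    """CRC-32 values as PKzip prints them: eight lowercase hex digits."""
    return {name: f"{zlib.crc32(data) & 0xffffffff:08x}" for name, data in files.items()}


def verify_zip_crcs(zip_bytes, expected):
    """Return {name: 'ok' | 'mismatch' | 'corrupt' | 'missing'} for each expected entry.

    PKzip displays the CRC stored in the archive's central directory; that is
    only a header field, so the member data is decompressed and re-checksummed
    (zipfile raises BadZipFile when the stored CRC disagrees with the data).
    CRC-32 catches accidental corruption, not a deliberate substitution, so it
    is a sanity check rather than proof of authenticity.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name, want in expected.items():
            if name not in names:
                results[name] = "missing"
                continue
            try:
                data = zf.read(name)  # verifies stored CRC against the data
            except zipfile.BadZipFile:
                results[name] = "corrupt"
                continue
            actual = f"{zlib.crc32(data) & 0xffffffff:08x}"
            results[name] = "ok" if actual == want.lower() else "mismatch"
    return results


if __name__ == "__main__":
    archive = build_sample_zip(SAMPLE_FILES)
    for name, status in verify_zip_crcs(archive, expected_crcs(SAMPLE_FILES)).items():
        print(f"{name:12} {status}")
```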

Regards, Wolfgang

Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.

- ---
   SLMR 2.1a  
   RoseMail 2.10 :


------------------------------

Date:    Tue, 27 Apr 93 14:31:00 +0100
From:    Bertil Fortrie - IT SECURITY <fortrie@CIPHER.NL>
Subject: IFIP TC11 SEC '94 ARUBA Call f. Papers

========important=====relay======the======following=========


from: TC11@CIPHER.NL
to: all major networks, listservices, bulletin boards
date: April 27, 1993


***************************************************************
                      CALL FOR PAPERS
***************************************************************


        Technical Committee 11 - Security and Protection
        of Information Processing Systems - of the
        International Federation for Information Processing -
        I.F.I.P.

        I.F.I.P. is affiliated with UNESCO, the United Nations
        Educational, Scientific and Cultural Organization.

        I.F.I.P. is headquartered in Geneva, Switzerland.

        The federation consists of 14 Technical Committees and
        close to 100 specialist Working Groups.

        Technical Committee 11 is responsible for all matters
        related to information security.

        Its annual conference is considered the most important
        and largest event on the globe.

***************************************************************
                     ANNOUNCES:

ITS TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE,
IFIP SEC'94, TO BE HELD ON THE DUTCH PROTECTORATE ISLAND OF
ARUBA IN THE CARIBBEAN BASIN, FROM MAY 23 THROUGH MAY 27, 1994.

***************************************************************

Organized by Technical Committee 11 of IFIP, in close co-operation
with the Special Interest Group on Information Security of the
Dutch Computer Society (NGI) and hosted by the Aruba Computer Society,
the TENTH International Information Security Conference IFIP SEC'94
will be devoted to advances in data, computer and communications
security management, planning and control. The conference will encompass
developments in both theory and practice, envisioning a broad perspective
of the future of information security. The event will be led by its
main theme "Dynamic Views on Information Security in Progress".


        CALL FOR PAPERS
        Papers are invited and may be practical, conceptual, theoretical
tutorial or descriptive in nature, addressing any issue, aspect or topic
of information security.
        Submitted papers will be refereed, and those presented at the
conference, will be included in the conference proceedings.
        Submissions must not have been previously published and must be
the original work of the author(s).
        Both the conference and the tutorial mini conferences are open
for refereed presentations.


        AUDIENCE
        The purpose of IFIP SEC'94 is to provide the most comprehensive
international forum and platform, sharing experiences and interchanging
ideas, research results, development activities and applications
amongst academics, practitioners, manufacturers and other
professionals, directly or indirectly involved with information security.
The conference is intended for computer security researchers, security
managers, advisors, consultants, accountants, lawyers, edp auditors, IT
and system managers from government, industry and academia, as well
as individuals interested and/or involved in information security and
protection.


        ABOUT THE PROGRAM
        IFIP SEC'94 will consist of a four day - five parallel streams -
enhanced conference, and a cluster of five full day tutorial mini
conferences. In total over 100 presentations will be held.
During the event the second Kristian Beckman award will be presented.

The conference will address virtually all aspects of computer and
communications security, ranging from viruses to cryptology, legislation
to military trusted systems, network security to theoretical design, etc.
Over 75 timeslots will be made available for the conference part of
the event.

The five EXTRA tutorial mini conferences, each a full day, will cover the
following issues:

TUTORIAL A:
        Medical Information Security -
Theme:  The Computerized Surgeon

TUTORIAL B:
        Information Security in the Developing Nations -
Theme:  The Need for Education

TUTORIAL C:
        Risk Analysis and Risk Management -
Theme:  Controlling Risks

TUTORIAL D:
        IT Security Evaluation Criteria -
Theme:  Harmonizing the World

TUTORIAL E:
        Information Security in the Financial and Banking Industry -
Theme:  Cards Unlimited, Accounts Unlimited ?

Each tutorial mini conference will be chaired by a most senior and
internationally respected expert.

        PROCEEDINGS
        The formal proceedings will be published by Elsevier North Holland
Publishers, including all presentations, accepted papers, key note talks,
and invited speeches.


        VENUE
        The venue for IFIP SEC'94 is the combined convention facilities
of ARUBA's Palm Beach Resort Area.


        SPECIAL PROMOTIONS
        To celebrate this TENTH event, the organizers have managed to
agree with the major credit card companies for the creation of a special
Discover ARUBA/IFIP TC11 credit card.
        Early 1994 the government of Aruba will introduce a stamp, specially
created for this major conference.

        SOCIAL PROGRAM
        A truly unique social program, including a formal banquet,
giant 'all you can eat' beach BBQ, island Carnival night, and much
more will take care of leisure and relax time.

        PARTNERS PROGRAM
        A vast partners program is available, ranging from island
crossing, boating, snorkeling, etc. to guided children's kindergarten.

        LANGUAGE SERVICE
        The conference will be held in the English language.
For the audience Spanish translation will be made available.

        HOTEL ACCOMMODATIONS
        Special arrangements with a wide range of hotels, and apartment
complexes in all rate categories have been made to accommodate the delegates
and accompanying guests.

        FLIGHT INFORMATION
        The host organizer has made special arrangements with KLM Royal
Dutch Airlines for a worldwide promotional fare in both business and
tourist class. Our own IFIP SEC'94 in-house travel agency will be able to
serve from any city/airport.


*****************************************************************************

If you want to submit a paper, or you want more information on participating
in this enormous event, please write to:

        IFIP SEC'94 Secretariat
        Post Office Box 1555
        6201 BN   MAASTRICHT
        THE NETHERLANDS - EUROPE

or fax to:

        IFIP SEC'94 Secretariat
        +31 43 619449  (Netherlands)
        +32 87 461481  (Belgium)

or email (internet) to:

        < TC11@CIPHER.NL >

you may also write to:

        The Aruba Computer Society
        Wayaca 31a, suite 101/104
        ORANJESTAD
        ARUBA
        DUTCH WEST INDIES

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 72]
*****************************************
