ct:   VIRUS-L Digest V6 #101
--------
VIRUS-L Digest   Friday,  9 Jul 1993    Volume 6 : Issue 101

Today's Topics:

Virus/Anti-Virus - Internet Talk Radio (fwd)
Arj-virus? (PC)
SatanBug infection (PC)
Re: F-prot false idetification (PC)
Re: Need help for possible virus! (PC)
Re: Help...my B: drive is dead ??? (PC)
Viruses that cost $$$ (PC)
Re: Tremor (PC)
Re: FORM virus (PC)
Re: FORM Virus (PC)
FIRST Incident Handling Workshop agenda

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 07 Jul 93 09:36:47 -0700
From:    Gleason Sackman <sackman@plains.nodak.edu>
Subject: Virus/Anti-Virus - Internet Talk Radio (fwd)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded by Gleason Sackman, net-happenings moderator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- ---------- Text of forwarded message ----------
Date: Wed, 7 Jul 93 10:15:22 -0400
From: Carl Malamud <carl@trystero.malamud.com>
To: announce@trystero.malamud.com
Subject: Virus/Anti-Virus

Station: Internet Multicasting Service
Channel: Internet Talk Radio
Program: TechNation ... Americans & Technology
Release: July 7, 1993
Content: Virus/Anti-Virus

On this week's "TechNation ... Americans & Technology," hosted by
Dr. Moira Gunn:

     Moira interviews Urnst Kouch, publisher of the "Crypt Newletter,"
an electronic newsletter for computer virus writers, anti-virus 
writers, and the computer security industry.  The discussion describes 
computer viruses, how to gain access to underground networks in order
to collect libraries of virus code, how to place your virus, and, 
from a virus writer's standpoint, how susceptible a user is to viruses.

     In the second half, Moira speaks with John McAfee, founder and CEO
of McAfee Associates, the leading manufacturer of anti-virus software.
McAfee describes the techniques that anti-virus software uses, who should
have anti-virus software, whether the publication of virus code should
remain legal, and how the anti-virus writers stay ahead of the virus
writers.

     Network connectivity for Internet Talk Radio is provided by 
UUNET Technologies.  Support for "local" broadcast of TechNation is
made possible by Sun Microsystems and by O'Reilly & Associates.

ITR Program Files: 

Size           Name                      Description
28,813,667     070793_tech_01_ITR.au     TechNation Program File
               070793_tech_ITR.readme    (This File)

TechNation Program ID: 93-T19-00026

For information about Internet Talk Radio, send mail to info@radio.com.
For information about Internet Town Hall, stand by for more details.
For a listing of some distribution sites, send mail to sites@radio.com.

------------------------------

Date:    Wed, 07 Jul 93 08:18:06 -0400
From:    oenglund@bilbo.abo.fi (Olof Englund)
Subject: Arj-virus? (PC)

Hi! I use Arj verision 2.41 (The best). Well, i have a memory-resident
program, that says if files are being changed. Everytime i access .exe
files that belong to arj the program warns me that the file has
changed.  Has this happened to you? Will you test the problem?

Ok....write to this article if you find out something....

Thanks!

                                Olof Englund

------------------------------

Date:    Thu, 08 Jul 93 13:15:29 -0400
From:    castillo@media.mit.edu (Brian Anderson)
Subject: SatanBug infection (PC)

I'm trying to disinfect a machine that appears to have come down with
the [SatanBug] virus.  At least this is what McAfee Scan v106 reports.
Unfortunately v106 of Clean doesn't seem to be able to rid my .exe and
com files of this menace.  The name [SatanBug] also does not appear in
the VIRLIST.TXT file.  Anybody had any experience eradicating this pest?

- -- 
"make lots of money",  "enjoy the work",  "operate within the law":  choose 2
- -----------------------------------------------------------------------------
Brian Anderson                    | "It's difficult to work in a group when
castillo@media-lab.media.mit.edu  |  you're omnipotent." - Q, ST-tng "Deja-Q"

------------------------------

Date:    Thu, 08 Jul 93 17:10:44 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: F-prot false idetification (PC)

From:    frisk@complex.is (Fridrik Skulason)

Arie_Zilberstein@f0.n462.z9.virnet.bad.se (Arie Zilberstein) writes:

>Well, you are probably right.  In fact, as a general rule of thumb - If 
the
>heuristics only report a single file as suspicious, it is almost always
>a false alarm....if you had a new virus it would be found all over the 
machine.

Unless it is a slow replicator like the Iceland Variants, or a brain dead 
virus like Power Pump.

>I could probably fix this if I had a copy of the file in question.

Since Smooth was released in PC-Magazine, I should be able to find it 
fairly easily, and will be happy to send you a copy.

Bill

------------------------------

Date:    Fri, 02 Jul 93 19:06:13 +0100
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Need help for possible virus! (PC)

marks@mentor.cc.purdue.edu (deb marks) writes:
>1.  Only on machines running Dos 6
>2.  Normal execution of programs except for slow run-time...gets slower 
>  everytime a program is run.
>3.  Filesize of program does not change.
>4.  By dumping a file to debug we can compare uninfected against infected
>  files and see that the first hundred bytes or so have been stripped.  
Again,
>  file execution isn't affected other than being slowed down and filesize 
>  never alters. 
>5.  We attempted to upload two files, one infected, one uninfected to to a 

BBS.
>  When they got there, they were identical, even though we have the 
hardcopy 
>  proof that one had been altered.
>6.  Nothing shows on any virus detection program we run...we have tried 
vsafe,
>  viruscan 106, and virex 2.8.
>7.  Only goes after .exe and .com files, however, no changes have been 
made to 
>  .com files...only attempts...the .exe files have been changed.  

It sounds like you may have an unknown stealth infector. I would 
deffinately recommend for you to send some of the affected files to a virus 
researcher for study.

1. I am running DOS 6.0 as well, and I have not experienced any problems 
other than DBLSPACE. ;-) 
3. If there is a stealth infector resident, the filesize will remain the 
same. One quick way to find out for certain would be to copy some of the 
affected files to diskette, then take that diskette to an unaffected 
machine, and view the directory of the diskette. If the files are larger 
than they are supposed to be, it's a safe bet that a virus is present.
5: It deffinately sounds like a fully stealthed virus that is capable of 
disinfecting the host files when they are opened for any reason. When you 
uploaded the files, the virus could have disinfected the host files prior 
to the upload process, and re-infected them after the host files were 
closed.
6: Try F-Prot 2.08a. It is a very good scanner, and it can detect new or 
modified variants that other scanners may miss.
7: I haven't heard of a new stealth virus that only infects .EXE files, but 

it's possible.

I hope it helps.

Bill

------------------------------

Date:    Thu, 08 Jul 93 20:16:13 -0400
From:    Harold Wyzansky <0005462823@mcimail.com>
Subject: Re: Help...my B: drive is dead ??? (PC)

UC532838@mizzou1.missouri.edu (handy) writes:

>Help...
>my B: drive (1.44) is not working anymore.. a couple of days ago
>it was fine.. now that I needed to retrieve some files from floppy
>it's dead. I checked & run CMOS set up & CMOS diagnostics, & all
>CMOS data looks OK to me.. I also cleaned that drive w/ cleaner disk
>'cos I thought there was some dust in the way.. but it didnt help..
>Please anybody help..
>What might cause this.. & how to fix it ?
> I've tried a dozen of disks & it still gave me General Failure Error..

I had a similar problem with my A: drive and it turned out that the cable
had worked loose a bit and wasn't making good contact.  Open the case and
make sure that the controller and power cables are tightly connected.  Try
switching the cables (and CMOS) to make the the A: into B: and vice versa.
If they both work switched, then switch back again and try again.  That
should isolate any drive or controller problems.

Harold Wyzansky

------------------------------

Date:    Sun, 04 Jul 93 19:44:10 +0200
From:    Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Viruses that cost $$$ (PC)

Hi Inbar!

 >> great security watchdog. Robert _is_ a well-known german anti-virus
 >> researcher. I guess he'll test it for you. Or even Frisk or Vess may,
 >> because - if successful - it would be a great sensation :-)

 > Yes, I can kill modern WD IDE drives. No, you can't try, because
 > I can't give you sources or executables to do that, for obvious reasons.

Alright, I accept. What about the other guys I mentioned? You see, one can't 
believe you if no one confirmes :-)

cu!
eppi

- --- GEcho 1.00
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date:    Sun, 04 Jul 93 21:18:00 +0200
From:    Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Tremor (PC)

You needed Informations about TREMOR :

        Name      : TREMOR
        Original  : Germany
        Known since march 1993
        infects   : EXE und COM
        SCANNER   : F-PROT 2.07+ finds it
                    TREMEX,TFIND.
        CLEANER   : TBCLEAN cleans it
                    TREMEX Scans for and cleans it
                    TFIND scans for and cleans it


    infected files grow 4000 byte
    the files date is set to year:=(old-year+100)
    intercepts int 21h,15h,9,24h

    Tremor-self-recognition :

        MOV     AH,2Ah
        int     21h
        MOV     AH,30h
        INT     21H
        MOV     AX,0F1E9H
        INT     21H
        CMP     AX,0CADEh
        JE      _tremor_im_speicher

    the virus is polymorphic with a build-in code generator.
    you cannot find a classical scanstring.


    tremor starts trying to get upper memory and to copy itself to this region.
    first tries the DOS-way then the XMS-way.

    it traces to int21-entry

    it patches the master-psp in such a way, that on every termination of a 
program the commandinterpreter itself gives control to the resident virus.
    it always tries first to infect the commandinterpreter as defined in 
COMSPEC.
    the computer seems to be "lame" with tremor in memory, everything needs 
more time.

    CHKDSK always shows the correct numbers.
    If CLEAN,SCAN,MEM,CHKDSK,F-PROT,MIRROR,SYS,HB*,SI,ARJ is started then 
these files will be desinfected ON THE HARDDISK == physically.

    if a scanner runs, the opend files are "desinfected" in RAM.


    it extensively looks for VIRSTOP/VIREX and tries to refuse any actions, 
that could cause warnings.

    it simply switches "OFF" vsafe/mcvsafe.

    you cannot detect an infected file if tremor is actice.
    what you can do is : perform its selftest :)

    the filesystem itself is not attacked by tremor (no FAT-attacks, no writes 
directly to any sektor). it infects only files _as_ files.

    pressing ctrl_alt_del may simetimes result in displaying the following 
text         -=> T.R.E.M.O.R was done by NEUROBASHER / May-June'92, Germany <=-

                   .MOMENT.OF.TERROR.IS.THE.BEGINNING.OF.LIFE.

    the text will be moved some bits in a circle (frequest DEMOVIR.EXE to see 
it). after this it will reboot. this text is separately encrypted.

    to find the virus in memory you can use the following sequence of chars :

        "CHMEMIF2F-SYSIPMRJKZAH"

    these are frgments of filenames who are handled specially by tremor (
desinfection).

    desinfections are made with every "open-file"-command with AH=3D02.
    closing the file will result in  re-infection.

    you can frequest this report in german as TREMOR.RPT at my bbs.
    you can frequest TREMEX*.* at my bbs, too.
    I wrote an additional scanner : TFIND.EXE (same bbs :)

    greetings, stop this beast :)
    Robert

- ---
 * Origin: This origin is unregistered shareware. (9:492/2170)

------------------------------

Date:    Wed, 07 Jul 93 16:39:00 -0400
From:    Brian Seborg <seborg@csrc.ncsl.nist.gov>
Subject: Re: FORM virus (PC)

In reply to Yves Riedrich's request for help with the FORM virus:

I hate to keep bringing this up, but cleaning software is bogus!  You
do not I repeat NOT need it, and it does NOT, I repeat NOT work 100%
of the time.  Yves problem is an example of this.  Okay, so you have
FORM, now what do you do?  Well, FORM is a DOS Boot sector virus
meaning that if you reboot the system from a clean DOS diskette with
the same version of DOS as that of the infected computer and execute
the SYS C: command, this will wipe it out since FORM will be
overwriten by a new DOS Boot sector.  That's it!  You're done!

Since I am on the soap-box, let me go on for a bit more on the topic
of cleaning software.  Most cleaning software will clean a specific
known virus from a hard disk or program file.  There are some that do
generic cleaning, and this is preferred, but still not worth it.
Let's look at some examples in defense of my position.

Your hard disk becomes infected with FORM, you try to use cleaning
software after re-booting the system from a clean DOS disk, and the
cleaning software fails.  If you knew about the virus, then you could
have simply run sys to clean the system once and for all.

Your hard disk becomes infected with the Michelangelo virus, you
reboot from a clean DOS diskette and (if running DOS 5.0 or above) you
run FDISK /MBR and viola, the virus is dead!  Again, nothing up my
sleeves, and no cleaning software.

Your hard disk becomes infected with an unknown MBR or DOS boot sector
virus.  Cleaning software doesn't know what to do, or if it does it
only performs a FDISK /MBR or SYS command respectively anyway so why
not do it yourself?

Your hard disk becomes infected first with Stoned and then with
Michelangelo (don't laugh, it's happened more than once as Virus-l can
attest).  Your system becomes non-bootable.  Upon scanning the
hard-drive, you find that it is infected with Michelangelo (no, not
Stoned and Michelangelo, just Michelangelo) so you clean it for
Michelangelo.  The cleaning software knows where the Michelangelo
virus puts the old MBR so it copies it from that location without
checking to see whether it's even valid.  You try to reboot, the
system still hangs, when you re-scan it, what a surprise, you find
that you are infected with Stoned and the cleaning software is unable
to clean it.  Eventually, you have enough sense to run FDISK /MBR and
your system is functional again.

A program becomes infected with a virus.  Who cares what it is?  Not
me, since I simply reboot from a clean DOS disk, run a CRC and delete
any programs which have changed and should not have.  I replace the
erased programs from originals or clean back-ups and I'm done.  I
don't care if the virus is MtE, TPE, Phoenix or King Kong's
Illegitimate Love Child, it's dead, gone, kaput!  No doubt, and no
cleaning software.

You get a program that is infected with two viruses, your scanner
detects the latest infection, you clean the program of this virus, and
you still have the other virus to contend with.  If you had deleted
the file and replaced it from a clean backup you'd be done by now, but
instead you have to repeat the whole process over and over again.

You get another program that is infected with a virus recognized as
the BOGUS virus.  You clean the program using cleaning software,
unfortunately, the virus was a varient of the BOGUS virus that the
cleaning software does not know about and it trashes the file.  You
end up erasing it and replacing it with a clean back-up.

Last example, you get a virus, the scanner identifies it, the cleaning
software attempts to clean it and thinks it has done so successfully.
The program will not run, however, when you attempt to run it.  So you
end up erasing it and replacing it from an original.

Is the light-bulb beginning to go on?  Any cleaning of viruses from
other than the MBR and DOS boot sector is a decision made under
uncertainty.  So why not be certain and do it right the first time?
Cleaning software?  Just say NO!

Brian Seborg

VDS Advanced Research Group

P.S. If you still want to buy some cleaning software, I'll be glad to
sell you a copy!  In the words of P.T. Barnum ...

------------------------------

Date:    Mon, 05 Jul 93 17:15:00 +0200
From:    Jan_Van_De_Wouw@f117.n311.z12.virnet.bad.se (Jan Van De Wouw)
Subject: Re: FORM Virus (PC)

 > From: riedrich@socrates.umd.edu (Yves Riedrich)

 > While using the McAfee virus scanner, I discovered the
 > "form" virus in my boot sector.
 > I tried to clean this virus off the hard drive...and
 > got the message "Virus can not be safely removed from boot
 > sector"

 > If this has happened to you before or if you have any
 > ideas how to remove this from my hard drive...please send me
 > e-mail

Well Yves, if someone has the answer will you drop me a note, because I have 
the same problem. McAffee can't remove the virus safely. Which virusscanner 
can do the Job???

[Moderator's note: See Brian Seborg's posting in this digest; it
provides a _very_ simple method of removing the FORM virus, that EVERY
DOS owner has access to...]

Bye,
Jan.

- --- FMail 0.94
 * Origin: The Wouw-Board (+31-13441206) 14k4 ofcourse. (9:313/18)

------------------------------

Date:    Thu, 08 Jul 93 20:01:59 -0500
From:    Gene Spafford <spaf@cs.purdue.edu>
Subject: FIRST Incident Handling Workshop agenda

  ** NOTE: July 10 is the deadline for discounted registration!! **

			  PRELIMINARY AGENDA
	   5th Computer Security Incident Handling Workshop
Sponsored by the Forum of Incident Response and Security Teams (FIRST)

			  August 10-13, 1993
			    St. Louis, MO


TUESDAY, August 10, 1993  Full-day Tutorials

1.  Creating a Security Policy
    presented by Charles Cresson Wood:

      [no abstract available at time of posting]

2.  Vulnerabilities of the IBM PC Architecture: Virus, Worms, Trojan
      Horses, and Things That Go Bump In The Night
    presented by A. Padgett Peterson:

  An intensive look into the architecture of the IBM-PC and MS/PC-DOS --
  What it is and why it was designed that way. An understanding of
  assembly language and the interrupt structure of the Intel 80x86
  processor is helpful.

  The day will begin with the BIOS and what makes the PC a fully
  functional computer before any higher operating system is introduced.
  Next will be a discussion of the various operating systems, what they
  add and what is masked. Finally, the role and effects of the PC and
  various LAN configurations (peer-peer and client server) will be
  examined with emphasis on the potential protection afforded by login
  scripting and RIGHTS.

  At each step, vulnerabilities will be examined and demonstrations made
  of how malicious software exploits them. Demonstrations may include
  STONED, MICHELANGELO, AZUSA, FORM, JERUSALEM, SUNDAY, 4096, and EXEBUG
  viruses depending on time and equipment available.

  On completion attendees will understand the vulnerabilities and how to
  detect attempted exploitation using simple tools included with DOS
  such as DEBUG and MEM.

3.  Unix Security
    presented by Matt Bishop:

  Unix can be a secure operating system if the appropriate controls and
  tools are used.  However, it is difficult for even experienced system
  administrators to know all the appropriate controls to use.  This
  tutorial covers the most important aspects of Unix security
  administration, including internal and external controls, useful
  tools, and administration techniques to develop better security.

  Upon completion, Unix system administrators will have a better understanding
  of vulnerabilities in Unix, and of methods to protect their systems.

WEDNESDAY, August 11, 1993

 8:30 -  8:45  Opening Remarks - Rich Pethia (CERT/CC)

 8:45 -  9:30  Keynote Speaker - Dr. Vinton Cerf (XXXX)

 9:30 - 10:00  Break

10:00 - 12:00  International Issues - Computer networks and communication lines
               span national borders.  This session will focus on how computer
               incidents may be handled in an international context, and on
               some ways investigators can coordinate their efforts.
               SPEAKERS:  
		 Harry Onderwater (Dutch Federal Police)
		 John Austien (New Scotland Yard)
		 other speakers pending 

12:00 -  1:30  Lunch with Presentations by various Response Teams

 1:30 -  3:00  Professional Certification & Qualification - how do you know if
               the people you hire for security work are qualified for the
               job?  How can we even know what the appropriate qualifications
               are?  The speakers in this session will discuss some approaches
               to the problem for some segments of industry and government.
               SPEAKERS:  
		 Sally Meglathery ((ISC)2)
		 Lynn McNulty (NIST)
		 Genevieve Burns (ISSA)

 3:00 -  3:30  Break

 3:30 -  6:00  Incident Aftermath and Press Relations - What happens after an
               incident has been discovered?  What are some of the
               consequences of dealing with law enforcement and the press?
               This session will feature presentations on these issues, and
               include a panel to answer audience questions.
               SPEAKERS:  
		 Laurie Sefton (Apple Computer)
		 Jeffrey Sebring (MITRE)
	         Terry McGillen (Software Engineering Institute)
		 John Markoff (NY Times)
		 Mike Alexander (InfoSecurity News)

 7:00 -  9:00  Reception

THURSDAY  August 12

 8:30 - 10:00  Preserving Rights During an Investigation - During an
               investigation, sometimes more damage is done by the
               investigators than from the original incident.  This session
               reinforces the importance of respecting the rights of victims,
               bystanders, and suspects while also gathering evidence that may
               be used in legal or administrative actions.
               SPEAKERS:  
		 Mike Godwin (Electronic Frontiers Foundation)
		 Scott Charney (Department of Justice)
		 other speaker pending		 

10:00 - 10:30  Break

10:30 - 12:00  Coordinating an Investigation - What are the steps in an
               investigation?  When should law enforcement be called in?  How
               should evidence be preserved?  Veteran investigators discuss
               these questions.  A panel will answer questions, time permitting.
               SPEAKER:  
		 Jim Settle (FBI)
		 other speakers pending 

12:00 -  1:30  Special Interest Lunch

 1:30 -  3:00  Liabilities and Insurance - You organize security measures but
               a loss occurs.  Can you somehow recover the cost of damages? 
               You investigate an incident, only to cause some incidental
               damage.  Can you be sued?  This session examines these and
               related questions.
               SPEAKERS:  
		 Mark Rasch (Arent Fox)
		 Bill Cook (Willian, Brinks, Olds, Hoffer, & Gibson) 
		 Marr Haack (USF&G Insurance Companies)

 3:00 -  3:15  Break

 3:15 -  5:30  Incident Role Playing -- An exercise by the attendees
	       to develop new insights into the process of
	       investigating a computer security incident.
	       Organized by Dr. Tom Longstaff of the CERT/CC.

 7:30 -  ?     Birds of a Feather and Poster Sessions


FRIDAY  August 13

 8:30 - 10:00  Virus Incidents - How do you organize a sussessful virus
               analysis and response group?  The speakers in this session have
               considerable experience ans success in doing exactly this.  In
               their talks, and subsequent panel, they will explain how to
               organize computer virus response.
               SPEAKERS:  
		 Werner Uhrig (Macintosh Anti-virus Expert)
		 David Grisham (University of New Mexico)
		 Christoph Fischer (MicroBIT Virus Center/CARO)
		 Karen Picharczyk (LLNL/DoE CIAC)
		 Ken van Wyk (DISA/Virus-L)

10:00 - 10:15  Break

10:15 - 11:15  Databases - How do you store incident, suspect, and
               vulnerability information safely, but still allow the 
               information to be used effectively?  The speakers in this
               session will share some of their insights and methods on this 
               topic.
               SPEAKERS:  
		 John Carr (CCTA)
		 Michael Higgins (DISA)
		 speaker pending 

11:15 - 12:15  Threats - Part of incidence response is to anticipate riska and
               threats.  This session will focus on some likely trends and
               possible new problems to be faced in computer security.
               SPEAKERS:  
		 Karl A. Seeger
		 speakers pending 


12:15 - 12:30  Closing Remarks - Dennis Steinauer (NIST/FIRST)

12:30 -  2:00  Lunch

 2:00 -  3:00  FIRST General Meeting and the Steering Committee Elections
 
 3:00 -  4:00  FIRST Steering Committee Meeting

^^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^^

INQUIRES:

Direct questions concerning registration and payment to:  Events at 412-268-6531

Direct general questions concerning the workshop to:  Mary Alice "Sam" Toocheck
                                                      at 214-268-6933

Return to:   Helen E. Joyce
             Software Engineering Institute
             Carnegie Mellon University
             Pittsburgh, PA  15213-3890
             Facsimile:  412-268-7401
TERMS:

Please make checks or purchase orders payable to SEI/CMU.  Credit
cards are not accepted.  No refunds will be issued, substitutions are
encouraged.

The registrations fee includes materials, continential breakfast,
lunches (not included on August 13), morning and afternoon breaks and
an evening reception on August 11.  Completed registration materials
must be received by the SEI no later than July 10, 1993.

A minimum of 7 attendees are needed for each tutorial and there will
be limit o f 50 attendees. You MUST indicate which tutorial you would
like to attend and an alternate if your first choice is full.

GOVERNMENT TERMS:

If your organization has not made prior arrangements for reimbursement
of workshop expenses, please provide authorization (1556) from your
agency at the time of registration.
                                                 
GENERAL REGISTRATION INFORMATION:

Workshop................................. ..............$300.00



All registrations received after July 10, 1993..........$350.00

Tutorials (Must be registered by July, 10, 1993)........$190.00

NAME:

TITLE:
COMPANY:

DIVISION:

ADDRESS:

CITY:

STATE:

ZIP:

BUSINESS PHONE:

EMERGENCY PHONE:

FACSIMILE NUMBER:

E-MAIL ADDRESS:
DIETARY/ACCESS REQUIREMENTS:

CITIZENSHIP:  Are you a U.S. Citizen?    YES/NO

Identify country where citizenship is held if not the U.S.:

(Note: there will be no classified information disclosed at this
 workshop.  There is no attendance restriction based on citizenship or
 other criteria.)

GENERAL HOTEL INFORMATION:

RATES: A block of rooms has been reserved at the Hyatt Regency at
Union Station, One St. Louis Union Station, St. Louis, Missouri 63103.
The hotel will hold these rooms until July 10, 1993.  Hotel
arrangements should be made directly with the Hyatt, 314-231-1234.  To
receive the special rate of $65.00 per night, please mention the Fifth
Computer Security Incident Handling Workshop when making your hotel
arrangements.

ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including
20 suites.  All rooms have individual climate control, direct-dial
telephone with message alert, color TV with cable and optional pay
movies.  Suites available with wet bar.  Hotel offers three floors of
Regency accomodations, along with a Hyatt Good Passport floor, and a
special floor for women travelers.

LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic
Union Station one mile from Cervantes Convention Center and St. Louis
Convention Center and St. Louis Arch.  Fifteen miles (30 minutes) from
St. Louis Zoo.

DINING/ENTERTAINMENT: Italian Cuisine is features at Aldo's, the
hotel's full-service restaurant.  Enjoy afternnon cocktails in the
Grand Hall, an open-air, six-story area featuring filigree work,
fresco and stained glass windows.  The station Grille offers a chop
house and seafood menu.

RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool.
Full health club; suana in both men's and women's locker rooms.
Jogging maps are available at the hotel front desk.

SERVICES/FACILITIES/SHOPS: Over 100 specialty shops throughout the
hotel, including men's and women's boutiques, children's toy shops and
train stores.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 101]
******************************************
