VIRUS-L Digest   Tuesday, 27 Jul 1993    Volume 6 : Issue 106

Today's Topics:

Virus Calendar
Re: Viruses that cost $$$
Portmanteau messages
Type 4 virus (Mac)
Re: Type 4 virus (Mac)
Re: Unix Scanners (UNIX)
Re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)
Arj-virus? (PC)
how to kill virus in boot sector ? (PC)
Please help! (Removing Generic Boot Virus) (PC)
Flash ROM BIOS and viruses. (PC)
Tremor (PC)
Re: WARNING: Stoned/Dir-2 infection in Israel (PC)
re: First hard drive (PC)
Re: Misc. things (PC)
Re: "Victor Charlie" (PC)
WARNING: A false alarm..(PC)
Shareware Novel-on-the-Net - Terminal Compromise
Other viral vectors (CVP)
Other "resting" places (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Sun, 18 Jul 93 22:27:00 +0200
From:    Schwartz_Gabriel@f101.n9721.z9.virnet.bad.se (Schwartz Gabriel)
Subject: Virus Calendar

TO: axtlp@acad2.alaska.edu
I think VSUM from Patricia Hoffman has the whole virus database, including
virus dates.
 
--- FastEcho/386 B0617/Real! (Beta)
 * Origin: >> Rudy's Place << VirNet, Israel (9:9721/101)

------------------------------

Date:    Fri, 23 Jul 93 07:23:12 -0400
From:    Olivier MJ Crepin-Leblond <o.crepin-leblond@ic.ac.uk>
Subject: Re: Viruses that cost $$$

>From:    bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
>
>Donald G Peters (Peters@DOCKMASTER.NCSC.MIL) writes:
>
>> I was the one that started this thread, and now I ran some
>> Beta software from Lotus (it was explicitly not warranted to
>> work) that switched my video from one mode to another about
>> once per second for 30 seconds. Ever since then, for the last
>> few days, my monitor has made a high pitched squeal. I consider
>
>Well, I am still not convinced that it has been the software that has
>damaged your monitor. Maybe the monitor was already faulty and would
>have failed sooner or later - the software has just triggered the
>fault.

I am also not convinced that switching a monitor from one video mode
to another for as little as 30 seconds would kill it. Donald's monitor
must have been in a poor condition to start with. The high pitched
squeal is a typical fault affecting old tubes.

It is however possible to destroy the monitor with faster switching
(say 3 mode changes a second) from VGA to 1024x768 if the monitor
requires hardware internal switching of circuitry. This happens when
you hear a "click" in your monitor when changing modes. The high
voltage power supply and the tube are briefly put under strain. Switching
quickly between the two modes may kill either in more or less time,
depending on how robust your monitor is.

TVs and monitors don't like having either `no signal' or a floating
input. It often happens that a PC in a lab here is switched off
and the monitor left on. On one particular brand, we've had a
100% failure rate when that happens. Each time, we've had to have
the power supply replaced.

In another incident, we left one of our routers' monitors on by mistake
overnight. The router crashed, the video card sent `god-knows-what'
to the monitor and next day when we came in the monitor had blown its
fuse, and there was a distinctive burning smell emanating from
its vents. We had to trash it. It was not a faulty monitor to start with:
it was working perfectly fine every day before the incident.

-- 
Olivier M.J. Crepin-Leblond, Digital Comms. Section, Elec. Eng. Department
 Imperial College of Science, Technology and Medicine, London SW7 2BT, UK
       Internet/Bitnet: <foobar@ic.ac.uk> - Janet: <foobar@uk.ac.ic>



------------------------------

Date:    Mon, 26 Jul 93 06:53:09 -0400
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Portmanteau messages

  A message of over 100 lines in Virus-L vol6 #105 says:-
  > a short report about some things that we have done ...
  > ===========
  > ... a program that was supposed to destroy the hardware ...
  > ===========
  > ... CPAV gets such a bad score in the virus detection tests because ...
  > ===========
  > I am aware that there is a newer version of CPAV - 2.0 ...
  > ============
  > Yisrael Radai's paper on integrity checking ...
  > ===========
  > Frisk's F-Prot 2.09 is out and available from our ftp site ...
  > ===========
  > ... CARO naming scheme and the comparative virus naming lists ...
  > ===========
  > An updated version of Eugene Kaspersky's program AVP ...
  > ===========
  > Well, that was I could think about ...

  covering six different topics. Please do not send portmanteau messages,
but rather please send a separate message per topic. Portmanteau messages
make problems for me as indexer, and for people trying to use the running
index that I keep to look up all messages on a particular topic.


------------------------------

Date:    23 Jul 93 14:15:19 -0500
From:    cfkfb@uxa.ecn.bgu.edu (Karl Bridges)
Subject: Type 4 virus (Mac)

   I have a virus on my Mac Classic II.  My trusty virus checker
Interferon defines it as a Type 4 virus.  What exactly is that?  Any
recommendations?  I haven't noticed any adverse effects yet; I want it
gone.

------------------------------

Date:    Mon, 26 Jul 93 22:11:02 -0400
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Re: Type 4 virus (Mac)

> I have a virus on my Mac Classic II.  My trusty virus checker
> Interferon defines it as a Type 4 virus.  What exactly is that?  Any
> recommendations?  I haven't noticed any adverse effects yet; I want it
> gone.

"Trusty" and "effective" are not necessarily the same thing when it
comes to virus protection. :-) While Interferon was a wonderful tool
for its time, that was several years ago... and outdated antiviral
software is worse than none at all.

The only way to be certain of what's on your hard drive is to use a
current antiviral utility, such as Disinfectant 3.1.  This is
available free from most user groups and online services, and from
many dealers and other organizations.  You can also retrieve it from
several ftp sites on the Internet, including sumex-aim.stanford.edu
and rascal.ics.utexas.edu.

There are also a variety of other utilities, some free, some
shareware, and some commercial, but Disinfectant is a good
general-purpose utility, and it's certainly a good place to start.
Once you've determined for sure whether there's a virus on your
system, you should read up on current antiviral utilities and select
one that best fits your needs.  (One option is Virex, the commercial
utility from Datawatch, Inc., that evolved from Interferon.)

Please feel free to let me know if you have any other questions or
need further help in diagnosing the problem.

=========================================================================
 Mark H. Anbinder                  |       Technical Support Coordinator
 BAKA Computers Inc.               |               mha@baka.ithaca.ny.us
 200 Pleasant Grove Road           |                (or) mha@tidbits.com
 Ithaca, New York 14850 USA        |    Phone 607-257-2070  Fax 257-2657
=========================================================================
Cartoon Law 8: Any violent rearrangement of feline matter is impermanent.
=========================================================================

------------------------------

Date:    Fri, 23 Jul 93 01:21:15 -0400
From:    Craig Williamson <craig.williamson@columbiasc.ncr.com>
Subject: Re: Unix Scanners (UNIX)

frisk@complex.is (Fridrik Skulason) writes:
>Martin@salig.demon.co.uk (Martin Overton) writes:
>>2. Are there any virus scanners available for UNIX?

>There are several, but many of them only scan Unix File servers for PC 
>viruses.  Those that attempt to scan for UNIX viruses are much better at
>finding "suspicious things" in general, than in finding the above "research"
>viruses ... in fact, they may totally miss them.

Where can I get one?  Right now I have to use my PC and I can't use it
during that time and also it generates unnecessary network traffic.

Craig
                                           "Behind every dark cloud, 
-Craig Williamson                          there's usually rain." 
 Craig.Williamson@ColumbiaSC.NCR.COM      - Mike Nesmith,  The Monkees
 craig@toontown.ColumbiaSC.NCR.COM (home)

------------------------------

Date:    Fri, 23 Jul 93 08:35:52 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: Re: Are a-v products "boot-manager"-aware? (PC - OS/2,UNIX)

>From:    mcafee@netcom.com (McAfee Associates)
>
>The Master Boot Record and operating system Boot Sector(s) typically
>reside on different parts of the hard disk.  The major difference with
>dual-boot systems is that the MBR code pauses and allows an operating
>system (boot sector) to be selected.

Well, not exactly.  Dual Boot and BootManager are two different
things, neither of which work quite that way.  There are some
boot-selection programs that actually live in the MBR, but I
don't know of any that are in wide use.  Here's how Dual
Boot and BootManager work:

  - On a dual boot system that's currently running OS/2, when
    you type "BOOT DOS", it saves the current system boot
    record of the bootable partition in a file "BOOT.OS2",
    and saves the current AUTOEXEC.BAT in "AUTOEXEC.OS2"
    (probably CONFIG.SYS as CONFIG.OS2 also; I forget).  Then
    it takes the file "BOOT.DOS" and writes that to the
    system boot record, and takes the file "AUTOEXEC.DOS"
    and copies it to AUTOEXEC.BAT (probably CONFIG, too).
    Then it reboots the machine, and you're in DOS.  When
    in DOS, "BOOT OS2" does the obvious opposites.  None of
    this does anything to the Master Boot Record as far as
    I know.

  - On a BootManager machine, the Master Boot Record is again
    normal; the partition that's marked Bootable in the partition
    table contains a system boot record and other code to run
    the BootManager program.  That program reads the MBR and
    its own internal tables, gives you a choice as to which
    system you want to boot, munges the partition table as
    necessary to reveal/hide any partitions that need it,
    and then loads the relevant system boot record and passes
    control to it normally.  (Ah; maybe that's what you
    meant by "the MBR code" giving you a choice of partitions!)

There are some viruses that will infect whatever partition
is currently marked bootable, regardless of whether or not
it's a DOS partition.  The FORM virus is particularly inept
in this regard: it will infect whatever's marked bootable,
and it will assume that the partition it's infecting is a
FAT-formatted partition for purposes of finding unused
space to hide itself.  This can wreak havoc when the
bootable partition is actually BootManager or HPFS, for
instance.

(Note: this posting is just my understanding of the situation;
it doesn't constitute official IBM documentation, and almost
certainly contains at least one error...)

- -- -
David M. Chess                                 "Hello!"
High Integrity Computing Lab                      -- A. Einstein
IBM Watson Research


------------------------------

Date:    Sun, 18 Jul 93 10:53:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Arj-virus? (PC)

 >>Hi! I use Arj version 2.41 (The best). Well, I have a memory-resident
 >>program, that says if files are being changed. Everytime i access .exe
 >>files that belong to arj the program warns me that the file has
 >>changed.  Has this happened to you? Will you test the problem?

If you are using a program that has the "Protect executable files" option in
it, don't be surprised by these alarms; it is usually simply a false alarm made
by it. I'd recommend using another TSR instead (you'll be just as safe).
Do not, however, exclude the possibility that your PERSONAL copy of ARJ might be
infected, but if it helps, I don't have any problem with my copy...

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Sun, 18 Jul 93 11:04:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: how to kill virus in boot sector ? (PC)

 > I have an IBM compatible PC with DOS 6 and Windows 3.1.
 > My scanning-only anti-virus software recently found a
 > virus named Michelangelo in the boot sector on my hard
 > drive D. I tried to use other anti-virus software to kill
 > it but failed, because they cannot even find the virus
 > in the boot sector!

If you are using MS-DOS 6 with DoubleSpace, it's a bit of a problem; however,
in my opinion here's what you should do:

a. Boot from a clean DOS floppy (original DOS setup floppy acceptable; use F3
and "Y" to get to the DOS prompt).
b. Use your Anti-Virus to check the disk. You'll see only a part of drive C: is
checked, but this is OK.
c. If the program finds nothing (provided you use a good and updated program)
you can sleep well. The only way damage could happen to your disk is by
the BootSector of the first partition (the one you boot from). The other
BootSectors' DPBs are used only for DOS to determine the volume characteristics
(generally speaking).
For your information: most A-V products do not even check the other
BootSectors, as it is not necessary.

It could be that the product you are using is checking a compressed sector so
that it sees garbage and by accident suspects it to be a virus, or that the
DOS SWAP module is pulling a trick on that test. Booting from a clean
floppy should be reliable enough; try it.

BTW: It is common practice to recover a drive's boot sector by the most generic
action of all: transfer the system to it.
Note that in this case the other boot sectors (if available) aren't touched
either!

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)
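The two things the boot-sector replies above turn on (which partition's boot sector actually gets control at boot, and what a boot infector finds when it blindly takes whatever partition is flagged bootable, as in David Chess's FORM example earlier in this issue) can be checked straight from the MBR. What follows is an added example, not code from any poster or product in this digest: it parses a constructed in-memory disk image (the partition type IDs are the standard MBR ones), reports the single partition whose status byte is 80h, sanity-checks each volume boot sector, and says whether a FORM-style "this must be FAT" assumption would hold on the active partition.

```python
"""Added example: walk an MBR partition table the way a BIOS boot does, find the
partition flagged bootable, and look at its volume boot sector. The disk image
is constructed in memory; no real disk is touched."""
import struct

SECTOR = 512
# Standard MBR partition type IDs (not from the digest).
FAT_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}
TYPE_NAMES = {0x01: "FAT12", 0x04: "FAT16 (<32MB)", 0x06: "FAT16", 0x07: "HPFS/NTFS",
              0x0A: "OS/2 Boot Manager", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0E: "FAT16 (LBA)"}


def parse_mbr(sector):
    """Return the non-empty entries of the four-slot partition table at offset 446."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: missing 55AA signature")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, size = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba": lba, "sectors": size})
    return parts


def bootable_partition(parts):
    """The one entry whose status byte is 80h: the only volume boot sector that runs."""
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return active[0]


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def check_volume_boot_sector(sector):
    """Cheap sanity checks on a volume boot sector: 55AA signature and a leading JMP."""
    issues = []
    if sector[510:512] != b"\x55\xAA":
        issues.append("missing 55AA signature")
    if sector[0] not in (0xEB, 0xE9):
        issues.append("does not start with a JMP (EB/E9)")
    return issues


def form_style_target(parts):
    """Where an infector that blindly takes the active partition would land, and
    whether its FAT assumption holds there (the FORM behaviour Chess describes)."""
    p = bootable_partition(parts)
    return {"partition": p["index"],
            "fs": TYPE_NAMES.get(p["type"], "type 0x%02X" % p["type"]),
            "fat_assumption_holds": p["type"] in FAT_TYPES}


def build_image():
    """Constructed five-sector image: MBR, a FAT16 partition (LBA 1-2) that is NOT
    active, and an OS/2 Boot Manager partition (LBA 3-4) that is."""
    def entry(active, ptype, lba, size):
        return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0",
                           ptype, b"\0\0\0", lba, size)

    def vbr(oem):
        s = bytearray(SECTOR)
        s[0:3] = b"\xEB\x3C\x90"          # jmp short; nop, the usual DOS boot sector start
        s[3:11] = oem                     # 8-byte OEM name field
        s[510:512] = b"\x55\xAA"
        return bytes(s)

    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xFA\x33\xC0"            # stand-in MBR code: cli; xor ax,ax
    mbr[446:462] = entry(False, 0x06, 1, 2)
    mbr[462:478] = entry(True, 0x0A, 3, 2)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr) + vbr(b"MSDOS5.0") + bytes(SECTOR) + vbr(b"OS2BMGR ") + bytes(SECTOR)


if __name__ == "__main__":
    image = build_image()
    parts = parse_mbr(read_sector(image, 0))
    for p in parts:
        vbr_issues = check_volume_boot_sector(read_sector(image, p["lba"]))
        print("partition %d %-18s active=%-5s boot sector issues: %s"
              % (p["index"], TYPE_NAMES.get(p["type"], "?"), p["active"], vbr_issues or "none"))
    print("control passes to:", form_style_target(parts))
```

Run as a script it prints, for each partition, whether its boot sector passes the signature and JMP checks, and which partition the BIOS hands control to; with a real disk you would feed it the first sector read by a raw-disk tool instead of the constructed image. Zero or two active entries raise, which is exactly the state a careless disk editor or a clumsy boot infector can leave a partition table in.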

------------------------------

Date:    Sun, 18 Jul 93 11:12:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Please help! (Removing Generic Boot Virus) (PC)

sbuffler@cs.uct.ac.za (Simon Buffler) asks:

 > A friend's computer was recently infected by the Generic Boot Virus.
 > I gave him a copy of Clean106 which is supposed to remove [Genb].
 > When booting from a clean system disk and running Clean (from floppy)
 > on his hard drive, he receives a "No viruses detected" message.
 > However, [Genb] IS still sitting on his hard drive, as when he
 > reboots, the virus is loaded into memory ...and Clean picks up a
 > "critical virus" when scanning RAM.

More information is needed to really pinpoint the problem. But it seems there is
no real problem on your friend's PC (concerning the BootSector). If SCAN finds
nothing when booting from a CLEAN DOS floppy, it means that something (or
someone :-) ) is pulling a trick on the program... Could it be that you use
another TSR that hides the boot sector? The warning SCAN gives (if I got you
correctly) is at memory scan time, which means that there is a program
that is/was loaded into memory and contains the series of bytes that
designates a Boot Sector virus; it could be a virus scanner, a benign program,
or a real virus, but one should expect the virus will be found when booting
from the floppy. Try to remove SMARTDRV for a test, and see if it still
happens..

BTW: a way to clean generally every boot sector virus is simply by
transferring the SYSTEM to the infected drive.

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Sun, 18 Jul 93 11:29:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Flash ROM BIOS and viruses. (PC)

Hello everyone,

I've recently published an article about what viruses might do to computers
that have a FLASH ROM BIOS (meaning that the BIOS can be changed by software).

It is obvious that such a virus CANNOT be cleaned unless a
copy of the "CLEAN BIOS" is saved somewhere, as the BIOS routines
might be patched with the virus's calls, and the original information might
not be saved anywhere.

This sets a new front for us Anti-Virus developers, that may be easy to solve
at first look (simply backing up the BIOS), but what if our product is applied
to an already infected PC? In such a case those of us that rely on the BIOS's
integrity ;-) (not to mention those who don't) might never detect a virus
that infected the PC, as the operating system will inherit the virus as a
fundamental feature.

The number of possibilities is huge; the only problem will be for the virus
writer to find the place, the way and the things that the virus might be written
into and modify.

So far I know of few companies that use this technique; among them is INTEL.

I'd be happy to read your opinions on the issue...

Regards

* Amir Netiv. V-CARE Anti-Virus, head team *

---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Tue, 20 Jul 93 23:33:23 +0200
From:    Thomas_Roedel@f3150.n494.z9.virnet.bad.se (Thomas Roedel)
Subject: Tremor (PC)

Hello,

I got here a question from an online user; is there anybody out there who can help
him???

===========================================================
Question:      Does the virus "Tremor" mask interrupt 21h, function 3Dh, or
               how else can Tremor, when a file that is infected by it is
               opened, disinfect the file and then open it for the program
               that originally opened it, like scanners......
                                               ERRIK
===========================================================

--- FMail 0.94
 * Origin: Mikado Munich (9:494/3150)

------------------------------

Date:    Fri, 23 Jul 93 03:39:58 -0400
From:    hjstein@sunrise.huji.ac.il (Harvey J. Stein)
Subject: Re: WARNING: Stoned/Dir-2 infection in Israel (PC)

amn@ubik.demon.co.uk (Anthony Naggs) writes: 

   Harvey J. Stein, <hjstein@math.huji.ac.il>, reports:
   >
   >                    ***  W A R N I N G !!!  ***
   >
   > The Co-op Supermarket of Israel has been distributing a virus infected
   > computer game called ZOOM.  DO NOT USE THIS DISK!!!  It is infected
   > with both the STONED virus and the DIR-2 virus.  ...

   Presumably the distributor of the game supplied the disks to the shop,
   perhaps you could advise them of the problem too?

I informed the supermarket chain, and they informed the distributor
and the manufacturer.

   > ... The STONED virus
   > causes infected computers to periodically display the message "This
   > computer is stoned", and then to crash, thus causing the loss of
   > unsaved data.  ...

   Most versions of Stoned are relatively benign.  While the most common
   variants may display "Your PC is now Stoned" (about 1 in 8 times) when
   booting from an infected floppy disk, it does not 'crash' or harm your data.

Well, I never actually contracted the virus, so I could be wrong as to
its action.  But what I said is what I remember hearing.

   > and two of the executable files (bug.exe and scottex.exe) are infected
   > with the DIR 2 virus.

   Curious, DIR-II on a floppy disk usually infects all executables, (because
   they are placed there by an infected computer).  I don't remember any other
   reports of it in Israel, so it may be a false alarm.

These were the only two executables on the disk, so we're not
contradicting each other.  I knew from SCAN that the viruses were in
these two files, but I hadn't checked a directory listing, so I didn't
know if there were other executables.
--
Harvey Stein
Department of Mathematics
Hebrew University
hjstein@math.huji.ac.il

------------------------------

Date:    Fri, 23 Jul 93 08:44:20 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: First hard drive (PC)

>From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
>
>                           What happens is that IO.SYS (IBMIO.COM) simply
>"walks" interrupt 13 looking  for drives beginning with 0, each drive found
>is assigned a letter starting with A:. When Int 13 generates a CY flag
>indicating a failure of the drive to respond, DOS flips the high order
>bit and starts counting again: 80, 81, etc. For each responding device, a
>block is created in the device chain residing in low memory.

Another complication that Padgett didn't mention, no doubt for the
sake of simplicity, is a diskette drive (generally an external one)
that's supported by a block device driver.  For instance, the external
720K drive on my old AT is supported via EXDSKBIO.DRV and DRIVER.SYS;
it has a BIOS id of 02, but DOS thinks of it as drive F:.  The 02
assignment is made by the INT13-handler component of the device
driver (I assume; I've never dug it out), and the F: assignment is
made by DOS while it's loading block device drivers (IBMBIO.COM
has assigned A: and B: to the internal floppy, and C: and D: to
the partitions of the hard disk; then in CONFIG.SYS E: is the
RAMdisk, F: is the external floppy, and G: is the Bernoulli).
Fascinating, eh?    *8)           DC


------------------------------

Date:    Fri, 23 Jul 93 12:38:59 -0400
From:    <RADAI@vms.huji.ac.il>
Subject: Re: Misc. things (PC)

   Vesselin writes:
> Yisrael Radai's paper on integrity checking (in PostScript format) is
> available from our ftp site as
>
> ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/hashn60.zip

Sorry, but I have a couple of reasons for making my paper available
only by personal e-mail and not by anonymous ftp for the time being.
I have asked Vesselin to remove it from his server and he has done so.
(By the way, in case anyone managed to download it meanwhile, the
version which he uploaded was not the latest version.)  Eventually it
will be made available by anon ftp, not only at his site, but on other
sites as well, and an announcement will be made at that time.  (How-
ever, the filename will *not* be that mentioned above.)

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL


------------------------------

Date:    Wed, 21 Jul 93 00:26:17 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: "Victor Charlie" (PC)

>1993 Volume 6 : Issue 102, which referred to the "Victor Charlie"
>anti-virus program.  I am very interested in this program and would
>like to know where I can obtain a copy of this program.  Unfortunately
>I can not access "News" on my account here at the University of

Victor Charlie is from Bangkok Security Associates, and programmed by John
Dehaven and Alan Dawson.

If you wish, you may contact either of them at the address below.

Bangkok Security Associates
P.O. Box 5-121
Bangkok 10330
Thailand

Victor Charlie 5.0 was recently released as shareware, and you should be
able to find Victor Charlie on BBSs near you in the file VC50.ZIP.

If you're unable to find a copy, contact me, at the address below, and I 
will be happy to send you a copy of Victor Charlie that I received directly 
from the authors. Please mention that you want a copy of Victor Charlie in 
the note.

Bill Lambdin
P.O. Box 577
East Bernstadt, Ky. 40729-0577

I am in the process of setting up an Anti-virus BBS, and placing several
anti-virus programs on line for callers.
 
I will post the number here when the BBS is ready for callers.

Bill



------------------------------

Date:    Tue, 27 Jul 93 06:35:23 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: WARNING: A false alarm..(PC)

Several scanners, including our F-PROT (version 2.09) and SCAN (104) will
generate a false alarm on all CRYPTCOM-encrypted files.

CRYPTCOM is a small program that will add simple xor-based encryption to
COM files.   Although easily broken by single-stepping through the code with
a debugger, this encryption will prevent the casual user from finding or
modifying text messages within the program.

CRYPTCOM has in the past been used to create virus droppers - that is,
a regular infected file is encrypted, but it can also be used to encrypt
legitimate programs.

The problem is that F-PROT will report them as containing "New or modified
variant of PS-MPC", and SCAN 104 (I haven't tested later versions) will
report the files as containing DROPPER [OW].

Both are wrong, however - the files should not automatically be considered
infected.  We will fix this in the next version of F-PROT, and I guess 
our competitors :-) will do the same (if they have not done so already).

-frisk
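To see why a fixed decryptor stub gets scanners into this kind of trouble, here is an added example; it is neither CRYPTCOM's code nor F-PROT's or SCAN's detection logic. It uses a minimal 12-byte x86 XOR decryptor of my own (instruction encodings in the comments), a hypothetical wildcard signature on that stub of the sort a scanner might carry for a generator's decryption loop, and the "single-step" recovery of the body. The COM program and the dropper marker are both constructed. The point it shows: the stub is byte-identical for a legitimate program and for a dropper, so a signature on the stub fires on both, and only the decrypted body can tell them apart.

```python
"""Added example: a minimal XOR 'encryptor' for COM files with a fixed decryptor
stub, a wildcard signature on that stub, and recovery of the body by doing what
a debugger single-step would show. The stub is this example's own, not
CRYPTCOM's, and the signature is hypothetical, not F-PROT's or SCAN's."""
import struct

COM_LOAD = 0x100                 # COM programs are loaded at CS:0100h
STUB_LEN = 12                    # size of the decryptor below; the body follows it


def make_decryptor(body_len, key):
    """x86 real-mode stub, 12 bytes:
         BE 0C 01   mov  si, 010Ch     ; first byte of the encrypted body
         B9 ll hh   mov  cx, body_len
         80 34 kk   xor  byte [si], key
         46         inc  si
         E2 FA      loop -6            ; back to the xor
       Execution then falls through into the decrypted body."""
    if not 0 < body_len <= 0xFFFF:
        raise ValueError("body must be 1..65535 bytes (LOOP with CX=0 runs 65536 times)")
    return (b"\xBE" + struct.pack("<H", COM_LOAD + STUB_LEN)
            + b"\xB9" + struct.pack("<H", body_len)
            + b"\x80\x34" + bytes([key & 0xFF])
            + b"\x46"
            + b"\xE2\xFA")


def encrypt_com(plain, key=0x5A):
    """CRYPTCOM-style output: fixed stub + XORed body. (A real tool would also have
    to move the body back to offset 100h before running it; that relocation is
    left out here because only the stub/body shape matters to a scanner.)"""
    return make_decryptor(len(plain), key) + bytes(b ^ key for b in plain)


# Hypothetical wildcard signature for the stub: opcode bytes fixed, operands free.
STUB_SIGNATURE = (0xBE, None, None, 0xB9, None, None, 0x80, 0x34, None, 0x46, 0xE2, 0xFA)


def matches_stub(data):
    if len(data) < len(STUB_SIGNATURE):
        return False
    return all(s is None or data[i] == s for i, s in enumerate(STUB_SIGNATURE))


def decrypt_by_emulation(com):
    """Read key and length out of the stub and apply the XOR: the plaintext a
    single-stepping debugger would see once the LOOP finishes."""
    if not matches_stub(com):
        raise ValueError("no recognised decryptor stub at offset 0")
    body_off = struct.unpack_from("<H", com, 1)[0] - COM_LOAD
    body_len = struct.unpack_from("<H", com, 4)[0]
    key = com[8]
    return bytes(b ^ key for b in com[body_off:body_off + body_len])


# Constructed samples. BENIGN is a real 14-byte COM program (mov ah,9; mov dx,0108h;
# int 21h; ret; "Hello$"). PAYLOAD is a stand-in marker string, not a virus.
BENIGN = b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3Hello$"
PAYLOAD = b"DROPPER-BODY-STAND-IN"
KNOWN_BAD = {PAYLOAD}            # what a scanner would actually recognise after decryption


def verdict(com):
    """A stub-only signature fires on every encrypted file; scanning the decrypted
    body is what separates the legitimate program from the dropper."""
    if not matches_stub(com):
        return "clean (no stub)"
    body = decrypt_by_emulation(com)
    return "infected" if body in KNOWN_BAD else "clean (encrypted, but harmless)"


if __name__ == "__main__":
    for name, com in (("plain program", BENIGN),
                      ("encrypted program", encrypt_com(BENIGN)),
                      ("encrypted dropper", encrypt_com(PAYLOAD, key=0xA7))):
        print("%-18s stub signature: %-5s verdict: %s" % (name, matches_stub(com), verdict(com)))
```

Running it shows the stub signature matching both encrypted files while the verdict differs only after decryption; a scanner that stops at the stub match is doing exactly what frisk describes. With a real encrypted COM file you would pass its bytes to matches_stub and decrypt_by_emulation, provided its stub really has this shape.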


------------------------------

Date:    Thu, 22 Jul 93 09:58:25 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Shareware Novel-on-the-Net - Terminal Compromise

Some of you may recall a year or so ago when I posted a review of this
book in Virus-L. IMHO it is an excellent read and its extensive basis
on computer viruses makes it particularly appropriate (though you will
have to forgive Winn his use of the DATACRIME, the terror of 1989).

Just as an aside, NONE of the technology or software techniques mentioned
are fanciful, *I have seen every one demonstrated*.

ARCHIE found it as TERMCOMP.ZIP (612k) on knot.queensu.ca in directory 
/wuarchive/doc/misc.

(Archie only reported TERMCOMP.ZIP at knot.queens.ca but the opening
screen there recommends that outsiders use wuarchive.wustl.edu. I can
verify that right now it is there as /doc/misc/termcomp.zip)

                     !!!!POST EVERYWHERE!!!!
                                
      THE WORLD'S FIRST NOVEL-ON-THE-NET (tm) SHAREWARE!!!
                       By Inter.Pact Press
                                
                      "TERMINAL COMPROMISE"
                        by Winn Schwartau
                                
     A high tech thriller that comes from today's headlines!

"The Tom Clancy of computer security."
          Assoc. Prof. Dr. Karen Forcht, James Madison University

"Terminal Compromise" is a highly praised novel about the invasion
of the United States by computer terrorists.

Since it was first published in conventional print form, (ISBN:
0-962-87000-5) it has sold extremely well world-wide, but then
again, it never hit the New York Times Bestseller List either.
But that's OK, not many do.

Recently, someone we know very well came up with a real bright
idea. They suggested that INTER.PACT Press take the unprecedented,
and maybe slightly crazy, step to put "Terminal Compromise"
on the Global Network thus creating a new category for book
publishers. The idea is to offer "Terminal Compromise," and
perhaps other titles at NOVEL-ON-THE-NET SHAREWARE(tm) rates to
millions of people who just don't spend a lot of time in bookstores.
After discussions with dozens of people - maybe even
more than a hundred - we decided to do just that. We know that
we're taking a chance, but we've been convinced by hackers and
phreakers and corporate types and government representatives that
putting "Terminal Compromise" on the net would be a fabulous step
forward into the Electronic Age, (Cyberspace if you will) and
would encourage other publishers to take advantage of electronic
distribution. (It's still in the bookstores, though.)


NOVEL-ON-THE-NET SHAREWARE Fees For The People:

The suggested donation for individuals is $7. If you hate Terminal
Compromise after reading it, then only send $6.50. If you're
really, really broke, then tell a hundred other people how great
it was, send us a rave review and post it where you think others
will enjoy reading it, too. If you're only a little broke, send
a few dollars. After all, this is how we stay in business. With
each registration, we will also send a FREE! issue of "Security
Insider Report," a monthly security newsletter also published by
Inter.Pact Press.


GETTING TERMINAL COMPROMISE:

     You can get your copy of Terminal Compromise from a lot of
sites; if you don't see it, just ask around.

It consists of either 2 or 5 files, depending upon how you receive
it. (Details at end of this file.)

Feel free to post all five files of "Terminal Compromise" anywhere
on the net or on public or private BBS's as long as this
file accompanies it as well.


Please forward all NOVEL-ON-THE-NET SHAREWARE fees to: 

     INTER.PACT PRESS
     11511 Pine St. N.
     Seminole, FL., 34642

Communications:

     Phn: 813-393-6600
     Fax: 813-393-6361
     E-Mail: p00506@psi.com
             wschwartau@mcimail.com


------------------------------

Date:    Thu, 22 Jul 93 04:58:52 -0400
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Other viral vectors (CVP)

  Rob Slade <roberts@decus.ca> wrote on Fri 16 Jul 93 12:35:06 -0400 (Subject:
Other viral vectors (CVP)):-
  > ... [most] current viral programs spread via disk boot sectors or the
  > infection of programs ... other means for replication and spread ... possible
  > for terminals, peripherals and network devices to operate as viral vectors.
  > ... the "Iraqi/Desert Storm/printer" and "modem carrier" viral myths ...

  I read in Virus-L once about a virus that was carried from Europe to USA in
a sailor's laptop computer. This seems like an increasingly likely sort of
virus carrier, with the multiplication of laptop and 'notebook' portable PC's
and Macs that are around.


------------------------------

Date:    Sat, 24 Jul 93 14:24:41 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: Other "resting" places (CVP)

FUNGENC.CVP   930713
 
                      Other "resting" places
 
Peripherals are not the only unusual vectors for viral programs. 
Consider the common boot sector.  Although a knowledge of the
structure of the boot (and "master boot") sectors, and boot
sequence, is practically a pre-requisite for any serious viral
study, VIRUS-L no less than the Fidonet echoes is still inundated
with postings that state the user has contracted Stoned (or
Michelangelo, or Monkey, or ... ), but has deleted all the files on
the disk and it is still there!  To the vast majority of users the
fact that a program can be located at a *physical* position on the
disk, and is *not* referenced by the file directory list is a
foreign concept.  This confusion may contribute to the enormous
"success" of boot sector viri.
 
The sector, and even the partition boot record on a hard disk, are
accessible to dedicated amateurs armed with utility software. 
However, there are other places to "hide" on a disk which are not as
easily examined.  It is quite possible to format an additional track
outside the normal range used.  The software does not "push" the
limits of the hardware in order to avoid problems between different
drives with variations in tolerance.  I recall special programs for
the Apple II computer which provided thirty eight tracks rather than
the normal thirty five.  There are various programs for MS-DOS, as
well, which provide greater storage on the same sized disks.
 
In addition to tracks outside of, and between, normal formats, there
is substantial space between the sectors on a disk.  There are
programs which can increase the number of sectors so as to increase
the space on disk.  However, it is also possible to use the
additional space without formatting additional sectors, simply by
writing information to the space between.  This fact has
occasionally been used for the purposes of copy protection with
commercial software.
 
Both of these "hiding places" are so well hidden that viral programs
infecting them would never have a chance to become active. 
Therefore viri using them would have to "start" with normally
infected files or boot sectors.  The initial viral code would have
to provide the means to access the extra tracks or "extra-sector"
space, and then use the "hiding space" in order to store additional
code.  (This is, in fact, already happening to a limited extent. 
The Joshi virus stores part of itself and the original boot sector
on an "additional" track.)
 
Some "hiding places", as mentioned above, are definitely a part of
the system, while not being, necessarily, obvious.  The Mac system,
for example, associates at least fourteen "resources" with each
program and data file.  Most of these resources can have code
associated with them, and therefore provide a number of additional
"hooks" for viral access.
 
copyright Robert M. Slade, 1993   FUNGENC.CVP   930713

==============                      _________________________
Vancouver      ROBERTS@decus.ca    |    |     |\^/|     |    | swiped
Institute for  Robert_Slade@sfu.ca |    |  _|\|   |/|_  |    | from
Research into  rslade@cue.bc.ca    |    |  >         <  |    | Alan
User           p1@CyberStore.ca    |    |   >_./|\._<   |    | Tai
Security       Canada V7K 2G6      |____|_______^_______|____|

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 106]
******************************************

