To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #109
--------
VIRUS-L Digest   Wednesday,  4 Aug 1993    Volume 6 : Issue 109

Today's Topics:

Re: Portmanteau messages
Learning how to make virus programs: Info?
Re: Unix Scanners (UNIX)
Possible CRC Check Problem with NETSHIELD V1.50 & V1.51 (PC)
NSH152.ZIP - NETSHLD 1.52V106 antivirus NLM for Novell 3.11 (PC)
SCAN 106 has problems with PKLITE -e (PC)
Info on 1530 (PC)
Re: Joshi Virus (PC)
Flash ROM BIOS and viruses. (PC)
Re: Joshi Virus (PC)
Re: Genp in partition table - what to do? (PC)
Flash ROM BIOS and viruses. (PC)
Re: Virus that damages harddrives (PC)
Totoro Dragon virus (PC)
Virus? (PC)
VirusCheck 3.0 now available (PC)
Information on the 'Trident' Virus (PC)
Faerie Virus (PC)
Vootie virus (PC)
Re: Tremor (PC)
Memoirs of an (infected) virus researcher (CVP)
Final program for 5th Incident Response Workshop

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 27 Jul 93 15:52:02 -0400
From:    Anthony Naggs <amn@ubik.demon.co.uk>
Subject: Re: Portmanteau messages

A.APPLEYARD@fs1.mt.umist.ac.uk writes: Subject: Portmanteau messages
>
> ... Portmanteau messages
> make problems for me as indexer, and to people trying to use the (running
> index that I keep) to look up all messages on a particular topic.

Now that you have revealed the existence of an index to virus-l, could you
perhaps disclose to us all how it can be accessed?

[Moderator's note: Mr. Appleyard has been maintaining a VIRUS-L index
for quite some time.  The index files are available via anonymous FTP
(and, of course, e-mail based FTP servers, such as
ftpmail@decwrl.dec.com) on cert.org (192.88.209.5) in
pub/virus-l/archives/index.appleyard/*.  Since this recent posting,
several people have asked how to get the index files, so I'll add a
note about the index service in the monthly archive listing...]

Cheers,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain

------------------------------

Date:    Sun, 01 Aug 93 13:16:59 -0400
From:    mile5057@gmi.edu (Kristian Nmi Milec)
Subject: Learning how to make virus programs: Info?

G'day!

I am interested in making virus software, and am looking for methods
in which to reach that end.  The purpose for the software is to make
network (Novell, Banyan etc.) viruses that will be capable of performing
certain tasks by a network administrator that can only be done by
approaching each machine's local drive.  For example, I have to administer
the management's policy to ensure that only legal copies of software are
located on local drives.  To go through 250+ machines is nearly impossible
to do each month on top of my other duties.  Spot checks don't work
since I need permission to get on some of the machines.  However,
all of the machines are connected to a file server and in order to 
print/mail/create purchase orders (for example) they need to attach to 
a NFS.  If I could make a virus that goes into their machine, checks for
illeagle software, I could free up about 10 hours/week of my time
(of course, management needn't know that I've free'd up time (smirk))

So, any information or guidance would be appreciated on how to make
this type of non-malicious virus.

Thank you,
Kristian Milec
GMI Engineering & Management Institute
Flint, MI, USA
mile5057@nova.gmi.edu 

------------------------------

Date:    Tue, 03 Aug 93 01:11:45 -0400
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: Re: Unix Scanners (UNIX)

volf@eb.ele.tue.nl (Frank Volf) writes:

   >Where can I get one?  Right now I have to use my PC and I can't use it
   >during that time and also it generates unnecessary network traffic.

   Yes, I would be interested too. We are using a pcnfs network in which 
   pc's mount directories on a UNIX system (Apollo).
   It is *impossible* to test these directories for viruses from the pc-side
   (there is no super user access possible over nfs), so I must test for
   virus from the UNIX side!

   So, where can I get such a scanner?

Well, you might use ftp to ftp.cs.purdue.edu and snarf a copy of
pub/spaf/security/virus-scan.PS.Z 

We intend to finish the scanner and release it to the general public
once we find someone to sponsor the remaining work necessary to make
it happen.  If you know of any companies or agencies willing to fund
a student research assistant for the time it takes to do this, let me
know. :-)

If and when we get it completed, I will be certain to post something
further to this list.
- --
Gene Spafford, COAST Project Director
Software Engineering Research Center & Dept. of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
Internet:  spaf@cs.purdue.edu	phone:  (317) 494-7825
- -- 
Gene Spafford, COAST Project Director
Software Engineering Research Center & Dept. of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
Internet:  spaf@cs.purdue.edu	phone:  (317) 494-7825

------------------------------

Date:    Wed, 28 Jul 93 19:58:31 -0700
From:    aryeh@mcafee.com (McAfee Associates)
Subject: Possible CRC Check Problem with NETSHIELD V1.50 & V1.51 (PC)

To all users of NetShield Version 1.50 and 1.51
 
To avoid potential problems, we recommend that our users either do not check
the integrity of files with the SYS extension, OR exclude the SYSTEM directory
from the list of files and directories to be CRC-checked.
 
[Moderator's note: See product update announcement in this VIRUS-L digest.]
 
BACKGROUND
 
It recently came to our attention that use of the CRC check feature available
in NETSHIELD Version 1.50 or 1.51 may potentially result in loss of the
Novell system bindery files.
 
CRC checking is a feature that is intended to protect against file infection by
noting when certain files have changed, and then deleting, overwriting, or
moving them to another location on a disk.
 
However, three of the system bindery files are regularly modified during the
normal course of operation of Novell networks which are also detected by this
feature.  These files have to be specially exempted from the CRC checking in
order to ensure continued operation of the network.  Fortunately, there two
simple methods of accomplishing this.
 
 
WHO IS AFFECTED
 
If you have selected any of the following options from the "ACTION TO TAKE ON
VIRUS DETECTION" menu:
 
        "DELETE INFECTED FILE"
        "OVERWRITE AND DELETE"
        "MOVE INFECTED FILE"
 
AND if you use the "FULL CRC CHECK" feature of NetShield on the three bindery
files (NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS) located in the SYSTEM directory
of the SYS volume of your Novell File Server then those files may be detected
as modified, and be deleted, overwritten, or moved.
 
 
SOLUTION
 
To prevent the bindery files from being changed, we recommend that our users do
EITHER of the following options:
 
1.  Do not check the integrity of files with the SYS extension.
 
OR
 
2.  Exclude the SYSTEM directory from files to be CRC-checked.
 
Option 1:  Do not check the integrity of files with the SYS extension. Select
"CONFIGURATION OPTIONS" from the main menu, select "WHAT TO SCAN", select
"CHANGE SCANNED EXTENSIONS", select "EXTENSIONS THAT WILL BE CHECKED BY CRC",
select SYS, and press the DEL key.
 
Option 2:  Exclude the SYSTEM directory from files to be CRC-checked. Select
"CONFIGURATION OPTIONS" from the main menu, select "WHAT TO SCAN", select
"NON-CRC CHECKED FILES", and insert SYS:SYSTEM as a directory to exclude.
 
 
FOR FURTHER ASSISTANCE
 
If you believe that your are experiencing symptoms of this problem on your
system, we recommend that you contact us immediately for technical assistance
by telephone at (408) 988-3832, by fax at (408) 970-9727, by Internet at
support@mcafee.com, or by CompuServe at 76702,1714 .  In most cases we can 
guide you through a quick and easy procedure to restore these files and 
return your network to normal operation.

Aryeh Goretsky
McAfee Associates Technical Support

 

- -- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-      USA          | USR HST Courier DS   | America Online: McAfee

------------------------------

Date:    Tue, 03 Aug 93 04:34:27 -0400
From:    aryeh@mcafee.com (McAfee Associates)
Subject: NSH152.ZIP - NETSHLD 1.52V106 antivirus NLM for Novell 3.11 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
NSH152.ZIP      NETSHLD 1.52V106 antivirus NLM for Novell 3.11

NETSHIELD 1.52 (V106) RELEASED

     NETSHIELD Version 1.52 automatically ignores changes made to the
Novell NetWare bindery files NET$OBJ.SYS, NET$PROP.SYS, and NET$VAL.SYS
when performing CRC checking for unknown viruses.  This prevents
NETSHIELD from reporting that these frequently-changing data files
have been infected by a virus.
     Users of NETSHIELD 1.5 and 1.51 may upgrade to the new release
in order to prevent any possible problems related to CRC checking.
Alternatively, EITHER of the following steps can be taken with versions
1.5 and 1.51 to prevent the the bindery files from being changed:

1.  Do not check the integrity of files with the SYS
    extension.

     OR

2.  Exclude the SYSTEM directory from files to be
    CRC-checked.

Option 1:  Do not check the integrity of files with the SYS extension.
Select "CONFIGURATION OPTIONS" from the main menu, select "WHAT TO
SCAN", select "CHANGE SCANNED EXTENSIONS", select "EXTENSIONS THAT WILL
BE CHECKED BY CRC", select SYS, and press the DEL key.

Option 2:  Exclude the SYSTEM directory from files to be CRC-checked.
Select "CONFIGURATION OPTIONS" from the main menu, select "WHAT TO
SCAN", select "NON-CRC CHECKED FILES", and insert SYS:SYSTEM as a
directory to exclude.

OTHER ENHANCEMENTS AND CHANGES IN NETSHIELD 1.52 INCLUDE:

     Entries to the list of files or directories not to be CRC-checked
no longer have to be entered alphabetically.

     Re-entering information into a field with prior data in it (such as
a file or directory name) clears the field if the first key pressed is a
non-editing key (cursor, Insert, or Delete).

     Passwords are no longer case-sensitive.

     NETSHIELD will accept the SUPERVISOR password in place of the
NETSHIELD password for any password-protected options.

     NETSHIELD can now be unloaded from the system console prompt if
password protection has not been selected.

     NETSHIELD unloads in several seconds, instead of a couple minutes.

     The "Print Configuration Report" option now prints to printers
attached to the file server.

VALIDATE VALUES

NETSHIELD V1.52(V106) (NETSHLD.NLM) S:127,231  D:07-30-93   M1: 8598  M2: 0E32
NETSHIELD V1.52(V106) (VIR.DAT)     S:46,287   D:06-24-93   M1: 5209  M2: 1ED0

Regards,

Aryeh Goretsky
Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-      USA          | USR HST Courier DS   | America Online: McAfee

------------------------------

Date:    Thu, 29 Jul 93 06:32:34 -0400
From:    pdl@rz.uni-jena.de (Lutz Donnerhacke)
Subject: SCAN 106 has problems with PKLITE -e (PC)

  Hi folks,
  ~~~~~~~~~
A friend of mine downloaded the new McAfee package from my BBS.
 (I FTPed it from mcafee.com directly.)
He tested his Lemmings II game and got the following screen:

- ----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<-----
SCAN 9.17 V106 Copyright 1989-93 by McAfee Associates. (408) 988-3832
Scanning memory for critical viruses.
Scanning for known viruses.

Drive C: has no volume label.
Scanning C:.\L2.EXE

Sorry,an impossible internal error occurred.
The error code is: 8105

SCAN 9.17 V106 Copyright 1989-93 by McAfee Associates. (408) 988-3832
      [...Copyright...]
- ----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----

Any comments ?

BTW there are some cases SCAN hangs up completely scanning PKLITEd EXEs ?!
  L2.EXE seems to be packed by "PKLITE -e", too.
  For testing purposes I repacked L2.EXE using DISLITE 
      (i.e. Garbo.Uwasa.Fi:pc/exepack/dislt115.*)
  and PKLITE 1.15. This procedure results in a scanable file !

    AtDhVaAnNkCsE

Lutz
  +----------------------------------------------------------------+
  | sMail: Lutz Donnerhacke; Alte Strasse 5; 07747 Lobeda; Germany |
  | eMail: {pdl@hpux.rz|Lutz.Donnerhacke@Physik}.uni-jena.de       |
  | uMail: Lutz.Donnerhacke@AS-Node.Gtc11.Gtc.Net          (urgent)|
  +----------------------------------------------------------------+
PS: I will be offline from Aug 4, 93 to Sep 5, 93.

------------------------------

Date:    Thu, 29 Jul 93 13:27:12 -0400
From:    <JVIGNOLO@ucvvm1.bitnet>
Subject: Info on 1530 (PC)

>mjmunoz@toconao.usach.cl (Marcelo J. Mun~oz C.) wrote:

>        Could u post or mail some info on 1530 and Chile Medeira Viruses
>please? It seems Viruscan106 is not detecting 1530 on files, but it does
>it when it's loaded in memory...(am I right?), please check it and post
>the results, ok?

Two versions (at least) of a virus written by someone whose initials are
CPW are pretty common in CHILE at the moment. These viruses infect COM's
(including COMMAND.COM) and EXE's and erase files under some conditions.

Both viruses are identified by SCAN106 and FPROT209. The original virus
is reported as "CPW". The variant is reported as "Mediera" by Scan and
"Mierda?" by FPROT. SCAN reports "1530" when the virus is active in
memory.

Do not panic. Just boot from a clean diskette and replace all infected
COM's and EXE's with clean originals.

BTW, the name given to the variant seems to come from the (encrypted)
string "Viva Chile mierda!" in the body of the virus. "Mierda" is not
a nice word in Spanish 8-).. IMHO the name should be changed. CPW2
perhaps?

- -----------------------------------------------------------------
 JVIGNOLO AT UCVVM1                     Juan A. Vignolo
      BITNET                          Associate Professor
                                    Electrical Engineering
PO Box 4059, Valpso.          Universidad Catolica de Valparaiso
      CHILE                                 CHILE
- -----------------------------------------------------------------


------------------------------

Date:    Mon, 26 Jul 93 10:03:00 +0200
From:    Andres_Arevalo@f0.n462.z9.virnet.bad.se (Andres Arevalo)
Subject: Re: Joshi Virus (PC)

 -=> Quoting Dennis Bayomi to All <=-

Hi Dennis!!
 DB> Hello everyone - we've recently discovered a virus called "Joshi" on a
 DB> 286  clone running MS-DOS 5.  It seems to be a classic case of a
 DB> youngster  bringing home a game disk and inadvertently infecting his
 DB> parent's computer. 
 DB> We've tried F-Prot 2.08A and it doesn't disinfect the virus.  It did
 DB> detect  and even claimed to disinfect but after rebooting and
 DB> rescanning the virus  was still there.
The McAfee CLEAN is an excellent virus killer I strongly recomend download 
it from your local BBS. In the virlist.txt file you ll find many information
about Joshi Virus.
 DB> Thanks,
You re welcome
 DB> Dennis
Greetings.			Andres.

... New Mail not found.  Start whine-pout sequence? (Y/N)
- --- FMail 0.94
 * Origin: -[ METAL KIT BBS ]-[ (91) 302-5480 ]-[ DE 24 A 10 ]- (9:345/105.0)

------------------------------

Date:    Mon, 26 Jul 93 18:03:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Flash ROM BIOS and viruses. (PC)

I wrote
 >> I'd be happy to read your opinions on the issue...

Inbar Raz answers:
 > Well, I think that this problem is nothing we can't handle. The way I
 > see it, it's just like backing up your system without virus-
 > checking it, and then, when the virus has destroyed it, restoring
 > from the infected backup set.

The question is what do we do in case such a virus will (and i'm sure it will) 
exist, and the PC you are introduced to is ALREADY infected. No backup of the 
BIOS exists at that time... Rest asure that most users with such computers 
will not take the time to backup the BIOS even if they had a program that does 
it for them!

 > However, I believe it's within the BIOS manufacturer's
 > responsibility to produce a program to either check
 > the integrity of such BIOS systems, or completely
 > restore the BIOS, not to mention version updates :-)

If I get you correctly; you mean that the FLASH BIOS will include a procedure 
that checks (for example at POST time) the BIOS's CRC or CHKSUM (or anything 
else for that matter.

Well if that's what you meant, I think the problem obviously will be that a 
virus can put this procedure to sleep since it has access to the entire BIOS 
area and the procedure is within this area.

You might say: Let`s split the BIOS into a FLASH-ROM plus another ROM-ROM, So 
the ROM-ROM's part is solely to verify the FLASH-ROM's integrity. But it even 
if this could be a nice idea it will not solve the problem (as it cannot 
restore that whi was damaged) and furthermore the FLASH-ROM technology exists 
today and works simply as one might expect: with no safety means.

Besides: The solution you suggest needs at least 64K of backup file. Even 
though it can be easily applied, this is not a practical solution (but maybe 
the only one we will be able to come up with)... 8-)

Your turn...... |-))

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Mon, 26 Jul 93 10:03:00 +0200
From:    Andres_Arevalo@f0.n462.z9.virnet.bad.se (Andres Arevalo)
Subject: Re: Joshi Virus (PC)

 -=> Quoting Dennis Bayomi to All <=-

Hi Dennis!!
 DB> Hello everyone - we've recently discovered a virus called "Joshi" on a
 DB> 286  clone running MS-DOS 5.  It seems to be a classic case of a
 DB> youngster  bringing home a game disk and inadvertently infecting his
 DB> parent's computer. 
 DB> We've tried F-Prot 2.08A and it doesn't disinfect the virus.  It did
 DB> detect  and even claimed to disinfect but after rebooting and
 DB> rescanning the virus  was still there.
The McAfee CLEAN is an excellent virus killer I strongly recomend download 
it from your local BBS. In the virlist.txt file you ll find many information
about Joshi Virus.
 DB> Thanks,
You re welcome
 DB> Dennis
Greetings.			Andres.

... New Mail not found.  Start whine-pout sequence? (Y/N)
- --- FMail 0.94
 * Origin: -[ METAL KIT BBS ]-[ (91) 302-5480 ]-[ DE 24 A 10 ]- (9:345/105.0)

------------------------------

Date:    Mon, 26 Jul 93 09:51:00 +0200
From:    Andres_Arevalo@f0.n462.z9.virnet.bad.se (Andres Arevalo)
Subject: Re: Genp in partition table - what to do? (PC)

 -=> Quoting Bryan Lee to All <=-
Hi Brian!:
 BL> How does one kill a virus residing in the partition table of a
 BL> hard drive?  I saw a message (from VSHIELD - McAfee) about
 BL> the virus Genp being found in the partition table - what can
 BL> this virus do?  How is it transfered?  How can you kill it?
Have you tryed using McAfee CLEAN? This program kills a lot of viruses;
the genp virus is a variant of generic virus. Get the clean in your BBS
and look in file virlist.txt the characteristics of this virus.
 BL> Thanks!
You are welcome.
Greetings.			Andres.

... Sorry, the Dog ate my Blue Wave packet.
- --- FMail 0.94
 * Origin: -[ METAL KIT BBS ]-[ (91) 302-5480 ]-[ DE 24 A 10 ]- (9:345/105.0)

------------------------------

Date:    Tue, 27 Jul 93 22:38:00 +0200
From:    Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem)
Subject: Flash ROM BIOS and viruses. (PC)

Amir Netiv wrote to Inbar Raz:

 > Your turn...... |-))

May I jump in?

 > Inbar Raz answers:
 >> However, I believe it's within the BIOS manufacturer's
 >> responsibility to produce a program to either check
 >> the integrity of such BIOS systems, or completely
 >> restore the BIOS, not to mention version updates :-)

Amir Writes:
 > If I get you correctly; you mean that the FLASH BIOS will include a
 > procedure that checks (for example at POST time) the BIOS's CRC or
 > CHKSUM (or anything else for that matter.

 > Well if that's what you meant, I think the problem obviously will be
 > that a virus can put this procedure to sleep since it has access to the
 > entire BIOS area and the procedure is within this area.

We can assume the that any FALSH-ROM (FR) Bios computer will also have a
ROM part. This is to assure the integrity of the FR.
Now, the RR part of the BIOS may include a VANDOR defined algorythm to check 
the integrity of the FR. This same thing is done with WD IDE Drives when 
playing with the IDE drive's serial number. When editing such a sector on the 
disk you must keep a correct checksum of the sector and write this chechsum (
or a variation of it) to a specific offset in that same sector. Implementing a 
similar algorythm in FR computers will solve the problem as long as this 
information if internal for each manufacturer.

Another way is to make the FR unself modified. This meens that as soon as the 
computer is up and running the FR does not allow any changes to be written to 
it. So, you'll ask, how can we upgrade the FLASH-ROM program? - well, the FR 
will check the following conditions (for example):

1. The computer as last COLD-BOOTED with a combination of keys pressed (line   
the INS or ALT in AMI BIOSs).
2. The computer was booted from a manufacturer supplied diskette.
3. The FR is about to be changed by a manufacturer supplied program.

This program checks the integrity of the current FR, saves it in memory, 
writes the new FR program, checks its inntegrity and only then, if everything 
is OK - boots the machine.

Hmmm... Any comments ?

Nemrod.Kedem@f138.n403.z2.fidonet.org       (Nemrod Kedem)
FidoNet: 2:403/138    VirNet: 9:972/0    CI$ ID: 100274,73
(972)3-966-7562 (14.4K)            (972)3-967-0348 (Voice)
P.O.Box 8394,     Rishon Le-Zion,   Zip 75253,     Israel.

- --- FastEcho/386 B0617/Real! (Beta)
 * Origin: <Rudy's Place - VirNet, Israel> Make Safe Hex! (9:9721/101)

------------------------------

Date:    Thu, 29 Jul 93 23:59:25 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Virus that damages harddrives (PC)

From:    Steve Mazdeh <STEVEM@sjsuvm1.bitnet>

>backup copy. I tried to reformat the hard drive but no success.  After
>the second reformat attempt the C: drive was no longer recognizable!

It sounds like a defective hard drive to me.

If it were just the FAT table corrupted, a format of C: should have 
repaired it.

>MY QUESTION IS: did I have a virus problem or just a bad harddrive.
>                How can I fix the Harddrive without sending it back
>                to the manufacturer. This hard drive is made by
>                XEBEC and is model XE3100 105.2MB AT/IDE drive.

A low level format of the hard drive may repair the drive. but contact the 
tech support department and ask them.
 
Several tech support people for IDE hard drives have said that it is 
possible to low level format an IDE hard drive with Disk Manager, but Disk 
Manager must directly support the brand and model of the hard drive.

I'm sure that you've heard rumors of viruses that damage hard ware.
 
I have examined hundreds of viruses and trojans, and haven't found one that 
damages or disables hard ware.

Bill

------------------------------

Date:    Fri, 30 Jul 93 17:13:28 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Totoro Dragon virus (PC)

There is a new virus on the loose. It is a resident .COM, and .EXE 
infector, and is 1540 bytes in length. I don't believe it is in the wild, 
but you never know.

The text below is contained in the virus

  Totoro Dragon

Hello! I am TOTORO CAT      

Written by Y.T.J.C.T
in Ping Tung. TAIWAN

Don't Worry, be Happy

   $YTIT

Totoro Dragon is neither a stealth or encrypted virus.

It has an odd method of infecting .COM files. the virus is placed at the
beginning of the file, abd adds four bytes of text at the end of the file 
YTIT.

In .EXE files, the virus is appended to the end, and again, YTIT is placed 
at the end of the file

Adding YTIT to the end of the infected files is how that Totoro Dragon 
marks files as infected.

I selected a signature for the virus. Please add this signature to F-prot 
or other scanners that allow you to add signatures.

Name: Totoro Dragon
Infects: .COM and .EXE files
Signature: B4 2A CD 21 3C 06 75 17 B8 08 35 CD 21 2E 89 1E 

I would suggest for all A-V developers to select a different signature 
string.

I have sent copies of the Totoro Dragon virus to Fridrik Skulason. and 
Wolfgang Stiller. The authors of F-Prot, and Integrity Master respectively.

Bill Lambdin

------------------------------

Date:    31 Jul 93 14:35:17 -0500
From:    00mltimmons@leo.bsuvc.bsu.edu
Subject: Virus? (PC)

Hello,

	This is my first time actually posting to any newsgroup, and of all 
of them, this is the last one I ever hoped to have to post to.  First, I'm 
posting because I believe I have a virus on my computer.

Symptoms:
	I accidently left a disk with a few zipped files in my A drive when
I rebooted my computer.  Instead of the normal "Non-System disk or disk error"
message, I get the following "Kein System oder Laufwerkfehler   Wechseln und
Taste drucken".  Where the e in drucken has two dots above it.  I'm no computer
wizard, but I know that that this isn't a good sign.  Only a few of my disks do
this.  

	So, that's the problem.  I have several anti-virus programs, but none 
of them find anything.  So, I guess that I'm asking all of you what I can do?
I have backups of everything on my computer, but now I find them suspect.  Any
suggestions or even a translation of the text would be helpful.  If I have a 
virus on my system, it doesn't seem to be doing any harm.  At least yet.  

				Thanks,
				    Mike Timmons
				    00mltimmons@leo.bsuvc.bsu.edu

------------------------------

Date:    Sat, 31 Jul 93 20:09:17 -0400
From:    jaf@jaflrn.linet.org (Jon Freivald)
Subject: VirusCheck 3.0 now available (PC)

Announcing the release of VirusCheck version 3.0.

VirusCheck is available for download on The Wizzard's Cave BBS,
(516) 483-5841, n81, 3-9600.  It is also available via e-mail
by sending mail to "mail-server@jaflrn.linet.org" containing the
text "get dos/virus/vck3.zip".  The mail-server will return it
to you in UUEncoded segments via e-mail.

For those of you not familiar with VirusCheck, the following is the
introduction page from the documentation:

- --- cut here ---

Overview:

Richard's Laws of Data Security:

1.  Don't buy a computer.
2.  If you do buy a computer, don't turn it on.

VirusCheck  was designed  for those  of us  who cannot  adhere to
Richard's laws.

What is VirusCheck?

VirusCheck is a watchdog, or security shell for McAfee Associates
ViruScan  anti-virus software.   VirusCheck  relieves users  from
needing to know the intricacies of their hardware and from having
to sit and  watch while  ViruScan searches their  system for  the
presence of viruses.   It  also allows Local  Area Network  (LAN)
managers  to enforce  corporate  anti-virus policies  in a  fully
automated manner.

VirusCheck  was originally  designed to  satisfy US  Marine Corps
security regulations,  but has proved flexible  enough to satisfy
the  requirements of  many organizations  and thousands  of users
worldwide.    This  manual  is not  intended  to  be  taken  as a
statement of policy either by or for the US Marine Corps.

Who should use VirusCheck?

Anyone who uses an  IBM PC or compatible computer system  with MS
or PC-DOS version 3.1 or higher as the operating system.

LAN managers who desire anti-virus  security for their network or
an  automated method of enforcing corporate anti-virus policies.

What does VirusCheck do?

VirusCheck  interrogates the system it is run on to determine its
hardware   configuration.      After   determining   the   proper
configuration,  VirusCheck executes McAfee's  ViruScan in  such a
manner  that the entire system  gets checked for  the presence of
viruses.  If ViruScan detects the presence of a virus, VirusCheck
will  lock the system and  warn the user,  thereby preventing the
inadvertent spread of the virus from using an infected system.

- --- cut here ---

If you wish to evaluate VirusCheck but do not have a copy of
McAfee's ViruScan, it is also available here.  Via mail-server
(in the same mail if you desire), "get dos/virus/scanv106.zip".

=============================================================================
		     Jon Freivald ( jaf@jaflrn.linet.org )
	   22A829/40 DA 9E 8E C0 A1 59 B2  46 3B 73 81 2B 7B 83 1F
		    PGP V2 public key available on request
	 Nothing is impossible for the man who doesn't have to do it.
=============================================================================

------------------------------

Date:    Sat, 31 Jul 93 21:53:09 -0400
From:    parson@coulomb.pcc.oz.au (Brenda Parsons)
Subject: Information on the 'Trident' Virus (PC)

We've recently had an attack of the 'Trident' virus, and seemed to
have gotten rid of it, but no one was able to supply us with information
as to what it would do when activated.

Any information would be appreciated.

Thanks
- -brenda
- -- 
% Brenda Parsons                  
% Currently at Prospect Electricity
% 10 Smith Street, Parramatta 2150, Australia
% +61 2 635 0300              e-mail:   parson@coulomb.pcc.oz.au        

------------------------------

Date:    Sun, 01 Aug 93 09:21:34 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Faerie Virus (PC)

I happened across another virus. This time Faerie. F-Prot 2.09 can not 
detect faerie, so please add the signature below.

I have sent a copy of Faerie along with a more indepth report to Fridrik 
Skulason and Wolfgang Stiller the authors of F-Prot and Integrity Master 
respectively.

Faerie
non resident .COM file infector. Doesn't infect COMMAND.COM
276 bytes in length. 

I have selected a signature for the virus, Please add it to F-Prot, or 
another scanners that allows additions

Name: Faerie
Infects: .COM files
Signature: B8 01 43 CD 21 8D 96 35 02 B8 02 3D CD 21 8B D8 

I tested this signature on my hard drive and didn't encounter any false 
positives. If your scanner finds the Faerie virus, look at the last sector 
of the .COM file with a HEX editor.

If it really is infected, you will see the word FAERIE.

Bill Lambdin

------------------------------

Date:    Sun, 01 Aug 93 17:14:55 -0400
From:    robert bullock <70511.3415@compuserve.com>
Subject: Vootie virus (PC)

	I have found a small virus that doesn't scan with any of the virus 
detection utilities that I have. It does infect. It is a non-resident file 
infector that overwrites both .EXE and .COM
files. The original file was 66 bytes long. It overwrites every executable 
in the current directory. It displays garbage when the file is run. The 
name of the file was VOOTIE.COM.

	The following scan string can be used to detect the virus: cd 21 2a 
2e 2a 00 56 99 93 c2 8b 90. 
	I will be sending it to Frisk, Wolfgang Stiller. 
								Robert 
Bullock

------------------------------

Date:    Wed, 28 Jul 93 16:34:10 +0300
From:    eugene@kamis.msk.su (Eugene V. Kaspersky)
Subject: Re: Tremor (PC)

> Question:      Does the Virus "Tremor" mask the interrupt 21h,function 3dh or
> how else can T. when a File is opened, which is infected by       him
> desinfect the file and then open it for the programm that

Yes, Tremor hooks several functions of INT 21h, one of it is 3Dh - OpenHandle.
If this file is infected, Tremor disinfects it and infects again on the
CloseHandle (func. 3Eh) call.

Eugene
- -- 
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su +7 (095)939-4066

------------------------------

Date:    Fri, 30 Jul 93 13:40:22 -0400
From:    "Rob Slade: <roberts@decus.ca>
Subject: Memoirs of an (infected) virus researcher (CVP)

MEMOIR4.CVP   921214
 
             Memoirs of an (infected) virus researcher
 
I've just finished reviewing another antiviral program.  During the
testing, I found out something interesting.
 
My primary test machine was infected.
 
Now, this, one would think, is not necessarily remarkable.  But, you
see, I have a grave shortage of equipment.  The test machine is also
the communications machine.  And, it wasn't supposed to be infected.
 
Still, it happens from time to time.
 
There was the time, rushing the Michelangelo deadline, that I had
made the world's only copy of Michelangelo on a 3.5" diskette.  And
then booted from it.  Just after midnight on the evening of March
5th.  (Well, it was late, and all ...)  Took me another 20 minutes
to put it together again.
 
That's another thing.  The primary test machine is a laptop.  Dual
3.5" floppies.  No hard drive.  Safer that way.  When I'm using it
for communications, I simply use another diskette.  Bootable. 
Write-protected.  Except when I have to make corrections.  But I do
that on the desktop machine.  No chance of infection, if I never put
it into the test machine, unprotected.
 
But I must have.  Sometime.  And that sometime had to be more than
three weeks ago, because that was the last time I did any live
testing.
 
And what was it I was infected with?  DIR-II.  Stealth to the max. 
Fast infector with a vengeance.  I must have infected everything in
sight.
 
Except I didn't.
 
First of all, communications generally deals with either text files
or archives.  Unless the archives are self extracting, they are not
targets for infection, and neither are the test files.  So for over
three weeks, I was shuttling files from one machine to another and
the virus never had a chance to transfer.  Must have been
frustrating for it.
 
A couple of points about the DIR-II.  It *does* infect text files. 
At least, it infected one of mine.  The filename was SIGBLOCK.NTE,
for those who are wondering.  Only 340 bytes, so only the first
chunk of the viral code shows.
 
Secondly, the business of renaming your programs to non-executable
extensions, with the virus active, works like a hot darn for
disinfection.  Remember to do a CHKDSK /F, *after* you have finished
and booted clean, in order to reclaim lost disk space.  I got
everything back fine.  Except SIGBLOCK.NTE   :-)
 
copyright Robert M. Slade, 1992   MEMORI4.CVP   921214

==============                      
Vancouver      ROBERTS@decus.ca    | "Daughters of feminists love to wear
Institute for  Robert_Slade@sfu.ca |  pink and white short frilly dresses
Research into  rslade@cue.bc.ca    |  and talk of successes with boys/
User           p1@CyberStore.ca    |  It annoys/
Security       Canada V7K 2G6      |  Their Mums ..."  - Nancy White

------------------------------

Date:    Thu, 29 Jul 93 13:05:35 -0400
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: Final program for 5th Incident Response Workshop

This is the final program for the upcoming workshop.  We have a
first-rate agenda of speakers from around the world on incident
response & security.

To answer two common questions:
  1) It is still possible to register for the workshop, although
     it is at the higher rate.  The hotel still has rooms available.
     Registration at the door will be possible, but you may not
     be able to get copies of the handouts on-site unless you
     pre-register.

  2) St. Louis is not underwater....at least the workshop hotel and 
     airport are not.  A message from the St. Louis convention bureau
     is at the end of this announcement describing conditions.

Please pass this on to anyone interested!

- --gene spafford
Workshop Program Co-chair


			    FINAL AGENDA
	   5th Computer Security Incident Handling Workshop
Sponsored by the Forum of Incident Response and Security Teams (FIRST)

			  August 10-13, 1993
			    St. Louis, MO


TUESDAY, August 10, 1993  Full-day Tutorials

1.  Creating a Security Policy, presented by Charles Cresson Wood:
    Independent Information Security Consultant
   Sausalito, California

  Based on his information security consulting work with over 80
  organizations, Wood will discuss the practical aspects of information
  security policies.  He will draw heavily from his third book, entitled
  "Information Security Policies Made Easy," which contains 525
  already-written policies.  His presentation will cover risk
  assessments, the role of policies, policy needs analysis, policy
  writing, management approval, policy issuance, user training, proper
  uses of automated and manual controls, and policy enforcement.  The
  intention of the workshop will be to acquaint attendees with the need
  for policies, how they are best used, and how to handle policies
  in-house (avoiding the need to hire a consultant).  Wood will also
  discuss how policies can help move an information security effort ahead
  with velocity while at the same time keeping security costs down.
  Special attention will be paid to the people aspects of information
  security policies.  The workshop will end with critiques of the policy
  statements brought by attendees (so bring your policies).


2.  Vulnerabilities of the IBM PC Architecture: Virus, Worms, Trojan
      Horses, and Things That Go Bump In The Night
    presented by A. Padgett Peterson:

  An intensive look into the architecture of the IBM-PC and MS/PC-DOS --
  What it is and why it was designed that way. An understanding of
  assembly language and the interrupt structure of the Intel 80x86
  processor is helpful.

  The day will begin with the BIOS and what makes the PC a fully
  functional computer before any higher operating system is introduced.
  Next will be a discussion of the various operating systems, what they
  add and what is masked. Finally, the role and effects of the PC and
  various LAN configurations (peer-peer and client server) will be
  examined with emphasis on the potential protection afforded by login
  scripting and RIGHTS.

  At each step, vulnerabilities will be examined and demonstrations made
  of how malicious software exploits them. Demonstrations may include
  STONED, MICHELANGELO, AZUSA, FORM, JERUSALEM, SUNDAY, 4096, and EXEBUG
  viruses depending on time and equipment available.

  On completion attendees will understand the vulnerabilities and how to
  detect attempted exploitation using simple tools included with DOS
  such as DEBUG and MEM.


3.  Unix Security
    presented by Matt Bishop:

  This tutorial will examine four areas of security critical to the
  functioning of UNIX systems:
  * user authentication, which provides the first line of defense 
    against attackers attempting to penetrate the system;
  * management of privileges, and managing access to the superuser
    account as well as programming for security;
  * defending against malicious logic, which will include a discussion
    of the workings of the Internet worm of November 1988, and several
    techniques for detecting malicious logic as well as blocking its
    effects; and
  * networking, covering the security mechanisms available in NIS, NFS,
    privacy-enhanced electronic mail, and Kerberos, as well as the
    Berkeley "trusted hosts" mechanism, Secure RPC, the network
    daemons and calls used by Berkeley's implementation of rlogin, rsh,
    and their kin, and (if time permits) both HoneyDanBer and 4.3 BSD
    UUCP.



 WEDNESDAY, August 11, 1993

 8:30 -  8:45  Opening Remarks - Rich Pethia - CERT Coordination Center 

 8:45 -  9:30  Keynote Speaker - Dr. Vinton Cerf - Corporation for Research
                                                          Initiatives

 9:30 - 10:00  Break

10:00 - 12:00  International Issues - Computer networks and communication lines
               span national borders.  This session will focus on how computer
               incidents may be handled in an international context, and on
               some ways investigators can coordinate their efforts.
               SPEAKERS:  
		 Harry Onderwater - Dutch Federal Police
		 John Austen - New Scotland Yard
		 John Neily - Royal Canadian Mounted Police

12:00 -  1:30  Lunch with Presentations by various Response Teams

 1:30 -  3:00  Professional Certification & Qualification - how do you know if
               the people you hire for security work are qualified for the
               job?  How can we even know what the appropriate qualifications
               are?  The speakers in this session will discuss some approaches
               to the problem for some segments of industry and government.
               SPEAKERS:  
		 Sally Meglathery - ISC2
		 Lynn McNulty - NIST
		 Genevieve Burns - ISSA

 3:00 -  3:30  Break

 3:30 -  6:00  Incident Aftermath and Press Relations - What happens after an
               incident has been discovered?  What are some of the
               consequences of dealing with law enforcement and the press?
               This session will feature presentations on these issues, and
               include a panel to answer audience questions.
               SPEAKERS:  
		 Laurie Sefton - Apple Computer
		 Jeffrey Sebring - MITRE
                 Terry McGillen - Software Engineering Institute
		 John Markoff - NY Times
		 Mike Alexander - InfoSecurity News

 7:00 -  9:00  Reception

THURSDAY  August 12

 8:30 - 10:00  Preserving Rights During an Investigation - During an
               investigation, sometimes more damage is done by the
               investigators than from the original incident.  This session
               reinforces the importance of respecting the rights of victims,
               bystanders, and suspects while also gathering evidence that may
               be used in legal or administrative actions.
               SPEAKERS:  
		 Mike Godwin - Electronic Frontiers Foundation
		 Scott Charney - Department of Justice
		 Frank Dudley Berry Jr. - Deputy District Attorney
                                            Santa Clara County		 

10:00 - 10:30  Break

10:30 - 12:00  Coordinating an Investigation - What are the steps in an
               investigation?  When should law enforcement be called in?  How
               should evidence be preserved?  Veteran investigators discuss
               these questions.  A panel will answer questions, time permitting.
               SPEAKER:  
		 Jim Settle - FBI
		 Jack Lewis - US Secret Service
		 John Smith - Santa Clara DA's office

12:00 -  1:30  Special Interest Lunch

 1:30 -  3:00  Liabilities and Insurance - You organize security measures but
               a loss occurs.  Can you somehow recover the cost of damages? 
               You investigate an incident, only to cause some incidental
               damage.  Can you be sued?  This session examines these and
               related questions.
               SPEAKERS:  
		 Mark Rasch - Arent Fox
		 Bill Cook - Willian, Brinks, Olds, Hoffer, & Gibson 
		 Marr Haack - USF&G Insurance Companies

 3:00 -  3:15  Break

 3:15 -  5:30  Incident Role Playing -- An exercise by the attendees
	       to develop new insights into the process of
	       investigating a computer security incident.
	       Organized by Dr. Tom Longstaff of the CERT Coordination Center.

 7:30 -  ?     Birds of a Feather and Poster Sessions


FRIDAY  August 13

 8:30 - 10:00  Virus Incidents - How do you organize a successful virus
               analysis and response group?  The speakers in this session have
               considerable experience ans success in doing exactly this.  In
               their talks, and subsequent panel, they will explain how to
               organize computer virus response.
               SPEAKERS:  
		 Werner Uhrig - University of Texas, Austin
                 David Grisham - University of New Mexico
		 Christoph Fischer - CARO
		 Karen Pichnarczyk - LLNL/DoE CIAC
		 
10:00 - 10:15  Break

10:15 - 11:15  Databases - How do you store incident, suspect, and
               vulnerability information safely, but still allow the 
               information to be used effectively?  The speakers in this
               session will share some of their insights and methods on this 
               topic.
               SPEAKERS:  
		 John Carr - CCTA
		 Michael Higgins - DISA/CISS
		
11:15 - 1:00   Threats - Part of incidence response is to anticipate risks and
               threats.  This session will focus on some likely trends and
               possible new problems to be faced in computer security.
               SPEAKERS:  
		 Karl A. Seger - Associate Corporate Consultants, Inc.
		 Craig Worstel - Boeing
                 Genevieve Burns - Monsanto

 1:00 -  1:10  Closing Remarks - Dennis Steinauer (NIST/FIRST)

 1:10 -  2:00  Lunch

 2:00 -  3:00  FIRST General Meeting and the Steering Committee Elections
 
 3:00 -  4:00  FIRST Steering Committee Meeting


^^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^^

INQUIRES:

Direct questions concerning registration and payment to:  Events at 412-268-653
1

Direct general questions concerning the workshop to:  Mary Alice "Sam" Toocheck
                                                      at 214-268-6933
						      st@cert.org

Return to:   Helen E. Joyce
             Software Engineering Institute
             Carnegie Mellon University
             Pittsburgh, PA  15213-3890
             Facsimile:  412-268-7401
TERMS:

Please make checks or purchase orders payable to SEI/CMU.  Credit cards are not
accepted.  No refunds will be issued, substitutions are encouraged.

The registrations fee includes materials, continental breakfast, lunches (not
included on August 13), morning and afternoon breaks and an evening reception
on August 11.  

GOVERNMENT TERMS:

If your organization has not made prior arrangements for reimbursement of 
workshop expenses, please provide authorization (1556) from your agency at the 
time of registration.
                                                 
GENERAL REGISTRATION INFORMATION:

Workshop................................. ..............$300.00
All registrations received after July 10, 1993..........$350.00
Tutorial................................................$190.00

NAME:

TITLE:

COMPANY:

DIVISION:

ADDRESS:

ZIP:

BUSINESS PHONE:

EMERGENCY PHONE:

FACSIMILE NUMBER:

E-MAIL ADDRESS:

DIETARY/ACCESS REQUIREMENTS:

CITIZENSHIP:  Are you a U.S. Citizen?    YES/NO

Identify country where citizenship is held if not the U.S.:

(Note: there will be no classified information disclosed at this workshop.  
There is no attendance restriction based on citizenship or other criteria.)


GENERAL HOTEL INFORMATION:

RATES: A block of rooms has been reserved at the Hyatt Regency at Union
Station, One St. Louis Union Station, St. Louis, Missouri 63103.  The hotel
will hold these rooms until July 10, 1993.  Hotel arrangements should be made
directly with the Hyatt, 314-231-1234.  To receive the special rate of $65.00
per night, please mention the Fifth Computer Security Incident Handling
Workshop when making your hotel arrangements.

ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including 20
suites.  All rooms have individual climate control, direct-dial telephone with
message alert, color TV with cable and optional pay movies.  Suites available
with wet bar.  Hotel offers three floors of Regency accommodations, along with
a Hyatt Good Passport floor, and a special floor for women travelers.

LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic Union
Station one mile from Cervantes Convention Center and St. Louis Convention
Center and St. Louis Arch.  Fifteen miles (30 minutes) from St. Louis Zoo.

DINING/ENTERTAINMENT:  Italian Cuisine is features at Aldo's, the hotel's 
full-service restaurant.  Enjoy afternoon cocktails in the Grand Hall, an 
open-air, six-story area featuring filigree work, fresco and stained glass 
windows.  The station Grille offers a chop house and seafood menu.

RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool.
Full health club; sauna in both men's and women's locker rooms.
Jogging maps are available at the hotel front
desk.SERVICES/FACILITIES/SHOPS:  Over 100 specialty shops throughout
the hotel, including men's and women's boutiques, children's toy shops
and train stores.


==================================================

 July 19, 1993

 TO: Meeting Planner

 FROM: St. Louis Convention & Visitors Commission

 RE: Flooding


The ongoing Midwest flooding along the Mississippi River obviously is a great
and unfortunate drama--and we in no way seek to minimize the tragedy of loss
of lives, homes and businesses.

However, in the midst of national media coverage of flooding above and below
St. Louis, people are being left with the impression that St. Louis itself is
under water. The St. Louis Convention & Visitors Commission's telephone lines
are constantly busy as our information specialists answer calls from anxious
travelers who have made plans to visit St. Louis this summer. They wonder if
the Arch is "OK," if Union Station is "submerged" as they have heard, and
where the Cardinals will be playing baseball if Busch Stadium is under water!
We're doing our best to battle these and other misperceptions, but your help
would be greatly appreciated in getting the word to your readers.

Here's the truth: A visitor to St. Louis will be able to do everything he
could have done before the floods (see baseball games, ride to the top of the
Arch, enjoy dockside riverboat gaming, visit the brewery, zoo, art museum,
etc...) with the exception of taking Mississippi River sightseeing cruises.
And all highway access to St. Louis is clear and open. The flood crested
today, and the waters are beginning to recede.

So, as you can see, it is a battle of perception versus reality in St. Louis'
hospitality industry. If you're interested in talking about this aspect of the
flood, please contact the Convention Services Department at 1-800-325-7962.

Thanks very much for the consideration.  

ST LOUIS CONVENTION & VISITORS COMMISSION
10 SOUTH BROADWAY   
SUITE 1000  
ST. LOUIS, MISS0URI 63102   
(314) 421-1023  (800) 325-7962  FAX (314) 421-0039

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 109]
******************************************
