From lehigh.edu!virus-l Thu Dec  3 00:25:41 1992
Date: Wed, 2 Dec 1992 16:58:15 -0500
Message-Id: <9212022112.AA08661@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #194
Status: R

VIRUS-L Digest   Wednesday,  2 Dec 1992    Volume 5 : Issue 194

Today's Topics:

Vshield vs Virstop (PC)
Filler Virus (PC)
TBAVX501.ZIP and VSIG9211.ZIP uploaded (PC)
Re: MODE.COM vs. DAME virus (PC)
Re: Need Info about INVOLVE virus (PC)
Re: norton antivirus bbs (PC)
Re: Brain Viruses (PC)
AntiViral SW Leftovers (PC)
Re: Reviewing reviews (PC, probably)
Re: Untouchable (PC)
Re: VSUM Listing (PC)
Re: Scanner Wars (was MtE Wars) (PC)
Re: WARNING: Clean V97 and Freddy (PC)
Which program works? (OS/2) (PC)
Re: Potentially stupid question (OS/2) (PC)
Re: ViruScan v99 and OS/2 (OS/2)
Amiga AV FTP (Amiga)
IBM mainframes and virus = possible (IBM Mainframe)
Re: Alan Solomon
CHRISTMA - Trusted source

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions with
your real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information
on accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date:    28 Nov 92 17:22:05 +0000
From:    as789@cleveland.Freenet.Edu (Francisco J. Diaz)
Subject: Vshield vs Virstop (PC)

Hi All!

I have a small question, Which antivirus TSR would you recommend me to
use? Vshield or Virstop? I have seen them both but the big difference
is the memory used by them...Which one has better performance catching
viruses? Virstop seems awfully small to have all those signatures
inside itself, as opposed to Vshield which is big and (probably) has
all the signatures inside. I don't have memory constraints but the
smaller the better as long as it performs well...Anyone has any scan
benchmarks done on these 2 programs? I would like to see some
suggestions...Thanks! :-)

--
| Francisco J. Diaz Rivera     |                            |
| University of Puerto Rico    | If the shoe fits, buy it!  |
| "I hate MATH classes!" :-)   |       - Imelda Marcos      |
| STUD137@CUTB.UPR.CLU.EDU     |                            |

------------------------------

Date:    Sat, 28 Nov 92 18:48:12 -0400
From:    lin@ug.cs.dal.ca (David Lin)
Subject: Filler Virus (PC)

Hello,

We have a mild problem here. Scan v97b detected the [Filler] virus with
the command line:

    scan c: /chkhi

The program instructed us to power down and then reboot with a floppy.
We did this but then we could not detect the virus again. This of
course meant that Clean failed. We opened some applications and then
closed them. After trying scan again, the virus reappeared.

Next we tried f-prot v206a and it told us that we had a possible Stoned
virus. wouldn't run unless we bypassed the memory check. Any clean
attempts failed here too.

Does anyone out there know how we can get rid of the [Filler] virus?
ANY help would be appreciated.

dave,vik,mike & john

-------------------- It came from Nova Scotia... -------------------------
I stayed up all night playing poker with Tarot cards. I got a full house
and four people died.
                                        - Steven Wright
--------- lin@ug.cs.dal.ca ----------------- 01dave@ac.dal.ca ------------

------------------------------

Date:    Sun, 29 Nov 92 20:08:04 +0700
From:    jeroenp@rulfc1.LeidenUniv.nl (Jeroen W. Pluimers)
Subject: TBAVX501.ZIP and VSIG9211.ZIP uploaded (PC)

I just uploaded the following files to Garbo and Oak:

tbavx501.zip    TB AV specific processors/registers users 5.01
vsig9211.zip    Virus signatures for TBAV/HTSCAN - nov 1992

TBAVX501.ZIP is a companion to TBAV501.ZIP. It contains processor
specific versions of the antivirus programs and works only if you have
a registration key.

VSIG9211.ZIP contains the updated virus signature list that can be used
by HTSCAN and The TBAV utils.

Please note that TBSC*.*, TBRESC*.* are obsolete since TBAV501.ZIP.

--
jeroen
voice:  +31-2522-20908 (19:00-23:00 UTC)      snail:  P.O. Box 266
jeroenp@rulfc1.LeidenUniv.nl                          2170 AG Sassenheim
jeroen_pluimers@f256.n281.z2.fidonet.org              The Netherlands

------------------------------

Date:    Wed, 25 Nov 92 20:49:15 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: MODE.COM vs. DAME virus (PC)

Hello Woody,

you write:
>We got a positive indication of the DAME virus on an old compaq dos disk.
>mode.com is the only file identified. It appears to have a length of about
>4k or so. Dame was not found in memory, just on this disk. Dumping the
>file with psa Dump utility, shows a batch of strings at offset c60..
>"The compaq...version 3.1" etc. The file ends at offset 1050. This is
[...deleted...]

This is a false alarm from VIRUSCAN V97. It has been fixed in VIRUSCAN
V99, which incorporates a new DAME (MtE) detector.

Regards,

Aryeh Goretsky
Technical Support

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.
                         | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    Mon, 30 Nov 92 17:47:37 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: Need Info about INVOLVE virus (PC)

Hello Mr. Nguyen,

When you ran VIRUSCAN (SCAN.EXE), did you use the /A switch with it?

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/
dhnguyen@vmsclst1.sc.csupomona.edu writes:
>hello, I am new here. I hope someone could give me some information
>about the INVOLVE virus. I know that it changes the date on the files
>that it infects. One thing I ran across that bothers me. I deleted
>all the files that SCAN reports and rescan the system with "No virus
>found" message. Then about a month after, close to the same date,
>SCAN reported "INVOLVE virus found." I have not load any new file to
>the system during that one month period. Any information will be
>greatly appreciated.

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    Mon, 30 Nov 92 13:03:11 -0500
From:    Fritz Schneider <71043.1117@compuserve.com>
Subject: Re: norton antivirus bbs (PC)

On Sat, 21 Nov 92, gene shackman asked:

> I am trying to update my Norton Antivirus program. I want to call
>their Symantec BBS to get the most recent virus definitions file,
>and the phone number I have is (408) 973-9834 for the 9600 baud
>line.
>I can't seem to connect, however. Is there a different
>number at this time?

The number that I have been using for the Symantec BBS is 408-973-9767.
This line does run at 9600 using v.32. I get the impression, however,
that if it goes down overnight or on a weekend, you have to wait for
the next business day for somebody to bring it back up.

Fritz.

------------------------------

Date:    30 Nov 92 18:21:08 +0000
From:    tck@fold.ucsd.edu (Kevin Marcus)
Subject: Re: Brain Viruses (PC)

ec49726@uxa.cso.uiuc.edu (Manny DeSoto) writes:
>I'm new to this newsgroup and I don't read it often. Further yet, I am
>not very updated on viruses in the 90's.
>
>At any rate, I just wanted to know what a "brain virus" is and how it
>differs from a "normal" virus.

Well, you are probably referring to the Pakistani Brain virus (ashar
brain, whatever you wanna call it).

It is a VERY old boot sector infector (some of the newer variants can
infect the MBR). This means they infect disks, and not files.

It uses some stealth techniques, so that it hides its infection by
redirecting calls to read in the boot sector to the location of the
real boot sector, while in memory. I suppose you could say a normal
virus wouldn't do that.

------------------------------

Date:    Mon, 30 Nov 92 13:21:37 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: AntiViral SW Leftovers (PC)

Luca Parisi asks about a leftover string "Carmel" plus other oddities
in files.

It is my understanding that the Central Point Anti-Virus program was
originally obtained from a company called "Carmel" in Israel with an
interesting background. I *suspect* this is the source.
Warmly,
Padgett

------------------------------

Date:    30 Nov 92 18:19:03 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Reviewing reviews (PC, probably)

rslade@sfu.ca writes:

> I note a posting through Newsbytes today, regarding an announcement by
> International Data Security (whose initials, interestingly, turn out to be ID C
> ranking the world's antiviral software.

> Now, I don't know how badly this got garbled by Newsbytes, but we only have
> Dr. Sol's AVT, CPAV, NAV, and McAfee listed. McAfee gets off with highest
> marks at 95%. The tests were supposed to have been conducted over 15 months

If you look in the file AGENTS.TXT that comes with the SCAN suite,
you'll get a surprise! It turns out that International Data Security is
an official agent of McAfee Associates... Maybe when you see that, you
won't be that much surprised by the published results... I guess that
the message in Newsbytes did not say that it is a publicity, did it?

> by Virus Bulletin, VSUM library, NCSA (ah, but which one?) and the Hamburg
> Virus Test Center (Vesselin?).

Me? What about me? I have several times complained in this forum that
McAfee's agents are misusing our results for incorrect advertising...
This has happened four or five times... McAfee Associates always have a
nice excuse about it... You should ask them, not me...

> Although IDC is reporting this as "test results", it looks an awful lot like
> they just went and added up everyone else's results.

Yup, and they have arranged them in a way that suits their needs...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    30 Nov 92 18:38:34 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Untouchable (PC)

cs105ta2@scs.carleton.ca (Rick Wirthlin) writes:

> I was wondering if anyone else is using the Untouchable virus scanner
> and how they find it.

Versions 20 and below of the scanner (UTScan) are very bad. Versions 23
(the latest one is 25, I think) are good enough. Remember - the scanner
is not the main feature of the package. It is used mainly during the
installation, to ensure that the main part - the integrity checker - is
installed on a virus-free system.

> Any comments on this package would be appreciated as I have some
> concerns about its ability to detect new viruses.

The main feature of the package is its off-line integrity checker. It
is one of the best in its category - secure, fast, unobtrusive, easy to
use and with a nice user interface. Very few of the integrity packages
I know are as secure as it... Off the top of my head, I can recall only
Fred Cohen's ASP Integrity Toolkit, but it belongs to a different
class, since it is a resident integrity checker.

Another thing that the authors of Untouchable are very proud of, is its
ability to do "generic disinfection", i.e. to disinfect an unknown
virus. The disinfection is based on some information about the
uninfected file, stored in a database and on some heuristic rules
(that's why I prefer to call it "heuristic disinfection").

One important thing to have in mind is that the product is very good,
but not as good as the advertisements are trying to suggest you. Some
advertisements (in France) say that it is "the absolute weapon against
computer viruses" and that no virus, even an unknown one, is able to
bypass it. This is not true; even some of the known ones do.
For instance, the integrity checker will not detect the replication of
Brain (because it infects only floppies) or of Darth Vader (because it
infects only on modification).

Other ads say that "it guarantees 100% disinfection of the infected
files". Don't be fooled to think that this means that 100% of the
infected files can be disinfected. It doesn't. What it means is that if
the product happens to disinfect a file, it guarantees that the file is
100% restored to its original state (which is not that bad; most of the
current disinfectors cannot achieve this even with Jerusalem). There
are about 17 ways a virus can infect a file, and the generic
disinfector can handle about one third of them. The authors have
promised to achieve about two thirds soon. (Some viruses just cannot be
disinfected heuristically.)

As far as I know, the authors are working on a very powerful virus
description language (e.g., they can easily write an MtE detector in
it). I am not aware whether this language is already available in the
commercial versions of the product.

There are two features that would definitively improve the product. The
first one is a resident integrity checker, compatible with the current
off-line one. The second feature is true generic virus removal, the
kind of thing that is provided by TbClean from the ThunderByte
Anti-Virus package. This is a very nice idea and I would really like to
see it more widely used... Well, maybe some kind of monitoring program
will be useful too (they already have a resident scanner), regardless
that such programs are usually trivial to bypass...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 30 Nov 92 18:02:24 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: VSUM Listing (PC)

Hello Mr. Marcus,

tck@fold.ucsd.edu (Kevin Marcus) writes:
>Patricia Hoffman doesn't have the viruses she writes about, and gets
>most of her information from McAfee Associates. And, since we already
>know that (as Vess has pointed out...) most of the info in VIRLIST.TXT
>isn't accurate, neither is the info in VSUM.

Incorrect. While Ms. Hoffman does receive information about computer
viruses from us, we are neither the sole nor primary source of
information about computer viruses for her. Most of the information in
VIRLIST.TXT is correct.

Regards,

Aryeh Goretsky
Technical Support

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    30 Nov 92 19:06:39 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanner Wars (was MtE Wars) (PC)

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> In the meantime, the integrity managers continue to languish on the
> shelf. There are several which meet my requirements for notification
> when needed, keeping quiet when not, some of which I have been using
> for some time: Enigma-Logic's PC Virus-Safe, Dr. Panda's Physical,
> and Leprechaun's Virus Buster. I have not had the opportunity to try
> Fred's ASP but have no reason to doubt its effectiveness.
Obviously, one of your requirements is that the integrity checker must
be resident (i.e., to be an integrity shell), otherwise you would
probably have mentioned Untouchable... Also, I have not seen the first
two products, but don't think that Virus Buster's integrity checker is
secure enough... VDS is also a robust system, but unfortunately it is
not compatible with user-installable volumes like Stacker...

> These are the "something" detectors that are essential in determining
> that changes have occurred and each has the capability to check every
> file on the disk for changes as well as unknown files. Your scanner says
> the MtE is present ? A change detector will identify every file that has
> changed - not identify the infection but will identify the change.
> Worried about Commander Bomber ? The file changed. Not to say that there

Not that I disagree with you - integrity checking is indeed a much
stronger line of anti-virus defense than known-virus scanning. However,
it also has its place... For instance, before installing an integrity
checker, you must ensure that you are installing it on a virus-free
system, otherwise you might get some bad surprises... Currently, the
only known way to do that is to -scan- the system before
installation... Furthermore, when the "something detector" detects that
"something has changed", you still need a program that tells you -what-
has caused the changes (hey, it might format the disk after 30
seconds!). You also need a way to detect all infected files. Integrity
checking helps, but it cannot always determine the source of the
infection. And, if you cannot find it, you are running the risk to get
infected again...

At last, the examples used by you are not very correct. MtE and
Commander Bomber are attacks against known-virus scanning, not against
integrity checking. Is it surprising then that they defeat the scanners
and not the integrity checkers?
How about that: worried that your integrity checker cannot detect
Brain, or Darth Vader, or fails to detect the replication of StarShip,
if it is already present in the system? No problem, get a recent
scanner/remover - it will identify the infected files/diskettes and
will remove the virus... :-)

> The simple fact is that it is trivial to write a virus to get around a
> scanner and only slightly more difficult to get around all of the common
> ones. At the same time it is very difficult to write an intrusion
> program that can get around a good layered set of integrity management
> routines.

Yes, the multi-layered approach is the best solution. But you still
need a known-virus scanner as one of the levels. Not a very strong
level, but a necessary one...

> As far as hardware is concerned, selection of the boot drive (C:) is
> sufficient. If you really want to boot from a floppy, 20 bytes in the
> MBR (software) will let you hold down the Ctrl key while booting to redirect
> the boot to A: instead of C:. A few more bytes and you can restore the
> interrupt table even if you do manage to become infected first. In a single

Unfortunately, it also takes about 50 bytes to locate these 20 bytes
and to change them to "do nothing" or "shut up"... :-)

Otherwise, no disagreement with your main points...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Tue, 01 Dec 92 03:39:07 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: WARNING: Clean V97 and Freddy (PC)

Hello Mr. Ferreira,

you write:
>Clean v97 does not work disinfecting the Freddy virus. Scan v97 reports:
> The Jeru [Jeru] virus was found...
[...deleted...]
Thank you for the report of CLEAN-UP not disinfecting files infected
with the Freddy virus correctly. I have forwarded a copy of your report
to our programmers so that we may fix this in a future version of
CLEAN-UP (CLEAN.EXE).

Regards,

Aryeh Goretsky
Technical Support

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    Mon, 30 Nov 92 09:47:24 +0000
From:    schwille@informatik.uni-stuttgart.de (Juergen Schwille)
Subject: Which program works? (OS/2) (PC)

We are looking for an anti virus program which works in the DOS Box of
OS/2. The program should be memory resident and check automatically
every disk that is inserted in the disk drive. Any suggestions?

Our dealer recommended CP Anti-Virus 1.1. Has anybody experience with
this program?

Please email your response to schwille@informatik.uni-stuttgart.de

Thank you in advance!

Juergen

------------------------------

Date:    30 Nov 92 18:23:47 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Potentially stupid question (OS/2) (PC)

KDC@ccm.UManitoba.CA (Ken De Cruyenaere 204-474-8340) writes:

>I am not too familiar with OS/2 but am told its going to be very
>popular soon :-(.
>Our antiviral software (F-PROT) doesn't seem to run well under OS/2.
> (It eventually hangs up when scanning, saying
> "ERROR SCANNING DRIVE D:")

if you have to scan HPFS partitions with F-PROT, try using the /NOBOOT
switch or disable "Boot" in the menu.
-frisk

------------------------------

Date:    30 Nov 92 19:00:19 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ViruScan v99 and OS/2 (OS/2)

Brian_Hampson@f115.n101.z9.virnet.bad.se (Brian Hampson) writes:

> There is an apparent problem with SCAN 9.0V99 running in a DOS session
> under OS/2 using HPFS file system

[stuff deleted]

> Here, on the OTHER hand, is what scan97B reported:

[more stuff deleted]

Seems to me that by removing the "feature" that allowed SCAN 97 to work
on networked drives, McAfee Associates have removed a bit too much...
:-) Just kidding, of course, but those two things might be indeed
related...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 30 Nov 92 10:15:47 -0500
From:    A.J.
Subject: Amiga AV FTP (Amiga)

does anybody know where i can ftp the latest BootX anti virus prog for
the amiga, and where to get the latest on anti virus progs in general
...... the latest list of sites were obsolete ....?

-aj.

------------------------------

Date:    Sun, 29 Nov 92 04:56:00 +0000
From:    ce_rupn@pavo.concordia.ca (RUPNIK, CHRISTOPHER E.)
Subject: IBM mainframes and virus = possible (IBM Mainframe)

Hi

Some people at the institution where i work believe it is impossible
for an IBM mainframe 43xx series computer to become infected by any
kind of virus, due to the unique operating system setup at each site.

I believe otherwise, If you have known of a case that a definite virus
has been discovered in a similar class machine, please e-mail me the
details, as i would greatly appreciate it.
Thank you

ce_rupn@pavo.concordia.ca

------------------------------

Date:    Tue, 01 Dec 92 04:30:35 +0000
From:    cs125b41@dcl-nxt02.cso.uiuc.edu (cs125 student)
Subject: Re: Alan Solomon

Does anybody know Dr. Solomon's Internet address?

------------------------------

Date:    Fri, 27 Nov 92 21:13:23 -0800
From:    rslade@cyberstore.ca
Subject: CHRISTMA - Trusted source

HISVIRK.CVP   921022

                    CHRISTMA - "Trusted" source

Commentary prompted by the CHRISTMA EXEC ranged over many topics. One
subject was that of the "trusted source". That is, that you only run a
program when you "know where it's been". This is a good principle for
data security in general, but it is interesting that it came up in
discussion of this particular outbreak, since the messages, after the
initial spread, would have all come from "known", and presumably
trusted, sources.

Also interesting, in view of the fact that the EXEC actually contained
the source code, was the "opinion piece" which suggested that only
source code should be trusted. This piece seems to have been written by
someone firmly settled, not only into the UNIX community, but also into
the UNIX culture. It states that there is no reason for not having the
source code for everything you run. The author further asserts that
there is no reason for software producers and publishers not to give
you the source code to every program you buy. (One can only surmise
that he was a tad frustrated at having to deal with some piece of
commercial software. One can also surmise that he wasn't, himself, a
software producer or publisher. :-)

However, most interesting of all was that this latter poster had
included an error in his posting, and thus killed his own argument
almost as soon as he made it. (You can check this out. I think it is
one of the most amusing threads in the whole archives of virus
research.)

The first article appeared in Issue 6, number 2 of the RISKS-FORUM
Digest, Monday, January 4th, 1988.
(Another mistake was made in that number: PGN had included the year
1987 in the masthead.) The posting is not exactly fanatical, but
certainly strident, and includes the "adage", "IF YOU CAN'T READ IT,
DON'T RUN IT". It also contains the statement that testing unknown
programs on "write-only harddisks" is useless.

Well, I'd agree. In fact, I'd say a "write-only harddisk" was a pretty
useless piece of equipment.

However, two further respondents, the next day, quoted that exact
passage (one defending the thesis, one attacking it), without
commenting on the error. It wasn't until a few days later that another
posting pointed this out. It also pointed out that the original poster
did not catch this error in the three paragraph "source"; that two
further authors quoted the error without noting it; and that the
moderator, known for his love of pun-laden editorial comment, missed it
all three times.

Obviously, the ability to catch a loophole hidden in several thousand
lines of source code is not a defense.

copyright Robert M. Slade, 1992   HISVIRK.CVP   921022

=============
Vancouver      ROBERTS@decus.ca         | "The client interface
Institute for  Robert_Slade@sfu.ca      |  is the boundary of
Research into  rslade@cue.bc.ca         |  trustworthiness."
User           p1@CyberStore.ca         | - Tony Buckland, UBC
Security       Canada V7K 2G6           |

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 194]
******************************************
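
The database-backed integrity check and "heuristic disinfection" discussed in the Untouchable and Scanner Wars messages of this digest, sketched as an added example; it is not part of any poster's message and is not the algorithm of Untouchable or of any other product named above. The record layout, HEAD_LEN, the function names and the single restore rule are assumptions made for illustration, and the sample bytes are constructed.

```python
import hashlib

HEAD_LEN = 16  # assumed: number of leading bytes the database keeps per file


def make_record(data: bytes) -> dict:
    """Database entry, meant to be taken while the file is known to be clean."""
    return {
        "size": len(data),
        "head": data[:HEAD_LEN],
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_changed(record: dict, data: bytes) -> bool:
    """Change detection only: reports that the file differs, not why."""
    return hashlib.sha256(data).hexdigest() != record["sha256"]


def try_restore(record: dict, data: bytes):
    """One heuristic rule (assumed): the start of the file was patched and
    bytes were added at the end. Put the saved head back, cut the file to
    its recorded size, and accept the result only if its hash matches the
    record. Returns the original bytes, or None when that cannot be proven."""
    if len(data) < record["size"]:
        return None                      # part of the original is gone
    head = record["head"]
    candidate = head + data[len(head):record["size"]]
    if hashlib.sha256(candidate).hexdigest() != record["sha256"]:
        return None                      # rule does not apply; refuse to guess
    return candidate


def demo() -> dict:
    # Constructed sample content standing in for a program file.
    original = b"\xe9\x10\x00" + b"PROGRAM BODY " * 8
    record = make_record(original)

    # Modification the rule covers: first 3 bytes patched, 40 bytes appended.
    appended = b"\xe9\xff\x7f" + original[3:] + b"X" * 40
    # Modification it does not cover: 20 bytes of the body overwritten in place.
    overwritten = original[:30] + b"Y" * 20 + original[50:]
    # Database built too late, on the already modified file.
    late_record = make_record(appended)

    return {
        "clean_changed": is_changed(record, original),
        "appended_changed": is_changed(record, appended),
        "appended_restored": try_restore(record, appended) == original,
        "overwritten_changed": is_changed(record, overwritten),
        "overwritten_restored": try_restore(record, overwritten),
        "late_baseline_changed": is_changed(late_record, appended),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The overwritten file is still flagged as changed, but no restore is offered because nothing can be verified against the record; the late baseline reports no change at all, which is why the database has to be built on a system already checked by other means.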