From lehigh.edu!virus-l Wed Apr 14 18:25:59 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Thu, 15 Apr 93 08:01:24 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA07561; Thu, 15 Apr 1993 04:57:53 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA50032 (5.67a/IDA-1.5 for ); Wed, 14 Apr 1993 22:25:59 -0400
Date: Wed, 14 Apr 1993 22:25:59 -0400
Message-Id: <9304150033.AA10019@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #62

VIRUS-L Digest   Wednesday, 14 Apr 1993    Volume 6 : Issue 62

Today's Topics:

    Re: Should viral tricks be publicized? (was: Integrity checking)
    New program chair for IDES-of-March Virus Conference
    Beneficial/Non-Destructive
    Re: New (?) virus ? (2294) (PC)
    Thunderbyte Update Status (PC)
    Anyone have something like this? (PC)
    DOS 6, two good things (PC)
    Re: Help with Michelangelo! (PC)
    RE: Censorship/40-Hex (PC)
    New PC Virus? (PC)
    Virus Buster (PC)
    Re: Scanners and exe/com (PC)
    ghost positives (PC)
    Status of victor charlie (PC)
    "DIR" infection, or "Can internal commands infect" (PC)
    Re: Help with Michelangelo! (PC)
    Central Point Anti-Virus Updates (PC)
    McAfee latest version (PC)
    Re: gerbil.doc virus (PC)
    TBAV v5.04 Anti-virus software uploads to SIMTEL20 (PC)
    "Naive" users (CVP)
    IFIP Call for Papers
    Survey

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name.
Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Fri, 09 Apr 93 03:39:57 +0000
From: sara@gator.rn.com (Sara Gordon)
Subject: Re: Should viral tricks be publicized? (was: Integrity checking)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>My experience shows me that the bad guys are less knowledgeable but
>better organized and learning faster than the good guys... And I am
>not excluding even us, when I am speaking about "better organized".

as someone who does study this, i am sorry to have to agree with you. the organization of the 'bad guys' is really extraordinary considering the usual problems of such organizational efforts...

>Yes. I am getting virus collections from all over the world. Do you
>know how many of them bear the signature of being downloaded from
>Todor Todorov's BBS?

but wait!! this does not necessarily mean they came from that bbs, of course. i have viruses sent to me from all over the world that have the names of anti-virus companies, anti-virus researchers, even my OWN name...this does not mean they originated here. why, i even have seen them from the VTC at Hamburg...i.e., when they are unzipped, they say 'Virus Test Center, University of Hamburg' in the A-V marking!

of course, viruses did come from that bbs in sofia. it's fortunate that bbs is no longer in operation; and unfortunate that many more have taken its place, mainly in the USA....and no one seems to care....

>Burger's and Ludwig's books are crap - they don't teach you anything,
>even how to write good viruses.
>They don't contain useful information,

i assume you meant to write viruses well, not to write good viruses :)

--
# "talk to me about computer viruses............"
# fax/voice: 219-277-8599    p.o. 11417 south bend, in 46624
# data 219-273-2431          SGordon@Dockmaster.ncsc.mil
# fidomail 1:227/190         vfr@netcom.com

------------------------------

Date: Fri, 09 Apr 93 09:40:29 -0400
From: Judy S. Brand
Subject: New program chair for IDES-of-March Virus Conference

It appears that someone who had been on the 1993 New York "Ides of March" program committee mistakenly reported to Virus-L that there were no significant changes for 1994. The person does not seem to have read my letter last week to "Ides of March" attendees. It contained this announcement:

"Next year, for the first time, the specialists on our greatly expanded Program Committee will take complete charge of organizing the presentations and sessions."

Each program objective or topic will have multiple session presiders and be chaired by a member of the Program Committee who is a specialist in that area. For practical reasons, a topic occupying more than one track will have co-chairs, and in one case one pair of unrelated topics of two or three sessions may be chaired by the same individual who knows both.

For some weeks, the in-formation 1994 Program Committee has been hard at work selecting these "track" chairs and a new overall Program Chair. Professor Richard G. Lefkon, who has been Program Chair for a few years running, will devote most of his effort at the 1994 conference to making sure the registration and premises are well-run. Dick deserves the thanks of us all for his excellent past contributions in assembling and overseeing the sessions.

Computer virus and security specialists visiting the Northeast to attend other meetings are invited to come as well to the mid-March SEVENTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE.
Because of our practical but technical orientation, there is often an overlap of some attendees and speakers between this conference and others with similar names. Regardless of affiliations elsewhere, papers are encouraged from all.

Since 1989 there have always been at least 2 dozen scheduled speakers about computer viruses, with multiple tracks since 1990, and in recent years there have been nearly 100 scheduled speakers.

The 1994 base price will still be $325 for 2-1/2 days, plus an optional $40 for half-day beginner courses in different fields. Attendees receive a bound proceedings, usually distributed before the meeting begins. Nearly all the speakers are first required to have their papers pass an expert quality review where both the judges and the authors remain anonymous.

As by far the oldest, best known - and the largest - conference treating computer viruses extensively, "Ides of March" is an annual "must" for many specialists in the security field to meet, swap samples and anecdotes, and make new business contacts. In the past two years we have provided caucus rooms as a courtesy to computer security groups, whether or not they are formal sponsors of the conference. There are many "open" get-together opportunities as well.

Among non-speakers, the main population consists of managers whose responsibility includes the security unit, telecom and application managers whose products have a security component, technical specialists in viruses and security, and those interested in related legal, awareness and social issues. For many, this is their only computer/network security conference all year, and so we offer five tracks with full topic coverage.

Anyone who wants to be kept posted about progress of the March, 1994, SEVENTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE in New York, is requested to send me a physical mail address. This applies to potential speakers and prospective registrants alike.

Sincerely,

Judy S. Brand

------------------------------

Date: 10 Apr 93 22:59:00 +0000
From: kari.laine@compart.fi (Kari Laine)
Subject: Beneficial/Non-Destructive

Hello Christopher,

I think you should first consider is it possible to have a beneficial virus ? What makes a virus to a virus is that it spreads by itself from one executable to the other or using some other mechanism.

First if virus would come to my system and start infecting my programs I wouldn't like that all and when I noticed it I would SWAT it. Because I am sure it would cause some problems with my existing hardware and software and if for example it would have some problems with my cache-program and I wouldn't notice that it would possibly ruin my data - and that not so nice thing to do.

Second If we think we would have such a beneficial virus (huh) there is a problem with support. What do you think would happen If I have this 'beneficial' virus in my system and everything is working fine. Then after some period I am starting to get problems with other software. When I call the supportline of this software maker I am sure they will say "Hey get first rid of that virus and THEN after that call here when you have a clean system".

Other point to this is that if there is a need for certain kind of a software why not make 'normal' version of that and distribute it like ShareWare or PD. So actually I am asking you what would be that kind of a need that you have to do it viruslike? I can't think of any. And the benefits of using viruslike methods have to be so big that they make up for the trouble caused by viruslike distribution of software.

And let's take an example if there is that kind of a beneficial program that is distributed like a virus. Then when I got software from someone they have to tell me whether they are infected by this 'beneficial' virus or not otherwise I would sue them.
If you want information about this subject try to locate material from Fred Cohen who has been writing about this a long time and then there has been articles in Virus Bulletin and Virus News International and I have a feeling that Vesselin wrote something about this some time ago.

Regards
Kari Laine
LAN Vision Oy - Agent for Dr. Alan Solomon's Anti-Virus Toolkit
klaine@clinet.fi

----
+-----------------------------------------------------------------------+
| Delivered by: ComPart BBS Finland +358-0-506-3329 19 lines V.32bis    |
+-----------------------------------------------------------------------+

------------------------------

Date: Thu, 08 Apr 93 11:21:51 +0000
From: v922340@kemp.si.hhs.nl (Ivar Snaaijer)
Subject: Re: New (?) virus ? (2294) (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
|> v922340@hildebrand.si.hhs.nl (Ivar Snaaijer) writes:
|>
|> > TBscan v5.10 Beta finds it, but this one says that it's the 2294 virus
|> > Could you tell me more ?
|>
|> Well, it -is- 2294 bytes long. Uses variable encryption, memory
|> resident, takes 2448 bytes of memory, uses tunnelling (interrupt
|> tracing), has a critical error handler, infects COM and EXE files,
|> stealth, fast infector.
|>
|> Infects only files that don't contain "SCAN" in their name and that
|> are bigger than 1388 bytes. The last two bytes of the infected files
|> are set to 1000h and the seconds field in their time of last update is
|> set to 56 - the virus uses these criteria for self-recognition.
|> Triggers about two months after the infection (the condition is a bit
|> complex; I haven't figured it exactly), slows down the computer,
|> garbles the printer output (again, from a fast browsing of the code I
|> couldn't tell what exactly gets changed), hooks the keyboard interrupt
|> (changes "0"s to "9"s?), overwrites parts of the hard disk, wipes the
|> CMOS, displays something ("TERMINATOR"?), etc. You'd better get rid of
|> it before it becomes too late...
|>

Thanx, I hope i am clean of this one.. it doesn't appear to be friendly

I also posted a copy to Mario Rodriguez (EM436861@ITESMVF1.BITNET)
He also analyzed it. Here comes some additional info :

The name of this virus is Terminator 2294. F-Prot can't detect it and scan v100 recognizes it as Terminator 2. The virus seems to intercept INT 13h and INT 21h and point them to 9f67:08f7 and 9f67:029C. The virus is encrypted skipping one byte, so it's one encrypted, one not and so on. It also changes the encrypting number in some parts so it's almost impossible to uncrypt it without debugging the virus, but it contains tricky code to avoid that and it also hangs the system.

When running an infected file for the first time the virus hangs the system and it seems to stay resident after pressing CTRL-ALT-DEL so it can infect at boot time and then keep infecting normally without hanging. The problem is that I didn't infect my hard disk but a Ramdisk and it seems to interfere with boots from floppies at boot time. The only thing I know for sure is that this virus only infects REAL .EXE's, not disguised .COM's.

Greetings, Ivar.

-----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
--
E-mail : v922340@si.hhs.nl ... i can't help it, i'm born this way ...
-----------------------------------------------------------------------------

------------------------------

Date: Thu, 08 Apr 93 11:40:42 +0000
From: v922340@kemp.si.hhs.nl (Snaaijer)
Subject: Thunderbyte Update Status (PC)

I took this from the Thunderbyte Support BBS (thursday 8.00 am)

IMPORTANT!!!

Signature file expired? Desperately searching for a new VirScan.Dat file? There isn't a new one..
We noticed time ago that the VirScan.Dat file was not updated adequate and frequently enough, so we decided to develop our own signature file. The new signature file contains about 750 signatures, and is already included in the TBAV beta package TBAVB510.ZIP

Within a few days we hope to release TBAV 5.10. The signature file TbScan.Sig is now included in the TBAV distribution archive. Updates will be released in both the TBAV distribution archives and in a file named TBSIG###. The ### represents digits: the first one is the least significant digit of the current year, the other two are release sequence numbers. The first signature file update will therefore be named TBSIG301.ZIP.

The new signature file will be updated at least once a month.

This probably makes clear why i posted the message that no vsigs are available. BUT I can provide you with a new one. I have downloaded a new version from the same BBS (strange isn't it). This file is probably checked by but not produced by Frans Veldman.

Hope to informed you enough.

Ivar.

-----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
--
E-mail : v922340@si.hhs.nl ... i can't help it, i'm born this way ...
-----------------------------------------------------------------------------

------------------------------

Date: Thu, 08 Apr 93 23:18:15 +0000
From: sali@undergrad.math.uwaterloo.ca (Sayf Ali)
Subject: Anyone have something like this? (PC)

Here's the problem: I just installed DOS V6 on my pc. Now the problem I'm having is that parts of the disk I have written to are becoming bad sectors. It seems to be getting worse. I recently put some shareware windows stuff on my PC and some of this may have had some kind of virus. The shareware was recent stuff from wuarchive and garbo (I think) so the virus may be new.
Sometimes I can hear my hard drive buzzing for long periods with no light flashing. Has anyone had similar problems? Remedy? Please Help!

------------------------------

Date: Fri, 09 Apr 93 01:49:33 +0700
From: micke@qainfo.se (Micke Larsson)
Subject: DOS 6, two good things (PC)

After all said about DOS 6.0 there are at least two good things:

1. the first diskette of the Upgrade set is bootable (as opposed to the Upgrade 5.0)

2. SYS.COM is uncompressed on the distribution diskette (which means that you can fix Form from it)

The fact that this was not possible in DOS 5 has caused major pain etc. for our support dept. We have at least 10 calls a day from customers or non-customers with an infected hd. AND they have DOS 5 -Upgrade- and no boot diskette... AND they do not have SYS at hand... (not that it is a problem but it takes more time on the phone).

Whatever MS complicates with Doublespace, MSAV, etc. they should get some credit for changing this.

Micke Larsson
QA Informatik AB, PO Box 596 S-175 26 Jarfalla Sweden
Tel +46-8-7602600 Fax +46-8-7602605 BBS +46-8-7602615
2:201/370@FidoNet e-mail micke.l@qainfo.se Compuserve Id 100135,1742
QA Informatik distributes Dr Solomon's Anti-Virus Toolkit in Sweden

------------------------------

Date: 09 Apr 93 02:31:45 +0000
From: acw@calmasd.Prime.COM (Alan Wilson)
Subject: Re: Help with Michelangelo! (PC)

Thanks to everyone who replied to my request for help in trying to help the high school kids here recover from a Michelangelo attack. Everyone seems to be running again. Some kids had backups and others did not, and are slowly rebuilding.

The "trick" which was needed to get going was the command fdisk /mbr. It was not obvious that this was needed prior to reformatting the hard disk, and so delayed the recovery.

thanks mucho.
Alan

------------------------------

Date: Fri, 09 Apr 93 03:32:41 -0400
From: David Hanson
Subject: RE: Censorship/40-Hex (PC)

How about distribution of a "clean" version of 40-Hex to the "good" guys? ie., Strip it of code, but leave comments and pseudocode. The "bad" guys already have the info, so the "good" guys should have access to it, right? And removing the actual code "leaves the exercise up to the student", if anyone wants to spend the time and effort to write the code (which most neutral/good folk wouldn't bother with if the flow of the program is explained). Remember, the "bad" guys already have the code.

This would be censorship, of course, but it certainly has an element of reason missing from the fear response of total censorship.

Comments?

------------------------------

Date: Fri, 09 Apr 93 13:35:50 +0000
From: wlim@gdstech.grumman.com (Willie Lim)
Subject: New PC Virus? (PC)

I'm new to this newsgroup but have to send in this urgent request for another person who doesn't have Internet access. Here is the story:

He found a virus in a PC that displays a fish (the "fish" virus?). Using several virus disinfectant tools, including PCRX (sp??), he thought he got rid of the virus. But instead of the fish he got a smiley face. He suspects that the virus is a "mutating virus." Anybody knows about this virus and how to remove it?

Also I seem to recall that there is a national site somewhere (CMU perhaps) that serves as a central repository for such things. Does such a thing exist? If so does it have a hot line (what's the phone number) for reporting new (or suspected to be new) viruses?

Thanks in advance.

Willie

------------------------------

Date: 09 Apr 93 15:15:36 +0000
From: hq!fhi0055@dsac.dla.mil (Marc Poole)
Subject: Virus Buster (PC)

In reviewing the software VIRUS BUSTER, I came across some very interesting circumstances that might be of some interest to those looking for Anti-viral software.
When installing the software, there is a watchdog capability which does not allow the document to be changed. This feature causes a redundant hassle when modifying files. The watchdog feature also creates a large problem when trying to use some executable files, for example the exe files to run a program (i.e. windows, modem software, word processors). It allows the execution to take place as far as loading the software, but does not allow the software to actually run. On occasions, the software will run with no problem, other times it just quits. On modem software, for example Quick Link II, it will not allow uploading of any files. It also, more than often, will not let the program run at all.

That's as far as I got, after the few hassles, I cleaned off the virus software and replaced it with another. Hope this helps.

------------------------------

Date: 09 Apr 93 18:24:00 +0000
From: shakib.otaqui@almac.co.uk (Shakib Otaqui)
Subject: Re: Scanners and exe/com (PC)

JC> > ...
  > > Investigation showed that the file was compressed with PKLite
  > > 1.15, and that a hex editor was used to replace the PKLite
  > > signature with null characters. This apparently defeated SCAN,
  > > which treated it as an ordinary file. After uncompressing the
  > > file with PKLite, one user said SCAN apparently identified it as a
  > > virus, though I suspect it's more likely to be a trojan.

JC> I would like to make you aware of the DISLITE program that I wrote.
  > This program is able to undo ANY pklite compression, regardless of
  > the "PKLITE" signature. Also, you are able to recognise PKLITEd
  > executables using this program.

That's very useful, though the program in question was compressed with the standard PKLite 1.15 and can be uncompressed with it. Further reports on Fido-Net say that once uncompressed, SCAN identifies the Taiwan virus in the file. F-Prot 2.07 says it has ACAD.
For anyone new to the thread, the file in question claimed to be a tiny disk cache and was distributed as a Debug script on the Fido-Net Batchpower and Debug conferences. There are two variants of the script: each produces a file called TNYCACHE.LZH, but the executable within it is a COM file in one case and an EXE in the other. There's a consensus that the COM version is a virus but some disagreement about the EXE: some people have reported it as harmless and others have said it also is infected.

The script was posted several times by at least two persons (or the same person using several names). Since then, there have been dozens of messages reporting trashed systems.

* PQ 2.15 189 * Is a PC with a virus a bobby with the flu?

------------------------------

Date: Sat, 10 Apr 93 05:27:03 -0400
From: Christian Burger
Subject: ghost positives (PC)

Recently, a co-worker gave me a disk with some data files on it, and upon typing 'dir a:' virstop 2.07 with /boot switch found it infected with the Form virus (very nice...)

What followed was mostly dominated by ghost positives remaining in the buffers as discussed some while ago on this list. scan v1.02 yelled loudly that Form be active in memory and that I should power down immediately. f-prot 2.07 at least mentions the possibility of a false positive.

What I would consider the appropriate action by the scanner is to figure out that the pattern was found in the buffers (that must be possible) and then say something like:

'Found the soandso pattern in your buffers. Most likely the virus is not active in memory but one of the disks you accessed during this session is infected. Scan them! Hit y if you want to continue scanning.'

Until you get reliable make it optional so that folx who don't read the manual are on the safe side.

It would also be nice to (optionally) provide additional information for the curious and/or knowledgeable like:

'Found the pattern at position xxxxx in memory. (No | theses...)
int vectors pointing (near this spot | to some strange location). Memory size (seems | seems not) ok. (And so on.) Decide for yourself if you continue scanning or boot from your write-protected trouble disk.'

Christian Burger -- burger@dmrhrz11.hrz.uni-marburg.de

------------------------------

Date: Sat, 10 Apr 93 09:11:04 -0400
From: John Kida (jhk) (Vienna)
Subject: Status of victor charlie (PC)

Ken or anyone....

Seeking verification that Victor Charlie 5.0 is in fact shareware? Any infor is welcomed.

+----------------------------------+----------------------------------------+
| John H. Kida                     | Voice: (919) 867-7738                  |
| Network Administrator            | Data : (919) 867-0754                  |
| SSDS, Inc. (Remote)              +----------------------------------------+
| 601 Dashland Ave.                | Internet: jhk@washington.ssds.com      |
| Fayetteville, N.C. 28303         | UUCP : !uunet!ssds!jhk                 |
+----------------------------------+----------------------------------------+

------------------------------

Date: Thu, 08 Apr 93 12:18:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: "DIR" infection, or "Can internal commands infect" (PC)

Hello everyone.

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) in an answer to anlyyao@igc.apc.org (An-Ly Yao) writes:

ALY: >> But if your PC used a COMMAND.COM on that disk for the DIR, and if the
     >> COMMAND.COM was infected, than now perhaps also your PC might be infected.

VB: > DIR is an internal command and is executed by the currently loaded
    > command interpreter. It DOES NOT require reloading of the command
    > interpreter. Thus, even if the command interpreter on the floppy
    > is infected, it WILL NOT be loaded (and executed) if you
    > do a DIR on that floppy. Therefore, you CANNOT get infected this way.
This is only partially true because of the following:

COMMAND.COM is divided into 3 major parts: TSR, INIT & TRANSIENT as follows:

- The TSR part is the one located at the bottom of the memory, (the one you can see with memory mapping utilities and is about 3K in DOS 5.0).
- The second part (INIT) has a role only in the booting operation (first time COMMAND.COM is called).
- And the third part (which is the most important to this article) called the TRANSIENT part is loaded to the upper part of the 640K boundary however unreported in DOS MCB (the memory occupied by it is unreported).

There is a reason for all that: every program that needs more memory MAY overwrite the TRANSIENT part in memory (so more memory is available to programs). It is in the TSR part's responsibility to check the TRANSIENT and refresh it if it was overwritten (this is when you see DOS's message: " Insert diskette with COMMAND.COM and strike a key...").

The job of the TSR is to help maintain the TRANSIENT in memory, to support program termination and to display critical error messages. The TRANSIENT's job is to support *INTERNAL COMMANDS*, Batch files and external commands. (for more information please read Microsoft's "The MS-DOS Encyclopedia" page 76-79).

In conclusion: If you use a floppy drive system (assuming you've booted from it) and you type "DIR" it is possible (but not likely) that the TSR part of COMMAND.COM will try to load the TRANSIENT part from the infected floppy.

However: to infect the TRANSIENT part alone in such a way that the TSR will load exactly what you want is an un-easy task (however possible), but the *INFECTED* COMMAND.COM should be present at boot time since the TSR knows the file it is using to refresh the TRANSIENT by means of a CHECKSUM generated at first loading. Thus: simply switching COMMAND.COM to an infected one (after the system is already booted) will not suffice.
My conclusion is also that it is not possible (in normal conditions) to get infected just by typing "DIR".

VB: > Regarding the original question - can you get infected
    > if you do a DIR on a (possible infected) floppy. In order to get
    > infected, you must execute some viral code. Therefore, the question is
    > equivalent to whether you can execute some code by executing the DIR
    > command on a floppy.

I think I explained above how you *might* execute some code by "DIR".

Warmly
* Amir Netiv. V-CARE Anti Virus, head team *

---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Wed, 07 Apr 93 12:22:00 +0100
From: Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Help with Michelangelo! (PC)

Hello Malte,

ME> [Michelangelo]
>> memory). He owerwrite first 255 tracks oFSC-Control: #> (all sectors on all heads).

ME> Other voices say Mikey just kills head 0 to 3 of tracks 0-255. Who is
ME> right?

the second one is correct. But the result is the same : you have to format your drive.

Ciao, greetings from karlsruhe
Robert

---
* Origin: Make BACKUPS ! Virus Help Service Karlsruhe, (9:492/2170)

------------------------------

Date: Mon, 12 Apr 93 13:16:22 +0000
From: lindsas@ecf.toronto.edu (LINDSAY STUART JOHN)
Subject: Central Point Anti-Virus Updates (PC)

I'm just wondering if there is an ftp site that supports updated virus lists for the Central Point Anti-Virus program.

Thanks a lot.

*******************************************************************
* Stuart Lindsay   Electrical Engineering, University of Toronto  *
* Address all Internet Correspondence to lindsas@ecf.utoronto.ca  *
*******************************************************************

------------------------------

Date: 12 Apr 93 15:42:08 -0400
From: lastort@access.digex.com (Mike Lastort)
Subject: McAfee latest version (PC)

I was just wondering if there was an address where McAfee's programs are available through Internet.
I used to subscribe to Compu$$erve but have given up that habit when I got this account. Any info on how to ftp McAfee's programs would be greatly appreciated.

Mike

------------------------------

Date: 06 Apr 93 19:35:51 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: gerbil.doc virus (PC)

Thus spake colcloug%helios.usq.edu.au@zeus.usq.edu.au (Steven Colclough):

>anyone come across this one? The gerbil.doc virus?
>takes a text file, turns it into rubbish and at the top it says
>gerbil.doc.

This was one of the early Crazy Stories About Viruses which made it into print -- in Computers and Security about three years back, as I recall, under a title like "The Case of the Gerbil Virus That Wasn't", or some such.

[Moderator's note: I remember it now; the article was written by Ray Glath, and it described a (non)incident that was reported to him. The bottom line was that no such virus existed.]

Software problem combined with an old, internal pre-release name ["gerbil"] never mentioned in the manual, if my memory serves me.
Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin duck@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: Sat, 10 Apr 93 04:36:37 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAV v5.04 Anti-virus software uploads to SIMTEL20 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:
TBAVU504.ZIP    TBAV Anti-virus software (update from v5.03)
TBAVX504.ZIP    TBAV Anti-virus software (optimized *.EXE's)
VSIG9303.ZIP    Virus signatures for TBAV software (March 93)

Replaces:

pd1:
TBAV503.ZIP
TBAVU503.ZIP
TBAVX503.ZIP
ASIG9301.ZIP
VSIG9301.ZIP
and any older files (= lower version)

Also replaces the following files, which can therefore be deleted:

pd1:
VSIG92??.ZIP    Old signatures files ('92)
ASIG92??.ZIP    Old emergency-additions
TBSCAN??.ZIP    Now in TBAV package
TBSCNX??.ZIP    same
TBRESC??.ZIP    same (now 'tbutil')

Greetings,

Piet de Bondt E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl

------------------------------

Date: 11 Apr 93 12:18:00 -0600
From: "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067"
Subject: "Naive" users (CVP)

PRTAVS3.CVP 930404

"Naive" users

Also of very high importance, in testing antiviral systems, is the fact that the proportion of computer users who have a thorough understanding of viral operations in comparison to the total user population is so small that it is statistically insignificant. Therefore, it is vital that any antiviral program be judged on the basis of installation and use by "naive" users. A "naive" user in this case may be one with significant technical skills, but little background in regard to viral programs.
(I realize that my statement regarding the naivete of computer users may be extremely controversial. Recall, however, that there are about one hundred million users of MS-DOS, and then compare that with the number of people who take an active interest in prevention of computer viral programs. Note that less than a quarter of computers have any defense against viral attack. Note a "clipping file" covering 30 general computer industry periodicals over a period of two years with only eleven articles on computer viral programs. Note also the very high sales of some highly publicized programs known by the virus research community to have very definite shortcomings.)

It is critical, therefore, to judge the interaction of the program with the user. Again, this interaction is not simply the presence or absence of a menu, but the total intercourse between the program and the user, by way of the documentation, installation, and user interface and messages. It is important to note how the total package "comes to" the user. Given that the user's system may already be infected, what can the package do to remedy the situation? Also, while the package may have significant strengths if installed correctly, is the "normal" user likely to be able to do the setup and installation properly?

As I write this, I am still delaying final publication of one particular review. Although I highly respect the people behind the main programming of the package, I have "marked down" the program because of the inclusion of a "graphical user interface". Am I opposed to GUIs? By no means: it is just that I do not perceive, in this particular case, that the GUI actually does anything to assist the user to increase the level of security. In fact, it is my perception that the inclusion of the GUI may be responsible for some sloppy design and documentation.
In that case, the user may be given a false sense of security, thinking that the system is using a variety of protection methods, when, in fact, the user may have failed to invoke some of them because their use is not "intuitive" or obvious.

Remember that, for the seeming simplicity of some programs, antiviral software is still a part of computer security. Security is not now, has never been and never will be, obvious to the majority of the population.

copyright Robert M. Slade, 1993 PRTAVS3.CVP 930404

==============
Vancouver      ROBERTS@decus.ca      | "If you do buy a
Institute for  Robert_Slade@sfu.ca   |  computer, don't
Research into  rslade@cue.bc.ca      |  turn it on."
User           p1@CyberStore.ca      | Richards' 2nd Law
Security       Canada V7K 2G6        | of Data Security

------------------------------

Date: Mon, 12 Apr 93 14:04:11 -0400
From: "Dr. Harold Joseph Highland, FICS"
Subject: IFIP Call for Papers

*****************************************************************
CALL FOR PAPERS
*****************************************************************

TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE
IFIP SEC '94 - ARUBA

ORGANIZED BY IFIP TECHNICAL COMMITTEE 11
* Security and Protection in Information Processing Systems *
IN COOPERATION WITH THE SPECIAL INTEREST GROUP ON INFORMATION SECURITY OF THE DUTCH COMPUTER SOCIETY AND CO-HOSTED BY THE ARUBA COMPUTER SOCIETY.

MAY 23 - MAY 27, 1994
PALM BEACH, ARUBA, DUTCH CARIBBEAN

The purpose of the Tenth International Information Security Conference IFIP SEC '94 -- "Dynamic Views on Information Security in Progress" -- is to provide an international forum and platform sharing experiences and interchanging ideas, research results, development activities and applications amongst academics, practitioners, manufacturers and other professionals, directly or indirectly involved with information security and protection. It will be held at Palm Beach, Aruba, Dutch Caribbean on May 23rd-27th, 1994.
Those interested in presenting papers are invited to do so by September 30, 1993. The papers may be practical, conceptual, theoretical, tutorial or descriptive in nature, addressing any issue, aspect or topic of information security. Submitted papers will be refereed, and those presented at the conference will be included in the conference proceedings. Submissions must not have been previously published and must be the original work of the author(s).

The International Program Chair is particularly interested in papers on:

    Information security aspects in developing nations
    Security of health care systems
    Aspects of transborder data flow
    Fraudulent aspects and networks
    Security in banking and financial industry
    Evaluation criteria in information security
    Cryptology
    Risk management and analysis
    Contingency planning and recovery

Instructions to Authors

Five (5) copies of the complete paper, which should not exceed 25 double-spaced, typewritten pages, including diagrams, of approximately 5,000 words, must be received by NO LATER THAN
September 30, 1993.
^^^^^^^^^^^^^^^^^^
Diskettes and electronically transmitted papers will not be accepted. Papers must be sent to the International Program Chairman [address noted below].

Each paper must have a title page which includes the title of the paper, full name(s) of all author(s) and their title(s), complete address(es) including affiliation(s), employer(s), telephone number(s), telefax number(s) and e-mail address(es). To facilitate the blind refereeing process the author(s)' particulars should only appear on the separate title page. Furthermore, the first actual page of the manuscript should include the title and a 100 word abstract of the paper, explaining its contents.

Note: The language of the conference is English. All submissions and presentations must be written and delivered in the English language. However, at the conference Spanish translation will be available for the audience.
Notification of acceptance of submitted papers will be mailed on or before December 31, 1993. At that time author(s) will be instructed to prepare final camera-ready manuscripts and the final deadline for submission of the camera-ready manuscript is February 28, 1994. Papers should be submitted to the International Program Chair at the Secretariat [address noted later]. All authors of submitted papers will enjoy special benefits at the Conference.

The Referee Process

All papers and panel proposals received by the submission deadline will be considered for presentation at the conference. To ensure acceptance of high quality papers, each paper submitted will be double and blind refereed. All papers presented at IFIP SEC '94 will be included in the conference proceedings, copies of which will be provided to the attendees. All papers will also be included in the formal proceedings of IFIP TC11 to be published by Elsevier Science Publishers (North Holland).

About the Conference

IFIP SEC '94 will consist of a five day/five stream program with advance seminars, tutorials, open forums, special interest workshops and technical sessions. The conference will offer world-renowned and most distinguished speakers as its keynoters, and the highest quality of refereed papers. There will be far over 100 different presentations. This special conference will be held at the convention space situated at Palm Beach on the Dutch Protectorate island of Aruba in the Caribbean.

During the world's most comprehensive information security conference, the second Kristian Beckmann Award, honoring the first chairman of IFIP TC 11, will be presented.

IFIP SEC '94 is intended for computer security researchers, security managers, advisors, consultants, accountants, lawyers, edp auditors, IT and system managers from government, industry and the academia, as well as individuals interested and/or involved in information security and protection.
The Tenth International Information Security Conference is organized by Technical Committee 11 of the International Federation for Information Processing, in cooperation with the Special Interest Group on Information Security of the Dutch Computer Society, and will be hosted by the Aruba Computer Society.

Conference Information

Aside from the submission of papers, which should be to the International Program Chair, information about all other matters, including participation registration, travel, hotel and program information, is available from the General Organizing Chair at the Secretariat.

SECRETARIAT IFIP SEC '94 ARUBA
Postoffice Box 1555
6201 BN MAASTRICHT
THE NETHERLANDS

or

SECRETARIAT IFIP SEC '94 ARUBA
Wayaca 31a
Suite 101/104
ARUBA - DUTCH WEST INDIES

Telephone: +31 (0)43 618989
Telefax: +31 (0)43 619449
Internet E-mail: TC11@CIPHER.NL

Local Limited Contact

If you want you may communicate with: Highland@dockmaster.ncsc.mil and I'll help if I can.

HJH

------------------------------

Date: Tue, 13 Apr 93 04:06:22 +0000
From: mdallin@lamar.ColoState.EDU (ABCDefghIJKLm)
Subject: Survey

I am currently in the process of writing a two part paper concerning computer viruses. The first part deals with the general problem (statistics, et al), and the second part deals more with how the public perceives what a virus is. To research it, I decided to throw together a survey, and send it to three places - a general all interest network, a bbs with frequent up/downloads, and to the experts on viruses (here). So, if I may be as bold as to ask you to complete the survey below - I tried to make the questions short and easy to answer (most are yes/no questions):

PLEASE SEND THIS BACK TO ME VIA EMAIL TO ONE OF THE FOLLOWING ADDRESSES:

    mdallin@lamar.colostate.edu
    dallin@beethoven.colostate.edu

DON'T CLUTTER UP THE NEWS SERVICE WITH YOUR ANSWERS! THANKS!

PART I: Misc. Info/Statistics

1. What virus detection/prevention software do you use?
2.
How many times (different occasions) have you been infected with a virus? (if only a few times, list the viruses)
3. On a scale of 1 to 10, how would you rate the virus danger (1 = Nonexistent, 5 = Moderate, 10 = Extreme, etc)?
4. Do you believe that the media over-hypes viruses?

PART II: Urban Myths

(Note: Some of the ideas presented below are myths, some are not - I just want to get an idea of how high the level of education about viruses is.)

1. Do you believe that some countries write viruses to "punish" computer hackers?
2. Do you believe that some countries write viruses designed to infiltrate computers in other countries?
3. Do you see/predict any useful applications of viruses in the future?
4. Do you believe that the law enforcement community has been properly trained to deal with virus-related crimes?
5. Do you believe that it is possible for a virus to cause hardware damage (ie, 'burn' itself into chips, cause short circuiting, etc etc)?
6. Do you believe that viral code should be available to those who would use it in a responsible manner (ie, research purposes, etc)?
7. Do you believe that it is possible for a virus to work on machines with different operating systems (eg, a virus that will attack MSDOS machines AND Macs) either now or in the future?

Ok, that's all folks. The statistics will be posted (hopefully) around Monday, April 19th (or so). Thanks for your reply!

Mdd

- --
"Ah, Ah, Ah, Ah, AAAAAAAAAAAH!!!!"    mdallin@lamar.colostate.edu
  -- Queen, Ogre Battle                dallin@beethoven.colostate.edu

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 62]
*****************************************