Return-Path: Received: from IBM1.CC.Lehigh.EDU ([128.180.2.1]) by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA05760; Thu, 2 Apr 92 21:29:33 +0200 Message-Id: <9204021929.AA05760@abacus> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 4151; Thu, 02 Apr 92 14:12:32 EST Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 8988; Thu, 02 Apr 92 14:12:07 EST Date: Thu, 2 Apr 1992 14:03:03 EST Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #82 Comments: To: VIRUS-L@ibm1.cc.lehigh.edu To: Multiple recipients of list VIRUS-L Status: RO VIRUS-L Digest Thursday, 2 Apr 1992 Volume 5 : Issue 82 Today's Topics: Re: Increasing CBCS Security (PC) Elated virus (PC) Re: McAfee V89B anti-virals uploaded to SIMTEL20 (PC) MDISK & FDISK - Are they the same? (PC) OMICROM virus (PC) Novell Virus? (PC) Vshield vs Word (PC) virus classification? (PC) Re: warning about mutation engine (PC) help on writing scanner (PC) Re: Wanted: Info about "Form" virus (PC) Re: Which Package is Best? (PC) Heuristic scanner flaws (PC) Re: 639k on PS/2s (PC) XCOPY under OS/2 (OS/2) Printer, printer, sing a song... International virus symbol. Research help...Please :) Virus "Hot Days" BEACH is still alive!! VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 30 Mar 92 23:13:39 -0800 From: Toria@cup.portal.com Subject: Re: Increasing CBCS Security (PC) bontchev@fbihh.informatik.uni-hamburg.de writes: >> it's what I had to do on MC-link, the computer-based conference system >> I work for. We have a shareware library of some 300 Mb, about 100 of >> which are Ms-Dos. And our paying subscribers expect us to keep it free >> from viruses. So we have set up a regular routine by which every .ZIP > >Hmm.... it's a very difficult problem, especially if somebody >deliberately decides to attack your system... He could use an unknown That is just part of the problem. I hope that nobody is going to be so deliberately distructive; anyway the identity of my users is verified with a fairly strict procedure, and I hope this will discourage such attempts. >virus (so the scanners won't catch it, and if he's clever enough, >he'll avoid the heuristic analyser of F-Prot too), a clever tunnelling >virus (so that it will be able to bypass a monitoring program) and a What do you exactly mean by a "tunnelling" virus? >> consists in running SCAN against it. This procedure has not kept us >> from stumbling in a sample of "September 18th", which was not >> acknowledged by SCAN (but was found by one of the users who ran CPAV >> against one of our newest additions). > >Have you actually kept the file? This is a very silly virus and I >somehow doubt that it can spread in the wild... Maybe it was just yet >another false positive caused by CPAV? Have you tried to disinfect the >file? Did it work after being disinfected? Yes, I have kept the file, and I can send it to you if you wish. Please send me e-mail stating if you want it sent to your mailing address or give me a different procedure. It was not a false positive caused by CPAV, because I made two separate checks, one with VIRex and the other with VB's scan string. Both were positive. And no, I have not tried to disinfect the file because I did not have CPAV myself yet. ------------------------------ Date: 31 Mar 92 08:01:59 -0600 From: wjh0265@tamsun.tamu.edu (William Hobson) Subject: Elated virus (PC) Has anyone heard of a virus called 'Elated'. The victim claims to have been infected by this virus and said that VSHIELD reported it. This virus is not listed in any information I have and I have no idea of removal procedures. Thanks for any info you have. ------------------------------ Date: 01 Apr 92 09:28:22 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: McAfee V89B anti-virals uploaded to SIMTEL20 (PC) mcafee@netcom.com (McAfee Associates) writes: > the United States. In the past month two additional mutated viruses have > appeared--the Fear virus and the Dedicated virus. It seems certain that many > more such viruses will appear in the near future, since the object code for Let's hope that they won't appear. If SCAN is really able to detect any MtE 0.90-beta based virus, then the virus writers won't be tempted to create such viruses... BTW, Fear is just a trivial text patch of the Dedicated virus. > Also added in this release is capability to detect nonspecific (new > or unknown) file-infecting viruses. When a file is detecting containing > an unknown virus, SCAN will report the presence of a Generic File Virus A heuristic analyser? Sigh... :-(( > Version 89 of SCAN now includes a "save option" feature that allows > systems administrators to pre-configure SCAN to default to scanning specific > drives, checking or not-checking memory, creating a specific report, or any > other command line setting for their end users. The /SAVE option will save > all of the other options that are specified on the command line, or will reset > to the original SCAN defaults if no other options are specified on the command > line. The saved options will be added to the SCAN.EXE file. This option > should be set up by the systems administrator prior to distribution to the > end-users and installation on the end-users' machines. A new VALIDATE.COM > has been included in this release. It must be used instead of the old version > if the /SAVE option is used. Otherwise, the validation results before and > after /SAVE will not match. Sigh.... :-((( Yet another self-modifying program... I really didn't expect that from an anti-virus producer... You are trying to create more difficulties for your competitors who produce integrity checkers or what? Self-modifying programs are a VERY BAD IDEA! Couldn't you just use a configuration file or an environment variable to store all those options?! > Version 89 of VSHIELD adds the /SAVE option (see SCAN for details), So this makes -two- new self-modifying programs... I strongly discourage anybody from using such things... Maybe if the users put enough pressure to the program developpers, they'll stop to use this bad practice. > Version 0.4 of VALIDATE has been released. This version is able > to validate the software after the /SAVE switch has been used to store > options in SCAN and VSHIELD. (VALIDATE.COM is included in the .ZIP Does this mean that VALIDATE is now specific to your products only and cannot be used to validate other programs? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 01 Apr 92 10:12:00 -0600 From: SWAYZED@BrandonU.CA Subject: MDISK & FDISK - Are they the same? (PC) I just picked up CLEAN89B from Simtel20 and when looking through the documentation noticed that to fix some viruses MDISK is required. I picked up M-DISK.ZIP from Simtel20, however it only appears to work with versions of DOS up to 4.01. I have DOS 5.0. Is there a more recent version of M-DISK available somewhere? I also noticed on this group that there is discussion of FDISK, already bundled with DOS 5.0. Does FDISK perform the same function as MDISK? Thanks! - -- David Swayze | swayzed@brandonu.ca | Reading furnishes the mind only Brandon University | Canada (pokey) Post: | with materials of knowledge; it Brandon, Manitoba | 56 Wilnor Bay | is thinking which makes what we Canada | Brandon, MB, R7B 3H1 | read ours. John Locke ------------------------------ Date: Wed, 01 Apr 92 17:10:08 +0700 From: Antonio Joao Nunes Cardoso Subject: OMICROM virus (PC) Hello A friend of mine asked me to ask this : How to remove the NEW OMICROM virus reported by CPAv ? He used CPAV to remove it and he couldn't remove that properly. Another thing is that someone told him that the OMICROM virus is a mutating virus wich can be traced as FRODO or 4096. Can some one help me so I could help my friend ? Any desifector is Welcome ! - ------------------------------------------------------------------------- Antonio Cardoso: - BITNET - Internet Faculdade de Ciencias da Universidade de Lisboa, Portugal. - ------------------------------------------------------------------------- ------------------------------ Date: Wed, 01 Apr 92 12:58:34 +0000 From: G J Scobie Subject: Novell Virus? (PC) Last year I ftp'd an article which apparently had been published in Computers and Security Nov 1990 issue (I forget which site). This paper written by Jon David outlines a virus which seemed to infect a Netware server without the appropriate rights to do so. Anyone any upto date info on this given the recent discussion on this topic? Garry Scobie LAN Support Edinburgh University Scotland ------------------------------ Date: Wed, 01 Apr 92 14:25:00 -0500 From: RICHARDS@NRCBSC.NRC.CA Subject: Vshield vs Word (PC) We are running VSHIELD (4.8 B86) on 386's in an area of shared computers (free access to all staff). It is run as VSHIELD /chkhi/m/lh. We are getting conflicts with WORD 5.0 (Microsoft), WORD will run for several minutes and then the computer will hang, gives message "cannot access COMAND.COM" or something similar. Usually happens when you are using a WORD command, not when you are just typing. We are now running WORD from a batch file which removes VSHIELD, uses WORD and when you quit WORD reinstalls VSHIELD. Any other suggestions? THANKS. Robert A. Leitch LEITCH@BIOLOGYSX.LAN.NRC.CA IBS, N.R.C. of Canada (613) 990-0824 ------------------------------ Date: Wed, 01 Apr 92 12:28:38 -0800 From: rsr@garnet.berkeley.edu (Roger Rosenblum) Subject: virus classification? (PC) Are viruses that use the Mutating Engine classified as "stealth" viruses or as "polymorphic" viruses? Or either? Roger Rosenblum Internet: rsr@garnet.berkeley.ed u University of California at Berkeley ------------------------------ Date: Thu, 02 Apr 92 10:29:00 +1200 From: "Mark Aitchison, U of Canty; Physics" Subject: Re: warning about mutation engine (PC) mike.opzoomer@canrem.com (Mike Opzoomer) writes: > VB>mcafee@netcom.com (McAfee Associates) writes: > VB>C'mon, let's be serious. There is no such virus against which there is > VB>no protection. Any integrity checker that is worth the price of the > > Yes.. the Pogue was detected and cleaned (most of the time) but the > NEW polymorphic engine (not the one that spawned Pogue and the others) > has a way of wiggling its way through vshield or any other memory > resident checker. > > The polymorphic engine is just that, and once infected it mutates on > an ongoing basis, rendering any scan utility useless (unless you have > a copy of the size of the original file) I tend to agree that there cannot be a virus for which there is no protection, but it looks like we are starting to see viruses for which the vast majority of conventional methods fail. I can understand scanners failing on mutating viruses - that's "old hat" , but the claim it can wiggle past "any other memory resident checker" has me worrying; does that mean only memory-resident scanners or *any* memory resident checker? I suspect that these viruses, even if their code differs greatly, will still always use just one or two methods of infecting - it should be stoppable at that stage, with a checker that looks at what it does, rather than the code it uses to do that. Rememberring that there are more ways of stopping a virus than simply scanning for it, what other anti-viral methods (e.g. change detectors, software write-protection, anything) actually succeed? Has anyone carried out the tests? If not, could someone with the engine do so - quick, please! Mark (with a bit of panic in his voice) Aitchison. ------------------------------ Date: Wed, 01 Apr 92 17:54:55 +0000 From: astlp@acad2.alaska.edu Subject: help on writing scanner (PC) Hi I need information about writting a scanning program for an IBM pc/xt/at. Nothing fancy, just bare bones and all it has to find is one or two viruses. Request: could anyone who's worked with writting scanners please send me a note just letting me know what all is involved with writing a scanner and what needs to be taken into consideration? Thanks for the time. Tam astlp@alaska.bitnet astlp@acad2.alaska.edu ------------------------------ Date: Wed, 01 Apr 92 18:30:00 +0100 From: "Olivier M.J. Crepin-Leblond" Subject: Re: Wanted: Info about "Form" virus (PC) >Date: 26 Mar 92 17:53:14 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Subject: Re: Wanted: Info about "Form" virus (PC) > >magnus@thep.lu.se (Magnus Olsson) writes: [...] >> 2) What is the simplest method of disinfecting the HD? Will it be >> enough to just do a SYS command from a floppy, and is there any risk >> of damage if I do that? > >Yes, SYS C: will do the job. In the worst case, you'll have to use >Norton Disk Doctor's "make a disk bootable" option. May I add that in these times, where versions of DOS seems to be shared between 3.3, 4.1, and 5.0, that you must make sure that you are using the same DOS version on your floppy as on your Hard Disk. I have seen several cases where the SYS C: command has loaded a DOS 3.3 or 4.01 to a 5.0 Hard disk. In this case, the disk crashes with an error of some type. Worse still, if you use Norton Disk Doctor's program, you may end-up with invalid media descriptors, etc. etc. Thus, take care to use the same DOS version, or you'll have to re-format the drive from start. >> 3) No files seem to have been damaged (yet). However, the virus list >> enclosed with SCANV86 said something about Form damaging data files. >> In what way does it damage files? If the virus is not properly removed, YOU can damage all your files. Olivier M.J. Crepin-Leblond, Comms. Sys. & Sig. Proc.,Elec. Eng. Dept. Imperial College of Science, Technology and Medicine, London, UK. ------------------------------ Date: 01 Apr 92 18:01:14 -0500 From: Wolfgang Stiller <72571.3352@CompuServe.COM> Subject: Re: Which Package is Best? (PC) Y. Radai writes (in two separate postings): > Now to the point raised by Donny (and one of those raised by Wolf- >gang). It is true that UT's full check is slower than IM's, and I can >certainly understand why both of you, and probably many others, felt >that my comparison of UT's quick check with IM's full check was un- >fair. However, when I answered Vesselin's question, my criterion in >comparing the two checkers for speed was to use the *fastest* mode >which each product provides. Come on now! If we're comparing two products like this, it makes sense to compare the modes of operation that are most alike. If in full check mode, Integrity Master reads and checks each and every byte on each and every file (or just executables). This would seem the most "apples to apples" basis for comparison, since UT does basically the same thing. Will UT check ALL files (not just executables) like IM? Will UT check source files (intended for programmers) along with executables? > My claim that UT's quick check is for all practical purposes just as >secure as a full check was challenged by Vesselin and Wolfgang. You don't seriously still maintain that UT's quick check is as secure as a full check????? Consider if a single file is infected or corrupted, UT's quick check will miss this, while Integrity Master's full check will certainly detect it. > In any case, both UT and IM assume that the user will not depend on >quick checks alone, but will perform a full check in a clean system >from time to time. The difference is that unlike almost all other >products, which at best *advise* the user to periodically perform a >full check after booting from a clean diskette, UT does its best to >*make* the user do this by periodically displaying a large red notice >telling him it's time to perform a safe test using the diskette which >was created during installation and which contains everything necessa- >ry to perform the task with almost zero effort on the user's part. I agree this is a very nice feature of UT. >I think what you're trying to describe is what I referred to as an >"ambiguity" virus in my paper. It can't be detected by a checksummer >*alone*, but there are other measures which can be taken in this case, >and who says that the burden must be on a checksummer alone? I believe the fifth generation folks say this ;-)! Their ads claim that once you buy UT you will not need to update or buy another product and be safe forever. Or do I misunderstand? Regards, Wolfgang Wolfgang Stiller Stiller Research 2625 Ridgeway St. Tallahassee, FL 32310 U.S.A. ------------------------------ Date: Wed, 01 Apr 92 13:44:00 -0500 From: Ron Whittle Subject: Heuristic scanner flaws (PC) >From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) >Subject: Fprot & 2to1 (PC) > >Most good systems are gravitating toward a tree based heuristic analysis >for speed - first determine if a program is "suspicious", then try to >identify a specific signature if something is questionable. The text of >the message indicates that F-Prot has found "suspicious" behaviour (which >it has) that does not match any of the known signatures (which it does not) >but has warned the user that it is similar to that used by MBR "droppers" >(which it is). > >Incidently, the original SafeMBR.com and its removal tool 2to1.com have been >superceeded by the much more capable FixMBR program which does not trip >F-Prot 2.02d. This posting shows that the heuristic analysis is already flawed, and most people haven't even implemented it yet. If you can write a program that will overwrite the MBR and F-Prot 2.02d heuristic scanner doesn't trip on it, then a virus could use the same code that you are using. Ron Whittle Internet : CSCRDW%CURIE@epavax.rtpnc.epa.gov | EPA/NAREL VMSnet : CURIE::CSCRDW | Voice : (205) 270-3482 FTS 228-3482 | This message is not self FAX : (205) 270-3454 FTS 228-3454 | referential. This one is. ------------------------------ Date: Thu, 02 Apr 92 07:56:24 +0000 From: cjkuo@locus.com (Chengi Jimmy Kuo) Subject: Re: 639k on PS/2s (PC) miguel@roxanne.nuclecu.unam.mx (Miguel de Icaza A.) writes: >IBM PS/2 computers reserve 1Kb from conventional RAM for the ABIOS >(Advanced BIOS) variables. ^^^^^ IBM PS/2 computers reserve 1Kb from conventional RAM for additional data storage required by BIOS. Note: not all PS/2s have ABIOS (models 25/30). However, ALL PS/2s reserve "at least" 1K. Today, they reserve 1K but the concept is not limiting. Jimmy Kuo (former IBM employee, PS/2 model 30 BIOS programmer) PS. IBM does not divulge the contents of the Extended BIOS Data Area. That's why the contents are not publicized. - -- cjkuo@locus.com "The correct answer to an either/or question is both!" ------------------------------ Date: Wed, 01 Apr 92 12:43:31 -0500 From: CSVCJLD@NNOMED.BITNET Subject: XCOPY under OS/2 (OS/2) I wrote >I'm running OS/2 1.3. Under OS/2, XCOPY does not change the >dates of the files it copies. In the DOS box, the files created by >XCOPY have their dates set to the current date. The resulting files >are the same size as the originals and COMP says they are the same. >Is this a known OS/2 1.3 bug? Or, do I have a virus? Kevin Haney (NIHCR31.BITNET) writes >I tried this on my system which has IBM OS/2 1.3 Standard Edition, and >XCOPY in the DOS box did not change the file dates. You could possibly >have a virus. DOS viruses can usually run in the DOS box of OS/2 and >your DOS command files could be infected. You can easily determine >this by scanning your system with a recently updated scanner after >booting up from a clean DOS diskette. Unfortunately, my hard drives use OS/2's High Performance File System which cannot be read by DOS; I can't boot from a DOS diskette and scan the hard drive. If I use PKUNZIP *under OS/2* to extract SCAN.EXE from McAfee's SCANV89B.ZIP, nothing is detected when I run "SCAN C: /M" or "SCAN D: /M" in the DOS box. -- Jimmy Dean CSVCJLD@NNOMED.BITNET ------------------------------ Date: 01 Apr 92 10:11:23 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Printer, printer, sing a song... [Moderator's note: Having received this on April Fool's Day, I was rather skeptical of the message's authenticity. (I did, by the way, receive a few other "strange" postings which turned out to be AFD jokes.) However, Vesselin assures me that this report is bona fide, so here it is.] Regardless of the date of this message, it is not an April Fool's joke; it's a true story. A few weeks ago somebody called the Laboratory of Computer Virology in Sofia and asked for help, "because his printer was infected by a virus". When asked why does he think so, he replied that his printer is playing a melody. No, not just a beep, a whole melody. Since after CNN reported that NSA has shut down the Iraqui air defense with a printer people tend to believe just -everything- about viruses, the reaction of the virus experts there was "c'mon, don't be silly". Of course, they expressed it in a more polite way, like "oh, it's probably a hardware problem; you should check the manual". Then they forgot the whole thing. A few days later somebody else called and reported that his all three printers are playing one and the same tune. No, not the beep that they usually emit when they are out of paper. Yes, he has read the manual and the melody is not mentioned there. Yes, the printers began to play the melody on one and the same day, although at different times. One after another, just as if something is infecting them. Indeed, it sounded like a virus. One of my colleagues from the Lab visited the "infected" site. After a while she called back and said that indeed, all the printers are playing a melody. She put the phone hook near one of them so that the people at the Lab could hear the melody. It wasn't "Yankee Doodle". It wasn't a melody played by any of the known viruses, but it was a melody. The printers were all of the same kind - "TURCO" or something like that. They played the melody even when physically detached from the computer. Now, how do you boot a printer from a clean diskette? :-) The printers have been bought about a month ago from a company which didn't exist any more and which imported them from some of the far east countries. It took my people almost a week to find somebody who understands those printers. To make the long story short, it turned out that the producer has included, for some weird reasons, the possibility to play this melody when something goes totally wrong - like the printing head is damaged. This "feature" wasn't documented, since it was thought that this is a kind of "impossible error", an error that will never occur. Unfortunately, the printers turned out to be of rather low quality, so the got out of order pretty soon. And almost at one and the same time... So, beware of singing printers... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 01 Apr 92 15:15:51 +0100 From: "Vaughan.Bell" Subject: International virus symbol. Thanks for everyone's mail on the subject... I think an international symbol for a computer virus would be useful. it has been pointed out to me that there is a symbol for a Biological hazard but... Due to regulations (institutional and otherwise) this cannot be used unless the disk IS a biological hazard. So should there be a consensus on a symbol ? I have got a rough draft of one I sometimes used for infected machines. This is the biological hazard symbol imposed on a disk. If any one wants a copy in Postscript format just mail me. Thanks... )===---> Vaughan Bell - vaughan@uk.ac.psw.cd <---===( )===---> Polytechnic South West - Drakes Circus <---===( )===---> Babbage Building - Room 112 - Plymouth <---===( )===---> Devon - UNITED KINGDOM <---===( ------------------------------ Date: Wed, 01 Apr 92 13:35:05 -0500 From: "Catherine E. Emery" Subject: Research help...Please :) Hi all !! A brief request.....(hopefully some of you guys and gals can help me :) I'm doing a couple (actually 3) papers of viruses. They range from Viruses on PC's to viruses with telecommunications and networks to Viruses and Information systems (sounds fun doesn't it) What I could really use are: - Some info on good anti virus programs, which is best; I've read tons of reviews but still can figure out which is best. - Any figures on the infection rates so far for 92 or from 1991 (would make a wonderful graph) - Some background more info on Michalangelo (I've gotten alot from here but would love more) Anything else anyone wants to send would be very much appriciated. I get to give presentations for 2 of these (PC's and Telecomm) and I'll (hopefully) be giving a presentation to my users group in Stow Ohio on PC Viruses (basicly it will be my presentation for my PC (Small Systems Tech) class). Thanks to everyone :) I hope to hear from some of you soon :) I can be mail here at my acct ( CEMERY at KENTVM.KENT.EDU ) or in the digest, though I dont get to read the digest every day :( But I'll try to check. Well, enough babbling. Test time!! (Need to pass these else wont graduate in Dec). Thanks again :) Catherine ------------------------------ Date: Wed, 01 Apr 92 17:58:26 -0800 From: wetmore@cs.ucdavis.edu (Brad) Subject: Virus "Hot Days" >From: jgunders@copper.denver.colorado.edu (James P. Gunderson) > Speaking of which, wasn't someone working on a viral "Hot Day" calander? I don't know if there was another one published, but you might check in the conference proceedings of the Fifth International Computer Virus and Security Conference, pg 147-155. The name on the article was Norton Swimmer, U. of Hamburg. "1992 Computer Virus Calendar." It listed viruses by their trigger dates from April to December. (Neat graphics on the side, a surgeon, a brain writing brain on a parchment, a chewed up floppy, etc.) However, it did not seem to be very complete. (It's also partly in German.) Brad / O / Steal here. X ---------------------------------------------------------------- O \ Brad Wetmore: wetmore@iris.eecs.ucdavis.edu \ Help!!! I've been robbed. Someone stole my .sig, and sold it back at the UCD used .sigstore. ------------------------------ Date: Thu, 02 Apr 92 06:39:42 -0600 From: perry@leopold.jpunix.hou.tx.us (John Perry) Subject: BEACH is still alive!! Hello Everyone! Since the announcement of eugene.gal.utexas.edu as an anti-viral site, I have received a flood of mail asking about the status of beach.gal.utexas.edu. Beach is still up and fully operational until I announce otherwise. I am maintaining 2 sites instead of 1. I will be upgrading the archives on beach as soon as files come in. The only difference is that eugene will additionally carry other documentation and software acquired from CERT (thanks Ken!). So don't worry, beach will be there when you try to connect! - -- John A. Perry perry@leopold.jpunix.Hou.Tx.US - Internet jpunix!perry - UUCP ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 82] *****************************************