Return-Path: Received: from IBM1.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA05169; Thu, 23 Apr 92 17:26:34 +0200 Message-Id: <9204231526.AA05169@abacus> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 9479; Thu, 23 Apr 92 11:10:46 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 1033; Thu, 23 Apr 92 11:10:26 EDT Date: Thu, 23 Apr 1992 11:05:25 EDT Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #93 Comments: To: VIRUS-L@ibm1.cc.lehigh.edu To: Multiple recipients of list VIRUS-L Status: RO VIRUS-L Digest Thursday, 23 Apr 1992 Volume 5 : Issue 93 Today's Topics: Bloody Virus (PC) Re: Increasing CBCS Security (PC) Re: Write protecting with software (PC) Problem booting from c: Drive (PC) Re: anti-virus BBSes (PC) Re: Polymorphic List (PC) Re: Ping-Pong virus (PC) Re: Write protecting with software (PC) F-Prot and Zeniths (PC) Combatting tunnelling viruses (was Re: Increasing CBCS Security (PC) Re: Viruses via MS Windows OLE? (PC) windows screen saver or VIRUS? (PC) Disinfectant 2.8 (Mac) Virex UDV false positives confirmed (Mac) Checklist part 10 Viruses & Poetry (Humor) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Sun, 19 Apr 92 01:26:29 +0000 From: las@cunyvms1.gc.cuny.edu Subject: Bloody Virus (PC) Maybe two months ago I had the greusome esperience of down loading some e-mail from the main computer via modem to my pc at home. Immeddiatly one of my floppy drives stoped working, but I had no idea what was happenning. I took my computer to be serviced, the person ran some viral scanner and found a virus had infected the hard disk. He unfortunatly failed to have an antivirus for the virus that was infecting my machine. I eventually, many dauys later found out mcafee. It ran it and cleaned the machine of the infection. The virus was "Bloody Virus". Now I'm afraid of down loading files into my pc from the main computer. What can I do to prevent an infection of the sort My computer suffered? any software (public domain) available for this sort of stuff. Unfortunatly I didn't know then of this group. ------------------------------ Date: 21 Apr 92 11:49:44 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Increasing CBCS Security (PC) "a_rubin@dsg4.dse.beckman.com"@BIIVAX.DP.BECKMAN.COM writes: > >energetic barrier (the "tunnelling effect"). If correctly implemented, > >these techniques are able to bypass -any- monitoring program, and > >therefore the monitoring programs (like FliShot+) are the weakest > >line in the anti-virus defense (even weaker than the scanners). > Does that mean that they will fail under QEMM 6 STEALTH mode? Huh, pardon my ignorance... I know what QEMM is (although I'm not using it) and have heard that it has a stealth mode, but have no idea what this mode consists in... Does it mean that it permits loading of a resident program in a "shadowed" and read-only area of memory? If it is possible to mark the memory occupied by the program as read-only, this means that the virus will not be able to patch it (unless there's a way to make it writable again), but this -is- memory protection and my initial message dicussed the situation with no memory protection. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 21 Apr 92 12:16:24 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Write protecting with software (PC) kiae!rtech!vl!ALS@vl.ts.kiev.ua writes: > Direct calls to Int 13 are not allowed for any program at all, except > DOS itself. Some software can't work with this restriction, but all other > can. 99% of text editors, spreadsheets, compilers don't need direct > disk access. I'm afraid you are forgetting about Windows and its silly swapfile - why else do you think it must not be on a Stacked volume... Also, I have the suspiciouns that Norton Disk Doctor will have problems to run in the detailed check mode under your protection, since it uses that INT 2Fh/AH=13h stuff... The same goes for CALIBRATE... Oh, I'm speaking about versions 5.0 and above, BTW. > If you ask DOS nicely about BIOS direct access then my defence can > answer to your asking nicely too, but you can not receive address of > BIOS itself. This call returns with address of Int 13, and becomes > equil to call of Get Interrupt Vector. I doesn't find any software > that worked incorrectly while receiving this address (except viruses, > of course :-) Ah, so you have fixed this... Then you depend on becoming active before the virus, right? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Tue, 21 Apr 92 08:28:33 -0500 From: "Gregory S. Mollica" Subject: Problem booting from c: Drive (PC) This message has been posted to both VIRUS-L and WIN3-L. I apologize y persons subscribed to both lists receiving duplicate messages. I have a computer containing a AMI 386/33 mother board, 4MB RAM, 120MB Connor's IDE Hard Drive (partitioned 80/40), 1.44 & 720 disk drives, SVGA monitor, mouse, running MSDOS 4.01, Windows 3.0 and various applications. Problem first appeared when I turned the system on a week ago Sunday. Every thing booted fine, preliminary Windows screen came up, then a Windows dialog box appeared stating "can not read C: drive". I did a cold reboot and the normal memory check and AMI board config's appeared. Next, the system tries to read the C: to run the system programs (IO.SYS, MSDOS.SYS) but locks up instead. Troubleshooting Done: System will boot fine from a backup boot disk. Can read c: drive. Latest version of Central Point Anti-Virus has been on the machine since before the "Mike" epidemic in "scan at boot-mode". Ran full scan with CPAV and detected no viruses. Commented out all config.sys and autoexec.bat commands and tried reboot. Same thing. Recopied system files to c: drive using SYS.COM. Surprise, worked. Rebooted again to be sure. No such luck. Future attempts to delete, recopy system files successfully transfer system, files are present, reboots are unsuccessful. Other Oddities: Windows WIN.INI and SYS.INI disappeared. Tried to locate any evidence of them using PCTOOLS 7.1 (latest version) and the UNDELETE directory read identifies 4500 directories before locking up. All other PCTOOLS options read the directories with no problems. Deleted all Windows files/directories. Windows SETUP creates new WINDOWS directory, stops installation and drops to the A>. Next Step?? I am going to try a different virus scanner. Someone told me to check the battery (?). Any other suggestions?? Please reply directly to me as I am not a regular subscriber to the lists. Thanks in advance for any help. Gregory S. Mollica Project Coordinator UPRLC, Inc. Automated Library Services (906) 227-1109 UPGM@NMUMUS ------------------------------ Date: Mon, 20 Apr 92 11:58:17 -0400 From: JDG111@psuvm.psu.edu Subject: Re: anti-virus BBSes (PC) Someone requested a list of sites which carry scan strings for different viruses... I'd be interested in obtaining a list, also. ANyone have a current one? Tis a shame some people will only give such a list to McAfee... Virii can affect anyone, shouldn't anyone be allowed to know how to find them? ------------------------------ Date: Mon, 20 Apr 92 12:04:25 -0400 From: JDG111@psuvm.psu.edu Subject: Re: Polymorphic List (PC) The list of polymorphic viruses was somewhat incomplete. I can think of at least 2 which weren't mentioned; there were probably a lot more. those two are the Bob Ross (aka Beta) virus and Screaming Fist virus, both written by the group PHALCON/SKISM. I recently recieved 3 new viruses, which I haven't tested. They're supposedly from Bulgaria, and only one used DAME. That's the only one which can be scanned. As I said, they may or may not work, but considering the source from which they came, I assume they are new. As far as I know, they haven't been distributed except on two or three US virus boards. Anyone who has seen the file (SOMEVIRS.ZIP) and knows what it contains, please inform the rest of us... if I get a chance to test the programs, I'll post. ------------------------------ Date: 21 Apr 92 12:06:50 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Ping-Pong virus (PC) J$F@FCCJ.BITNET (JEDI) writes: > Hello! I have a question... Does anybody know what the Ping-Pong > virus version b does? I've never heard of it. Sure, if you succeed to explain me what do you understand under Ping Pong B. In her VSUM document Patricia Hoffman states that this version of Ping Pong is able to infect hard disks. She is incorrect; there has never been a floppy-only version of Ping Pong. We have a slightly hacked version of the virus here that we're calling Ping_Pong.B - it is the version modified by the Yankee Doodle virus to inactivate itself after 256 reboots. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Tue, 21 Apr 92 15:55:02 +0000 From: black@beach.csulb.edu (Matthew Black) Subject: Re: Write protecting with software (PC) kiae!rtech!vl!ALS@vl.ts.kiev.ua writes: >writes A.Padgett Peterson, >> writes: Alexander Shehovtsov >> > modifying IO.SYS and MSDOS.SYS that can prevent direct access to disk >> > to all programs EXCEPT COMMAND.COM. >> >> More dangerous since while this will protect against Int 21 functions, >> what about direct calls to Int 13 ? Things operating from the BIOS can >> always bypass DOS. > Direct calls to Int 13 are not allowed for any program at all, except >DOS itself. Some software can't work with this restriction, but all other >can. 99% of text editors, spreadsheets, compilers don't need direct >disk access. ***** Matt adds: ***** Not true. Any program can make a direct call to INT 13. However, there is no guarantee that INT 13 points to DOS/BIOS since any program or virus can change the interrupt vector. >> > As a result only very DOS-depended viruses can ignore this defence. >> >> Again, this will not provide any protection against things operating >> on the BIOS level or even things reading from the DOS level and >> writing through the BIOS. The versions mentioned will even tell you >> how to reach the BIOS directly if you ask nicely. > If you ask DOS nicely about BIOS direct access then my defence can >answer to your asking nicely too, but you can not receive address of >BIOS itself. This call returns with address of Int 13, and becomes >equil to call of Get Interrupt Vector. I doesn't find any software >that worked incorrectly while receiving this address (except viruses, >of course :-) >> Am glad to see people thinking about solutions though. > I don't propose solution for all times and peoples. I look to thing >as they are, without any optimism. But this idea can work for some time >(may be long enough to move from DOS to OS :-) preventing DOS and disks from >95-99% of file viruses. >- -- >Alexander Shehovtsov, (044) 266-70-28 (9:00 - 18:00 Kiev, Ukraine) voice > als@vl.ts.kiev.ua Relcom | 2:463/30.5 or 2:463/34.4 FidoNet ***** Matt adds: ***** I have implemented similar protection on hundreds of PCs at my university. The protection has prevented virus infection in almost 100% of instances. Since DOS has no built-in protection, any protection scheme will depend upon either hardware, an EPROM chip with code that is executed during the POST or obscurity. The software I developed (maybe Alex's too) depends upon obscurity: one must be very familiar with the internals of DOS. However, I am not concerned with this type of threat because the protection is installed simply to prevent students from changing the lab software. - --matt [note to Alex Shehovtsov: What is your internet mail address? nslookup through NIC fails on vl.ts.kiev.ua. Perhaps you could e-mail your numeric address to black@csulb.edu] ******************************************************************************* * Matthew Black * The opionions expressed are mine. Computer Engineering & Computer Science * No warranty whatsoever whether California State University * express or implied is hereby Long Beach, CA 90840 * conveyed. ------------------------------ Date: Tue, 21 Apr 92 10:16:00 -0800 From: Michael_Kessler.Hum@mailgate.sfsu.edu Subject: F-Prot and Zeniths (PC) F-Prot 2.02's Virstop.exe had conflicts with various configurations of Zeniths 286 and 386 and Etherlink II and Plus cards. The same machines did not freeze with an Etherlink I (3C501) card installed. F-Prot 2.03 does not have that problem with the same machines. I would put the blame on Zenith, which also has compatibility problems with QEMM and 3ComEMM.SYS, the latter used on a 386/33 and a 386/33E server for 3+Share. Michael Kessler School fo Humanities San Francisco State University e-mail: Michael_Kessler@HUM.SFSU.EDU ------------------------------ Date: Wed, 22 Apr 92 11:40:00 +1200 From: "Mark Aitchison, U of Canty; Physics" Subject: Combatting tunnelling viruses (was Re: Increasing CBCS Security (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >Most monitoring programs stay resident in memory, intercept some >interrupts and DOS functions and monitor them for dangerous activities >(like modification of an executable file and so on). However, due to >the total lack of memory protection under MS-DOS, a clever virus is >able to disable the monitoring program if it detects it in memory, or >even invoce the "dangerous" functions in a way that cannot be >intercepted (e.g., using CALLs to the ROM BIOS). Virus which are able >to do this are called "tunnelling".... If correctly implemented, >these techniques are able to bypass -any- monitoring program, and >therefore the monitoring programs (like FluShot+) are the weakest >line in the anti-virus defense (even weaker than the scanners). [IMHO MODE ON] Firstly, I am pessimistic about virus protection on the PC while there is still strong pressure from users and software developers for backward compatibility. Most of the solutions to the problem, that would involve new viruses having to carry around a huge toolkit of low-level routines, would also cause lots of software to be broken. Notice I'm not concerned about existing viruses, nor viruses written using existing techniques (even polymorphic "engines")... it is a question of what a really dedicated virus writer *could* do in the future. The discussions about the usefulness of any software-only protection system all hinge on that point. (The only thing stopping the extermination of present-day viruses is that not enough users make the slightest effort, until they're stung). [IMHO MODE OFF] It is theoretically possible to use the power of the 386 (or better) to prevent tunnelling viruses (in fact just about any virus that doesn't get control of the computer before the anti-viral software). It doesn't have to mean using protected mode (but, from what I've seen, it is the most convenient, so long as it is built into the operating system), but it does involve some (okay, LOTS of) speed degradation. Instead of TSR's sitting on interrupts such as int 13, it is possible to check the program as it is loaded. Okay, nothing new so far. But what you can do is interpret (instead of execute) the first few instructions. Because of the way that viruses infect, it is much easier for them to execute at the start of the program than the end. During this stage, it is possible to watch for any illegal disk or memory accesses. This could be done on any PC (8088 chip up), but the speed you get with a 386 is pretty important, as is the memory space for the emulation software. At this stage, you're probably saying that a virus could be specially built to waste lots of time at the start, until the TSR thinks the code being executed must surely be out of any viral area, and stops interpreting. But, to do so the virus would have to slow down the execution of all programs, which should make them obvious to users. Or they could do some sort of instructions to test if there is such software in place, but remember they are being interpreted, so we can fib about anything... the only sensible test they could do is timing, and that would require access to one of the internal timers, which is something the TSR would detect and could trigger a more thorough test of the program. The result would be that the first fraction of a second of code would take a bit longer to execute - perhaps comparable with the time it would take to load it off disk in the first place, but rest of the program would run as fast as ever. That should keep the users happy. Well, anyone see any problems with that? I must admit I can think of a few minor ones, but I think it looks worthwhile enough to pursue further. I'd be happy if anyone wants to take the idea and make some workable software out of it; and I could provide some help, but I can't afford the time to do the whole thing at the moment. Mark Aitchison, University of Canterbury, New Zealand. ------------------------------ Date: Wed, 22 Apr 92 11:53:00 +1200 From: "Mark Aitchison, U of Canty; Physics" Subject: Re: Viruses via MS Windows OLE? (PC) sgr4211@uk0x08.ggr.co.uk writes: > Microsoft Windows v3.1 provides a facility for embedding executable > code within datafiles (part of the "Object Linking and Embedding" > philosophy). It occurs to me that this could allow viruses to sneak > in through the anti-virus procedures adopted by many organisations - > scanning "standard executables" and boot-sectors only. Looks like history repeating itself. I wonder if the virus writers will be slower to copy ideas from the Macintosh world than Microsoft was :-) Seriously, though, it looks like something anti-virus people need to look at pretty darned quickly, although I doubt that a virus that requires MS Windows to be present would get very far at the moment. (but then again...?) > Also, I have heard that some virus scanners search for virus patterns > only in places where the virus code would occur - if this means, for > example, the beginning or the end of a file, would this make a virus > invisible to such "smart" scanners? Most can be told to search more, but the default is .COM and .EXE. Personally, I think the default should be .COM and .EXE and .SYS and any file that starts with MZ. The .BAT, .PIF and .BAS viruses are rare enough to not include them by default. Any other extensions don't need to be scanned for general viruses but for specific viruses, to save time. Mark Aitchison, University of Canterbury, New Zealand. ------------------------------ Date: Wed, 22 Apr 92 00:31:00 -0500 From: CRHINE@INDYVAX.IUPUI.EDU Subject: windows screen saver or VIRUS? (PC) When running screenery from Borland Int'l, I have been receiveing a message across the top of the screen displaying the words "WAKE UP". This is not one of the features of the software package and, consequently, I believe it to be a foreign (viral) program. Has anyone heard of these symptoms before? Is there a file located somewhere that could be downloaded (ftp or modem) which contains the descriptions of the symptoms of all know viruses? Thanks for any help. Carl Rhine SPEA Network Administrator CRHINE@INDYVAX.IUPUI.EDU Indiana University/Purdue University at Indianapolis (317) 274-0531 FAX: (317) 274-7860 ------------------------------ Date: Sun, 19 Apr 92 16:56:23 -0600 From: j-norstad@nwu.edu (John Norstad) Subject: Disinfectant 2.8 (Mac) Disinfectant 2.8 April 19, 1992 Disinfectant 2.8 is a new release of our free Macintosh anti-viral utility. Version 2.8 detects the new CODE 252 virus. The CODE 252 virus was discovered in California in April, 1992. The virus is designed to trigger if an infected application is run or an infected system is started up between June 6 and December 31 of any year, inclusive. When triggered, the virus displays the following message: You have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks... Ha Ha Ha Ha Ha Ha Ha P.S. Have a nice day Ha Ha Ha Ha Ha Ha Ha (Click to continue...) Despite this message, no files or directories are deleted by the virus. However, a worried user might turn off or restart a Macintosh upon seeing this message, and this could corrupt the disk and lead to significant damage. Between January 1 and June 5 of any year, inclusive, the virus simply spreads from applications to System files, and then on to other application files. Due to errors in the virus, it only spreads to new applications under System 6 without MultiFinder. The Finder also usually becomes infected. Under System 6 with MultiFinder, the virus infects the System file and the "MultiFinder" file, but it does not spread to new applications. Under System 7, the virus infects the System file, but it does not spread to new applications. A bad error in the virus can cause crashes or damaged files under System 7. Under any system, the virus infects the System file, and it can and will trigger the display of the message. The virus contains a number of additional errors which could cause crashes, damage, or other problems on any system. In addition to recognizing the new virus, there are a few other changes in version 2.8 of Disinfectant. Version 2.8 corrects an error in version 2.7.1 which caused crashes during or after scans on the Mac Plus and 512KE running System 6 with MultiFinder. The protection INIT no longer checks the System file for viruses at startup time. This makes the INIT smaller, more efficient, and more robust. Version 2.8 also includes some changes to the protection INIT which we hope will make it more compatible with other software. The "Protection" section of the online manual now discusses the problem of what to do when you want to use the Disinfectant INIT together with some other INIT which is supposed to load first. Disinfectant 2.8 is available now via anonymous FTP from site ftp.acns.nwu.edu [129.105.113.52]. It will also be available soon on sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac, America Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom, AppleLink, and other popular sources of free and shareware software. Macintosh users who do not have access to electronic sources of free and shareware software may obtain a copy of Disinfectant by sending a self- addressed stamped envelope and an 800K floppy disk to the author at the address given below. People outside the US may send an international postal reply coupon instead of US stamps (available from any post office). Please use sturdy envelopes, preferably cardboard disk mailers. People in Western Europe may obtain a copy of the latest version of Disinfectant by sending a self-addressed disk mailer and an 800K floppy disk to macclub benelux. Stamps are not required. The address is: macclub benelux Disinfectant Update Wirtzfeld Valley 140 B-4761 Bullingen Belgium John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 USA Internet: j-norstad@nwu.edu John Norstad Academic Computing and Network Services Northwestern University j-norstad@nwu.edu ------------------------------ Date: Tue, 21 Apr 92 18:35:08 -0400 From: Eric Conger - Microcom Subject: Virex UDV false positives confirmed (Mac) Resent-From: Werner Uhrig Virex anti-viral announcement: We are sorry to report that the 'User Definable Virus' (UDV) feature of Virex has been shown to incorrectly report some files as being infected with the new 'CODE 252' virus. The problem has been found, and will be corrected in version 3.8 and later. WHAT CAN YOU DO? In the cases where Virex reported the 'false positives', there have been multiple UDVs entered. If Virex reports that a file is infected with the CODE 252 virus, double-check by removing ALL other UDV's and scanning again. We have not seen any false positives using this method (but they may still be possible). PLEASE NOTE: This problem affects the UDV feature ONLY! The normal detection and repair capabilities of Virex were not affected. Again, we are sorry for any inconvienence/trauma this has cased, Eric Conger ------------------------------ Date: Fri, 17 Apr 92 19:07:12 -0700 From: rslade@sfu.ca (Robert Slade) Subject: Checklist part 10 920417 PRTCKLA.CVP Antiviral checklist - part 10 Regularly: As with "what is an office" so here, "what is regularly?" This is going to depend on your situation, but, in general, it is going to mean "more often than you do now." The items under this section of the list are particularly those that should be going on regularly for good maintenance and support anyway. _ Back up data Our good old friend, the backup. Why stress the data? Three reasons. First, programs and structure should be backup up at installation and at every change in configuration. They need not be backed up between times. Second, backing up data only reduces backup time and increases the frequency with which people are wiling to do a backup. Third, you can buy another copy of Perfect Writer tomorrow. Can you buy another copy of your last months receivables? _ Monitor disk space, map, memory map Especially if you partition programs from data, checking the free space can give you a quick indication of many problems. On a disk map, check for increasing numbers of bad sectors showing up, or programs which insist on moving to the end of the disk. Again, the memory map should primarily be checked at boot time. You need not understand what all the numbers and interrupts mean, but if they change you might have a serious problem. _ Monitor program file sizes If programs are partitioned from data (and data should here include any configuration files which change frequently), disk space should give a quick check for prepending or appending file infecting viri. A listing of the files themselves would indicate specific infections. Generally speaking, a check of the sizes of program files takes less time than might be realized at first. Modern commercial programs take up a lot of space, but the number of individual files is not excessive. (Except for those of us who have to have all the very latest in freeware utils ... :-) copyright Robert M. Slade, 1992 PRTCKLA.CVP 920417 =================== Vancouver | "Power users think Institute for Robert_Slade@sfu.ca | 'Your PC is now Research into rslade@cue.bc.ca | Stoned' is part of User CyberStore Dpac 85301030 | the DOS copyright Security Canada V7K 2G6 | line." R. Murnane ------------------------------ Date: 22 Apr 92 12:40:07 -0400 From: "Tarkan Yetiser" Subject: Viruses & Poetry (Humor) Hello netters, it's spring time and we need to cheer up a little. Following is a silly poem for all to enjoy. Please do not take it seriously. It is nothing but a product of Tarkan's idle moments. - ----------------------------------------------------------------------- Boys in the Hood Fudgett, Chess, Wells all in all Always on the net, playing ball Pogue, MtE, others on the roll It's time for a duty call S.O.S. S.O.S. Poor users cry for a recess Do good deeds, don't just confess Go right ahead and try VDS Frisk, Doc John and the rest Get ready for a little test Name the virus that has a nest In every PC with a hairy chest April '92, Baltimore, MD P.S.: Now does anyone care to read my "scanner song"? It is a lot better. Regards, Tarkan Yetiser VDS Advanced Research Group P.O. Box 9393 (410) 247-7117 Baltimore, MD 21228 e-mail: tyetiser@ssw02.ab.umd.edu ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 93] *****************************************