From lehigh.edu!virus-l Mon Jul 27 16:33:06 1992 Date: Mon, 27 Jul 1992 16:24:57 -0400 Message-Id: <9207271931.AA18193@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: To: Multiple recipients of list Subject: VIRUS-L Digest V5 #132 Status: R VIRUS-L Digest Monday, 27 Jul 1992 Volume 5 : Issue 132 Today's Topics: Administrative: VIRUS-L mailing problems victor charlie (PC) Re: WARNING - Virus Creation Laboratory (PC) re: McAfee Products (PC) re: a report on a viral infection (PC) re: VET as good as Viruscan? (PC) Scream information? (PC) Re: McAfee Products (PC) F-PROT, Telecom, false positive ?? (PC) Bugsres-2 (PC) How do I reverse the effect(s) of Stoned ? (PC) Re: McAfee Products (PC) GIF viewer crashes system (was Re: an amazing problem...) (PC) keypress appears and disappears. Help! (PC) Two new Indian viruses found! (PC) Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC) Re: SAM T4 virus defs file difficulties (Mac) re: VAX virus list? (VAX/VMS) Virus BBS List? killmonk.zip available (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 27 Jul 92 15:27:05 -0400 From: krvw@cert.org (Kenneth R. van Wyk) Subject: Administrative: VIRUS-L mailing problems As some of you have noticed, we've been having some e-mail problems associated with the recent move to the new LISTSERV@Lehigh.edu. Please be patient and bear with these teething problems for a while longer while more fine tuning takes place behind the scenes. We hope to have the problems resolved shortly. Thanks for your patience, Ken Kenneth R. van Wyk Moderator VIRUS-L/comp.virus Technical Coordinator, Computer Emergency Response Team Software Engineering Institute Carnegie Mellon University krvw@CERT.ORG (work) ken@THANG.PGH.PA.US (home) (412) 268-7090 (CERT 24 hour hotline) ------------------------------ Date: Tue, 21 Jul 92 15:51:05 +0000 From: mebrown@hubcap.clemson.edu (Miriam E Brown) Subject: victor charlie (PC) Has anyone ever used Victor Charlie and have any opinions? We are thinking of using it opposed to McAfee's Scan and Clean. thanks miriam brown pepinsky (mebrown@hubcap.clemson.edu) ------------------------------ Date: Wed, 22 Jul 92 13:08:05 +0000 From: millernw@craft.camp.clarkson.edu (Neal Miller) Subject: Re: WARNING - Virus Creation Laboratory (PC) martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes: >I have acquired a rather disturbing new software package, that is >apparently available from some of the virus BBSes. It is called the >"Virus Creation Laboratory" v 1.00, (c) 1992 Nowhere Man and [NuKE] >WaReZ. The package includes the V.C.L. itself, a development >environment written in Borland C++ and styled after the Borland >Integrated Development Environment, MS-Windows .ico and .pif files, >surprisingly well written documentation, and eight example viruses and >trojans. (Rest of well-written posting deleted for convenience) Oh for crying out loud... Just what we need... A Virus-Construction Kit for beginners... I hope that McAfee gets their hands on this package ASAP, if not sooner. Here's an idea... Could someone conceivably write a virus that will seek out and destroy such a V.C.L. based on unique strings within the program? Just an idea... Please post when McAfee decodes these virii. I have a feeling that these virii will be at least as widespread as Jerusalem and Stoned in a matter of time. - -- - ----------------------------------------------------------------------------- Neal Miller | "Why not go mad?" | millernw@craft.camp.clarkson.edu Clarkson University | - Ford Prefect | dark@craft.camp.clarkson.edu - ----------------------------------------------------------------------------- ------------------------------ Date: Tue, 21 Jul 92 20:16:17 -0400 From: Anthony Naggs Subject: re: McAfee Products (PC) James Roy (james.roy@synapse.isis.org) says: > TO: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) > > APP> Lately, there has been a more disturbing trend to leave off > APP>the explicit identification and identify whole families of viruses > APP>simply as [GEN-P] (GENeric-Partition). Since IMHO it is important for > APP>those cleaning up after infections to know what it is they are dealing > APP>with once an infection has been identified, I sincerely hope that this > APP>trend will not continue. > > McAfee was quoted in Australia recently as saying that he didn't > recommend using virus cleaning utilities by anyone except those without > back-ups. > > The reason he said this is that such cleaning utilities are not 100% > effective and can damage code or leave it infected. One is better to > identify the infected files, wipe them and restore from back-up. As > for those who don't maintain effective back-ups, maybe there is a > Santa Claus, Virginia. Padgett doesn't mention cleaning utilities, by which I take you to mean a 'disinfector'. For a site with multiple PCs cleaning up is a much larger operation, for example: * restoring function and data to the affected PC; * react to information about the effects & damage done by the -identified- virus, (eg does corrupt database files, ...); * determining and clearing up the spread to other PCs, all removable media, any PCs used for home-working; * documenting the incident for managers and insurance claims; * deciding on a level of police involvement, (eg reporting or requesting an investigation); * determining how the virus entered the site/company, tracing back/forewards to customers and suppliers who may be affected; * improve the enforcement of existing preventative measures or implement new ones. Of course McAfee's views couldn't possibly be influenced by the fact that his CLEAN program is shit, could it? Skulason's FPROT and Solomon's A-V Toolkit have reasonable disinfection, if required, and take care to disinfect viruses that they know. > Generic detection is the way to go if what we are talking about is the > ability to detect --all-- viruses known and unknown. This is the major > weakness of scanners - they can't identify viruses they don't already > know about. Sure good generic detection (ie checking after booting from a clean floppy) is great and will spot all viruses. However this detection will only happen - -after- the virus has changed your system, in some cases this could be too late. A number of known viruses with destructive effects simply use a random number generator to selet their action, how lucky do you feel? The sensible response is to use scanning software as a first line of defence to pick up known viruses, and an integrity checker as the second line. Regards, Anthony Naggs Internet: amn@vms.brighton.ac.uk or xa329@city.ac.uk Janet: amn@uk.ac.brighton.vms ( cbs%uk.ac.brighton.vms::amn ) or xa329@uk.ac.city ( cbs%uk.ac.city::xa329 ) ------------------------------ Date: Tue, 21 Jul 92 20:16:51 -0400 From: Anthony Naggs Subject: re: a report on a viral infection (PC) felscher@maplog.informatik.uni-tuebingen.de reports a lingering Cascade/1701 infection. The description of the problem indicates that McAfee's VIRUSCAN software may have failed to disinfect files. I suggest you try Skulason's FPROT (from SIMTEL20 or images) which may give you a greater degree of assurance. It also examines some common compressed executables for viruses present before the compression (LZEXE, PKLITE, etc). Regards, Anthony Naggs Internet: amn@vms.brighton.ac.uk or xa329@city.ac.uk Janet: amn@uk.ac.brighton.vms ( cbs%uk.ac.brighton.vms::amn ) or xa329@uk.ac.city ( cbs%uk.ac.city::xa329 ) ------------------------------ Date: Tue, 21 Jul 92 20:17:34 -0400 From: Anthony Naggs Subject: re: VET as good as Viruscan? (PC) David H. Ivens (D.Ivens@deakin.OZ.AU) asks: > I have evaluated VET anti-virus software (Australia) and it seems a very > good alternative to the expensive Viruscan. > > Has anyone had problems with this software? > > We do not get a lot of viruses and are considering a site licence for VET. I haven't used VET, but I have talked to Roger Riordan (the author) at a couple of conferences and he certainly knows his stuff, both on viruses loose on Australia and effective techniques for anti-virus software. Better still for you he is also in Victoria and will provide good quality and timely support, two things which you may have problems with for Viruscan (esp being so far from LA). Oh, while I am being rude about McAfee, any suggestions as to what will happen to Viruscan if the "big one" hits LA? Regards, Anthony Naggs Internet: amn@vms.brighton.ac.uk or xa329@city.ac.uk Janet: amn@uk.ac.brighton.vms ( cbs%uk.ac.brighton.vms::amn ) or xa329@uk.ac.city ( cbs%uk.ac.city::xa329 ) ------------------------------ Date: Wed, 22 Jul 92 01:19:20 +0000 From: ndecour@spartan.ac.BrockU.CA (Nancy DeCourville) Subject: Scream information? (PC) Any information on a virus called Scream would be appreciated. ------------------------------ Date: 22 Jul 92 08:52:53 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: McAfee Products (PC) james.roy@synapse.isis.org (James Roy) writes: >Generic detection is the way to go if what we are talking about is the >ability to detect --all-- viruses known and unknown. This is the major >weakness of scanners - they can't identify viruses they don't already >know about. Well, if you define "scanner" as using only simple signature search, this is correct - such a scanner will only detect viruses it knows or variants of it. However, some "scanners" now include the ability to find non-specific virus-like code, and this approach does enable the scanner to find around 90-95% of NEW viruses. - -frisk ------------------------------ Date: Wed, 22 Jul 92 09:46:25 -0400 From: RXB%FDACFSAN.BITNET@VTVM2.CC.VT.EDU Subject: F-PROT, Telecom, false positive ?? (PC) Situation - After receiving ftp'd *.zip files, I downloaded them from my mainframe VM session to my PC using Attachmate's Extra for Windows 3.22, under Windows 3.1. Then I ended my mainframe session and exited Windows. After unzipping the files onto a floppy, I scanned them using SCANv93, then Central Point Antivirus 1.2, and then F-PROT 204a. Central Point's VSAFE is loaded into memory as a tsr, the others are not. F-PROT gave a message indicating that the Telecom virus search pattern was found in memory, reboot from a clean floppy. After rebooting, I scanned with each of the 3 packages, and none reported a problem. This happened on several different occasions, involving different unzipped files each time. Is this a case of SCAN or CPAV leaving a virus string in memory that F-PROT is picking up, or do I have a problem? The PC is an Iverson 486/33, DOS 5.0, and QEMM386 6.0. SmartDrive, VSAFE, and Norton Utilities 6.01's Erase Protect are loaded upon booting. Assuming this is just a false positive, is there any reason I shouldn't scan using any or all of these packages under Windows, with the mainframe session still active? Is F-PROT the only one of the 3 that can scan *.zip files, not yet unzipped? Thanks for your help. ------------------------------ Date: Wed, 22 Jul 92 10:38:09 -0400 From: Behrend AArea Subject: Bugsres-2 (PC) Hi. I am a computer operator at Penn State Erie, and I have a student's disk that I ran through F-Prot 2.04. It detected a virus named BUGSRES-2 JOKE PROGRAM. Looking through the Virus information section of F-Prot, I could not find a description of this virus. F-Prot also did not disinfect it. I was wondering if anyone had an idea of this virus, as in what it does, how to disinfect, etc. Any e-mail responses to opa@psuvm.psu.edu will be greatly appreciated. -Jeff Cooper ------------------------------ Date: Wed, 22 Jul 92 16:09:50 -0400 From: berstel@lacim.uqam.ca (Bruno Berstel) Subject: How do I reverse the effect(s) of Stoned ? (PC) Hello, In brief : I got Stoned and now my hard disk has name D:. How can I correct this ? In detail : I have an Amstrad PC-1512 with : - single DSDD 5''1/4 drive - 32Mb hard drive (in fact a FileCard) - keyboard, screen, and so on. I have bought a modem to some unknown fellow; he gave me a floppy with Kermit on it. Well, not just Kermit. Stoned/Marijuana too. Since I'm new to the PC world (yes : another Unix/Mac baby -- in fact I grew up with MULTICS !), I didn't run no scanner on the infected disk. I woke up the day after with my hard disk named D:. Stop me here if there is no relation. >From what (I understand among what) I have been told by my scanner, Stoned sleeps in the boot sector of floppies and attacks hardies, but doesn't settle down on them. Of course I've erased it from the floppy but the evil had been done. Not knowning what to do I "temporarily" notified to all my software that the hard disk was named D:. But now I'm tired of it : some days the hard disk is D:, some days it's C:. Now what is the best behaviour to get things normal ? Should I reformat my hard disk ? Would it be of any good ? If I did, could I trust the files I'd have backed up before reformatting ? Any help, comment, suggestion or else will be greatly appreciated. Bruno. - ----- ----- ----- ----- ----- ----- ----- ----- Bruno Berstel berstel@lacim.uqam.ca Laboratoire de Combinatoire et d'Informatique Mathematique L.A.C.I.M. Universite du Quebec a Montreal U.Q.A.M. (Tele)phone : (514) 987-8495 Fax : (514) 987-8477 - --------------- --------------- --------------- --------------- Noel en hiver, Paques au printemps. ------------------------------ Date: Thu, 23 Jul 92 11:43:00 +1200 From: "Mark Aitchison, U of Canty; Physics" Subject: Re: McAfee Products (PC) james.roy@synapse.isis.org (James Roy) writes: > TO: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) > APP> ... disturbing trend to leave off > APP>the explicit identification and identify whole families of viruses > APP>simply as [GEN-P] (GENeric-Partition). Since IMHO it is important for > APP>those cleaning up after infections to know what it is they are dealing > APP>with once an infection has been identified, I sincerely hope that this > APP>trend will not continue. > >... One is better to identify the infected files, wipe them and restore > from back-up... Yes, but it is still important to know the exact name of a virus sometimes, e.g. to know what damage to expect, or if there is a new virus around. Probably the main reason for me is if it is the same virus that was cleaned up last week then I know I have to hunt harder for some infected diskettes or machine in the department. Knowing the exact name of a file infector might be becoming less useful (or even possible?), I must admit, but I would really like to know why SCAN seems to be going to such great lengths to not identify (or mis-identify) viruses the way it does. It must be deliberate, surely. I agree very much with using backups rather than disinfecting, although with boot sectors the disinfecting process *could* be safe - unfortunately fewo tell (sometimes) which version of boot sector is required an d copy the appropriate one in. Mark Aitchison, University of Canterbury. ------------------------------ Date: Thu, 23 Jul 92 05:09:01 +0000 From: glratt@is.rice.edu (Glenn Forbes Larratt) Subject: GIF viewer crashes system (was Re: an amazing problem...) (PC) sbb1@Ra.MsState.Edu (Shay B. Berthelson) writes: >t7@elan.glassboro.edu (TEMP_7) writes: > >>i am in desperate need of help. > >>yesterday i downloaded a piece of software called NakedEye -- a p.d. gif >>viewer -- when i tried to run it, the screen blanked and the system crashed, >>but when i rebooted i got an error "drive c write protected" -- i am using >>dos 5.0 and as far as i know (and as far as my manual says) you cannot write >>protect a drive. although i am also running stacker and 4dos. 4dos does not >>have a write protect command. does stacker? how did this happen? i am having >>a hell of a time running applications now because of this persistant error. >>any help would be greatly appreciated.... > >Do you have a virus scan program??? Really sounds to me like you got infected. >Better get a scan/clean prog. and clean it up. Most stuff can be fixed and >saved if it hasn't destroyed everything. I agree that this sounds like malicious code at work, since t7's assumption is correct that write-protecting a hard drive is not a part of standard MS-DOS or (I think) 4DOS or Stacker. This is especially likely if you down- loaded from a BBS or from an INCOMING directory of an ftp site. Your best bet would be to take your inquiry to comp.virus: that forum reaches some of the foremost experts in antiviral and other anti-malicious code work. Followups to comp.virus. - -- ===/| Glenn Forbes Larratt | CRC OCIS | "Quid pro quo, |/ ==/| glratt@rice.edu (Internet) | Rice University | Clarice." |/= =/| GLRATT@RICEVM1 (Bitnet) |=================| - The Silence |/== /| The Lab Ratt (not briggs :-) | Neil Talian? | of the Lambs |/=== ------------------------------ Date: Thu, 23 Jul 92 19:46:00 +1000 From: CHE358W@vaxc.cc.monash.edu.au Subject: keypress appears and disappears. Help! (PC) Hi I have an aunt who has a confuser that has contracted the key press virus. I decided that since they are always getting viruses to install vshield93 in the autoexec file. All this file does is prompt, path and run mouse.com and win.com. I inserted vsheild before win.com and it found key in memory. I booted off a floppy and scanned with scanv93. (all files). nothing was found. I moved the vshield command up before mouse.com and this time nothing was found. After windows executed I started vhield and still it didn't find anything. It's as though keypress pops up at a specific point and then dispears again almost straight away. Can anyone tell me if this is expected behaviour for keypress and how I can find it on the hard disk? Thanks so much. Samantha Lane . che358w@vaxc.cc.monash.edu.au ------------------------------ Date: Thu, 23 Jul 92 19:05:07 +0000 From: cspl1@saathi.ernet.in (Dr. Raj Mehta) Subject: Two new Indian viruses found! (PC) NEW VIRUS Two new Indian Viruses have been found. These were uploaded to Dr.Alan Solomon by me and his Toolkit now looks out for them. NAME: MUGSHOT VIRUS (AKA ANIL RAO VIRUS) - ---------------------------------------- DISCOVERED BY: Neville Bulsara & Suchit Nanda (Microcomputer Users' Club, Bombay & Comsoft Services) This one's a real coool dude! Got his own(?) mugshot inside, and he flashes it around! Wish it were clearer - would help to make an example out of him! INFECTION: On booting from an infected floppy disk, the virus takes over the interrupt 9h i.e. the keyboard interrupt and the interrupt 13h which is the disk interrupt handler. The keyboard handler does the following:- The original keyboard vector is revectored to point to interrupt 6Eh which is normally unused. Upon every occurrence of a keyboard interrupt, the virus increments a series of variables. Once these variables reach a total value of 512b (200h), indicating that a total number of 256 keys are depressed, the virus triggers if the video mode is medium resolution 4 color (320 x 200 - mode 4). At this point, a flag is set to indicate that the threshold has been crossed. If the video mode is correct, a mugshot of the "Mug" himself is displayed on the top left-hand corner of the screen. This mug shot will remain on the screen as long as you remain in this graphic mode. If the mode is reset to any other than the one required by the virus, the mugshot disappears. However switching back to mode 4 at any point results in the mugshot reappearing as soon as a key is pressed. In fact, in mode 4 resolution, the mugshot is refreshed every time a key interrupt occurs. DISK INTERRUPT HANDLER The disk interrupt is mapped to 6Dh like Brain & Print Screen. The virus only infects disks in floppy drives A & B. On closer examination it seems certain that this is a hacked copy of the Brain virus. The major change being a completely rewritten keyboard handler and the mugshot display. The signature is also different. The stealth algorithm is the same as Brain, as is the disk handler. Messages have been changed and the name of the alleged author of the hack is present in between the code. However, we cannot categorically state that Mr.Anil Rao is the originator of this virus as changing the name is a relatively simple job. What we are convinced is that this virus is of Indian origin as it has not been detected elsewhere and Anil Rao is a common Indian name. MUGSHOT POEM (Not part of the virus!) This is the Mugshot virus It's a real coool dude It's got a real mugshot Whatta pity its not in the nude Its a namby pamby virus Which is really a great big pity If not you would see RedAlert Reaally selling in this city What this here guy does When he's in the mood Is display his crappy mugshot Which may be why hell be sued POEM: Peter Theobald (Microcomputer Users' Club) VA IITD (BAGOBA File Virus) - --------------------------- Detected by: Chetan Varde & Suchit Nanda (Microcomputer Users' Club, Bombay) Description: This virus is a memory resident .EXE file infector only. The only way the virus can get into the memory of the computer is by execution of an infected .EXE program. Once in the memory the virus relocates itself at the Top Of Ram at address 9F60:0000h. It then modifies the Top Of Memory location in the PSP by marking it 00A0h bytes less than what it actually is. This is done to ensure that DOS does not allocate the memory used by the virus to any other program. The virus redirects Interrupt 21h calls to itself so that it can infect executables when a "load & execute" command is sent to DOS. The virus has no self recognition scheme built into it and therefore infected .EXE files continue getting reinfected and hence keep growing in size. The infection of a file comprises of making the .EXE file a perfect multiple of 10h and then appending 663h bytes of viral code. The header of the .EXE is modified so that the virus gets control first. The virus also increments the MINALLOC field in the .EXE file header. The antivirus VIR_KILL.EXE written by Chetan Varde, a member of Microcomputer Users' Club, Bombay finds and cleans-up files infected with this virus. The cleaning-up operation works even if the .EXE file is infected multiple times by this virus. To ensure that the virus is not active when this antivirus program is run, it attempts to restore the address of the MS-DOS kernel in the vector table. As a result memory resident applications and device drivers may get disabled. A reboot is recommended after running the antivirus program to ensure proper working of the machine. If you need any more information on either of them please post a net message on Internet to: cspl1@shakti.ncst.ernet.in Suchit Nanda Chief Editor - Microcomputer Users' Club Product Manager - COMSOFT Services E-mail (Internet): cspl1@shakti.ncst.ernet.in X.400: C=IN A=VSNB G=PETER S=THEOBALD O=COMSOFT Add: C-503, Eden-IV, Hiranandani Garden, Powai, Bombay 400 076. INDIA Voice: 91-22-5781132 FAX: 91-22-2041389/2040395 ------------------------------ Date: Thu, 23 Jul 92 16:30:56 -0700 From: System Manager Subject: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC) Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the mirroring ftp sites). Filename is /mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to ran GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that the file is infected with Wonder-2 virus. F-PROT did not report a virus. I sent mail to the person who maintains garbo.uwasa.fi and received an answer that he is out of town till July 27. This means, the file will not be tested/removed from garbo until then. Has anyone downloaded this file before ? What happened ? ***************************************************************** * Andrew Zaitsev, * * Computer Lab Consultant, University of Missouri - St Louis * * "This ain't working, * * That's the way you do it- * * Money for nothing, * * Chicks for free!" * * (Dire Straits) * ***************************************************************** ------------------------------ Date: Tue, 21 Jul 92 22:36:21 -0400 From: marvin@norton.norton.com (Marvin Carlberg) Subject: Re: SAM T4 virus defs file difficulties (Mac) Attention SAM Users: If you are experiencing any difficulties after updating your copy of SAM for the T4 virus and its associated strains, please note that SAM's ability to provide protection, detection, and repair via Virus Clinic, Intercept, or Intercept Jr are not compromised or diminished in any way. If your system satisfies all three of the following conditions, you may experience errors when attempting to launch some applications. 1) using SAM version 3.0.3 or earlier AND 2) using the latest SAM Virus Definitions file (7/8/92) or have added the T4-A/T4-B virus definition manually via Virus Clinic AND 3) running System 7 or MultiFinder under System 6 The specific errors include a -605 system error, -33 system error (only with System 7 File Sharing enabled), an 'Unknown' system error, and a system freeze or hang. Please call technical support at 310-449-4990 from 7:00am - 5:00pm Pacific time, Monday through Friday if it appears that this situation is affecting your system. Once again, please keep in mind that protection for all currently known Macintosh viruses, including the T4 strains, is still very complete even if you are having these difficulties. Thank you, Symantec ------------------------------ Date: Tue, 21 Jul 92 19:49:51 -0400 From: JERRY LEICHTER Subject: re: VAX virus list? (VAX/VMS) matrix@valinor.mythical.com (JJ Kahrs) asks: This may be a totally ignorant question...BUT... Does anybody have a list of VMS virilli? Lucky him. I have just such a complete list. It's right here: For the humor-impaired: There are no known VMS viruses at this time. It's worth repeating, of course, that neither VMS nor any system is inherently immune to viruses; but none have been reported as of today (and I'd be in a position to hear fairly quickly - certainly within a couple of days of any public discussion). There HAVE been some network-related VMS "worms" reported. These go back a couple of years and, with the tighter security that's the default in current versions of VMS, they have not been seen recently. Virilli? -- Jerry ------------------------------ Date: Wed, 22 Jul 92 16:10:49 -0700 From: brianc@eskimo.celestial.com (Brian C) Subject: Virus BBS List? Could someone please e-mail me a list of virus related bbs? Thanks, Brian ------------------------------ Date: Wed, 22 Jul 92 14:55:34 -0400 From: HAYES@urvax.urich.edu Subject: killmonk.zip available (PC) KILLMONK.ZIP by T. Martin is now available from us. As the name implies, the program will detect and eradicate the "monkey" virus. - ----- Site: urvax.urich.edu, [IP# 141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. - ----- Best to all, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 132] ******************************************