From lehigh.edu!virus-l Thu Dec 24 09:56:36 1992 Date: Tue, 22 Dec 1992 09:26:08 -0500 Message-Id: <9212221358.AA03720@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V5 #207 Status: R VIRUS-L Digest Tuesday, 22 Dec 1992 Volume 5 : Issue 207 Today's Topics: CPAV leftovers: summary (PC) Another Kind Of Droppers (PC) Re: Integrity Master update (PC) VSHIELD, VIRSTOP, ... comparison ? (PC) Pink dos color -Virus? (PC) Re: Is this a new virus? (PC) Re: Virus Simulator MtE Available (PC) Tequila on the Pc (PC) CHKDSK & PC-DOS 5.00 (IBM) (PC) RE: VI-SPY 10.0 spitting out strange numbers... (PC) Re: INFO SOUGHT: FILLED virus (PC) Re: DAME update (PC) Re[2]: Stoned Virus (PC) Re: Vshield vs Virstop (PC) Viruses in OS/2 HPFS (OS/2) Problems in MCAFEE OS/2 Clean (OS/2) viruses in OS/2 environment (OS/2) Questions about OS2SCAN and OS/2-based AV software in general (OS/2) Re: Questions about OS2SCAN and OS/2-based AV software in general (OS/2) Re: Viral Based Distribution System VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Sat, 19 Dec 92 17:15:09 -0500 From: Luca Parisi Subject: CPAV leftovers: summary (PC) Here is what I've found out about the "leftovers" I mentioned. The "CARMEL Software" string is indeed added to files by the "Immunize" option of Central Point Anti Virus 1.0 and 1.2 (At least; I could only find those versions, and the new Windows one that has no such option). It is not part of the integrity checking program, however. It seems to be used to pad the executable file to a multiple of 16 before adding the self-checker, but only under certain conditions (I was unable to replicate it except on NU.EXE, and I found another padding string elsewhere). It is not deleted by the "Remove Immunization" option, although the file is restored to its original size. The padding string and a copy of the first bytes of the original immunized program can be read in the slack space and will disappear as expected when the deimmunized file is copied. The user who originally faced the program had indeed used CPAV, not the original CARMEL product. Thanks to those who supported me with suggestions. Luca Parisi ------------------------------ Date: Sat, 19 Dec 92 17:15:35 -0500 From: Luca Parisi Subject: Another Kind Of Droppers (PC) Not much time ago, a posting by Stefano Turci (Stefano_Turci@ f108.n391.z9.virnet.bad.se) prompted discussion about the fact that converting a file from .COM to .EXE caused scanners not to recognize some virus infections any more. I don't have much to object to the views expressed by the scanners themselves (well, actually their authors :-) but I faced the same problem while dealing with the "leftovers" of my previous posting. That is, files infected with virus 855 (Nov. 17th) and subsequently immunized with CPAV 1.2 are not recognized as such by F-Prot 2.06, Scan 97 or VirX 2.4 (I know they are not entirely up-to-date, but all three recognize the 'vanilla' infection on the same files). I don't think this is more than an "academic" problem unless the current DOS version of CPAV still offers immunization, and a bit more if the rumored MSDOS 6.0-bundled one does (the most recent plain DOS CPAV I have is 1.2, and WinCPAV doesn't). More generally, I'd say that the integrity check should be a built-in function, otherwise it can only build false security. But somebody here must have said that before and better than me... Luca Parisi ------------------------------ Date: Fri, 18 Dec 92 22:38:06 +0000 From: Sara_Gordon@f0.n10.z9.virnet.bad.se (Sara Gordon) Subject: Re: Integrity Master update (PC) just a note.. some people reading the virus-l/comp.virus want to get the a-v files, but aren' t able to use ftp, etc. the list rob slade made of bbs that have the files is really quite good, but i'm not sure if they would all have the latest files such as integrity master, f-prot, tbscan, scan. for people who do not know how to ftp or do file requests, simple downloading of files is available on 'traditional' type bbs (not the internet sites), and rob's list is very good for helping find a bbs near you that has these files. anyone who wants to file request, or download these files can do so from my ( private) system :), the number is 219-273-2431. the login, if you wish to not identify yourself, is demo account. the password is system. of course, i dont really want my system tied up all day and night doing this, so please look near you first, but if you cant find, consider this an invitation to get them here. If you want to read the virus-L faq and cant ftp it, you can d/l it here, or read it online. Intergrity Master is sent to this system directly from the author as is VirX. F-Prot, Scan, TBscan, and the other programs are obtained from either the author's ftp sites, or a site utilized by the author. With all of the hacked a- v programs floating around, it is of course important to verify that the file you get is really -helping- you. # talk to me about those computer viruses.... # sara@gator.use.com # vfr@netcom.com # SGordon@Dockmaster.ncsc.mil - --- GEcho 1.00 * Origin: VFR SYSTEMS (219)273-2431 'ask us about VIRNET' (9:10/0) ------------------------------ Date: Sat, 19 Dec 92 06:03:00 +0000 From: Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem) Subject: VSHIELD, VIRSTOP, ... comparison ? (PC) (Sorry, Aryeh... I just have to...) > 1) VShield can check the authentication codes added to the files by > SCAN /AV (it is a BAD idea to modify other people's files!) and refuse > to run those that are not "checksummed". Unfortunately, this feature > can be trivially bypassed (i.e., it is trivial to write a virus that > adds a correct checksum to the file it infects). This is true when using VSHIELD with the /CV option. A better option to use is the /CF one, which compares the checksums from an external file created by SCAN /AF command and does not alter any executable file. > 3) VShield uses much more memory than VirStop. But may be loaded to high memory, and then needs less then 1K of conventional memory. > 6) VShield can be removed from memory (very BAD idea!). That's why there is the /NOREMOVE option... Regards, Rudy. - ---------------------------------------------------------- Nemrod.Kedem@f101.n9721.z9.virnet.ftn (Nemrod Kedem) FidoNet: 2:403/138 VirNet: 9:972/0, 9:9721/0, 9:9721/101 (972)3-966-7562 (14.4K) (972)3-967-0348 (Voice) P.O.Box 8394, Rishon Le-Zion, Zip 75253, Israel. - ---------------------------------------------------------- - --- FastEcho 1.21/Real! * Origin: Make Safe Hex! (9:9721/101) ------------------------------ Date: Sat, 19 Dec 92 20:58:00 +0000 From: Malte_Eppert@f6002.n491.z9.virnet.bad.se (Malte Eppert) Subject: Pink dos color -Virus? (PC) Hello! > My default dos foreground color is Pink not low intensity > white. Is this possibly a virus? I booted from a protected floppy > master disk - - no change! Does your monitor display the default gray at all after the failure? If not, try to fix your video cable. It just may be a loose contact. Had that before, and all the gray on the screen turned pink, until I fixed the cable. cu! eppi - --- Via SCANTOSS V 1.37 * Origin: No Point for viruses - The EpiCentre! (9:491/6002) ------------------------------ Date: 21 Dec 92 11:50:23 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Is this a new virus? (PC) tck@fold.ucsd.edu (Kevin Marcus) writes: > I have varients of stoned which copy to 0,0,15, and 0,0,7, as well as a > few other locations. They do not necessarily copy to the same spot. And we have here variants that put the original MBR at 0,0,2 and 0,0,8. This is irrelevant. What is rellevant is that the problem with Michelangelo occurs exactly because the "standard" Stoned variant put the original MBR at 0,0,7 - at the same place as Michelangelo, and because the two viruses do not recognize each other. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 21 Dec 92 12:45:03 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Virus Simulator MtE Available (PC) as194@cleveland.Freenet.Edu (Doren Rosenthal) writes: > Virus Simulator MtE Supplement Available [stuff deleted] > Virus Simulator (introduced earlier) and this new Virus > Simulator MtE Supplement are not intended to replace the > comprehensive collection of real virus samples as > maintained by Rosenthal Engineering and other anti-virus > product developers for testing. Virus Simulator MtE > Supplement produces safe and controlled dummy test files > that enable users to verify that they have installed and > are using their MtE virus detecting programs correctly, > additionally affording an opportunity for a practice > training drill under safe and controlled conditions. I've had some very strong objections against your virus simulator in the past. I have not seen yet your MtE simulator, but I have the following questions about it: 1) Does is simulate perfectly the behavior of the MtE? I.e., are the dummy files generated by it the same as if generated by the MtE? If not, then it is not good as a simulator, because the simulation is not perfect enough. 2) If the answer of the above question is "yes", then it means that it uses the MtE itself to encrypt the dummy files - because using anything else would mean imperfect simulation. If it uses the MtE, do you include the MtE itself in the generated dummies? 3) If the answer of the above question is "no", then the simulation is again not good enough, since the only way a scanner could detect the unencrypted replicants of an MtE-based virus is to scan for a scan signature of the unencrypted body of MtE. If the answer of the above question is "yes", then it is pretty easy to extract the MtE from the unencrypted dummies... Therefore, you are distributing malicious software... Conclusion: regardless how you answer to the above questions, either the simulator is useless, or you are distributing malicious software... Hmm, I was able to draw this conclusion even without having to look at the simulator... Pretty good, isn't it?... :-) Leaving the ethical problems aside, do you try all kinds of flags (i.e., the contents of the AX register before calling the MtE)? Because, if you don't, you'll be able to generate only a small subset of the code that can be generated with the MtE... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Mon, 21 Dec 92 09:01:07 -0500 From: Mike Mulrooney Subject: Tequila on the Pc (PC) Could somebody out there please give me some info on the various strains of the TEQUILA virus. We have unfortunately contracted it at one of our sites here and there was no virus protection there to stop it (they feel pretty daft). So I am left to try and pick up there pieces and would like to know a little background info on the little critter. Also I am sorry if this is a FAQ but - what is the best SHAREWARE-FREEWARE-ETC software to use for the first line of defence, the RAM overhead and sig updates is important. Many Thanks Mike Mulrooney -- Senior Network Technician Edge Hill College of HE - Lancs - UK ------------------------------ Date: Mon, 21 Dec 92 10:01:08 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: CHKDSK & PC-DOS 5.00 (IBM) (PC) My last last word on DOS 5.00 CHKDSK problem with big disks (promise) It seems that the same problem *may* exist in PC-DOS 5.00 from IBM however I do not have PC-DOS 5.00 so cannot say for sure. However if it does exist, here is how to tell. First PC-DOS VER/R is said to give a slightly different output than MS-DOS 5.00 VER/R e.g. IBM DOS Version 5.00 Revision 1 CSD URxxxxx 02/92 (note: this version apparently has the "fix") According the report, PC-DOS uses CHKDSK.COM instead of CHKDSK.EXE (though still in .EXE format) and further, it is 16 bytes shorter than the MS-DOS 5.00 CHKDSK.EXE (16,184 bytes vs 16,200). Accordingly, the fragment in question appears to be at DEBUG offset DS:2633h instead of DS:263Eh (offset used in my .BAT file was different since file was "converted" to permit update). The same check should be valid (8B 4F 0F 8B F9 indicates the "early" version while 8B 7F 0F 32 ED is an indicator of the "fixed" CHKDSK) just at the different offset, but as said, I do not have a copy of either version of PC-DOS 5.00 so your guess is probably better than mine. * | abc defgh And a Merry Christmas to All, ijklmno pqrstuvwx Padgett yzabcdefghi jklmnopqrstuv wxyz __||__ ------------------------------ Date: 21 Dec 92 17:08:51 +0000 From: yoshida@microsupport.sas.upenn.edu (Dan P. Yoshida) Subject: RE: VI-SPY 10.0 spitting out strange numbers... (PC) 12/21 I talked to RG Software: According to them the numbers are debugging codes that only beta versions of 10.0 should display. The numbers only showed up when vi-spy was being run by the AUTOVS program, so this could have been the problem somehow. Their recommendation: erase the current version of vi-spy and reinstall from an original disk know to be a release version. - --dan [Moderator's note: Thanks for the follow-up, Dan. This is exactly the sort of thing that I had in mind with regards to posting product support questions and summaries here. I hope that others follow this example.] Original post: > VI-SPY 10.0 > RG Software Systems, Inc. > > Has anyone encountered this problem with VI-SPY 10.0? > > I have vi-spy running from the autoexec.bat on a Northgate > 386 that has a Stacker "stacked" drive. > > On boot up, vi-spy starts to check for viruses, then it spits > out four numbers, <<3031>>,<<3120>>,<>,<<4549>>, > then the system freezes (need to hit the reset button). ------------------------------ Date: Mon, 21 Dec 92 21:49:06 +0000 From: aryeh@mcafee.com (McAfee Associates) Subject: Re: INFO SOUGHT: FILLED virus (PC) Hello Ken McVa, You write: [...deleted...] >When SCANV was run, it warned of FILLED three times, after the format ^^^^^^ Filler virus, perhaps? >- - local rumour has it FILLED resides on an area of the disk DOS >doesn't read - at any rate, after three warnings, the system was shut >down. [...deleted...] When SCAN is run in the presence of certain other anti-viral programs, such as Central Point Anti Virus, it can erroneously report the presence of viruses because if the other program uses the same piece of code SCAN does to detect the virus but does not hide that code in memory. Regards, Aryeh Goretsky Technical Support - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1 Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 ------------------------------ Date: Mon, 21 Dec 92 18:23:54 -0500 From: Jimmy Kuo Subject: Re: DAME update (PC) Dave Mickle x5205 reports: >Further investigation reveals DAME was reported by NAV V9.5, *NOT* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >some infected program running on the machine. SCAN V99 did not find >it. The owner has good habits, controls access to the PC and is >careful about installing new software. I'm concluding it's a false >positive. I'd like to thank the folks at MacAfee and HI Industries >who were kind enough to call and offer the benefit of their >experience. Um... DAME could *NOT* have been reported by NAV V9.5. NAV does not have a version 9.5 and NAV uses the name "MtE", not "DAME". Jimmy Kuo cjkuo@ccmail.norton.com Norton AntiVirus Research ------------------------------ Date: Mon, 21 Dec 92 18:27:59 -0500 From: Jimmy Kuo Subject: Re[2]: Stoned Virus (PC) mrosen@nyx.cs.du.edu (Michael Rosen) writes: >I've encountered what seems to be a new variant of stoned (according >to a guy who works in the computer center here) on my diskettes when I >use them in our computer labs occassionally. Norton Anti-Virus sees >as it as my boot sector being infected by Bloomington, while f-prot >says I have stoned. According to f-prot's files in viruses, >Bloomington is a cousin to stoned. What NAV reports as Bloomington is more commonly known as NoInt and has since had its name changed in NAV to NoInt. NoInt is a stoned variant. >The guy I spoke to is sending my diskette to the author of f-prot. >It's quite annoying; it creates invisible junk files on my diskettes. >I'll get a file name on there with portions of garbage characters and >some partial words like "DOS 5.0" or other words. Just recently it >destroyed a bunch of files that thankfully I couldn't find again, >though it was a major pain. Your data corruption is likely the result of the virus overwriting one of the sectors with its saved copy of the original boot sector. The original boot sector looks to have been written over a sector that serves as your directory sector thus creating a number of strange looking files. It is not that you have invisible junk files on your diskettes but rather the directory table is bad. (Garbage in certain fields that get translated as file names, garbage in other fields that translated into where the supposed file begins...) You can edit the directory to eradicate the bad filenames or better yet, copy off the files you know and reformat the diskettes. Jimmy Kuo cjkuo@ccmail.norton.com Norton AntiVirus Research ------------------------------ Date: 22 Dec 92 00:24:47 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Vshield vs Virstop (PC) maven@kauri.vuw.ac.nz (Jim Baltaxe) writes: >Maybe this is being greedy, but would it be possible for you to put a >switch into VIRSTOP that would force it to use the Secure scan >mechanism? Possible, but difficult. The biggest problem is that VIRSTOP is written in 100% assembly, while the Secure scan is in a C/assembly mix. If I created a "Secure Scan" version of Virstop, I don't see how I could get the memory requirements below 30K. The 2K size (if using /DISK) is ok for most users, but 30K is a different story... - -frisk ------------------------------ Date: Sun, 20 Dec 92 15:02:25 +0000 From: bjl1@Ra.MsState.Edu (Brett J.L. Landry) Subject: Viruses in OS/2 HPFS (OS/2) There has been aa lot of talk about OS/2 not being able to be infected from regular old DOS boot sector viruses using the HPFS. This is false since regular old STONED can infect both logical and physical parttions on OS/2 using HPFS. Why wait for true OS/2 viruses when you can suffer from regular DOS viruses. - -- - --------------------------------------------------------------------- |------------------ Brett J.L. Landry, bjl1@ra.msstate.edu, -------| ------------------------------ Date: Sun, 20 Dec 92 15:12:05 +0000 From: bjl1@Ra.MsState.Edu (Brett J.L. Landry) Subject: Problems in MCAFEE OS/2 Clean (OS/2) I downloaded the new OS/2 wares from Mcafee and had mixed results. OScan discovered that there was stoned in two partitions on 120 meg drive that was partitioned into a 40 and 80 meg C and D respective drives. The problem came into play when I cleaned using OSclean. It removed stoned but also removed the second partition loosing the 80 meg section. This was in a single boot HPFS scenario. Any thoughts on this would be appreciated. Brett J.L. Landry - -- - --------------------------------------------------------------------- |------------------ Brett J.L. Landry, bjl1@ra.msstate.edu, -------| ------------------------------ Date: Mon, 21 Dec 92 11:32:23 +0000 From: tytgat@esat.kuleuven.ac.be Subject: viruses in OS/2 environment (OS/2) I'm looking for information (books, articles, news-items...) about the spread of virusses in an OS/2-environment : have any infections (DOS or OS/2 viruses) been reported yet ; what's the impact of compartmentalisation on the infection power of DOS-viruses ; how is this compartmentalisation actually realised within OS/2, etc. ... Thanks. Pedro Tytgat ------------------------------ Date: Mon, 21 Dec 92 22:07:12 +0000 From: aryeh@mcafee.com (McAfee Associates) Subject: Questions about OS2SCAN and OS/2-based AV software in general (OS/2) Hello Vesselin, You write: >>I write: >This is not actually a problem. Since the scanner runs in its own area >of memory, protected from the other processes, it cannot be fooled by >a stealth virus and cannot be made to spread a fast infector on all >files it scans... In fact, I am wondering why a memory check is >performed at all by an OS/2-based scanner... Are you aware OS/2 scanners that do? I know that IBM's Antivirus/2 has a DOS-based TSR component which scans memory when a DOS session is started up. But that's really an anti-viral for DOS, not OS/2. >> - - OS2SCAN checks "extended filenames" and HPFS-partitioned >> drives as well as DOS (FAT) drives. >Do you know any way in which a known DOS virus can infect an extended >filename on an HPFS partition? Nope. But I myself create directories under OS/2 HPFS with names like "MS-DOS 3.3 Files" and "Today's Downloads" in which I keep normal DOS files. I'm sure other people do as well :-) Regards, Aryeh Goretsky Technical Support - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1 Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 ------------------------------ Date: Tue, 22 Dec 92 08:51:58 -0500 From: Kenneth R. van Wyk Subject: Re: Questions about OS2SCAN and OS/2-based AV software in general (OS/ 2) Aryeh Goretsky writes (in response to Vesselin): > >Do you know any way in which a known DOS virus can infect an extended > >filename on an HPFS partition? > > Nope. But I myself create directories under OS/2 HPFS with names like > "MS-DOS 3.3 Files" and "Today's Downloads" in which I keep normal DOS > files. I'm sure other people do as well :-) I, for one, use long file/dir names (such as these) extensively on my home OS/2 system. A short filename scanner (e.g., a DOS-based product running in a DOS session) would see only a very small portion of my primary HPFS partition, which has DOS files strewn all over it. That is why I use an OS/2-specific product. Opinion: long filenames is one of the things that makes HPFS so nice to work with, especially when combined with a command interpreter that can do name completion. Cheers, Ken van Wyk ------------------------------ Date: 21 Dec 92 12:35:04 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Viral Based Distribution System ygoland@edison.SEAS.UCLA.EDU (The Jester) writes: > If the purpose of the program is to automatically cause some > 'change' in various computers, then the program must execute from a > loader or an infected file. If its being launched from a loader then > the need for the distribution system is nullified. Assuming the goal > is to still keep absolute system security, then the loader will be > 'allowed' in by the administrator but the virus it is loading won't > be allowed to attach itself to another program, just make the change > for the single user that activated the loader. Yes, this is exactly how the current products with virus-like distribution work. The "loader" is the system login script of Novell NetWare. When the user logs in, the script checks whether his/her workstation has an up-to-date version of the software, and if not copies the newest version of the software from a secure directory on the server to the workstation and requests a reboot. > If this is an > effective means of distribution then why use a virus at all? The question is incorrect. According to Dr. Cohen's definition, "this" - -is- a virus. And, since you are using it to do something you would like to be done, it is obviously a benevolent virus. Do you see the misunderstanding now? It's all matter of definitions... > In conclusion, a system that changes in an unpredictable manner, > that uses hard to track mechanisms of change, is a security > nightmare. Yup... Ever tried MS Windows?... :-) > Just as self modifying programs have been given a very > bad reputation for very good reasons, a viral based distribution > system deserves a similarly bad reputation. Does it? Why? Because of the word "virus"? But they just don't use that word when selling you the package! They call it "Installs and Updates Hundreds of PCs on a Network in One Easy Step" (Symantec), "Completely Centralized Anti-Virus Strategy" (Central Point Software) or others some such... > The Jester-PGP Ver2 upon Request Please consider this a request... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 207] ******************************************