VIRUS-L Digest Thursday, 14 Apr 1994 Volume 7 : Issue 27 Today's Topics: New Mac Virus Announcement -- Please circulate (Mac) Re: A few truths good vs bad viruses Re: virus signatures of rare viruses Re: Intelligent detection AVP 2000 protection from virus in college labs Fractal Virus Detection NT viruses? (NT) Re: Is speed really important? (PC) Monkey comments (PC) VDS questions answered (PC) VDS, compatibility etc. (PC) Virus on MS DOS 6.2? (PC) have I been hit with a virus (PC) Form Virus: "Deform.exe" available... (PC) Re: DOS 6.X Anti-Virus (PC) Monkey/Telecom Virus (PC) Re: MS-DOS 6.x Anti-Virus (PC) Need info on Coffee Shop / April Fools (PC) MUSH.COM? (PC) Re: MSAV signature files via FTP? (PC) Form.A (PC) No PC viruses on 3.5" disks? (PC) winword 6.0a (PC) V-CARE (PC) McAfee NETShield v1.60 - Antivirus NLM for NetWare 3.x/4.x (PC) dsii242.zip - BIOS-level anti-virus with access control (PC) A. Padgett Peterson's program update (PC) Conference: IFIP SEC '94, 23-27 May 1994 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Sat, 02 Apr 94 11:50:02 -0500 From: spaf@cs.purdue.edu Subject: New Mac Virus Announcement -- Please circulate (Mac) New Macintosh Virus Discovered (INIT-29-B) 2 April 1994 Virus: INIT-29-B Damage: Alters applications, system files, and documents. May cause unexpected program failures or system crashes. Spread: few reported cases yet, but might have spread widely. Systems affected: All Apple Macintosh computers, all systems. The INIT-29 virus first appeared in late 1988. We do not know much about its origin. A variant of the INIT-29 virus has recently been discovered at a West Coast US site. Its behavior is similar to that of the original INIT-29 virus. Both strains of INIT-29 spread quickly and widely. INIT-29 viruses will alter and infect almost every kind of file, including document (data) files; infected document files do not spread the INIT-29 virus, however. All versions of INIT-29 will infect both applications and systems files, and will spread from those files. An application on an infected computer may itself become infected even if it is not launched or executed. INIT-29 viruses may reveal themselves when a locked floppy disk is inserted in the disk drive. An infected Mac will display the alert: The disk "xxxxx" needs minor repairs. Do you want to repair it? Previous experience with the original INIT-29 virus indicates that the INIT-29-B version may cause printing problems and unexpected crashes. Some applications may fail to run correctly. Damage may occur as a result of the file and application modifications. According to feedback from the publishers and authors of the major anti-viral software programs, information about possibly needed upgrades to known, actively supported Mac anti-virus products is as follows: Tool: Central Point Anti-Virus Status: Commercial software Revision to be released: 3.0d Where to find: Compuserve, America Online, sumex-aim.stanford.edu, Central Point BBS, (503) 690-6650 When available: now Comments: New 'MacSig' antidote file available - dated 4/2/94. Tool: Disinfectant Status: Free software (courtesy of Northwestern University and John Norstad) Revision to be released: 3.5 When available: now Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac Tool: Gatekeeper Status: Free software (courtesy of Chris Johnson) Revision to be released: 1.3.1 When available: last released version (1.3) is effective; no update needed Where to find: usual archive sites and bulletin boards -- microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac Comments: revision 1.3.1 (responding to INIT-9403) remains pending; release date is currently not available. It is recommended that you use the latest version of Disinfectant INIT together with the latest released version of GateKeeper; this will provide satisfactory protection. Tool: Rival Status: Commercial software Revision to be released: N/A When available: now. Where to find it: America Online: RIVAL, AppleLink: TESTNONE, Compuserve: 73112,2144, Internet: miserey@laguna.ics.uci.edu Comments: The current version of Rival detects and removes INIT-29-B Tool: SAM (Virus Clinic and Intercept) Status: Commercial software Revision to be released: 3.5.12 When available: now Where to find: CompuServe, America Online, Applelink, Symantec's Customer Service @ 800-441-7234 Comments: Updates to various versions of SAM to detect and remove INIT-29-B are available from the above sources. Tool: Virex Status: Commercial software Revision to be released: 5.03 Where to find: Datawatch Corporation (919) 549-0711 When available: now Comments: Virex 5.03 will detect the INIT29-B in any file, and repair any file that has not been permanently damaged. All Virex Protection Service members will automatically be sent an update on diskette. All other registered users will receive a notice by mail. Datawatch's BBS number is: (919) 549-0042. UDV Code for INIT29-B Guide Number = 15753664 1: 0302 3000 1276 0000 / 57 2: A9F0 303C A997 A146 / 9D 3: 2028 FFFC 8180 9090 / 4C Tool: VirusDetective Status: Shareware Revision to be released: N/A When available: now Where to find: various Mac archives Comments: VirusDetective is shareware. The current version (5.0.11) identifies INIT-29-B. If you discover what you believe to be a virus on your Macintosh system, please report it to the vendor/author of your anti-virus software package for analysis. Such reports make early, informed warnings like this one possible for the rest of the Mac community. If you are otherwise unsure of who to contact, you may send e-mail to spaf@cs.purdue.edu as an initial point of contact. Also, be aware that writing and releasing computer viruses is more than a rude and damaging act of vandalism -- it is also a violation of many state and Federal laws in the US, and illegal in several other countries. If you have information concerning the author of this or any other computer virus, please contact any of the anti-virus providers listed above. Several Mac virus authors have been apprehended thanks to the efforts of the Mac user community, and some have received criminal convictions for their actions. This is yet one more way to help protect your computers. ------------------------------ Date: Sun, 03 Apr 94 01:09:22 -0500 From: rmk4@midway.uchicago.edu (Robert Knippen) Subject: Re: A few truths rreymond@vnet.IBM.COM writes: >Hi all, Kohntark wrote: > >>The idea here is the majority of viruses are not intended to cause >>damage intentionally. If they do, well, they are not alone, commercial >>products have the same unexpected effects. >>Just try using a few newer products in older DOS systems. > >Hmmm.... I think you are not considering another side of the prob. A commercial >product is usually tested (level alfa and beta) before release. Those tests >are done in the widest possible environment, just to avoid incompatibility and >or system crash. It's the main interest of the developer to do so, 'cause it is >not a good commercial image to sell products that, sooner or later, got the >name to be buggy and lame. Obviously, it can happen that someone made an error Not to mention the fact that commercial products are a _calculated_ risk. I know that if I run a new piece of software in my old machine, something bad might happen; I get to make the call. Nobody ever gets to decide if they want to be infected or not (well, most people don't get to). Also, it's not feasible to run a machine exclusively on custom-fitted software; you're going to have to take a minor risk eventually. On the other hand, people can get on quite well without any viruses. Comparing the incompatibility problems in commercial software and those found in "harmless" viruses is just stupid. Any behavior of my machine that I didn't ask for, whether or not some goofball who wrote the code thinks it's safe or not, is simply an invasion, not defensible on any grounds. What I find most annoying about this whole topic is the fact that many of the people who think it's cool to write viruses do not think it's cool for the government to interfere in their lives. Why is it cool to mess with other people's stuff? Bob Knippen r-knippen@uchicago.edu ------------------------------ Date: Sun, 03 Apr 94 18:39:18 -0400 From: Iolo Davidson Subject: good vs bad viruses Karl Tarhk writes: >Is is common knowledge that virus infection and 'damage' figures >are way out of proportion to scare users and sell more AV software. I would like to see your evidence for this statement please. >If your statements are not supported by someone's knowledge or studies, >then your truth is a particular one and might not have much in common with >a universal truth. Just so. You are correct. So what is the support for your first statement? Iolo Davidson (no club, lone wolf) ------------------------------ Date: Sat, 02 Apr 94 04:17:09 -0500 From: frisk@complex.is (Fridrik Skulason) Subject: Re: virus signatures of rare viruses vollmerm@fh-nuertingen.de (Michael Vollmer) writes: >Hi comp.virus-guys, >does anybody knows where to become signatures of rare viruses >that common virus scanners not search for, Uh, what do you mean by "common virus scanners" ? Anyhow, the fact is that the publically available lists of virus search strings simply are not sufficient to match the detection rate of many of the scanners that exist today. There are two main reasons - there are many polymorphic viruses for which no patterns are possible....and selecting the patterns is too much work for anybody to do it for free. After all, we are seeing around 7 new viruses per day, on the average. - -frisk ------------------------------ Date: Sat, 02 Apr 94 16:48:17 -0500 From: jbyrd@well.sf.ca.us (John W. Byrd) Subject: Re: Intelligent detection Fernando Bonsembiante (fernando@ubik.satlink.net) wrote: : En un msg del Miercoles 16 de Marzo de 1994, Vesselin Bontchev le escribio a : All: : VB> Yes. :-) Seriously, it is a synthesis of disassembly and application : VB> of common sense, backed up with a lot of experience in the anti-virus : VB> field. : It's true. Today I was thinking about that, about a standarized and : easy-to-follow manual desinfection procedure for unknown viruses in unknown : systems (I mean, with no pre-infection integrity checking). I arrived to the : conclusion that it's impossible, even if the procedure is to be followed by a : thinking person. It's definitely a matter of common sense and experience. : Just think on polimorphic, multipartite, tunneling or FAT viruses... There was an interesting application of Godel's theorem to virus detection on the net a couple years ago. It was basically a high-level proof that a universal disinfector cannot exist for every constructable virus. The proof went something like this. Say you write the perfect virus detection program, VPERFECT, which scanned any file and told you whether it was infected or not. It returns true if the file is infected and false otherwise. Given VPERFECT, then, it would be possible to construct a virus called METAVIRUS that worked as follows: If VPERFECT( METAVIRUS ) then do nothing otherwise infect other programs In essence, this virus only activates if the VPERFECT scanner says it's not a virus, and it does nothing if VPERFECT says it's a virus! You conclude that VPERFECT necessarily doesn't work for every possible virus. This logic can fail only because a computer only has a finite number of states, and theoretically it is possible (though computationally ridiculous) to list exhaustively all states in which a finite-state machine is infected. In sum, yeah, just keep using McAfee, and beware of any so-called universal virus scanners. ------------------------------ Date: Mon, 04 Apr 94 23:05:23 -0400 From: "Jeffrey Rice - Pomona College, California." Subject: AVP 2000 I just downloaded AVP 2000 from Uni-Rostock. I was surprised to see that this program will attempt to remove a virus from memory. How effective is this, and how safe? In a very short look at the program, I was rather impressed by the options. What kind of hit rate does it get? I thought I heard +/-80% awhile back, but I'm not sure. Does anyone have some information on this program? Jeff Rice Pomona College ------------------------------ Date: Tue, 05 Apr 94 08:35:21 -0400 From: adamsb@un.org Subject: protection from virus in college labs >Julian Orvis jorvis@madonna.ec.usf.edu wrote: >If those of you at any other campuses have had success with procedures >implemented or other good ideas that would give us a better handle on >this problem ... We have a large Banyan environment and found a reasonable approach to the problem you described. We installed McAfee's SCAN on each of our Banyan Servers and changed the User Profile of every Banyan user to include running SCAN of the C: drive and directories when the user logs into Banyan. We changed the AUTOEXEC.BAT file in every user's PC to include invoking the Banyan login when the machine is turned on or re-booted. Finally, we asked everyone to turn off their PC's at night. As a result, almost all networked PC's are scanned at least once a day by anti-virus software that lives on the Banyan Server. We detect and clean out Form and Jerusalem virus with equal frequency. We also have some stand-alone PC's that are frequently infected from floppy diskettes that came in from legal sources or offices of various governments. We installed McAfee's SCAN on these machines and ask the users to reboot every day. To the best of my knowledge, no virus has ever got past a third machine here, every virus was stopped before or at the third infection. As I am currently doing research on network security, I have asked several of the subscribers to this list for information or advice. As a result of that advice, I am now l looking for ways to run McAfee's Scan and F-Prot on alternate days on our most critical servers. Bernard Adams, Telecommunications Engineer Technological Innovations Service Electronic Services Division United Nations, New York ------------------------------ Date: Tue, 05 Apr 94 17:00:36 -0400 From: "Tom Zmudzinski" Subject: Fractal Virus Detection Allow me to pose a question to computer science grad students in search of new and wonderful ways to burn computer time: Is there something "virus-ish" in an infected file that is detectable regardless of the particular virus involved? Before you yell "NO! FLAME TO FOLLOW!" consider this: In the side-bar "Show me the trains" (COMPUTERWORLD, 5 July 1993, page 28) Ellis Brooker described using the fractal representation of a freight train to search a large number of fractally compressed images to identify those data sets that contain (visible) trains if decompressed -- the fractal equations form a kind of shorthand for identifying the content of complex images. In other words, there's something "train-ish" that remains detectable in a such a file. (BTW, fractally compressed color graphic data is typically 1/60th the size of the original file; neat hack!) This line of research may be totally impractical; on the other hand, who knows? Tom Zmudzinski ZmudzinT@cc.ims.disa.mil The preceding _may_ have been the greatest work of fiction since vows of fidelity were included in the French wedding ceremony. Make of it what you will. ------------------------------ Date: Wed, 06 Apr 94 18:56:49 -0400 From: Craig Williamson Subject: NT viruses? (NT) Have there been any NT viruses yet? As we consider moving to NT or Chicago as our OS, I wonder about DOS viruses causing problems and how we can find and fix them in that enviornment. Since DOS is not going to be in Chicago or Daytona (the next release of NT) how much of a problem could it be? Craig craig.williamson@columbiasc.ncr.com AT&T Global Information Solutions ------------------------------ Date: Fri, 01 Apr 94 11:49:33 -0500 From: u801403@Winkie.Oz.nthu.edu.tw (Jimmy Chung - from TAIWAN) Subject: Re: Is speed really important? (PC) Karl Tarhk (src4src!ktark@imageek.york.cuny.edu) wrote: > >TbScan has only 8 microprocessor instructions in the crucial inner loop. > [etc. etc. deleted] > Short of engaging everyone in a "my scanner is faster, my scanner is > better, we sell more copies than you" war let me bring a bucket of > cold water to the matter. > I tested 100 different generations of the DSME (dark slayer mutation ^^^^ ^^^^^^^^^^^^ Hi! friend... In fact, DSME 1.0 is only a test program. Because a magazine writer post the message of polymorph engine( MtE, TPE) in our country, so Dark Slayer wrote DSME 1.0 to meet the ability of polymorph. He indeed had NEVER other polymorph engine before. Because the ability is not very powerful yet, so many Scan's AV will show "found [TridenT]" for the answer. I think TBAV and FP lost the DSME's viruses because DSME does NOT look like other polymorph device all over the world, so the signature of DSME is not the same as other engines. > engine, taiwan) available in most Virus Exchange BBSs around the world; > against F-prot 2.11 and TBSCAN 6.10. > F-prot 2.11 /analyse mode => No viruses or suspicious files/boot sectors > found > Tbscan 6.10 Heuristics level 2 => 55 files infected by DSME. > - ----------------------------------------------------------------------------- > It is pretty obvious Frisk hasn't gotten around detecting DSME yet... > (soon?) Dear Frisk : If you want to get DSME 1.0, i am glad to mail you that because I like your product. Maybe my post do not suit the TOPIC. I just want to join your discuss here. Sincerely yours. Jimmy Chung Hsin-Chu, Taiwan, ROC - -- /^ ^\ +-------------------------------------------------------+ / 0 0 \ | National Tsing-Hua University, Hsin-Chu, Taiwan, | V\ Y /V | Department of Power Mechanical Engineering, | / - \ | Chung Yuan-Kai or Jimmy Chung | / | | E-mail: u801403@Winkie.Oz.nthu.edu.tw | V__) || +-------------------------------------------------------+ ------------------------------ Date: Fri, 01 Apr 94 13:02:12 -0500 From: Brian Seborg Subject: Monkey comments (PC) Okay, Vesselin and Dave are technically correct with respect to my having an extra step in my monkey cleaning technique since you will NOT have the Monkey infected MBR. However, I still think that this technique is the most reliable because it does NOT assume that your MBR was necessarily clean to start with. One point for both Vesselin and Dave! :-) Thanks for pointing out a short-cut to my procedure. Also, Dave is right, I am assuming a certain level of expertise on behalf of the user, but it was either that, or assume a certain level of expertise on behalf of some potentially inept virus cleaning package. :-) Brian Seborg VDS Advanced Research Group ------------------------------ Date: Fri, 01 Apr 94 18:25:52 -0500 From: tyetiser@umbc.edu (Mr. Tarkan Yetiser) Subject: VDS questions answered (PC) Hello, bontchev@fbihh.informatik.uni-hamburg.de writes: >Fridrik Skulason (frisk@complex.is) writes: >>>The default .ini file contains QUICK_VERIFY = yes, which makes VDS >>>fail to find fairly significant changes to a test .exe file, including >>>changing several bytes, changing the date, etc. >> Those changes "significant", but they are not virus-like - without >> having seen the program, I suspect it would catch all changes made my a virus >> infection - different entry points & changes to program size for example >Umm, I tend to disagree. A good integrity checker must be able to >checksum the *whole* file. It is OK if it has a fast-and-insecure >mode, in which it checks only things that are *likely* to be caused by >a virus and even if it does this by default. It is definitely *not* >OK, however, if it doesn't have the capability to verify the integrity >of the whole file. There's nothing to disagree here. If you read carefully, there is a setting "QUICK_VERIFY=yes". Well, that can be set to NO. Guess why? To perform a more thorough (but slower) verification. After all, if an integrity checker did not have the option to check the whole file, it would be very poor. >As an example, consider the Omud virus. It sometimes overwrites a >random part of the file, without pointing the entry point to itself. >The file size doesn't change, the entry point doesn't change. An >integrity checker which tries to be too smart will not notice anything >- - yet if the virus part in the file receives control during the normal >execution of the infected program, it will be able to run and infect >properly. There are other examples, which are relatively easier to Doesn't Omud increase the file size? Receives control? How? Randomly? Hmm, not a virus likely to go too far :-) It needs to arrange to get control to spread well enough. Some very buggy viruses such as this one damage their victims. The result is a program that does not function properly and a virus that does not spread. Not really a serious concern compared to better-written viruses that can create epidemics in a very short time. >handle - like the Emmie and LeapFrog viruses, which do not modify the >file entry point, but the place where this entry point points to. An integrity checker should detect this sort of change even in quick mode. If not, it is probably just checking the file size, which is NOT enough. >True, they also modify the file size, but it is trivial to combine >this strategy with something like Darth Vader or any other cavity >virus does. Strategy? This is a bug in the virus, nothing crafted by design :-) The bigger concern is stealth mechanisms in viruses that work correctly. They can hide both the size change and the modifications to their victims, unless the AV product can bypass them somehow. For example, many scanners spread the infection and do not notice anything if a stealth virus is active in memory and the scanner does not have a signature for it. On a side note, a "cavity" virus? I think I know what you mean... But is this a new CARO term? It's quite fitting. Hmm, I like it; I guess I'll use it too. Regards, Tarkan Yetiser ------------------------------ Date: Fri, 01 Apr 94 18:26:00 -0500 From: tyetiser@umbc.edu (Mr. Tarkan Yetiser) Subject: VDS, compatibility etc. (PC) Hello, bontchev@fbihh.informatik.uni-hamburg.de writes: >Tarkan). The shareware version of the product which is on the ftp >sites contains also an integrity checker, which, unlike the scanner, >is reasonably good. It's main drawback is its inability to run on some >unusual environments, like compressed disks, encrypted partitions, >(maybe SCSI drives? dunno, don't have one to test), and so on. That is no longer the case, Vesselin. Version 3.0 addressed the compatibility issues sufficiently well. In 1991, compressed drives were not as common as today. After MS-DOS introduced DubiousSpace, that changed quite a bit. In retrorespect, people tried disk compression because it was now "okay" since even DOS did it. This helped the disk compression market in a big way. Now the DoubleSpace is part of history along with DR DOS 6 and other stuff. At least as far as Microsoft is concerned. But their brief entry into this field pushed other competitors to try harder and make their products better. Of course, this was probably not what Billy had in mind :-)) Disk compression is still a risky business (no pun). In the world of Windows, where everyting is unstable, compression adds one more thing that can go wrong. Some people wish to use it at their own risk, obliging to the disclaimer, no less :-) As for any other package, we've kept getting feedback and improving the product. Compatibility issue was addressed at that time. Several generic features as well as configuration options were added/enhanced to provide a stronger and practical solution. VDS 3.0 can even handle Netware volumes without getting confused by the dynamic drive mappings. It works well on STACed and DoubleSmashed disks too :-) BTW, Stacker 3.1 (and 4.0) offers a more seamless compression than DoubleSpace. I think it has to do with DS not keeping the same serial number for the DS boot sector. I'm not sure. Anyway, people still use a popular scanner and assume their system is safe. Even though the numbers game buy them very little assurance in real life. Being the early bird in a field almost always helps. For example, how would you use a Windows-only anti-virus in the case of an emergency? Can't boot off of a clean DOS diskette and run it... Or run Windows off of the same floppy. The user interface sells the product even though the golden rule of dealing with viruses cannot be followed. I wonder what the manual for such a product advises ... Reading the disclaimer perhaps :-) Cannot pop in the trusty DOS diskette and boot clean and run the AV product! People should be told about such things. >Available from our ftp site in both .DVI and PostScript format: >ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/vds_rep.zip I hope you will be equally generous and put the VDS30 shareware edition on your FTP site as well :-) It's on Simtel-20 mirrors. Regards, Tarkan Yetiser ------------------------------ Date: Fri, 01 Apr 94 20:58:56 -0500 From: paul%mahler@uunet.uu.net (Paul W. Shew) Subject: Virus on MS DOS 6.2? (PC) I posted a report to comp.os.msdos.misc earlier regarding MS DOS 6.2 failed to read a diskette infected by Michelangelo virus. I did not encounter other virus after that. I wonder if the version of DOS will read a diskette infect with other viruses. Can anyone share his/her experience of virus infection from diskette on DOS 6.2 please? If indeed MS DOS 6.2 can never a diskette with boot record damaged/altered by any virus, then is it immune to viruses (of course I'm referring to boot sector resident viruses)? - -- + Paul W. Shew .&______~*@*~______&. m Dept. of Computer and Info. Sc. "w/%%%%%%%%%%%%%%%%%%%\w" mmm*** National Chiao Tung University `Y""Y""Y"""""Y""Y""Y' mm***** 1001 Ta Hsueh Road, Hsinchu, p-p_|__|__|_____|__|__|_q-q mm**Y** Taiwan 300, R.O.C. _-[EEEEM==M==MM===MM==M==MEEEE]-_.|..|.... Email: p.shew@ieee.org ------------------------------ Date: Sat, 02 Apr 94 07:46:44 -0500 From: kbruce@oasys.dt.navy.mil (Ken Bruce) Subject: have I been hit with a virus (PC) Greetings all, I am in the process of correcting a catastrophe on one of my clients PCs. The client's files from his old computer was transferred to the lan file serv from his old pc and then to his new pc. During the process one of the cords was accidently kicked loose. I was not there so I don't know if it was a power cord or the ethernet cable or what. However, now in one subdirectory, there are literally hundreds of levels of subdirectories and no files. Using Nortons Diskedit, I see sectors that are marked as directories with file dates that are in the future and in the past before computers. I will fdisk and format the drive as the client has his data backed up. I have ran Scan version 111 and have not detected any virus. Any suggestions? Ken Bruce |-----------------------------------------------------------------------------| | kbruce@oasys.dt.navy.mil | Opinions expressed herein are mine alone. | |-----------------------------------------------------------------------------| ------------------------------ Date: Sun, 03 Apr 94 16:10:10 -0400 From: kapoor@vtaix.cc.vt.edu (Rajat Kapoor) Subject: Form Virus: "Deform.exe" available... (PC) I remember downloading a file called deform.exe that can detect/remove Form virus. It also included a c source file that could be compiled. Didn't get a chance to use it because Norton AV took care of it when a floppy disk was found infected. Any ideas? Rajat ------------------------------ Date: Sat, 02 Apr 94 04:22:21 -0500 From: frisk@complex.is (Fridrik Skulason) Subject: Re: DOS 6.X Anti-Virus (PC) FTH@PSUVM.PSU.EDU (Fred Houlihan) writes: >system became infected. He called Norton and after describing the >symptoms they determined it was the v-sign (sp?) virus and they had >just added it to their signature file on Jan 14. I assume you mean Jan 14th. 1993, right ? After all - V-sign was included in many anti-virus programs back in '92. - -frisk Fridrik Skulason Frisk Software International phone: +354-1-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274 ------------------------------ Date: Sat, 02 Apr 94 23:10:28 -0500 From: Brandon Paul Lai Subject: Monkey/Telecom Virus (PC) I have a Monkey/Telecom virus on my PC computer. I can't seem to get rid of it. I've tried formatting the entire hard drive. I've also used Fprot, CPAV, NAV and various other software. The virus does not go away!! I think it may have destroyed the MASTER BOOT RECORD. Also, I have to boot the drive with a floppy, and the drive only works if the bootable floppy has the virus. If the bootable floppy does not have the virus, the hard drive does not get recognized. My next idea would be a low level format. I don't know how to do this, or if it would work. ....Any ideas??..... - --Brandon ------------------------------ Date: Mon, 04 Apr 94 13:50:04 -0400 From: gary@sci34hub.sci.com (Gary Heston) Subject: Re: MS-DOS 6.x Anti-Virus (PC) RichardE@keeper.demon.co.uk (Richard Ellison) writes: > slbray@deakin.edu.au "Sharyn Bray" writes: >> I was wondering whether anyone could offer >> an opinion, comment, thought etc. regarding the effectiveness of the >> Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS, >> version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ? >I would recommend that you do not use the so AV soft supplied with MS-DOS >as it is not the best around (I am being diplomatic here). Here, let me tell you a little story.... There is a company, which I'm not allowed to identify (but they're located in Huntsville, Alabama) which builds personal computers for two customers (at the moment; firm commitments from two more, I understand) whom I'm not allowd to name (although one was misidentified on the CBS Morning News today). This company builds between 800 and 1200 PCs *per day*. Every one of those systems has a version of MSDOS 6.x installed. (Yes, the company is very pleased with the performance of the department doing this. And work is under way on two more manufacturing lines. :-) ) Every one of those systems is scanned two or three times during the manufacturing process for viruses, to be *very* sure that no infected systems are shipped. This company uses F-Prot under a service license. 'Nuff said? >I suggest that you use something like F-PROT which is a very good and fast >virus scanner (It is also shareware) or if you would like to buy then >Thunderbyte Anti-virus is a very good choice. I've not heard Frisk say he'd turn down money from an individual; however, there is also a "Professional" version of F-Prot available, which does a little more, and does cost money. - -- Gary Heston SCI Systems, Inc. gary@sci.com site admin The Chairman of the Board and the CFO speak for SCI. I'm neither. "Quit while you're ahead. All the best gamblers do." Baltasar Gracian ------------------------------ Date: Mon, 04 Apr 94 18:57:37 -0400 From: David Mitchell Subject: Need info on Coffee Shop / April Fools (PC) My mother's company had a virus infection go off last Friday, April 1. She called me asking if I had any info, so I thought I'd come here. It's a PC virus, and she was under the impression that it went by the name 'Coffee Shop'. If anyone has any info on this, please let me know. I do know that it struck last Friday, but I don't know if it was keyed for April Fool's Day, or Good Friday. Please e-mail, as I don't normally read this group. Yes, I checked for the FAQ, but it seems to have expired at my site. Thanks in advance. - -David Mitchell mitchell@ncsa.uiuc.edu ------------------------------ Date: Tue, 05 Apr 94 10:55:07 -0400 From: guest06@mtholyoke.edu (Thom Odell) Subject: MUSH.COM? (PC) Hello- I am wondering if an audio program called mush.com and it's associated file mushroom.ovl is som sort of virus? I aquired a Grid 286 laptop recently with these files in c:\util along side Norton Commander files. when executed, it "sings" an unintelligible song using PC speaker, which on this laptop is a piezio transducer so I cannot understand what it "says". Naturally I am unwilling to put it on my desktop to find out... Any helpful response here or direct email is as always, appreciated Thom guest06@mhc.mtholyoke.edu ------------------------------ Date: Tue, 05 Apr 94 11:20:24 -0400 From: bobmacd@netcom.com (Bob MacDowell) Subject: Re: MSAV signature files via FTP? (PC) YALUSA JONGIHLATI (mm94jony@sirius.ru.ac.za) wrote: : Could someone please tell me if the MSAV signature file for Viruses can be : downloaded via FTP and if so, could you please E-Mail it to me. Actually, could someone please tell the Net? - -Bob, forgive me if this is a FAQ. ------------------------------ Date: Wed, 06 Apr 94 00:38:29 -0400 From: "Jeffrey Rice - Pomona College, California." Subject: Form.A (PC) I'm looking for information about this virus. I know it's a boot infector, but am unsure of its length. Some sources (McAfee) say 512bytes, some (Vsum) seem to say 3072. How long is it? And what parts of the MBR does it infect? Does it affect the FAT or anyother parts? I am refering to floppy disks, not hard disks, if that makes a difference. Jeff Rice Pomona College ------------------------------ Date: Wed, 06 Apr 94 03:02:27 -0400 From: Mike Bogdan Subject: No PC viruses on 3.5" disks? (PC) Hi, I was wondering if someone could explain here how PC viruses work. Can PC viruses be transmitted via network? Can they be carried on a 3.5" disk? I was told that PC viruses can only be tranferred via 5.25" disks and I shouldn't worry about it too much. Thanks for the help. Or point me towards a FAQ please. ------------------------------ Date: Wed, 06 Apr 94 19:39:29 -0400 From: callicot@UTKVX.UTCC.UTK.EDU (Lynda Callicotte) Subject: winword 6.0a (PC) McAfee scan periodically reports that my copy of winword.exe from version 6.0a has been changed. Validate reports the same date and file size as the copy on another computer (1-28-94, 3,483,136). The checksums differ, however. Every computer on which winword is running at our site has a winword.exe with different checksums. Could this be a virus? There have been no problems with other files and none of the computers has been behaving oddly. - ------------------------------------------------------------------------ My employers, the greys and the reptillians agree with everything I post. That is because they use undetectable brain implants to control all my thoughts. They have also impregnated me with Elvis' baby, which they will use to start a new religion and take over the world. -Lynda Callicotte -Callicot@utkvx.utk.edu - ----------------------------------------------------------------------- ------------------------------ Date: Wed, 30 Mar 94 12:11:00 +0200 From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) Subject: V-CARE (PC) GOL AMIR writes in reply to Amir Netiv: > Wasn't it you who told me, about a year ago, that the reason > InVircible has got no TSR module is that those TSRs can sometimes > be as dangerous as a virus? You had some frightening tales about > lost partitions and damaged files ... No it probably wasen't, because V-CARE has a TSR for 3 years now. True however that some AV-TSRs are dangorouse because of the methods they use, and even more true is the fact that several AV-TSRs working togather might be harmfull! Could it be that you are mixing me with someone else? > The original posting was clear: the files in question had been > "immunized" by CPAV before InVircible was installed, while your > answer refers to "immunization" done after InVircible was installed. What I meant was that Invircible tries to remove CPAV's immunization and the user does not always expect that (as was understood from the original postage). Therefore InVircible might be harmfull to you if you are not an "expert". > I called you with a similar problem a few months ago. Again, are you sure it was me? Are you using InVircible or V-CARE (which are totlly different products) ? > Comments and corrections will be appreciated. And answered... Several weeks later...: >> Wasn't it you who told me, about a year ago [...] > No it wasn't! I was wrong. It was Zvi Netiv who told me that, not Amir Netiv. > Of course, Amir is not responsible for what Zvi is saying, and vice versa. > Sorry for the confusion - It only goes to prove that nobody's perfect, not > even me ;-). So, I wasn't wrong ;-) > As for the "5 missing bytes", Zvi Netiv had assured me that > it wasn't a bug. He has a point, but I'm still a bit doubtful ... I would be too if I were you... ;-( > And again, sorry for the confusion, No harm taken. Warmly * Amir Netiv. V-CARE Anti Virus, head team * - --- * Origin: <<< NSE Software >>> Israel (9:9721/120) ------------------------------ Date: Tue, 05 Apr 94 19:57:49 -0400 From: aryeh@mcafee.com (McAfee Associates) Subject: McAfee NETShield v1.60 - Antivirus NLM for NetWare 3.x/4.x (PC) I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors): pub/msdos/antivirus/ 3nsh160.zip NETShield v1.60 antivirus NLM for NetWare 3.x 4nsh160.zip NETShield v1.60 antivirus NLM for NetWare 4.x NETShield is a NetWare Loadable Module providing virus protection for Novell NetWare file servers. Two NETShield NLM's are available, one for servers running NetWare v3.11, 3.12, and SFT-III v3.11, and for servers running NetWare v4.01, and NetWare for OS/2 v4.01. NETShield is Tested and Approved by Novell, Inc. New features added in Version 1.6 of NETSHIELD include: o NETSHIELD now broadcasts virus incident messages to all users on the 'Users to notify' list if a virus is found on the last volume during Immediate and Periodic Scanning. o You may now select a list of files to be skipped during On-Access Scanning. This list may be created by selecting "Configuration options -> What to Scan -> Files not to scan on access" from the Main Menu. Fixes and performance enhancements added in this release include: o NETSHIELD no longer attempts to access or checksum the Novell bindery files. This eliminates the problem reported by some users of bindery files being moved during On-Access Scanning. o NETSHIELD no longer generates a 'NetWare detected a Thread going to sleep when it was not allowed.' Abend on NetWare v4.01 servers. o Shrank the memory utilization some on most platforms. o CPU utilization during checksumming has been greatly reduced. [For a complete list, please refer to HISTORY.TXT in the NETShield ZIP files] VALIDATE VALUES NETSHIELD V1.6 for 3.x (NETSHLD.NLM)S:138,028 D:03-29-94 M1: 048D M2: 0F32 NETSHIELD V1.6 for 4.x (NETSHLD.NLM)S:132,820 D:03-29-94 M1: E76C M2: 00C6 NETSHIELD VIR.DAT V113 (VIR.DAT) S:71,441 D:03-14-94 M1: FF42 M2: 1818 Regards, Aryeh Goretsky Technical Support - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM 2710 Walsh Ave, Suite 200| FAX (408) 970-9727 | IP# 192.187.128.1 Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95051-0963 USA | USR HST Courier DS | America Online: McAfee ------------------------------ Date: Tue, 05 Apr 94 19:59:47 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: dsii242.zip - BIOS-level anti-virus with access control (PC) I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors): pub/msdos/antivirus/ dsii242.zip BIOS-level anti-virus with access control DiskSecure v2.42 is Padgett Peterson's BIOS level anti-virus program for all IBM PCs from 8088 through 32 bit with hard disk(s). DSII needs only 304 bytes of low RAM. DSII also provides basic password protection and may be used on Novell servers. DSII provides protection from all master boot record and DOS boot record infections with automatic redundant recovery. Changes: This is a minor bug fix from version 2.4 affecting the installation process only. dsii242.zip has replaced diskse24.zip. FreeWare. Uploaded by the author. Warmly, Padgett - - - A. Padgett Peterson, P.E. Information Security padgett@tccslr.dnet.mmc.com ------------------------------ Date: Wed, 06 Apr 94 14:51:06 -0400 From: HAYES@urvax.urich.edu Subject: A. Padgett Peterson's program update (PC) Hello. Announcing an update of A. Padgett Peterson's DISKSECURE. It is now available from us as DS242.ZIP. - ---------- Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. There is a AAAAREAD.ME (case is _not_ significant), ASCII, with short description for the files in this directory. Best, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Tue, 05 Apr 94 22:02:00 -0400 From: Sara Gordon Subject: Conference: IFIP SEC '94, 23-27 May 1994 The Tenth International Conference on Information Security - IFIP SEC'94 Organized by Technical Committee 11 of the International Federation for Information Processing, IFIP/TC 11 - in cooperation with the Special Interest Group on Information Security of the Dutch Computer Society - and hosted by the Caribbean Computer Society. I F I P S E C ' 9 4 M A Y 2 3 - 2 7 , 1 9 9 4 I T C P I S C A D E R A B A Y C U R A C A O D U T C H C A R I B B E A N I N T E R N A T I O N A L P R O G R A M * * * ** Five days, multiple parallel tracks, over sixty refereed unique presentations,ially invited speakers, dedicated tutorials workshops, working group sessions, lively panel discussions, and much, much more...... * * * Dynamic Views on Information Security in Progress ***ABOUT IFIP'S TECHNICAL COMMITTEE 11 The International Federation for Information Processing was established in 1960 under sponsorship of UNESCO. In 1984 the Technical Committee for Security and Protection in Information Processing Systems, Technical Committee 11, came into existence. Its aim is to increase the reliabil- ity and general confidence in information processing, as well as to act as a forum for security managers and others professionally active in the field of information processing security. Its scope encompasses the establishment of a frame of reference for security common to organiza- tions, professionals and the public; and the promotion of security and protection as essential parts of information processing systems. Eight working groups: Information Security Management, Small Systems Security, Database Security, Network Security, Systems Integrity and Control, Security Legislation, Information Security Education and IT Related Crime Investigations, all chaired by seasoned international experts, cover a major part of the actual TC 11 workload. ---------------------- - -------------------------------------------- ***ABOUT THE TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE This event is the Tenth in a series of conferences on information secu- rity. Something to celebrate. The organizers have compiled a truly exceptional, unique, and especially upgraded conference in a setting suitable for celebrating its Tenth birthday. Over 75 sessions will cover just about all aspects of information security, on a senior and advanced level. The formal language of SEC'94 is English. The proceedings are published by Elsevier North Holland in its acclaimed series. There are evidently some astounding surprises within SEC'94. As key note's SEC'94 will feature major players. Ten invited speakers, doubt- less seasoned seniors in their field, will contribute with their vision of the future. Ranging from the legislative aspects of data privacy, to the international impact of the Clipper chip, and the dimensions of new cryptographic standards and applications. Global policy making and breaking in respect of the international harmonization efforts of infor- mation technology security evaluation criteria, and other most enticing issues are advocated during the various invited lectures. Within the framework of this conference a series of special lectures are built in, dedicated to one most important aspect. SEC'94 includes a UNIX system security workshop and a cryptology tutorial. Special sessions are devoted to information security in developing nations, and information security in the banking and financial industry. Two major full day mini conferences "IT Security Evaluation Criteria" and "Open Systems Network Security" are included in the program as well. SEC'94 offers a panel discussion of the editors of Elseviers Journal Computers and Security, IFIP TC 11's formal journal. ***ABOUT YOU Each of the past ten years you have shown IFIP and TC 11 in particular, your commitment to information security by attending the IFIP SEC conferences. The visitors and delegates to IFIP SEC are a broad audi- ence, from everywhere: The Pacific Rim, Europe, Africa, the North and Latin America's and the Far East. The level of authority/positions is as usual: within practical, management, legal and technical level, the delegate to IFIP SEC is considered the top grade. Anyone - directly and indirectly - involved and/or interested in information security, wher- ever she/or he may live, is IFIP SEC's audience. You certainly may not miss SEC'94! ***SOMETHING EXTRA The organizers wanted to do something extra for this Tenth event. Besides compiling a unique conference program, its length was extended to FIVE days, extra tracks are added, the delegate admission is reduced, special student admission rate are available, Worldwide rebated air- travel and discounted hotel accommodation can be obtained, and those not yet being a member of the World's largest and most influencial computer society are being offered a free of charge membership for 1994! And that's not all! Yet, some surprises are saved for the event itself. IFIP TC 11's SEC'94 welcomes you to Curacao, BONBINI ! A W A R D S Technical Committee 11 of IFIP presents during its 10th event two pres- tigeous awards. The Kristian Beckman Award and the Best Paper Award. The Kristian Beckman Award has been established by IFIP TC 11 to com- memorate the first chairman of the committee, Kristian Beckman from Sweden, who was also responsible for promoting its founding in 1983/84. This award is granted annually to a successful nominee and is presented at the annual IFIP Security Conference. The objective of the award is to publicly recognize an individual - not a group or organization - who has significantly contributed to the development of information security, especially achievements with an international perspective. To celebrate the tenth annual conference the organizers have decided also to present a Best Paper Award. The award will be presented to the individual with the most significant paper at SEC'94. The audience itself will be selecting this presentation/individual. ------------------------------------------------------------------ P R O G R A M ***INVITED PRESENTATIONS*** Computer based cryptanalysis: man versus machine approach by Dr. N. Balasubramanian, former director of the Joint Cipher Bureau/ Crypto- graphic Services of the Department of Defense of the Government of India. Establishing a CERT: Computer Emergency Response Team by Kenneth A. van Wyk, manager Assist team, Defense Information Security Agency of the Department of Defense, United States Privacy aspects of data travelling along the new 'highway' by Wayne Mad- sen, scientist Computer Science Corp., United States Issues in designing and implementing a practical enterprise security architecture by Ross Paul, manager information security, the Worldbank, United States (key note's and other invited speakers to be announced by special bulletin) IFIP TC 11 position paper in discussion: Security Evaluation Criteria by H. Schoone, Netherlands Special TC 11 Working group sessions: 11.8 Computer Security Education, chair: Em. Prof. Dr. Harold Highland 11.1 IT Security Management, chair: Prof. S.H. von Solms (S. Africa) 11.5 System Integrity and Control, chair: William List (UK) Special Appearance: Information Warfare: waging and winning conflict in cyberspace by Winn Schwartau (US) Panel discussion: Panel discussion of the editors of Elseviers Journal Computers and Security chaired by John Meyer, Elsevier (UK), editor Extended UNIX tutorial: Unix meets Novell Netware by Kevin H. Brady, Unix Systems Lab. (US) Extended virus tutorial: Technologically enabled crime:shifting para- digms for the year 2000 by Sara Gordon (US) Viruses: What can we really do ? by Prof. Henry Wolfe (New Zealand) Future trends in virus writing by Vesselin V. Bontchev (Bulgaria/Germany) Viral Tidings by A. Padgett Peterson (US) Integrity checking for anti viral purposes by Yisrael Radai (Israel) Special appearance: *title to be announced* Prof. Eugene Spafford (US) ***REFEREED PRESENTATIONS*** Operations Security: the real solution to the problem - A. Don Temple (US) Security in virtual reality: virtual security - Amund Hunstad (Sweden) Prohibiting the exchange attack calls for hardware signature - Prof. Reinhard Posch/Wolfgang Mayerwieser (Austria) Towards secure open systems - Dr. Paul Overbeek (Netherlands) A security officer's workbench - Prof. Dennis Longley/Lam For Kwok (Aus- tralia/ Hong Kong) An introduction to Citadel: a secure crypto co-processor for worksta- tions - Dr. Elaine Palmer (US) On the calculation and its proof data for PI 10-9th - Shengli Cheng et al (P.R. of China) Securenet: a network oriented intelligent intrusion prevention and detection system - Ass. Prof. Dimitris Gritzalis et al (Greece) A methodology for the design of security plans - Drs. Fred de Koning (Netherlands) An open architecture for security functions in workstations - Stefan Santesson (Sweden) Security systems based on exponentiation primitives, TESS - Prof. Thomas Beth (Germany) The structure and functioning of the COST privacy enhanced mail system - Prof. Sead Muftic, Nada Kapidzic, Alan Davidson (Sweden) The need for a new approach to information security - Dr. Jean Hitchings (UK) A Practical database encryption system - Prof. C. Chang/Prof. D. Buehrer (Taiwan, ROC) Security analysis and strategy of computer networks - Jie Feng et al P.R.o. China) Information Security: legal threats and opportunities - Dr. Ian Lloyd (Scotland) Secure communication in LAN's using a hybrid encryption scheme - Prof. Mahmoud El-Hadidi, Dr. Nadia Hegazi, Heba Aslan (Egypt) Secure Network Management - Bruno Studer (Switzerland) Ramex: a prototype expert system for computer security risk analysis and management - Prof. Peter Jarratt, Muninder Kailay (UK) The need for decentralization and privacy in mobile communications net- works - D.I. Frank Stoll (Germany) Is lack of quality software a password to information security problems ? - Dr. Peter Fillery, Nicholas Chantler (Western Australia) Smart: Structured, multi-dimensional approach to risk taking for opera- tional information systems - Ing. Paul van Dam, et al. (Netherlands) IT Audit: the scope, relevance and the impact in developing countries - Dr. K. Subramanian (India) Program structure for secure information flow - Dr. Jingsha He (US) Security, authentication and policy management in open distributed sys- tems - Ralf Hauser, Stefano Zatti (Switzerland/Italy) A cost model for managing information security hazards - Love Ekenberg, Subhash Oberoi, Istvan Orci (Sweden) Corporate computer crime management: a research perspective - Dr. James Backhouse (UK) A high level security policy for health care establishments - Prof. Sokratis Katsikas, Ass. Prof. Dimitris Gritzalis, et al (Greece) Moss: a model for open system security - Prof. S.H. von Solms, Dr. P van Zyl, Dr. M. Olivier (South Africa) The risk-based information system design paradigm - Dr. Sharon Fletcher (US) Evaluation of policies, state of the art and future research direc- tions in database security - Dr. Guenther Pernul, Dr. A.M. Tjoa (Aus- tria) Exploring minimal ban logic proofs of authentication protocols - Anish Maturia, et al (Australia) Security concepts for corporate networks - Prof. Rolf Oppliger, Prof. Dieter Hogrefe (Switzerland) The security process - Jeanette Ohlsson (Sweden) On the security of lucas function - Dr. C.S. Laih (Taiwan RoC) Security considerations of content and context based access controls - Donald Marks, Leonard Binns, Peter Sell, John Campbell (US) Anonymous and verifiable databases: towards a practical solution - Prof. Jennifer Seberry, Dr. Yuliang Zheng, Thomas Hardjono (Australia) A decentralized approach for authorization - Prof. Waltraud Gerhardt, Burkhard Lau (Netherlands) Applying security criteria to a distributed database example - Dr. Marshall Abrams, Michael Joyce (US) A comparison of international information security standards based on documentary micro-analysis - Prof. William Caelli, Em. Prof. John Car- roll (Australia/Canada) Security in EDI between bank and its client - Pauli Vahtera, Heli Salmi (Finland) Secure information exchange in organizations - D.I. Ralph Holbein (Switzerland) A framework for information system security management - Helen James, Patrick Forde (Australia) The security of computer system management - Xia Ling et al (P.R.o.China) Development of security policies - Jon Olnes (Norway) Factors affecting the decision to report occurances of computer abuse - John Palmer (Western Australia) Secure managable remote access for network and mobile users in an open on-line transaction processing environment - Dr. James Clark (Singapore) * * * Session lay-out: Monday May 23: plenary only Tuesday May 24 - Thursday May 26: four parallel tracks Friday May 25: plenary only * * * Registration: Sunday afternoon May 22 at the conference venue Monday morning May 23 at the conference venue * * * Terms and conditions: The conference registration/admission fee amounts US $ 1,295 for regular registrations per individual. However, if you are a member of a national computer society you may be eligible for a discount. Late charges and cancellations: Registration received after May 1, 1994are charged with an extra late charge of 10 %. Substitutions may be made at any time, though please advise us of a change of name. If you find it necessary to cancel the place, please telephone the conference office immediately and ask for a cancellation number. Confirm in writing quoting the cancella- tion number. Provided written notice is received by May 1, 1994, afull refund will be given less a 15 % administration charge. It is regretted that cancellations received after May 1, 1994 are liable for the full registration fee. Payment: the registration fees are immediately due upon registration, and all cheques should be made payable to the High Tech Port Curacao Foundation, accompanying the signed registration form. Alternatively registrations by fax and electronic mail are accepted, provided the payment for the full amount in US dollars is released by wiretransfer in favor of the High Tech Port Curacao Foundation within one week after the registration. Fax and/or email registrations must be completed before May 1, 1994. If payment is not received within stated period the registration is automatically cancelled and voided. Forms not signed or correctly filled in are not valid registrations. Conference registration fees should be paid in US dollars only, to prevent exces- sive exchange charges. It is possible to pay by credit card, however a surcharge of 25 % is levied due to local monetary restrictions and poli- cies. Immediately after registration you will receive a confirmation by fax or email. Included in the conference fee is the admittance to all sessions of all tracks of the conference, the lunches during tuesday, wednesday, thursday and friday, coffee and tea during the intermissions, a welcome cocktail at your hotel, one admission ticket per delegate to the formal conference banquet, and a copy of the handout of the confer- ence proceedings. Registrations made after May 1, 1994 are on space available basis only. If you apply for a discount the registration form and payment must be received before May 1, 1994. All other services ordered are separately billed, payable upon receipt of the respective order confirmation. * * * Curacao is a tourist destination in high demand, we advise you to make your flight and hotel accommodation reservations well in advance !!! * * * FAX THE FORM BELOW TO: IFIP SEC'94 SECRETARIAT +599 9652828 OR AIRMAIL TO: IFIP SEC'94 SECRETARIAT POSTOFFICE BOX 4 0 6 6 WILLEMSTAD - CURACAO NETHERLANDS ANTILLES CARIBBEAN OR EMAIL TO: < TC11@IAIK.TU-GRAZ.AC.AT > ------------------------------cut-here-------------------------------- IFIP TC 11 SEC'94 CONFERENCE REGISTRATION (one form per individual, copy for multiple registrations) Please register the following individual for IFIP SEC'94: Surname: First name: Title: Organization: Job title: Mail address: Post/zip code: Country: Telephone: Telefax: Email: ** If you are a member of a national computer society, use this priority registration by fax or email, and wiretransfer the applicable amount, you are entitled to a rebated admission rate. Instead of US $ 1,295, you pay only US $ 1,165. If you send this by fax to the Conference secretariat, a signature is necessary, here:: I understand and agree to abide by the conditions as set out in the conference brochure, also printed elsewhere in this document. Date: If you send this form by email, a signature is not necessary. In that case the date of receipt of the wiretransfer of the applicable amount is the date of registration. CONFERENCE PAYMENT I will remit by wiretransfer US $ _________ in favor of the High Tech Port Curacao Foundation, bank account number 11.592652.5570.004 with CITco Bank NV, Curacao, Netherlands Antilles, immediately. Wiretransfer reference: IFIP SEC'94 ABA nr. of the CITco Bank (this is not the account number, but the banks' correspondents number): 021004823. US corresponding bank: Republic National Bank, New York. Upon receipt of the applicable amount by the High Tech Port Curacao Foundation I will receive within 24 hours by fax a confirmation and an invoice marked "fees paid". ADDITIONAL I apply for the 1994 free of charge membership of the ACM (valid only if you are not a member, yet) Mark yes > > < I have a special request: (insert your request here) * * * HOTEL INFORMATION The Curacao Caribbean Hotel (tel: +599-9625000 fax: 599-9625846) as well as the Sonesta Hotel (tel: +599-9368800 fax: +599-9627502, in the US call tollfree 1.800.477.4556) are beach front hotels at walking distance of the conference center. Special roomrates start at US $ 112 per single room/night, including tax, services, full breakfast. Roomrates based on double, triple and quad are available. Various other hotels on request. AIR TRANSPORT There are daily non-stop flights from Miami operated by American Air- lines, daily non-stop wide body flights from Amsterdam (Netherlands) operated by KLM, daily non-stop flights from Marquetia Aeropuerto Inter- nacional de Caracas (Venezuela), Santa Fe de Bogota (Colombia), and various Caribbean islands, all operated by regional carriers. Special promotional fares are by KLM, TAP Air Portugal, and American Airlines. Contact your tarvel agency for more information. * * * Curacao is tropical. Year-round an average temp. of 90 F/35 C. A con- stant tradewind makes it very pleasant. You do not need a jacket or coat! Make your flight and hotel reservation as soon as possible !!! * * * Come enjoy Dutch Caribbean hospitality soon ! SEC'94 also encompasses a great after hours social program, typical Caribbean style. ORGANIZING CHAIR: Dr. F. Bertil Fortrie (chairman SEC'94) Leon Strous (vice chairman SEC'94) Corinne Bor LLM (general secretary SEC'94) ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 27] *****************************************