VIRUS-L Digest   Thursday, 25 Aug 1994    Volume 7 : Issue 73

Today's Topics:

A question for Mr Rosenthal
Re: Re| Viruses = Commercial Opportunity?
Re: Virus simulators
Re: virus in jpgs
Re: Info
Re: Re| Viruses = Commercial Opportunity?
Virus Simulators
Re: 386/486 virus protection(UNIX)
Posible new virus variant (PC)
Floppy boot sector replacement (PC)
Re: Re| FamM virus (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
FORM_A (PC)
Trashed Floppies (PC)
Re: Unknown problem (PC)
messages re: Rosenthal Virus Simulator (PC)
XA1 Virus (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Unknown problem (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Help need to get rid of Michelangelo (PC)
Re: changing genP/genB virus (PC)
Flash BIOS infector? (PC)
Info request (PC)
Re: ANSI bombs (PC)
Server-downing virii - Netshield corruption on Novell server (PC)
GenB Virus - Need Help! (PC)
Re: Smeg viruses (PC)
Possible undetectable virus?? (PC)
Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
[HELP] I Don't know if I have a virus in my computer or not.... (PC)
Help on BUPT 9146 Beijing virus (PC)
Re: McAfee Virus Scan (PC)
Re: Virus Source code on CD ROM? (PC)
Re: A new virus? (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
cs-251.zip - CHK-SAFE checks file integrity w/MD5 algorithm (PC)
Virus, Hacking and Computer Underground Conference

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 19 Aug 94 08:24:28 -0400
From: DEL2@phx.cam.ac.uk
Subject: A question for Mr Rosenthal

Dear Mr Rosenthal,

Perhaps you will say that as a contributor to this forum I am already something more than what your documentation calls "general end users, system administrators and educators"; but I assume you would still expect your product to be useful to me (and more importantly, to my customers). But when I finally release my perfect AV package, just *how* will it help us?

1. They download the pd version, and try it out. It completely fails to activate my package, because it contains no viruses. At this point therefore they are likely to throw my package away, and use instead an *inferior* one (inferior in that it occasionally gives false positives). We all lose out.

2. Or perhaps they are sufficiently persuaded by my sales hype that they buy the full version of the Simulator and get some real virus samples. Quite apart from the ethics, what have they discovered that my own software cannot adequately show: that it's properly installed, and that this is what happens if a virus pops up?

I'm not trying to be aggressive, but I just don't understand...

Regards, Douglas de Lacey, Cambridge UK

------------------------------

Date: Fri, 19 Aug 94 08:57:51 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Re| Viruses = Commercial Opportunity?

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>:-). Oh yeah?
Could you please specify what do you mean exactly by
>"just about any"? NAV's misnamed "innoculation" is actually an
>integrity checker, and not very securely implemented, on the top of
>that.

Also...don't forget that although the generic disinfection provided by an integrity checker can be useful when dealing with a brand new virus, it is of no use whatsoever unless the integrity checker has been installed before the virus infects the machine.

-frisk

Fridrik Skulason Frisk Software International phone: +354-1-617273
Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274

------------------------------

Date: Fri, 19 Aug 94 10:02:19 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus simulators

sand@biko.llc.org (David Adams) writes:

>Hi All!
> I was wondering if any of you have an FTP site where we can get
>some virus simulators.. Thanks!

Hope you don't mind some questions...

1) What do you mean by "virus simulators" ? Something that simulates the activation effects of some viruses or something else ?

2) Why do you need this...what is the purpose ?

-frisk

------------------------------

Date: Fri, 19 Aug 94 12:06:33 -0400
From: Wilhelmina Temps
Subject: Re: virus in jpgs

bob kwiatkowski writes:

>Does anyone know of any cases where this has actually happened? Where a
>virus was dormant in a JPEG or any non-executable for that matter ??

I think that question is broader than you intended. 'Non-executable' includes ZIP files. Obviously viruses have been found in ZIP files which have been un-ZIPped and executed. This would also apply to any compressed files (like those extracted by Windows Setup or Install programs) and to something like a 'whatever.xyz' file which you might send to someone and say, 'Rename this to .exe and run it.' These seem like Trojan Horses with viruses contained within them. If you can put a virus into a non-executable file and then somehow get someone to execute it, there you go.
This is of particular concern where the distinction between data and executable program becomes blurred: distributed objects, for example, or intelligent agents. Every technological advance has a potential for abuse.

---
Wilhelmina Temps

------------------------------

Date: Fri, 19 Aug 94 17:14:05 -0400
From: stanr@mdhost.cse.TEK.COM (Stanley E Ridenour)
Subject: Re: Info

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

|> Stanley E Ridenour (stanr@mdhost.cse.TEK.COM) writes:
|>
|> > I would
|> > like to see statistics on the incidence of viral attacks by type and
|> > geographical location, as well as trends on the spread of each type.
|>
|> > Does such a clearinghouse exist?
|>
|> Unfortunately - no. Several organizations and anti-virus researchers
|> are gathering such information for themselves (based on the reports
|> from their customers), but no central clearing house for collecting
|> such information exists. I wish it existed... But there are many
|> problems with this - the different scanners report one and the same
|> virus by different names, do not identify the particular variant
|> exactly, and so on.

I would think that the CARO group would be the best place to start, since they have at least some standards in place. The information gathered may not be 100 percent comprehensive, but it would at least reflect fairly accurately on what is going on in the real world -- at least, if the statistical sample is fairly large. A monthly tally spreadsheet, exported as ascii to the net, where we could pull it into MS Excel (or whatever), would be nice *:).

Of course, I'm just dreamin', just dreamin'.

Stan

--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X Stan Ridenour | stanr@tekgp4.CSE.TEK.COM X
X Tektronix, Inc.
| Beaverton, OR 97077 X
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

------------------------------

Date: Fri, 19 Aug 94 21:05:00 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Re| Viruses = Commercial Opportunity?

Vesselin Bontchev wrote:
>Kevin Marcus (datadec@corsa.ucr.edu) writes:
>
>> I do know, however, that when used properly, for example, the Innoculation
>> feature in NAV 3.0, you can detect just about any virus, and repair it,
>> as well.
>
>:-). Oh yeah? Could you please specify what do you mean exactly by
>"just about any"? NAV's misnamed "innoculation" is actually an
>integrity checker, and not very securely implemented, on the top of
>that. Also, could you please list the infection methods that the
>generic repair is able to repair - then I'll list you several more
>that it isn't able to repair...

I am referring to an extremely high percentage of detection with it, probably between 95 and 100% if the scan was done from a clean disk with the virus not in memory. Repair is not quite as high with *INNOCULATION*. I would put it probably around 80%.

The infection methods which NAV's innoc will take care of include the generic appender for both .COM and .EXE's, any boot or MBR infector, as well as prependers. This is 80 or more % of known viruses.

While it is true that it won't take care of, say, an improved overwriter, or an overwriter, or maybe ten or fifteen other methods, these methods are not used by very many viruses. So while you might be able to mention many methods that it can't perform *repair* on, (even though you'd advocate that it is better for restoration from backups and you shouldn't use repair at all, right?), there are currently few viruses doing it, so it is not as big a concern.

And, so you know, I'm getting my figures from viruses that I have seen. Why don't you tell me how accurate they are.
Have you done any tests there at The Virus Test Center on NAV's innoculation techniques to see how many viruses it can detect and remove accurately?

I don't know why you are not happy with the term Innoculation. If you'd prefer, I'll use "Virus Sensor Technology", like it says on the box. Besides, using Vesselogic, you end up seeing that you can't give a name to a concept, for example, the absurdity that Calculus is just a misnamed math class occurs, which isn't wholly true. A Pentium isn't a misnamed CPU (though it isn't a "concept").

Let's, for the sake of the matter, say that NAV's Innoculation is not secure. Would you please tell me how many viruses you have seen take advantage of this with *NAV* and no other product? How about with NAV and some other product? What would you suggest should be done to make it more secure?

--
--> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu datadec@wintermute.ucr.edu

------------------------------

Date: Sun, 21 Aug 94 10:30:25 -0400
From: Iolo Davidson
Subject: Virus Simulators

sand@biko.llc.org "David Adams" writes:

> I was wondering if any of you have an FTP site where we can get
> some virus simulators.. Thanks!

When you find one, keep in mind that simulators are useless for testing anti-virus software, or anything else, and that at least one so-called simulator contains real viruses.

--
SAID FARMER BROWN     WISH I COULD
WHO'S BALD            ROTATE THE CROP
ON TOP                Burma Shave

------------------------------

Date: Fri, 19 Aug 94 17:33:45 +0000
From: gkb@aber.ac.uk (GARY K BARNES)
Subject: Re: 386/486 virus protection(UNIX)

Jon Freivald wrote:
>As for DOS Boot Sector viruses - any good DOS anti-virus that will run
>from a floppy ought to do you just fine. Then again, as long as you
>never put a DOS floppy in your drive, you don't have a concern from
           ^^^^^^^^^^^^
>there either...
Shouldn't that be _any_ low-level formatted floppy, regardless of file-system, that has _ever_ been used in _any_ DOS machine? I'm pretty sure that some boot-sector viruses aren't gonna be too fussed that your floppy has, say, a minix filesystem on it...

Gaz

--
 /\./\    gkb@aber.ac.uk (Gary "Wolf" Barnes), Computer Officer,
( - - )   Computer Unit, University of Wales, Aberystwyth.
 \ " /    GCE e++ C++++$ ULUOS++++$ d-- w+++ v- L++ n---- p?+
  ~~~     W--- M--- Y+++ t--- 5--- rd+++ b+++ u--- h++ r++ y++

------------------------------

Date: Fri, 19 Aug 94 08:39:29 -0400
From: stark@iastate.edu (Brian D Stark)
Subject: Posible new virus variant (PC)

I've recently come across what appears to be a new virus variant. I run MSDOS 6.2 and have 2 harddrives (C: & D:).

Symptoms:

-When I boot from a disk, C: is no longer detectable, and drive D: becomes C: .

-Several .exe files now produce the error:
    Error in EXE file
Just a few of the exe files have been messed with, especially the virus scanning programs I have. Such as CPAV.EXE, SCAN.EXE, NAV.EXE, TBAV.EXE & MSAV.EXE . What really makes it interesting is that if you rename these files they will run perfectly, not producing the error message. Even if you don't have any of the above programs installed, if you type in CPAV, it will return the common "Bad command or file name" , but it does not give a blank line after this message. Whereas if you type "DDDD" , you will get the normal blank line after the error message.

-Has taken .EXE files and left both .EXE file and the same file without the extension, and marked it as a system file. For example:
    ULTRINIT.      18384 02/15/94 05:26 AS
    ULTRINIT.EXE   18384 02/15/94 05:26 A

-My CMOS has been erased 5 times in 2 days. This of course may have been a hardware problem, but I don't believe it to be so.

I booted up without a config.sys and autoexec.bat file, but the virus was still active, leading me to believe that the boot sector is involved.
____________________________________________________________________________

Results of virus scanning.

I ran it from a copy protected disk that was booted from and not booted from. Heuristic scanning was always run if the software provided it and at its highest level.

-AntiViral ToolKit Pro 2.00d
When it first loaded it immediately warned me of the following message:
    Interrupts :trace warnings at 0BCA:2CEC FFFF:FB75
I can get rid of these messages by not loading 2 of .EXE files that the virus supposedly changed. One of those files is the above mentioned ULTRINIT.EXE file. It also reported finding the LoveChild.488 virus, but since it was set to high heuristics I believe this to be a false alarm. My system is not experiencing any common characteristics of the LoveChild.488 virus. After doing an intense scan, it went on to report 2 I/O errors which I am guessing were the 2 trace warnings.

-Central Point Anti Virus 2.1
Ran from just harddrive. Nothing

-F-Protocal 2.13a
When run from a bootup disk, it scans 2 MBR's, but only 1 DOS boot sector. It scanned drive D: which is then C: and discovered nothing when run from a bootup disk. It discovered nothing when run from just a disk.

-Integrity Master 2.21b
Detected nothing unusual.

-Microsoft Antivirus
Ran from just harddrive. Nothing

-Norton AntiVirus 2.1
Ran from just harddrive. Nothing

-McAfee's VIRUSCAN 9.30 V117
When run from a bootup disk it would load and then give the error message: "Sorry, I cannot read the boot sector of disk C:" . Then SCAN exited back to DOS without scanning any files. When run from just a copy protected disk the system crashed and I had to reboot (the disk was not the bootup disk).

-McAfee's VirusScan 2.1.0
When run from a bootup disk it would load and then give the error message: "Cannot read the boot sector of disk C:" . At no time did it discover anything else.

-ThunderByte Antivirus 6.22
Ran from just harddrive. Detected itself as having the virus.
Was installed in two different directories. This was the only AVS that the virus appeared to actually change. Unknown virus. After unzipping and running the program it appears to be virus free, then if you drop to dos and start it back up again, it is infected. Also located several .EXE files that were thought to be infected. The one thing all the files had in common was the "Undocumented interrupt/DOS call," this included TBAV.EXE .

---------------------------------------------------------------------------

Final comments

It's difficult to say which file originally carried the virus, so it's difficult to clean up the system. I have my CMOS system setup, partition table, and boot sector saved, but I'm hesitant to do anything because I'm afraid I may do more harm than good. Restoring my old boot sector, etc. will still leave this nasty thing somewhere on my system. As far as I can tell the virus has not caused any physical damage, other than changing TBAV.EXE and doubling several .EXE files with a . version.

I went into such detail, because I'm hoping that someone out there is experiencing the same problem. I'd be happy to upload files for testing, but the only problem is that I can only guess at which files are infected, because no one AVS will positively ID a file as containing a virus having similar side effects that my system is experiencing. Of course the files that it has infected, (For example when it changed the .EXE file to . and marked it a system file), may be of some help. I desperately watch the AVS sites in hope of their next future upgrade.

Any suggestions or advice of what is happening, what to do about it, or just plain any old comment is greatly appreciated. Posted or E-mailed replies are fine and much appreciated.

--
Brian D Stark
stark@iastate.edu

------------------------------

Date: Fri, 19 Aug 94 08:41:31 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E.
Information Security)
Subject: Floppy boot sector replacement (PC)

From: jmccarty@spd.dsccc.com (Mike McCarty)

>We agree again. It should not be hard to write a utility which would
>read the boot sector off any cleanly formatted disc, fix up the BPB part
>of it and write it to the disc to be "disinfected". Maybe I'll do it.
>But not now, I'm working 14 hours per day as it is. Anyone else want to
>pick up the gauntlet? It would be a good thing!

I did that three years ago. It is FreeWare and it is called FixFBR (Fix Floppy Boot Record) & is one of the FixUtils. It also performs heuristic tests that will detect most (think 600 out of 624) BSIs - Doesn't really matter since the replacement BSI removes & detects all & warns you if you try to boot from it.

Unfortunately there is a minor conflict between v2.0 and MS-DOS 5-6 (really dumb one IMNSHO - thanks Mr.Bill) so the one to use is v2.1 (will post on Urich).

There *may* be a FixUtil7 but am head down in TCP/IP at the moment & these benefit neither my family or my cars so have a low priority).

Warmly, Padgett

------------------------------

Date: Fri, 19 Aug 94 09:01:39 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Re| FamM virus (PC)

datadec@corsa.ucr.edu (Kevin Marcus) writes:

>remove it much more reliably than any of the others mentioned above, if
>it is installed correctly. (NAV 3.0's innoculation technology does this)

*ANY* integrity checker that offers generic removal can do it ... Untouchable, and F-CHECK (from F-PROT Pro) are two examples.

However, for this to be effective, the integrity checker has to be running before the virus, which is not the case here, so the reply does not help the user a bit.

A better suggestion would have been to try several other scanners and check what they say.
-frisk

------------------------------

Date: Fri, 19 Aug 94 09:24:50 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

jmccarty@spd.dsccc.com (Mike McCarty) writes:

>Um, that's not true. The famous Internet Virus resulted in a Felony
>conviction. Have you forgotten?

No....but that was not a virus...it was a worm.

-frisk

------------------------------

Date: Fri, 19 Aug 94 10:27:40 -0400
From: bosmith@umich.edu (Bob Smith)
Subject: FORM_A (PC)

I have a DOS 486 machine that is reporting FORM_A virus from McAfee's scan 2.0.1e program. I have searched mcafee.com, oak archives and cert.org for methods or programs to remove this virus but have not found anything. Can somebody offer some suggestions on how to dispose of this virus or point me to some useful info?

==========================================================================
Bob Smith          | Univ of Michigan
bosmith@umich.edu  | Hospital Financial Services
                   | Ann Arbor, MI
==========================================================================

------------------------------

Date: Fri, 19 Aug 94 10:45:04 -0400
From: Robert Morton <73362.1207@CompuServe.COM>
Subject: Trashed Floppies (PC)

Vesselin,

In a note to Kirk Lipscomb you trash CPAV for not removing the FORM virus properly. Now I am not saying that CPAV is great, but I have had two other virus programs trash floppies when they try to remove viruses, and by that standard we should trash them all.

You may need to ask the circumstances in Kirk's case. In mine I work in a college computer lab, and the virus was just a simple stoned variant. But it was on a floppy that had been formatted with PC-DOS 3.2 (yes, the IBM version), and here in the lab we are using MSDOS 6.2. I have had virus checkers lock up on me trying to read/clean those disks, and when they do clean them it very often will trash the floppy.
In one case it, the student took the trashed floppy to show his teacher so he could get more time, and it read on another machine just fine.

I can give you more details if you like, I even did a disk copy of the disk and sent it to Mcafee and they analyzed it thinking it may have been a new variant, but they said it was not.

Bob

Robert Morton        Tulsa Junior College
Paraprofessional     73362.1207@Compuserve.Com
Microcomputer Lab    rmorton@tulsajc.tulsa.cc.ok.us

------------------------------

Date: Fri, 19 Aug 94 11:00:57 -0400
From: Otto Stolz
Subject: Re: Unknown problem (PC)

On Wed, 17 Aug 94 14:06:38 -0400 Eric Robichaud said:
> One of my clients has two standalone IBM PC. He often copies files from
> one computer to the other one. Our technician [...] couldn't find any
> viruses. He also checked out the hardware and found nothing.

So, what's the problem?

Regards, Otto Stolz

------------------------------

Date: Fri, 19 Aug 94 11:12:29 -0400
From: "A.APPLEYARD"
Subject: messages re: Rosenthal Virus Simulator (PC)

jmccarty@spd.dsccc.com (Mike McCarty) wrote on Thu 18 Aug 94 00:48:12 -0400 (Subject: Re: Rosenthal Virus Simulator (PC)):-

> ... The -fact- is that viruses are -dangerous-. Whether Doren has succeeded in taming one so that it is -controllable- (I do not say benign, nor do I say "good") I do not know. ...

For some time now, up to six Virus-L messages per issue have been coming out with `Rosenthal Virus Simulator' in their Subject: lines. Of these, some are indeed about the Rosenthal Virus Simulator. OK. But many of them are about no such thing but about the ethics of virus writing etc. And one is about neither of those two subjects but is solely replying to a flame about antivirals. And one is about MtE. This persistent lack of match of Subject: line and contents causes great nuisance to me as indexer, and to people using the index.

OK, so the subject of this line of messages has shifted. That happens.
But when continuing a line of messages replying to other messages, by using your emailer's `reply' instruction, change the Subject: line if necessary so that it describes what your message is about.

------------------------------

Date: Fri, 19 Aug 94 11:41:39 -0400
From: dmill05@aol.com (DMILL05)
Subject: XA1 Virus (PC)

I recently found an XA1 virus on a laptop at work. It was attached to a windows swap file 386spart.par. Does anyone have any information on what this virus does and what damage it causes?

------------------------------

Date: Fri, 19 Aug 94 13:27:49 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

as194@cleveland.Freenet.Edu (Doren Rosenthal) writes:

>Virus Simulator serves the function I designed it to do and
>performs as described in the documentation.

It does...? Well, let's look at the documentation, shall we ...

> These Virus Simulator programs generate safe and sterile, controlled
> test suites of sample virus programs.

They do not. With the exception of the programs created with the MtE supplement, the programs are NOT viruses. (in fact, you should add "with the exception of the MtE supplement" to many of my comments below...)

> Virus Simulator's ability to
> harmlessly compile and infect with safe viruses,

Again, they are not viruses, and they do not infect anything.

> is valuable for
> demonstrating and evaluating anti-virus security measures

I have not been able to see how they provide any assistance whatsoever in that respect.

> The infected programs can be used as
> bait for virus detecting programs to gain practical virus protection
> experience.

They can not, because as the programs are not viruses, the results from the virus detection programs are totally misleading.

> These virus simulations set off
> virus detectors for testing and demonstration without the danger
> associated with their malicious virus counterparts.

They do not necessarily set them off.
In fact, some of the best virus detectors on the market do not detect a single one of your non-viruses, and that is exactly how it should be. Virus detectors are supposed to detect viruses, not non-viruses.

> The simulators all produce safe and controlled dummy test virus samples

Again, they are not viruses.

> that enable users to verify that they have installed and are using their
> virus detecting programs correctly,

They do NOT enable the user to verify that.

> additionally affording an
> opportunity for a practice training exercise under safe and controlled
> conditions.

A more accurate wording might be "The simulators all produce safe and controlled programs, that are not viruses, but may cause some virus detection programs to produce false alarms."

> products, on their own systems, without using live ammo. The simulators
> ability to actually test products exhaustively is limited.

very limited...in fact, it is non-existent.

> That's why
> Rosenthal Engineering maintains a very comprehensive collection of real
> sample viruses for testing at our facility.

Yeah, sure...hundreds of viruses, I'm sure...

> Virus Simulator creates a simulated test suite of .COM and .EXE programs
> as well as boot sector and memory resident viruses. These programs
> contain the signatures (only) from real viruses.

"The signatures" is highly misleading, as it implies (incorrectly) as there is a fixed set of search strings. "Random fragments" would be more accurate.

> The programs themselves
> are not really infected with anything,

Finally a true statement.

> but contain carefully selected
> portions of code from their real virus counterparts. Whenever possible,
> these sections of code or virus signatures are selected to trigger
> vigilant virus detectors.

Does that mean that if the scanner producers sent you a list of their search strings, you included them ?

You do not attempt to trigger virus detectors that use more advanced methods than "dumb" search.
Scanners that look at the beginning of files, follow the flow of execution and expect to find certain bytes at certain locations (Dr. Solomon's Anti-Virus Toolkit is an example), will not be fooled at all by your "simulations".

> Since these are really only dummy viruses, not
> all infected program simulations produced by Virus Simulator will
> trigger every virus detecting program.

True. In fact many anti-virus programs are not triggered by any of them, or a very small number. However, this says nothing whatsoever about the ability of the scanner to detect actual viruses.

> In addition to simulating .COM and .EXE infected files, Virus Simulator
> allows the user to experiment with boot sector and memory resident virus
> simulations.

Again "simulations" is the key word. They may trigger some anti-virus programs, in particular the not-so-great ones, that are just unable to see the simulations for what they are....non-viruses.

> Again, signatures (only) from real viruses are used, but
> the boot sector of the floppy disk is actually overwritten with
> executable code (you can verify this by resetting the system with the
> test floppy disk in place).

That does not make them a virus, and there is no real reason why this should trigger anti-virus programs.

> The memory resident virus simulation
> actually puts a suspicious program in memory.

Without a definition of what you consider "suspicious", I cannot comment on this.

> Run VIRSIM at the DOS prompt, and follow the directions displayed. Then
> use your anti-virus program to scan for viruses following the directions
> supplied with that product.

As the results from that would be meaningless, why bother.

> These test suites are only safe and sterile simulations to evaluate your
> security measures.

They are unsuitable for any evaluation.

> A virus detecting program is validated when it
> reports the simulations.

IT IS NOT.

"Detection" of one of the simulated virus only means that the anti-virus program may find the virus in a file under some circumstances, but it does not "validate" anything. For example, a certain anti-virus product used to get a 5% detection rate on a certain polymorphic virus. By a sheer coincidence, that same program got a 100% detection rate of that virus when scanning a certain virus library that was used for comparative purposes, indicating that the product used a small set of search strings for this virus, if those particular search strings had been included in your program at that time, that version of this anti-virus program would have "detected" the virus 100%, but the real detection rate would still have been only 5%....So much for validation....

> Virus detecting programs that fail to find
> these simulations may indeed

indeed, yes...

> discover their real counterparts and
> variations, but should only be trusted after that ability is
> demonstrated.

In other words..."The virus simulator cannot really tell you anything, you have to check out some real test for that purpose". So what is the purpose of it, if it cannot be used to test anti-virus products and does not trigger them ?

> Scanners are the most popular. They check the system for pieces of code
> that form a signature or fingerprint that is unique to each virus.

not necessarily ... you don't really seem to understand how more than a subset of virus scanners work. Have you never heard of hashing-based search, for example ?

> Virus Simulator can help determine which anti-virus programs are best
> for you.

It can not. This statement is completely untrue. If you insist on this, I hope you have a good lawyer (No, I am not going to sue you...I have better things to do with my time, but somebody else might ...
for example if an anti-virus company loses business to an inferior competitor, just because they do not detect your "simulations" but the competition does)

> Viruses are a form of terrorism

And you still feel justified selling a real virus, that any decent assembly language programmer can turn into a harmful virus in a short time ?

> Airports test the effectiveness of their
> security measures in much the same way. An official, disguised as a
> passenger, will attempt to bring a disarmed bomb through

Disarmed bombs can be armed. your virus simulations are either programs that can never be turned into real ones, or [MtE-supplement] are already live.

> generated by these virus simulators are safe and controlled, but form a
> validation test suite that trigger vigilant anti-virus detectors.

"...that may trigger some inaccurate anti-virus programs"

> Virus Simulator makes an infinite number of simulated test viruses by
> varying each one in a different way.

it is not infinite....very high, but finite.

> virus might be discovered in the world at large. Even testing with a
> program infected with a real virus can not assure every combination will
> be examined: Is it a .COM file? .EXE? system? compressed? Is it the same
> for all programs or just large ones? How about files created before or
> after a certain date or time.

Unfortunately, your program does not help answer those questions at all.

> What about a virus that was modified, even
> trivially, offset a few bytes or changed from one message to another.

Then it is just a new virus and should be dealt with as such.

> Now, try that with well into many hundreds of viruses and combinations.

Excuse me, but we have several thousands of viruses, and as far as I can see your program does not seem to be aware of any recent ones.

> sample was taken. That's what Virus Simulator supplies, a large enough
> sample population size to establish statistical significance with some
> reliability.
The word "reliability" strikes me as rather inappropriate, considering everything I have said above.

> A large sample size is especially important when attempting to validate
> polymorphic viruses, as each sample will have a different signature.
> These sophisticated viruses attempt to avoid detection by altering their
> signatures, so it is not uncommon for several copies to escape
> detection. The Virus Simulator MtE Supplement attempts to generate as
> broad a spectrum of test samples as practical.

Again...a true statement. However, I believe that in this case the risk outweighs the benefits.

> Allowing Virus Simulator to fill a single 360 k disk should be more than
> adequate to support reliable testing.

The word "reliable" does not seem to be entirely correct.

> This Software is copyrighted material.

Regarding the comment that so is the MtE, that does not matter - the documentation specifically allows anybody to use it in a virus, but that using it for other purposes is not permitted, so no copyright laws were broken.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Fri, 19 Aug 94 14:48:11 -0400
From: stanr@mdhost.cse.TEK.COM (Stanley E Ridenour)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

frisk@complex.is (Fridrik Skulason) writes:
|> jmccarty@spd.dsccc.com (Mike McCarty) writes:
|>
|> >What's wrong with selling viruses? So long as the person buying knows
|> >what he is getting (no fraud) I see no problem.
|>
|> Well, there is one problem with selling viruses - paying for them encourages
|> development or distribution of more viruses...

You can't get any more correct than that.

|> >Any kid who knows DEBUG can also get a copy of Michelangelo or any
|> >other virus just by looking around a little.
If it were difficult to get
|> >copies of viruses, then nobody would need protection or scanners,
|> >because it would be difficult to get infected.
|>
|> And do you have a problem with that situation ?

Most of us do.

|> >Until everyone knows how to write a virus . . .
|>
|> If *everyone* can, *everyone* will . . .

There are altogether too many *kids* with the attitude that this is just an amusing form of recreation.

|> >What we need is good antiviral products.
|>
|> Unfortunately, one can argue that the increased number of viruses in
|> circulation will lead to worse anti-virus products...I will be presenting
|> a paper on that subject at a conference later this year.

I hope you post it where we can get at it!

|> >We believe in liberty. We believe in freedom of thought. We believe that
|> >individuals have intelligence.
|>
|> From the point of view of many non-Americans, it looks like you people in the
|> US seem to concentrate too much on the "rights", and not enough on the
|> "responsibility"....while most virus-development in the UK is promptly
|> shut down by the police, no similar action has ever been taken in the US.
|>
|> Why ?

Well Frisk, as I have been a member of this society for >50 years, I can say that our courts have spent most of their time seeing to it that consequences never come to bear on those who like to indulge in criminal conduct. They have bought into the notion that criminal behavior is excusable if you are a youth, or under the influence of alcohol or drugs, or your parents molested you, or you are insane, etc., . . . ad nauseam.

Also, the very people who despise any restriction of their *freedom* can not associate cause with effect --- that much of the criminal behavior in our society is the result of the court decisions of the past that extended people's rights well beyond the boundaries intended by the framers of our constitution.
Stan

- --
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X Stan Ridenour | stanr@tekgp4.CSE.TEK.COM X
X Tektronix, Inc. | Beaverton, OR 97077 X
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

------------------------------

Date: Fri, 19 Aug 94 17:41:15 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

- -------------------------------------------------------------
19 Aug 1994 10:45:28 comp.virus Article 2321 RE:Virus simulators

sand@biko.llc.org writes:

> Hi All!
> I was wondering if any of you have an FTP site where we can get
> some virus simulators.. Thanks!

Certainly. The current shareware version of my Virus Simulator anti-virus product is available from most FTP sites as VIRSIM2C.ZIP.

Host freebsd.cdrom.com (192.216.222.5)
  Location: /.3/garbo/pc/virus
Host ftp.germany.eu.net (192.76.144.75)
  Location: /pub/comp/msdos/mirror.garbo/virus
Host freebsd.cdrom.com (192.216.222.5)
  Location: /.3/garbo/pc/virus
Host ftp.wustl.edu (128.252.135.4)
  Location: /systems/ibmpc/garbo/virus
  Location: /systems/ibmpc/msdos/virus

Virus Simulator is quite popular and is also available from ASP and ASAD approved shareware vendors and BBS's, compuserve, America On-Line, Genie, Ziff net etc. You'll also find it on many CD-ROM collections like the JCSM, Nite Owl, Advantage Plus and of course the ASP CD-ROM.

Additionally, you might also try the ICARO ftp sites as well. But I'm not sure they're aware of its existence.

If you still have trouble finding it, please don't hesitate to contact me directly.

Doren Rosenthal as194@cleveland.freenet.edu
Rosenthal Engineering P.O.
Box 1650 San Luis Obispo, CA USA 93406
- -----------------------------------------------------------

------------------------------

Date: Fri, 19 Aug 94 20:50:05 -0400
From: as194@cleveland.Freenet.Edu (Doren Rosenthal)
Subject: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Subject: Re: Rosenthal virus simulator (PC) August 16, 1994

ay736@Freenet.HSC.Colorado.EDU (Vassil Ivanov) writes:

> Date: Tue Aug 16 06:49:53 1994
> yeah, and besides that, MtE is copyrighted material, as it is clearly
> indicated in its docs. its not shareware, freeware, copyware, vxware,
> use-me-to-make-money-ware, or any of that sort. and i dont think that
> Doren Rosenthal got any kind of permission from the author(s) to use
> MtE for profit, or for anything at all. an asp member selling stolen
> software. what a shame indeed. cant you people make anything ORIGINAL?

I'm sorry but you are mistaken on several points. First the author of the Dark Avenger mutation engine specifically authorizes its use in a virus. The following quote comes directly from his documentation.

---------------------
MuTation Engine Version 0.90a (17-08-91)
(C) 1991 CrazySoft, Inc. written by Mad Maniac.

1. License

You are free to include this Engine in viruses. Using it in another ways is prohibited. You are free to give it to people that will only use it in this way. MuTaion engine is free.
---------------------

Although my Virus Simulator is clearly an anti-virus product designed to assist people to better defend themselves against viruses, the MtE supplement includes the MtE mutation engine and actually is a virus. Additionally, Mr. Maniac (aka Dark Avenger) of the CrazySoft corporation, is welcome to contact me if he believes there is a problem. My address is given below.

The second point is that copyright protection is not extended to programs that make copies of themselves or modify the copyrighted works of another without informed permission and consent.
Viruses that modify someone else's copyright do not enjoy copyright protection. By their actions, they by nature enter the public domain. Virus signatures are a derivative work of something in public domain and do not enjoy copyright protection either. I believe this was the outcome of lawsuit between MacAfee and Greenburg.

My Virus Simulator MtE supplement does not modify anyone's copyrighted work but mine and although the mutation engine is embedded within the compiled program, the MtE supplement is my own original work. Understand that the MtE mutation engine is a routine that makes the virus change each time it replicates and gives the virus its polymorphic ability to (attempt) avoid detection. The main body of the virus is the portion I have written to be safe and controlled.

I'm sorry, but I do not make the source code or MtE engine available without my built in safeguards. Tampering is discouraged, and anyone who obtains a copy for a purpose beyond my legitimate intention is going to be disappointed.

Although the complete development kit is not available from me, Vess has posted the email address of Dr. Mark Ludwig at American Eagle Publications in Tucson, Arizona on this forum. His Computer Virus Developments Quarterly (vol 1, no 3) spring of '93 did a very in depth coverage of the subject, complete with a supporting diskette. Far more informative than wasting time attempting to extract the mutation engine from my Virus Simulator MtE supplement... and you needn't pay me a dime!

Doren Rosenthal as194@cleveland.freenet.edu
Rosenthal Engineering P.O. Box 1650 San Luis Obispo, CA USA 93406
------------------------------------------------------------

------------------------------

Date: Fri, 19 Aug 94 21:41:53 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Unknown problem (PC)

Eric Robichaud wrote:
>
>One of my clients has two standalone IBM PC. He often copies files from one
>computer to the other one.
Our technician checked for viruses with F-prot and
>Mcafee's latest virus detectors (with bootable diskettes). Guess what? He
>couldn't find any viruses. He also checked out the hardware and found nothing.
>Is it a stealth virus? Is there a new tough virus out there? Any suggestions
>would be appreciated.

Why do you think there is a virus? Did something weird happen to the system while it was being used?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu datadec@wintermute.ucr.edu

------------------------------

Date: Fri, 19 Aug 94 22:04:14 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Fridrik Skulason wrote:
>Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod) writes:
>
>>How can it lead to worse anti-virus products? Maybe some authors get lazy
>>because they can't keep up with the flood of new viruses?
>
>Laziness is not the problem ... a lack of time and skilled people is.

Well, usually to get skilled in something you either have to do your own research on it, or go to a school of some kind. Here, with viruses, it seems that maybe you could go to school and learn about computer architecture, assembler programming, etc. and then you are halfway there -- you just need to know about the currently existing viruses.

With all the imposed control on viruses, it is extremely difficult to find someone who is already trained and knows bunches about viruses and whatnot. Instead, people shouldn't balk and scream that it's too hard to find skilled people, but rather, it is easy to find people who have the appropriate background in computer architecture, and the laziness is what keeps the employers from training them on the specifics.

Whenever someone gets a new job, they *always* get some kind of training on what they are doing, I don't care if it is flipping burgers to pointing where the missile is supposed to land.
I see the problem as most definitely laziness on the part of the people who have AV packages. They expect people to already know everything they need to know, which is absurd considering that the stuff people need to know is so tightly restricted and controlled. (I'm not trying to imply whether or not this is good or bad).

Can you tell me, Frisk, what are the requirements which you have before you are willing to hire someone for tech support? How about one of your development programmers? Did you know the people for long before you hired them?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu datadec@wintermute.ucr.edu

------------------------------

Date: Fri, 19 Aug 94 23:33:36 -0400
From: p4f192@ugrad.cs.ubc.ca (Tzu-Soon Jim Horng)
Subject: Help need to get rid of Michelangelo (PC)

This is the problem: One of my friends asked me to look at her computer (80286), because it couldn't boot up from harddrive. After scanning it with msav.exe (virus scanner that came with dos 6.x), I found the harddrive is infected by the "Michelangelo" virus. I have some experiences dealing with virus, but I can't seem to remove it by msav.exe or by SYS.COM from a floppy boot up. It seems that as soon as the computer knows the existence of the harddrive, the virus is active in memory (no matter which drive I boot it from). I do not wish to reformat the whole harddrive, since she does not have a backup of all the programs.

Questions:

1. How can I remove Michelangelo virus on her system?
2. Is there a program (shareware or freeware if possible) that can remove the virus without reformatting the harddisk?
3. How safe are the files on the disk (are the files infected as well?) Is it too late for me to back up the files now?

If you have dealt with Michelangelo virus or if you have ideas about how to get rid of it please send an email to me. p4f192@ugrad.cs.ubc.ca

Thanks a million.
Jim Horng

------------------------------

Date: Sat, 20 Aug 94 11:50:27 -0400
From: jayl@dorsai.dorsai.org (Jay_Leiser)
Subject: Re: changing genP/genB virus (PC)

I guess I left out the details. A co-worker of mine was experiencing delays accessing her floppy drive. In addition she was getting lost clusters with cross linked files when running chkdsk /f. She sent a client a self extracting zip file on a floppy and the client accidentally rebooted off this floppy. The boot was unsuccessful but it infected their system and the PC would not boot. They ran McAfee v117 and it detected the stealth genb. The PC that infected the diskette when scanned reported the stealth genp. McAfee cleaned it up and the client had to reformat their hard drive.

Kevin Marcus (datadec@corsa.ucr.edu) wrote:
: Jay_Leiser wrote:
: >I need some info. We got a virus that is detected as the stealth genb
: >when booting from hard drive and when booting from floppy it is detected
: >as a stealth genp. In addition this virus was detected as the newbug genp.
: >
: >Any information regarding these viruses would be greatly appreciated.

: I'm rather curious how you know it's Stealth. Genb and Genp, which are
: really crappy names, mean you might have a virus which corrupts your
: data slowly (say, Ripper), or it might do mostly nothing (NYB), or it
: might just have a nasty trigger, or maybe cause Windows to lock up, or
: it might not.

: Hell, maybe it will print out a message, or play a song, or it might not.
: It could do just about anything. Oh, and it also might not do anything.

: Be sure to let that particular program you're using (cough, cough) clean
: it too. I mean, if you can trust it enough to identify something as your
: system and have no idea what it is (and give you worthless information
: about it), then, by all means, that program must definitely know how to
: remove it safely, right?
: - --
: --=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
: "ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
: Computer Science Dept., University of California, Riverside.
: .oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Thu, 18 Aug 94 20:52:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Flash BIOS infector? (PC)

"kent norman" asks:

> Are there any viruses that infect a flash BIOS?

No, not at the moment. ;-( This was an idea I've suggested when I started hearing about Flash BIOSs. The VirNet discussion was very interesting and I know that some PC manufacturers had taken it seriously.

> If embedded in the new BIOS, it seems it would be
> impossible to remove since any new flashes would
> be after the computer loaded the bad BIOS and
> before reading the floppy with the new BIOS code.

That was the original idea.

Warmly
* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Tue, 16 Aug 94 15:37:40 +0200
From: Matt_Haynes@f107.n441.z9.virnet.bad.se (Matt Haynes)
Subject: Info request (PC)

Hi .....

Can someone please shed some light on this :

I have 2 machines (PC's) and on m/c 1 I ran a menu progy I was writing it worked fine the first time !!! then every time after that it just came straight back to the prompt ???. I took the original program and put it on m/c 2 it worked ok every time, so I took the program that would not run onto m/c 2 and ran it but it just came back to the dos prompt. I then tried to run debug on the exe to try and see what was wrong but the same thing happened it came back to the dos prompt.

What seems to be happening is that every program you run just comes back to the dos prompt but if you do a directory the time stamp has changed to the current date ??
It's not a problem with the m/c because it does the same on any m/c after you have run one of the progs that returns straight back to the dos prompt.

I have run various virus scan progs (SCAN and F-PROT) but these come up with nothing.

Please help it's driving me mad, I've got my m/c's back to normal but I've still got copies of the "infected programs" if anyone is interested.

Thanks in advance

Matt

.. Backup not found: (A)bort (R)etry (P)anic
- --- ind3x/JAM/Gecho
* Origin: IND3X - +44-602-855607 & +44-602-855661 - (9:441/107)

------------------------------

Date: Tue, 16 Aug 94 14:28:06 +0200
From: Arjan_Van_Der_Werf@f7.n315.z9.virnet.bad.se (Arjan Van Der Werf)
Subject: Re: ANSI bombs (PC)

>>>> Quoting Fridrik Skulason to All <<<<
>>>> Subject: Re: ANSI bombs (PC) <<<<

Hello Fridrik,

I send this message to you because I don't know who sent the original message.

>I was wondering if anyone knew of a virus scanner/cleaner that
>can clean something called an "ANSI bomb"? I was told that they
>can't be found by most scanners, and I think there's one going
>around my area...

FS> The best defenses against something like this:
FS> use a program like LIST, not TYPE
FS> get a better driver, that does not allow redefinitions.

Or use the PKware utility called PKSFANSI.COM, that's what I use. This is what the documentation of the program says.

___-----------------------------------------------------------------------
Purpose:

PKSFANSI (PK Safe ANSI) is a Terminate and Stay Resident program that disables ANSI Keyboard Key Reassignments, thereby preventing 'ANSI bombs' embedded in any text file (such as README files) or output by any program. Normally, ANSI sequences that redefine the keyboard could be hidden inside ANY text file or program, and could be executed completely unnoticed until it is too late.

PKSFANSI intercepts calls to ANSI.SYS or other ANSI device drivers, and filters out any keyboard reassignments, while allowing other ANSI sequences through unaltered.
If a keyboard key reassignment is attempted, PKSFANSI will intercept the sequence and discard it. PKSFANSI also will BEEP to alert you that a reassignment was attempted.

PKSFANSI requires only 832 bytes resident RAM, and should work with any ANSI driver, such as the standard ANSI.SYS driver, NANSI, ZANSI, DVANSI, etc. Note that if you use a memory resident ANSI driver, such as the DESQview DVANSI.COM driver, that PKSFANSI should be loaded AFTER the ANSI driver is loaded.
___-----------------------------------------------------------------------

That was just a small quote from the PKSFANSI.DOC file

P.s I read somewhere about an undocumented switch for F-prot in the message it said to use the /paranoid option after the /analyse option, when I tried this I got (like the message writer said) a lot of false alarms, so I was just curious is this switch for the "paranoid" and why is it undocumented?

Greetings,
Arjan van der Werf (The Netherlands)

.. (A)bort, (R)epent, (I)gnorant?
___ Blue Wave/QWK v2.12
- --- Maximus 2.01wb
* Origin: DISCOVERY BBS * Apeldoorn/Holland * +31-55-431332 * (9:315/7)

------------------------------

Date: Sat, 20 Aug 94 15:38:41 -0400
From: "Fabio Esquivel C."
Subject: Server-downing virii - Netshield corruption on Novell server (PC)

OK, Fran excuses himself 'cause he doesn't know all the details why the PC Support group in their headquarters issued the warning about not using McAfee's NetShld.NLM on a Novell Server.

But... what does McAfee have to say about this? Has McAfee experienced such corruption on their own Novell servers when testing the product before they put it on their FTP node? Was it a bug on a single old version, already fixed on current versions? Or what?

I think it's important to know if NetShld.NLM is potentially dangerous if loaded on a Novell server, which is a file (data, programs, etc.) server. If it does corrupt databases (I don't know why would it do so), then people already running this software are in danger...
Please, John McAfee or Aryeh Goretsky, answer us

                                  \___/
                                  (O o)
- ----------------------------------oOo-U-oOo--------------------------------
Fabio Esquivel - University of Costa Rica    | C:\GAMES>a:install
fesquive@cariari.ucr.ac.cr (163.178.101.5)   | Blood_Drinker virus found!
fesquive@bribri.ci.ucr.ac.cr (163.178.101.8) | Apply, Kill, Panic? _
                        "Up the Irons!" - 8¬)
- ---------------------------------------------------------------------------
                                 __|||__
                                (__/^\__)

------------------------------

Date: Sun, 21 Aug 94 04:05:59 +0000
From: spdaley@undergrad.math.uwaterloo.ca (Steve Daley)
Subject: GenB Virus - Need Help! (PC)

Hi, a friend of mine is having big problems...Can you help?

...

Having a problem with several computers, reporting GenB, Generic Boot Virus. The following programs give the following reports:

McAfee 2.01    GenB at 960k
Thunderbyte    Unknown Boot sector virus
MSAV           Nothing
CPAV           Nothing

I am switching disks in and out of these machines all the time so it is conceivable that I could have this virus --- except that I also swap between two other machines which are not affected.

One note - the majority of the machines use the exact same motherboard, bios, and memory (EMPaC Computer - Shuttle Motherboard - AMI Bios - 30 pin SIMMs) - These are the machines that report the virus. The other machines are a year and a half old, with different parts in them and they do not report a virus with any of these programs -- even though I swap disks into them more than any of the other machines (these two are my personal machines).

No attempts to remove the virus work. I have done the following (as well as about 500 other things):

1. Make 6.2 boot disk on clean machine with only Himem.sys and Emm386 loading - boot infected machines and check with Scanner - Same Result as above
2. Sys the hard drive from a clean floppy
3. Re-format hard drive, re-install DOS from BRAND NEW package
4. Low level drive, then do step 3.
None of these or anything else helped the situation at all.

ANY HELP ON THIS WOULD PROBABLY GET MY BLOOD PRESSURE BACK TO SOME SORT OF ACCEPTABLE LEVEL !!!

Please Email: spdaley@cayley.uwaterloo.ca

------------------------------

Date: Sun, 21 Aug 94 03:10:27 -0400
From: rshea@netcom.com (Rex Sheasby)
Subject: Re: Smeg viruses (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
> J M Hicks (cudat@csv.warwick.ac.uk) writes:
> > I'm always disturbed by reports that software can damage hardware.
>
> Most (all) of those reports are either urban legends or concern
> outdated/defective hardware.

A close friend works in HD design for a major drive company. We recently had a discussion about the possibility of malicious code using the proprietary HD commands (commands not in the IDE spec) to overwrite areas of the disk essential to its operation. A jumper to disable this possibility was considered, and rejected as not being cost effective.

So at least some new hardware can be disabled by software to the point that a return to the factory repair center is necessary to restore its operation. In fact, the center may choose to replace the HDA as the most economical solution. Most users would call a disk that had to be returned to the factory repair center 'damaged', I suspect.

rex

- --
CAUTION: what follows is a meme. It may infect your mind. You may spread it to others without intending to.
Hello, I'm from the government. I'm here to help you. Please bend over to facilitate my scan of your microchip ID.

------------------------------

Date: Sun, 21 Aug 94 00:25:02 +0000
From: jamesb@osuunx.ucc.okstate.edu (James Beauchamp)
Subject: Possible undetectable virus?? (PC)

I may have a virus undetectable by mcafee117. When I try to read a text file from the 3.5 floppy with the write protect open, I get the message "write protect failed......a)bort...etc...". This has never appeared, and should not to my knowledge.
I then activated Vsafe to block floppy boot sector writing, closed the write protect, and upon retry, received an intermediate pipe error. Something seems to be attempting to write to the disk when I want 'type' command. After downloading everything I could from mcafee and rescanning several times, nothing is found. My knowledge may not be great enough to warrant concern, however, this DOES point to a possible critter.

If anyone knows what my next step should be, assuming this is a new and improved bug, PLEASE feel free to mail me before things begin to crash. All autoexec and .sys files have been copied onto floppy just in case.

Help.....
JamesB

------------------------------

Date: Sun, 21 Aug 94 03:13:28 -0400
From: Henry Huang
Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

Doren Rosenthal wrote:
>Vesselin Bontchev writes... and writes... and writes:
>
>> The problems I have with this is that, due to lack of technical
>> expertise, very few users are able to understand how unsuitable your
>> product is for testing scanners.
>
>You're the only one who said Virus Simulator was designed to
>replace real viruses for testing scanners Vess. It's purpose and
>limitations are spelled out quite clearly in the documentation
>file. Although you have posted your opinion on the value and
>function of Virus Simulator before you looked at it, there is
>still time to read the documentation.

Fair enough ... let's see what it says in your excerpts:

>
> Virus Simulator
>
> Virus Simulator creates a simulated test suite of .COM and .EXE programs
> as well as boot sector and memory resident viruses. These programs
> contain the signatures (only) from real viruses. The programs themselves
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> are not really infected with anything, but contain carefully selected
> portions of code from their real virus counterparts.
Whenever possible,
> these sections of code or virus signatures are selected to trigger
^^^^^^^^^^^^^^^^^^^^^
> vigilant virus detectors. Since these are really only dummy viruses, not
^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^
> all infected program simulations produced by Virus Simulator will
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> trigger every virus detecting program.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> Real Viruses or Simulated Viruses for Testing
>
> These test virus simulations are not intended to replace the
> comprehensive collection of real virus samples as maintained by
> Rosenthal Engineering and other anti-virus product developers for
> testing. They are, however, suitable for use by general end users,
> system administrators and educators. These virus simulations set off
^^^^^^^^
> virus detectors for testing and demonstration without the danger
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> associated with their malicious virus counterparts.
>
> The simulators all produce safe and controlled dummy test virus samples
> that enable users to verify that they have installed and are using their
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> virus detecting programs correctly, additionally affording an
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> opportunity for a practice training exercise under safe and controlled
^^^^^^^^^^^^^^^^^^^^^^^^^^
> conditions.

> Access to the Rosenthal Engineering Virus Collection

> The Virus Simulators and supplements are really intended to give users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> some hands on practical experience using their virus protection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> products, on their own systems, without using live ammo. The simulators
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^
> ability to actually test products exhaustively is limited.
That's why
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Rosenthal Engineering maintains a very comprehensive collection of real
> sample viruses for testing at our facility...........

OK, so what you're trying to say is that your program is designed to deliberately trigger scanners, for the intended purpose of mainly "demonstration" (i.e. a "fire drill", if you will). It's not clear from the text exactly what you mean by "testing" if (as you say) it's not supposed to imply testing a scanner for accuracy or virus detection abilities (I'll explain why I think so below).

On the surface, there doesn't appear to be anything wrong with wanting to "demo" an anti-virus program, however:

a.) when a scanner detects something as a virus which isn't a virus, that's called a "false positive". In essence, the usefulness of your product in demoing scanners hinges on its ability to trigger such false positives.

b.) The usefulness of being able to "demo" a scanner notwithstanding, the very idea of being able to set off AV-products with signature bait should make people feel more nervous than secure. In an ideal world, a virus detector should NEVER flag things which aren't viruses, regardless of what technique it uses (notice I did NOT say "scanner"). When a detector cannot detect/identify viruses accurately, it's called "unreliable". Detecting viruses accurately means more than just being able to detect viruses, it also implies being able to distinguish between what IS and ISN'T a virus.

Regardless of whatever known virus-like characteristics you've loaded your samples with in the shareware version, they're not real viruses. You say so in the first paragraph. So, a perfect virus detector should not sound the alarm when presented with any of them -- and you wouldn't be able to see any of the messages or other bells and whistles that you wanted to, thus defeating the purpose of your product.
I realize this has been covered before by others, but this point has been kind of buried under all the recent flamage.

c.) All of the above comments are specific only to the approach in your product, based on what you've said in the excerpts. (More on that later.) The question still remains: is it useful to be able to "demo" a scanner, regardless of how you do it?

Vesselin has stated before that that's what the manual's for. However, I'm still not convinced. Reading a manual is not the same as actually using a scanner and suddenly being hit with a slew of panic messages. Taking into account the general ignorance of many people in dealing with virus attacks, it just doesn't seem as if your average newbie is going to be able to respond to alert messages/sounds with a level head.

While education is the only permanent solution to such problems, being familiar with the alerts and other features of a detector may help to calm a person's nerves so that they don't go ballistic when the Real Thing hits. By being familiar with an emergency situation, you have a better chance of knowing how to respond. This is part of the logic behind "fire drills".

So, if you agree that being able to "demo" a detector is useful, there's no reason why it can't be implemented -- *within each product*. Attempting to trigger false positives really isn't the way to go, unless you're trying to see if your detector is vulnerable to certain false positives.

So that's where I stand (personally) on this whole "simulation" thing. Unfortunately, much of this thread has been devoted to flaming the merits of the people debating rather than the merit of the product -- on *both* sides, and that's disgraceful.

In particular, a *lot* of hay has been made over what was and wasn't said in the docs for this product. Vesselin thinks that the whole thing (product, docs, etc.)
is deliberately misleading, and while I can't *fairly* say anything about the deliberate part, I can put forward a pretty good argument for the "misleading" bit, based on what Doren posted in his message. Let's review:

> Virus Simulator creates a simulated test suite of .COM and .EXE programs
> as well as boot sector and memory resident viruses. These programs
> contain the signatures (only) from real viruses. The programs themselves
> are not really infected with anything, but contain carefully selected
> portions of code from their real virus counterparts. Whenever possible,
> these sections of code or virus signatures are selected to trigger
> vigilant virus detectors. Since these are really only dummy viruses, not
> all infected program simulations produced by Virus Simulator will
> trigger every virus detecting program.

Now, what is he saying here? First off, he makes it quite clear that he's aiming his product at signature-based scanners; although he later claims (outside of the posted docs) that:

>it's designed to set off scanners, activity monitors and
>integrity checkers etc.

it really doesn't wash that a benign piece of code would be able to set off an integrity checker, since by definition, an integrity checker does not look for signatures, but rather for changes in certain files. Unless you somehow manage to simulate THAT, of course -- but it doesn't say in the posted docs that it does.

Second (and more importantly), although he states that his product is designed to set off scanners, nowhere does he mention that he's triggering false positives.
In fact, he states that his signatures are "selected to trigger vigilant virus detectors", and then goes on to mention that not all detectors will be triggered by his simulations because they're fake. So (correct me if I'm wrong), what he's saying is that "vigilant" (i.e. "good", "reliable", whatever other adjectives come to mind) scanners should be triggered by his fake samples -- with the strong implication that the ones which aren't are not good scanners by the following logic:

- "vigilant" detectors should flag his fake samples,
- not all detectors will flag his fake samples,
- therefore, those detectors which don't aren't "vigilant"

Yes, this is FALSE logic -- but it's incredibly tempting false logic, don't you think? It certainly SOUNDS reasonable at first blush. Even if there was no intent to mislead people, the language in that paragraph is quite misleading -- because it's not immediately stated that the purpose of the product is to "demo" and not to "test" detectors for accuracy, it's very easy to come away with the impression that that's what this product is for.

Even more disturbing is Doren's assertion that "vigilant" detectors should be more likely to detect his fakes (since that's how he designed them). While many people might associate the word "vigilant" with "accurate" or "reliable", you could also argue that that word means "sensitive" -- i.e. a "vigilant" detector would err on the side of caution and flag the fakes as real, even though they're not. Like I said before, the difference between an ideal detector and one that detects all known viruses is that the ideal detector will never have false positives.

Sure, it could all be a matter of semantics. But it takes a lot more explaining and imagination to make this paragraph sound reasonable than it does to jump to the easiest, reasonable-sounding conclusion. At the very least, it's unintentionally bad writing.

[continuing with the next paragraph ...]
> Real Viruses or Simulated Viruses for Testing
> These test virus simulations are not intended to replace the
> comprehensive collection of real virus samples as maintained by
> Rosenthal Engineering and other anti-virus product developers for
> testing. They are, however, suitable for use by general end users,
> system administrators and educators. These virus simulations set off
> virus detectors for testing and demonstration without the danger
> associated with their malicious virus counterparts.
>
> The simulators all produce safe and controlled dummy test virus samples
> that enable users to verify that they have installed and are using their
> virus detecting programs correctly, additionally affording an
> opportunity for a practice training exercise under safe and controlled
> conditions.

Now, based on what you've read above, what do you think Doren means by the word "testing"? When he first refers to his virus collection, it sounds like he's talking about testing for accuracy, or detection -- especially when he mentions that stuff about "other anti-virus product developers". Then he starts talking about how his simulator sets off detectors "for testing and demonstration without the danger" caused by the real thing, and about how you can "verify" that you've installed your anti-virus programs "correctly" -- with a "practice training exercise" as an *ADDED* benefit. But he never ONCE defines just exactly what he means by "testing", and this is left as an exercise to the reader's imagination. Frankly, I can't tell one way or the other what he really means by that -- all I can say is that I really can't blame that poor U.K. magazine for (mis)using his product.
I was going to say that maybe he meant testing == demonstration, but his comment about demoing being an added benefit seems to kill that theory. This is important of course, because if (as Doren says) he never intended his product to be used for anything other than demos, he still has to account for what he means by "testing" here. Is it testing for false positives? Who knows?

[last paragraph ... finally!]

> Access to the Rosenthal Engineering Virus Collection
> The Virus Simulators and supplements are really intended to give users
> some hands on practical experience using their virus protection
> products, on their own systems, without using live ammo. The simulators
> ability to actually test products exhaustively is limited. That's why
> Rosenthal Engineering maintains a very comprehensive collection of real
> sample viruses for testing at our facility...........

This is the first clear statement anywhere that this product is to be used mostly for gaining "practical experience" -- i.e. demoing a product. It's also the first time he admits that perhaps it's not such a good idea to use this product as a basis for "testing" -- but he still doesn't define the word, leaving you to fill in the blanks. (Accuracy testing? Naaaaah, couldn't be ... ;) Of course, if you fill in the blanks a certain way, then all my defenses of his documentation completely fall to pieces ...

To be completely fair, I must add that this entire analysis is based only on the excerpts which Doren posted to comp.virus. Perhaps there are things in the complete documentation which answer all these questions -- and if that's the case, I'd want to be the first one to see them.
So Doren, if you'd be so kind as to direct me to the nearest FTP site with the latest version of your product, I'd appreciate it. (I tried looking for the latest version on several sites, but came up empty.) You could also E-mail me the docs.

Follow-ups to comp.virus and E-mail, please. All responses appreciated.

-H (hwh6k@virginia.edu)

------------------------------

Date: Sun, 21 Aug 94 03:18:15 -0400
From: kwwong@lynx.dac.neu.edu (Kwong Wong)
Subject: [HELP] I Don't know if I have a virus in my computer or not.... (PC)

My IBM PS/2 Model 70 has been acting very strangely for the past two weeks. I suspect that there is a virus in my system. Here are the problems that are happening so far...

1) My Microsoft Windows 3.0 screen "shivers" and "distorts" upon occasions. The mouse pointer moves in directions I DO NOT want it to go... it even clicks and moves icons and I never even TOUCHED the mouse button! (The mouse BTW is clean and I had it for a year... it works fine)

2) Just a few days ago, I noticed when I turned on my computer that the time and date stamps were wrong... I had to correct them. (I never touched the settings)

3) I have the Wolfenstein 3-D game and for one full week now the game is virtually uncontrollable (the mouse which I use won't work even when the settings for the game are activated). The chaingun (the most powerful "weapon" in WOLF3d) goes firing off by itself at random moments!!! I haven't played it since these problems arose and got worse...

4) When I hook up my computer to e-mail... upon occasions now, the modem won't dial up the first time I command it to... (I suspect it's the communications program that's being infected as well).

5) Every now and then the screen (whenever it has text) starts to "shiver"... in other words the text on screen seems to slightly distort itself and then goes back to normal... This is scary! It occurs regardless if I'm on DOS or Windows or WordPerfect, and such...
I was wondering if anyone here can tell me if I have a virus in my PS/2 and IF I DO HAVE A VIRUS, WHAT CAN I DO TO GET RID OF IT BEFORE IT GETS EVEN WORSE!!!!

I really appreciate anyone's help. Email me as soon as possible.

-Kwong
kwwong@lynx.dac.neu.edu

------------------------------

Date: Sun, 21 Aug 94 03:43:51 -0400
From: eng30424@solar.cc.nus.sg (TAN SIEW WU)
Subject: Help on BUPT 9146 Beijing virus (PC)

I encountered a virus in my machine (digital 486dx33) on which mem.exe responded with 637K of conventional memory. When I use debug to look at the memory, I found this string starting at the address 9000:F7BA "Welcome to BUTP 9146 Beijing". This virus has been causing my windows for workgroup unable to have 32 bit disk access.

If anyone knows anything about this, please email to me or post an article in this group.

Thanks in advance......

|----------------------------------------------------------|
| Tan Siew Wu                                              |
| Department of Electrical & Electronics Engineering.      |
| National University of Singapore.                        |
| Email address :- eng30424@nus.sg                         |
| Term address :- Raffles Hall, Kent Ridge Crescent,       |
| Singapore 0511.                                          |
|----------------------------------------------------------|

------------------------------

Date: Sun, 21 Aug 94 04:19:18 -0400
From: yngvar@vestnett.no (Yngvar Foelling)
Subject: Re: McAfee Virus Scan (PC)

I have a problem with McAfee's VSHIELD 2.10e (unregistered version). When it starts up, it keeps detecting viruses at random in the area 640-720 kB. This is, of course, the screen buffer, but since the screen is in text mode when it runs, most of the memory should be disabled. I'm almost certain that they are false positives. SCAN doesn't detect any viruses there, and VSHIELD detects *different* viruses every time.

Is this something that is fixed in the registered version? Of course, I *won't* register a program with a bug like this.

My computer is a 33MHz 486 with 8 Mb of memory and a Tseng ET4000-based graphics adapter.
Yngvar Foelling (yngvar@vestnett.no)

------------------------------

Date: Sun, 21 Aug 94 04:37:46 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Virus Source code on CD ROM? (PC)

Mike McCarty (jmccarty@spd.dsccc.com) wrote:

> I do have problems with people growing and spreading viruses with the
> intent of causing disease. This is and should be a crime.
> I have no problem with people growing and investigating, e.g. HTLV III
> virus. I have a real problem with members of ACTUP intentionally
> attempting to spread this virus.
> Very different things.

What the heck do you think Ludwig is doing? Or is selling viruses somehow different to spreading them?

We just had this major debate on FidoNet and I have no particular desire to have it all over again. Suffice it to say that the underground failed to convince us that giving free access to viruses and virus source code was a good thing. In general, they failed to understand the link between freedom and responsibility.

Cheers, Ian

--
-----------------------------------------------------------------------------
Ian Douglas             Lead, Follow,      InterNet: iandoug@cybernet.za
P.O. Box 484            or get out of      FidoNet:  5:7102/119
7532 Sanlamhof          the way.           TopNet:   225:2048/1
South Africa            (Ted Turner, CNN)  PGP key available.
-----------------------------------------------------------------------------

------------------------------

Date: Sun, 21 Aug 94 06:59:55 -0400
From: hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: A new virus? (PC)

Eric Hilton Jones (ehjones@whale.st.usm.edu) wrote:

> A friend of mine has a real problem. He has a virus that:
> 1. Is undetectable using McAfee (2.10, 1.17, 1.13), MSAV 6.22,
> F-prot(late july).
> 2. You cannot run (get "error in .EXE") them by name, unless you rename
> them (McAfee, MSAV). After running them, if you reboot you get
> "CHECKSUM ERROR IN CMOS", and you have to re-enter all of the values.
> The renamed files all have the same three bits (hex 81 70 0C).
> 3. It copies executable files like pkzip.exe, q.exe, [...] into system
> files (invisible) and makes a new file the same size, time, and date
> but with new code. This has only been done to semi-small executable
> files.
> 4. CHKDSK, NDD, CHECKIT, PCPROBE indicate no problems.
> 5. If you boot from a floppy, you cannot access drive c:.

Well, all of the above symptoms match the Goldbug virus, which is known to be in the wild internationally. It was distributed in July in a pirated copy of a beta version of DOOM.

This virus has a very wide variety of different tricks it employs, and it is currently (21st of August) not detected by any of the popular scanners we have access to. We now have a version of F-PROT in beta-test which seems to be able to detect it reliably. You can expect that most scanners will start to detect this virus with their next update or so, as the 'polymorphic encryption' used in the virus is not really polymorphic.

The virus infects MBR's and floppy boot sectors, as well as being a companion infector. It hides itself in the video memory during boot-up and has several retro-mechanisms against anti-virus programs. It is also able to by-pass the common '32 bit access' error message from Windows.

E-mail me for instructions on how to remove this virus manually.

--
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Check out our WWW site at http://www.datafellows.fi/

------------------------------

Date: Sun, 21 Aug 94 11:06:59 -0400
From: Iolo Davidson
Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)

jmccarty@spd.dsccc.com "Mike McCarty" writes:

> Furthermore, I believe that the charter (if it indeed forbids offering
> virus material, I haven't seen the charter) should be changed.

You will be outvoted. By Doren Rosenthal, for one. Why would anyone buy his simulated viruses if they could get the real thing for free?

> Let's face it. Those who want to get copies of viruses -can- get them.

But not from this respectable and responsible newsgroup.

> I call on the Moderator to gag Vesselin for making personal attacks
> which are libellous and off-topic.

This from a professed proponent of liberty and free speech. I think we get it now, Mike.

--
SAID FARMER BROWN     WISH I COULD
WHO'S BALD            ROTATE THE CROP
ON TOP                Burma Shave

------------------------------

Date: Fri, 19 Aug 94 22:17:29 -0400
From: David_Conrad@MTS.cc.Wayne.edu (David R. Conrad)
Subject: cs-251.zip - CHK-SAFE checks file integrity w/MD5 algorithm (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/fileutil/
cs-251.zip    CHK-SAFE checks file integrity w/MD5 algorithm

Chk-Safe v2.51 is a program written by Bill Lambdin, Don Peters and Robert Bullock which uses the MD5 hash algorithm from RSA Data Security, Inc. to validate the integrity of software. Its purpose is similar to that of VALIDATE which is distributed by McAfee Associates, but it uses a stronger hash function and thus provides much greater security.

Hash codes for antivirus software will be published in forums such as comp.virus/VIRUS-L so that users can check the validity of their software.

Version 2.51 is the first version which is being offered via anonymous ftp. Previous versions were much slower, but due to optimizations the current version is more than twice as fast.

Bill Lambdin has given his permission for me to upload this program, and for its redistribution.

Special Requirements: None

Uploaded by: David R. Conrad, David_Conrad@mts.cc.wayne.edu

------------------------------

Date: Sat, 20 Aug 94 22:06:14 -0400
From: fernando@ubik.satlink.net (Fernando Bonsembiante)
Subject: Virus, Hacking and Computer Underground Conference

Hola all!
Hacking and Virus congress in Buenos Aires
------------------------------------------

First international congress about Virus, Hacking and Computer Underground. Organized by Virus Report Magazine

Buenos Aires, Argentina, October 7, 8 and 9, 1994, 3 PM to 9 PM. At the Centro Cultural Recoleta, Junin 1930.

The admission to all days, all events will be FREE.

The congress will be oriented to discuss subjects related to hacking, viruses, and the technology impact in the society of now and in the future. We will also have discussions about cyberpunk, virtual reality, the internet, the phone system, programming, etc. The speakers will be both from the 'official' world, and the 'underground' world. Emmanuel Goldstein (2600 magazine) and Mark Ludwig (Little Black Book of Computer Viruses), will be our special guests.

The people coming from other countries will be offered free rooming at volunteer's homes. We can't afford plane tickets for anyone, so the travel expenses are up to you.

The official languages will be Spanish and English, with simultaneous translation.

We expect the congress to be as open as possible, offering freedom to speak to all attendants, being from the 'bad' or 'good' side of the discussed issues. As we in Argentina don't have yet laws against hacking or virus writing or spreading, we think it is very important to discuss all those items as freely and deeply as possible.

Information:
E-Mail: fernando@ubik.satlink.net
Fidonet: 4:901/303
Phone: +54-1-654-0459
Fax: +54-1-40-5110
Paper-Mail: Guemes 160, dto 2.
            Ramos Mejia (1704)
            Provincia de Buenos Aires
            Republica Argentina

Saludos, Fernando

If you think communication is all talk, you haven't been listening.
(Ashleigh Brilliant)

{ Fernando Bonsembiante                                      }
{ Guemes 160 dto 2      Tel: (54-1) 654-0459                 }
{ Ramos Mejia (1704)    Fidonet: 4:901/303                   }
{ Republica Argentina   Internet: fernando@ubik.satlink.net  }
PGP public key available upon request
Clave publica de PGP disponible a pedido

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 73]
*****************************************
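
Added example, not part of the digest or of any product discussed in it: a minimal signature scanner and a hash-based integrity checker run over constructed files, showing the point made in the simulator discussion above (signature bait trips a scanner but not an integrity checker) together with the published-hash validation described in the CHK-SAFE announcement. The signature bytes, file names and function names are constructed for illustration, and SHA-256 is used here in place of the MD5 that CHK-SAFE uses.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed 8-byte pattern standing in for a scanner signature.
# It is not taken from any real virus.
SIGNATURES = {"DEMO-SIG-1": bytes.fromhex("de c0 ad 0b fe ed fa ce")}


def signature_scan(data: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Return the names of all signatures that occur anywhere in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def digest(data: bytes) -> str:
    """Hex digest of the file content (SHA-256 swapped in for MD5)."""
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record one digest per file while the system is in a known state."""
    return {name: digest(data) for name, data in files.items()}


def integrity_check(files: dict[str, bytes], baseline: dict[str, str]) -> dict[str, str]:
    """Map every baselined file to 'ok', 'changed' or 'missing'."""
    report = {}
    for name, expected in baseline.items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(digest(files[name]), expected):
            report[name] = "ok"
        else:
            report[name] = "changed"
    return report


def verify_published(data: bytes, published_hex: str) -> bool:
    """Check a downloaded file against a hash published out of band."""
    return hmac.compare_digest(digest(data), published_hex.strip().lower())


def demo() -> tuple[dict[str, list[str]], dict[str, str]]:
    # Constructed sample files: neither one is or contains a virus.
    clean = b"MZ" + b"\x90" * 32 + b"benign program body"
    bait = clean + SIGNATURES["DEMO-SIG-1"]  # harmless file carrying only the pattern
    files = {"TOOL.EXE": clean, "BAIT.EXE": bait}
    baseline = take_baseline(files)

    # Later, TOOL.EXE is altered by code that no signature list knows about.
    files["TOOL.EXE"] = clean + b"\x00appended unknown code"

    scan = {name: signature_scan(data) for name, data in files.items()}
    return scan, integrity_check(files, baseline)


if __name__ == "__main__":
    scan, integrity = demo()
    for name in sorted(scan):
        print(f"{name}: scanner={scan[name] or 'clean'} integrity={integrity[name]}")
```

The scanner reports only the harmless bait file (a false positive) and misses the altered file, while the integrity checker reports only the altered file and stays silent on the bait, whatever bytes it contains.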