VIRUS-L Digest   Wednesday, 26 Apr 1989   Volume 2 : Issue 100

Today's Topics:

UK computer virus conference
Yale and 1701/1704 virus, and Sentry (PC)
Re: Using Checkfunctions For Virus Detection (General Interest)
more on Flu_Shot+ availability (PC)

---------------------------------------------------------------------------

Date: Tue, 25 Apr 89 22:41:51 BST
From: David.J.Ferbrache
Subject: UK computer virus conference

Combatting Computer Viruses
---------------------------

There will be a one day conference (sponsored by PC Business world) held on
the 17th May 1989, in the City conference centre, London. The agenda for
the conference is enclosed:

0930  What is today's computer virus
      Jim Bates, Consultant Programmer, Bates Associates
      Introductory session, characteristics of viruses, demonstration
      of live viruses (Italian, Brain, New Zealand)

1030  The networking perspective
      Mark Gibbs, Manager, Corporate marketing, Novell Inc
      Network virus propagation. Management and technical measures to
      prevent propagation.

1150  The legal position,
      Jeffrey Chapman, consultant to the Law commission
      Existing and proposed legislation. Actions to recoup damages.

1400  Keeping out the virus - The US experience
      Ross Greenberg, owner software concepts design
      Management procedures and software used in prevention of viruses

1505  How paranoid do you want to be?
      Alan Solomon, Chairman IBM PC user group.
      Personal perspective on virus control, including emphasis on an
      organisation's awareness of the dangers. Supportive case studies.

1600  Virus forum

The conference package includes distribution of disks with anti-viral
software. The price is 235 pounds + vat.

Enquiries to:

Jenny Mann, Quadrilect, 46 Gray's Inn Road, London WC1X 8PP
Telephone 01-242-4141
Fax 01-404-0258

The conference seems from their program to be aimed primarily at business
and corporate users, with limited experience of systems programming or
virus prevention. If I can afford to attend (!)
I will be writing a review for comp.virus of the conference, and of the
available protective software.

- -------------------------------------------------------------------------
Dave Ferbrache                 Internet
Dept of computer science       Janet
Heriot-Watt University         UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                 Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom      Facsimile  +44 31-220-4277
EH1 2HJ                        BIX        dferbrache
- -------------------------------------------------------------------------

------------------------------

Date: Tue, 25-Apr-89 15:14:25 PDT
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Yale and 1701/1704 virus, and Sentry (PC)

There seems to be some confusion about whether the Alameda/Yale virus can
infect ATs or other 286 systems. I worked on the original Alameda College
infection and the virus at that time was unable to work on any 286 system.
The reason is that it contained an invalid 286 instruction (POP CS), which
is not a legal op code. A 286 will normally hang up if this op code is in
the executable file. Two months after the Alameda infection, though, a new
strain showed up that was able to infect 286 systems, using a different
relocation technique. This newer strain is identical in every respect to
the original strain, with this single exception.

Also, there seemed to be some confusion about the difference between the
1701 and 1704 viruses. Mr. David Chess stated that the 1704 virus could
not successfully avoid infecting IBM systems, and that he had tested that
aspect himself. If that is the case, then he has tested the 1701 virus,
not the 1704 virus. The 1701 is the precursor to the 1704. It had a bug in
the BIOS check routine, and infected IBM systems anyway. The 1704 is three
bytes longer and has been verified by dozens of sites to successfully avoid
infecting IBM systems. Mr. Goodwin's decompilations of the two viruses
point out these differences.

Finally, I would like to comment on Mr. David Bader's remarks about the
Sentry program.
I have been using various versions of Sentry for almost a year and I
couldn't ask for better protection. It's clear that Mr. Bader has had
limited exposure to live viruses. Anyone who has worked with a broad range
of viruses could not arrive at the conclusions he stated.

------------------------------

Date: Tue, 25 Apr 89 20:28:06 -0400
From: Joe Sieczkowski
Subject: Re: Using Checkfunctions For Virus Detection (General Interest)

A friend of mine saw dmg@mwunix.mitre.org's message on the above subject
and had the following comment in response to it. I thought it was
appropriate for the list.

>His checksum might be harder to fake, but it is not necessary to be able
>to reverse the encryption to fake a checksum. Only the algorithm for
>the forward encryption is needed, and that can be pulled from the
>program that does the checking. If f is the checksum and g is the
>encryption, all he has done is create a new function s(x) = f(g(x))
>which is just another signature function. If f was more than just
>a CRC polynomial, g might not really make any difference, and if
>f is a CRC, then some choices of g could make the combination easier
>to break.
>                                             WB

Joe

------------------------------

Date: Wed Apr 26 12:49:15 1989
From: utoday!greenber@uunet.uu.net
Subject: more on Flu_Shot+ availability (PC)

Hey folks! I guess I forgot to mention that I have to get those requests
for the freebie FLU_SHOT's in writing! I know it sounds horrid and all
that, but my fulfillment stuff requires paper copies (boo! hiss! old
technology!)

Here's my paper address again for those of you who need it:

Ross M. Greenberg
Software Concepts Design
594 Third Avenue
New York, New York 10016

Thanks!

Ross

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
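
The s(x) = f(g(x)) argument quoted in the "Using Checkfunctions For Virus Detection" message above can be checked directly. This is an added example, not code from the digest or its posters: it assumes g is a repeating-key XOR and f is CRC-32, and shows the composite keeps the CRC's affine structure, while an HMAC (a contrast added here, not mentioned in the post) does not.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"  # constructed; stands in for the secret inside g


def g(data: bytes) -> bytes:
    """Assumed forward 'encryption': XOR with a repeating key."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def f(data: bytes) -> int:
    """The checksum from the post: a plain CRC (CRC-32 here)."""
    return zlib.crc32(data)


def s(data: bytes) -> int:
    """Composite signature s(x) = f(g(x))."""
    return f(g(data))


def mac(data: bytes) -> bytes:
    """Keyed cryptographic alternative: HMAC-SHA256 under the same key."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def affine_relation_holds(sig, combine, a, b, c) -> bool:
    """True if sig(a^b^c) follows from sig(a), sig(b), sig(c) alone."""
    return sig(xor3(a, b, c)) == combine(sig(a), sig(b), sig(c))


# Constructed equal-length sample inputs (32 bytes each).
SAMPLES = [n.ljust(32, b".") for n in
           (b"COMMAND.COM image", b"FORMAT.COM image", b"CHKDSK.COM image")]


def crc_composite_is_affine() -> bool:
    # The three copies of the key cancel to one, so g changes nothing.
    return affine_relation_holds(s, lambda x, y, z: x ^ y ^ z, *SAMPLES)


def hmac_is_affine() -> bool:
    return affine_relation_holds(mac, xor3, *SAMPLES)
```

For an integrity checker, the takeaway is that wrapping a CRC in a fixed transformation does not make the signature unpredictable; a keyed MAC whose key is not stored with the checking program does.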