Return-Path: Received: from csmes.ncsl.nist.gov ([129.6.54.2]) by first.org (4.1/NIST) id AA10334; Tue, 27 Oct 92 12:09:39 EST Posted-Date: Tue, 27 Oct 1992 11:47:03 -0500 Received-Date: Tue, 27 Oct 92 12:09:39 EST Errors-To: krvw@cert.org Received: from Fidoii.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm)) id AA02527; Tue, 27 Oct 92 12:04:27 EST Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA26094 (5.65c/IDA-1.4.4); Tue, 27 Oct 1992 11:47:03 -0500 Date: Tue, 27 Oct 1992 11:47:03 -0500 Message-Id: <9210271550.AA18013@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V5 #168 Status: R VIRUS-L Digest Tuesday, 27 Oct 1992 Volume 5 : Issue 168 Today's Topics: Re: SCAN 95b doesn't find MtE in EXE files (PC) cascade virus info wanted. (PC) Key Press Virus & scan97 again (PC) Problem cleaning Form (PC) Virus and CMOS (PC) Terminator 2 and Gobler (PC) SCAN 95b doesn't find MtE in EXE files (PC) VirusCURE 2.37 (PC) V-Sign virus struck again!!!!!!!!!! (PC) author of TBScan (PC) Michelangelo & Vshield97? (PC) Re: FDISK /MBR and Boot Sector Viruses (PC) Re: SCAN 95b doesn't find MtE in EXE files (PC) Re: FDISK /MBR and Boot Sector Viruses (PC) Re: KEY Press virus & McAfee v97 (PC) PC Medic question (PC) Re: FORM on an OS/2 system (OS/2) WSCANV97 will not work in OS/2 (OS/2) Re: DOK-V 1.00 Alpha-A test engine ready to FTP. Landmark legal ruling on software copyright Scores virus (CVP) Call for Papers - The Third International Virus Bulletin Conference VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: 22 Oct 92 11:20:21 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > Right now one of our students is testing version 97. The test is still > running, but what can be seen is that at least SOME of the infected > EXE files ARE detected. What can be also seen is that at least SOME of > the infected files (the spotted ones were COM files, but I don't have > the final results yet), are NOT detected. So, my warning remains: > don't rely on SCAN for 100% detection of the MtE-based viruses. Follow-up: The tests were performed by Matias Jaenichen, using SCAN 97 downloaded from oak.oakland.edu. The following viruses were used during the test: - Questo (1994 COM files) - CoffeeShop (2000 EXE files) - CryptLab (2000 COM files) - Dedicated (2000 COM files) - Fear (2000 COM files) - Pogue (2000 COM files) - Groove (2000 COM and 2000 EXE files) Of the above viruses, CoffeeShop infects only EXE files, Groove infects both, the others infect only COM files - this explains the selection of infected samples. When infecting an EXE file, Groove damages it with a probability of 1/512. Four of our samples turned out to be indeed damaged. Currently only F-Prot is able to detect that a file is damaged in this way. During the tests, SCAN missed 319 samples, but since 2 of them turned out to be damaged, I am not counting them. Therefore, SCAN missed 317 samples. More exactly, it missed: - 142 samples of Questo - 13 samples of CoffeeShop - 3 samples of CryptLab - 1 sample of Dedicated - 1 sample of Fear - 5 samples of Pogue - 154 samples of Groove (145 EXE files, 2 damaged EXE files, 7 COM files) As you can see from the above, SCAN missed at least one infected sample of EACH of the viruses. Therefore, the conclusion is that it is UNABLE TO DETECT RELIABLY -ANY- OF THE MtE-BASED VIRUSES. The missed samples occur relatively often - a set of 2,000 files is not very large and is what the average user normally has on his/her disk. (Just for comparison - I have ~15,000 files on my hard disk.) Therefore, in a case of a serious infection (when the virus has infected most files on the disk), SCAN 97 is likely to miss at least one of the infected files, which is likely to cause re-infection. Oh, BTW, all samples mentioned above were not modified in any way - they contained the original, live virus (not modified or deactivated), and were created in the normal way - we just let the virus infect. I am currently trying to help McAfee Associates to fix the problem. Let's hope that a future version will at least achieve reliable detection. I'll perform similar tests with other programs that claim to detect the MtE-based viruses and will post the results soon. Meanwhile, both F-Prot 2.05 and FindVirus 6.01 (drivers from 24 September 1992) were able to detect ALL of the infected samples. Of course, this does not prove that they are able to detect every possible MtE mutant - it only shows that we were unable to find any MtE mutant that was not detected by these two scanners. (FindVirus is from Dr. Solomon's Anti-Virus ToolKit and is commercial. F-Prot is shareware, available from most ftp sites, including ours.) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 23 Oct 92 01:41:39 +0000 >From: L.Brown@itc.gu.edu.au (Lachlan Brown) Subject: cascade virus info wanted. (PC) Hi, Could some one tell me if the cascade virus, infects boot sectors or files. I've just found out the company I used to work with is suffering from a minor plage (pitty they didn't let me set up anti-virus software :-). Lachlan Brown. ------------------------------ Date: Fri, 23 Oct 92 03:48:04 +0000 >From: 10666281@eng2.eng.monash.edu.au (KEVIN PRATER) Subject: Key Press Virus & scan97 again (PC) Well I solved my last problem by obtaining clean97. I also installed Vshield97 to stop the problem happening again. BUT..... My hard disk was cleaned with the last key press going with whereis.exe as clean could not remove it. Two days later I used norton disk doctor V5 to have vsheild cut in and say that the file was infected and could not run it. So I powered down, rebooted and removed the virus. Scan 97 says there is no viruses present, but whenever I run disk doctor key virus shows up. so this Key Press virus is hiding in an exe file and scan 97 doesn't find it clean 97 doesn't clean it and vshield only finds it when the exe is run. And it's not a false alarm as if I run any other program after the exe, it also gets infected but scan97 does find and remove this. It almost seems that the virus is dorment and hidden in disk doctor and is activated on running the exe. So the virus remains present and is still there. One way to remove it would be to remove the file, but this seems to be a different key press virus to any I've seen. Has anyone had a similar virus? why wil clean and scan not find it while vsheild detects when you run the exe? Can anyone shead some light on this key press virus? thanks Kevin Prater DownUnderInOz ------------------------------ Date: Fri, 23 Oct 92 15:03:13 +0000 >From: bhwhelan@unix2.tcd.ie (Blake) Subject: Problem cleaning Form (PC) I have a slight problem concerning cleaning the form virus from my hard disk and I was wondering if anyone out there could help. I have F-prot and McAfee v97 and both detect the virus on the disk, however neither can remove it because they cannot find the old boot sector. I have DR Dos 6 and have installed SuperStor disk stacker (I suspect after the virus infected the disk),but I presume the boot sector and remainder of the virus program must be somewhere. Can anyone help? How the hell to I get rid of it without having to backup and format the disk???????? B. P.S. Please e-mail any responses. Thanks. ------------------------------ Date: Fri, 23 Oct 92 15:09:53 +0000 >From: kwon@imada.ou.dk (Joergen Hjort) Subject: Virus and CMOS (PC) Recently, my CMOS-settings was suddenly reset, and it happen to a friend of minetoo the other day. Can it be a virus? Is there any virus, that clears the CMOS settings, and what are their names. P.S. I`ve been scanning the harddisk with NAV20 and CPAV, but without any results. [Moderator's note: You did test the CMOS battery, didn't you? That is a common cause of lost CMOS settings.] Thanks.... - -- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Joergen Hjort Phone : +45 65 90 62 16 (24 Hours) Odense University, Denmark email : kwon@imada.ou.dk ------------------------------ Date: Thu, 22 Oct 92 10:06:00 -0000 >From: Victor_Smith@f2.n310.z9.virnet.bad.se (Victor Smith) Subject: Terminator 2 and Gobler (PC) > Hi Hello Robert, > Now, none of the virus stuff that either myself or a > friend working > for British Gas (where the student claims he got the > virus) has a > record of this virus. They all mention Terminator, but > not Terminator > 2. > Does anyone have any knowledge of either this virus, > or of the > validity of the report? Both myself and my friend > would be most > interested as between us we are responsible for the > virus-free state > of almost 1500 PCs. I can validate that report, as it was my work :-) The name Terminator-II i decided to give to that virus, because none of known me A-V program could recognize it. But there is already several "Terminator" viruses with different sizes : Terminator.526, Terminator.918, Terminator.1501. All of them have nothing to do with new virus, and therefore( by the way, there is a string inside virus code "TERMINATOR") i decided to name it Terminator-II. All technical specification have been mentioned in my report, if you would like i can repost it, or you can pick it on my board, or i can send it by fax to you. Regards VS - --- FMail 0.90 * Origin: Virus Rescue, Lelystad, The Netherlands (9:310/2) ------------------------------ Date: Thu, 22 Oct 92 10:22:01 -0000 >From: Victor_Smith@f2.n310.z9.virnet.bad.se (Victor Smith) Subject: SCAN 95b doesn't find MtE in EXE files (PC) > program CatchMtE. This program detects MtE-based > viruses ONLY and is > freeware. If you need a scanner that is able to detect > other viruses > too, try F-Prot (shareware, free for individual use). > Version 2.05 > (might not be the latest) was able to detect ALL MtE- > infected samples > in our tests. Hello Vesselin, I'm sorry for long silence, had a lot of work to do, but i will send you new Mte-related stuff as soon as possible. Let me disagree with you, neither CatchMte nor Vdsfscan nor F-PROT 2.05 could get 100% hit rate in MtE detection in my test :-(. Also i was confused when occasionally tested AVTK 6.0 on MtE "tester", it also skipped some samples, but still i beleive that it's not a fault of algorithm, but just a minor bug in i/o system of AVTK. keep in touch Regards, VS - --- FMail 0.90 * Origin: Virus Rescue, Lelystad, The Netherlands (9:310/2) ------------------------------ Date: Sun, 25 Oct 92 09:19:00 -0600 >From: c_w@lawton.lonestar.org (Carl Wilson) Subject: VirusCURE 2.37 (PC) I just purchased VirusCURE PLUS ver 2.37 severial days ago. Is this considered a good virus detect/cure package? I just started a BBS here about a week ago, and severial of the other boards have been trashed by ANSI bombs and the like. I need some real security! - --- DOMAIN: c_w@lawton.lonestar.org (Carl Wilson) UUCP: ...!rwsys!lawton!c_w (Carl Wilson) Good News II BBS Lawton, OK USA +1 (405) 357-0478 ------------------------------ Date: Mon, 26 Oct 92 08:30:00 -0600 >From: VXC15931@VAX1.Mankato.MSUS.EDU Subject: V-Sign virus struck again!!!!!!!!!! (PC) At this moment, my PC is also infected with V-sign. I tried to use F-Prot 2-05a to remove the infection but all I'm getting is this message: Master Boot Sector Infection: V-Sign !! This version of F-Prot cannot remove the virus! Well, it is not verbatim but that is the gist of the message. I tried selecting either "Automatic Disinfection" or "Automatic Deletion" but not one of them works. When I check F-Prot Virus-Information, V-Sign is not listed in there. To anyone out there: if you know a way to help me rid of this virus, please, please tell me! I have $30,000 worth of PCAD, PSPICE and other software packages in my PS/2, 386 computer, and I am in no mood to do a low level format. Also, should anyone of you know how to add a V-Sign signature to F-Prot 2.05a, please tell me how. - Jose' R.C. Cruz Engineering Physics Graduate Student Department of Physics, Engineering and Technology Mankato State University Mankato, MN 56001 Postscript: I will be checking this newsgroup for any advice you people may have. Again, I appreciate it a lot if you could help me. ------------------------------ Date: Mon, 26 Oct 92 15:37:38 +0000 >From: u906271@bruny.cc.utas.edu.au (Chewing Gunn) Subject: author of TBScan (PC) I'm looking for the author of TBScan as I've some question to ask. Could anyone with his address please email it to me? Thanks in advance. Chris - -- Chris Chew Hong Gunn | A Signature? B.Sc, B.E (Third Year) | I'll have to think about it... University of Tasmania | Email: u906271@postoffice.utas.edu.au Australia | u906271@bruny.cc.utas.edu.au ------------------------------ Date: Mon, 26 Oct 92 20:00:12 +0000 >From: cons067@titan.ucc.umass.edu (Andre Comeau) Subject: Michelangelo & Vshield97? (PC) Hello, I am a consultant at UMass Amherst, We currently run Vshield 97 upon boot-up on all of our PC's - 286's. We frequently have students come in with a disk infected with STONED, and we are always able to use CLEAN, to remove the virus. Recently, we've had a two students arrive with Michelangelo on their diskettes - On two separate days. Well, when I tried using CLEAN [Mich], I was given an error message, saying that the diskette was bad. I tried taking a DIR of the disk, and it says Bad disk -- or somthing like that. I can't even format the diskette. I thought it was wierd the first time, but it has happened twice now. BTW, they are 360k drives and diskettes. Does Vshield set some kind of flag on the diskette, making it unreadable? Is something wrong with Michelangelo? Any answers would be greatly appreciated. You can post them here -- as I'm always reading this group, or email me at cons067@titan.ucc.umass.edu Thank you in advance, Andre' ---> cons067@titan.ucc.umass.edu ------------------------------ Date: 26 Oct 92 22:25:14 +0000 >From: frisk@complex.is (Fridrik Skulason) Subject: Re: FDISK /MBR and Boot Sector Viruses (PC) gscobie@castle.edinburgh.ac.uk (G J Scobie) writes: >Is there a list of which boot sector viruses can be disinfected from a >hard disk using FDISK /MBR? >Will FDISK /MBR work for them all or are there any interesting "gotchas" >using this method? Well, there is one potential problem. FDISK /MBR does not touch the partition table itself (bytes 1be-1ff in the MBR). Of course, as most boot sector viruses don't touch that table either, they can easily be removed. The problems start when the virus 1) Modifies only the partition table - for example to create a new partition, and making it the loadable one. or 2) Overwrites the entire MBR and uses "stealth" methods to make the original MBR visible to other programs. If you run FDISK/MBR with the virus active, it may not have any effect, as the virus could intercept the write operation. If you run it after booting from a "clean" diskette, most of the virus body will be overwritten, but the table information may not be valid. Fortunately none of the common MBR infectors belongs to either of those categories. - -frisk ------------------------------ Date: 26 Oct 92 22:41:23 +0000 >From: frisk@complex.is (Fridrik Skulason) Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC) mcafee@netcom.com (McAfee Associates) writes: >In any case, I would strongly suggest that you complete your research in >the future before posting incomplete results. Well, I am sure Vesselin will have something to say in reply to this [and he has probably already posted a reply :-)], but the fact is that the version of SCAN actually available to users at the time of testing did not detect the MtE viruses perfectly, whereas other products did. Normally this would not bother me - no anti-virus program is ever 100% up-to-date anyhow. However, what annoys me (no, make that "What upsets me considerably") is a piece of advertising - from the UK, I think, claiming SCAN to be in effect the "best and only" MtE-detector, when this is simply not true. - -frisk ------------------------------ Date: Mon, 26 Oct 92 16:37:16 -0700 >From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Re: FDISK /MBR and Boot Sector Viruses (PC) gscobie@castle.edinburgh.ac.uk (G J Scobie) writes: >Is there a list of which boot sector viruses can be disinfected from a >hard disk using FDISK /MBR? It will only work on those MBR viruses that leave the partition table data in place: stoned, michelangelo, Bloody!, and a host of others. It will not work on those that either move the partition table data (eg: Empire D) or encode the table data (eg: Monkey, but it moves the table too.) The key* is to realize what FDISK /MBR does: it plops the correct MBR code into place in sector 1, keeping whatever is at offsets 1BEh - 1FDh (1FFh?). If the correct table is found there, then things work fine. But if what is found there is a snippet of the (now dead) virus, the MBR code won't find a valid partition table, and the bootup will crash. One thing FDISK /MBR has over Norton's NDD (besides being a part of DOS) is that it zeroes out the bytes between the last error statements of the code and the first byte of the table, thereby solving the "ghosting" problem common to MBRs fixed with NDD, where a (dead) snippet of the virus left in that area will happen to contain the strings searched for by common scanners. >Will FDISK /MBR work for them all or are there any interesting "gotchas" >using this method? One obvious one, that always needs repeating, nonetheless: if the MBR virus is a stealth virus (eg: most of the Empire family) then FDISK /MBR won't work if you booted from the (infected) hard disk, since the virus won't let FDISK write to sector 1. Tim. *Note: all Padgett's students, repeat with me: "If you understand the system, the rest is obvious." :) ------------------------------------------------------------- Tim Martin * Spatial Information Systems * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: Tue, 27 Oct 92 06:36:32 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: KEY Press virus & McAfee v97 (PC) Hello Chan, 739chan1@gw.wmich.edu (LEMMING) writes: <...Kevin Prater's message deleted for brevity...> > I am also getting some discrepencies about the Keypress virus. >Running Scan97 on a sample of the virus, it reported that the file was >infected 3 times. (i.e. The message "Found Keypress Virus..." appeared >3 times.) This was reported again on a variant as well as some other I've not heard of this happening before, which would lead me to believe you have either a damaged host file or a variant of the virus. However, without actually having an infected file to look at, all I can do at this point is speculate. Regards, Aryeh Goretsky McAfee Associates Technical Support >files I tested with the same virus. I know that the files have been >infected only once. Sorry, didn't see this part--how do you know the files have been infected only once? AG - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | mcafee@netcom.COM Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR ------------------------------ Date: Tue, 27 Oct 92 03:21:21 -0500 >From: Pua_Yeow_Cheong.xssc@rxsgp.xerox.com Subject: PC Medic question (PC) Hi My colleague has an urgent question: "Have you heard about the anti-virus software PC Medic by Pure Technology ? Pure Technology claims that PC Medic can protect against ALL (!!!) current and future viruses because it uses a new technology - - not signature scanning or CRC. I'd be glad to know anything about the software, the company that distributes it (Singapore), and any experience with its use or techniques. Thanks !" Thank you very much. PS: I am quite new to this list so if this question has been discussed before, please tell me which arhive files are they in. I am sorry I don't have time to go through all the archives right now. ------------------------------ Date: Thu, 22 Oct 92 09:29:27 -0400 >From: "David M. Chess" Subject: Re: FORM on an OS/2 system (OS/2) > From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >And don't forget to re-install OS/2, so that it re-creates a new >BOOT.DOS, with a copy of the (now) clean boot sector. He doesn't need to re-install OS/2, I don't think. Just issuing "BOOT OS2" from the DOS session after the hard disk is clean should re-create the BOOT.DOS file from the (now-clean) boot sector. DC ------------------------------ Date: Fri, 23 Oct 92 08:30:22 +0000 >From: nkolte@daimi.aau.dk (Nikolaj Kolte) Subject: WSCANV97 will not work in OS/2 (OS/2) I recently got the McFee Scanv97 for Windows. I'm running OS/2, but when I want to run WSCAN I get the message that I cann't run the program in a WINOS2 session..... Any sugestions... Nikolaj PS sorry I'm posting this article in the wrong group, but I thought that I might reach someone using WSCAN97 on OS/2 ------------------------------ Date: 26 Oct 92 22:11:49 +0000 >From: frisk@complex.is (Fridrik Skulason) Subject: Re: DOK-V 1.00 Alpha-A test engine ready to FTP. chess@watson.ibm.com (David M. Chess) writes: >review via FTP. As long as your copyright notice says that you've >reserved all rights to yourself, no one who works for a company that >has lawyers is going to be able to make a copy of it Please note which company David works for :-) :-) - -frisk ------------------------------ Date: Thu, 22 Oct 92 16:57:11 -0400 >From: Dennis Clouse Subject: Landmark legal ruling on software copyright published today (10/22/92) in the San Francisco Examiner is the following legal decision on disassembly of software (subject line is title of article): - -----------------------(cut here)--------------------------------------- "In the first binding ruling on the application of copyright law to a common process called reverse engineering, a federal appeals court said video game maker Accolade Inc. of San Jose could copy a video game system's code copyrighted by Redwood City-based Sega Enterprises Ltd. in order to design games for the Sega console. Reverse engineering is the parctice of taking apart a product to see how it works, and using the knowledge to design one's own product. During the process, Accolade made a copy of Sega's encoded computer program, designed to exclude unlicensed game makers, in order to translate the information and extract the key to the code. The Ninth Circuit Court of Appeal in San Francisco said the copying did not violate Sega's federally protected copyright on it's software package. The court said Sega's exclusive rights over it's own programs did not entitle it to prohibit another company from learning how the Sega system worked and designing games that would fit it, as long as those games did not copy Sega games." - --------------------------------(cut here)--------------------- - ------------------------------------------------------------------------------- DENNIS E. CLOUSE OFFICE OF THE PRESIDENT UNIVERSITY OF CALIFORNIA PHONE:510-987-0467 ISCDEC@UCCVMA.UCOP.EDU ISCDEC@UCCVMA.BITNET - ------------------------------------------------------------------------------- ------------------------------ Date: Fri, 23 Oct 92 13:28:15 -0700 >From: rslade@sfu.ca Subject: Scores virus (CVP) HISVIRF.CVP 921016 Scores virus The "Scores" Mac virus is very interesting for a number of reasons. I would, however, like to concentrate on two. Scores is the first virus which has a definite company and application as a target, and of Mac viral programs, it definitely has the most interesting programming. I haven't kept the very earliest reports of the Scores virus, but I believe it was detected very early in 1988, if not in late 1987. It baffled researchers, however, since, aside from reproducing, it did not seem to carry any payload. It was not until disassemblies and studies of the actual code were done that it was found to be looking for Mac "resources" identified as VULT or ERIC. At the time, no such applications were known to the general public. (The first detailed account of the virus, including instructions for disinfecting a system, was posted by John Norstad. It is interesting, going back over it, to see that at first he decided not to write a disinfection program for it, since two others had already been produced. However, his reviews of the then current disinfection programs turned up serious shortcomings in them. This may have reawakened his interest in producing the now widely acclaimed Disinfectant.) It wasn't until May of 1988 that EDS of Dallas finally spoke up. ERIC and VULT were identifiers of resources that were internal to the company. The company never did say whether the resources were associated with a strictly internal utility, or if they had been part of a project which never got released, at least not in that form. Whether utility or ill-fated application, it is clear that the Scores virus was "aimed" at EDS. It may be that the virus was supposed to spread "into" the company, and then interfere with vital internal applications. Or, it may be that the virus was simply supposed to lie in wait until a certain application was released for general use. Infected Macs would "misbehave", leading to complaints, bug reports, or a bad name for the company generally. One of the early copies of Scores studied was recovered from the NASA HQ in Washington. This led to reports of the "NASA" virus. Indeed, as late as 1991 I still saw reports in major IS trade papers of how NASA had recently been devastated by the Scores virus as it swept through, trashing hard disks and so forth. (For those who do not know, I take this to be error on the part of the journals.) In July of 1988, a Texas man was charged with computer related sabotage and burglary, and it was reported, in error, that he was the author of Scores. In December of 1988, Apple sources were saying that they knew who the author was, and the matter was int he hands of the lawyers. In December of 1990, it was reported that the Dallas prosecutors office would be proceeding with charges, and reports of damage were being solicited. This was the last message relating to the trial that I ever saw. copyright Robert M. Slade, 1992 HISVIRF.CVP 921016 ============== ______________________ Vancouver ROBERTS@decus.ca | | /\ | | swiped Institute for Robert_Slade@sfu.ca | | __ | | __ | | from Research into rslade@cue.bc.ca | | \ \ / / | | Mike User p1@CyberStore.ca | | /________\ | | Church Security Canada V7K 2G6 |____|_____][_____|____| @sfu.ca ------------------------------ Date: Thu, 22 Oct 92 17:44:12 +0100 >From: oxcompl@vax.ox.ac.uk Subject: Call for Papers - The Third International Virus Bulletin Conference Amsterdam, 9th-10th September 1993 Call for Papers The International Virus Bulletin Conference is the largest and most prestigious annual event to address the computer virus threat in Europe. The 1992 conference, held in Edinburgh, attracted over 200 delegates and 23 speakers, from more than 20 countries. Abstracts of between 200 and 500 words outlining prospective papers for presentation at next year's Virus Bulletin conference are duly invited from all parties engaged in any capacity in combating the computer virus threat. Papers will be selected for their originality and appeal to a diverse audience comprising corporate computer security staff, PC support specialists, hardware and software developers, government, military, public sector and corporate IT managers, researchers and others engaged in devising technical and procedural countermeasures. Papers covering the following topics are particularly welcome: * Case studies of genuine virus outbreaks. * Post-attack recovery: tools, techniques and lessons learned. * Evaluation methods and protocols for testing anti-virus software. * Running a virus help desk. * Protecting file servers. * Dealing with viruses in compressed software. * What should be in a virus hunter's toolkit? The conference will be held in two streams: stream one will address the management of the virus threat, while stream two will concentrate on technical developments. Abstracts should be completed by December 1st 1993 and should be sent to the Editor, Virus Bulletin, 21 The Quadrant, Abingdon Science Park, Abingdon, Oxon OX14 3YS, UK. Fax +44 (0)235 559935. ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 168] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253