VIRUS-L Digest   Tuesday, 25 Feb 1992    Volume 5 : Issue 41

Today's Topics:

Will Write Protection Prevent Virus Infection? (PC)
Re: Help: 1193 virus? (PC)
Re: F-prot and non-executable files (PC)
Re: Michelangelo's handicaps. (PC)
Re: Michelangelo hits Sandia from a vendor (PC)
Re: Conflicting Software & Odd Behaviour (PC)
Re: Michelangelo on ARTEC AM25 3 button mouse driver disk (PC)
Re: Michelangelo Virus in Florida too! (PC)
vdefend from PC-Tools 7.1 and Mcaffee clean (PC)
Solution to DOS 2.11/F-Prot problem (PC)
Re: AUX files (PC)
F-PROT 2.02D & Novell (PC)
Re: looking for... (PC)
Re: Boot Sector Virus Infections (In General) (PC)
Surviving warm reboot (PC)
Re: WDEF infection at a school (Mac)
Non dectable Virus (Amiga)
viruses in general-=help

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions with
your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    22 Feb 92 13:45:22 +0000
From:    gt1280b@prism.gatech.edu (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR)
Subject: Will Write Protection Prevent Virus Infection? (PC)

I have a simple question:

If I set the attributes of all the executables, overlays, and COM files
in my hard drive to be read-only, will this reduce the chances of
getting virus infection?
I understand that viruses usually get transmitted by modifying these
files. And since these files are rarely required to be read-write,
(maybe during the installation only) I do not think that the
applications would mind setting the attributes to read-only.

========================
Hesham Elgharib

------------------------------

Date:    Sat, 22 Feb 92 14:09:18 -0400
From:    calhoun@ihost.isnet.com (Warren D. Calhoun)
Subject: Re: Help: 1193 virus? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>The name was changed to Copyright, because (1) a numeric name must be
>avoided - it is difficult to remember and closely related virus
>variants (i.e., viruses in the same family) can have different
>infective length, and (2) because the virus contains the strings:
> "(C)1987 American Megatrends Inc.286-BIOS"
> "(C)1989 American Megatrends Inc."
> "(c)COPYRIGHT 1984, 1987 Award Software Inc."
> "ALL RIGHTS RESERVED"
>An alternative was to call it "Award", or "Megatrends", but it's our
>policy to never name a virus after a company or product.

Thanks. I was sure there was a logical reason, but I had not heard it.
I think the policy of not naming a virus in such a way as to include a
company or product name is a very good one. (I suppose it could have
been called the 'ALL RIGHTS RESERVED' virus, but that would be silly :-)

>Sorry to disappoint you, but CLEAN 86-B does not remove this virus.

After my previous post, I was able to check a copy of clean 86b and, of
course, you are right. I was hopeful that it would be capable of
removing the virus, but it is not. I think I had seen something that
indicated it might, but now I don't remember. Oh well, maybe sometime
soon.

Anyway, thanks for the clarifications...

- --
| Warren D. "Cal" Calhoun                                                |
| Information Systems Network (Host) | CIS: 76336.2212@compuserve.com    |
| Phone: DSN: 354-3396/3595          | UUCP: mimsy!ihost!calhoun         |
|        COM: (703) 664-3396/3595    | Internet: calhoun@ihost.isnet.com |

------------------------------

Date:    Sat, 22 Feb 92 21:49:47 +0200
From:    Tapio Keihänen
Subject: Re: F-prot and non-executable files (PC)

>We were using F-prot here and we noticed that it doesn't scan non
>executable files. This raises the question, can a virus hide in a
>text file, and then transfer itself elsewhere?

No, virus can't use text files or any other non-executable files for
spreading. Virus needs to be executed and since text files can't be
executed, virus can't spread via them. There are some viruses which
infect data files, but those infected data files can't spread the virus
any further. For example, Cinderella and 4096 viruses do this, because
of the way they check the file extensions.

(BTW, this should be on the FAQ list...)

- --
Tapio Keihänen  |  Mesiheinänkatu 2 B 6  |  33340 Tampere  |  Finland
- ------------------========tapio@nic.funet.fi========---------------
"You've got some stairs to heaven, you may be right
 I only know in my world, I hate the light
 I speed at night!" -R.J. Dio, 1984-

------------------------------

Date:    Sat, 22 Feb 92 22:23:27 +0200
From:    Tapio Keihänen
Subject: Re: Michelangelo's handicaps. (PC)

>Bug 2:
>I have been unable to infect 3.5" floppy disks (720's as well as
>1.44's) other than by simply copying a 5.25" image over a 3.5" floppy.
>This might lead to the conclusion that only systems with a 5.25" A:
>drive can be infected.

I haven't looked at the date check routine in Michelangelo, so I'll
comment only this. Just like Stoned, Michelangelo infects only diskettes
in A: drive. If the virus was introduced to hard disk from 5.25" floppy
(A:) and then A: drive was changed to 3.5" floppy, Michelangelo will
infect 3.5" floppies then just normally.
- --
Tapio Keihänen  |  Mesiheinänkatu 2 B 6  |  33340 Tampere  |  Finland
- ------------------========tapio@nic.funet.fi========---------------
"You've got some stairs to heaven, you may be right
 I only know in my world, I hate the light
 I speed at night!" -R.J. Dio, 1984-

------------------------------

Date:    Sat, 22 Feb 92 17:53:20 -0700
From:    martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: Michelangelo hits Sandia from a vendor (PC)

dave%triton.unm.edu@lynx.unm.edu (Dave Grisham) writes:

>I received this mail after Sandia notified us of their infection.
>My comments are in [ ].
>grish
>- -----Begin forwarded letter---------------
>Date: Fri, 21 Feb 92 00:21:37 -0700
>From: Harold Iuzzolino
> We (a Sandia Labs division) received several new 486/33 IBM compatibles
>last week. Immediately after powering up one system, a virus checker
>(Central Point Anti Virus) was installed and run. CPAV found and removed the
>virus [Michelangelo]. The other new pc's were checked and the results were
>the same. The dealer was called, and he found the virus on his stock pc's.
>(The dealer has expressed annoyance at my mentioning his name so I am not
>going to mention any dealers' names.)

I think such dealers should be publicly derided, scorned, and if
possible sued. There is no excuse anymore.

>The virus came with the MS DOS 5.0 sent to the dealer. What can I say?

This should be pursued: it could explain Michelangelo's "commercial
success". Anyone want to bet someone somewhere is trying hard to cover
something up? Not necessarily in this case: don't call the slander
lawyers on me yet! But it is becoming increasingly obvious Michelangelo
got lucky in a big way, probably with some wholesale supplier of some
fundamental software, if not from the software house itself.

Tim.

 -------------------------------------------------------------
 Tim Martin                 *
 Soil Science               *     These opinions are my own:
 University of Alberta      *        My employer has none!
 martin@cs.ualberta.ca      *
 -------------------------------------------------------------

------------------------------

Date:    Sun, 23 Feb 92 10:56:52 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: Conflicting Software & Odd Behaviour (PC)

Hello Mr. Erixon-Stanford,

IRMSS907@SIVM.BITNET (Mignon Erixon-Stanford) writes:

> We recently purchased McAfee's WSCAN & CLEAN86B, with which I'm
>happy. One of our scientists had Central Point's VSAFE and BOOTSAFE
>programs (loading from his AUTOEXEC.BAT). Upon scanning with WSCAN, it
>reported finding Israeli Boot [Iboot] and Filler. We booted from a
>safe disk, ran CLEAN against Iboot and Filler, scanned again; no
>viruses were found.

VDefend, VSave, and VWatch, from Central Point Software (included in
their Central Point Anti Virus and PC Tools 7.1 packages) contain
several of the same virus signatures that are used by the VIRUSCAN
series. While this is not too uncommon--there are some viruses for
which there is only one reliable signature string--the Central Point
programs do not encrypt or otherwise cipher their search strings in
memory, causing VIRUSCAN (et al) to erroneously report a virus when it
comes across VDefend (and cousins) in memory.

> Then we booted from his autoexec.bat which loaded the Central Point
>programs; wscanned and it reported Iboot in memory. We changed the
>autoexec.bat so VSAFE & BOOTSAFE wouldn't load; wscanned; no viruses
>were found.

Since the CP programs weren't in memory at the time WSCAN was run, no
"viruses" were found in memory.

> Am I right in concluding that Central Point's memory resident
>software is erroneously recognized as a virus by McAfee's WSCAN?

Quite correct. Because of this problem, I would not recommend that you
use CPAV and SCAN together on the same system without removing CPAV and
then powering to clear memory prior to running SCAN.
Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
- - - -
McAfee Associates        | Voice (408) 988-3832 | mcafee@netcom.com (business)
1900 Wyatt Drive, Suite 8| FAX   (408) 970-9727 |
Santa Clara, California  | BBS   (408) 988-4004 |
95054-1229 USA           | v32bis(408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date:    23 Feb 92 20:09:21 +0000
From:    stella@remus.rutgers.edu (Ricky Suave Stella)
Subject: Re: Michelangelo on ARTEC AM25 3 button mouse driver disk (PC)

> Michelangelo on ARTEC AM25 3-button mouse driver disk.

It would be helpful to know the version of the driver disk.

BTW, does anybody know how to get an updated version of the driver?

- ------------------------------------------------------------------------------
Ricardo Stella                          stella@remus.rutgers.edu
RUCS US - CCF                           stella@elbereth.rutgers.edu
Owl's Roost Manager                     stella@zodiac.rutgers.edu
Hill 118 - (908)932-2491                Rutgers University, NJ
                                ...suave...
- ------------------------------------------------------------------------------

------------------------------

Date:    Mon, 24 Feb 92 06:32:21 +0000
From:    Jim.Baltaxe@vuw.ac.nz (Jim Baltaxe)
Subject: Re: Michelangelo Virus in Florida too! (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>Jim.Baltaxe@vuw.ac.nz (Jim Baltaxe) writes:
>
>> BTW After making the story available to the media on Friday, we
>> received something like 400 disks by today (Tuesday). In a country the
>> size of ours, that is an incredible response. Maybe somebody out there
>> is really listening.
>
>According to the University's telephone center, the VTC Hamburg
>received 3,000 phone calls for the last week. This happened after we
>told the media about the virus... :-)

Hey, I really don't want this to turn into a matter of look at how many
_I_ got... but...
the score for the kiwis is well over 2,000 (I lost count sometime after
1:30am :-)

Actually, I am rather proud that some people are trying to do something
to protect themselves; maybe the fact that the disks were free might
have had something to do with it.

- --
Jim Baltaxe - jim.baltaxe@vuw.ac.nz
Computing Services Centre - Victoria University of Wellington - New Zealand
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time is such a valuable commodity because they're not making it any more.

------------------------------

Date:    Mon, 24 Feb 92 09:49:35 +0000
From:    zeus@zeus3.sozialwissenschaften.uni-mannheim.de (Thomas Walter Neser)
Subject: vdefend from PC-Tools 7.1 and Mcaffee clean (PC)

Hello,

some time ago I detected with an old version of McAfee scan a Stoned
virus on a hard disk and cleaned it with McAfee's cleaner. Now the
newer versions from McAfee don't find the virus any more. When I
activate vdefend from pctools 7.1 it informs me that there is a Stoned
virus. f-prot202 says it's suspicious, maybe a new form of Stoned, but
won't disinfect it. Since I don't have the virus removal from Central
Point I would ask if clean only partially erases the Stoned to disable
it and if it's possible that vdefend and scan look for a different part
on the Stoned virus to detect it. virx20 doesn't find anything at all
and maybe this is just a marketing gag.

Sincerely

Please write to me directly cause I normally don't read this list.

- ---
Thomas Neser, Zeus im MZES, Universitaet Mannheim,
Steubenstr. 46, D-W-6800 Mannheim, Germany
BITNET: m75 at dhdurz1
INTERNET: fs21@rummelplatz.uni-mannheim.de
UUCP: unima!fs21
X400: C=de; A=dbp ; P=uni-mannheim; OU=rz; OU=munix; S=neser;
FAX: +49-621-292-8435
TEL.: +49-621-292-8473

------------------------------

Date:    Mon, 24 Feb 92 10:02:52 -0500
From:    Lynne Meeks
Subject: Solution to DOS 2.11/F-Prot problem (PC)

Thanks to Mickey Waxman, who provided the solution to this problem.
I'm posting the solution to virus-l for any other DOS 2.1 users out
there.
========================================================================
> ... your troubles stem from trying to run Fprot from floppy disk.
> The cure: copy all files from floppy to harddisk and run from the harddisk.

Sure enough, copying the F-Prot files to the hard drive and then
running F-Prot works! This is a fine solution- it ought to be on the
hard drive anyway.

> Uh, oh! You do have a harddisk, don't you?

If someone does not have a hard drive it's really not a problem- scan
the boot disk on another machine and make sure it's clean, then write
protect the boot disk and ALWAYS boot from that disk. It's really
machines with hard drives that I'm more concerned about anyway.

> Definitely, Virstop.exe does not work on this Dos 2.1 system.
> No error message, but it does not announce it's loaded and it does not
> catch viruses. The solution is to Scan everything before you put it
> on harddisk --- no automaticity.

Again, this is something we can live with. I think everything ought to
be scanned anyway.

Thanks again Mickey!

Lynne Meeks (LZM@UVMVM.UVM.EDU)
238 Waterman Building
University Computing Services
University of Vermont, Burlington, VT 05405

------------------------------

Date:    24 Feb 92 15:14:31 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: AUX files (PC)

jaflrn!jaf@uunet.UU.NET (Jon Freivald) writes:

> Actually, I just figured something out... My command processor is 4DOS.
> If I execute command.com, I don't see these files. In case you haven't
> guessed, all of my systems use 4DOS, as do most of the systems at
> work...

I guess that this subject has been already beaten down to death, but
nevertheless, here is some more information.

In one of my previous postings, I said that the problem seems to be
fixed in DOS 5.0. Well, it isn't.
I am using NDOS 6.01 with MS-DOS 5.0 right now and was able to
reproduce the problem by using the command

	dir aux

The main difference between directory searches between COMMAND.COM and
NDOS (4DOS) is that the former uses FCBs, while the latter uses file
handles. Therefore:

The device drivers are visible as files, when you perform a file handle
FindFirst/FindNext (INT 21h/AH=4Eh, AH=4Fh) on a file name equal to the
name of the device driver (no wildcards).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 24 Feb 92 08:58:00 -0600
From:    MARK@iscsvax.uni.edu
Subject: F-PROT 2.02D & Novell (PC)

I have been having problems scanning Novell file servers with F-PROT
v2.02D. When I reach a system hidden file, my computer locks up. The
only way I have been able to successfully scan the server is to omit
.SYS files via the "User Specified" option. What am I doing wrong? By
the way, I am indicating that a "network" is to be scanned.

Thank you,

Marty Mark, University of Northern Iowa
mark@iscsvax.uni.edu
319-273-6258

------------------------------

Date:    Mon, 24 Feb 92 16:36:44 +0100
From:    Martin_blas Perez Pinilla
Subject: Re: looking for... (PC)

suned1!slced1.Nswses.Navy.Mil!lev@elroy.Jpl.Nasa.Gov (Lloyd E Vancil) writes:

> I'm trying to locate a program called PROTEC.COM. This program
> prohibits writes to the C: drive.

I have two or three of such programs and can send you if you wish, but
its utility is limited: some (many?) viruses can bypass the protection
and infect the hard disk.

Regards

M.B. Perez Pinilla          | mtppepim@lg.ehu.es | Write 10^6 times:
Departamento de Matematicas | "I'll never waste bandwidth"
Universidad del Pais Vasco  | SPAIN

------------------------------

Date:    24 Feb 92 15:26:43 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Boot Sector Virus Infections (In General) (PC)

austin@tecnet1.jcte.jcs.mil writes:

> I have some curiosity questions about the way "boot sector" viruses
> infect the "hard drive" and "the system (memory)", (or is it "the
> system (memory)" and then the "hard drive"?), only because I have been

It depends on the particular virus. Most viruses first install
themselves in memory, then infect the hard disk. However, nothing
prevents the virus from doing the same in the reverse order.

> We have the same "powered-off", non-infected, MS DOS based, PC computer
> system with one 5.25" floppy drive and one hard drive. Let's say I
> have an infected (Michaelangelo virus) 5.25", 360K, "NON-bootable"
> floppy. Let's put it into our "A" Drive and close the door. Now, turn
> on the power to the computer and let it attempt to "boot" up. Instead
> of a DOS Prompt, we now have "Non-system disk or disk error; replace
> and strike any key when ready" or something like that--you get the
> idea. NOW, instead of replacing and rebooting, let's turn the power
> off.

> 1. Is the virus in memory? I believe no, since the power is off.

Of course. It cannot be there.

> 2. Has the virus infected the hard drive? (I do not know. Can
> someone answer for me?)

In this particular example (Michelangelo) - Yes. This particular virus
does the following when booted from an infected floppy:

1) Installs itself in memory;

2) Checks whether the hard disk is infected and infects it if it isn't;

3) Checks for the activation date and overwrites the disk(ette) it has
   been booted from, if the date is March 6th.
   The GetDate function is performed via INT 1Ah, so the virus will not
   activate on computers that do not support it (mainly old XTs);

4) Loads the original boot sector and transfers control to it. This
   original boot sector will look for the DOS files and print the
   "Press any key" message if they are not found.

However, some other viruses act in a different way. For instance, Ping
Pong will infect the hard disk only if you access it. The hard disk is
first accessed (after the infected boot sector has received control)
only when DOS is loading and the devices initialized. So, the following
scenario holds:

1) You put a non-bootable diskette, infected with Ping Pong in drive A:;

2) You switch the power on;

3) The virus installs itself in memory;

4) It transfers control to the original boot sector, which displays the
   "Press any key" message;

5a) If you now switch the machine off (or just press Alt-Ctrl-Del) and
    replace the diskette with a non-infected bootable one, the virus is
    gone.

5b) If you replace the infected diskette with a bootable one and press
    the "any" key, DOS will be loaded from this diskette, the virus
    will be active in memory (and your bootable diskette infected, if
    it is not write-protected), and your hard disk infected, even if
    you have not explicitly accessed drive C: (because DOS itself has
    done this already).

> The point I am getting at is this: Most people will FIX the "non-boot"
> problem by opening the floppy drive door and then use the three-key
> (CTRL-ALT-DEL) combination to "reboot" from the hard drive without
> turning the system power off, possibly leaving the virus in memory, but
> maybe the virus has not infected the hard drive yet, giving it the
> opportunity to now infect the hard drive, after the second, now
> successful, "boot" attempt.

Right, that is why most people keep getting re-infected by Stoned,
Michelangelo, etc... Educate the users!
> If we were to turn the system power off, killing the virus in memory,
> and then reboot from a "non-infected" floppy disk, would the hard drive
> already be infected?

Depends on the virus. Most probably - yes.

Hope the above explains the situation. Feel free to ask if you have
more questions.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    24 Feb 92 15:43:50 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Surviving warm reboot (PC)

CHESS@YKTVMV.BITNET (David.M.Chess) writes:

> Powering off is key, though; if the virus is in memory when you c-a-d,
> all bets are off. Some viruses, including the Joshi as I recall,
> intercept the c-a-d sequence, and arrange to remain in memory. So if
> you boot from a Joshi-infected diskette, then open the door and c-a-d
> at the "Strike any key" message, your hard disk will be infected
> shortly thereafter (if I'm remembering correctly; I don't have Joshi
> source at hand at the moment).

Sorry to disagree, Dave, but this is a pet peeve of mine, so I couldn't
resist. :-) In short, no virus is able to survive the Alt-Ctrl-Del IN
GENERAL. What I claim is:

1) You insert an infected diskette and execute the virus from it. The
   virus installs itself in memory, but does not write anything on the
   diskette or the hard disk (there might be no hard disk, and the
   diskette might be write-protected).

2) You replace the infected diskette with a clean, write-protected,
   system diskette.

3) You press Alt-Ctrl-Del.

4) You observe the same "booting picture" as usual, i.e. the usual
   messages displayed by the BIOS during the boot process.

5) When the boot process is completed, the virus is still active in
   memory.
6) This works on all kinds of computers, not only on some weird ones
   (for instance, it could be achieved on standard IBM XTs, on
   computers with EMS, on 80386-based machines, etc., but this does not
   fit the "general" scheme).

Well, I claim that no virus is able to achieve all of the above. True,
there are at least two viruses, which try really hard to fake a true
reboot. These are Joshi and Alabama. However, since they are using INT
19h to chain to the warm reboot sequence, they will either hang the
machine if there are any TSRs loaded, or will not display the original
"reboot picture".

The way to achieve this on -some- machines (like the mentioned above)
is achievable, however, and I can explain it to you privately, if you
don't know it already.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 24 Feb 92 04:42:33 +0000
From:    n8735053@henson.cc.wwu.edu (Iain)
Subject: Re: WDEF infection at a school (Mac)

> Latest version Disinfectant 2.5.1

NOT! ( Always wanted to say that.... ;] )

As per comp.sys.mac.announce:

Tool:                     Disinfectant
Revision to be released:  2.6
Where to find:            usual archive sites and bulletin boards --
                          ftp.acns.nwu.edu, sumex-aim.stanford.edu,
                          rascal.ics.utexas.edu, AppleLink, America Online,
                          CompuServe, Genie, Calvacom, MacNet, Delphi,
                          comp.binaries.mac
When available:           (expected) late 2/21/92

- -iain

- --
  / /\    Davidson, IAIN@wwu.edu, uw-beaver!wwu.edu!IAIN
 / /\ \   {umop ap!sdn} {n8735053 | iain}@henson.cc.wwu.edu
/_/__\ \  ".... but you can't quote me on that ...." -- Scot Vidican
\_____\/  <> (Egads-Ugh! I'm infected!)

------------------------------

Date:    Mon, 24 Feb 92 04:59:00 +0000
From:    v064qpfu@ubvmsb.cc.buffalo.edu (Christopher S. D'Arrigo)
Subject: Non dectable Virus (Amiga)

Anyone know of a virus that could not be detectable by most scanners
that would cause any or all of the following:

    Can't Boot off Hard Drive (sometimes)
    System won't recognize Fast Ram (sometimes)
    Causing Guru's While Disk I/o
    Guruing W/o disk I/O
    System just freezes

Maybe it's not a virus at all but one of the highly integrated chips
that just gave up. (its a rather old A500).

Your thought will be GREATLY appreciated.

------------------------------

Date:    Mon, 24 Feb 92 14:11:16 +0000
From:    an565@cleveland.Freenet.Edu (Gregory Grosshans)
Subject: viruses in general-=help

I've just scanned the last 200 messages on this newsgroup to try to get
a feel of how viruses work more specifically. My employer doesn't
understand the ramifications of a virus not detected on a pc and is
reluctant to have software always check the system each time it is
powered up.

Is it not true that checking on weekly or bi-weekly intervals for a
virus infection is not dangerous?

Does anyone know how long it takes for a "new" virus to enter the
market (public domain) after the latest anti-virus software package is
released (i.e. do the virus-writers wait until the latest anti-virus
software is released before they come up with a new virus)?

Methods of virus infection, or types of virus infection, can include:
boot sector, .EXE and .COM files, device drivers. Are there any others
that I'm missing? Can non-executable (i.e. data files) be infected with
escape character sequences, etc?

Any information is greatly appreciated!

- --
+-----------------------------------------------------------------+
| Gregg Grosshans                      > normal disclaimers apply |
| an565@cleveland.freenet.edu          >--------------------------|
| an565%cleveland.freenet.edu@cunyvm   >                          |

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 41]
*****************************************
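
The false alarm explained in the "Conflicting Software & Odd Behaviour" reply above (one scanner finding another product's unenciphered search strings in memory) can be reproduced with the following added example, which is not part of the digest or of either vendor's code. The signature bytes are constructed placeholders, and `ResidentMonitor`, `scan_memory`, `xor_mask` and the XOR key are hypothetical names and choices made for this illustration.

```python
from itertools import cycle

# Constructed placeholder patterns, NOT real virus signatures. The names are
# the two detections reported in the digest; the bytes are invented here.
SIGNATURES = {
    "Iboot": b"\x90CONSTRUCTED-A\x90",
    "Filler": b"\x90CONSTRUCTED-B\x90",
}


def xor_mask(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (hypothetical masking scheme)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def scan_memory(memory: bytes, signatures: dict) -> list:
    """Naive memory scan: report every signature found anywhere in memory."""
    return sorted(name for name, pat in signatures.items() if pat in memory)


class ResidentMonitor:
    """Model of a memory-resident monitor that carries a signature table."""

    def __init__(self, signatures: dict, key: bytes = b""):
        self.key = key
        # With an empty key the table sits in memory as plaintext.
        self.table = {
            name: xor_mask(pat, key) if key else pat
            for name, pat in signatures.items()
        }

    def memory_image(self) -> bytes:
        """Bytes the monitor occupies in RAM: padding plus its table."""
        return b"\x00" * 16 + b"".join(self.table.values()) + b"\x00" * 16

    def check(self, data: bytes) -> list:
        """The monitor's own matching, done without unmasking the table."""
        hits = []
        for name, stored in self.table.items():
            size = len(stored)
            for off in range(len(data) - size + 1):
                window = data[off:off + size]
                if (xor_mask(window, self.key) if self.key else window) == stored:
                    hits.append(name)
                    break
        return sorted(hits)


def demo() -> dict:
    key = b"\x5a\xa5"  # assumed masking key
    plain = ResidentMonitor(SIGNATURES)
    masked = ResidentMonitor(SIGNATURES, key)
    sample = b"..." + SIGNATURES["Iboot"] + b"..."  # constructed "infected" buffer
    return {
        # Monitor removed and memory cleared before scanning: nothing reported.
        "monitor_not_loaded": scan_memory(b"\x00" * 64, SIGNATURES),
        # Plaintext table resident: the other scanner reports both "viruses".
        "plaintext_table_resident": scan_memory(plain.memory_image(), SIGNATURES),
        # Masked table resident: no false alarm from the other scanner.
        "masked_table_resident": scan_memory(masked.memory_image(), SIGNATURES),
        # Masking does not stop the monitor from detecting the pattern itself.
        "masked_monitor_still_detects": masked.check(sample),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case}: {hits}")
```
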