VIRUS-L Digest   Thursday,  5 Sep 1991    Volume 4 : Issue 157

Today's Topics:

Re: Viruses more common in Mac environment?
Frequency of PC vs. Mac Viruses
Re: Virus Simulator (long) (PC)
Re: Disassembler Info
Re: Norton Anti Virus (PC)
Re: Viruses more common in Mac environment?
Re: Virus Simulators
RE: FPROT 2.0/MIRROR conflict (PC)
Re: Virus Simulator available (PC)
PC Strategy to avoid infection
Invitation to the EICAR / CARO conference

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 05 Sep 91 09:32:17 +0100
>From:    Norman Paterson <[email protected]>
Subject: Re: Viruses more common in Mac environment?

David Chess (Vol 4 issue 155) points out I may be answering the wrong
question.  True - I hadn't thought of that.  Unfortunately it's much
more difficult to answer the more interesting question.

But first let me improve my first answer - how many different Mac
viruses are there?  The help text in Disinfectant 2.5.1 lists just 10:
Scores, nVIR, INIT 29, ANTI, MACMAG, WDEF, ZUC, MDEF, Frankie and
CDEF.  Some of these are going to be historical curiosities (eg MacMag
deletes itself) but others have one or two strains (eg nVIR has A and
B).  I thought 20 was a generous round number in my previous letter.

Now to the more difficult question: how many copies of each are there
out there.  What exactly should we try to count?  The number of Macs
that are infected with each kind, allowing that an infected machine will
probably have many copies of the infecting virus?  Or infected discs?
Or should we count reports of infection (assuming that each report is
followed automatically by disinfection so we don't count things
twice)?

However you define it, I think the only way to get a reliable (but not
necessarily useful) figure would be to set up a register of people who
would take part in the survey.  For example, I am responsible for
software security on about 100 Macs, but only about 50 of them are in
a situation where I can easily keep track of them.  The rest are in
people's offices, and I can't control what they do to them.  So I
would register my 50 easy Macs.  Then every month I could send in the
number of infections or whatever, even if it is zero.  If we had a
base of say 10 000 Macs around the world we'd soon get a consistent
and meaningful picture building up.  The trouble with the reports that
come in just now, without this formality, is that they are sent in at
the whim of whoever has just seen a virus.  After a few viruses they
don't bother reporting and nobody reports if they have no viruses.
(ok, perhaps we should assume no report = no infection, save network
traffic.)

Disadvantages of the formal system are: it's a lot of work, and it's
not obvious how to interpret the results.  (Suppose we find that nVIR
is not reported for six months.  Is it extinct?)  On the other hand,
the advantage is that we'd have some very interesting numbers to look
at.  Would it be worth the effort?  Is anyone willing to take it on?

In any case, of the Mac viruses I mentioned at the start, I have only
ever seen nVIR and WDEF, and neither of these for many months.  We zap
'em as soon as they show.

Norman Paterson

------------------------------

Date:    Wed, 04 Sep 91 13:44:17 -0500
>From:    ROsman%ASS%[email protected]
Subject: Frequency of PC vs. Mac Viruses

Aaron Delwiche (in vol 4 issue 152) wrote:

> Somebody recently tried to convince me that viruses were more
> widespread in the Macintosh environment than the PC environment.
> Is this true?  It seems to me that the opposite would be true.

ZZZZZZZZZZZip! *>snick<* SNAP!, Okay, the flame suit is on...

The overwhelming number of posted responses seems to indicate that
this is not true.  My (limited) experience directly supports the
original assertion.  My wife is in the publishing/page layout business
and heavily dependent on Macs.  Both she and her employer religiously
practice "safe computing" and rarely have troubles.  I'm forever
hearing about serious damage to other Mac users in the area.  Most of
the problem seems to come from the limited, but rather common set of
viruses that have been around for years.  My theory (as an occasional
Mac user and regular PC user) is that Mac users tend to be less aware
of the machine and the OS (generally a *good* thing).  This seems to
allow greater viral propagation before detection.  This coupled with
more built-in OS hooks for propagation tends to make them more common.

I just ran this by a local Mac guru who agrees completely (whew!).

Comments to: [email protected]
Flames to: /dev/null

The opinions expressed are my own, SwRI will disavow any knowledge
of my existence.

------------------------------

Date:    05 Sep 91 09:48:00 -0500
>From:    "William Walker C60223 x4570" <[email protected]>
Subject: Re: Virus Simulator (long) (PC)

The most heated discussions occur when the participants' opinions are
extremely opposite each other.  Such is the case with the Virus
Simulator.

>From:    [email protected] (Doren Rosenthal) [the author]
> So far the response and cooperation from producers of anti-virus
> products to my Virus Simulator 2.0 has been overwhelmingly positive.

The major players in the anti-virus arena who participate in this list
are Fridrik Skulason, Aryeh Goretsky (McAfee), Dave Chess (IBM), Ross
Greenberg (Microcom) and Vesselin Bontchev.  Also of significant
contribution to this list are Tim Martin, Padgett Peterson, and Rob
Slade (sorry if I left someone out).  So far, Aryeh, Ross, and Rob
Slade have not expressed their opinions.  Of those that have:

>From:    Fridrik Skulason <[email protected]>
> I fail to understand why the author of this program believes that
> anyone might find it of any use whatsoever.

>From:    [email protected] (Tim Martin; FSO; Soil Sciences)
> ... The virus simulator is NOT of ANY USE
> I can see, and will simply generate false security and false paranoia,
> not to mention horribly inaccurate reviews in already inaccurate
> magazines and journals.

>From:    "David.M.Chess" <[email protected]>
> ...  The results obtained from testing any anti-virus
> product with this "simulator" will be essentially meaningless.

>From:    padgett%[email protected] (A. Padgett Peterson)
> Consequently, I consider a signature simulator to be of limited value
> as a scanner validator.

>From:    [email protected] (Vesselin Bontchev)
> It would be a good idea to quote some names and how much professional
> experience do these people have in the anti-virus field indeed.
> Currently I've not seen even one positive opinion from the most
> well-known anti-virus researchers...

Well, I've quoted some names.  Looks like Vesselin summed it up
pretty accurately.

It seems to me that the real basis for the disagreements about the
Virus Simulator is its effects in the real world.  Most of the
comments are concerning whether or not a "good" virus scanner will
identify the output of the simulator as "real" virus infections.  Some
comments have dealt with the problems of unscrupulous people using the
simulator to leave simulated viri lying around.  But one subject which
both sides have missed is cleanup.

>From:    [email protected] (Doren Rosenthal)
> Virus Simulator generates controlled programs infected with the
> signatures (only) of every known virus available.

If the "bait" files contain only the signatures, then how can one test
the removal capabilities of an anti-virus package?  You can't.  An
anti-virus package may be able to detect 100% of all known viri, and
maybe even the simulated viri in the "bait" files, but if its
recommended cleanup action is "ERASE *.*" or "FORMAT C:," how useful is
it?  I think that the more useful package is one which could detect 90%
(or whatever) of all known viri, and 100% of the most common viri, AND
REMOVE THEM ALL without deleting the files outright (well, the parasitic
ones, at least).  Suppose this useful package couldn't detect ANY of the
simulated viri, because it used different signatures and/or an
algorithmic approach.  Should it be punted in favor of the less useful
one?  NO!

Our service license for ViruScan is about to expire.  I am evaluating
several anti-virus packages (including ViruScan again) to determine
which ones will be selected for the next service license.  One thing
that I am considering is a complaint by several people that at least one
version of ViruScan did not successfully remove Jerusalem-B or TP-44
from .EXE files.  Fortunately, I have copies of those viri that I can
use for testing a package's ability to clean them up.  If I did not, I
would either have to get the viri, have someone else test the packages,
or take the vendors' word.  Virus Simulator would be totally useless in
this evaluation; however, this comes back to Virus Simulator's original
premise.

>From:    [email protected] (Fred Waller)
>  Quite a few people would like to test virus scanners but are unable
>  to do so because they do not have access to the large collection of
>  viruses that is necessary to perform such tests.

Not everyone who uses an anti-virus package has access to several
genuine viri, and some don't have access to ANY.  Therefore, their
evaluations of a package's effectiveness would have to depend largely
on vendors' claims and media reviews.  Vendors' claims will, by their
very nature, be biased.  Media reviews, as has been pointed out many
times on this list, also have sources of bias, in spite of their
attempts at objectivity.  An independent source of information and
product reviews would be greatly welcomed.

Patricia Hoffman's VSUM document is an excellent starting point.  In
addition to the virus information it contains, it also lists which
major (and some minor) anti-virus packages detect and remove each
virus, even indicating which is the earliest version which will detect
a given virus.  But, VSUM is difficult to use in this manner, as there
is no index to this part of the list.

There is also a person or two (forgive me for not mentioning names - I
don't remember them right now) who regularly post product reviews
and/or tests to this list.  While I don't know their affiliations to
anti-virus vendors, I would wager that they are relatively bias-free.
A compilation of these reviews/tests could be put together and made
available via anonymous FTP from CERT and wherever.

>From:    [email protected] (Vesselin Bontchev)
> ... My opinion is
> that such collection should be available at some central organization
> (VTC?, CERT?, NIST?, NCSC?), and this organization should perform an
> objective test of different anti-virus products.

This is a much better idea than making a virus simulator.  NCSC
maintains an Evaluated Products List for security products, which
indicates their ability to perform prescribed security functions.
There is no reason why they ( or another group (Ken??) ) couldn't
maintain a similar list for anti-virus products.  Testing in this
manner could be accomplished by someone much more familiar with viri
and anti-virus packages than, for example, an MIS director of some
company.  The results would be unbiased, and would probably be more
reliable than if the products were tested in-house.

Finally, one last comment about Virus Simulator.

>From:    [email protected] (Doren Rosenthal)
> It's  now  available  from a  number  of  sources  if  you'd
> reconsider actually trying it.
> Compuserve as "VIRSM2.COM", EXEC-PC and several other BBS ( including
> SLO-BYTES (805) 528-3753 ) as "VIRSIM20.COM".

Bad move.  Even if Virus Simulator was of some use, letting any Tom,
Dick, and Harry download it is an EXTREMELY POOR way of distributing
it.  Providing it to vendors of anti-virus software to distribute to
licensed customers would have been much more logical.  As it is:

>From:    [email protected] (Daniel J Karnes)
> It is great for upsetting network administrators etc when those
> silly bogus virii start popping up at the hands of those who are
> jerks.  I spent a lot of time verifying that there were no REAL ones
> under just such circumstances recently.

People who are tasked with finding and removing viri do not like
wasting time tracking fake viri (for that matter, they don't like
tracking REAL ones, but that's a necessary evil).  Companies who pay
people to find and remove viri don't like having to pay for that time,
either.  I and others have recently put in a total of about a man-month
chasing down some real viri.  Imagine how bad managers would be hacked-
off if they found that they paid to track down fake ones.

Well, enough of that.  It's someone else's turn.

Bill Walker ( [email protected] ) |
OAO Corporation                        | "Non sequitur -- your facts are
Arnold Engineering Development Center  |  un-coordinated."
M.S. 120                               |           -- NOMAD
Arnold Air Force Base, TN  37389-9998  |

------------------------------

Date:    05 Sep 91 15:29:23 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Disassembler Info

[email protected] (Zoltan Kelemen) writes:

> The best disassembler is your own brain, aided by DEBUG. I don't
> understand how on earth normal disassemblers can handle
> encrypted/self-modifying/bizarre code.

Well, in general this is true, but some disassemblers aid the brain
better than DEBUG... :-) SOURCER being one of them.

As to the encrypted viruses, I usually force them to decrypt
themselves in memory (each encrypted virus has to have a decryption
routine), then I save the whole thing in a file and submit this file
to the disassembler.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Universitaet Hamburg, FB Informatik - AGN
[email protected]   Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991:   Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    05 Sep 91 11:47:41 -0400
>From:    "John D. Hopkins" <[email protected]>
Subject: Re: Norton Anti Virus (PC)

> I have a question (probably asked earlier but I was not here). Is NAV
> known for finding AIDS virus in error? I recall seeing this
> -somewhere- but cannot find reference. This information would help me
> restore peace of mind (or utter terror) to the mind of a local sysop.

As near as we have been able to tell, Norton DOES give false alarms of
the AIDS II virus.  Whether it does the same for the original AIDS, I
can't say.  We have a disk that Norton reported infected by AIDS II,
but that McAfee, TBScan, and FPROT have all reported to be clean.  I
believe Norton is outvoted on that one.

+-------------------------------------------------------------------------+
| John D. Hopkins, Operational Support    |   [email protected]  |
| Terry College of Business Computer Ctr. |              or               |
| University of Georgia, ph.(404)542-3829 |      [email protected]      |
|-------------------------------------------------------------------------|
| "Laugh and the world laughs with you.  Sneeze and it's goodbye Seattle."|
|                             -- Steve Martin                             |
|                                                                         |
+-------------------------------------------------------------------------+

------------------------------

Date:    05 Sep 91 15:46:47 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Viruses more common in Mac environment?

[email protected] (David.M.Chess) writes:

> different strains of virus.  It's certainly true that there are more
> different viruses for PCs than for Macs.  But that doesn't tell us
> whether or not there are more infected PCs than infected Macs, or a
> higher percentage.  I'd be very interested in any data that anyone has
> on that question.

Well, according to my statistics, only in Bulgaria alone, the PC
viruses are more widespread than the MAC ones in the whole world...

> (Remember: the vast majority of 'known' PC viruses have never been
> known to infect a real user.  Is that also true for the Mac?)

This can be argued too. For instance, the 605 variant of the stupid
AntiPascal viruses was first detected in the wild in Bulgaria... It's
the same with many other viruses that come from there and that others
(e.g., Patti Hoffman) consider as "research", "extinct" or "rare" ones
- they are often quite common in Bulgaria.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Universitaet Hamburg, FB Informatik - AGN
[email protected]   Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991:   Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    05 Sep 91 16:04:21 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Virus Simulators

[email protected] (Fred Waller) writes:

>  > I fail to understand why the author of this program believes that
>  > anyone might find it of any use whatsoever.
>
>  Currently, there is no independent means of testing and verifying
>  virus software. Simply having the word of a seller/producer has, of
>  course, never been enough, and is not likely to ever be; the danger
>  of collusion is simply too great for any reasonably-cautious
>  consumer to accept it blindly.

Yes, indeed, and this is a quite old and well-known problem. It is
still unsolved, and I don't see it solved in the near future. And the
notorious virus simulator is certainly not a step towards the
solution. It just shows that simple scanning may cause false positives
(something that everybody knows... or doesn't?).

>  apply to themselves), outfits such as Rosenthal Engineering perceive
>  the obvious need for some sort of "test method" without using hard-to-
>  get actual virus samples.  Of course, it is not enough.  However,

Yes, there is a need of such method. Of course, Rosenthal's program is
NOT such method. Of course, it is "not enough" and of no use at all.

>  instead of complaining about its inadequacy, we might have addressed
>  the reason for the appearance of such software.  I fear we are not
>  doing that at all, but should.

Once again? But wasn't it addressed widely enough? At least I've seen
this problem addressed in most professional journals that test
anti-virus products... Virus Bulletin comes to mind at once.

>  viruses that is necessary to perform such tests. Virus Simulator
>  doesn't test accuracy, but it does something else that's very
>  interesting.

It doesn't "test" anything. It just fools some (stupid) scanners and
that's all.

>  > .....the Virus Simulator does not create viruses - therefore there
>  > is no reason why an anti-virus program should report any of the
>  > files it creates to be infected.
>
>  But they do. Every one of the hundreds of "fake virus" files produced
>  by the Virus Simulator succeed in triggering every virus scanner
>  commonly used: SCANV, F-PROT, VIRX, IBM VIRASCAN, TBSCAN, etc. etc.
>  They all denounce its "fake virus" files as if they indeed contained
>  true viruses, though not all scanners report the same virus in the

It's normal for SCANV (true name is VIRUSCAN, as far as I know), IBM's
VIRSCAN, TBSCAN, HTSCAN - all these are not virus scanners - they are
pattern matching engines that verify the presence of a pattern
(possibly including wildcards) in the files. Don't have enough
information about VirX.

However, F-Prot and Dr. Solomon's Anti-virus Toolkit are anti-virus
tools, that also carefully check whether a file that is found to
contain a virus signature is really infected. I am pretty sure that if
you test carefully these on the fake "infected" files, you'll notice
that they do not tell you that the file is INFECTED by a KNOWN virus
and do not try to disinfect it. (If they do, this is a bug, and you
should report it to the authors of these programs.) Especially F-Prot
probably says that the file is "Possibly infected" or "seems to be
infected by a new variant of..." and refuses to disinfect the file.
Check it again, and you'll see that I'm right.

>  same file <g>. If nothing else, Rosenthal's Virus Simulator is a
>  sobering educational tool which demonstrates how easy it is to fool
>  all of the current scanners into producing false alarms, and how
>  little uniformity there exists in virus nomenclature!

Oh, well, but this is rather well known... Do we need a special
program that demonstrates it? I have even heard about the existence
of a program in Bulgaria (or a set of programs) that get a known
virus, a copy of SCAN.EXE, and after a few tries reports the scan
string that is used by SCAN (or any other anti-virus program), and
even suggests where it should be modified, in order to make the virus
not detectable by this particular scanner.

>  Precisely. In reality, the files are not infected at all, but as far
>  as the scanners are concerned, those files *appear* infected and are

Again, a good scanner (or a good anti-virus tool more exactly)
shouldn't report that these files are infected by a KNOWN virus. If
you insist, I can send you my anti-virus program (with a list of the
viruses that it detects), and I'm pretty sure, that it will not get
fooled by any of the "simulated" viruses.

>  reported as such. And that points out a weakness of the scanning
>  method better than any theoretical consideration I've seen.

This only means that you are unable to understand the appropriate
theory and need such childish example. Well, maybe you're right after
all - there certainly exist other people that will need it too...

>  Probably not by chance. The code used in Rosenthal's fake viruses
>  seems to trigger the scanners reliably every time... as intended.

It DOES NOT trigger RELIABLY any RELIABLE anti-virus program.

>  Not `some scanners', and not `in some cases'. They cause all scanners
>  (which I tried) to trigger in all cases, every time. It's remarkable.

What is remarkable is the fact that you consider it as some kind of
wonder... :-)

>  Of course. And as soon as somebody invents this "perfect virus
>  detector", Rosenthal's Virus Simulator will cease to be of interest.

I repeat. F-Prot and Dr. Solomon's Anti-virus Toolkit. None of them
will disinfect any of the test files. The same goes for my anti-virus
program, although it is far from perfect and cannot compare with the
two listed above.

>  Until then, it remains a remarkable and interesting program which
>  demonstrates how imperfect the virus scanners really are.
>
How can an obvious fact be so "remarkable"?

>  Not misleading. The signatures don't need to be specially "provided
>  by the author of the anti-virus program"?.  The signatures are
>  contained in each issue of each scanner. Sometimes, they are modestly
>  encrypted for reasons that were never satisfactory to me but, in any
>  case, it's child's play to decrypt them. If not decrypted, they may
>  be otherwise simply derived. I do not think that Rosenthal's

Yes. All this means that Rosenthal has fished these signatures from
the different scanners. Therefore, they have been provided by the
scanners' authors (since he didn't bother to find these signatures
from the live viruses).

>  statement was misleading at all. In my experience, his program does
>  what he announced, and does it very competently, although some of the

This would be true, if the program simply states that it generates
files, which cause false positives and fool some of the popular
scanners. Is this what is stated exactly in the program's
documentation? I have the impression, that the author claims that his
program is some kind of "test". It isn't.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Universitaet Hamburg, FB Informatik - AGN
[email protected]   Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991:   Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
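
The distinction drawn in the message above, between a pattern-matching engine and a tool that checks whether a file containing a signature is really infected, can be shown in a few lines. This is an added example, not part of the original post and not any scanner's code; the virus name "DEMO-A", the search string and the assumed infection layout are all constructed for illustration.

```python
"""Added illustration: search-string matching vs. match-plus-verification.

Everything here is constructed: "DEMO-A" is not a real virus, SIGNATURE is
arbitrary bytes, and the infection layout is a simplified assumption.
"""

# Constructed search string; None is a wildcard that matches any byte.
SIGNATURE = [0xDE, 0xC0, None, 0x5A, 0xA5, 0x11, 0x22, 0x33]

# Assumed layout of a .COM file infected by the hypothetical DEMO-A:
#   offset 0       E9 lo hi   near JMP to the body appended at end of file
#   jump target    start of the body, exactly BODY_LENGTH bytes long
#   target + 4     the search string
BODY_SIG_OFFSET = 4
BODY_LENGTH = 32

VERIFIED = "INFECTED: DEMO-A"
UNVERIFIED = "suspicious: DEMO-A search string present, infection not verified"
CLEAN = "clean"


def find_signature(data, sig=SIGNATURE):
    """Return the offset of the first match of sig in data, or -1."""
    for i in range(len(data) - len(sig) + 1):
        if all(s is None or data[i + j] == s for j, s in enumerate(sig)):
            return i
    return -1


def naive_scan(data):
    """Pattern-matching engine: any occurrence of the string is an infection."""
    return VERIFIED if find_signature(data) >= 0 else CLEAN


def verifying_scan(data):
    """Report a known infection only if the file also has the known layout."""
    pos = find_signature(data)
    if pos < 0:
        return CLEAN
    if len(data) >= 3 and data[0] == 0xE9:
        # The rel16 displacement is relative to the byte after the 3-byte JMP.
        target = (3 + int.from_bytes(data[1:3], "little")) & 0xFFFF
        if target + BODY_SIG_OFFSET == pos and target + BODY_LENGTH == len(data):
            return VERIFIED
    return UNVERIFIED


def may_disinfect(verdict):
    """Cleanup is attempted only when the exact known layout was confirmed."""
    return verdict == VERIFIED


def sig_bytes():
    """Concrete bytes for the search string (wildcard filled with 0x00)."""
    return bytes(0 if s is None else s for s in SIGNATURE)


def build_bait():
    """Constructed simulator-style file: harmless stub plus the bare string."""
    return b"\xC3" + b"\x90" * 10 + sig_bytes()


def build_layout_sample(host_len=20):
    """Constructed inert file (filler only) that has the full assumed layout."""
    body = b"\x90" * BODY_SIG_OFFSET + sig_bytes()
    body += b"\x90" * (BODY_LENGTH - len(body))
    jmp = b"\xE9" + (host_len - 3).to_bytes(2, "little")
    return jmp + b"\x90" * (host_len - 3) + body


if __name__ == "__main__":
    samples = {
        "bait.com": build_bait(),
        "layout.com": build_layout_sample(),
        "plain.com": b"\xC3" * 16,
    }
    for name, data in samples.items():
        verdict = verifying_scan(data)
        print(f"{name:11} naive={naive_scan(data)!r}")
        print(f"{'':11} verifying={verdict!r} disinfect={may_disinfect(verdict)}")
```

The bait file trips the naive matcher but is only flagged as suspicious by the verifying scanner, which also declines to disinfect it.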

------------------------------

Date:    Thu, 05 Sep 91 10:43:46 -0600
>From:    Diskmuncher <[email protected]>
Subject: RE: FPROT 2.0/MIRROR conflict (PC)

>Date:    Wed, 04 Sep 91 16:11:49 +0000
>From:    Fridrik Skulason <[email protected]>
>Subject: F-PROT 2.00 and MIRROR conflict (PC)
>Several people have informed me of a conflict between VIRSTOP.EXE (a
>part of version 2) and MIRROR from Central Point Software.
>This will be corrected in version 2.01, but until then don't load both
>programs at the same time.

       There are other conflicts that VIRSTOP seems to have with
Central Point Software's PC Tools Deluxe programs.  During the
beta-test phase (I haven't tried it since receiving the official
release) I discovered that if VIRSTOP is loaded AFTER PC-SHELL goes
resident (TSR), the PC will crash when you load a program of any
significant size (i.e. FORMAT worked, but DOSSHELL (DOS 5.0) crashed).
The MIRROR conflict happens with both the PC Tools version and the DOS
5.0 version.  The solution I found was to load VIRSTOP AFTER MIRROR
but before PC-SHELL and other TSR's.  In fact, if I remember correctly
the PC-Tools manual explicitly states that MIRROR must be loaded first
in the AUTOEXEC.BAT
                                       John-David Childs
                                       Consultant, University of Montana
                                       [email protected]

------------------------------

Date:    05 Sep 91 15:52:47 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Virus Simulator available (PC)

padgett%[email protected] (A. Padgett Peterson) writes:

> technicians how to recognize viral activity. For example if a scanner
> detects the STONED virus in memory yet "655360 total bytes memory" is
> reported, one might logically expect that there has been a false negative.

Nope... This might be a Stoned variant that installs itself in memory
in a different way. Say, by not decreasing the total amount of memory
at all (like the Stupid virus), or by waiting until COMMAND.COM is
loaded and increasing its MCB right before any other program is loaded
(as a new Bulgarian virus - Compiler - does)... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Universitaet Hamburg, FB Informatik - AGN
[email protected]   Schlueterstrasse 70, D-2000 Hamburg 13
New address after October 1, 1991:   Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    05 Sep 91 09:13:06 +0000
>From:    [email protected] ( Mr S. Rahim )
Subject: PC Strategy to avoid infection

              STRATEGY TO AVOID INFECTION
              ===========================

1. Backup often and keep multiple copies of the backups.
  Virus infections can be present for a long time before
  becoming obvious. Keep a log of dates for the copies and
  try to trace the most possible way of infection.

2. Do not run programs with dubious origins. These include
  illegally copied software, shareware, programs which
  have been downloaded from a BBS where they haven't been
  tested. Note that a program which has been around is
  a likely candidate for viruses.

3. Test all software before installing on to the harddisk.
  This should be carried out on the floppies.

4. Beware of software and floppy disks sent in mail which
  were not ordered. Check if the software has the following:
     - The developer's name and address.
     - Appropriate documentation.

  An example of this was the AIDS trojan. This was supposed
  to be an expert system but it turned out to be a blackmailing
  scheme.

5. Change .COM and .EXE file attributes to Read Only. This will
  work against the first generation viruses although the
  Second and Third generation viruses will have no problem
  getting through it.

6. Use write protect tabs on all the floppies. Remove them
  temporarily if you wish to write to disk but replace them
  when finished.

7. Never boot your machine from a floppy disk if you have a
  hard disk. If you do boot from the floppy make sure that
  the floppies are clean.

8. Handle low-level tools carefully. They are excellent for
  viruses but can lead to damage if not used carefully.

9. Run a complete check on your computer periodically. This
  is sure to catch a virus that might have got through before
  it has any chance to unleash its payload. This is due to
  the fact that you cannot be confident that the prevention
  system installed has worked.

--
============================================================================
Computer Science Dept, Rhodes University, Grahamstown, South Africa
                      Internet : [email protected]
----------------------------------------------------------------------------


------------------------------

Date:    Thu, 05 Sep 91 17:56:24 +0600
>From:    [email protected]
Subject: Invitation to the EICAR / CARO conference

Finally I can send the invitation to the European anti virus
conference of EICAR / CARO. We hope to see many of you in Brussels!

              Trends in computer viruses

The virus threat has clearly not lessened over the past years and
it will continue to get worse. The number of MS-DOS viruses will
reach 1000  this year. Managers as well as PC specialists ask:
"Are viruses just a good story or are they really dangerous
to the valuable information on PCs?"

Many companies have already had virus accidents and lost data,
time and money. Managers are not always aware that this is
happening. The virus threat, and actions against viruses are
often just talked about until the first appearance of a virus,
and sometimes the discussion even continues until the first
damaging virus.

It is possible to formulate a sensible anti-virus strategy,
consisting of Procedures, Organisational rules, Education and
Technical Means. This seminar is designed to help you to do that.

              EICAR and CARO

It is necessary for research groups and manufacturers of hard-
and software - especially of anti-virus products - to
cooperate, because of the rapidly growing number of viruses. So
the first meeting of European virus experts was organized
together with a seminar and workshop in Hamburg at the beginning
of December 1990. The participants of this conference founded the
worldwide CARO (Computer Anti-Virus Research Organization) and
EICAR (European Institute for Computer Anti-Virus Research). The
formal foundation of EICAR will take place in Brussels just
before this seminar.

              The seminar and the workshop

The seminar offers an up-to-date introduction to computer viruses
and similar malicious software. Trends as well as methods and
tools for virus detection and cleaning of systems will be
presented first. Special topics will be discussed in working
groups (second day).

              What you will take with you

After an interesting seminar it is very helpful to have printed
material and tools available which also give important
support by introducing new methods or tools. Each participant
will get:

    Seminar proceedings and slides, EICAR information,

    Dr. Solomon's Anti-Virus Toolkit, Anti-Virus package F-PROT,

    BFKTools, Back issues of Virus News International, Virus
    Catalogue (VTC Hamburg), Belgian PC-magazine

The participants will get some more publications and products
which are not fixed yet.

              Meet the experts in Brussels

Meetings of CARO and EICAR special technical committees will take
place in Brussels during the seminar.  This means that the
participants at the workshop will be able to discuss their
problems with all of the European virus experts. They will have
the possibility to meet for example: Vesselin Bontchev, Prof.
Dr. Klaus Brunnstein, Dave Chess, Ruediger Dierstein, Christoph
Fischer, Roger Gustafsson, Steve Hill, Joe Hirst, Detlev
Hoppenrath, Prof. Dr. Joerg Muehlbacher, Tony Naggs, Christian
Schmidt, Fridrik Skulason, Dr. Alan Solomon, Franz Swoboda,
Morton Swimmer, Michael Weiner. This is the greatest
concentration of anti-virus expertise ever assembled - if
these experts cannot help you, no-one can.

              Who should attend the seminar?

The participants of the seminar should have some experience in
using personal computers but no special know-how is required. A
wide range of managers and professionals will be addressed: PC
support professionals, LAN managers and supervisors, DP
management staff, managers responsible for data security, PC
users receiving or mailing software, etc.

              The speakers

The introduction to the virus threat will be presented by Dr.
Alan Solomon, S&S International, on the first day of the seminar.
He is one of the outstanding professionals in this area. Other
experts like Prof. Dr. Klaus Brunnstein, Ruediger Dierstein,
Prof. Dr. Bart De Schutter and virus experts from different
countries will present special topics. All lectures and
discussions will be given in the English language; no simultaneous
translation will be prepared.

              Your contribution to the seminar

Due to the fact that presentations will be given in plenary sessions
as well as sessions of small working groups it will be possible
to concentrate discussions on special topics which are proposed
by participants. Therefore please write down your suggestions for
topics of interest. You can use the application form for this
purpose. You can also bring with you for example suspect
diskettes or PCs. They can be checked during the seminar.

              More information on products

Sometimes it is not so easy to get enough information about
products. Therefore some manufacturers of hard- and software will
be present during the seminar and exhibit their products.
Furthermore some PCs will be available in order to demonstrate
anti-virus products and to check out possibly infected diskettes.

              Belgian evening

For those who will arrive already on Monday 23, a coming together
meeting will be arranged. Most of the virus experts will
participate. One of the very important objectives of such a
seminar will be to make new contacts. Therefore the participants
and the virus experts will have an informal meeting on the
evening of September 24.

              Seminar Programme

September 24, Seminar

The first day consists of a survey about the present situation as
well as new problems which are coming up. Mostly, on day one, PC
viruses will be covered.

    PC-viruses today

    How a PC works with respect to malicious software

    How a virus works: present techniques like stealth

    Damages done by viruses including side-effects

    Detection of viruses and cleaning of systems

    Precautions: techniques using soft- and/or hardware

    Other malicious software like worms and Trojans

    Virus scene in European countries and worldwide

    What's going on in 1992?

Many demonstrations will lead to interesting discussions and
exchange of experience. While the major meeting takes place, the
experts will be convening in workshops to cover various topics in
considerable depth.


September 25, Workshop

Mainly working groups will meet. The topics will also cover
viruses on computers other than PCs.

    Viruses and mainframes, UNIX-viruses, Viruses and PC-
    networks, EICAR

The results of the working groups as well as the EICAR meetings
will be presented in a final plenary session.

              Fees

The seminar fee is 1.800,- DM for the first participant of a
company or organization. Additional attendees will get a
reduction of 10%. Members of scientific institutes and
handicapped will pay 1.200,- DM only. VAT is not included!
The fees are mainly used to be able to pay the travelling
expenses for the virus experts coming from scientific institutes.

              Registration

Please send the attached form to the address printed on this
form. If you have received the seminar leaflet from one of our
associates please write a short remark on your application form.
Please use the address printed on the form. In case of any
question or if you are missing the registration form please
contact the organizer of the seminar:

    Guenter Musstopf, perComp-Verlag GmbH
    Holzmuehlenstr. 84, D-2000 Hamburg 70
    phone: 0049 (40) 6932033, fax: 0049 (40) 6959991
    e-mail: [email protected]

The number of participants is restricted. Reservations are taken
in the order they arrive at perComp-Verlag or MU-Innovation.
Therefore you should send your registration form as soon as
possible. The confirmation of your registration and the invoice
will be posted to you.

Cancellations can only be accepted after a written notification
received at least September 06, 1991. An administration fee of
150,- DM will be accounted. If the seminar is cancelled by
the organizers for any reason or by circumstances beyond their
control, any pre-paid fees will be refunded in full.

Accommodation: We will send you a list of hotels in different
price categories. Please make your reservation as soon as
possible and add a notice that the seminar will be held at the
European Community as an expert meeting. This gets you a special
price. This holds only true for the hotels which are on this
list.

We are looking forward to meeting you in Brussels.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 157]
******************************************
