VIRUS-L Digest Tuesday, 25 Feb 1992 Volume 5 : Issue 41
Today's Topics:
Will Write Protection Prevent Virus Infection? (PC)
Re: Help: 1193 virus? (PC)
Re: F-prot and non-executable files (PC)
Re: Michelangelo's handicaps. (PC)
Re: Michelangelo hits Sandia from a vendor (PC)
Re: Conflicting Software & Odd Behaviour (PC)
Re: Michelangelo on ARTEC AM25 3 button mouse driver disk (PC)
Re: Michelangelo Virus in Florida too! (PC)
vdefend from PC-Tools 7.1 and Mcaffee clean (PC)
Solution to DOS 2.11/F-Prot problem (PC)
Re: AUX files (PC)
F-PROT 2.02D & Novell (PC)
Re: looking for... (PC)
Re: Boot Sector Virus Infections (In General) (PC)
Surviving warm reboot (PC)
Re: WDEF infection at a school (Mac)
Non dectable Virus (Amiga)
viruses in general-=help
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to
[email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 22 Feb 92 13:45:22 +0000
>From:
[email protected] (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR)
Subject: Will Write Protection Prevent Virus Infection? (PC)
I have a simple question:
If I set the attributes of all the executables, overlays, and COM
files in my hard drive to be read-only, will this reduce the chances
of getting virus infection?
I understand that viruses usually get transmitted by modifying these
files. And since these files are rarely required to be read-write,
(maybe during the installation only) I do not think that the
applications would mind setting the attributes to read-only.
========================
Hesham Elgharib
------------------------------
Date: Sat, 22 Feb 92 14:09:18 -0400
>From:
[email protected] (Warren D. Calhoun)
Subject: Re: Help: 1193 virus? (PC)
[email protected] (Vesselin Bontchev) writes:
>The name was changed to Copyright, because (1) a numeric name must be
>avoided - it is difficult to remember and closely related virus
>variants (i.e., viruses in the same family) can have different
>infective length, and (2) because the virus contains the strings:
> "(C)1987 American Megatrends Inc.286-BIOS"
> "(C)1989 American Megatrends Inc."
> "(c)COPYRIGHT 1984, 1987 Award Software Inc."
> "ALL RIGHTS RESERVED"
>An alternative was to call it "Award", or "Megatrends", but it's our
>policy to never name a virus after a company or product.
Thanks. I was sure there was a logical reason, but I had not heard
it. I think the policy of not naming a virus in such a way as to
include a company or product name is a very good one. (I suppose it
could have been called the 'ALL RIGHTS RESERVED' virus, but that would
be silly :-)
>Sorry to disappoint you, but CLEAN 86-B does not remove this virus.
After my previous post, I was able to check a copy of clean 86b and,
of course, you are right. I was hopeful that it would be capable of
removing the virus, but it is not. I think I had seen something that
indicated it might, but now I don't remember. Oh well, maybe sometime
soon.
Anyway, thanks for the clarifications...
- --
| Warren D. "Cal" Calhoun |
| Information Systems Network (Host) | CIS:
[email protected] |
| Phone: DSN: 354-3396/3595 | UUCP: mimsy!ihost!calhoun |
| COM: (703) 664-3396/3595 | Internet:
[email protected] |
------------------------------
Date: Sat, 22 Feb 92 21:49:47 +0200
>From: Tapio Keih{nen <
[email protected]>
Subject: Re: F-prot and non-executable files (PC)
>We were using F-prot here and we noticed that it doesn't scan non
>executable files. This raises the question, can a virus hide in a
>text file, and then transfer itself elsewhere?
No, virus can't use text files or any other non-executable files for
spreading. Virus needs to be executed and since text files can't be
executed, virus can't spread via them. There are some viruses which
infect data files, but those infected data files can't spread the
virus any further. For example, Cinderella and 4096 viruses do this,
because of the way they check the file extensions.
(BTW, this should be on the FAQ list...)
- --
Tapio Keih{nen | Mesihein{nkatu 2 B 6 | 33340 Tampere | Finland
-
[email protected]========---------------
"You've got some stairs to heaven, you may be right
I only know in my world, I hate the light
I speed at night!" -R.J. Dio, 1984-
------------------------------
Date: Sat, 22 Feb 92 22:23:27 +0200
>From: Tapio Keih{nen <
[email protected]>
Subject: Re: Michelangelo's handicaps. (PC)
>Bug 2:
>I have been unable to infect 3.5" floppy disks (720's as well as
>1.44's) other than by simply copying a 5.25" image over a 3.5" floppy.
>This might lead to the conclusion that only systems with a 5.25" A:
>drive can be infected.
I haven't looked at the date check routine in Michelangelo, so I'll
comment only this. Just like Stoned Michelangelo infects only
diskettes in A: drive. If the virus was introduced to hard disk from
5.25" floppy (A:) and then A: drive was changed to 3.5" floppy,
Michelangelo will infect 3.5" floppies then just normally.
- --
Tapio Keih{nen | Mesihein{nkatu 2 B 6 | 33340 Tampere | Finland
-
[email protected]========---------------
"You've got some stairs to heaven, you may be right
I only know in my world, I hate the light
I speed at night!" -R.J. Dio, 1984-
------------------------------
Date: Sat, 22 Feb 92 17:53:20 -0700
>From:
[email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Michelangelo hits Sandia from a vendor (PC)
dave%
[email protected] (Dave Grisham) writes:
>I recieved this mail after Sandia notified us of their infection.
>My comments are in [ ].
>grish
>- -----Begin forwarded letter---------------
>Date: Fri, 21 Feb 92 00:21:37 -0700
>From: Harold Iuzzolino <
[email protected]>
> We (a Sandia Labs division) received several new 486/33 IBM compatibles
>last week. Immediately after powering up one system, a virus checker
>(Central Point Anti Virus) was installed and run. CPAV found and removed the
>virus [Michelangelo]. The other new pc's were checked and the results were
>the same. The dealer was called, and he found the virus on his stock pc's.
>(The dealer has expressed annoyance at my mentioning his name so I am not
>going to mention any dealers' names.)
I think such dealers should be publicly derided, scorned, and if
possible sued. There is no excuse anymore.
>The virus came with the MS DOS 5.0 sent to the dealer.
What can I say? This should be pursued: it could explain
Michelangelo's "commercial success". Anyone want to bet someone
somewhere is trying hard to cover something up? Not necessarily in
this case: don't call the slander lawyers on me yet! But it is
becoming increasingly obvious Michelangelo got lucky in a big way,
probably with some wholesale supplier of some fundamental software, if
not from the software house itself.
Tim.
-------------------------------------------------------------
Tim Martin *
Soil Science * These opinions are my own:
University of Alberta * My employer has none!
[email protected] *
-------------------------------------------------------------
------------------------------
Date: Sun, 23 Feb 92 10:56:52 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: Conflicting Software & Odd Behaviour (PC)
Hello Mr. Erixon-Stanford,
[email protected] (Mignon Erixon-Stanford) writes:
> We recently purchased McAfee's WSCAN & CLEAN86B, with which I'm
>happy. One of our scientists had Central Point's VSAFE and BOOTSAFE
>programs (loading from his AUTOEXEC.BAT). Upon scanning with WSCAN, it
>reported finding Israeli Boot [Iboot] and Filler. We booted from a
>safe disk, ran CLEAN against Iboot and Filler, scanned again; no
>viruses were found.
VDefend, VSave, and VWatch, from Central Point Software (included in
their Central Point Anti Virus and PC Tools 7.1 packages) contains
several of the same virus signatures that are used by the VIRUSCAN
series. While this is not too uncommon--there are some viruses for
which there is only one reliable signature string--the Central Point
programs do not encrypt or otherwise cipher their search strings in
memory, causing VIRUSCAN (et al) to erroneously report a virus when it
comes across VDefend (and cousins) in memory.
> Then we booted from his autoexec.bat which loaded the Central Point
>programs; wscanned and it reported Iboot in memory. We changed the
>autoexec.bat so VSAFE & BOOTSAFE wouldn't load; wscanned; no viruses
>were found.
Since the CP programs weren't in memory at the time WSCAN was run,
no "viruses" were found in memory.
> Am I right in concluding that Central Point's memory resident
>software is erroneously recognized as a virus by McAfee's WSCAN?
Quite correct. Because of this problem, I would not recommend that
you use CPAV and SCAN together on the same system without removing
CPAV and then powering to clear memory prior to running SCAN.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
- - - -
McAfee Associates | Voice (408) 988-3832 |
[email protected] (business)
1900 Wyatt Drive, Suite 8| FAX (408) 970-9727 |
Santa Clara, California | BBS (408) 988-4004 |
95054-1229 USA | v32bis(408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM
------------------------------
Date: 23 Feb 92 20:09:21 +0000
>From:
[email protected] (Ricky Suave Stella)
Subject: Re: Michelangelo on ARTEC AM25 3 button mouse driver disk (PC)
> Michelangelo on ARTEC AM25 3-button mouse driver disk.
It would be helpfull to know the version of the driver disk.
BTW, does anybody know how to get an updated version of the driver?
- ------------------------------------------------------------------------------
Ricardo Stella
[email protected]
RUCS US - CCF
[email protected]
Owl's Roost Manager
[email protected]
Hill 118 - (908)932-2491 Rutgers University, NJ
...suave...
- ------------------------------------------------------------------------------
------------------------------
Date: Mon, 24 Feb 92 06:32:21 +0000
>From:
[email protected] (Jim Baltaxe)
Subject: Re: Michelangelo Virus in Florida too! (PC)
[email protected] (Vesselin Bontchev) writes:
>
[email protected] (Jim Baltaxe) writes:
>
>> BTW After making the story available to the media on Friday, we
>> received something like 400 disks by today (Tuesday). In a country the
>> size of ours, that is an incredible response. Maybe somebody out there
>> is really listening.
>
>According to the University's telephone center, the VTC Hamburg
>received 3,000 phone calls for the last week. This happened after we
>told the media about the virus... :-)
Hey, I really don't want this to turn into a matter of look at how
many _I_ got... but... the score for the kiwis is well over 2,000 (I
lost count sometime after 1:30am :-) Actually, I am rather proud that
some people are trying to do something to protect themselves; maybe
the fact that the disks were free might have had something to do with
it.
- --
Jim Baltaxe -
[email protected]
Computing Services Centre - Victoria University of Wellington - New Zealand
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time is such a valuable commodity because they're not making it any more.
------------------------------
Date: Mon, 24 Feb 92 09:49:35 +0000
>From:
[email protected] (Thomas Walter Neser)
Subject: vdefend from PC-Tools 7.1 and Mcaffee clean (PC)
Hello,
some times ago i detected with an old version of mcaffee scan a stoned
virus on a hard disk and cleaned it with mcaffees cleaner. Now the
newer versions from mcaffee don't find the virus any more. When i
activate vdefend from pctools 7.1 it informs me that there is a stoned
virus. f-prot202 says its suspicious, maybe a ne form of stoned but
won't disinfect it. Since i don't have the virus removal from central
point i would ask if clean only partitially erases the stoned to
disable it and if it's possible that vdefend and scan look for a
different part on the stoned virus to detect it. virx20 doesn't find
anything at all and maybe this is just a marketing gag.
Sincerly
Please write to me directly cause i normally don't read this list.
- ---
Thomas Neser,
Zeus im MZES, Universitaet Mannheim, Steubenstr. 46, D-W-6800 Mannheim, Germany
BITNET: m75 at dhdurz1 INTERNET:
[email protected]
UUCP: unima!fs21 X400: C=de; A=dbp ; P=uni-mannheim; OU=rz; OU=munix; S=neser;
FAX: +49-621-292-8435 TEL.: +49-621-292-8473
------------------------------
Date: Mon, 24 Feb 92 10:02:52 -0500
>From: Lynne Meeks <
[email protected]>
Subject: Solution to DOS 2.11/F-Prot problem (PC)
Thanks to Mickey Waxman, who provided the solution to this problem.
I'm posting the solution to virus-l for any other DOS 2.1 users out there.
========================================================================
> ... your troubles stem from trying to run Fprot from floppy disk.
> The cure: copy all files from floppy to harddisk and run from the harddisk.
Sure enough, copying the F-Prot files to the hard drive and then
running F-Prot works! This is a fine solution- it ought to be on the
hard drive anyway.
> Uh ,oh! You do have a harddisk, don't you?
If someone does not have a hard drive it's really not a problem- scan
the boot disk on another machine and make sure it's clean, then write
protect the boot disk and ALWAYS boot from that disk. It's really
machines with hard drives that I'm more concerned about anyway.
> Definitely, Virstop.exe does not work on this Dos 2.1 system.
> No error message, but it does not announce it's loaded and it does not
> catch viruses. The solution is to Scan everything before you put it
> on harddisk --- no automaticity.
Again, this is something we can live with. I think everything ought to
be scanned anyway.
Thanks again Mickey!
Lynne Meeks (
[email protected])
238 Waterman Building
University Computing Services
University of Vermont, Burlington, VT 05405
------------------------------
Date: 24 Feb 92 15:14:31 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: AUX files (PC)
[email protected] (Jon Freivald) writes:
> Acutally, I just figured something out... My command processor is 4DOS.
> If I execute command.com, I don't see these files. In case you haven't
> guessed, all of my systems use 4DOS, as do most of the systems at
> work...
I guess that this subject has been already beated down to death, but
nevertheless, here is some more information.
In one of my previous postings, I said that the problem seems to be
fixed in DOS 5.0. Well, it isn't. I am using NDOS 6.01 with MS-DOS 5.0
right now and was able to reproduce the problem by using the command
dir aux
Since the main difference between directory searches between
COMMAND.COM and NDOS (4DOS) is that the former uses FCBs, while the
latter uses file handles.
Therefore: The device drivers are visible as files, when you perform a
file handle FindFirst/FindNext (INT 21h/AH=4Eh, AH=4Fh) on a file name
equal to the name of the device driver (no wildcards).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Mon, 24 Feb 92 08:58:00 -0600
>From:
[email protected]
Subject: F-PROT 2.02D & Novell (PC)
I have been having problems scanning Novell file servers with F-PROT
v2.02D. When I reach a system hidden file, my computer locks up. The
only way I have been able to successfully scan the server is to omit
SYS files via the "User Specified" option. What am I doing wrong?
By the way, I am indicating that a "network" is to be scanned.
Thank you,
Marty Mark, University of Northern Iowa
[email protected]
319-273-6258
------------------------------
Date: Mon, 24 Feb 92 16:36:44 +0100
>From: Martin_blas Perez Pinilla <
[email protected]>
Subject: Re: looking for... (PC)
[email protected] (Lloyd E Vancil) writes:
> I'm trying to locate a program called PROTEC.COM. This program
> prohibits writes to the C: drive.
I have two or three of such programs and can send you if you wish,
but its utility is limited: some (many?) viruses can bypass the
protection and infect the hard disk. Regards
M.B. Perez Pinilla |
[email protected] | Write 10^6 times:
Departamento de Matematicas | "I'll never waste bandwidth"
Universidad del Pais Vasco |
SPAIN
------------------------------
Date: 24 Feb 92 15:26:43 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Boot Sector Virus Infections (In General) (PC)
[email protected] writes:
> I have some curiosity questions about the way "boot sector" viruses
> infect the "hard drive" and "the system (memory)", (or is it "the
> system (memory)" and then the "hard drive"?), only because I have been
It depends on the particular virus. Most viruses first install
themselves in memory, then infect the hard disk. However, nothing
prevents the virus from doing the same in the reverse order.
> We have the same "powered-off", non-infected, MS DOS based, PC computer
> system with one 5.25" floppy drive and one hard drive. Let's say I
> have an infected (Michaelangelo virus) 5.25", 360K, "NON-bootable"
> floppy. Let's put it into our "A" Drive and close the door. Now, turn
> on the power to the computer and let it attempt to "boot" up. Instead
> of a DOS Prompt, we now have "Non-system disk or disk error; replace
> and strike any key when ready" or something like that--you get the
> idea. NOW, instead of replacing and rebooting, let's turn the power
> off.
> 1. Is the virus in memory? I believe no, since the power is off.
Of course. It cannot be there.
> 2. Has the virus infected the hard drive? (I do not know. Can
> someone answer for me?)
In this particular example (Michelangelo) - Yes. This particular virus
does the following when booted from an infected floppy:
1) Installs itself in memory;
2) Checks whether the hard disk is infected and infects it if
it isn't;
3) Checks for the activation date and overwrites the
disk(ette) it has been booted from, if the date is March 6th. The
GetDate function is performed via INT 1Ah, so the virus will not
cativate on computers that do not support it (mainly old XTs);
4) Loads the original boot sector and transfers control to it.
This original boot sector will look for the DOS files and print the
"Press any key" message if they are not found.
However, some other viruses act in a different way. For instance, Ping
Pong will infect the hard disk only if you access it. The hard disk is
first accessed (after the infected boot sector has received control)
only when DOS is loading and the devices initialized. So, the
following scenario holds:
1) You put a non-bootable diskette, infected with Ping Pong in
drive A:;
2) You switch the power on;
3) The virus installs itself in memory;
4) It transfers control to the original boot sector, which
displays the "Press any key" message;
5a) If you now switch the machine off (or just press
Alt-Ctrl-Del) and replace the diskette with a non-infected bootable
one, the virus is gone.
5b) If you replace the infected diskette with a bootable one
and press the "any" key, DOS will be loaded from this diskette, the
virus will be active in memory (and your bootable diskette infected,
if it is not write-protected), and your hard disk infected, even if
you have not explicitely accessed drive C: (because DOS itself has
done this already).
> The point I am getting at is this: Most people will FIX the "non-boot"
> problem by opening the floppy drive door and then use the three-key
> (CTRL-ALT-DEL) combination to "reboot" from the hard drive without
> turning the system power off, possibly leaving the virus in memory, but
> maybe the virus has not infected the hard drive yet, giving it the
> opportunity to now infect the hard drive, after the second, now
> successful, "boot" attempt.
Right, that is why most people keep getting re-infected by Stoned,
Michelangelo, etc... Educate the users!
> If we were to turn the system power off, killing the virus in memory,
> and then reboot from a "non-infected" floppy disk, would the hard drive
> already be infected?
Depends on the virus. Most probably - yes.
Hope the above explains the situation. Feel free to ask if you have
more questions.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 24 Feb 92 15:43:50 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Surviving warm reboot (PC)
[email protected] (David.M.Chess) writes:
> Powering off is key, though; if the virus is in memory when you c-a-d,
> all bets are off. Some viruses, including the Joshi as I recall,
> intercept the c-a-d sequence, and arrange to remain in memory. So if
> you boot from a Joshi-infected diskette, then open the door and c-a-d
> at the "Strike any key" message, your hard disk will be infected
> shortly thereafter (if I'm remembering correctly; I don't have Joshi
> source at hand at the moment).
Sorry to disagree, Dave, but this is a pet peeve of mine, so I
couldn't resist. :-)
In short, no virus is able to survive the Alt-Ctrl-Del IN GENERAL.
What I claim is:
1) You insert an infected diskette and execute the virus from it. The
virus installs itself in memory, but does not write anything on the
diskette or the hard disk (there might be no hard disk, and the
diskette might be wrte-protected.
2) You replace the infected diskette with a clean, write-protected,
system diskette.
3) You press Alt-Ctrl-Del.
4) You observe the same "booting picture" as usual, i.e. the usual
messages displayed by the BIOS during the boot process.
5) When the boot process is completed, the virus is still active in
memory.
6) This works on all kinds of computers, not only on some weird ones
(for instance, it could be achieved on standard IBM XTs, on computers
with EMS, on 80386-based machines, etc., but this does not fit the
"general" scheme).
Well, I claim that no virus is able to achieve all of the above.
True, there are at least two viruses, which try really hard to fake a
true reboot. These are Joshi and Alabama. However, since they are
using INT 19h to chain to the warm reboot sequence, they will either
hang the machine if there are any TSRs loaded, or will not display the
original "reboot picture". The way to achive this on -some- machines
(like the mentioned above) is achievable, however, and I can explain
it to you privately, if you don't know it already.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Mon, 24 Feb 92 04:42:33 +0000
>From:
[email protected] (Iain)
Subject: Re: WDEF infection at a school (Mac)
> Latest version Disinfectant 2.5.1
NOT! ( Always wanted to say that.... ;] )
As per comp.sys.mac.announce:
Tool: Disinfectant
Revision to be released: 2.6
Where to find: usual archive sites and bulletin boards --
ftp.acns.nwu.edu, sumex-aim.stanford.edu,
rascal.ics.utexas.edu, AppleLink,
America Online, CompuServe, Genie, Calvacom,
MacNet, Delphi, comp.binaries.mac
When available: (expected) late 2/21/92
- -iain
- --
/ /\ Davidson,
[email protected], uw-beaver!wwu.edu!IAIN
/ /\ \ {umop ap!sdn} {n8735053 | iain}@henson.cc.wwu.edu
/_/__\ \ ".... but you can't quote me on that ...." -- Scot Vidican
\_____\/ <<HELLO! I'm a .signature virus! Join in and copy me into yours!>>
(Egads-Ugh! I'm infected!)
------------------------------
Date: Mon, 24 Feb 92 04:59:00 +0000
>From:
[email protected] (Christopher S. D'Arrigo)
Subject: Non dectable Virus (Amiga)
ANyone know of a virus that could not be detectable by most scanners
that would cause any or all of the following:
Cant Boot off Hard Drive (sometimes)
System wont recognize Fast Ram (sometimes)
Causing Guru's While Disk I/o
Guruing W/o disk I/O
System just freezes
Maybe its not a virus at all but one of the highly intergrated chips
that just gave up. (its a rather old A500).
Your thought will be GREATLY appreciated.
------------------------------
Date: Mon, 24 Feb 92 14:11:16 +0000
>From:
[email protected] (Gregory Grosshans)
Subject: viruses in general-=help
I've just scanned the last 200 messages on this newsgroup to try to
get a feel of how viruses work more specifically. My employer doesn't
understand the ramifications of a virus not detected on a pc and is
relucatant to have software always check the system each time it is
powered up.
Is it not true that checking on weekly or bi-weekly intervals for a
virus infection is not dangerous?
Does anyone know how long it takes for a "new" virus to enter the
market (public domain) after the latest anti-virus software package is
released (i.e. do the virus-writers wait until the latest anti-virus
software is released before they come up with a new virus)?
Methods of virus infection, or types of virus infection, can include:
boot sector, .EXE and .COM files, device drivers. Are there any
others that I'm missing? Can non-executable (i.e. data files) be
infected with escape character sequences, etc?
Any information is greatly appreciated!
- --
+-----------------------------------------------------------------+
| Gregg Grosshans > normal disclaimers apply |
|
[email protected] >--------------------------|
| an565%cleveland.freenet.edu@cunyvm > |
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 41]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
