From:      Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To:        [email protected]
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V5 #6
Reply-To:  [email protected]
--------
VIRUS-L Digest   Tuesday, 14 Jan 1992    Volume 5 : Issue 6

Today's Topics:

Virus vector Identified (PC)
Odd Problem with F-PROT 2.01 (PC)
Re: Looking for info on "Friday the 13th" virus (PC)
Re: Question re Stoned (PC)
Re: password program (PC)
Re: List of Viruses (PC)
Re: Norton Anty Virus (PC)
Re: Joshi Virus and IDE Hard Drives (PC)
Re: Norton Anty Virus (PC)
Re: List of Viruses (PC)
Re: Looking for info on "Friday the 13th" virus (PC)
Philosophy and Time (PC)
Info about UNIX viruses (UNIX)
I/O bound CPU bound definitions
New Antivirus Organization Announced
Write protection - software

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    09 Jan 92 15:57:05 +0000
From:    [email protected] (Lloyd E Vancil)
Subject: Virus vector Identified (PC)

The following received wide distribution at this location. I strongly
advise anyone out there who works for Uncle Sam to be aware and take
proper steps.
L.V.

[Printed with permission]
                                                      5230
                                                      01-MB
                                                      8 JAN 92
MEMORANDUM

From:  Executive Officer

Subj:  COMPUTER VIRUS

Ref:   (a) CINCPACFLT Pearl Harbor HI 250649Z Dec 91

1.  Following extracted from reference (a) and forwarded for your
information:

   QUOTE  1.  Information has been received concerning the
   receipt (principally by Public Affairs Offices (PAO)) of a
   quantity of rambling, disjointed literature and a computer
   disk from a "Masterfard Muhammad" of Chicago, IL.  Some of the
   packages were mailed from Manhattan and Junction City,
   Kansas.

   2.  The diskette enclosed with the material has been found to
   contain a version of the "stoned" computer virus which is a
   boot sector virus which will contaminate the hard disk of a
   personal computer when booted and cause a "hard disk crash" to
   the infected microcomputer.

   3.  If the material described above is received, do not open
   the package.  Contact your servicing NIS activity for
   disposition instructions.  UNQUOTE

                               M. S. BACIN

Distribution D


- --
|[email protected]|[email protected]|sun!suntzu!suned1!lev
|
|S.T.A.R.S. The revolution has begun!|  My Opinions are Mine mine mine hahahah!
|

------------------------------

Date:    09 Jan 92 12:40:00 -0600
From:    "William Walker C60223 x4570" <[email protected]>
Subject: Odd Problem with F-PROT 2.01 (PC)

While testing F-PROT 2.01 against my suite of captive viri, I noticed a
curious behavior.  When F-PROT prompted to "Press ENTER to scan next
diskette," I swapped diskettes, pressed ENTER, and F-PROT began scanning
the diskette, but the files it reported scanning were those on the
previous diskette.  Removing and reinserting the diskette didn't help
any.  Only when I quit and restarted the program did it scan the diskette
correctly.  However, this was 100% repeatable -- when I changed diskettes
again F-PROT reported scanning the files on the first diskette.  Other
scanners work correctly when scanning multiple diskettes, and the machine
(Unisys 3256 25MHz 386 w/12MB RAM, 3.5" and 5.25" floppies, 340MB SCSI
hard disk, DOS 4.01) is working OK.  No disk-caching programs are
resident.  Booting from a clean, pure DOS 4.01 floppy didn't help, either.
Also, this problem was only present with drive B: (5.25" 360K).  F-PROT
otherwise worked OK, and when it correctly read the diskettes, it detected
all viri presented.

Has anyone else encountered this problem with F-PROT 2.01?  Does anyone
have any ideas what might be causing this, if it's not F-PROT?  Please
excuse me if this has already been brought up -- I haven't had the
opportunity to read through all of my back issues of VIRUS-L as thoroughly
as I would like to.

Bill Walker ( [email protected] ) |
OAO Corporation                        |     "That's not a bug,
Arnold Engineering Development Center  |      that's a feature!"
M.S. 120                               |          - Anonymous
Arnold Air Force Base, TN  37389-9998  |


------------------------------

Date:    09 Jan 92 19:17:38 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Looking for info on "Friday the 13th" virus (PC)

[email protected] (scott.forbes) writes:

> I also have a PC which recently lost its hard drive, at approximately
> the stroke of midnight on Friday, December 13.  :-) I don't think this
> is a coincidence, and would like to find out more about the virus in
> question to prevent a recurrence.

> The hard disk received a low-level format, but I still don't know the

All the viruses which activate on Friday the 13th that I know of (lots of
Jerusalems and South Africans) delete files; they do not format the
drive. The Hybrid virus overwrites the hard disk, but as far as I
remember, it does this only on Friday the 13th in 1992 and later...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
[email protected]   Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246     Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    09 Jan 92 19:37:12 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Question re Stoned (PC)

[email protected] writes:

> At any rate, "Stoned" seems to be history in our lab, if only because
> it does not seem to infect 3.5" diskettes (which we've recently
> switched to).

Stoned infects 3.5" diskettes perfectly, but it only does this on
drive A: (on the first physical drive, more exactly). They have
probably installed 3.5" drives as drive B: and/or above.

> My question is this.  For the benefit of many users who only have
> 5.25" drives at home and want to use one of our 3.5" PC's, we set up a
> 3-floppy PC with menu-driven software for file copying and diskette
> formatting.  A: & B: drives are 360K and 1.2M (respectively); C: is
> 1.44M.  D: is the hard drive.  If ever a PC would be susceptible to

With this configuration, even if both the floppies in drive A: and the
hard disk (D:) are infected and even if the virus is active in memory,
the copies from drive B: and above will never get infected.

> (Like I say--I know "Stoned" is still around here.)  Is there
> something about the four-disk controller setup (or the drive name
> "D:") that creates an immunity to "Stoned"?  Or have we been
> incredibly lucky?

As I said, you cannot infect the copies you make. As to why you have
not been infected yet, I guess you just had luck and didn't try to
boot from an infected disk (that is, didn't forget an infected disk in
drive A:).

Hope the above helps.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
[email protected]   Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246     Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    09 Jan 92 20:14:05 +0000
From:    [email protected] (Bob Blackshaw)
Subject: Re: password program (PC)

[email protected] (Barry T. Drake) writes:

>Another way to reset the CMOS is to disconnect the battery.

>If it's a soldered-in NiCad, try draining it completely with a light bulb
>or other load (unless you *really* want to unsolder it).

>- --Barry ([email protected])

Please don't use a light bulb. Look around the motherboard near the
built-in NiCad for an in-line 4 pin Berg connector (4 vertical pins)
which are usually provided for replacement of the NiCad by an out-
board battery. Two pins should be jumpered together, sort of like so

               o o o o
               + N   -

where + and - are the usual external battery connections and N is the
positive side of the NiCad, so the + and the N would be jumpered to-
gether. The negative side of the NiCad is connected to the ground
plane of the MB. Removing the jumper and shorting + and - will drain
your CMOS. I think most MB mfrs did this so that we would not have
to take a soldering iron to a six-layer MB (shudder).

Bob B.

------------------------------

Date:    09 Jan 92 17:57:10 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: List of Viruses (PC)

[email protected] (THE GAR) writes:

> Someone faxed me a list of viruses, that I believe he got from Center
> Point, with codes for him to enter to update his virus information for
> the package.  He sent it to me to show how many viruses Center Point
> protected him from that McAfee fails to protect me from.

Unfortunately, I don't have the latest version of CPAV, but I'm rather
disappointed by the one I last saw. It has a lot of fancy menus but is
not a -very- good anti-virus tool. Especially having in mind that it
is based on TNTVIRUS, which is an -extremely- bad anti-virus tool.

As to SCAN, its latest version (85) is pretty good in detecting
infections. During the tests it didn't detect only about 63 different
variants of our virus collection, which consists of more than 1,000
different virus variants. Unfortunately, you must always have in mind
that you MUST NOT DRAW ANY CONCLUSIONS FROM SCAN'S OUTPUT OTHER
THAN WHETHER A PARTICULAR FILE IS INFECTED OR NOT. Any information
SCAN may give you about the actual name of the virus, the number of
viruses in the file, the properties of the virus, the relationship of
the virus to other viruses, very often has nothing to do with the
truth and can be quite misleading. Fortunately, most users do not need
anything more than a program, which tells them whether any new files
they get are infected or not.

> My question (McAfee rep?) is whether these are actually detected by
> McAfee but called something else.

Very often SCAN uses a different name; replies to this question follow
each of the viruses you ask about.

> Also, can anyone identify any of the following that are especially
> prevalent?  Or are these mostly "laboratory" viruses?

Most of them are not widespread.

> Twelve Tricks

This is not a virus, it's a trojan. It does not spread, so it cannot be
widespread. SCAN recognizes it as 12 Tricks Trojan [Tricks].

The following are boot sector viruses. I don't have them in live form, so I
was unable to test how SCAN recognizes them.

> Golden Gate 1
> Golden Gate 2

These are supposed to be Yale variants. I have only one variant of Yale and
I doubt pretty much that others exist - until I see them.

> Stoned III

This is known also as NoINT.

> Zapper

Stoned variant.

> Den-Zuk 2

Probably the virus, called Ohio.

> Anthrax PT
> Omicron PT (More well known as Flip)

The above two are multi-partite viruses. This means that they infect both
files and boot sectors. Probably by PT the guys at CPS mean that they can
detect the virus not only in the files, but also in the partition table.
Big deal.

Well, now about the file infectors.

> Kylie
> Faggot

I never succeeded in making these work and spread. In fact, I suspect that
Faggot is a trojan, not a virus. You can guess how "widespread" they are.
Anyway, SCAN identifies them as

Kylie: Jerusalem Related [Jeru]
Faggot: VHP Related [VHP]

> 740
> April 15
> France

I don't know what they mean by these names. In general, it's a bad practice
to use a number, a date, or a place as a name of a virus. I certainly don't
know all the infective lengths of our more than 1,000 viruses by heart, but
I don't remember one with infective length of exactly 740 bytes. Maybe
Fridrik Skulason can correct me. April 15th is the activation date of a
variant of the Murphy virus, called Swami. SCAN detects it as Murphy
[Murphy]. There are at least three viruses from France; what they probably
mean is the Paris virus. SCAN detects it as Paris [Paris].

> Lunch
> PC Bandit
> Doctor
> Drug

Never heard about these. They are either new ones, or very obscure names of
old viruses.

> 805

This is probably one of the Stardot variants. SCAN detects it as V-801
[V801]. Not spread at all.

> 1590

This is probably the Green Caterpillar. Scan detects it as 1591/1575
[15xx]. Not spread.

> Amoeba 2

This is probably the Maltese Amoeba. Watch out if you live in Ireland; the
virus is quite widespread there. It's a dangerous polymorphic multi-partite
fast infector. SCAN detects it as Irish [Irish].

> Anarkia

A Jerusalem variant. SCAN detects it as Jerusalem Related [Jeru] and Fu
Manchu - Version A [Fu]. Not spread.

> Beast C
> Beast D

These are No. of the Beast variants. This virus has 13 variants, all of
them detected as 512 [512] by SCAN. Some of the variants are (not very
widely) spread in Bulgaria.

> Cascade YAP

There is a misunderstanding here; in fact two different Cascade variants
were called with this name. SCAN recognizes both as Yap [Yap]. Not spread
at all.

> Dark Lord

A Terror variant. SCAN recognizes it as Terror [Ter]. Found once in the
wild in Bulgaria.

> Decide

SCAN recognizes it as Deicide [Dei]. Not spread at all.

> Diamond

SCAN recognizes it as Alfa Related [Alf]. More exactly, one should say
"reports it", since it reports a lot of other (completely unrelated)
viruses the same way. Two variants were once uploaded to a BBS in Bulgaria.

> HIV

A Murphy variant. SCAN recognizes it as Murphy [Murphy]. Never found in the
wild.

> Horse II

There are 9 variants of the Horse viruses, so I don't know what they mean by
that. SCAN recognizes the first 8 only as Horse [Hrs] (and sometimes
reports also 512 [512], which has nothing to do here). Most of them are not
very widespread in Bulgaria, mainly in some schools in Sofia. Probably
Horse II is the last variant, which SCAN does not detect, since it is a bit
different from the others.

> Justice

SCAN recognizes it as Justice [Justice]. Once found in the wild in
Bulgaria.

> Phoenix

There are 6 variants of this virus. SCAN recognizes 800 as V800 [V800],
1226, Phoenix, Proud, and Evil as P1 Related [P1r], and V82 as [V82].
Relatively widespread in Bulgaria and several times uploaded to BBSes in
West Europe.

> Suomi

SCAN recognizes it as 1008 [1008]. Not very widespread in Finland.

> Tequila

SCAN recognizes it as Tequila [Teq]. Widespread in West Europe, a
polymorphic multi-partite fast infector. Beware.

> Vienna 656

SCAN recognizes it as Lisbon Virus [Lisbon] and VHP Related Virus [VHP].
Not spread at all.

> Virdem 792

SCAN recognizes it as Burger [Burger]. Not spread at all.

> Vriest

SCAN recognizes it as Vriest [Vrst]. Not spread.

Hope the above helps.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
[email protected]   Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -246     Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Thu, 09 Jan 92 21:12:29 +0000
From:    [email protected] (Brian Yoder)
Subject: Re: Norton Anty Virus (PC)

[email protected] (Cezar Cichocki) writes:
> Hi folks,
> I use Peter Norton's program and I am very interested in his antiviral
> program. Somebody told me that there is a shareware version of NAV
> (about 1.5 or something like this). Is this true?

No, there is no version of NAV in the public domain or as shareware.
I suspect that someone is pulling your leg (and perhaps his own).

- --
- -- Brian K. Yoder ([email protected]) - Q: What do you get when you cross     --
- -- Peter Norton Computing Group      -    Apple & IBM?                       --
- -- Symantec Corporation              - A: IBM.                               --

------------------------------

Date:    Fri, 10 Jan 92 01:59:39 +0000
From:    [email protected] (McAfee Associates)
Subject: Re: Joshi Virus and IDE Hard Drives (PC)

[email protected] (Greg Argendelli) writes:
>How are people removing the Joshi virus from IDE hard drives?  Based
>on what I have read in Patricia's VSUM program, the only way to remove
>the virus is via a low-level format.  Since we can't do such a format
>on an IDE, do we wind up trashing the drive?  Inquiring minds need to
>know.  McAfee's scan/clean find it, and claim to clean it, but
>don't....

Hi Greg,

I'm not sure what the problem is that you are having with VIRUSCAN and
CLEAN-UP but it sounds like the PC in question is becoming re-infected
after removal of the virus.  You may want to check any floppies in the
vicinity of the PC and see if they have the virus on them and are
re-introducing it.

In any case, if CLEAN-UP says that a virus cannot safely be removed from
the partition table, you have several options available to you other
than doing a low-level format.

1.      If you're so inclined, you can copy the partition table off of
       an identically partitioned hard disk and copy it over the PT of
       the infected hard disk.

2.      If you have MS-DOS 5.00, you can run the DOS FDISK command with
       the /MBR option.  This is an undocumented switch in the FDISK
       command that replaces the Master Boot Record code (alias partition
       table) while leaving the data portion intact.

3.      Use a sector editor to change the last two bytes of the partition
       table, which are "55 AA" to anything else.  This will invalidate
       the partition table information, and you can then re-FDISK and
       FORMAT the disk.

Naturally, there is always a small amount of risk in doing any of this, so
it's always a good idea to make a backup of the hard disk before proceeding.

Another possibility is that you do not have the virus at all and instead are
experiencing a "ghost" effect, that is, when a fragment of viral code is left
at the end of a file somewhere on the disk that is loaded into memory with
the file and causes a false alarm.  This can be fixed by running a disk
optimizing program to defragment the disk, or there's a program somewhere in
the simtel archives called COVERUP or COVERUP1 that will null-out the ends
of files.

BTW, I assume that you have tried using the latest (V85) version of
CLEAN-UP to remove the virus, both with the [JOSHI] and [GENP] ID
codes, as well as giving M-DISK a shot (if formatted with DOS 3-4).

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- --
- - - -
McAfee Associates        | Voice (408) 988-3832 | [email protected]  (business)
4423 Cheeney Street      | FAX   (408) 970-9727 | "Welcome to the alligator
Santa Clara, California  | BBS   (408) 988-4004 | farm..."
95054-0253  USA          | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | or GO VIRUSFORUM
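
As an added example (it is not from McAfee Associates, and it is not the
code of CLEAN-UP or of FDISK), the following Python script parses a
512-byte MBR image and carries out two of the repairs listed above on an
in-memory copy: rebuilding the sector from known-good boot code while
keeping the partition table, which is what FDISK /MBR does, and
clobbering the 55 AA signature so the disk is treated as unpartitioned.
It also keeps a hash of the 446-byte code area as a baseline, so the same
script can tell a changed code area from an intact one before and after
the repair. The sample sectors, the stub bytes, the partition geometry and
the "VIRUS!" filler are constructed for the demonstration and do not come
from any real disk or any real virus; on a real machine the sector would
come from a raw read of drive 80h (or dd on a modern system), and an
untouched copy of it should be saved before anything is written back.

```python
"""Parse, fingerprint and repair a 512-byte PC Master Boot Record image.

Added example for the MBR-repair options discussed in the post above.
Every sector used here is constructed in this file (assumption: a
standard MBR layout of 446 bytes of code, four 16-byte partition
entries and the 55 AA signature).
"""
import hashlib
import struct

MBR_SIZE = 512
CODE_SIZE = 446          # bootstrap code area: bytes 0..445
PT_OFFSET = 446          # four 16-byte partition entries: bytes 446..509
PT_ENTRY_SIZE = 16
SIG_OFFSET = 510         # boot signature: bytes 510..511 must be 55 AA
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into code, partition entries and signature status."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "code": sector[:CODE_SIZE],
        "partitions": partitions,
        "signature_valid": sector[SIG_OFFSET:] == BOOT_SIGNATURE,
    }


def code_fingerprint(sector: bytes) -> str:
    """SHA-256 over the code area only, so a later partition edit does not
    trip the check. Record it on a known-clean machine, compare at boot."""
    return hashlib.sha256(sector[:CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the MBR looks untouched."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_valid"]:
        findings.append("boot signature is not 55 AA")
    if code_fingerprint(sector) != baseline_fingerprint:
        findings.append("code area differs from baseline")
    # Stoned-style infectors keep the original partition table, so a sane
    # table under a changed code area is the usual picture of an infection.
    if not any(p["sectors"] for p in info["partitions"]):
        findings.append("partition table is empty")
    return findings


def rebuild_mbr(infected: bytes, clean_code: bytes) -> bytes:
    """Option 2 above (what FDISK /MBR does): fresh boot code, partition
    table copied over unchanged from the infected sector."""
    if len(clean_code) != CODE_SIZE:
        raise ValueError("clean boot code must be 446 bytes")
    return clean_code + infected[PT_OFFSET:SIG_OFFSET] + BOOT_SIGNATURE


def invalidate_signature(sector: bytes) -> bytes:
    """Option 3 above: clobber 55 AA so the table is treated as invalid and
    the viral code in the sector is never executed by the BIOS again."""
    return sector[:SIG_OFFSET] + b"\x00\x00"


def build_sample_mbr(code_fill: bytes) -> bytes:
    """Construct a demo sector (assumption, not a real disk): the code fill
    repeated to 446 bytes, one bootable FAT16 partition at LBA 63 with
    40000 sectors, three empty entries, and a valid signature."""
    code = (code_fill * (CODE_SIZE // len(code_fill) + 1))[:CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\xFF\xFF", 63, 40000)
    table = entry + b"\x00" * (PT_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed demo data: a "clean" sector whose code area starts like a real
# boot stub (cli / xor ax,ax / mov ss,ax / mov sp,7C00h) and an "infected"
# copy whose code area was replaced while the partition table survived.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
INFECTED_MBR = build_sample_mbr(b"VIRUS!")[:CODE_SIZE] + CLEAN_MBR[CODE_SIZE:]
BASELINE = code_fingerprint(CLEAN_MBR)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
    repaired = rebuild_mbr(INFECTED_MBR, CLEAN_MBR[:CODE_SIZE])
    print("repaired:", check_mbr(repaired, BASELINE))
    print("bootable partition:", parse_mbr(repaired)["partitions"][0])
```

The caveat that goes with option 2 is the same one that goes with FDISK
/MBR: it only helps when the virus left the partition table where the
BIOS and DOS expect it. If the virus relocated or scrambled the table,
or the disk relies on a drive overlay that lives in the MBR, rewriting
the code area alone leaves a disk that will not boot, which is why the
raw copy of the sector is taken first.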

------------------------------

Date:    Fri, 10 Jan 92 05:33:23 +0000
From:    [email protected] (Rob Slade)
Subject: Re: Norton Anty Virus (PC)

[email protected] (Cezar Cichocki) writes:
>program. Somebody told me that there is a shareware version of NAV
>(about 1.5 or something like this). Is this true?

No, it is not true.

A number of people are posting the upgrade virus signature files on
private BBSes.  Norton does not condone this either.

==============
Vancouver      [email protected]   | "If you do buy a
Institute for  [email protected]      |  computer, don't
Research into  [email protected]         |  turn it on."
User           CyberStore Dpac 85301030 | Richards' 2nd Law
Security       Canada V7K 2G6           | of Data Security

------------------------------

Date:    Fri, 10 Jan 92 09:05:58 +0000
From:    Fridrik Skulason <[email protected]>
Subject: Re: List of Viruses (PC)

In Message 3 Jan 92 20:09:42 GMT, [email protected] (THE GAR) writes:
>1590                         Golden Gate 1
>740                          Golden Gate 2
>805                          HIV
>Amoeba 2                     Horse II
>Anarkia                      Justice
>Anthrax PT                   Kylie
>April 15                     Lunch
>Beast C                      Omicron PT
>Beast D                      PC Bandit
>Cascade YAP                  Phoenix
>Dark Lord                    Stoned III
>Decide                       Suomi
>Den-Zuk 2                    Tequila
>Diamond                      Twelve Tricks
>Doctor                       Vienna 656
>Drug                         Virdem 792
>Faggot                       Vriest
>France                       Zapper

Some of the names in the list are old and well-known viruses, such as
Anarkia, Cascade YAP, Dark Lord, Deicide, Diamond, HIV, Justice, Kylie,
Phoenix, Suomi, Tequila, the Vienna variants and Vriest.

The others are either not viruses (12 Tricks), a case of bad naming
practices, or (in a few cases) something I have never heard of,
such as Drug and Lunch.

- -frisk

------------------------------

Date:    Fri, 10 Jan 92 09:28:26 +0000
From:    Fridrik Skulason <[email protected]>
Subject: Re: Looking for info on "Friday the 13th" virus (PC)

There are around 20 viruses which activate on Friday the 13th, such as
"South African" (which may not be South African at all), Jerusalem (with a
bunch of variants), Datacrime (well, sort of...), Relzfu (Fake-VirX),
Monxla, Leningrad and Omega.

Unfortunately the available information is not specific enough to determine
which virus is the cause in this case.

- -frisk

------------------------------

Date:    Fri, 10 Jan 92 11:10:42 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Philosophy and Time (PC)

    For over a year now we have been discussing simple techniques
for virus prevention - not 100% techniques, but then stopping the
spread does not require 100%, it is significantly less.

    Lately,  I  have come to realize that virus spread  is  best
modeled   using  a  diffusion-limited  aggregation  process  from
Fractal  Geometry:  infected  populations grow  in  clusters  and
larger  clusters  grow faster but slow again as they  approach  a
limit  imposed  by the envelope. While the math is  complex,  the
underlying  fact is not - if the clusters never exceed a  certain
size, epidemics do not occur.

    Consequently, I have focused my work not on 100%  prevention
with  the draconian measures that this would incur but a  gentler
process  that  provides  a near-certain likelihood  (I  have  not
mastered all of the math yet) of blocking viruses. With little or
no effect on the PC.

    Initially,  I decided to concentrate on the BIOS  viruses  -
those  infecting  the MBR (master boot record) and BR  (DOS  Boot
Record)  of hard disks. There were two reasons for  this:  First,
not  many  people  seemed to be working in  this  primeval  area.
Second,  the  rules  were simpler and I felt  that  it  would  be
possible  to  avoid  the Turing "halting"  difficulty  since  the
system at that point is rigorously defined.

    The   results  were  several:  DISKSECURE  was   the   first
technology demonstrator though its roots go back several years to
a  pair of programs designed to detect the Pakistani Brain  (also
see the "Six Byte" method). Observations made at that time led to
some DS principles.

    Of  course, the real problems came from  compatibility  with
all   of  the  diverse  systems  used  around  the  world,   only
discoverable  in practice. I wish to thank all of the V-L  people
who  provided feedback on what did not work that permitted me  to
accumulate a database of "compatibility requirements" - seventeen
bytes  in  one area that could not be depended on to  be  stable,
operating  systems that expected certain registers to  be  passed
intact, etc.

    In  comparison, a manufacturer who only has to  worry  about
his  current  hardware  and  software  has  it  easy.  I  have  a
tremendous  respect for all of the anti-virus vendors who  manage
to write programs that WORK. The marvel is not that they work  so
well,  the  marvel is that they work at all (paraphrased  from  a
quote  but  have  no idea whose). - No  wonder  most  third-party
FORMAT routines simply put code in the BR that says "This disk is
not Bootable".

    As is usual in later generations, I found that while DS  was
effective  in its purpose, less rigorous methods  would  suffice:
for  anti-virus  work. This led to the SafeMBR concept -  an  MBR
that  also did integrity checking using a special pair  of  rules
but did not have to go resident (unlike DS) to be effective. This
was  followed  by  NoFBoot,  a  small  TSR  designed  to  prevent
"accidents"  that  (IMHO) cause most MBR  infections.  The  final
step, CHKSMBR (a non-resident program included in FixMBR v  2.1),
simply verifies that SMBR has not been tampered with and  permits
Network authentication as well.

    This  complete "layered" system is IMHO capable of  knocking
out  the spread of all known MBR viruses (that account  for  over
50%  of  all  computer  virus  infections  -  data  from   McAfee
Associates  -  and all of the latest  round  of  "shrink-wrapped"
infections including the Dec. Novell incident).

    Of course, and again IMHO, where this technology belongs  is
in  the Operating Systems. It is trivial to  incorporate  SafeMBR
techniques  into FDISK and NoFBoot could easily  be  incorporated
into  either  the  hidden files  or  COMMAND.COM.  FixMBR  simply
demonstrates  a virus-aware repair capability easily included  in
FDISK  as  an  extension of the /MBR switch  in  5.0.  One  clone
manufacturer has shown an interest and I have seen an  indication
that Compaq may be working this area also (though how seriously I
have no idea) but thus far that is the extent.

    In  any  event,  with the completion of  FixMBR  v  2.1,  my
feeling  is  that this study has gone far enough and  that  other
things  are more interesting (besides, over the holidays  I  came
close  to exhaustion and zero-free-time has been a fact  of  life
for too long now).

    Consequently, for the next while I plan to use what time  is
available  for  studying networks (I see the potential  for  some
serious   liabilities implicit in peer-peer networks that  cannot
require use of login scripts), Fractals, and putting my  Pontiacs
together.

                                       Warmly,
                                                 Padgett

                   <padgett%[email protected]>

------------------------------

Date:    Thu, 09 Jan 92 17:57:00 +0100
From:    "Olivier M.J. Crepin-Leblond" <[email protected]>
Subject: Info about UNIX viruses (UNIX)

Could someone please forward me info about *any* UNIX viruses.  I'm
not talking about worms, but actual viruses, comparable to MS-DOS
viruses, for example. I'd just like a description of them (if any).
Pointers to sources of info are also welcome.  Thanks,

Olivier M.J. Crepin-Leblond, Communications Sys., Elec. Eng. Dept.
Imperial College of Science, Technology and Medicine, London, UK.
<[email protected]> - Internet/Bitnet

------------------------------

Date:    Thu, 09 Jan 92 08:45:19 -0800
From:    [email protected]
Subject: I/O bound CPU bound definitions

[email protected] (John Elghani) writes:

>   1- A virus obviously is a program that is CPU bound, io bound, ..etc.
>     i.e. it occupies system's resources.  Some could probably delete
>     all files on a system? right?

Let's clarify I/O bound (input/output bound) and CPU bound.  These
terms refer to computers, not the programs.  They simply point out the
"weakest link" or "bottleneck".  An I/O bound computer means that it
is using all of its I/O resources to the maximum, but the CPU is often
idle.  CPU bound means that the CPU is processing at its maximum, but
there is plenty of unused DMA or I/O channels.  To improve the
performance of a CPU bound computer, one could buy a faster cpu (not
necessarily true for the I/O bound computer).

- - George Roberts
[email protected]
decwrl.dec.com!teda!ratvax.dnet!roberts

------------------------------

Date:    Thu, 09 Jan 92 16:36:00 -0700
From:    "Rich Travsky 3668 (307) 766-3663/3668" <[email protected]>
Subject: New Antivirus Organization Announced

The following is from the Dec 30,1991/Jan 6,1992 issue of Network World.

       Virus Busters Join Hands  --  The Antivirus Methods Congress, a
       newly formed organization to combat computer viruses, was announced
       last week with the goal of bringing users, vendors and researchers
       together to tackle virus attacks on networks in the private and
       government sectors.

       Dick Lefkon, associate professor at New York University and chair-
       man of the new group, said the organization already has 50 members,
       including representatives from Martin Marietta Corp., the
       insurance industry, the state of Arizona's legal department,
       Northern Telecom, Inc. and universities in Hamburg, Germany, and
       Iceland.

Any typos are without a doubt mine!  (BTW, anyone have a list/whatever of
existing antivirus orgs? Just curious.)

+-----------------+     Richard Travsky
|                 |     Division of Information Technology
|                 |     University of Wyoming
|                 |
|                 |     RTRAVSKY @ CORRAL.UWYO.EDU
|           U W   |     (307) 766 - 3663 / 3668
|            *    |     "Wyoming is the capital of Denver." - a tourist
+-----------------+     "One of those square states." - another tourist
Home state of Dick Cheney,  Secretary of Defense of these here UNITED STATES!

------------------------------

Date:    Mon, 06 Jan 92 12:37:22 -0800
From:    [email protected] (Rob Slade)
Subject: Write protection - software

DEFMTH3.CVP   920105

                 Write protection - software

An aspect related to hardware damage is that of "write
protection".  Although this aspect of security is a part of
normal computer operation, the details are not necessarily well
understood by the general public.  In addition, certain
procedures related to write protection often recommended as
anti-viral measures are of little or no use.  They may, indeed,
be "dangerous", in that they encourage users to think themselves
safe and not to take further measures.

First of all, there is software write protection.  Many user
manuals for antiviral programs have suggested changing the file
attributes of all program files to "read-only" and "hidden".  A
minor problem with this is that a number of programs write to
themselves when making a change in configuration.  However, the
more major problem is that this action provides almost no real
protection.  What software (the operating system or protection
program) can do, software (a virus) can undo.  The overcoming of
this protection in MS-DOS is so trivially simple that utility
programs, asked to make a change to a protected program, simply
remind the user that the file is protected and ask for
permission to proceed.  (At least, the better written ones ask.
Such is the contempt for "read-only" flags, that some programs
just "do it".)

There are, as well, programs which attempt to write protect the
hard disk as a whole, or individual files.  Since these programs
use methods other than the standard OS calls they are generally
more successful in protecting against "outside intrusion".
However, I must again repeat that what software can prevent,
software can circumvent.

Software write protection must, of course, be running to do any
good.  Thus boot sector infectors, and any other viri which
manage to start up before the software protection is invoked,
have little to fear from these programs.  Some of the protection
programs start themselves as replacements for the master or
partition boot record, in order to get around such "early"
infectors.  However, in testing none have been able to prevent
infection by the ubiquitous "Stoned" virus.  (Regular readers of
the reviews will note the recent trial of one such hard disk
security program which not only did not prevent the infection,
but would not, thereafter, allow disinfection!  In my reviewing
I have come to be much
Downloaded From P-80 International Information Systems 304-744-2253
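
As an added example for the "what software can do, software can undo"
point in the column above (it is not part of the column and not code
from any product it mentions), the following Python script shows the
same thing on a modern system, using the POSIX/Windows read-only bit in
place of the MS-DOS read-only attribute. It marks a throwaway file
read-only, shows that a well-behaved append is refused, and then does
exactly what a file infector does: clears the bit, appends its payload,
and puts the attribute and the modification time back so that a
directory listing shows nothing changed. The file name, the stand-in
program bytes and the payload are constructed for the demonstration.

```python
"""Why a read-only attribute is not a security boundary.

Added example; not from the column or any product. Runs entirely inside
a temporary directory. Assumptions: the file name PROGRAM.COM, the
original bytes and PAYLOAD are made up here.
"""
import os
import stat
import tempfile

PAYLOAD = b"\n; appended by demo infector (constructed, harmless)\n"
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def is_privileged() -> bool:
    """Root ignores mode bits on POSIX, so the 'refused' step cannot trigger."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def set_read_only(path: str) -> None:
    """Clear every write bit (on Windows this sets the read-only attribute)."""
    os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)


def naive_append(path: str, data: bytes) -> bool:
    """A well-behaved program honours the attribute. True if it wrote."""
    try:
        with open(path, "ab") as f:
            f.write(data)
        return True
    except PermissionError:
        return False


def infector_append(path: str, data: bytes) -> None:
    """What 'software can undo': clear the flag, write, then restore the
    mode and the timestamps so a casual look shows nothing changed."""
    st = os.stat(path)
    os.chmod(path, st.st_mode | stat.S_IWUSR)
    with open(path, "ab") as f:
        f.write(data)
    os.chmod(path, st.st_mode)                  # read-only again
    os.utime(path, (st.st_atime, st.st_mtime))  # original timestamps again


def demo() -> dict:
    """Run the scenario and report what an integrity check would have to catch."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "PROGRAM.COM")
        original = b"\xB8\x00\x4C\xCD\x21"  # constructed stand-in for a program
        with open(target, "wb") as f:
            f.write(original)
        set_read_only(target)
        before = os.stat(target)

        blocked = not naive_append(target, PAYLOAD)   # honest program: refused
        infector_append(target, PAYLOAD)              # infector: not refused

        after = os.stat(target)
        with open(target, "rb") as f:
            content = f.read()
        os.chmod(target, before.st_mode | stat.S_IWUSR)  # let cleanup delete it
        return {
            "naive_write_blocked": blocked,
            "infected": content.startswith(original) and content.endswith(PAYLOAD),
            "still_read_only": not (after.st_mode & stat.S_IWUSR),
            "mtime_unchanged": int(after.st_mtime) == int(before.st_mtime),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The last two fields are the point: after the infection the file is still
read-only and still carries its old modification time, so neither the
attribute nor a directory listing gives the change away. Only something
that records the file's contents (a checksum taken while the file was
known clean) or something running below the infector's privilege level
can tell the difference.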