From mailbox.vhc.se!mikael  Fri Feb  9 08:40:04 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Fri, 09 Feb 96 08:44:00 GMT
	for mikael
Received: from mailbox.swip.net by mn3.swip.net (8.6.8/2.01)
	id IAA17849; Fri, 9 Feb 1996 08:40:04 +0100
Received: from win95.swipnet.se (dialup97-3-11.swipnet.se [130.244.97.51])
	by mailbox.swip.net (8.6.12/8.6.12) with SMTP
	id IAA01456 for <mikael@vhc.se>;
	Fri, 9 Feb 1996 08:40:36 +0100
Message-Id: <2.2.32.19960209074146.006d949c@mailbox.swipnet.se>
X-Sender: m-33619@mailbox.swipnet.se
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Feb 1996 08:41:46 +0100
To: mikael@vhc.se
From: Nick FitzGerald <n.fitzgerald@cantva.canterbury.ac.nz> (by way of Mikael Larsson <mikael@mailbox.vhc.se>)
Subject: Fwd: VIRUS-L Digest V9 #13

From:	IN%"virus-l@lehigh.edu"  5-FEB-1996 03:45:34.57
To:	IN%"virus-l@lehigh.edu"  "Multiple recipients of list"
CC:	
Subj:	VIRUS-L Digest V9 #13

Return-path: <postmaster@csc.canterbury.ac.nz>
Received: from fidoii.CC.Lehigh.EDU ("port 4949"@fidoii.CC.Lehigh.EDU)
 by csc.canterbury.ac.nz (PMDF V5.0-5 #7295)
 id <01I0U96L4BFUPVGQEE@csc.canterbury.ac.nz> for
 uoc-virus-l@csc.canterbury.ac.nz; Mon, 05 Feb 1996 03:45:15 +1300
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with
 SMTP id <40730-5693>; Sun, 04 Feb 1996 09:30:28 -0500 (EST)
Date: Sun, 04 Feb 1996 09:22:46 -0500 (EST)
From: VIRUS-L Moderator <virus-l@csc.canterbury.ac.nz>
Subject: VIRUS-L Digest V9 #13
Sender: virus-l@lehigh.edu
To: Multiple recipients of list <virus-l@lehigh.edu>
Errors-to: postmaster@csc.canterbury.ac.nz
Reply-to: virus-l@lehigh.edu
Message-id: <01I0U87ANNAYPVGQEE@csc.canterbury.ac.nz>
Content-transfer-encoding: 7BIT
Precedence: bulk
Originator: virus-l@lehigh.edu
X-Comment: Virus Discussion List
X-Listprocessor-version: 6.0c -- ListProcessor by Anastasios Kotsikonas

VIRUS-L Digest    Monday, 5 Feb 1996    Volume 9 : Issue 13

Today's Topics:

Report about viruses
Dr Solomon's USA on the move
100 year stealth virus?
Re: will formatting a floppy kill viruses on it?
Re: were wolf 1996
Re: will formatting a floppy kill viruses on it?
Re: Virus Scanner for E-Mail Attachment??
Re: Shareware beasties
Re: Shareware beasties
References for Virus Definition Languages??
Re: (Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
Re: What are the best Integrity Checkers?
(Fwd) Risks of "secure" documents containing executed code
Re: Shareware beasties
Re: Shareware beasties
Re: Virus Protection Policy
Re: E-MAIL Viruses.
Re: Scaning Zip files
Re: Viruses from the internet
Re: Shareware beasties
Re: What are the best Integrity Checkers?
Re: Viruses from the internet
Re: Can a computer get a virus from the internet?
Re: Testing AntiVirus software

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 30 Jan 1996 23:50:29 -0500 (EST)
From: Blue Dog <papy@worldnet.net>
Subject: Report about viruses
X-Digest: Volume 9 : Issue 13

Could you mail me documents, articles about viruses to make a report
for my school, please ? If possible, I'd like documents in french 
language !!!

        thank you.

[Moderator's note:  Sorry, can't help with the French side of things, but
there are some excellent articles and books referenced in the FAQ for this
list/group--some of the books from the larger publishers are likely to have
been "internationalized".]

------------------------------

Date: Wed, 31 Jan 1996 06:39:47 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Dr Solomon's USA on the move
X-Digest: Volume 9 : Issue 13

In-Reply-To: <01I0LP9POC0OPCQYD3@csc.canterbury.ac.nz>
The USA Headquarters of S&S Software International, Inc. (developers of 
Dr Solomon's Anti-Virus Toolkit) has moved.  Our new larger premises can 
be found at:

  S&S Software International, Inc
  1 New England Executive Park,
  Burlington, MA 01803, USA

  Tel:        +1 617 273 7400
  Fax:        +1 617 273 7474
  Email:      support@us.drsolomon.com
  CompuServe: GO DRSOLOMON


The change is from 17 to 1 (New England Executive Park)

Regards
Graham
--
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 01 Feb 1996 16:20:39 -0500 (EST)
From: Dan Kirkwood <dpkirkwo@dangogh.edaco.ingr.com>
Subject: 100 year stealth virus?
X-Digest: Volume 9 : Issue 13

This one's for a friend..

Has anyone heard of a "100 year stealth virus"?  I don't have a full
description of how it was detected, but I know Norton AntiVirus is
used regularly on this system (actually, a small network).  There is
some suspicion that a virus is the cause of many problems recently
encountered on this network.

I can get more details,  just want to know first off if it's a known
virus, and if there's a cure...

dpkirkwo@veribest.com

------------------------------

Date: Thu, 01 Feb 1996 17:41:58 -0500 (EST)
From: Tom Simondi <tsimondi@slonet.org>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 13

In article <0002.01I0OMT1IGNYPVG5DD@csc.canterbury.ac.nz>,
James Owens <ad354@freenet.carleton.ca> penned:
> Will reformatting a floppy kill all viruses on it?

If you use DOS versions lower than version 5 the command FORMAT A:
will completely wipe the disk in the A: drive. If you use DOS
version 5 or above then you have to add a parameter to accomplish
this:  FORMAT A: /U

If you don't add the /U parameter then DOS will attempt to "save"
everything on the disk so the UNFORMAT command can restore it.

> Sorry if this seems like a silly question. I'm almost positive the
> answer's yes. I just need to be completely sure.

When it comes to viruses there are no "silly" questions. (Although
there are folks who don't read the FAQ <grin>.)

-
=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://ourworld.compuserve.com/homepages/ck -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Thu, 01 Feb 1996 18:53:37 -0500 (EST)
From: Steven Hoke <shoke@NorthNet.org>
Subject: Re: were wolf 1996
X-Digest: Volume 9 : Issue 13

Super D wrote:

> Does anyone know the new virus WEREWOLF 1996 ?

There is an analysis of the Werewolf family of viruses available at 
http://www.thenet.ch/metro/avpl/werewolf.htm

The analysis was written by Eugene Kaspersky, the author of AVP (and 
that site is also one of the AVP distribution sites).
-
-==Steve==--

shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Thu, 01 Feb 1996 20:51:06 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 13

James Owens <ad354@freenet.carleton.ca> writes:

> Will reformatting a floppy kill all viruses on it?
> 
> Sorry if this seems like a silly question. I'm almost positive the
> answer's yes. I just need to be completely sure.

Be completely sure. The answer *is* 'yes'. Provided that no virus is
active in the memory of the computer doing the formatting, of course.
Note that the answer for a hard disk is "probably not".

Regards,
Vesselin
-
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

[Moderator's note:  As others have pointed out, you have to use the "/u"
switch with MS-DOS 5 and later.]

------------------------------

Date: Fri, 02 Feb 1996 08:30:46 -0500 (EST)
From: David Harley <harley@callisto.lif.icnet.uk>
Subject: Re: Virus Scanner for E-Mail Attachment??
X-Digest: Volume 9 : Issue 13

Evan Rosenbaum (erosenba@vger.rutgers.edu) wrote:

: I seem to recall reading about this in the last couple of weeks.  It
: might have been in InfoWorld.  The writeup said that MIMEsweeper
: automatically decodes all attachments and uses a user provided
: AV program ( i.e. F-PROT or NAV) to examine the resulting file.
: If a virus was detected, the file would be segregated and the user
: would be notified, I think.

As I understand it, MIMEsweeper is actually hosted on an NT server,
rather than being on the (Windows) workstation. I seem to remember that 
Reflex Magnetics were doing some joint development with Integralis so 
that Disknet and MIMEsweeper could be in some way integrated.

David Harley

------------------------------

Date: Fri, 02 Feb 1996 10:01:49 -0500 (EST)
From: Mike Taylor <taylorm@it.postoffice.co.uk>
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 13

Thomas F. Hosmer Sr. wrote:

>      I have one question that's been bothering me.  Like many others
> who have an affinity for the web I like trying shareware.  Usually
> only keeping one out of a couple of dozen, deleting the rest.  The
> other day someone told me many of the shareware programs I deleted
> left small programs hidden on my hard drives keeping track to make
> sure I never use them for more than the allotted shareware time.  My
> question is this: If there are little programs hidden, running
> always checking to see if the program is reinstalled could
> these have a negative effect on one's system, like a virus?
> 
>      I recently reformatted my "C" drive because I seemed to be
> running a little slower and had a little less memory than I thought I
> should.  I scanned for viruses with 3 programs and they showed a
> clean system, memory, boot sector, files etc. Is it possible an
> accumulation of these small shareware leftovers could have caused the
> problem.
> 
>      I hope this question is appropriate to this group and look
> forward to your responses.  Thanks for all the info I've already
> gleaned from this group.

Someone has been telling you little white lies. Or maybe not, they may 
believe it themselves. Shareware authors are honest people who would 
expect you to either pay for a program that you use a lot, or get rid of 
it. Once you have deleted it, unless you use an undelete program, then 
that is it, it cannot come back.

As for the system slowing down, it is probable that as you have deleted 
files and added more downloads, and deleted some of them etc., that the 
disk has become fragmented, and all you really needed to do was to 
defragment it. So the answer to your last question is Yes, in a way the 
'leftovers' from the shareware did cause you a problem, assuming that 
you are now Ok having reformatted.

-

Mike Taylor                             mtaylor@bcs.org.uk
                               taylorm@it.postoffice.co.uk
Amber Seam Ltd.  ( PC & Unix Consultancy )
Computer Security and Antivirus Consultancy
          TEL:44(0)1246-214595 POSTLINE:5415 4595
Visit my homepage at : http://www.geocities.com/Paris/2203

------------------------------

Date: Fri, 02 Feb 1996 10:34:56 -0500 (EST)
From: Alan Miller <ajm@mcs.com>
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 13

Thomas F. Hosmer Sr. <thosmer@epix.net> wrote:
>     I have one question that's been bothering me.  Like many others
>who have an affinity for the web I like trying shareware.  Usually
>only keeping one out of a couple of dozen, deleting the rest.  The
>other day someone told me many of the shareware programs I deleted
>left small programs hidden on my hard drives keeping track to make
>sure I never use them for more than the allotted shareware time.  

Actually, it's more common for the program to place an INI file in 
the Windows directory with an entry that indicates that information,
or place a single innocuous line in a vital file like WIN.INI that 
contains coded date information.  I've never heard of anything that 
actually put an executable to monitor for usage, since it's pretty
simple to check for programs.  In DOS, check CONFIG.SYS and 
AUTOEXEC.BAT for modifications, in Windows check the LOAD= and RUN=
lines in the [Windows] section of WIN.INI.

For the speed problem you were encountering, it's more likely that 
your drive was badly fragmented.  If you're using DOS 5 or later, 
there should be a DEFRAG program that ships with the operating 
system that will correct this problem.

ajm
-
Alan Miller \\ ajm@mcs.com 
<a href="http://www.mcs.net/~ajm/home.html">AJM's WWW page</a>
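The checks described in this post, as an added example that is not part of the original message or any poster's code. It assumes `LOAD=` and `RUN=` values are space- or comma-separated program lists and that a saved known-good copy of `AUTOEXEC.BAT` is available; all sample file contents are constructed.

```python
import re

# Constructed sample WIN.INI; the second RUN= sits outside [windows]
# and therefore must not be reported.
SAMPLE_WIN_INI = r"""
; constructed sample
[windows]
load=C:\TOOLS\CLOCK.EXE
Run=c:\apps\remind.exe, C:\TEMP\TRIAL.EXE
NullPort=None

[Desktop]
run=IGNORED.EXE
"""

# Constructed saved (known-good) and current copies of AUTOEXEC.BAT.
SAVED_AUTOEXEC = "@ECHO OFF\nPATH C:\\DOS;C:\\WINDOWS\nPROMPT $P$G\n"
CURRENT_AUTOEXEC = ("@echo off\nPATH C:\\DOS;C:\\WINDOWS\n"
                    "C:\\SHARE\\TIMER.COM\nPROMPT $P$G\n")


def autostart_entries(win_ini_text):
    """Return (key, program) pairs from LOAD= and RUN= in [windows]."""
    entries = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in ("load", "run"):
            # Assumption: several programs may share one line.
            for prog in re.split(r"[ ,]+", value.strip()):
                if prog:
                    entries.append((key, prog.upper()))
    return entries


def unexpected_entries(win_ini_text, known_good):
    """Autostart entries that are not on the caller's known-good list."""
    known = {p.upper() for p in known_good}
    return [(k, p) for k, p in autostart_entries(win_ini_text)
            if p not in known]


def new_lines(saved_text, current_text):
    """Lines in the current startup file that the saved copy lacks."""
    saved = {l.strip().upper() for l in saved_text.splitlines() if l.strip()}
    return [l.strip() for l in current_text.splitlines()
            if l.strip() and l.strip().upper() not in saved]


if __name__ == "__main__":
    known = [r"C:\TOOLS\CLOCK.EXE", r"C:\APPS\REMIND.EXE"]
    for key, prog in unexpected_entries(SAMPLE_WIN_INI, known):
        print("WIN.INI %s= starts an unlisted program: %s" % (key, prog))
    for line in new_lines(SAVED_AUTOEXEC, CURRENT_AUTOEXEC):
        print("AUTOEXEC.BAT line not in saved copy: %s" % line)
```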

------------------------------

Date: Fri, 02 Feb 1996 11:06:48 -0500 (EST)
From: R.Wood@comp.lancs.ac.uk
Subject: References for Virus Definition Languages??
X-Digest: Volume 9 : Issue 13

I am a 3rd year student doing a dissertation on av techniques and was
wondering if anyone could give me any references to papers on the
structure, use and implementation of VDLs (Virus Definition Languages)
like VIRTRAN.  

Any info will be appreciated, however small.

Thanks 

Robin
-
+==========================================================================+
| Robin Wood            | R.Wood@comp.lancs.ac.uk  | Views expressed and   |
| Lancaster University  | mac088@cent1.lancs.ac.uk | statements made are   |
| United Kingdom        | csc150@cent1.lancs.ac.uk | mine, not yours!      |
+==========================================================================+

------------------------------

Date: Fri, 02 Feb 1996 13:51:06 -0500 (EST)
From: Jason Garms <jason.garms@gsfc.nasa.gov>
Subject: Re: (Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
X-Digest: Volume 9 : Issue 13

For more on this subject, please see http://www.microsoft.com/windows/pr/av.htm
This is a Microsoft informational article on the subject of anti-virus
scanners for Windows 95. Here's the first paragraph so you can get the
gist of it:

  "Recently there has been some information in the press and on the
  Internet about the Windows 95 versions of some anti-virus scanners
  not detecting certain types of files. While this is not a problem
  with Windows 95 itself, and no customers have been affected by this
  issue, Microsoft feels that it is important to fully explain the issue."

Jason

-
--------------------------------------------------
Jason Garms
Desktop Integration Support Group
NASA/Goddard Space Flight Center, Code 251.6
(301) 286-9607
--------------------------------------------------

[Moderator's note:  That URL is well worth a look!]

------------------------------

Date: Fri, 02 Feb 1996 19:19:39 -0500 (EST)
From: Robert Michael Slade <rslade@freenet.vancouver.bc.ca>
Subject: Re: What are the best Integrity Checkers?
X-Digest: Volume 9 : Issue 13

Al Kimel (akimel@awod.com) wrote:
: While a number of comparative evaluations of scanners are available,
: one notes an absence of comparative evaluations of integrity

It is relatively easy to evaluate scanners: just get a good "zoo" and see 
how many viruses are identified by the respective products.  (Maintaining a 
good "zoo", on the other hand, is the problem.)  This is also easy for 
users to judge, since it gives a numerical rating.  The numerical rating 
isn't always an indication of how good a given product *is*, but it's easy.

Integrity checkers (or change detection software) and activity monitors 
are a lot harder to judge.  I have done a number of detailed reviews (uh, 
Nick?  :-), and try to assess the overall effectiveness of a given 
product, for a specific type of computer environment and type of user.

[Moderator's note:  I know, I know--before 10 February I'll have them all
posted!]

My general recommendation for change detection software would be Integrity 
Master.  It provides solid protection, different levels of protection, 
and excellent information to the user (particularly in setting the 
program up).  It is available in a shareware version (I believe the 
filename is I_Mxxx.ZIP, where xxx is the version number) at better ftp 
and antiviral archive sites everywhere  :-)

Some general guidelines.  Change detection is the one type of antiviral 
software which will catch all viral programs--*if* it is sufficiently 
broadly based, and run properly.  When assessing a program, make sure that 
it checks for changes not only in files, but in system areas of the disk, 
memory and interrupts (for MS-DOS machines).  The "image" of the clean 
system (and you do have to start clean) should have an integrity check of 
its own, preferably have an encryption option, and most preferably have 
an option for offline storage (usually on a diskette).

Also, please note that you have to know something about both viruses and 
computer operations to use change detection software.  Change detection 
will detect *all* viral programs--but it will also detect a lot of other 
stuff, mostly non-viral.  You will have to be able to weed through the 
false alarms.
 
====================== 
roberts@decus.ca   Rob.Slade@f733.n153.z1.fidonet.org  rslade@vanisl.decus.ca
               Crossbows don't kill people, quarrels kill people
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)
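The guidelines in this post, as an added example that is not part of the original message and not the code of any product named in it. It covers file contents only (not system areas, memory or interrupts), uses SHA-256 with an HMAC as the baseline's own integrity check, and assumes the sealed baseline and key are kept away from the checked disk; the file names, contents and key are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile

DEMO_KEY = b"constructed-demo-key"  # assumption: kept offline in real use


class BaselineTampered(Exception):
    """The stored baseline failed its own integrity check."""


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def seal_baseline(files, key):
    """Serialise the clean-system image and attach a MAC over it."""
    body = json.dumps(files, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": body, "mac": tag})


def open_baseline(sealed, key):
    """Check the baseline's own MAC before trusting any digest in it."""
    record = json.loads(sealed)
    expected = hmac.new(key, record["files"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["mac"]):
        raise BaselineTampered("baseline MAC mismatch")
    return json.loads(record["files"])


def compare(root, sealed, key):
    """Report every difference; the operator decides which are benign."""
    baseline = open_baseline(sealed, key)
    current = snapshot(root)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed directory, baseline it, alter it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("COMMAND.COM", b"shell"),
                           ("EDIT.EXE", b"editor"),
                           ("NOTES.TXT", b"version 1")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # The sealed image stays in memory, i.e. off the checked tree.
        sealed = seal_baseline(snapshot(root), DEMO_KEY)

        with open(os.path.join(root, "EDIT.EXE"), "ab") as fh:
            fh.write(b" plus appended bytes")      # a changed executable
        with open(os.path.join(root, "NEW.COM"), "wb") as fh:
            fh.write(b"unknown program")           # not in the baseline
        os.remove(os.path.join(root, "NOTES.TXT"))  # benign but reported

        return compare(root, sealed, DEMO_KEY), sealed


if __name__ == "__main__":
    report, _sealed = demo()
    for kind in ("changed", "added", "removed"):
        print(kind, report[kind])
```

The removed text file is the kind of non-viral change the post says the operator has to weed out.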

------------------------------

Date: Wed, 17 Jan 1996 03:20:02 -0500 (EST)
From: Otto Stolz <Otto.Stolz@uni-konstanz.de>
Subject: (Fwd) Risks of "secure" documents containing executed code
X-Digest: Volume 9 : Issue 13

[Moderator's note:  Apologies to Otto--this got stranded in a mail folder
it oughtn't ever have been in originally...]

-- Forwarded mail from RISKS@CSL.SRI.COM

RISKS-LIST: Risks-Forum Digest  Tuesday 16 January 1996  Volume 17 : Issue 64

Date: Sun, 14 Jan 96 05:14:45 -0800
From: "Henry J. Cobb" <hcobb@slip.net>

I was going to make this the shortest RISK ever:

Spotted above the banner of the Feb 96 C/C++ User Journal:
    "QUAD-PRECISION Math for ERROR-FREE APPS"

But then I noticed this comment from Tim Parker in the Jan 11th RISKs:

>2) develop a standard code wrapper scheme to provide authentication and
>certification - Authentication (ala PGP) to verify that the file wasn't
>altered after the creator created it - and that the creator is really the
>creator)

The problem in the Win-Word case is that the creator of the document
that gave you the virus did not intend to send it.

Your computer reads the document, verifies the public-key, executes the
code, installs the virus and then proceeds to send out authenticated copies
of the virus with each document you send.

At the very best, this would only give you an audit trail. (Doubtlessly
compromised by the action of the virus itself)

If any of the data on any of your systems has the slightest value, then
it's time to take a good look at the track record of your software
suppliers at keeping data safe.  (If you don't like what you see, vote
with your pocketbook, I have)

--End of forwarded mail from RISKS@CSL.SRI.COM

------------------------------

Date: Sat, 03 Feb 1996 02:03:49 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 13

On Wed, 24 Jan 1996, Thomas F. Hosmer Sr. wrote:

>      I have one question that's been bothering me.  Like many others
> who have an affinity for the web I like trying shareware.  Usually
> only keeping one out of a couple of dozen, deleting the rest.  The
> other day someone told me many of the shareware programs I deleted
> left small programs hidden on my hard drives keeping track to make
> sure I never use them for more than the allotted shareware time.  My
> question is this: If there are little programs hidden, running
> always checking to see if the program is reinstalled could
> these have a negative effect on one's system, like a virus?

No. These hidden files (which only some shareware uses) are simple data
files -- not programs -- that are merely used to track _when_ you started
using the shareware, so it can implement its timeout. It is not an active
program that stops you from loading the software, the software itself
searches out the file when you run it. 

Also, _any_ piece of software which has copy protection or a timeout of 
some sort might be using such files, not just shareware.

>      I recently reformatted my "C" drive because I seemed to be
> running a little slower and had a little less memory than I thought I
> should.  I scanned for viruses with 3 programs and they showed a
> clean system, memory, boot sector, files etc. Is it possible an
> accumulation of these small shareware leftovers could have caused the
> problem.

No. They might eat a little disk space, but that's it, and any utility
that can display hidden files would let you see them. (I believe "DIR /AH"
should work in recent versions of MS-DOS). They'll probably be located in
C:\ -- if any programs are using them at all, which isn't highly probable. 

>      I hope this question is appropriate to this group and look
> forward to your responses.  Thanks for all the info I've already
> gleaned from this group.

I hope this helps.

Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sat, 03 Feb 1996 06:43:49 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 13

On Fri, 26 Jan 1996, Andrew Lee wrote:

> Are there any PC viruses out there that can damage your BIOS and also
> damage PC peripherals (disk drive, chips, tape drive, etc...)  which
> would require replacement hardware to fix?  
> 
> [Moderator's note:  These viruses exist mainly in the land of Nod... 
> The best response to this question will be used as the basis of a new
> Q&A in the FAQ!]

[I'll give it a go...]

No, modern PC hardware is not susceptible to damage from software, and any
computer virus, no matter how devastating, is merely software. A virus 
can remove all the data on your disk drive, and theoretically could erase 
a tape, but neither the disk drive, tape, or tape drive would be 
permanently damaged.

Years ago, some computers and some equipment for PC's could be damaged in
specific ways via software. This is no longer possible on any machine you 
are likely to encounter.

There is a partial exception to this: the BIOS. Recent machines
incorporate a "flash" BIOS. Traditionally, the BIOS is stored in an EPROM,
which like all ROM memory cannot be altered from software. However, to
facilitate easy upgrades, BIOS's are now being stored on "flash" memory, a
type of memory that can retain data indefinitely, like ROM, but can be
erased and re-loaded a limited number of times. 

The upshot of that is that a virus _could_ erase or, in theory, infect a 
BIOS. I believe one virus attempts to erase flash BIOS's, although I 
don't know whether it actually succeeds. I don't know of any that 
attempt to infect a flash BIOS.

In any case, the solution is simple: any decent motherboard with a flash
BIOS will also include a jumper that disables any changes to the BIOS. 
Make sure this jumper is set so that the BIOS cannot be altered, and only
switch the jumper when you specifically want to upgrade the BIOS. This
jumper is hardware, and no virus will be able to bypass it. 

In summary: check your motherboard for a flash BIOS. Other than that, you
do not have to worry about a virus damaging your hardware. 

-
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sat, 03 Feb 1996 10:52:08 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: Virus Protection Policy
X-Digest: Volume 9 : Issue 13

(X-Digest: Volume 9 : Issue 10)
netwise@hevanet.com wrote:

>I am in search of a sound policy which deals specifically with the
>protection of an organization information resources through the
>introduction of both internal and external Viruses.

Computers connected via a Local Area Network ("LAN") can
be exposed to a virus elsewhere on the LAN if security is 
breached.  Anti-virus security means minimal "privileges" 
for each user, to avoid a virus "epidemic."   One infected
computer is bad enough, a thousand can spell disaster.
     Only those who need full write access privilege, such 
as the Administrator, should be able to access the server 
with write intent.  And they should do so only from their 
own (hopefully virus-free) computer, and not from anyone 
else's computer, which could possibly be already infected.
     In addition, there should be no transitive flow path 
between users, meaning: 
1> Executable files written on one computer should not be 
   read on another.  
2> All computers which can write to another, or (especially)
   to the server must be monitored carefully, to prevent 
   infection.  No diskettes from any other computer should 
   ever be used in such computers.   
3> Diskette swapping between other users should also be 
   discouraged.  Where such swapping cannot be avoided, 
   diskettes should be scanned before use by the recipient, 
   no matter the source.
     It's important to remember that even if all the above 
is followed precisely, the very next diskette coming in from
off-site presents a risk.  Diskettes from home, school, and 
vendors, as well as service technicians, should always be 
viewed with suspicion, and scanned before use.
     Only when a LAN is not kept secure can a virus spread, 
but some can infect every computer, in seconds.  If the 
situation is severe enough, shutting down the entire LAN to
remove a virus can result.  While restrictions like those 
above aren't very appealing, they may be necessary.

Regards, Henri Delger
http://pages.prodigy.com/XWWC29A
email: henri_delger@prodigy.com 

------------------------------

Date: Sat, 03 Feb 1996 11:55:15 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: E-MAIL Viruses.
X-Digest: Volume 9 : Issue 13

In article <0006.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>,
Phillip Steck <NUHS@oro.net> wrote:
>Have you personally seen any Email virus within an attached
>Email file? 

There is no such thing as an e-mail virus.  Any virus can be
distributed either uuencoded in e-mail, or as an attachment.
It's possible to send any program over e-mail, so it's possible
to send viruses too (they're just replicating programs).

As far as personally receiving a virus via e-mail, yes, I have
received one.  A friend of mine sent me a Microsoft Word
document file that was infected with WinWord.Concept.  I used
the evaluation copy of Dr. Solomon's FindVirus and removed the
virus, and continued on my merry way. :-)

Regards, 

George Wenzel

George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Student of Wado Kai Karate 
U of A Karate Club Home Page: http://www.ualberta.ca/~gwenzel/
"Who's General Failure & why is he reading my disk?"

------------------------------

Date: Sat, 03 Feb 1996 11:57:06 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Scaning Zip files
X-Digest: Volume 9 : Issue 13

In article <0002.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Sean
Burgess <mickey@zoom.com> wrote:
>Are there any products that will scan .ZIP files for viruses?
>

Yes, quite a few, actually.  Dr. Solomon's, NAV, Pc-Cillin, and
others.

Regards, 

George Wenzel

------------------------------

Date: Sat, 03 Feb 1996 12:01:32 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Viruses from the internet
X-Digest: Volume 9 : Issue 13

In article <0008.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Eric
Cheuk Ming Leung <ericlcm@hk.linkage.net> wrote:

>As Virus begins for Winword and Excel via Macro languages, I believe 
>surfing around WWW pages will also generate virus onto ones own PC as 
>newer features are added to Web browser like the Java applets which is 
>actually a small program build-in the page and execute at your PC when 
>you are viewing that page.

Macro viruses CANNOT be distributed simply by surfing web
pages.  You must download an infected document file and open it
within its respective program to become infected.  As far as
Java applets, the developers of Java claim that it is
virus-proof, but this is yet to be seen.  For the moment,
nobody has found a virus that can be distributed via Java.

Regards, 

George Wenzel

------------------------------

Date: Sat, 03 Feb 1996 15:09:19 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 13

In article <0009.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz>, "Thomas F.
Hosmer Sr." <thosmer@epix.net> wrote:
>     I have one question that's been bothering me.  Like many others
>who have an affinity for the web I like trying shareware.  Usually
>only keeping one out of a couple of dozen, deleting the rest.  The
>other day someone told me many of the shareware programs I deleted
>left small programs hidden on my hard drives keeping track to make
>sure I never use them for more than the allotted shareware time.  My
>question is this: If there are little programs hidden, running
>always checking to see if the program is reinstalled could
>these have a negative effect on one's system, like a virus?

Every shareware program that uses this method will implement it slightly 
differently, but generally these files are merely a data file saying how
long the program has been run on the system.  If you delete the
corresponding program, your only loss is the small amount of disk space
that these files contain.  These files do not actively search out the
shareware program; it works the other way around - the program searches
out the files.

These files shouldn't have caused any system slowdown.  

Regards, 

George Wenzel

------------------------------

Date: Sat, 03 Feb 1996 15:09:09 -0500 (EST)
From: PJN.-.TSA@news.flinet.com
Subject: Re: What are the best Integrity Checkers?
X-Digest: Volume 9 : Issue 13

In article <0006.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz>, akimel@awod.com 
says...

>While a number of comparative evaluations of scanners are available,
>one notes an absence of comparative evaluations of integrity
>checkers.  If a competent someone were to ever do such an evaluation,
>they would be doing all of us a real service.
>
>In the meantime, I'd be interested in hearing people's opinions,
>with the why's and whynot's.  TIA.

Command Software has an integrity checker simply named CHECK.EXE and comes 
with a DOS tsr, CS-TSR.COM. It notifies when a file has changed or is not in 
the database of allowable programs. There is the option to ignore the
warning or to stop the program from executing. The use of such a product
will depend on the user's knowledge of his or her own software; there are
very few applications that do modify themselves and would cause warnings
when using the integrity checker. I'm not sure if the integrity checker
can be purchased separately or not (it comes with the professional version
of F-Prot av), but email sales@commandcom.com or check out
www.commandcom.com for other means of contact.

PJN - TSA
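
The two conditions the message above describes (a file that has changed, and a file that is not in the database of allowable programs), together with the ignore-or-stop choice, as an added Python example that is not part of the original post and is not Command Software's code. The use of SHA-256, the function names and the sample file names are assumptions; the post does not say how CHECK.EXE detects a change.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_database(paths):
    """Record a known-good hash for every program the user has approved."""
    return {os.path.abspath(p): sha256_of(p) for p in paths}

def check(path, database):
    """Return 'ok', 'changed' (hash differs) or 'unknown' (not in the database)."""
    known = database.get(os.path.abspath(path))
    if known is None:
        return "unknown"
    return "ok" if sha256_of(path) == known else "changed"

def may_execute(path, database, on_warning="stop"):
    """Apply the user's choice: 'ignore' lets a flagged program run, 'stop' blocks it."""
    status = check(path, database)
    return status, (status == "ok" or on_warning == "ignore")

def demo():
    """Constructed sample: two stand-in 'programs' in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "EDITOR.EXE")
        stranger = os.path.join(d, "NEWGAME.EXE")
        for p, body in ((approved, b"MZ original"), (stranger, b"MZ other")):
            with open(p, "wb") as f:
                f.write(body)
        db = build_database([approved])
        results = [may_execute(approved, db), may_execute(stranger, db)]
        with open(approved, "ab") as f:  # simulate the approved file being modified
            f.write(b" appended bytes")
        results.append(may_execute(approved, db))
        results.append(may_execute(approved, db, on_warning="ignore"))
        return results

if __name__ == "__main__":
    for status, allowed in demo():
        print(status, "run" if allowed else "blocked")
```

A program that legitimately rewrites its own file will report as changed on every run until its database entry is rebuilt.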

------------------------------

Date: Sat, 03 Feb 1996 16:49:51 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Viruses from the internet
X-Digest: Volume 9 : Issue 13

In article <0008.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Eric Cheuk Ming
Leung writes:
: As Virus begins for Winword and Excel via Macro languages, I believe 
: surfing around WWW pages will also generate virus onto one's own PC as 
: newer features are added to Web browser like the Java applets which is 
: actually a small program built into the page and executes at your PC when 
: you are viewing that page.
: Am I correct?

        In theory, like with the macro viruses, it could happen.  But one 
thing to remember, is like with the macro viruses, that said viruses are 
confined to that specific medium, if there ever is a JAVA based virus, it 
will stay in JAVA files UNLESS it has a way of writing to a standard file 
in which case it could write a standard file infector virus much like 
winword.nuclear.

        Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
"Piss off a government, practice civil disobedience TODAY!"

------------------------------

Date: Sat, 03 Feb 1996 17:38:40 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Can a computer get a virus from the internet?
X-Digest: Volume 9 : Issue 13

Zvi Netiv <netz@actcom.co.il> writes:

> Something users usually ignore: Only DOS file infectors constitute a threat.
> There are practically no real Windows application infectors and since most
> Internet programs run as such then the possibility to infect this way is
> very unlikely.

This is false. There are more than half a dozen Windows-specific
viruses (even one Win95-specific virus). One of them - Ph33r - is very
widespread.

> What is there to edit online in a Word doc? :-) Besides, the macro viruses
> is a localized issue, not a general one.

Try explaining this to the hundreds of companies worldwide who were
infected with Concept.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 20:57:51 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Testing AntiVirus software
X-Digest: Volume 9 : Issue 13

In article <0004.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>
           mlookabaug@aol.com "MLookabaug" writes:

 > In article <0005.01I06C4XA6HQOK8IBB@csc.canterbury.ac.nz>, Iolo Davidson
 > <iolo@mist.demon.co.uk> writes:
 >
 > >The only valid way to test the detection ability of anti-virus is
 > >with real viruses.  Obtaining a comprehensive collection of real
 > >viruses for testing is beyond the resources of most people.
 > >
 > >Put those two statements together, and you have: It is not
 > >possible for most people to conduct a valid test of the detection
 > >capabilities of anti-virus software.
 >
 >   It seems to me that a *valid* test of AV software is one that uses
 > viruses that have been found ITW, or are reasonably likely to be found
 > there.  Therefore,  I dispute your stand that it is not possible for
 > those outside of  the AV industry to conduct a valid test.

Well, you are wrong then, in public, and it is all your own 
doing.  You could have just kept quiet.

- -
NO LADY LIKES               ACCOMPANIED BY
             TO DANCE                     A PORCUPINE
                     OR DINE                         Burma-Shave

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 13]
*****************************************




