VIRUS-L Digest Thursday, 30 Sep 1993 Volume 6 : Issue 124 Today's Topics: ADMINISTRATIVE NOTE: Sorry for the down-time, bounces Virus Ad Learning how to make virus programs: NOT Virus scanning for Unix (UNIX) OS/2 v1.3 Scanner??!?? (OS/2) NAV updates, do I need all of them? (PC) Re: Flash BIOS (PC) Re: posting re retaliator viruses (PC) Re: mcafee's 107 serie (PC) Re: Waldo? (PC) Removing the Form virus using MSDOS 5.0 SETUP (PC) You never forget the first time (PC) Re: Vshield v107 (PC) RE: F-PROT & Blinker virus (PC) virusses in .ARJ & .ZIP (PC) CRUNCH21.COM (PC) Satan Bug virus (PC) Stoned virus.... (PC) Tremor Virus and McAfee VIRUSCAN (PC) Cansu(V-Sign) virus...... (PC) Hong Kong? (PC) Re: boot viruses, without booting from an infected disk (PC) McAfee's 108 series (PC) New files on our ftp site (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 30 Sep 93 14:23:01 -0400 From: VIRUS-L Moderator Subject: ADMINISTRATIVE NOTE: Sorry for the down-time, bounces Sorry for the VIRUS-L/comp.virus down-time, folks. I was away at a conference, and my network connection back $HOME was less than usable. I'll try to get the backlog of messages posted asap. Also, we've been installing some new systems here, and I understand that some e-mail to me bounced for a short while. Again, apologies. The problem appears to be fixed, and e-mail is now flowing as before. If any of you got bounced messages from me, please re-send. Please verify that the correct e-mail address is: krvw@assist.ims.disa.mil. (My old "agarne" system is going away.) Thanks for your patience. Cheers, Ken van Wyk ------------------------------ Date: Mon, 20 Sep 93 15:31:51 -0400 From: uttsbbs!steven.hoke@pacbell.com (Steven Hoke) Subject: Virus Ad I was very dismayed to open my October issue of PC Computing and find an ad for a CD-ROM disc that specifically mentions "Virus Code" (top half of page 460). While much of the content of the disc would be considered controvertial, it also included information on "Phreaking" and "Tone Box Information", the use of which is illegal. I think anyone that feels their accepting an ad for a disc listing computer virus code is unnacceptable should send a letter to the editors at: PC Computing 950 Tower Lane, 19th Floor Foster City, CA 94404 The only way to influence their decision on whether or not this is appropriate is to let them know that we feel its not only inappropriate, its irresponsible (that is, if you feel that way too). - -= Steve =- - --- * WaveRdr 0.35 Beta * Practice safe hex. Use a write protect ta - ---- +------------------------------------------------------------------------+ | The Transfer Station BBS (510) 837-4610 & 837-5591 (V.32bis both lines)| | Danville, California, USA. 1.5 GIG Files & FREE public Internet Access | +------------------------------------------------------------------------+ ------------------------------ Date: Mon, 20 Sep 93 18:49:21 -0400 From: Roger Thompson <70451.3621@compuserve.com> Subject: Learning how to make virus programs: NOT TO: INTERNET:VIRUS-L@lehigh.edu On Tue, 14 Sep 93 Phil Seakins <70451.3621@compuserve.com> wrote:- >You've described a product which already exists. N.S.O. - Network >Security Organizer, was designed to give system administrators >centralized control over workstation security...etc >You can download the software for evaluation from Leprechaun Software's >BBS on 404-971-deleted OOPS, I typed the wrong number. The correct BBS number is (404) 971-8886. Phil Seakins. ------------------------------ Date: Mon, 20 Sep 93 14:58:12 -0400 From: bmok@netcom.com (Bert K. Mok) Subject: Virus scanning for Unix (UNIX) I need to implement virus protection on our Unix machines. Can someone suggest a common mechanism for doing that? A coworker suggested getting a Workstation to pre-scan software of files about to be uploaded. Is this a good approach? What's the most bullet proof approach to doing this? Right now our operator only scans the files on the PC before the upload. I just don't think that makes sense because that doesn't guarantee the files don't contain "Virus for our HP/UX". Please help. Please reply by email as much as possible. Thanks. A side question: How does a Virus on Unix do its damage? - - Bert (bmok@netcom.com) ------------------------------ Date: Tue, 21 Sep 93 15:34:48 -0400 From: zycor@netcom.com (UnListed) Subject: OS/2 v1.3 Scanner??!?? (OS/2) I need to locate a scanner/cleaner for OS/2 version 1.3 - also anyone who has ANY info on the -ZOMBIE- virus please respone via email to zycor@netcom.com This is a weird looking thing, launches off of the Kernal and is visible for 20-30 seconds, then disappears. Scanners would be helpful, but PLEASE do not send any attachments that contain scanners or cleaners to me. I can telnet or FTP to almost any site. Thanx in advance. ------------------------------ Date: Sun, 19 Sep 93 00:21:20 -0400 From: jcleon@chaph.usc.edu (Juan Carlos Leon) Subject: NAV updates, do I need all of them? (PC) Hello everyone, This is a simple question, if I need to install again NAV in my machine, do I need to install all the updates again or just the last one? Here we're talking about NAV 2.1 Thanks for any help. Juan Leon - -- email: jleon@scf.usc.edu Electrical & Computer Major University of Southern California Los Angeles, CA. USA ------------------------------ Date: Sun, 19 Sep 93 19:15:47 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Flash BIOS (PC) Anthony Naggs (amn@ubik.demon.co.uk) writes: > > 1: Turn keyswitch to ROM CHANGE position > I don't understand the insistance on a key switch, they add to the production > cost and provide a extra point of failure. You still need some -hardware- way to allow the ROM change. If it can be allowed only in software, then a virus could do it. The easiest way to implement it is as a switch, or more exactly as jumper. > > 2: Place permanently write protected disk in disk drive > Why 'permanently write protected'? > If I was the manufacturer I would reserve the ability to distribute BIOS > images that can be used only a limited number of times, by altering an > installation count on the diskette. Ah, c'mon, Anthony, I didn't expect -you- to say that... Every software distributor should ship their software on permanently write-protected diskettes - so that the users will not involuntarily infect the original disks... We have enough trouble with those manifacturers who to not do that. As Roger Riordan mentioned at the Virus Bulletin conference - the first thing the user must do when getting new software is not scanning it, not even making a backup copy of it, but checking whether it is write-protected and to write protect it if it isn't. Besides, what you are proposing above is nothing more than a copy protection scheme. On the top of that, the diskette has to be protected from copying - otherwise I could make as many copies as I wish before the installer has had any chances to decryment any counters... So, you mean that I must not be able to make a backup copy of the disk? No, thanks. I'm glad that you are not the manifacturer and if you were, I wouldn't buy your products which are protected this way... :-) > > ... use an RSA based (or similar) > > cryptographic checksum to verify the legitimacy of the data in A, load its > > Flash ROM, put the proper message on the screen, and halt the processor. > > This scheme would allow even a bad ROM update to be backed out of because t h > What is your definition of a 'bad ROM update'? To me the phrase conveys > a change of the ROM that fails in some way. Yet your reference to 'backed > out' implies an earlier recognition of failure. I guess that Dr. Cohen means that the updater of the ROM must have some way to AUTHENTIFY that the update is a legitimate one - e.g., one coming from America Megatrends and not from The Mad Hacker. The most convenient (and secure) way to do that is with public key cryptography. Unfortunately, having in mind the patent problems surrounding this field in the USA, such scheme is unlikely to become widespread soon... > > loading routine is in ROM not EROM, should prevent unauthorized updates, an d > > enforces the procedures required to prevent malicious EROM changes. > > > > The reason this scheme is NOT used (even though the hardware designers of m o > > flash ROMs designed their ROMs to work this way) is that it costs money to a > > a switch and the few hundred lines of code required to implement protection , > > and we all know that people want protection for free and believe it is safe > > even when it isn't. Call a bug a feature, and you have happy customers. > This all seems totally excessive. Why is it totally excessive? How much cost adds a jumper? Is it better to have the ROM freely changed by software? Doesn't the PC with MS-DOS have enough security problems already? [Description of Intel's Flash ROM update procedure deleted to save bandwidth.] It is not clear to me how is the ROM address space enabled for update. Is it through a switch or jumper or is it through writing to a port? In the latter case, what prevents a virus to do exactly the same? Hell, it even doesn't need to be in the virus, it could be a dropper that contains part of that same "init block", uses them to enable the ROM modification, and then modifies the BIOS to install from time to time a copy of the Stoned virus on the first hard disk... > The exact details of the authentication procedures are Intel trade > secrets. Security through obscurity. It never works. How much time it will take until the hackers disassemble the init block and figure out what it does? > It certainly appears that Intel PCs using Flash BIOS are > no more vulnerable to malicious alteration than other PCs whose ROMs > can be removed from sockets and replaced. It certainly doesn't appear so to me... You must physically open those other PCs and replace a chip; you can't just walk to them with a floppy, run a magical program and make the BIOS do something completely different... Regards, Vesselin P.S. Yes, I am back. :-) - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Sun, 19 Sep 93 19:34:21 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: posting re retaliator viruses (PC) McAfee Associates (mcafee@netcom.com) writes: Sorry, I have missed the original post. What are "retaliator viruses"? Viruses designed to attack a particular product? I think I have heard this term somewhere, but it is certainly not accepted widely... > Point of order: :-) The technician you spoke with was unsure of the answer > and brought a copy of your message to me--I assumed that you meant viruses > which directly attack McAfee Associates' software and told him to answer > "no" to your question. Well, you have been wrong, nevertheless... There are several viruses which attack McAfee Associates' software in one way or another. The most widespread attack is to avoid to infect it, although it could be argued that this is not an attack but a surrender... :-) However, some are not so benign... The Tequila virus removes the checksums added to the files with the /AV option of scan. (I know at least two people at McAfee Associates to whom I have explained this; it's strange that you have not heard about it.) The Jerusalem.2225 virus turns on its "format the hard disk" switch when a program called SCAN or CLEAN is run. There are many other examples. > Your subsequent reply listed a few, including (at > least) one I have not heard of before called the "Lokjaw-zwie" which claims > to delete McAfee Associates' VIRUSCAN (SCAN.EXE). We have it here. The author calls it Lockjaw-zwei (not zwie; "zwei" means "two" in German); standard CARO name is Prot-T.LockJaw.2. It's a companion resident virus. It targets several anti-virus products, meaning that it deletes files with particular names if they are executed with the virus active in memory. In particular, those names are: *IM.* (Integrity Master) *RX.* (VirX PC) *STOP.* (VirStop) *AV.* (CPAV, MSAV) *PROT.* (F-Prot) *SCAN.* (SCAN) *LEAN.* (CLEAN) After deleting the file(s), the virus displays a visual effect. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Sun, 19 Sep 93 19:37:15 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: mcafee's 107 serie (PC) (HAYES@urvax.urich.edu) writes: > Hello. > The McAffee's 107 serie is now available from us. Source: McAfee's own > FTP'able site. SCAN 107 seems to have a serious bug, which makes it hang sometimes. Besides, I have not seen it on the usual archive sites (Simtel20, Garbo) - only on McAfee's site. I guess that it has not been released "officially". BTW, SCAN 108 is already out and that one -is- released officially. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Sun, 19 Sep 93 19:38:38 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Waldo? (PC) jonathan skean (jskean@unlinfo.unl.edu) writes: > I have a colleague whose PC is displaying the message > "Waldo won't let you do that." at times when running > Microsoft Windows 3.1. Does anyone have information > about this? It isn't mentioned in McAfee ScanV106. That usually happens when you run an old version of CorellDRAW! under Widnows 3.1. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Sun, 19 Sep 93 18:20:45 -0400 From: "Ted Wong" Subject: Removing the Form virus using MSDOS 5.0 SETUP (PC) I recently suffered an a attack of the Form virus on my machine, a TI TravelMate. Form inserts itself in the boot sector of disks; in fact, the infection was traced back to an accidental boot off of a non-system disk (NB: always check the floppy drives before booting!). The infection was reported by SCAN 102; however, CLEAN was unable to remove it. The virus was subsequently removed by booting off the OEM distribution of MSDOS 5.0 (NOT the retail upgrade), and reinstalling DOS. My question is: would I have saved myself some time by using FDISK /MBR to write out a new copy of the boot sector? Or do I have the definitions of the Master Boot Record and the boot sector mixed up? Regards, Ted Wong - ----------------------------------------------------------------------------- Ted Wong Cornell University - ----------------------------------------------------------------------------- ------------------------------ Date: Mon, 20 Sep 93 05:00:42 -0400 From: norman.hirsch@factory.com (Norman Hirsch) Subject: You never forget the first time (PC) PCPLUS.FON always changes so that is understandable. Do a chkdsk /f and then get McAfee's SCAN or other anti-virus scanner to check your system for bugs. ------------------------------ Date: Mon, 20 Sep 93 05:00:53 -0400 From: norman.hirsch@factory.com (Norman Hirsch) Subject: Re: Vshield v107 (PC) Hi Aryeh. Just checking this E-Mail Internet messaging capability through Invention Factory BBS in New York. Let me know if you get this by return mail and I'll ask next time I speak with you. Best regards, Norman Hirsch, NH&A ------------------------------ Date: Mon, 20 Sep 93 08:35:51 -0400 From: ROBERT HINTEN 617-565-3634 Subject: RE: F-PROT & Blinker virus (PC) >From: dave.loschiavo@cld9.sccsi.com (Dave Loschiavo) >Does anyone out there have any experience with F-Prot and the "Blinker" >virus. I recently had a comm utility quit while I was running it and I >received the message"- Message Blinker: Fatal runtime error 1211". >I don't know if that is an F-Prot warning, an error message from my comm >program or a DOS warning. The only reasons I have to suspect that it's a >virus is there is a virus named Blinker, and that I'm having general >problems with my system. This is not a virus, but a message from Blinker, a popular linker. From the Blinker 2.0 documentation: Run Rime Error Messages 1211: overlay manager stack overflow The Blinker overlay manager maintains a reload stack used in the management of dynamic overlays, and this stack has overflowed. The most common cause of this error is uncontrolled or unintentional recursion within an overlaid procedure or function, where a particular procedure or function is calling itself repeatedly. If this is a recurring problem, you should contact your comm program's developer and report the error. Hope this helps. ========================================================================== Monty Hinten hinten.robert@epamail.epa.gov Information Security Officer (617)565-3634 US EPA, Region I Boston, MA USA ========================================================================== ------------------------------ Date: Thu, 16 Sep 93 12:31:00 +0200 From: Fred_Janssen@f1.n9931.z9.virnet.bad.se (Fred Janssen) Subject: virusses in .ARJ & .ZIP (PC) > SCAN /a C: Almost correct, use SCAN C: /a > do the procedure like UNZIP->SCAN->ZIP Wrong, use UNZIP -> SCAN -> Delete uncompressed files. You can use the original archive, since unzipping it, does not, and should not, delete it. Fred - --- * Origin: Fred's Place (9:9931/1) ------------------------------ Date: Thu, 16 Sep 93 12:26:00 +0200 From: Fred_Janssen@f1.n9931.z9.virnet.bad.se (Fred Janssen) Subject: CRUNCH21.COM (PC) > I am sending the first and second generation of this > to David Chess, > Fridrik Skulason, and Wolfgang Stiller. May I suggest to include McAfee Ass. (support@mcafee.com) to be included in your list ? Most people depend on that product. Fred - --- * Origin: Fred's Place (9:9931/1) ------------------------------ Date: 20 Sep 93 12:53:51 +0000 From: bennett@keylime.cis.ufl.edu (Paul Bennett) Subject: Satan Bug virus (PC) Recently I have been getting reports of a virus F-prot209d refers to as the Satan Bug virus locally. It may be coincidental, but both PC class systems running Dos 6.0 had problems with keyboard charactors. In one case, all keyboard entries were switched to upper case only. In the other case, the "-" key was not recognized. In the second case, pkzip 204g would not run either. Again, may be unrelated, as I do not have any info on Satan Bug. Has anyone else run into this virus before. So far, FP-209D has reported it in one gif file and a couple of *.pcc files that were part of a game. While I grant the files may be false positives, still, FP-209D checked the same files on another system and showed them clean. Paul R. Bennett Senior Electronics Technician/CIS Department, University of Florida. ------------------------------ Date: Mon, 20 Sep 93 18:23:50 +0000 From: dunne@plains.NoDak.edu (Joseph Dunne) Subject: Stoned virus.... (PC) I recently got the stoned virus on my boot sector. F-protect says it cannot remove the virus. Does anyone know of a way I can remove it without re-formatting my hard drive? Thanks. Joe. - -- - ----------------------------------------------------------------------------- | Joseph Dunne | "There is no such thing as | | dunne@plains.NoDak.edu | coincidence, it's just God's | | | plan in action." Lee Hoedl | - ----------------------------------------------------------------------------- ------------------------------ Date: Tue, 21 Sep 93 07:20:44 -0400 From: FWF%GISA.UUCP@GERMANY.EU.NET Subject: Tremor Virus and McAfee VIRUSCAN (PC) In Germany the "Tremor" virus is a widespread virus. McAfee VIRUSCAN 9.17 V 106 identified - not always - this virus as "Tremor" with the following entry in VIRLIST.TXT: Tremor [Tremor] Clean-Up . x x x x x x . . . Varies O P The new version 9.18 V 107 identifies - more often - this virus now as "Tremor2" with the following entry in VIRLIST.TXT: Tremor2 [Tremor2] Clean-Up . x x x x x x . . . Varies O P The "Tremor"-entry was removed or replaced and there is now only the "Tremor2" identification. No other anti-virus product uses and knows a "Tremor2" virus. We had a lot of questions, if this is a "special (?)" Tremor variant and what are the diffences of Tremor and Tremor2. Question to McAfee Company: Why uses scan V107 this curios identification name ? Regards, Frank W. Felzmann - ---------------------------------------------------------------- G German I Information <> Voice +49-228-9582-248 S Security <> FAX +49-228-9582-400 A Agency - ---------------------------------------------------------------- "It's a Snark!" ... Then the ominous words, "It's a Vir--" - ---------------------------------------------------------------- ------------------------------ Date: Tue, 21 Sep 93 13:30:40 -0400 From: minchin@widget.seas.upenn.edu (Min-Chin Hsiao) Subject: Cansu(V-Sign) virus...... (PC) Hi Netters, I thought I could trust Central Point Anti-Virus but it did let me down very badly.... maybe I am too harsh to say this but this is what I have seen on my computer............. My hard disk was infected by V-Sign virus after lending to a friend. This virus, I think, creats a copy of it's own BOOT.CPS which Bootsafe in CPAV uses to check against hard disk boot sector and partition table. Needless to say, nothing was reported wrong with Bootsafe. I am not sure if this virus is CPAV specific but judging from the way it behaves, it seems like it is. The Virus was detected by f-prot 209d and ViSpy version 11.0. CPAV failed to recognize anything wrong with MBR and partition table. The TSR, VSafe did not prevent MBR from being overwritten. To my disappointment, CPAV that comes with PCTOOLS v8 and For windows could not recognized this virus after scanning through it's database. It also kind of surprise me that this virus is specifically designed to work around CPAV. I hope some people out there can tell me more about this virus. Has anyone tried the newest Version of CPAV... Version 2???? Many Thanks. Min-Chin Hsiao minchin@eniac.seas.upenn.edu ------------------------------ Date: Tue, 21 Sep 93 13:40:51 -0400 From: dsantill@s850.mwc.edu (Daniele M. Santillo) Subject: Hong Kong? (PC) Recently, a virus has been discovered in my college's computer lab. According to the scanner, it's called Hong Kong. I haven't touched the pc's so I'm just relating what I heard. The main thing of this virus is that if you try to write to a disk, the disk gets completely trashed. Anyone know anything about it? <====================================================================> Daniele M. Santillo "If everything seems to be going well, dsantill@s850.mwc.edu you obviously don't know what the HELL Marshall 125 x4479 is going on!!!" <====================================================================> ------------------------------ Date: Tue, 21 Sep 93 19:05:55 -0400 From: nathan@remus.rutgers.edu (Nathaniel Schiffman) Subject: Re: boot viruses, without booting from an infected disk (PC) >James W. Kaiser, , reports: >> >> I have a friend who got infected by a boot sector virus and claims the >> machine was _never_ booted with the infected floppy in the machine. I don't >> see how this is possible. I suspect it actually happened but he just doesn't >> remember it. Is it possible? I've seen cases where someone is using WordPefect, and they load in a file off an infected disk (or save a file to the disk) and the hard drive that WordPerfect is on gets infected with the virus. Scary, eh? We used Vshield to stop that. ------------------------------ Date: Sun, 19 Sep 93 09:36:35 -0400 From: HAYES@urvax.urich.edu Subject: McAfee's 108 series (PC) Hello. The 108 serie of AV software from McAfee Associates is now available (DOS version only). These files now reside in our [antivirus] directory, ready for FTP. Source: oak.oakland.edu. Enjoy, Claude. - ------ Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Mon, 20 Sep 93 16:27:13 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: New files on our ftp site (PC) Hello, everybody! I have made available for download from ftp.informatik.uni-hamburg.de the following files: directory /pub/virus/progs/: fp-209f.zip - F-Prot 2.09f - obtained personally from the author about a week ago. ds231c.zip - DiskSecure 2.31c - a bugfix version of Padgett's program. vsumx308.zip - VSUM 9308. nav21upd.zip - Virus definition updates for NAV 2.1 directory /pub/virus/texts/viruses/: virlib.zip - My paper about how to maintain a good virus collection, presented at the Virus Bulletin conference. Suggested reading for all virus collectors out there... :-) directory /pub/virus/texts/security/: crc.zip - Everything you ever wanted to know about CRCs (but were afraid to ask). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 124] ******************************************