
	     The Scanner - The Anti-Virus Newsletter of Today
			      March 1995
			 Volume 1    Issue 2

     The Scanner is a newsletter compiled by Howard Wood with the
help of many people in the Anti-Virus community and Anti-Virus researchers 
as well as users.  The information contained within the newsletter is public 
domain.  Any article or part of an article is free to copy as long as the 
proper credits go to the author of such article.

     The Scanner is in no way liable for the accuracy of any or all 
information it is passing along. The sole responsibility for the data 
contained in the articles remains with the original author. While accuracy 
and facts are the paramount goal of The Scanner, it is humanly impossible 
to verify all information and guarantee its accuracy 100%.

     The goal of The Scanner is to disseminate as much information to as 
widespread a group as possible. Researchers, developers and users alike need 
various levels of information to deal with the viruses, Trojans and hacks 
that are encountered daily.  The Scanner will *attempt* to pass along viable 
information for all groups.
       
     Any and all constructive criticism and suggestions are welcomed
and encouraged.  Send all responses to the addresses below.
	    
     My PGP public key available upon request.  You can send any files you 
suspect of viral infection or know to have viral infections, hacks or 
suspect files to the same addresses.  Please include the name of the 
program the file was discovered in and your name and address so the alert 
notices can be a little more accurate than "there is a virus out there!!".                                

     Most of all, The Scanner is *your* newsletter.  If you have encountered 
any viruses, Trojans, or hacked programs let us know.  We need to all work 
together to combat the problems out there.  Since the last issue there have 
been some address changes.  Any correspondence with either The Scanner staff 
or Howard Wood can be sent to the following addresses:

	       The Scanner     SCNR@aol.com
	       Howard Wood     HRRWood@aol.com
			       Howard.Wood@Flagship.org   

============================================================================
			  CONTENTS

     Article                                 Author
----------------------------------------------------------------------------
New Times     .............................  Howard Wood
AV Around the World
    Argentina .............................  Ruben Arias
    France    .............................  Gerard Manning
The Vanguard
      Retroviruses ........................  Mikko Hypponen
The ProShop
    FRODO recovery ........................  Wolfgang Stiller
    Dealing with B1 ( NYB ) ...............  Henri Delger
    A Friendly Warning ....................  Rob Slade
The Book Shelf ............................  Rob Slade
		       Reviews on:
    "The Trail Guide to Compuserve" .......  Robert R. Wiggins
    "E-Mail Security" .....................  Bruce Schneier
Hacks,Viruses and Trojans .................  Howard Wood
     Doom ][ Trojan .......................  Bryan Joyce
     DNMCHEAT.ZIP .........................  Steven Hoke
     PC Board .............................  Bill Lambdin                  
Preliminaries .............................
     Page 10 Virus ........................  Bill Lambdin
     TiaPan.666 ...........................  Wallace Hale
From The "JUNK" Yard ......................  Howard Wood
     Dealing with Junkie ..................  Henri Delger
     Junkie Alert .........................  Noel Rode
New Releases ..............................  Howard Wood
     Integrity Master V2.42 ...............  Wolfgang Stiller
From Woody's Desk .........................  Howard Wood
============================================================================
			    New Times

     Well, here we are again.  It's the end of February and there are more
things going on than one can keep up with.  Starting this month, The Scanner 
will be a monthly publication.  The next issue should be out about the 
beginning of March.  This will be on a trial basis.
     We have some great stuff this month.  We have changed the format a bit 
again in an attempt to find just the right format.  We have tips from the 
pros in The Proshop.  We have information from around the World in the AV 
Around The World section.  As promised, this issue has Mikko Hypponen's 
treatise on Retroviruses (Part 1).  A brilliant piece of work; don't skip it. 
We of course have the usual book reviews and virus info.  So, sit back, get 
comfortable and let us know what you think.

				    Woody

=============================================================================
			     AV Around the World

			      ARGENTINA
			      ---------

I am pleased to introduce Ruben Mario Arias.

Ruben is a new member of The Scanner staff and I can see already he is 
going to be a great asset.  He first encountered a virus in 1989 (Ping Pong A) 
and was curious enough to pursue the subject.  As it turns out, Ruben now owns 
his own computer security company called RALP Computer Security.

Ruben's home is in Buenos Aires, Argentina, where he and his wife, Alejandra, 
live.  Ruben is 34 years old and enjoys music and working out at the gym.  
Ruben also writes in a local virus and security magazine called 
"Diskette Magazine".

Welcome aboard, Ruben; we look forward to working with you in the future
and welcome the news from Argentina.


VIRUS SITUATION IN ARGENTINA.
-----------------------------
Ruben Arias

Since the end of 1993 many groups of the "underground" have been programming 
new threats and increasing the population of "known" viruses in Argentina.

The situation is no different at all for the countries bordering Argentina, 
like Uruguay, Chile and Brazil. Each country has its very own local viruses 
that enter Argentina by frontier points or by companies representing these 
countries here.

Many local Virus Interchange BBSs complement the activities listed above and
this situation will increase in the future. The viruses are not complex at 
all but the people who program them are learning quickly. An example of this 
was a local virus (Avispa) that many researchers consider polymorphic. 

I don't wish to make "free" publicity for the groups so I will not mention 
them by their "War_names". 


 ------------------
|     Vinchuca     |
 ------------------

Preliminary analysis of Vinchuca virus by Ruben M. Arias 
(RALP Computer Security)


Name        : Vinchuca.
Size        : 925 Bytes.
Infects     : .COM files only.
Scan string : B0 B8 BF 1D 01 2E 38 05 74 13 F9 BE 1D 01 72 01.
In the wild : Yes.
Interrupts  : Hooks interrupt 21h.
Load Address:  ---
Polymorphic : No.
Resident    : Yes.
Size in RAM : 1232 bytes.
Stealth     : No.
Text        : Not visible.
Type        : Infects .COM files, and the virus locates itself at
	      the beginning of the infected host files.
	      Does not infect COMMAND.COM.
Unusual     : When some small .COM files are executed, the system crashes
	      (hangs). When the virus tries to infect a write-protected 
	      diskette no message is shown. 
Other info  : This virus was submitted to Wolfgang Stiller.
===============================================================================


 ------------------
|     Patoruzu     |
 ------------------

Preliminary analysis of Patoruzu Virus by Ruben M. Arias
(RALP Computer Security)


Name        : Patoruzu.
Size        : 1024 Bytes.
Infects     : .COM files only.
Scan string : 4D 59 00 F1 E5 EB 53 2D 13 3D BF 59 15 25 21 BD BF 0D BF 65 15.
In the wild : Yes.
Interrupts  : Hooks interrupt 13h and 21h.
Load Address:  ---
Polymorphic : No.
Resident    : Yes.
Size in RAM : 1360 bytes.
Stealth     : No.
Text        : (In the begin of file: TOMY)
Type        : Infects .COM files, and the virus locates itself at
	      the beginning of the infected host files.
	      Does not infect COMMAND.COM.
Unusual     : Some small .COM files are infected but then do not run.
	      When the virus tries to infect a write-protected diskette DOS 
	      reports a write protect error.
Other info  : This virus was submitted to Wolfgang Stiller.
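The two analyses above each give a hex scan string. The following is an added example, not code from the newsletter or from RALP Computer Security, showing how a signature scanner turns such a published scan string into a byte search over .COM files (both viruses infect only .COM files). It goes one step further than the entries themselves: an "all files" mode, because an infected file renamed to a non-executable extension would otherwise be skipped. The sample files, including the host stub, are constructed here and contain only the printed patterns, not virus code.

```python
"""Minimal scan-string scanner (added example, not the newsletter's or
RALP's code).  Uses the two hex scan strings printed above to show how
a signature scanner searches files for a published pattern."""
import os
import tempfile

# Scan strings exactly as printed in the Vinchuca and Patoruzu entries.
SCAN_STRINGS = {
    "Vinchuca": "B0 B8 BF 1D 01 2E 38 05 74 13 F9 BE 1D 01 72 01",
    "Patoruzu": "4D 59 00 F1 E5 EB 53 2D 13 3D BF 59 15 25 21 BD BF 0D BF 65 15",
}


def parse_scan_string(text):
    """Turn 'B0 B8 ...' (spaces, optional trailing dot) into bytes."""
    return bytes.fromhex(text.replace(".", "").replace(" ", ""))


SIGNATURES = {name: parse_scan_string(s) for name, s in SCAN_STRINGS.items()}


def scan_file(path, signatures=SIGNATURES):
    """Return a list of (virus_name, offset) for every signature hit in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for name, sig in signatures.items():
        offset = data.find(sig)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(sig, offset + 1)
    return hits


def scan_tree(root, all_files=False, signatures=SIGNATURES):
    """Scan .COM files under root; with all_files=True scan every file,
    which catches an infected file renamed to a non-executable extension.
    Returns {relative_path: [(virus_name, offset), ...]} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not all_files and not fname.lower().endswith(".com"):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full, signatures)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_samples(root):
    """Constructed samples: a clean .COM stub, a .COM carrying the Vinchuca
    pattern at offset 0 (the virus sits at the start of its host), and the
    same file renamed to a .XEX extension.  The stub is just an exit call."""
    clean = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 64  # mov ax,4C00h / int 21h / padding
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "CLEAN.COM"), "wb") as fh:
        fh.write(clean)
    with open(os.path.join(root, "HOST.COM"), "wb") as fh:
        fh.write(SIGNATURES["Vinchuca"] + clean)
    with open(os.path.join(root, "HOST.XEX"), "wb") as fh:
        fh.write(SIGNATURES["Vinchuca"] + clean)


def demo():
    """Build the samples in a throwaway directory and scan them both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_tree(tmp), scan_tree(tmp, all_files=True)


if __name__ == "__main__":
    com_only, everything = demo()
    print("COM only :", com_only)
    print("all files:", everything)
```

A scan string is a preliminary indicator, not an identification: as Gerard's and Mikko's pieces elsewhere in this issue note, naming varies between scanners and a short string can also match legitimate code, so a hit should be confirmed with a full-featured scanner run from a clean boot.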

		       ***************************

				 FRANCE
				 ------
     Gerard Manning is an Anti-Virus researcher in France.  Apparently there 
aren't too many in the field in France.  Gerard gives us the stats from '94
on the virus situation in France.

     Gerard has a degree in Science Technology and is attending school again
in pursuit of a Computer Science degree.  We are glad he has joined the 
'gang' at The Scanner and we look forward to working with him in the future.

     I asked Gerard what RECIF stood for.  Here is what he had to say:

It is a French acronym standing for:

Recherches et
Etudes sur la 
Criminalité
Informatique
Française

which could be translated as 'French Computer Criminality Research Center'.

Here is the message announcing the creation of RECIF that I posted 
months ago in the comp.virus newsgroup:

The RECIF society ('Recherches et Etudes sur la Criminalité
Informatique Française') aims at the exchange of experiences and ideas to 
fight computer criminality. These exchanges may take place both between 
RECIF members and with national/international societies working in 
computer security. The main activities of RECIF are recording, collecting 
and studying all information about computer foul-play. RECIF members meet 
regularly and publish both documents and utilities relating to their goals 
for individuals, corporations and the media.

RECIF has just finished gathering virus attack stats for 1994

Virus names stated hereafter are common names. Due to the variety of scanners
used, it is impossible to present a CARO-naming listing in this posting. We
plan to improve this as time goes on.

1994 virus attacks

Virus name         % of total attacks reported          Cumulative %

Form                    20.7                             20.7
Jumper                  19.7                             40.4
Parity_Boot             9.6                              51
AntiEXE                 8                                59
Stoned family           5.3                              64.3
Tequila                 4.8                              69.1
'Generic' Boot/MBR       3.7                              72.8
Cascade                 2.7                              75.5
Cansu                   2.6                              78.1
Yankee Doodle           1.9                              80
Flip                    1.7                              81.7
Jack_The_Ripper         1.7                              83.4
AntiTel                 1.5                              84.9
No_Int                  1.3                              86.2
Maltese Amoeba          1.2                              87.4
Michaelangelo           1.2                              88.6
French_Bug              1                                89.6
miscellaneous           11.4                             100

Contributors


What about 1995 ?

Forecasting is always somewhat hazardous. Our wish is rather to convince
France-located companies (regardless of where their respective HQs reside)
to report to us the viruses they are infected with. Demonstrating how 
important this *actually* is is not within the scope of this posting.

Apart from collecting samples for AV tool improvement and/or study purposes, 
such reports would allow RECIF to improve the accuracy of its stats, 
increase its usefulness in providing advice to companies/individuals who 
are victims of viruses, and strengthen its position when RECIF collaborates 
with Police Departments.

EDITOR'S NOTE:  Gerard can be reached at manning@world-net.sct.fr if you
		would like more information.

=============================================================================
			     
			     RETROVIRUSES
			   By: Mikko Hypponen

Again, The Scanner thanks Mikko for his generosity and time.  The
following article is taken from the FP Bulletins for 2.14 and 2.15.
Mikko attended the Virus Bulletin Conference in '94 and presented 
this brilliant paper.  Don't miss the second half in the next issue 
of The Scanner!!!

Retroviruses - how viruses fight back
-------------------------------------

Mikko Hyppönen, who works in Data Fellows Ltd's F-PROT
support, presented the following treatise at the Virus
Bulletin '94 conference. 

"The GoldBug virus has extensive anti-anti-virus routines.
It can install itself while several resident anti-virus
monitors are running. It will prohibit most popular anti-
virus programs from running, and will also by-pass several
integrity checking programs"   -from the original source
code of the GoldBug virus

Abstract
--------
This paper will discuss the methods viruses use or might use
in the future to attack anti-virus programs. Attacks of this
kind are becoming more common, as virus writers seem to be
constantly looking for ways to make their viruses more
efficient and vigorous. This paper also suggests how to make
anti-virus products more resistant to such attacks. The
scope of this paper is limited to PC-compatible machines.

Introduction
------------
There is a constant battle going on between computer virus
authors and virus fighters. Virus writers are looking for
ways to create more complicated, more difficult-to-analyse
and more inconspicuous viruses. At the same time, anti-virus
people are building methods to address these threats.

It's not surprising that virus authors have realised that
anti-virus tools are one of their creations' worst enemies.
The logical step for them has been to make their viruses
fight back, either directly or indirectly.

Several viruses explicitly target anti-virus programs. The
attack routines may be generic or targeted against a
specific program. Many virus authors obviously consider an
attack to be the best defence, when the objective is to keep
the virus alive in order to spread it as widely as possible.

There is a battle going on in computer systems world-wide -
it's survival of the fittest, one might say. Hopefully, this
paper will provide some ideas how to make anti-virus
applications fitter than viruses.

A virus that fights back
------------------------
For the purposes of this paper, a retrovirus is defined as
follows:

Retrovirus is a computer virus that specifically tries to
by-pass or hinder the operation of an anti-virus program or
programs. The attack may be specific to a known product or a
generic one.

Retroviruses are sometimes known as anti-anti-viruses. Anti-
anti-viruses should not be confused with anti-virus-viruses,
which are viruses that will disable or disinfect other
viruses. To avoid confusion, the term retrovirus will be
used here.

The creation of a virus which incorporates retro-routines is
not necessarily a difficult task. In most cases, virus
writers have access to the anti-virus programs they want to
by-pass. All they need to do is experiment by trial and
error until they find a way to attack the anti-virus program
in a way the anti-virus developer has not foreseen.
[Siilasmaa]

Some virus authors have gone all the way and disassembled
the offending anti-virus programs in order to find the most
effective way to attack them. They often look for methods to
attack a product in a way that would be most difficult to
circumvent in future versions of the product.

As the virus authors are pretty efficiently connected to
each other via different types of electronic networks,
information on how to attack specific products spreads
quickly.

It should be noted that virus writers typically have access
to only those anti-virus products that are available as
freeware or shareware. Some virus exchange BBS systems are
known to make pirated copies of commercial products
available, but the shareware products seem to be targeted
most often [Fellows].

It can be expected that more retroviruses, using more
advanced retro-routines, will be seen in the future.

Rules of the game
-----------------
Viruses using retro-routines started to show up during late
1980's - before that, there was no point in creating
retroviruses, as anti-virus products weren't widely used. As
the popularity of anti-virus programs has grown, so has the
number of viruses that attempt to subvert them in some way.

Several approaches are possible, including:

-   modifying the code of an anti-virus program file or the
    image in memory

-   detecting when an anti-virus program is activating, and
    either hiding itself, stopping the execution of the
    program or triggering a destructive routine

-   altering the computing environment in a way that affects
    the operation of an anti-virus program

-   using methods in the virus code that cause problems for
    anti-virus programs

-   exploiting a specific weakness or a backdoor in an anti-
    virus program

-   using generic methods that generally make it difficult or
    potentially dangerous to detect, identify or disinfect the
    virus

The basic principle is that the virus must somehow hinder
the operation of an anti-virus program in such a way that
the virus itself benefits from it.

Methods like encryption, stealth, polymorphic routines, code
armouring, anti-debugging tricks and confusion code can also
be considered attacks against anti-virus programs. However,
they are often generic in type and therefore outside the
scope of this paper.

Attacks against non-resident scanners
-------------------------------------
Non-resident scanners are probably the most commonly used
anti-viral products. They are also the favourite target of
real-world retroviruses.

There are several different ways a scanner can be attacked.

Deletion and replacement

A virus can locate the anti-virus program and delete it. A
more sophisticated attack would be a modification or a patch
that would alter the operation of the scanner in a way that
would be beneficial to the virus. A virus could locate the
search strings used by the scanner and overwrite them,
making the scanner unable to find any virus, but still
appear to be functional.

A virus can replace the scanner program with a Trojan horse
which could trigger a damage routine when run or just simply
display an error message and abort. Such an error message
would also make the scanning product look bad in the eyes of
the users, especially if the error message would be
something like 'only 620kB of free DOS memory, unable to
run' or 'BRUN30 GW-Basic run-time library not found,
aborting'.

If the virus stays resident in memory, it can do similar
attacks when it sees that an anti-virus program is executed.
It can also by-pass a self-check routine of an anti-virus
program by patching it only after the application has
finished the check on its own code.

Modification of parameters

There is at least one known case of a virus that modifies
the command-line parameters when it sees a specific anti-
virus program to be started (see below). This technique
allows the virus to modify the operation of the scanner to
its advantage without patching the actual program code.

A similar attack in which the virus modifies the
configuration file of an anti-virus program might also be
possible - these files are often left unencrypted and are
not checked for such modifications.

Altering the output

If the visual interface of the anti-virus program isn't
complex (ie. command-line driven), it might be feasible for
a retro-virus to mimic the operation of the program. This
way, the user might not notice anything strange.

A variation of the theme would be that the virus would patch
the texts displayed by the product. If the text string
'Virus found!' were to be changed to 'All clear!', a typical
user wouldn't probably doubt anything.

In many installations, anti-virus programs are run
automatically and the alarms are set off depending on the
exit codes (errorlevels) returned by a program. A successful
attack on such a system might consist of a retrovirus that
would always set the return-code of an anti-virus program to
zero.

False false alarms

Scanners are prone to false alarms ie. detecting a virus in
a clean file. Viruses can use this as one way to attack. If
a virus incorporates code sections from popular
applications, it is quite possible that an anti-virus vendor
without a proper false-positive testing routine might
include a search string that would cause a large amount of
false positives.

One way to implement this kind of an attack would be to
include an encryption routine to a virus, but borrow the
decryption code from some known application - the encryption
would limit the traditional search strings to only strings
that would cause false positives, and this in itself would
cause problems for some scanning products.

Problems with packed files

Several scanners are able to scan inside compressed
executables that have been packed with some of the most
popular EXE-packers. Some scanners do not scan packed files
at all, but only flag them as packed so the user is aware of
them. This provides one way a virus could cause problems for
a scanner. If a virus used a section of fake code that would
make an infected program look like it had been packed, it
could by-pass the scanning by such a product completely. The
virus could also replicate in packed form, making it even
more difficult for some scanners to detect.

A similar attack might be possible against products that
actually unpack the programs and scan underneath the
packing. In order to uncompress the program, the scanner
fetches program info from the unpacking code. If this code
contained irrational values, it could cause some scanners to
crash or run out of memory.

One man's data is another man's code

Almost all scanners default to scanning only the executable
files instead of all files. File type is usually determined
by the extension (ie. COM, EXE, SYS).

Since a virus can control the system in any way it wants,
one way to by-pass a scanner would be to change the file
extensions of all infected files to non-executable ones, for
example from EXE to XEX. While the virus is resident in
memory, it can use stealth techniques to hide this change -
but it will also make sure that all executables copied to
floppies have the valid extension, to ensure that the virus
gets a chance to spread. The advantage of such a method is
that even if the machine is booted up from a clean diskette
and all executables are scanned with a scanner that can
detect the virus, it will only be found in the initial
carrier file.

Exploitation of technical limits

A virus writer could analyse in detail how a scanner
actually does the scanning and develop infection methods
that cause detection problems for a specific scanner. The
virus doesn't have to be difficult to find - it is enough
that it is very slow to search for.

The Command Bomber virus is an example of this: it inserts
its code in the middle of the host file and builds a
complicated series of branching commands to transfer the
flow of the program code to the actual code. The detection
of such virus would force some scanners to scan the whole
file from the beginning to the end - which would be enough
to make them unusably slow.

Attacks against resident scanners and behaviour blockers
--------------------------------------------------------
Resident anti-virus programs are vulnerable to special
attacks. Since DOS does not provide any kind of memory
protection, a program can modify the memory space of another
program. This makes it possible for a virus to locate and
patch or disable a resident scanner or a behaviour blocker.

Unloading the protection

Some anti-virus TSRs can be unloaded from memory (actually,
they will have to be unloadable if the product is to be
Novell-certified). If such mechanisms exist, they can
also be called by a virus. Viruses use this method quite
successfully with some products for which it is known to
work.

Through the back door

Practically every TSR scanner has a back door, which is used
by the non-resident scanner of the same package. This back
door either turns off the checking done by the TSR or
provides an alternative access method to the file system. If
such a back door did not exist, the TSR part would clash
with the normal scanner, as the TSR would notice an
infection when the non-resident part would open an infected
file for scanning.

A virus can use such back doors for its own benefit, either
disabling the resident part or by using the clean path to
file system provided by the TSR.

Yet another way for a virus to attack a resident scanner is
to observe the display routines, and trap the alarm messages
displayed by the TSR. If the user never sees the alarm
messages of the TSR, the protection is not doing its job.

* To be continued in the next Scanner *
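The sections 'Deletion and replacement', 'Modification of parameters' and 'Altering the output' above describe attacks on the scanner program, its configuration file and its errorlevel, and the paper notes that configuration files are usually not checked for modification. The following is an added example, not code from the paper, from Data Fellows or from any product, of the countermeasure an operator can put around a command-line scanner: record hashes of the executable and its configuration, re-verify them immediately before and after each run (the paper points out that a resident virus may patch the program only after its own self-check has finished), and treat the errorlevel as meaningful only if both checks pass. The file names SCAN.EXE, SCAN.CFG and BASELINE.JSN are hypothetical and the files are constructed in a temporary directory.

```python
"""Integrity gate around a scanner run (added example; not from the paper
or any anti-virus product).  Verifies the scanner and its config before
and after the run, so that a forced errorlevel of zero is not mistaken
for a clean result."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths, baseline_file):
    """Store {path: sha256} for the scanner and its config.  Keep this file
    on write-protected media; a baseline the virus can rewrite proves nothing."""
    baseline = {p: sha256_of(p) for p in paths}
    with open(baseline_file, "w") as fh:
        json.dump(baseline, fh)
    return baseline


def verify_baseline(baseline):
    """Return the list of paths that are missing or whose hash has changed."""
    bad = []
    for path, expected in baseline.items():
        if not os.path.exists(path) or sha256_of(path) != expected:
            bad.append(path)
    return bad


def trusted_verdict(run_scanner, baseline):
    """Run the scanner (a callable returning its errorlevel) between two
    integrity checks and map the result to a verdict:
      'clean'     integrity held before and after, errorlevel 0
      'infected'  integrity held, errorlevel non-zero
      'untrusted' scanner or config altered; the errorlevel means nothing."""
    if verify_baseline(baseline):
        return "untrusted"
    errorlevel = run_scanner()
    if verify_baseline(baseline):          # patched after its own self-check?
        return "untrusted"
    return "clean" if errorlevel == 0 else "infected"


def demo():
    """Constructed scenario: stand-in scanner and config files, then the
    config is tampered with as in the 'modification of parameters' attack."""
    with tempfile.TemporaryDirectory() as tmp:
        scanner = os.path.join(tmp, "SCAN.EXE")      # hypothetical names
        config = os.path.join(tmp, "SCAN.CFG")
        with open(scanner, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 100)           # constructed stand-in, not a real program
        with open(config, "w") as fh:
            fh.write("SCAN=ALL\n")
        baseline = record_baseline([scanner, config],
                                   os.path.join(tmp, "BASELINE.JSN"))
        clean = trusted_verdict(lambda: 0, baseline)      # scanner reports errorlevel 0
        infected = trusted_verdict(lambda: 3, baseline)   # scanner reports a find
        with open(config, "w") as fh:                     # tamper with the config
            fh.write("SCAN=NONE\n")
        forced_zero = trusted_verdict(lambda: 0, baseline)  # errorlevel 0 no longer counts
        return clean, infected, forced_zero, verify_baseline(baseline) == [config]


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the environment it runs in: with a stealth virus resident, even the hash computation reads what the virus lets it read, so the baseline and the verification belong on a clean boot diskette rather than on the hard disk being checked.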

============================================================================
			   
			   The Pro-Shop

     This is a new section of The Scanner.  So many times I have seen good 
tips on the various conferences I haunt that I thought I would start posting 
them in The Scanner.

			      *********

    On the subject of the FRODO virus, Wolfgang Stiller (the author of
    Integrity Master) says:

With Frodo (as with many Stealth viruses), you can get the virus to 
disinfect itself by copying infected files to non-executable extensions 
(e.g. COPY *.COM *.COO and COPY *.EXE *.EXX), booting clean and then 
renaming the files.

			      *********

     Henri Delger (security consultant for PRODIGY) gives some advice to a 
troubled user who has come across the B1 virus (also known as NYB):

>I've been infected by the B1 virus.  I have no idea how to get rid of 
>it as F-Prot will not run with the virus in memory.  Here's what 
>happens:
>F-Prot comes up and scans memory.  96% of the way through the scan I 
>get a red-screened message that states that B1 is in memory (though may not 
>be active).  I have booted from many clean floppies and each time I run 
>F-Prot, I get the same message.

HD>The floppies don't appear "clean" from what you report.

> Running F-prot with the /nomem switch will allow me to run the
>program, but I can't find any sign of infection (B1 works!  Go figure...).  

HD>It's stealth, and controls memory, mis-directing disk reads.

>IBM AV, which I consulted for a second opinion, does the same 
>thing F-Prot does--reports a virus and stops.

	(Henri goes on to explain more about B1)

     You need to power down and reboot from an UNinfected floppy.
B1, also known as NYB, is a Boot Sector Virus, which starts from an 
infected PC.  It's in memory all the time, and writes part or all of its 
code to Sector #0, which all diskettes have.  It makes no difference to 
the virus what is on the disk, or even whether the diskette is bootable 
or not, and infects diskettes in both A> or B> drives, if they are 
not already infected, or write-protected.  

     B1/NYB moves the diskette's original Boot record code to the last 
sector of the area used by the Directory, and if the disk has files 
listed in the overwritten sector, this will cause the loss of entries of 
files, deleted files, and sub-directories in the root. 

    The files could still be located in the file storage area of the disk, 
and could be recovered using CHKDSK /F, or a utility program, but since 
they are no longer listed in the Directory, they may be overwritten, as 
other files are later stored on the diskette.  

    Once the virus is on the diskette, if that diskette is later in the 
A> drive of another PC at power-up, or when re-booted with Ctrl-Alt-Del, 
the Boot sector is read, the virus takes control of memory, and infects 
the hard disk, moving the partition/MBR data to the last sector (#17) of 
Track Zero, and writing its code to the first sector.  

    Ordinarily, data are not lost from the hard disk, because Sector 17 
which the virus thus overwrites is not used by DOS.  However, disks 
formatted in a non-standard manner, other than with DOS, will lose data 
from Sector 17. 
     
     B1/NYB is loaded into memory at every boot-up thereafter.  It's considered 
a "stealth" virus, since besides giving no outward sign of its presence, 
while in memory it can keep anti-virus and disk utility programs from reading 
the infected Partition/MBR sector, where the virus code is.  It does this by 
re-directing attempted reads of the infected MBR or boot sector to the sector 
which has a copy of the original, un-infected code.
     
     One peculiarity of the virus is that if it's in memory, DOS sometimes 
cannot read infected high-density diskettes.  "General Failure" messages 
may occur, and disk utility programs can be deceived, reporting (erroneously) 
that the Boot Record is "invalid," that the Media Descriptor Byte is 
"incorrect," and that File Allocation Tables are corrupt.  Unfortunately, 
correcting these non-existent errors will cause data loss.

HENRI DELGER
XWWC29A@prodigy.com
BBS: (617) 471-3455
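Henri's post describes the boot-record symptoms a disk utility reports ("invalid" boot record, "incorrect" media descriptor byte) and where B1/NYB puts the original boot record on a diskette (the last sector of the directory area). The following is an added example, not code from Henri's post or from any disk utility, of the checks such a utility performs on a DOS boot sector: it parses the BIOS Parameter Block at the standard offsets, lists the inconsistencies, and computes the root-directory sector range from the BPB, which is where a recovery tool would look for the saved original according to the post. The sample 1.44 MB boot sector is constructed inline. Henri's caveat applies in full: while the virus is resident, reads of sector 0 are redirected to the saved original, so a check like this is meaningful only after booting from a write-protected, known-clean diskette.

```python
"""DOS boot-sector sanity checker (added example; not from Henri Delger's
post or any disk utility).  Parses the BPB of a FAT12/FAT16 boot sector
and reports the inconsistencies a disk utility would complain about."""
import struct

SECTOR_SIZE = 512
# Standard BPB layout starting at offset 0x0B: bytes/sector (H), sectors/cluster (B),
# reserved sectors (H), FAT count (B), root entries (H), total sectors (H),
# media descriptor (B), sectors/FAT (H), sectors/track (H), heads (H).
BPB_FORMAT = "<HBHBHHBHHH"


def parse_bpb(sector):
    """Return the BPB fields of a boot sector as a dict."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    (bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads) = struct.unpack_from(BPB_FORMAT, sector, 0x0B)
    return {
        "jump": sector[0],
        "oem_name": bytes(sector[3:11]),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_count": fats,
        "root_entries": root_entries,
        "total_sectors": total,
        "media_descriptor": media,
        "sectors_per_fat": spf,
        "sectors_per_track": spt,
        "heads": heads,
        "signature": struct.unpack_from("<H", sector, 510)[0],
    }


def check_boot_sector(sector):
    """Return a list of problem strings; empty means the sector looks sane."""
    bpb = parse_bpb(sector)
    problems = []
    if bpb["jump"] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP opcode")
    if bpb["signature"] != 0xAA55:
        problems.append("boot signature 55 AA missing")
    bps = bpb["bytes_per_sector"]
    if bps not in (512, 1024, 2048, 4096):
        problems.append("bytes per sector %d is not a DOS value" % bps)
    elif bpb["root_entries"] == 0 or (bpb["root_entries"] * 32) % bps:
        problems.append("root directory size is not a whole number of sectors")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster %d is not a power of two" % spc)
    if bpb["fat_count"] not in (1, 2):
        problems.append("FAT count %d is unusual" % bpb["fat_count"])
    media = bpb["media_descriptor"]
    if media != 0xF0 and not 0xF8 <= media <= 0xFF:
        problems.append("media descriptor byte %02X is incorrect" % media)
    if bpb["reserved_sectors"] == 0 or bpb["sectors_per_fat"] == 0:
        problems.append("reserved sectors or sectors per FAT is zero")
    return problems


def root_directory_span(sector):
    """(first, last) logical sector of the root directory, from the BPB.
    Per Henri's post the original boot record is saved in the last sector
    of the directory area, so 'last' is where a recovery tool would look."""
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] == 0:
        raise ValueError("bytes per sector is zero; BPB unusable")
    first = bpb["reserved_sectors"] + bpb["fat_count"] * bpb["sectors_per_fat"]
    count = bpb["root_entries"] * 32 // bpb["bytes_per_sector"]
    return first, first + count - 1


def build_sample_sector(media=0xF0, signature=0xAA55):
    """Constructed 1.44 MB floppy boot sector: 512 b/s, 1 s/c, 1 reserved,
    2 FATs, 224 root entries, 2880 sectors, 9 s/FAT, 18 s/track, 2 heads."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, sector, 0x0B, 512, 1, 1, 2, 224, 2880, media, 9, 18, 2)
    struct.pack_into("<H", sector, 510, signature)
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_sector()
    print("problems:", check_boot_sector(good))           # expect none
    print("root dir sectors:", root_directory_span(good))  # 19..32 for 1.44 MB
    print("bad media byte:", check_boot_sector(build_sample_sector(media=0x00)))
```

Note the difference from Henri's warning about "correcting" reported errors: this code only reports; a checker that rewrites the boot record or FATs on the strength of readings taken with the virus in memory is exactly how the data loss he describes happens.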

			      *********

     Our friend Rob Slade has a few words of wisdom on complacency towards
the MICHELANGELO virus:

Many people think that the Michelangelo computer virus was a) a hoax or b)
confined to March of 1992.  Neither of these assumptions is true.  Many
hundreds of thousands of copies of Michelangelo were found, and eradicated,
in the months leading up to March 6, 1992, which was why there was no great
crash on that day.  Michelangelo is, however, still around, and in some
countries is the most commonly reported computer virus.

Michelangelo will infect any Intel/BIOS architecture machine, although it
generally will create problems, and therefore be noticed, if MS-DOS is not
present.  Until the computer is "booted" on March 6th of any year, the virus
is symptomless (except for possible loss of files on diskettes).  March 6,
1993 was a Saturday, and most business computers would not have been
turned on.  Therefore, Michelangelo would not have triggered, and could
have infected many of those machines and had March 6th pass without notice.
The same is true for Sunday, March 6, 1994.  March 6th in 1995, however, 
will be a Monday, the first "boot time" on March 6th, for many computers,
since 1992.

Almost all virus scanners can easily identify, and readily eliminate,
Michelangelo.  With the increase in the use of antiviral software, the
level of danger is likely somewhat less than in 1992.  However, the danger
*is* still there, and this would be a good time to prompt people just to
make a quick check.

A couple of further points: if people are too lazy to get antiviral
software, a quick check can be made with CHKDSK.  If the "Total memory"
is 655,360, then you do *not* have Michelangelo.  You may, of course, have
something else, and there are other reasons than a virus infection for a
lower number.  Also, making a backup on diskettes is *not* protection
against Michelangelo, as it can corrupt the non-standard disk format used
by popular backup software.

(Also, the source code for Michelangelo has been recently posted no less than
three times on various computer networks.)

============================================================================                          
			  
			  The Book Shelf
			  By: Rob Slade


BKTGCSRV.RVW   941209
 
"The Trail Guide to CompuServe", Wiggins/Tittel, 1995, 0-201-40834-1,
U$12.95/C$16.95
%A   Robert R. Wiggins wiggo@mail.utexas.edu
%A   Ed Tittel etittel@zilker.net
%C   1 Jacob Way, Reading, MA   01867-9984
%D   1995
%G   0-201-40834-1
%I   Addison-Wesley Publishing Company
%O   U$12.95/C$16.95 800-822-6339 617-944-3700 Fax: (617) 944-7273
%P   243
%S   Trail Guide to ...
%T   "The Trail Guide to CompuServe"
 
Book guides to commercial online systems tend to be marked by three
characteristics:  a "gee whiz" selling of the wonders of *this* particular
system; voluminous, overly detailed, and quickly dated descriptions of
commands and information; and, an iconoclastic and restricted view of the 
points of interest on the system.  This work is written by "net" veterans 
and is realistic, though not jaded.  The book is fairly short, so the 
material guides by concept, rather than pushing by keystroke.  Finally, the 
authors realize that this is an introduction, and present guideposts rather 
than inundate the reader with unwanted "advertising".
 
Part one is a general introduction to CompuServe, covering means of access,
the WinCIM front end program and a general overview of CompuServe services.  
This last is extended to form the eight chapters of part two, giving details 
of operation of the features and functions.  Part three gives a quick 
overview of the information resources available.
 
The book is not without flaws.  Although attention is paid to both front end
and command line access, the material is not always clear on which functions
are handled by the local program, and which by CompuServe, itself.  The
question of costs, with the growth in interest of the supposedly "free"
Internet, is delicate, but some of the advice in this area is questionable. 
Overall, however, the material is relevant, useful, and to the point.
 
Well worth the investment for a new CompuServe member.
 
copyright Robert M. Slade, 1994   BKTGCSRV.RVW   941209

--------------------------------

BKEMLSEC.RVW   950127
 
"E-Mail Security", Bruce Schneier, 1995, 0-471-05318-X, U$24.95/C$32.50
%A   Bruce Schneier schneier@counterpane.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1995
%G   0-471-05318-X
%I   John Wiley & Sons, Inc.
%O   U$24.95/C$32.50 416-236-4433 fax: 416-236-4448 800-CALL-WILEY
%O   212-850-6630 Fax: 212-850-6799 Fax: 908-302-2300 jdemarra@jwiley.com
%P   365
%T   "E-Mail Security"
 
This is the third work that I have seen on the PGP (Pretty Good Privacy) text
encryption and authentication system.  (I understand that at least two more
are in the works.)  It is also the first to truly present the general concept of
email security by covering the only other realistic option--the Internet
Privacy Enhanced Mail (PEM) standard and (Mark) Riordan's Internet Privacy
Enhanced Mail (RIPEM) implementation.  The book divides roughly into quarters
discussing background, practical use, the PGP documentation, and the PEM
RFCs.
 
The work is considerably different, in style, to the Stallings (BKPRTPRV.RVW)
and Garfinkel (BKPGPGAR.RVW) efforts.  Those books, while not obtuse, were
still written with a technical audience in mind.  Schneier's work, while
definitely showing the expertise he demonstrated in "Applied Cryptography"
(BKAPCRYP.RVW), is clearly aimed at the general, non-technical reader. 
(Interestingly, while he *does* tell you where to find the RC4 algorithm
posting, he *doesn't* mention the loophole recently pointed out in the
Clipper "Skipjack" algorithm.)  The straightforward style lulled me into 
thinking that chapter one was too long.  It isn't:  Schneier makes the 
important point that, for it to be *truly* effective, encryption must be used 
on *all* correspondence, even trivial items.  So well crafted is his argument that it
would be difficult to reduce the chapter by so much as a paragraph.
 
Schneier uses this argument to good effect in pointing out some of the major
deficiencies in the two systems.  PGP is awkward to use, and PEM may use
incompatible algorithms.  Surprisingly, he does not emphasize (though he does
mention) what is probably the major problem with each--the inability to use
the same system within and outside of the United States.  The PGP fiasco is 
too involved to get into here (see the Garfinkel work for details) and there 
is not yet an "international" implementation of PEM (although there may soon 
be an "authentication only" version available).
 
This won't help you design your own algorithm, but it is definitely for any
user of email, manager of communications systems, or student of privacy and
confidentiality.
 
copyright Robert M. Slade, 1995   BKEMLSEC.RVW   950127

======================
DECUS Canada Communications, Desktop, Education and Security group
newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at
1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0
			
============================================================================
			
		       HACK VIRUSES and TROJANS

     We are starting to get some participation from a few of you out there 
and it is great stuff.  Keep those alerts coming in.

---------------------

    The first one comes from Rob Slade.  Think there is safety in
shrink wrap? Guess again.

SunGuard Data Systems, as the name implies, sells security, and even
antiviral, software.  Recently the company shipped disaster recovery 
planning disks to clients -- infected with a virus.  Microsoft also 
distributed virus infected disks to developers at a recent meeting in 
London, UK.  Neither report (in Information Week for February 6th, and 
The Guardian, reported by Edupage) mentions the viral programs involved.

						       Rob Slade
			    **********

     Next, Jay Cochrane sends an addition to last month's Trojan report
on the file SCCL100.zip.

Thanks for the heads up,
Did a search of our CDs and found it also on Mega CDROM 3 so I guess we can
all add that one to the list... Guess there are nice people out there......
				   Jay

 (Yeah Jay, there are some real sweethearts out there :-) )

------------------------------

     Thomas Smith got hold of Bill Lambdin and passed along the following
Trojan alert, originally reported by Mike Schmieg.
 
 A customer has informed us that a file called QKEY.COM, accompanied 
 updated technote, titled "MS-DOS 6 and UPDATE for Quarterdeck Produc
 an abridged version of UPDATE75.TEC Q-FAX #197, was uploaded  to his
 
 It claims to be an update to QEMM 7.5 and suggests to replace KEYB a
 KEYBOARD.SYS with the provided QKEY.COM.  This is not a genuine upda
 There is no technote called "UPDATE75.TEC" and Q-FAX #197 is RSH.TEC
 
 According to the information we have received, QKEY.COM contains cod
 self-encryption and can potentially kill your partition-table.
 
===========================================================================
			  
			  TROUBLE IN DOOM

     DOOM II is a very popular game out there.  Perhaps that is why it has 
become such a target for viruses and Trojans.  In the past week we have 
received two reports of viruses and Trojans in the add-ons and cheats.  Read
and heed. :-)


			   Doom II Trojan

     Bryan Joyce reported the following DoomII Trojan to Bill. Bryan did
such a good job of detailing the problem I thought we'd just do his report
in The Scanner.  Thanks Bryan.


 Here is the full report on the Doom2 trojan that I mentioned earlier 
 in the week.  I'm afraid it's not much more than I said in earlier 
 posting.  Please spread this message as far as possible.
 
     *****************************************************
 
 Last week (3/jan/95) I visited a friend of mine.  One of the
 files that he gave me was LKCC_WAD.ZIP which was a supposed
 WAD viewer for doom one and two.  Except that it wasn't.
 
 The main file SHOWAD.EXE didn't seem to do anything other than
 report that it couldn't find the WAD file.  The file seemed
 too small to be an editor.  When it was run without any
 parameters it showed a help table which said that the Escape
 key would delete the contents of the WINDOWS directory.  This
 was followed by an emoticon of a face winking.  This struck me
 as odd and I immediately did a virus check which showed up
 nothing.
 
 I ran another file DA-CHAOS.COM.  Bingo!  It tried to unload
 VSAFE from memory.  Luckily for me, it was unable to do this
 as I had loaded other TSRs after Vsafe.  Next it tried to
 write to the bootsector, but was unable to do so because Vsafe
 was still loaded.  It then displayed an ANSI screen that
 looked like an advert for a BBS or coding group.  Finally it
 returned to DOS with the message THE CHAOS EFFECT.
 
 I then used Norton to copy my FATs, CMOS values and bootblock
 to a floppy file and write protected it.
 
 This done, I turned Vsafe off and re-ran the file.  Something
 was written to the bootsector which changed the size of
 COMMAND.COM.  After rebooting, I found that Vsafe no longer
 worked, but still gave a message that it was installed
 although it wasn't.  MSAV detected no virus, but noticed a
 difference in file sizes.  It was the same with FINDVIRU
 (Solomon's). The files DOSKEY.COM, INK.COM and MOUSE.COM had
 got bigger.  The few EXE's that I ran were unaffected; WP.EXE,
 and PRINTER.EXE.
 
 To double check, I re-sysed the hard drive.  After a reboot,
 the new COMMAND.COM had become bigger again along with
 SYS.COM.  Tests having been done, I deleted all the infected
 files, rebooted with a clean disk, restored the bootsector etc
 from the floppy I had created, sysed the hard drive from the
 clean floppy and finally restored the deleted files from a
 backup on my tape streamer.
 
 In conclusion, the file DA-CHAOS.COM disables VSAFE, and
 writes a virus into the boot block of the hard drive.  From
 there it copies itself into other files.  What it will
 ultimately do is anybody's guess.  Whether or not it was
 written by the same person (claiming to be Dr Lazy'94) who wrote
 SHOWAD.EXE is not known, but seems likely.

			  ************************
    Steven Hoke writes:
 
 I have installed the new Night Owl 15 cdrom on the Obelisk BBS 519.67
 ( calls up to 28.8 VFC - free access 1st call ) and have had a report
 virus called "DOOM2 DEATH" was found on the file DMNCHEAT.ZIP 03/11/9
 CHEATER FOR DOOM1 AND II.
 

       EDITOR'S NOTE:  This has been confirmed by Bill Lambdin,
       Wallace Hale and Howard Wood. See Wallace's preliminary
       report on TaiPan.666.

			  ************************

     Bill came across a few bugs in some PC-BOARD PPE programs updates.  
     Here are the details.

I viewed the contents of these archives with PKunzip 1.93 alpha version. 
My computer, and PKzip 2.04G do not cooperate. Just a brief disclaimer 
to explain the "Method" column of the archive contents.

REG_AT10.ZIP

Here are the contents of REG_AT10.ZIP

Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
------  ------   ----- -----   ----    ----   -------- ----  ----
  152  A-Xtra      69  55%  11-29-94  16:55  a7bb45fa --w-  AUTO.CFG
 1443  A-Xtra     408  72%  11-27-94  16:26  b2d136b7 --w-  HEADER.PCB
    0  Stored       0   0%  11-29-94  18:17  00000000 --w-  AUTO.MSG
 2654  A-Xtra    2297  14%  11-29-94  18:01  f6930f49 --w-  AUTOEDIT.PPE
   71  A-Xtra      58  19%  12-10-94  14:45  9b7bd441 --w-  FILE_ID.DIZ
  828  A-Xtra     677  19%  11-29-94  18:07  ffbf0429 --w-  AUTO.PPE
 5282  A-Xtra    1907  64%  11-29-94  18:27  f3985f6b --w-  AUTO.DOC
15900  A-Xtra   15643   2%  11-29-94  18:17  03b5cf9f --w-  AUTO.DAT
   81  A-Xtra      51  38%  11-29-94  18:19  578d939d --w-  AUTO.BAT
 1467  A-Norm     457  69%  11-13-94  03:13  d6cd997e --w-  WORKSHOP.BBS
------          ------  ---                                  -------
 27878           21567  23%                                       10

AUTO.DAT is a corrupted self extracting archive infected with Taipan.438 
virus.
 
Taipan.438 is a resident infector of .EXE files. The infected files 
increase by 438 bytes. This virus is not stealthed, and is not 
destructive. This virus is also referred to as Whisper.

Here is an AUTO.BAT Included in the archive.

@ECHO OFF
DEL AUTO.MSG
REN AUTO.DAT AUTO.EXE
AUTO.EXE
REN AUTO.EXE AUTO.DAT

As you can see, the .BAT file renames the infected file to AUTO.EXE, 
runs the infected file, then renames the file back to the original file 
name.
 
The sole purpose of this .BAT file is to drop the virus on computers 
belonging to unsuspecting users. The executable files were intentionally 
given non-executable file extensions so scanners would not detect this 
virus, because most people only scan files with executable extensions.

-------------------------------------------------------------------------

REG_ER10.ZIP

Here are the contents of REG_ER10.ZIP

Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
------  ------   ----- -----   ----    ----   -------- ----  ----
 1952  A-Xtra    1765  10%  11-27-94  21:39  c7e812c7 --w-  RUNPPE.PPE
    0  Stored       0   0%  11-27-94  14:01  00000000 --w-  RUNPPE.SCR
    0  Stored       0   0%  11-27-94  14:01  00000000 --w-  RUNPPE.TEM
 5720  A-Xtra    2067  64%  11-27-94  14:08  a34d4ad8 --w-  RUNPPE.DOC
  260  A-Xtra     224  14%  12-10-94  14:46  5a26faff --w-  FILE_ID.DIZ
  214  A-Xtra      73  66%  11-27-94  14:01  6c04038d --w-  RUNPPE.DAT
29397  A-Xtra   29080   2%  02-01-93  02:04  79548d46 --w-  RUNPPE1.DAT
  121  A-Xtra      70  43%  11-27-94  14:02  3fb6a08b --w-  RUNPPE.BAT
 1467  A-Norm     457  69%  11-13-94  03:13  d6cd997e --w-  WORKSHOP.BBS
------          ------  ---                                  -------
 39131           33736  14%                                        9

RUNPPE1.DAT is PKunzip.EXE version 2.04g infected with the Taipan.438 
virus. See note above for brief description for Taipan.438.

Here is RUNPPE.BAT included in this archive.
 
@ECHO OFF
DEL RUNPPE.SCR
DEL RUNPPE.TEM
REN RUNPPE1.DAT UNZIP.EXE
UNZIP.EXE RUNPPE.DAT
REN UNZIP.EXE RUNPPE1.DAT

This virus renames RUNPPE1.DAT to UNZIP.EXE, runs the infected file with 
RUNPPE.DAT, then renames the executable file back to RUNPPE1.DAT.
 
Apparently, this is a deliberate attempt to release Taipan.438 on 
computers belonging to unsuspecting users.

		       Bill
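The dropper trick Bill describes for both archives, an executable parked under a .DAT name and a batch file that renames it back and runs it, can be flagged without executing anything. The Python below is an added example, not code from The Scanner or from any of the scanners named here: it opens a ZIP, reports members whose content starts with the DOS "MZ" signature but whose extension is not executable, and parses any .BAT member for REN lines that give a data file an executable extension. The archive it builds is a constructed stand-in for REG_AT10.ZIP with a fake, inert payload.

```python
import io
import re
import zipfile

# Extensions DOS runs directly; anything else is "data" to an extension-based
# scanner, which is exactly what the REG_AT10 / REG_ER10 droppers relied on.
EXEC_EXTS = {".EXE", ".COM", ".BAT"}

# A batch line such as "REN AUTO.DAT AUTO.EXE" (RENAME is accepted as well).
REN_RE = re.compile(r"^\s*REN(?:AME)?\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].upper() if dot >= 0 else ""


def disguised_executables(zip_bytes):
    """Return [(member, reason)] for members that look like hidden executables.

    Two signals are used:
      1. a member with a non-executable extension whose content starts with the
         DOS EXE signature 'MZ' (or 'ZM', which DOS also accepts);
      2. a .BAT member that renames a non-executable file to .EXE/.COM/.BAT,
         the trick used by AUTO.BAT and RUNPPE.BAT above.
    Every member is inspected regardless of extension, which is the actual
    fix for the blind spot the dropper exploits.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = _ext(info.filename)
            if ext not in EXEC_EXTS and data[:2] in (b"MZ", b"ZM"):
                findings.append((info.filename,
                                 "MZ header under non-executable extension"))
            if ext == ".BAT":
                for line in data.decode("latin-1").splitlines():
                    m = REN_RE.match(line)
                    if (m and _ext(m.group(1)) not in EXEC_EXTS
                            and _ext(m.group(2)) in EXEC_EXTS):
                        findings.append((info.filename, "renames %s to %s"
                                         % (m.group(1), m.group(2))))
    return findings


def build_sample_archive():
    """Constructed stand-in for REG_AT10.ZIP: the same batch file, a fake
    'self-extractor' that is only an MZ header plus filler, and a harmless doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AUTO.BAT", "@ECHO OFF\r\nDEL AUTO.MSG\r\n"
                    "REN AUTO.DAT AUTO.EXE\r\nAUTO.EXE\r\nREN AUTO.EXE AUTO.DAT\r\n")
        zf.writestr("AUTO.DAT", b"MZ" + b"\x00" * 62 + b"\x90" * 256)
        zf.writestr("AUTO.DOC", "Registration helper for PCBoard.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in disguised_executables(build_sample_archive()):
        print("%-10s %s" % (member, reason))
```

The second REN line (AUTO.EXE back to AUTO.DAT) is deliberately not flagged; only the direction that turns data into something DOS will run is of interest.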

 ===========================================================================
			 
			 PRELIMINARIES

EDITOR'S NOTE : The Scanner would like to welcome Wallace Hale of Brunswick,
		Canada.  Wallace has worked with me on several projects and 
		has taken the time to teach this "rookie" a few tricks. We
		look forward to working with you in the future Wallace!

   Wallace submitted this preliminary report on Whisper.666 (TaiPan.666)

Virus...............: TaiPan.666
Alias(es)...........: Doom_II_Death, Doom_III, Doom2.666
Virus Strain........: Tai-Pan (Whisper)
Status..............: New, verified in the wild.
Detected:..when.....: 13 November 1994
	   where....: Toronto, Ontario, Canada
Specimen source.....: Marc Faubert, Ajax, Ontario

Classification......: Memory resident .EXE file infector
Length(s) of Virus..: 666 bytes
Disassembled........: Yes

Operating System(s).: PC-DOS/MS-DOS
Version/Release.....: 2+
Computer model(s)...: PC/XT/AT
		      
Type of Infection...: Appending;  modifies EXE header.
Infection Technique.: Infects on host execution.
Infection Trigger...: EXEC function, INT 21h, fn 4B00h
		      
Interrupts hooked...: 21h
Stealth.............: No
Tunneling...........: No
Polymorphic.........: No
Encryption Engine...: n/a

Damage..............: None intentional
Damage Trigger......: n/a
		      
		      
Particularities.....: Following plain ASCII text can be found in the
		    : body of the virus:
		    :
		    :   DOOM2.EXE
		    :
		    :   Illegal DOOM II signature
		    :
		    :   Your version of DOOM2.EXE matches the
		    :   illegal RAZOR release of DOOM2
		    :
		    :   Say bye-bye HD
		    :   
		    :   The programmer of DOOM II DEATH is in
		    :   no way affiliated with ID software.
		    :
		    :   ID software is in no way affiliated
		    :   with DOOM II DEATH.'
		     
Similarities........: Essentially Tai-Pan code padded to achieve 
		    : a 666-byte length.
		     
Countermeasures.....: F-PROT 2.15 recognizes as a Tai-Pan variant.
		    : TBScan 6.30 identifies as DOOM_III.
		    : AVP 2.1 names the virus Doom2.666

Date................: 30 November 1994
Updated.............: 14 December 1994
By..................: R. Wallace Hale
For.................: Zen Works



COMMENTS:

On initial execution, the virus calls Interrupt 21h, function
7BCFh, as a residency test, and if a copy is not found it memory,
it goes resident just below TOM in the lower 640k of main memory,
reserving 720 bytes for itself, and hooking Interrupt 21h.  
CHKDSK will detect the change in free memory and almost any memory
mapping utility will show the presence of the virus.

Interrupt 21h calls are monitored for an EXEC function, fn 4B00h,
and suitable hosts are infected when that function is intercepted
by appending the viral code to the end of the host file. Original
time and date stamps of infected hosts are preserved.

Suitable hosts are .EXE files not larger than 64,768 bytes, and
.EXE files that have been renamed to .COM extensions.  The EXE
header is modified so the viral code is executed first, then
control is passed to the host file.

The virus contains no intentionally destructive routines and the
text strings detailed above are never displayed.

					     Wallace Hale
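Wallace's report gives enough of TaiPan.666's behaviour (appending infector, EXE header rewritten so the virus runs first, 666-byte body, hosts up to 64,768 bytes) to show what that header rewrite looks like from the outside. The Python below is an added example, not code from the report or from Zen Works: it parses the DOS MZ header, works out where the entry point falls in the load image, and flags a file whose entry point sits inside the last 666 bytes. The two samples it checks are constructed, a clean exit stub and the same stub with 666 filler bytes appended and the entry redirected to them; no real infected file is involved.

```python
import struct

# DOS MZ header, 28 bytes, little-endian.
MZ = struct.Struct("<2s13H")
FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
          "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
          "e_lfarlc", "e_ovno")
MAX_HOST = 64768   # largest .EXE TaiPan.666 infects, per the report above


def parse_mz(data):
    if len(data) < MZ.size:
        raise ValueError("file too short for an MZ header")
    hdr = dict(zip(FIELDS, MZ.unpack_from(data)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS EXE")
    return hdr


def image_size(hdr):
    """Bytes DOS loads: e_cp pages of 512, e_cblp bytes used in the last page
    (0 means the last page is full)."""
    size = hdr["e_cp"] * 512
    if hdr["e_cblp"]:
        size -= 512 - hdr["e_cblp"]
    return size


def entry_offset(hdr):
    """File offset of the first instruction executed: header + CS:IP."""
    return hdr["e_cparhdr"] * 16 + hdr["e_cs"] * 16 + hdr["e_ip"]


def appended_entry_suspicious(data, tail=666):
    """True when the entry point lies inside the last `tail` bytes of the image.

    A linker places the entry near the start of the load module; an appending
    infector that rewrites e_cs/e_ip so its own code runs first leaves the
    entry at the very end.  Returns (flag, details) so the caller can see the
    numbers behind the verdict.
    """
    hdr = parse_mz(data)
    end = image_size(hdr)
    entry = entry_offset(hdr)
    flag = entry < len(data) and entry >= end - tail
    return flag, {"entry": entry, "image_end": end,
                  "bytes_after_entry": end - entry,
                  "host_size_ok": len(data) <= MAX_HOST}


def build_mz(body, entry):
    """Constructed fixture: a 32-byte MZ header (2 paragraphs) in front of
    `body`, entry point `entry` bytes into the load module.  Not linker output."""
    total = 32 + len(body)
    hdr = MZ.pack(b"MZ", total % 512, (total + 511) // 512, 0, 2, 0, 0xFFFF,
                  0, 0x100, 0, entry % 16, entry // 16, 28, 0)
    return hdr + b"\x00" * 4 + body


# Constructed samples: an exit stub (mov ah,4Ch / int 21h) padded with NOPs,
# and the same stub with 666 filler bytes appended and the entry moved onto
# them, the shape an appending EXE infector leaves behind.
STUB = b"\xb4\x4c\xcd\x21" + b"\x90" * 1996
CLEAN = build_mz(STUB, entry=0)
APPENDED = build_mz(STUB + b"\x00" * 666, entry=2000)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED)):
        flag, details = appended_entry_suspicious(sample)
        print(name, "suspicious" if flag else "ok", details)
```

This is a triage heuristic, not a verdict: self-extractors, overlays and some compressors also place the entry near the end, so a hit is a reason to compare the file against a known-good copy or a scanner, not proof of infection.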

			*********************

    Bill Lambdin has been quite busy these past few months but managed
to submit the following Preliminary on the PAGE10 virus.

Preliminary analysis of Page 10 Virus by W.H. (Bill) Lambdin

Name         ] Page 10
Size         ] 1221 bytes 
Infects      ] .COM & .EXE files including COMMAND.COM
Scan String  ] I'm not releasing a scan string because I do not believe
	     ] this virus can survive in the wild. 
In the wild  ] Unlikely. However, this virus was UUencoded and posted
	     ] into the FIDO Virus_NFO conference.
	     ]
A-V          ] This virus has been forwarded to the following;
	     ] Vesselin Bontchev, David M. Chess, Spencer Clark,
	     ] Dmitry O. Gryaznov, Eugene V. Kaspersky, FRISK, Dr.
	     ] Alan Solomon, Wolfgang Stiller, Frans Veldman, and
	     ] Tarkan Yetiser.
Armored      ] No.
Detected     ] Yes. F-prot detects the first generation as possibly a
	     ] variant of Desperado. However, F-Prot does not detect the
	     ] second generation specimens.
Effects      ] This virus deletes the following data files ANTI-VIR.DAT,
	     ] CHKLIST.CPS, CHKLIST.MS, and MSAV.CHK
Encrypted    ] Yes
Interrupts   ] 21h 
Marker       ] On all infected host files except for COMMAND.COM, the
	     ] seconds field of the time stamp was updated to 24
	     ] seconds.
Polymorphic  ] No
Resident     ] Yes
Size in RAM  ] 2560 bytes (according to CHKDSK)
Stealthed    ] Partially Stealthed. Page 10 does not temporarily
	     ] disinfect infected host files when they are opened. The
	     ] time and date stamps remain the same except for the
	     ] seconds field mentioned earlier.
Text         ] No text visible in the second generation of this virus.
Type         ] Resident .COM and .EXE infector. The virus appends to the
	     ] end of the infected host files. 
Unusual      ] This virus will repeatedly try to access write protected
	     ] diskettes, but this virus does intercept the errors. The
	     ] second generation of this virus refused to replicate on
	     ] my test machine. I'm posting this because this virus may
	     ] properly re-infect other systems.

This is only a "Preliminary" analysis, and may be incomplete.

						 Bill

============================================================================

				The "JUNK" Yard

     There is a particular virus making the rounds of the conferences on a 
regular basis lately: the JUNKIE virus.  Henri Delger has the following words 
on this pest.  One thing to remember about JUNKIE (or any other boot sector 
infector): check all disks that were introduced to the infected system.  
Failure to do this important step will inevitably result in re-infection.

					    Woody

=============================================================================

			   A Virus Called Junkie        
			     By: Henri Delger

    Junkie virus originated in Sweden, and is classified as "Multipartite" 
since it can infect the hard disk Master Boot Record, diskette boot sectors, 
and *.COM files.  
     
     It can spread to an uninfected PC when a diskette, infected in another 
PC, is in the A:\> drive at boot-up, or when a *.COM file which was infected 
in another PC, is run.
     
     Junkie writes its code to the first sector of the hard disk, where the 
Master Boot/Partition data are stored.  Unlike most such viruses, it does not 
save or relocate the original data.  It also writes the rest of its code to 
cylinder 0, head 0, sectors 4 and 5.
     
     Ordinarily, data are not lost from the hard disk, because the sectors 
which the virus uses are not used by DOS.  Some disks formatted in a non-standard 
manner may lose data, however.  Junkie will be in memory after that whenever 
the PC is on, and infects floppy diskettes (not 360KB) by writing its code to 
the Boot sector (sector #0) of them.  
     
     It also writes its code to the last track of infected diskettes, and 
unlike some viruses which do so, does not protect its code by arbitrarily 
marking the sectors as if they were "bad."
     
     Junkie can spread quickly, because it will infect diskettes on any 
access, even when just read, such as if the DIR command is used.  In 
addition, it infects *.COM files as they are run or even if they're merely 
opened, such as during an anti-virus scanning process.  It adds just over 
1,000 bytes to infected *.COM files.

HENRI DELGER
XWWC29A@prodigy.com
BBS: (617) 471-3455

			  ***********************

			      JUNKIE ALERT !!

     Noel Rode posted the following alert on the Internet conference
compvirus:

I spent some time recently getting rid of the JUNKIE.BOOT virus off my
cousin's PC.  I think if I had V214 of McAfee scan at the time it would
have helped a lot.  The only problem I had with scan was that I had to
reboot the machine each time scan found and tried to remove the
JUNKIE.BOOT virus from a diskette.  Scan would find and remove the
first detected virus and any following viruses found would be reported
as "JUNKIE.BOOT+emr" and could not remove the virus.  The virus would
also be loaded into memory when first detected and hence needed to be
rebooted.

I located the source where I got the virus from.  It came from a game
called "Quarter Pole" by Microleague.  Each of the four (write protected)
disks was infected.

I'm sure it must have been said many times before but please be sure to
scan ANY new disks purchased before making use of them.

Noel Rode
- --
 / Noel J. Rode (Ph.D Candidate)          e-mail: noel@rdt.monash.edu.au \
|  Dept. Robotics and Digital Technology  Phone :  +61 3 905 3575         |
|  Monash University, Clayton Campus,     Fax   :  +61 3 905 3574         |
 \ Melbourne, Victoria, Australia  3168               ...Hi There.       /
============================================================================
			       NEW Releases

     Here is another new section.  At the very last minute, I decided
to start a section to help the AV authors get the word out about their
new releases.  There will be more next month.

				**********

			      Integrity Master

Stiller Research announces release of Integrity Master(tm) version 2.42a

Version 2.42a was released February 28, 1995

Integrity Master provides complete, easy to use, data integrity for your
PC plus virus protection.  It can also be used to provide file change
management and security on your PC.  As well as scanning for known
viruses, it detects unknown viruses and unlike other products will
detect files which have been damaged but not infected by a virus. IM
checks and restores your CMOS including the new larger CMOS
configuration memories found on most newer PCs. IM's scanner component
is certified by the National Computer Security Association (NCSA) by
testing against their collection of known viruses.

				What's new?

1) IM supports a new option to allow rapid screening of diskettes for boot
   viruses.  This is available through the Check menu as well as the
   "/VB" command line switch.  This also allows IM to read boot sectors
   on diskettes that are unreadable to DOS.  Researchers can use this
   option when testing IM since IM will also check the boot sector for
   partition sector (MBR) viruses.

2) New "Force update" option on the "Integrity update" options submenu.
   Selecting this option or using the new "/UA" command line switch will
   force integrity master to update integrity data for all files.  Normally
   IM will not update integrity data for what appear to be corrupted files
   when it is running unattended.

3) When run from a diskette, IM will now automatically offer to change to
   another disk.

4) New easier install.  SetupIM will now offer a super fast install that
   usually gets IM installed in under one minute.

5) IM tolerates a wild card spec on its /P (disk and directory change)
   parameter.  This allows you to use IM with some programs that insist
   on including a wild card with the directory to check.  For example:
   IMSCAND C:\DOS\*.* will scan all files in subdirectory \DOS.

6) SetupIM changed so it will correctly recognize drive characteristics of
   disks using Symantec's Ncache.

7) IM will not pause even if severe hardware errors occur when the /ND
   command line option is used.

8) IM identifies over 600 new viruses by name and characteristic
   including: 7thSon2, Ambalama, Andromeda, Ansibomb, AntiCleric,
   Asexual, Attitude, Aurea, BNB, BigX, Big_Bang, Bloody_Warrior,
   Breaking, CarpeDiem, Centenary, Click, DA'BOYS, Dementia, Dichotomy,
   Dillinger, ESP, Emma, Felize, Galicia, Geek, Gipsy, Greetings, Heja,
   Hellspawn, Human Greed, Taslehoff, Icecream, Infernal, Iron, Jack,
   Jimmy, Jpage, Kode4, Kode4b, Kohn6, Kommuna, Leningrad, Leuk, Loki,
   Merde-3/5, NoLimitz, Ntit, Nygus.278, Offspring, Override, Ovile,
   PHB, Panek, Panic, PeaceMan, Peanut, Peter2, Phantasm, Pirate,
   Polifemo, Praying, Psychosis, Rambo, Raptor, Rattle, Redstar,
   Rubbit2, Saigon, Sampo, Sandy, Santa, Satyricon, Semtex6, Shin,
   Smallcomp, Soupy, Soupy-Death, Sov1, Sterculius, Strange, Sword,
   Teraz, VLamiX, Vampiro, ViNCHuCa, ViroGen, Wet, YB2, Zombie, and Zulu
   as well as the usual new but trivial ARCV, Australian Parasite,
   Jerusalem, Leprosy, PS-MPC, VCL and Vienna related viruses.

Versions 2.40a, 2.41a and 2.41b were restricted beta versions; please do
not distribute these releases.

The new Integrity Master(tm) (V2.42a) is now available.

			 Where do I find it?
			 -------------------

Integrity Master should be available soon from any SDN, FDN or ASP AHN BBS.

Most larger cities have at least one such BBS.  The current file name
is I_M242a.ZIP (or .ARJ, .LZH, .PAK etc.)

Plus, we upload the latest versions of Integrity Master directly to
these locations:

o First time callers can download and get support from Wingit!  Call
  904-386-8693 for 9600 to 28.8kbps and HST modems or 904-385-0449 (for all
  but HST). For really fast access, you can log on as user: "Integrity
  Master" (without the quotes) and you will immediately be offered the
  download.  IM can be freqed with the magic name IMAST  (Fido 1/3605:13).

o We offer free IM downloads on Solitude BBS (Fido 1:300/23) 1-602-747-5236 -
  FIDO users can also freq it from this BBS.

o IM and support is available on the Metaverse anti-virus BBS.
  606-843-9363 (14.4 V.32bis). Logon as "GUEST USER", password=GUEST.

o COMSEC (Computer Security) BBS (6 lines) 1-415-495-4642.

o Download from CompuServe in IBMSYS (lib 3)  and ZNT:TIPS lib 14 (one
  of the Ziff-Net, PC Magazine forums) file I-MAST.ZIP. Or "GO STILLER"
  to reach the Stiller Research support forum.

o Download from the GEnie Virus Security RT (Page 1350) or the IBM PC RT
  (page 370).

o IN the UK we provide free downloads at 01442 891109.
  FREQ to 2:257/112, filename I-MAST.ZIP.

Any major shareware diskette vendor should have a current copy of
Integrity Master.   All ASP affiliated disk vendors automatically get
new copies and AHN hub BBSes will always have the latest copy.  These
BBSes are:

 North-East Coast         Mid-East Coast            West Coast USA

 The Consultant BBS       The Break RBBS <East>     Space BBS
 New York NY 10116-4655   Dale City, VA 22193-3011  Menlo Park, CA 94026
 BBS Phone: 718-837-3236  BBS Phone: 703-680-9269   BBS Phone: 415-323-4398

						    Canada
 North Mid-USA            Southern Mid-USA
						    Knightec BBS
 The Twilight Zone        The DataExchange BBS      Orangeville, ONT L9W 3L1
 Auburndale, WI 54412     Leesville, LA 71446       BBS Phone: 519-940-0007
 BBS Phone: 715-652-2758  BBS Phone: 318-239-2122

IM is available via ftp on Internet from:
  OAK.Oakland.Edu/SimTel/msdos/virus/
	(This probably includes all the Simtel mirror sites)
  ftp.demon.co.uk:/pub/antivirus/ibmpc/av-progs/
  garbo.uwasa.fi ...

	     How do I make sure it's a valid version?
	     ----------------------------------------
If you get a copy of Integrity Master from other than one of the above
sources, you can make sure it's a legitimate copy by checking the PKzip
CRC values for the executable files included in the archive (for 2.42a):


 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
   2054  DeflatX   1913   7%  02-28-95  02:42  49566a68 --w-  GENVIR.EXE
 143833  DeflatX 139528   3%  02-28-95  02:42  c0730330 --w-  IM.EXE
  63408  DeflatX  62401   2%  02-28-95  02:42  d40304df --w-  SETUPIM.EXE
   4582  DeflatX   2535  45%  02-28-95  02:42  3b074f35 --w-  IMCHECK.EXE
   3454  DeflatX    780  78%  02-28-95  02:42  a9db7921 --w-  IMPRINT.BAT
    314  DeflatX    198  37%  02-28-95  02:42  cf856aac --w-  IMQ.BAT
    509  DeflatX    305  41%  02-28-95  02:42  ce571b3b --w-  IMSCAN.BAT
    491  DeflatX    298  40%  02-28-95  02:42  23cb674e --w-  IMSCAND.BAT
    448  DeflatX    273  40%  02-28-95  02:42  aa1c898f --w-  IMSCANM.BAT
   1118  DeflatX    978  13%  02-28-95  02:42  515b8205 --w-  IMVIEW.COM
 ------          ------  ---                                  -------
 592827          336772  44%                                       29

Regards, Wolfgang

Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.
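The verification step above compares PKZIP's per-file CRC-32 values against a published table. The Python below is an added example, not Stiller Research's code: it parses a listing in exactly the printed format, then checks a downloaded archive against it, recomputing each CRC from the decompressed data rather than trusting the ZIP directory. The listing and archive it uses are constructed stand-ins (one member intact, one altered, one missing), not the real I_M242a.ZIP values.

```python
import io
import re
import zipfile
import zlib

# One data row of a PKUNZIP -v listing, e.g.
#    2054  DeflatX   1913   7%  02-28-95  02:42  49566a68 --w-  GENVIR.EXE
ROW_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\d+\s+\d+%\s+\S+\s+\S+\s+"
                    r"([0-9a-fA-F]{8})\s+\S+\s+(\S+)\s*$")


def parse_listing(text):
    """Return {NAME: (length, crc32)} from a published PKZIP listing.  The
    header, separator and totals lines do not match ROW_RE and are skipped."""
    expected = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            expected[m.group(3).upper()] = (int(m.group(1)), int(m.group(2), 16))
    return expected


def verify_archive(zip_bytes, expected):
    """Check every published member against the archive actually downloaded.
    Returns {NAME: "ok" | "missing" | "size mismatch" | "crc mismatch"}."""
    verdict = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {i.filename.upper(): i for i in zf.infolist()}
        for name, (length, crc) in expected.items():
            info = members.get(name)
            if info is None:
                verdict[name] = "missing"
                continue
            try:
                # read() raises BadZipFile if the stored CRC and data disagree.
                data = zf.read(info)
            except zipfile.BadZipFile:
                verdict[name] = "crc mismatch"
                continue
            if len(data) != length:
                verdict[name] = "size mismatch"
            elif zlib.crc32(data) != crc:        # recomputed, not read from the directory
                verdict[name] = "crc mismatch"
            else:
                verdict[name] = "ok"
    return verdict


# Constructed listing in the printed format.  Sizes and CRCs are fixtures:
# cbf43926 is CRC-32 of "123456789", 414fa339 is CRC-32 of the usual
# "quick brown fox" sentence, and the IMVIEW.COM row is made up.
SAMPLE_LISTING = """\
 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
      9  Stored       9   0%  02-28-95  02:42  cbf43926 --w-  IMCHECK.EXE
     43  Stored      43   0%  02-28-95  02:42  414fa339 --w-  IMQ.BAT
    314  DeflatX    198  37%  02-28-95  02:42  11223344 --w-  IMVIEW.COM
 ------          ------  ---                                  -------
    366             250  32%                                        3
"""


def build_sample_archive():
    """Constructed download: IMCHECK.EXE intact, IMQ.BAT altered by one word
    (same length, different CRC), IMVIEW.COM absent."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMCHECK.EXE", b"123456789")
        zf.writestr("IMQ.BAT", b"The quick brown fox jumps over the lazy cat")
    return buf.getvalue()


if __name__ == "__main__":
    for name, state in verify_archive(build_sample_archive(),
                                      parse_listing(SAMPLE_LISTING)).items():
        print("%-12s %s" % (name, state))
```

CRC-32 is a checksum, not a cryptographic hash: it catches corruption and careless tampering, but a file can be deliberately altered and padded to keep its CRC, so a matching table is necessary, not sufficient, and a copy from one of the listed sources is still the better choice.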

============================================================================

			    FROM WOODY'S DESK

     Well, as you can see, The Scanner is growing by leaps and bounds
thanks to the wonderful folks that have contributed and taken time out 
of their busy schedules to participate.  To be honest with you, I had to
stop here before this issue got too far out of hand.  As this is being 
posted and distributed, I am already starting April's issue. Don't miss it!

   My heartfelt thanks to the following people:

   Wolfgang Stiller
   Mikko Hypponen
   Rob Slade
   Wallace Hale
   Bill Lambdin
   Henri Delger
   Ruben Arias
   Gerard Manning

      And most of all thank-you, the reader, for taking the time to read 
The Scanner.  Some of you have contacted us and let us know how we are doing.  
Please, if you have the time, let us know what you think of The Scanner.  Any
suggestions or ideas will be looked at and seriously considered. Until April
take care.  Remember, keep those AV programs busy!

				      Woody

