V.I.R.U.S. Weekly - December 3, 1993
A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade
Other columns this week:
15   Getting help
16   "Terminal Compromise" by Schwartau
Untouchable will continue (MS-DOS)
In the wake of the Symantec purchase of Fifth Generation have come reports of
un immediate cessation of support for the Untouchable and Search and Destroy
antivirals.  Ysraeli Radai has contacted BRM, the actual developers of the
product in Israel.  He has been told that no final decision has been reached. 
In addition, whatever the outcome, these programs and their features will
continue to be made available, albeit possibly in another form.
NAV updates (MS-DOS)
Symantec apparently is making the updates for the Norton AntiVirus available to
the online community.  They have been available for a while at various ftp
sites on the Internet, and are now being distributed through the VirNet
distribution system to BBSes.  The marketing department giveth, and the
marketing department taketh away.
Freddy 2.1 (MS-DOS)
A student now studying in Montreal reports that in early 1993 Brazilian
researchers found a new virus that contained the strings "Frisk" and "Hi
Fridrik!".  The virus is polymorphic and also contained the string "Freddy
VSI '94
The Virus Security Institute is presenting a conference in Philadelphia,
Pennsylvania on March 29-30, 1994.  Presented as "A Different Kind of
Information Security Conference", the symposium will involve a high degree of
participation in challenging models of security as applied to the "real world". 
Papers are solicited by the conference chair padgett@tccslr.dnet.mmc.com (A.
Padgett Peterson).   For more information, E-Mail or Fax:
VSI94_info@dockmaster.ncsc.mil  (case sensitive) or (302)764-6186 (include
E-Mail address, please).
10th Chaos Communication Congress
The Chaos Computer Club is holding its tenth convention in Hamburg, Germany
December 27th - 29th 1993.  Contact ccc93@t42.ccc.de.
More MS-DOS 6.2 update updates
Apparently one of the things that the Microsoft MS-DOS 6.2 upgrade checks is
the length of the 6.0 files and refuses to upgrade any that do not match.  If a
PC has been infected, this can result in a number of programs that are not
updated.  No word on whether this applies to SETVER (which always changes
itself when you use it.)  This could be considered an antiviral feature except
that no virus scanning is done first, and there is no provision for a manual
update.  Most likely this is aimed at those who use other vendor versions of
And still more MS-DOS 6.2 update updates
The update mechanism appears to be buggy: repeated attempts appear to fail
regularly with different programs.  Also, the hidden system files IO.SYS and
MSDOS.SYS are the first to be changed in the process while COMMAND.COM is
updated near the end.  This means that any interruption of the process can
leave you with an unbootable computer.  Better have a boot disk and a backup
handy before you try it.
Rosenthal hype
Messages posted to several Usenet newsgroups have been promoting Rosenthal's
WinLite program.  Nothing wrong with that, but they also carry ads implying
that the Virus Bulletin recommends the Rosenthal Virus Simulator.  This is
diametrically opposed to the truth: Virus Bulletin has stated that the Virus
Simulator is of no use whatsoever, and may do harm by "recommending" an
inferior antivirus product ... 
Dangerous and useless too
Rumour has it that a certain company making an antivirus product is sending out
copies of "crippled" viral programs so that potential users can test the
effectiveness of the product.  (It may be that this is the action of an
overzealous salesperson operation without sanction.)  In the first place, it
should be fairly easy to "uncripple" the virus.  (The report has it that only
the first ten bytes or so are changed.)  In the second place, such a "test" is
highly suspect.  The producer would, of course, ensure that his product would
pass it.  There is no particular reason anyone else would: it isn't testing
"real" programs.
Commercial and government infections
For those who don't believe that commercial software can be a source of
infections, send a message to LIBRARY@hemkosys.com with the keyword
MC.INFECTIONS in the subject line.  You will get back almost six typed pages of
listings of commercial software and government disk distributions which
contained viral infections.
That was no virus, that was my logic bomb
The-media-aren't-taking-this-seriously-dept.: From the front page of the New
York Times of November 23rd:  "Software Maker Accused of Using Virus to Compel
Client to Pay."  Michael Lofaro, 29, owner of MJL Design of Manhattan, and his
technician, John Puzzo, 22, planted extra code in a program they wrote for a
furniture company in Westbury, NY.  The piece, not written by more virus aware
John Markoff, refers not to a virus, of course, but to a simple logic bomb.  It
is, however, called a virus several times throughout the article.  The story
was also picked up by EduPage.  Mich Kabay posted an article to RISKS in which
he comments that it's strange to have the media mirror this confusion, to which
editor PGN replied tersely, "Not surprising at all."
More accuracy for less pay?
It has been noted by the antivirus community that the antiviral "certification"
list in VSUMX310 is closer to the results expected by other researchers.  One
posting noted that this time around only Symantec is paying for the privilege
of being tested.  This led to the ironic observation that perhaps if more
people refused to pay, the results would get even better.
Help wanted, apply VIRUS-L
First Paul Ferguson, and now Ken van Wyk.  While Ken is still moderating the
VIRUS-L/comp.virus postings, he is looking for some help in the related areas
such as updating and maintaining the FAQ sheet, coordinating the posting of
product reviews, and maintaining the FTP area.
How *not* to review
Readers are advised to look for Sarah Tanner's article published in "Virus News
International", November 1993, pp. 40-41, 48.  For those who can't find VNI, it
is also available from the CARO ftp site.  Hilarious to those who have done
some reviewing, all of its 26 "rules" are taken from the actual practices of
some of the more well known reviews.
==============                      _________________________
Vancouver      ROBERTS@decus.ca    |    |     |\^/|     |    | swiped
Institute for  Robert_Slade@sfu.ca |    |  _|\|   |/|_  |    | from
Research into  rslade@cue.bc.ca    |    |  >         <  |    | Alan
User           p1@CyberStore.ca    |    |   >_./|\._<   |    | Tai
Security       Canada V7K 2G6      |____|_______^_______|____|