V.I.R.U.S. Weekly - December 31, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and newsletter is prepared by the Vancouver Institute for Research into User Security. For those without online service feeds, both V.I.R.U.S. Weekly and Monthly are available in hardcopy. For more information contact Robert Slade or CyberStore.

copyright 1993, Robert M. Slade

Other columns this week:
 9 Other antivirals - activity monitors
10 "The Adolescence of P-1" by Ryan

NEW ANTIVIRALS

F-Prot 2.10c (MS-DOS)

Almost immediately following the 2.10b version last week, 2.10c is out. Interestingly, although I saw the announcement initially from frisk, the first copy of the file that I saw came over the VirNet distribution. Two things to note: virus updates coming thick and fast and VirNet becoming a very solid distribution channel.

Tripwire Version 1.1 (UNIX)

The updated, and very possibly final, version of the UNIX Tripwire change detection program is available. New features were added and some bug fixes and performance improvements were made. Gene Kim, primarily responsible for the coding, is graduating and leaving the COAST program, so further development is unlikely. While no apparent bugs remain, COAST will keep a "wish list" of enhancements if anyone wants to take over the project. Copies of the Tripwire distribution may be ftp'd from ftp.cs.purdue.edu in the directory pub/spaf/COAST/Tripwire.

NEW VIRAL PROGRAMS

MISiS/Zharinov (MS-DOS)

This BSI/MBR moves the original MBR to track 0 head 0 sector 6 on a hard disk and the boot sector to track 0 head 1 on a floppy, sector 3 on double density and sector 12 on high density. MISiS is the institute in Israel where the virus was first discovered and, since the text appears in the virus, probably where it was written. The name MISiS is preferred since Zharinov, although widely used initially, is the name of a staff member there.

CONFERENCES AND COURSES

VSI '94

The Virus Security Institute is presenting a conference in Philadelphia, Pennsylvania on March 29-30, 1994. Presented as "A Different Kind of Information Security Conference", the symposium will involve a high degree of participation in challenging models of security as applied to the "real world". Papers are solicited by the conference chair padgett@tccslr.dnet.mmc.com (A. Padgett Peterson). For more information, E-Mail or Fax: VSI94_info@dockmaster.ncsc.mil (case sensitive) or (302)764-6186 (include E-Mail address, please).

RESEARCH

VET false positives

VET has been the subject of two recent reports of false positive alerts. The SCAN program apparently reports VET to be infected with the Invisible Man virus. At the same time VET is reporting MSAV's VSAFE, when active in memory, to be infected with the Flip virus. (Of course, just about everyone reports VSAFE to be infected with something ... )

GOSSIP

Up or down?

The last issue of CVIG News mentions two contradictory trends. Reports of viral infection are down all over Australia. This matches with reports around the world citing lower virus reporting in 1993 than in 1992. However, at the same time questionnaires at the local university show a steady increase. These two facts would seem to contradict. They may, however, simply indicate less willingness to report. It could be that the Michelangelo scare in 1992 made people temporarily more virus aware. It could be that people are again growing complacent.

Our hero! -- NOT!

The "virus underground" supposedly holds the Bulgarian virus author who goes under the name of "Dark Avenger" in considerable respect. Therefore, it was with some surprise that one virus researcher received an email message purportedly from Dark Avenger -- an obvious forgery and a pretty stupid one at that.

Nice to know I'm popular ... I think ...

Rock Steady's postings on the VIRUS echo range over a great many topics.
Nothing too drastic to date: he is even posting virus alerts (swiped from other people, of course). Recently he took it upon himself to post one of my own columns. Much obliged, Rock, but I already posted that one ... weeks ago ...

=============
Vancouver      ROBERTS@decus.ca    | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca |   - originally spoken by Papal
Research into  rslade@cue.bc.ca    |     Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca    |     of Citeaux, at the siege of
Security       Canada V7K 2G6      |     Beziers, 1209 AD
=============
for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
For those without ftp, see Jim Wright's posting, or use Cyberstore.
Also FREQ from 1:153/733 The Cage 604-261-2347.