V.I.R.U.S. Weekly - December 31, 1993

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade

Other columns this week:

9    Other antivirals - activity monitors

10   "The Adolescence of P-1" by Ryan


F-Prot 2.10c (MS-DOS)
Almost immediately following the 2.10b version last week, 2.10c is out. 
Insterestingly, although I saw the announcement initially from frisk, the first
copy of the file that I saw came over the VirNet distribution.  Two things to
note: virus updates coming thick and fast and VirNet becoming a very solid
distribution channel.

Tripwire Version 1.1 (UNIX)
The updated, and very possibly final, version of the UNIX Tripwire change
detection program is available.  New features were added and some bug fixes and
performance improvements were made.  Gene Kim, primarily responsible for the
coding, is graduating and leaving the COAST program, so further development is
unlikely.  While no apparent bugs remain, COAST will keep a "wish list" of
enhancements if anyone wants to take over the project.  Copies of the Tripwire
distribution may be ftp'd from ftp.cs.purdue.edu in the directory


MISiS/Zharinov (MS-DOS)
This BSI/MBR moves the original MBR to track 0 head 0 sector 6 on a hard disk
and the boot sector to track 0 head 1 on a floppy, sector 3 on double density
and sector 12 on high density.  MISiS is the institute in Israel where the
virus was first discovered and, since the text appears in the virus, probably
where it was written.  The name MISiS is preferred since Zharinov, although
widely used initially, is the name of a staff member there.


VSI '94
The Virus Security Institute is presenting a conference in Philadelphia,
Pennsylvania on March 29-30, 1994.  Presented as "A Different Kind of
Information Security Conference", the symposium will involve a high degree of
participation in challenging models of security as applied to the "real world". 
Papers are solicited by the conference chair padgett@tccslr.dnet.mmc.com (A.
Padgett Peterson).   For more information, E-Mail or Fax:
VSI94_info@dockmaster.ncsc.mil  (case sensitive) or (302)764-6186 (include
E-Mail address, please).


VET false positives
VET has been the subject of two recent reports of false positive alerts.  The
SCAN program apparently reports VET to be infected with the Invisible Man
virus.  At the same time VET is reporting MSAV's VSAFE, when active in memory,
to be infected with the Flip virus.  (Of course, just about everyone reports
VSAFE to be infected with something ... )


Up or down?
The last issue of CVIG News mentions two contradictory trends.  Reports of
viral infection are down all over Australia.  This matches with reports around
the world citing lower virus reporting in 1993 than in 1992.  However, at the
same time questionnaires at the local university show a steady increase.  These
two facts would seem to contradict.  They may, however, simply indicate less
willingness to report.  It could be that the Michelangelo scare in 1992 made
people temporarily more virus aware.  It could be that people are again growing

Our hero! -- NOT!
The "virus underground" supposedly holds the Bulgarian virus author who goes
under the name of "Dark Avenger" in considerable respect.  Therefore, it was
with some surprise that one virus researcher received an email message
purportedly from Dark Avenger -- an obvious forgery and a pretty stupid one at

Nice to know I'm popular ... I think ...
Rock Steady's postings on the VIRUS echo range over a great many topics. 
Nothing too drastic to date: he is even posting virus alerts (swiped from other
people, of course).  Recently he took it upon himself to post one of my own
columns.  Much obliged, Rock, but I already posted that one ... weeks ago ...
Vancouver      ROBERTS@decus.ca         | "Kill all: God will know his own."
Institute for  Robert_Slade@sfu.ca      |       - originally spoken by Papal
Research into  rslade@cue.bc.ca         |         Legate Bishop Arnald-Amalric
User           p1@CyberStore.ca         |         of Citeaux, at the siege of
Security       Canada V7K 2G6           |         Beziers, 1209 AD
============= for back issues:
Contacts list: cert.org, /pub/virus-l/docs/reviews
Reviews: cert.org, /pub/virus-l/docs/reviews/pc
Column: cert.org, /pub/virus-l/docs/slade.cvp.articles
           For those without ftp, see Jim Wright's posting, or use Cyberstore. 
           Also FREQ from 1:153/733 The Cage 604-261-2347.