VIRUS-L Digest   Thursday, 23 May 1996    Volume 9 : Issue 77

Today's Topics:

Re: Final decision
Re: Word Macro Virus cleaner wanted
Re: How to select an anti-virus product?
Re: Macro Viruses (Concept etc.)
Re: Macro Viruses (Concept etc.)
Re: How to select an anti-virus product?
Re: Word Macro Virus cleaner wanted
Re: Final decision
Re: How to select an anti-virus product?
RE: Rebooting, OSs...
Re: Macro Viruses (Concept etc.)
F/WIN 3.09 just released
HELP HELP--FORM A Virus on NT floppy (NT)
Anti-Virus product for NT _3.50_ ??? (NT)
Re: Scanner for DEC Alpha running NT (NT)
Mac virus or just strange stuff? (MAC)
Re: Evil Rabbit Appleshare file--a virus? (MAC)
Re: Do macro viruses infect Finnish Word? (MAC,WIN)
Re: Do macro viruses infect Finnish Word? (MAC,WIN)
Win 95 Stealth C Help (WIN95)
Re: TBAV trouble detecting Concept (WIN)
System.Ini Virus? (WIN)
Re: QUANDARY virus (PC)
Re: Cruncher (PC)
Possible F-PROT false positive (PC)
Disinfecting BARROTES--Can you help me???? (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Regarding InVIRcible (PC)
Re: TBAV false alarms in Acad13? (PC)
Re: Stealth_Boot_C - what does it do? (PC)
Re: Different scanners report diff viruses (PC)
SMEG virus (PC)
Re: running antivirals on infected PC's (PC)
Re: Scanning Iomega Zip Drive (PC)
Re: Bios virus? (PC)
Re: Bios virus? (PC)
Registering F-PROT for 1$ (PC)
Re: Is virus writing illegal? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available at
ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file
called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me
at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be
sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be
sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 21 May 1996 10:47 +0000
From: Graham Cluley
Subject: Re: Final decision
X-Digest: Volume 9 : Issue 77
In-Reply-To: <01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz>

Harald Horgen <"Harald Horgen"@smtp.wanadoo.fr> writes:

> The product you should take a close look at is Vi-Spy from RG
> Software in Scottsdale Arizona. There are two primary reasons:
>
> 1. It is the only program we know of that uses the same scanner
> in the TSR as in the general scanner. Virtually every other
> product runs into severe memory limitations,

Dr Solomon's doesn't. I would expect other properly written TSRs to be
the same.

> and as a result they
> have had to drop virus signatures from the TSR. So while many
> products have a very good front-end detection rate, they do much
> worse when you are relying on the TSR to do its job, and unless you
> scan every file that enters the machine, you are left vulnerable.

It's certainly true that some TSRs are better than others, and that some
good command-line scanners have much weaker on-access scanners. Some
independent comparative reviews from the likes of the University of
Tampere can be found at http://www.drsolomon.com/avtk/reviews

We're finding the world is moving to VxDs for on-access protection. As
they can even protect against polymorphic and macro viruses.
Certainly Dr Solomon's VxD has the same detection rate as our on-demand
scanner, FindVirus.

> 2. The Vi-Spy TSR is only 12K, which is a fraction of the size of
> the others.

Dr Solomon's TSR is 9K. A new version is about to reduce in size by
about 30% more. I suspect there are other TSRs which are smaller - the
trick is to balance a high detection rate with small residency in memory.

> Vi-Spy is written in Assembler, which makes the code much more
> efficient than other products.

Dr Solomon's TSR is written in assembler. I would expect all of the
good anti-virus TSRs to be written in assembler.

> By way of example, it is our understanding that F-Prot's TSR takes up
> 40k of conventional RAM, Norton 30K+, and McAfee 64K. They all claim
> smaller memory requirements, but at the cost of less protection.

Don't know about that. You can read more about VxDs, TSRs, and
on-access protection on our website (including independent comparative
reviews).

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400

------------------------------

Date: Tue, 21 May 1996 12:39:11 +0200
From: Stefan Kurtzhals
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 77

> > IVX also fails to detect macros in DOC files larger than 500 KB. It missed
> > 50 Concept samples in such large files. You have to redesign IVX I think.
>
> I checked IVX against Concept on huge docs (Eudora's - about 1.5 meg - and
> my own product's manual). IV both found Concept and cleaned it like a
> charm.

Again, which version of IVX do you use for testing. I only have the
6.11a which is available by FTP.

> I think you have to redesign your "tests" and make them look sensible. 50
> files of 500 K make 25 meg and take a lot of time to prepare. All that
> trouble for discrediting a competing product to yours? Naah!

Do you really think I just create 25 MB of doc files just for testing
IVX? I created them months ago to have a generic test set. It also
contains lots of other documents. About which competing product are you
talking? F/WIN is just a generic tool for detecting and removing macro
and windows exe viruses. And why do you always think that everyone wants
to discredit your product? In fact, I clearly support generic products
because they are much better than all those stupid regular scanners!

bye, Stefan

------------------------------

Date: Tue, 21 May 1996 11:14:21 +0000 (GMT)
From: Wolfgang Weisselberg
Subject: Re: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 77

netz@actcom.co.il, who is called Zvi Netiv wrote one day:

> A multilayered virus protection is more effective than duplicate and
> triplicates scanners. They are just more of the same.

*nod*

> Scanning new software (from shelf, archived or download) is good practice,
> yet you need to do it only once. There is no point in repeating scanning
> over and over again since viruses didn't join the paratroopers yet, and
> they don't just drop in. Since the differences in performance between the
> top notch scanners are marginal, then just one scanner will suffice for
> that purpose.

Yet all other experts say that it is GOOD practice to use more than one
scanner ... Perhaps because they do use different scanstrings and
detection methods and the detection is more accurate. Some scanners can
be easily circumvented by ACTIVE viruses, but all scanners and security
measures can be switched off by a virus. So more than one scanner IS a
good idea. But scanning the same software with the same scanners over
and over is not going to give you new insights.

> Antivirus TSR, VxD and activity monitors (or blockers) tend to conflict
> with other applications, sometimes in the worst moment and conditions.
*nod* More than one TSR (unless they are in one package like in TBAV) is
asking for trouble.

> Moreover, TSR and VxD detect the same viruses, most times less, than the
> scanner of the same maker can find. It's more logical then to use just the
> scanner and obtain the same results, without the penalty of the TSR/VxD/
> blocker. The latters also cripple your machine's performance and
> resources.

*nod* A TSR-Scanner is (almost) always worse than a stand-alone one.

> The complementary layer consists of generic virus capture and integrity
> monitoring and recovery, when necessary. Generic AV does NOT equate with
> "change detection", as suggested in one of the replies to your post.

TBAV does offer a multilayer TSR-Package as well (and there is a
Windows-version, too). Most important is perhaps the Integrity checker.
It does not allow you (secure switch) to run programs that have no valid
validation CRC. Generic AV is also implemented in TBAV - it runs under
the name of "Heuristic" like it does in F-Prot, AVP and almost any other
AV-Program. In fact, the heuristic is always switched on with TBAV.

> The combination of generic on-line protection and off-line software
> screening yields the most effective protection, for the lowest investment
> and no adverse effects on your computer's performance and resources.

Least impact, yes. But USE backups! AND an integrity checker, so you can
be sure that the programs were not modified (or have been completely
reconstructed after a virus attack).

> Lastly, beware of "independent comparative test reports". No such thing!
> They are all conducted by parties with veiled or unveiled interest.

They do rate your programs differently and not utterly superior? :) In
fact there are 'alternative' views in INVIRCIBLE ... (though they do
have some bias, they also do not lie, do they?)

- -Wolfgang
- -
"finger weissel@moon.ph-cip.uni-koeln.de" for my PGP-Key, or mail me.
Verbietet Autos, Geiselgangster koennten damit fluechten!
Outlaw cars, kidnappers might use them to escape!

------------------------------

Date: Tue, 21 May 1996 10:17 +0000 (GMT)
From: CLAYTON E RUTH
Subject: Re: Macro Viruses (Concept etc.)
X-Digest: Volume 9 : Issue 77

Jim Champ wrote:

>Bearing in mind the way cc:mail stores messages I shouldn't hold your
>breath waiting for this one [the back-feed]... probably better to work
>on stopping them getting into the cc:mail system in the first place.
>It's also theoretically possible to create a system that does virus
>checks on attachments as messages flow between post offices through
>routers. However the only way I've seen it done is hideously slow,
>and only really practical on incoming external mail.

My message resulted in a private response from a U.S.-based AV agent
with whom I am now working to set up a virus trap at the SMTP gateway.
Incoming external mail is indeed our primary problem and it appears that
a satisfactory solution may be close at hand. Other U.S. companies
interested in this approach can contact the agent, NH&A, for more
information:

nhirsch@nha.com
http://www.nha.com

Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
http://www.slchicago.com
Clayton.E.Ruth@SLChicago.Infonet.com

------------------------------

Date: Tue, 21 May 1996 20:58:50 +0100
From: Niels Bjergstrom
Subject: Re: Macro Viruses (Concept etc.)
X-Digest: Volume 9 : Issue 77

Dirk Siebert wrote:

>If this is correct. Is there an easy way to check a .doc file whether
>it is a template. Possibly only working if the file contains macros; as
>this is the most interesting case?

I assume that you wish to do this automatically, not by opening each and
every Word file on your computer to examine it. You can write e.g. an
assembler program to perform this very primitive heuristic test quite
easily, but it is not sufficient.
The reality is that in order to set up a professional quality OLE (or
macro) virus scanner you must write code that is able to correctly
interpret the OLE compound file format - and if you wish to clean
infected files, to write it as well. This is doable under Windows
because you can use existing APIs, but it is a whole lot harder on a
non-native platform such as DOS, where you have to write the actual
APIs, yourself. This is why not even the leading anti-virus companies
have come up with anything really good, although some of them are almost
there. This difficulty also provides an opportunity for less scrupulous
dabblers in the anti-virus field to present products that they claim are
wondercountermeasures (:)) of heuristic ingeniousness.

CSE currently includes a stop-gap solution of reasonable quality with PC
Vaccine Professional. It does not fully interpret the OLE files, and for
this reason misses approximately 1.5% of possible infections,
corresponding to special file fragmentation cases. It will be replaced
asap.

Hope this throws a bit of light.

Niels

- - Niels J Bjergstrom, Ph.D., m/ISACA      Tel.  +31 70 362 2269 --
- - Computer Security Engineers, Ltd.       Fax.  +31 70 365 2286 --
- - Postbus 85 502, NL-2508 CE Den Haag     UK:  +44 1536 772 052 --
- - Netherlands                  Email: njb@csehost.knoware.nl --
- - PGP Public key available on request - please use when mailing vira --

------------------------------

Date: Tue, 21 May 1996 20:29:28 +0000 (GMT)
From: Robert Michael Slade
Subject: Re: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 77

Zvi Netiv (netz@actcom.co.il) wrote:

: Lastly, beware of "independent comparative test reports". No such thing!
: They are all conducted by parties with veiled or unveiled interest.

OK, what's Chris McDonald's interest; what's Bill Lambdin's interest;
and what's my interest? I'd be interested to know :-)

=============
Vancouver      ROBERTS@decus.ca             | "Kill all: God will know his own."
Institute for  rslade@vcn.bc.ca             | - originally spoken by Papal
Research into  rslade@vanisl.decus.ca       | Legate Bishop Arnald-Amalric
User           slade@freenet.victoria.bc.ca | of Citeaux, at the siege of
Security       Canada V7K 2G6               | Beziers, 1209 AD
============= for back issues:
AV contacts list: ftp://cs.ucr.edu/pub/virus-l/docs/reviews or The Cage
Antiviral reviews: ftp://cs.ucr.edu/pub/virus-l/docs/reviews/pc or The Cage
                   telnet://freenet.victoria.bc.ca (command "go virus")
                   http://csrc.ncsl.nist.gov/virus/virrevws/
Viral Morality: http://www.bethel.edu/Ideas/virethic.html
Book reviews: telnet://freenet.victoria.bc.ca (command "go tbooks")
RobertS Rules of Internet: http://www.brandonu.ca/~ennsnr/Resources/order.html

------------------------------

Date: Tue, 21 May 1996 17:52:37 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 77

In article <0002.01I4ZK5F9E7WSKZSW7@csc.canterbury.ac.nz>
netz@actcom.co.il "Zvi Netiv" writes:

> Iolo Davidson wrote:
>
> > kurtzhal@wrcs3.urz.uni-wuppertal.de "Stefan Kurtzhals" writes:
>
> >> Yes, -TOO- generic. IVX had 100% false positives here on my system with
> >> all antivirus-macros like SCANPROT, lots of regular tool macros and
> >> others.
>
> >> IVX also fails to detect macros in DOC files larger than 500 KB. It missed
> >> 50 Concept samples in such large files. You have to redesign IVX I think.
>
> > Oh, no! Does this mean that Invircible will have to have another
> > (GASP!) update?
>
> That won't be necessary as IV works fine in all instances mentioned by Mr.
> Kurtzhals. It's blatant disinformation.

I believe Kurtzhals disputes the above characterisation in another post.

> As an ex technical reporter and an ex programmer for S&S, I would think
> you are capable of assessing the credibility of what you quote.

I asked a question. I don't see any credibility problem there. I take
it your answer is that another update won't be necessary at this time.
I am capable of assessing the credibility of that. A few days ago you
were saying in here that the macro virus problem was all hype and that
your product could handle them by giving people instructions about how
to delete infected macros by hand.

> You could for example check IVX with SCANPROT.DOT as the latter is
> available to all. IVX does not false alarm. The rest of Mr. Kurtzhals'
> claims are as true as this one.

Well, you say it doesn't, and he says it does. I don't give you equal
credibility, by the way. I don't care to go to the effort of testing
your product myself, quite aside from the fact that I would have to
allow it into the house to do so. Maybe Bontchev will have a go at it,
but for the moment, I believe Kurtzhals rather than you.

- -
LIFE IS SWEET            AND THEN
BUT OH HOW BITTER!       NOT GIT 'ER
TO LOVE A GAL            Burma-Shave

------------------------------

Date: Tue, 21 May 1996 18:17:20 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Final decision
X-Digest: Volume 9 : Issue 77

In article <0006.01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz>
"Harald Horgen"@smtp.wanadoo.fr "Harald Horgen" writes:

> 2. The Vi-Spy TSR is only 12K, which is a fraction of the size of
> the others.

VirusGuard, the TSR in Dr. Solomon's, is smaller than that.

- -
LIFE IS SWEET            AND THEN
BUT OH HOW BITTER!       NOT GIT 'ER
TO LOVE A GAL            Burma-Shave

------------------------------

Date: Tue, 21 May 1996 18:13:43 +0000 (GMT)
From: Iolo Davidson
Subject: Re: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 77

In article <0004.01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz>
netz@actcom.co.il "Zvi Netiv" writes:

> Lastly, beware of "independent comparative test reports". No such thing!
> They are all conducted by parties with veiled or unveiled interest.

Typical blanket attack on the ethics and professionalism of everyone in
the world. After all, they're all against Invircible, as evidenced by
the fact that Invircible doesn't come top in all the reviews.
- -
LIFE IS SWEET            AND THEN
BUT OH HOW BITTER!       NOT GIT 'ER
TO LOVE A GAL            Burma-Shave

------------------------------

Date: Tue, 21 May 1996 13:59:09 +0000 (GMT)
From: "Eric T. Waid"
Subject: RE: Rebooting, OSs...
X-Digest: Volume 9 : Issue 77

On Monday, May 20, 1996, Jad wrote...

> Hello all. I have been reading a lot in this mailing list for a while, and
> it seems there are quite a few people who know what they are talking
> about.
>
> Anyway, I wanted to ask a few questions.
>
> First off, do you really have to turn off the computer instead of
> rebooting when you think/know you have a virus and want to boot from a
> floppy? I mean, doesn't a warm boot clear the entire memory banks? And a
> cold boot should do it for sure. I once downloaded a program, and for some
> reason ran a BBS and program before scanning all the files. I then ran
> TBAV and it said it was possibly infected. I did a warm reboot, cleaned
> the Tai-pan virus from TBSCAN and the BBS ad with no problem(using my
> second scanner, F-PROT). Any comments?

I have heard that there are some viruses that can survive a warm boot
because they alter the way a warm boot works. As I understand it, the
first thing a warm boot does is clear memory. However, some of these
viruses cause the warm boot to skip that step so they remain in memory
for what looks like a complete boot. That is why the cold boot from a
clean floppy is best. That way the virus never has a chance to start.

> Also, how are operating systems like Unix, OS/2(using the HPFS file
> system) with viruses? Are they more "immune" to viruses than the DOS and
> Win/Win95 operating systems?

These systems are not as susceptible to file viruses as DOS because they
do a very good job of protecting their "kernel" (Windows NT can also be
included in this group). In addition, I have never heard of a UNIX or
Windows NT virus. There are (supposed to be two OS/2 viruses, but they
are still only lab viruses).
However, all of these systems are susceptible to boot viruses. They may
not work, but there is the potential for damage to the boot member.

One other thing to remember. If a DOS file is infected, it can still
run in the virtual DOS windows of these systems. While the virus cannot
spread, it can still "go off" if its trigger is pulled. This may or may
not cause data loss. Personally, I don't want to take the chance. I am
running Windows NT, Windows 95, and OS/2 Warp on my machine and
everything still gets scanned before I use it.

> A friend once got the Ripper virus on his machine, which was not detected
> by CPAV, MSAV(yuck), or NAV until I thought of giving him some real
> scanners. We run them just for fun, and TBAV found the Ripper virus in the
> boot sector. Cleaned it and the hundreds of floppy disks, then ran NDD on
> the hard drive to check for errors(F-PROT said it corrupts approx. 1 in
> every 1000 disk writes), but found none whatsoever. Anybody know why?

No Idea.

> Last thing. Would it be possible to write software to make the partition
> (MBR) table and boot sector "read only"? If so, would it be easy for
> viruses to defeat the software protection?

Some people have suggested this in the past, however, since the setting
is a software one instead of a hardware one, a virus can simply issue
the command to remove the "read only" setting before doing its deed.

Hope this helps.

------------------------------

Date: Tue, 21 May 1996 17:58:12 -0500
From: moroch@onramp.net
Subject: Re: Macro Viruses (Concept etc.)
X-Digest: Volume 9 : Issue 77

CLAYTON E RUTH wrote:

> My primary problem with Word Macro viruses is getting them out of
> cc:Mail file attachments. I look forward to the day (hopefully soon?)
> when one of the many AV developers out there comes up with something
> that will intercept them and clean them up as they pass from cc:Mail to
> Word when the user double-clicks the attachment.
I've been scouring this group and the Web for a program that will scan
*any* file saved to my Mac hard drives. We receive Word docs via e-mail
constantly, and the users in our company save them to their hard drive.
They usually double-click the documents to start Word, bypassing the
normal (SCANPROT installed) macros and often reinfecting their machines,
so far with just Concept.

I've d/led the latest SAM file, and it does a fabulous job with floppies
but misses anything downloaded, shared, or e-mailed in unless the user
runs a full HD scan. I could set it to do so each morning or whatever,
but in the meantime we may send out files to others with the Concept
virus.

Is there an AV program for the Mac that performs a robust scan such as
I've described? How about for the PC?

> I can't trust users to
> assume the responsibility of cleaning documents themselves; I want to
> automate it as much as possible.

Amen.

------------------------------

Date: Wed, 22 May 1996 02:59:12 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering
Subject: F/WIN 3.09 just released
X-Digest: Volume 9 : Issue 77

F/WIN 3.09 just released!

One unique new feature is that F/WIN now alerts users to the presence of
the TOOLSMACRO macro. This lets users know to AVOID clicking on 'Tools',
then 'Macro' to try to view or remove the suspected virus/trojan
manually. No other product provides users with this kind of warning.

In addition to TOOLSMACRO, F/WIN also alerts users to the presence of
AUTOCLOSE, AUTOEXEC, AUTONEW, AUTOOPEN, FILEEXIT, FILENEW, FILESAVE,
FILESAVEAS.

Some features F/WIN has that are unique to it include:

* A detailed analysis for the user as to what potentially harmful
  things the macros are trying to do. Some products will only tell users
  that an auto macro is present, or maybe not even that much. F/WIN has
  considerable intelligence built into it to give users as much
  information as possible to help them make informed decisions about the
  potential threat they face.
  This detailed information may also help to explain if a macro
  virus/trojan was responsible for damage that may have already occurred.

* F/WIN doesn't automatically flag every template/file that contains an
  auto macro such as AutoOpen, AutoClose, etc. It will only flag a file
  as being potentially infected if it finds potentially dangerous code
  as well. This means that users who want to continue using macros
  they've written can probably continue to do so without having to put
  up with endless false alarms.

See our web page for more details about F/WIN's other new features:
http://www.entrepreneurs.net/fwin

Gary Martin
Computer Virus Solutions
E-mail: fwin_sup@ix.netcom.com
WWW: http://www.entrepreneurs.net/fwin
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Tue, 21 May 1996 17:58:56 -0400
From: Charlene Rodgers
Subject: HELP HELP--FORM A Virus on NT floppy (NT)
X-Digest: Volume 9 : Issue 77

Have a problem that an NT machine boot drive has died after saving files
to a floppy infected with the FORM A virus. Anyone know how to repair
the drive without doing a low level format !!

Thanks
Armando

------------------------------

Date: Tue, 21 May 1996 11:02:44 -0400
From: Al Dykes
Subject: Anti-Virus product for NT _3.50_ ??? (NT)
X-Digest: Volume 9 : Issue 77

I need to buy an A/V product that runs on NT 3.50. I've called a couple
of the major brands and get either "3.51 or higher" or "I'll call you
back".

Can anyone help ?

Al Dykes

------------------------------

Date: Tue, 21 May 1996 18:09:43 +0000 (GMT)
From: Jan Hruska
Subject: Re: Scanner for DEC Alpha running NT (NT)
X-Digest: Volume 9 : Issue 77

> 1. Is there a product that has been tested and proven to work in this
> environment?

Sophos have SWEEP for Windows NT for Alpha. See www.sophos.com.

------------------------------

Date: Tue, 21 May 1996 16:28:42 +0000 (GMT)
From: "P.Cosway"
Subject: Mac virus or just strange stuff? (MAC)
X-Digest: Volume 9 : Issue 77

I have been experiencing strange behavior on my Mac powerbook, but as
yet, no noticeable damage.

Situation: When I press the shift key five times in a row, the Mac plays
a rising scale of notes and shows something that looks like a "U" (kind
of like the cross section of a rain gutter) in the top right corner.
Further pushes of the shift key cause a "down arrow" to appear above the
"U", the "U" to be filled in, both arrow and fill to disappear, the
arrow to reappear, and then the "U" and arrow to disappear, accompanied
by a downward scale of notes.

This has been happening for several months, but I only just figured out
the pattern of keystrokes that causes the behavior.

Any ideas about what is going on? Email responses are appreciated.

Thanks,
Paul Cosway
pcosway@inter.nl.net

------------------------------

Date: Tue, 21 May 1996 19:08:34 -0500
From: Ryan McCullough
Subject: Re: Evil Rabbit Appleshare file--a virus? (MAC)
X-Digest: Volume 9 : Issue 77

In article <0012.01I4ZK5F9E7WSKZSW7@csc.canterbury.ac.nz>, Richard C
Garella wrote:

> On our network of Macintoshes, strange things have been afoot: Crashes,
> network problems and more. I found on the desktop of each of the Macs an
> invisible file called Appleshare PDS, with a evil-looking rabbit, wearing
> sunglasses, as its icon; this file cannot be trashed (in use).

Appleshare PDS is a file that is created the first time File Sharing is
turned on. It, and the "killer rabbit" icon are normal and not the
symptom of any problem. In case you are wondering, the icon comes from a
Monty Python movie, of which the Appleshare developers were apparently
fans. The problem is more likely some type of extension conflict or
other such thing.

- -
Ryan McCullough
roark@dartmouth.edu
"I claim to have expert knowledge of nothing but erotics."
-Socrates
PGP public keys at

------------------------------

Date: Tue, 21 May 1996 11:01:00 +0200
From: Stefan Kurtzhals
Subject: Re: Do macro viruses infect Finnish Word? (MAC,WIN)
X-Digest: Volume 9 : Issue 77

Marjut Kaistinen wrote:

> I heard about Word's macro virus and now two my friends are
> arguing that can it infect other language Word macros(example FI)
> than Word UK/US?

This is the same situation like we have here in Germany. Most of the
macro viruses use fixed strings referring to macros like "FileSaveAs" or
"FileClose" and so on. Because of this, most of the macro viruses will
just infect your NORMAL.DOT and nothing more. Of course, if there's a
payload in the Auto* macros, it still can get activated! So, English
language macro viruses are still a problem for you. And there are some
macro viruses, which only use Auto* macros and which will work fine with
every Version of Word.

bye, Stefan Kurtzhals

------------------------------

Date: Tue, 21 May 1996 14:01:14 +0000
From: Szappanos Gabor
Subject: Re: Do macro viruses infect Finnish Word? (MAC,WIN)
X-Digest: Volume 9 : Issue 77

Marjut Kaistinen wrote in Digest: Volume 9 : Issue 75:

>I heard about Word's macro virus and now two my friends are
>arguing that can it infect other language Word macros(example FI)
>than Word UK/US?

It is a common belief that macro viruses can not operate under different
nationalized versions of Word. It is not exactly true.

The problem is that the macros are stored in "precompiled" format in the
templates. This means that each macro command is represented by a 2 or 3
byte sequence. For example MacroCopy is stored in a template as
67 C2 80. These sequences are the same in each nationalized version.
Upon execution or editing a macro, WordBasic interprets these sequences.
Well-behaving macros can therefore be used in any version.

Viruses don't behave well. They try to intercept built in Word commands.
The FileSaveAs macro can intercept the File|Save As... command in the
English version but can not do the same in the German version where the
same built in command is called DateiSpeichernUnter. Thus one could
conclude that macro viruses can not work under different nationalized
versions.

The situation is worse. The name of the automatic macros is the same in
all language versions. Therefore macro viruses can activate without
problems in other nationalized version. If the virus has a
time-dependent payload, it can execute, for example FormatC will format
the C: drive anywhere in the world. DMV only operates with the automatic
macro AutoClose therefore it is fully functional in all nationalized
versions. One could conclude that macro viruses and trojans can activate
but can not infect other documents.

The situation is even worse. There are two types of nationalized
versions: I will call them major and minor. All of the above is true for
the major versions (like German or French). In smaller countries (like
Hungary) Microsoft did not find it worthwhile to implement the
nationalized macro programming, therefore used the English version. No
matter what the name of the menu command for saving a file is, it is
represented by the built-in command FileSave. In these minor versions
macro viruses written in the English version of Word will work properly.
On the other hand, Xenixos and Concept.French written in the German and
French version will not.

Conclusively macro viruses can activate in different nationalized
versions of Word, but won't work properly in a different major version.

To answer your question: I do not know whether the Finnish Word is a
major or a minor version (you can easily find it out by checking the
WordBasic reference in Word: if all the macro names are English, it is a
minor version, if they are Finnish, it is a major version). If it is a
major version, then you are safe from Concept but not from FormatC or
DMV, if it is a minor version, you are only (relatively) safe from the
German and French macro viruses.
Szapi

------------------------------

Date: Tue, 21 May 1996 16:31:04 +0000 (GMT)
From: Dan Iehl
Subject: Win 95 Stealth C Help (WIN95)
X-Digest: Volume 9 : Issue 77

I have the stealth C virus. When Mcafee checks at boot up. I have made a
clean bootable disc with Mcafee scan on the disc and boot with it and ck
my drive and it shows all is clean. Then when I reboot windows 95
stealth c shows again. How do I fix this master boot record problem?

Mahalo,
Dan

------------------------------

Date: Tue, 21 May 1996 16:59:11 +0000 (GMT)
From: Al Trucano
Subject: Re: TBAV trouble detecting Concept (WIN)
X-Digest: Volume 9 : Issue 77

You might want to try VDOC from EliaShim Microcomputers. It can be
downloaded as freeware from www.eliashim.com. It is a standalone utility
that finds nine flavors of macro viruses and removes all of them. The
only false alarm that I have detected happened when the document had an
extra form feed at the end of it. Removing the extra page killed the
false alarm.

------------------------------

Date: Tue, 21 May 1996 13:49:22 -0400
From: "James R. Mac Donald"
Subject: System.Ini Virus? (WIN)
X-Digest: Volume 9 : Issue 77

Has anyone heard and/or experienced a virus that would "edit" the
Windows System.Ini file. It seems that 4 users this morning in my firm
have reported System.Ini files that have been decimated; leaving only
two non-functioning lines within. It apparently deletes the
[386 Enhanced] section among others.

If you have heard of this and / or have a "cure", please let me know.
Jim Mac Donald
macdonaldj@norden.com
jrmd@thehole.win.net
http://www.win.net/~thehole

------------------------------

Date: Tue, 21 May 1996 10:57 +0000
From: Graham Cluley
Subject: Re: QUANDARY virus (PC)
X-Digest: Volume 9 : Issue 77
In-Reply-To: <01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz>

Someone called "Steve" writes:

> I was hit with the Quandary virus about 3 weeks ago, and since then
> I have heard of three other infections (not possible that I cross
> contaminated). Seems to me that this is a fairly large infection
> rate, but I'm no expert. Anyone else come across this virus
> lately? How about any info on it? (besides that fact that it
> affects BS's)

Here's some information from Dr Solomon's:

Quandary
Aliases: IHC, Parity.boot.enc, Newboot_1, Boot-c

Quandary is a stealthing boot sector virus, infecting the boot sectors of floppies and the partition sector (MBR) of hard disks. The virus only takes up one sector and in fact the infected partition sector looks very similar to an infected floppy disk boot sector.

Part of the beginning of the virus is encrypted (34 bytes). This is an attempt to avoid detection by heuristic scanners (the most suspicious actions of the virus code are encrypted - memory installation and interception of Int_13).

The virus infects write-enabled floppies when they are accessed. Before infecting the floppy the virus checks to see whether it has already been infected. It then analyses the diskette parameters (number of FATs, number of root directory entries, number of sectors per FAT, number of reserved sectors). The limitations applied allow the virus to infect only standard 1.44MB floppies.

Quandary is a stealth virus and the original floppy boot sector is saved at the very end of the root directory (head=1, sector=15 on track 0). On the hard disk the original partition sector (MBR) is stored in sector 15 (0F) of track 0.

> Incidentally, McAfee ViruScan95 picked it right up and killed it just
> as fast.

That's good news.
Dr Solomon's Anti-Virus Toolkit can detect, clean-up and intercept this virus as well. I would expect other good anti-virus products to be able to do the same.

An evaluation version of Dr Solomon's FindVirus is available for download from our website.

Regards
Graham

- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400

------------------------------

Date: Tue, 21 May 1996 10:57 +0000
From: Graham Cluley
Subject: Re: Cruncher (PC)
X-Digest: Volume 9 : Issue 77
In-Reply-To: <01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz>

Sune Lundholm writes:

> F-prot 2.22 (heuristic) reports Cruncher in a .comfile. (not in memory)
> It's not supposed to be in the wild. Is it a known false alarm?

It sounds like it could be a false alarm. Cruncher uses part of Teddy Matsumoto's DIET compression algorithm to hide itself in files. Maybe F-Prot is picking up on the DIET algorithm and, in heuristic mode, saying it might be Cruncher.

You might like to try downloading the evaluation version of Dr Solomon's FindVirus from our website. It can scan inside compressed and archived files (including DIET) and will confirm whether you really have Cruncher or not.

> Another question: When to use "paranoid" scan (not just F-prot) they
> (TBAV, AVP and others) reports lots of suspicious unknown viruses.
> Should you be "paranoid"?

You may also care to try the heuristics in Dr Solomon's FindVirus which are not as prone to false alarming as those in some other products. Full independent comparative reviews on our website.

Regards
Graham

- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400

------------------------------

Date: Tue, 21 May 1996 11:57:04 +0000 (GMT)
From: Bill Peel
Subject: Possible F-PROT false positive (PC)
X-Digest: Volume 9 : Issue 77

F-prot v2.22a identified a file V5.COM as "Possibly a variant of Cascade". The file was in the TECHDIAG directory of a recently purchased Western Systems PC.

At the top the file contains the text:

    Techline Lookup Database Copyright 1991 by Fred Harding

and further on:

    ENCYCLOPEDIA OF VIRUSES (JER - MIR)

The first part of the file is binary mixed with text and the rest consists of text descriptions of viruses.

I assume this is a false positive - comments welcomed.

Bill Peel          | Information Systems Unit
w.peel@mmu.ac.uk   | Manchester Metropolitan University
                   | Chester Street
                   | Manchester M1 5GD
                   | England

------------------------------

Date: Tue, 21 May 1996 13:02:45 +0000 (GMT)
From: Ramon Ros Sanjuan
Subject: Disinfecting BARROTES--Can you help me???? (PC)
X-Digest: Volume 9 : Issue 77

Yesterday I found a virus in my PC and I fear it can be located in a lot of friends' computers. It's called BARROTES (Bar too, I think) and I tried to kill it using McAfee Scan, but I'm not sure about his death. So, does anyone know how it acts? It's a terrible virus? How can I be sure it's dead?

Please, if possible mail me any answer (Ramon.Ros@uv.es).

Thank you in advance.

Ramon Ros, Spain.

------------------------------

Date: Tue, 21 May 1996 16:56:17 +0000 (GMT)
From: Al Trucano
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 77

You might want to take a look at ViruSafe from EliaShim. Its TSR takes only 13K of conventional memory (loads itself high automatically if UMB are available) and loads the remainder of its code into EXTENDED memory.
------------------------------

Date: Tue, 21 May 1996 11:01:58 -0500 (CDT)
From: Jarrod Henry
Subject: Regarding InVIRcible (PC)
X-Digest: Volume 9 : Issue 77

I have tested InVIRcible with my collection, and believe me, it doesn't catch 100 %. (My collection consists of about 100 virii, most of them are common.)

I too had problems with it picking up Concept, as well as a good number of other virii.

I think that I will consider InVIRcible itself a trojan, as it promises 100 % detect, but doesn't deliver that.

I think I'll stick with F-prot and TBAV.

Jarrod

------------------------------

Date: Tue, 21 May 1996 11:11 +0000 (GMT)
From: CLAYTON E RUTH
Subject: Re: TBAV false alarms in Acad13? (PC)
X-Digest: Volume 9 : Issue 77

Joan Rodenbaugh wrote:

>I've recently installed TBAV and all seemed well until I went to
>install my autocad disks. It found a lot of files that could possibly
>be viruses. I turned the heuristic level down to low, but still got a
>few alarms. I don't think Autodesk sends out infected disks, but heh,
>you never know. I'm sitting here staring at my hubby's Acad disks and
>won't install the app until I get some answers. Anyone else scan their
>Acad13 with TBAV and get these type results?

TBAV has a tendency to false-alarm on files it doesn't know. Download a copy of F-PROT at ftp://ftp.coast.net/SimTel/msdos/virus/fp-222.zip (it will likely become fp-223.zip soon) and give it a try. If F-PROT says the disks are clean, you can be reasonably assured that you won't have a problem.

You are wise in being cautious; shrink-wrapped viruses have happened before. But TBAV tends to be a bit too paranoid. TBAV's heuristic alerts should be taken seriously only if you find the same combination of heuristic flags on several different files. An unknown file-infecting virus would exhibit the same pattern of behavior, as reflected by the flags, on all executable files it has infected.

F-PROT is a very good scanner that will rarely, if ever, lead you astray.
Best of all, when you use it at home, it's free!

Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
http://www.slchicago.com
Clayton.E.Ruth@SLChicago.Infonet.com

------------------------------

Date: Tue, 21 May 1996 17:25:25 +0000 (GMT)
From: Joe Spears
Subject: Re: Stealth_Boot_C - what does it do? (PC)
X-Digest: Volume 9 : Issue 77

Jock:

I just helped a friend identify his virus and clean his system(s). Stealth_C is a boot sector virus that redirects all of your disk I/O through the virus, watches for floppy disk activity, and takes the opportunity to infect the boot sectors of any floppies you use in your system that are not write protected. If other systems are booted from such an infected floppy, their hard disks get infected (unless there are some antiviral measures being taken).

As long as you use write-protected floppies, and the performance you're getting with your disk I/O redirected through the virus is OK, you can live with this for a while. (My friend was trying to install Windows 95, which defaults to protected-mode disk I/O, which was erroring because the virus is a real-mode virus, which caused significant compatibility and performance problems for him.)

Joe Spears
State of Alaska

------------------------------

Date: Tue, 21 May 1996 04:12:21 +0000 (GMT)
From: George Wenzel
Subject: Re: Different scanners report diff viruses (PC)
X-Digest: Volume 9 : Issue 77

In article <0025.01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz>, Temple wrote:

>We have the mcafee, f-prot, and dos virus scanners. Mcafee and dos both
>say that the memory is infected with monkey virus. F-prot says that
>memory is infected with the stoned virus.

All the scanners are detecting the same virus, but reporting it with a different name. The naming conventions for viruses aren't quite standardized yet. You need not worry what name your AV program is giving the virus - as long as it can detect it, it can probably remove it.
By the way, you say you used the 'dos' virus scanner. I assume you are talking about Microsoft Anti-Virus. This product isn't worth running (it's miserable compared to any other AV program), and I'd suggest NOT using it to remove the virus. F-Prot or McAfee would be considerably more reliable.

>I checked the hard drive and floppy drive boot disk with f-prot and it
>said that they were clean, but for some reason we keep getting the report
>that memory is infected even after booting from a supposedly clean boot
>disk.

I don't think your boot disk is really clean then. What I'd suggest you do, is dig up your original DOS system disks, and boot from disk 1, and then exit from the setup program. That should work (but make sure the disk is write-protected). After that, run F-Prot to clean the hard drive and the other floppies.

>Anyone have any suggestions? Is there a way to clean the memory? (When we
>try to run the scans including the memory, we get the message to reboot
>from a clean floppy).

Generally, to clean the memory, you have to ensure you are booting from a clean floppy. You might want to get one from a friend if you don't have one available, or you might want to go to a reputable computer store and ask for one (but this is a little more risky, because computer store computers aren't the cleanest in the world).

>[Moderator's note: Are you accurately reporting -exactly- what these
>scanners reported? I suspect not -and- that at least one of them is
>saying something to the effect "a new variant of". The Monkey and Stoned
>families of viruses are closely related, so it is not surprising in the
>case of new variants for there to be some apparent confusion.

I've seen some scanners call that particular virus stoned.empire.monkey, so it could be that there isn't any mix-up, just a different naming convention afoot.
Regards,
George Wenzel

- -
 |\ _,,,--,,_ ,)         George Wenzel
 /,`.-'`' -, ;-;;'       Student of Wado Kai Karate
 |,4- ) )-,_ ) /\        University of Alberta Karate Club
 <---''(_/--' (_/-'      http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Tue, 21 May 1996 18:06:38 +0000 (GMT)
From: DANIELE CINCOTTA
Subject: SMEG virus (PC)
X-Digest: Volume 9 : Issue 77

did/do you know the virus called SMEG?

Please, reply me
cincotta@micronet.it

------------------------------

Date: Tue, 21 May 1996 18:22:20 +0000 (GMT)
From: Iolo Davidson
Subject: Re: running antivirals on infected PC's (PC)
X-Digest: Volume 9 : Issue 77

In article <0023.01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> With IDE drives, InVircible is the preferred way to remove
> stealth boot infectors

Preferred by who?

> Generic capture is far more reliable than virus scanning.

Again, who says so besides you? (Not that I have ever heard anyone else in the industry use the phrase "generic capture".)

> Unlike scanners and signature/heuristics
> based TSR and VxD, IV is unobstructive
> and won't cripple your machine or take it over.

You seem to be saying that other people's products *will* "cripple your machine or take it over". This is obviously not the case, as other products outsell Invircible by a substantial multiple.

- -
LIFE IS SWEET           AND THEN
BUT OH HOW BITTER!      NOT GIT 'ER
TO LOVE A GAL           Burma-Shave

------------------------------

Date: Tue, 21 May 1996 18:29:44 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Scanning Iomega Zip Drive (PC)
X-Digest: Volume 9 : Issue 77

In article <0022.01I4Z4I4D74WSKZSW7@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> Install IV to your home base machine and have all downloaded software
> actively screened under IV's surveillance. This should detect everything
> viral that escaped your scanner.

"Should" detect? Sounds like you aren't sure. What happens if it misses one?
You are going on about the terrible, terrible problem of scanners occasionally not detecting a new virus, but you seem to pass over the problem of your own software doing the same thing as if it doesn't matter.

Did Invircible detect word macro viruses when they first appeared? I understand you just issued an update (a second update) to deal with the latest macro viruses, so I believe that you were missing them before.

What is the big advantage of the way you claim your software works if it still misses new viruses just like scanners sometimes do? At least scanner producers acknowledge the problem of new viruses and have regular updating subscription programs to keep up.

- -
LIFE IS SWEET           AND THEN
BUT OH HOW BITTER!      NOT GIT 'ER
TO LOVE A GAL           Burma-Shave

------------------------------

Date: Tue, 21 May 1996 18:57:06 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Bios virus? (PC)
X-Digest: Volume 9 : Issue 77

In article <0025.01I4ZK5F9E7WSKZSW7@csc.canterbury.ac.nz> stephen.l@ukonline.co.uk writes:

> Problem is-I have a Diamond Stealth graphics card PCI, when I boot up
> nothing appears on my screen and it goes into power down mode approx
> 8 seconds. I get 1 long and 2 short beeps indicating a video problem.
> I took out this board and inserted an ISA graphics board, booted from
> the floppy a drive presto I have a screen display "bios rom checksum
> error". I still have no c drive recognition.

Sounds like you have a hardware problem.

> I've tried all the relevant
> key sequences to get access to the bios but have had no success.

There are no key sequences that give you access to the BIOS. You probably mean that you cannot get access to the CMOS setup. That could happen if your BIOS is faulty.
> I suggested to the repairer that the checksum error may be due to the
> fact that the pci board video bios being removed may have caused this
> checksum error. To my surprise I was being told that there is a virus
> which over time continually attacks the bios eventually so corrupting
> it that it renders the system inoperable. I was then told a new board
> would be the solution at a cost of ukp140. Is this a virus problem.

No, this is nonsense. A ROM cannot be affected by any virus. CMOS can be corrupted by a virus (a few viruses write to CMOS), and there is a possibility that a flash eprom BIOS could be corrupted by a virus, as they are designed to be reprogrammed by software, but so far there are no viruses known to do this.

If you have a hardware problem, then it may well be that a new motherboard would be the cheapest solution, but don't swallow the virus guff.

> My bios is Award 4.50PG. Can anybody shed any light on this.

Is it a flash eprom?

- -
LIFE IS SWEET           AND THEN
BUT OH HOW BITTER!      NOT GIT 'ER
TO LOVE A GAL           Burma-Shave

------------------------------

Date: Tue, 21 May 1996 18:07:25 -0500
From: jonvwill@iastate.edu
Subject: Re: Bios virus? (PC)
X-Digest: Volume 9 : Issue 77

stephen.l@ukonline.co.uk wrote:

> Today I called in to a computer dealer/repairer to explain my computer
> problem to him and see if he could help.
>
> Problem is-I have a Diamond Stealth graphics card PCI, when I boot up
> nothing appears on my screen and it goes into power down mode approx
> 8 seconds. I get 1 long and 2 short beeps indicating a video problem.
> I took out this board and inserted an ISA graphics board, booted from
> the floppy a drive presto I have a screen display "bios rom checksum
> error". I still have no c drive recognition. I've tried all the relevant

[rest deleted]

Perhaps a dead bios battery is a more likely candidate?
Jonathan

------------------------------

Date: Tue, 21 May 1996 23:10:25 +0100
From: Thomas Moenkemeier
Subject: Registering F-PROT for 1$ (PC)
X-Digest: Volume 9 : Issue 77

Quite a few times I was asked the same question about registering F-Prot. As we all know, it's free for private use, and thankfully accepted by the millions of users around the world for that.

But what about commercial users, that do not want to purchase the professional version, that does more than the shareware-package, what about those, that just want to register on the "1$-per-year-and-machine-basis" Vesselin stated some months ago:

1. What do they have to do ?
2. What do they get ?

I would not mind, if they don't get anything but a good conscience, this would be really enough for this fine piece of software ! But can anybody here confirm, that it is correct just to send the amount in dollars to Frisk, get updates via BBSs on myself and feel alright ?

I'm shareware-maker, too, and would like to register too, but do not get any clear answer for this from the german distribution site.

Any hints would be greatly appreciated, thanks in advance !

Regards, thm@vgasoft.com (Author of VGA-COPY/386)

- -
voice: +49-441-972952, fax: +49-441-972954, data: +49-441-972955.
snailmail: VGA-Software GmbH, Schuetzenweg 85c, D-26129 Oldenburg.
- --

------------------------------

Date: Wed, 22 May 1996 00:33:25 +0000 (GMT)
From: William Robert Night
Subject: Re: Is virus writing illegal? (PC)
X-Digest: Volume 9 : Issue 77

William F. McCarthy (billm@netsync.net) wrote:
: Pfunk240 wrote:

: If you want to propagate computer use, you have to make
: computers easier to use for the masses and that keeps us all in jobs.
: Intentional writing of destructive code should be the last place you
: should be spending your time.

You should understand the extreme contempt that a lot of people feel for the masses.
They participate in building a system that supports their way of life, then see it taken over in a year or two by systems like AOL. Spams were virtually non-existent until the "Net" was adopted as the favorite word of newscasters. Nobody talked about censoring the net until recently because both the pedophiles and the children use AOL, which didn't exist until recently.

Your job may depend on having a bunch of cretins stomping on the net, mine doesn't. (I write games.) I wouldn't cry if the masses couldn't use a computer because the only OS was unix; the nice thing about that day and age was that the IQ test was built in. Honestly, asking for sympathy for the poor unfortunate, rude, belligerent masses is not going to get you much support.

: > I don't write
: > virii YET because i want to learn more about it before I start...but once
: > I do..I wont stop because of some puny law...hell, most of us brake the
: > law every day. Just keep telling yoursself that it isn't that big a deal
: > and it will all be better. :) chill.

: I understand that you are young (this is obvious by your tone and style of
: writing) and that virus writing sounds exciting. This tells me two
: things: First that you know very little about programming and second that
: you know very little about virii.

Someone's age and spelling tell you that much? Are you The Amazing Jojo (a 1-900 psychic in case you don't know) by any chance? You may not like it, but people find a wide variety of things fun, some are guaranteed to like things you find distasteful, but that doesn't mean they don't know what they're doing.

: Programming is not easy and those that
: do it would like to see their work make them some money or cause them to
: have a certain amount of recognition.

Programming comes as easily to me and a lot of people my age (I'm 21, but I've been programming since I was 9) as tinkering with cars came to our parents. It's not a monumental task like the climbing of Everest.
I've written many a program for a target audience of less than a dozen, just because I wanted to. Money is why I work, but at home I do it for fun. (Not virii myself, but I can see the attraction... I play C-Robots and the like because I enjoy watching my programs beat others.)

: Writing Virii does not cause any
: money to be coming into the house (something that I assume does not mean
: much due to your age) and does not cause any recognition.

Many hobbies don't make you any money, or cause professional recognition, yet a lot of people build models, collect stamps, etc. The only people who give you recognition are those with similar interests, but those are usually the most important people in your opinion.

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 77]
*****************************************
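
Added example, not part of the digest and not any vendor's code: the Quandary description quoted in the "Re: QUANDARY virus (PC)" message says the original floppy boot sector is kept at head=1, sector=15 on track 0, "at the very end of the root directory". The sketch below converts that CHS address to a sector index on a standard 1.44MB image, confirms from the BIOS Parameter Block that it is the last root-directory sector, and flags an image whose slot holds something shaped like a boot sector; the function names, the heuristic and both sample images are constructed for illustration.

```python
import struct

SECTOR = 512
# Standard 1.44MB floppy geometry: the description says only these are infected.
HEADS, SPT, TOTAL = 2, 18, 2880
BPB_KEYS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
            "root_entries", "total_sectors", "media", "sectors_per_fat",
            "sectors_per_track", "heads")

def chs_to_lba(cyl, head, sector, heads=HEADS, spt=SPT):
    """Map cylinder/head/sector (sector is 1-based) to a linear sector index."""
    if not (0 <= head < heads and 1 <= sector <= spt):
        raise ValueError("CHS address outside the drive geometry")
    return (cyl * heads + head) * spt + (sector - 1)

def read_sector(image, lba):
    data = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(data) != SECTOR:
        raise ValueError("image ends before sector %d" % lba)
    return data

def parse_bpb(boot):
    """Decode the FAT BIOS Parameter Block stored at offset 11 of a boot sector."""
    return dict(zip(BPB_KEYS, struct.unpack_from("<HBHBHHBHHH", boot, 11)))

def root_dir_span(bpb):
    """Return (first, last) sector index of the root directory, or None if unusable."""
    bps = bpb["bytes_per_sector"]
    if bps == 0:
        return None
    first = bpb["reserved"] + bpb["fats"] * bpb["sectors_per_fat"]
    count = (bpb["root_entries"] * 32 + bps - 1) // bps  # 32-byte entries, rounded up
    return first, first + count - 1

def looks_like_boot_sector(sec):
    """Heuristic (assumption of this example): 0x55AA marker plus a jump in byte 0.
    A real directory sector cannot end in 55 AA on a floppy, since those bytes
    are the top half of the last entry's file size."""
    return sec[510:512] == b"\x55\xaa" and sec[0] in (0xEB, 0xE9)

def check_floppy(image):
    """Inspect the slot named in the description: track 0, head 1, sector 15."""
    lba = chs_to_lba(0, 1, 15)
    slot = read_sector(image, lba)
    report = {"slot_lba": lba, "boot_sector_in_slot": looks_like_boot_sector(slot),
              "slot_is_last_root_sector": False}
    if report["boot_sector_in_slot"]:
        span = root_dir_span(parse_bpb(slot))
        report["slot_is_last_root_sector"] = span is not None and span[1] == lba
    return report

def make_boot_sector():
    """Constructed, harmless FAT12 boot sector for a 1.44MB floppy (no real code)."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:11] = b"CONSTRUC"
    struct.pack_into("<HBHBHHBHHH", sec, 11, 512, 1, 1, 2, 224, TOTAL, 0xF0, 9, SPT, HEADS)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def make_image(stash_copy):
    """Constructed blank image; optionally mimic only the layout described above."""
    img = bytearray(TOTAL * SECTOR)
    img[0:SECTOR] = make_boot_sector()
    if stash_copy:
        lba = chs_to_lba(0, 1, 15)
        img[lba * SECTOR:(lba + 1) * SECTOR] = make_boot_sector()
    return bytes(img)

if __name__ == "__main__":
    print("clean image :", check_floppy(make_image(False)))
    print("stash layout:", check_floppy(make_image(True)))
```

A hit is a reason to examine the diskette with a scanner booted from clean media, not an identification of Quandary; the sector found in the slot is also the candidate for restoring the original boot sector.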