-----BEGIN PGP SIGNED MESSAGE-----

                            The Scanner

     Welcome to "The Scanner".  The Scanner is a publication to alert the
general public to viruses, trojans and hacked programs.  It will attempt to
give accurate alerts of the programs involved and, where possible, remedies
if infection has occurred.  I am going to try and make this a bi-monthly
publication.  I guess response to this will determine if there will be a
second issue ! :-)
       Any and all constructive criticism and suggestions are welcomed
and encouraged.  Send all responses to howard.wood@flagship.bbs.net or
UMWC45A@prodigy.com.  My PGP public key is available upon request.
Send any files you suspect of viral infection or know to have viral
infections, hacks or suspect files to the same addresses.  Please include
the name of the program the file was discovered in and your name and
address so the alert notices can be a little more accurate than
"there is a virus out there!!".

                                    Woody
____________________________________________________________________________

                          GOLD BUG

        Some time in mid October Gold-Bug hit the Gulf Coast of Mississippi.
This is one nasty little virus.  Here is the "gouge":

DISCLAIMER: The source of the following data sheet is unknown.  However,
after running some tests it appears to be accurate.
     
     
Virus Name:  GOLD-BUG
Aliases:     AU, GOLD, GOLD-FEVER, GOLD-MINE
V Status:    New, Research
Discovery:   September, 1993
Symptoms:    CMOS checksum failure; Creates files with no extension;
             Modem answers on 7th ring; BSC but it is hidden; Most
             virus scanners fail to run or are Deleted; CHKLIST.???
             files deleted.
Origin:      USA
Eff Length:  1,024 Bytes
Type Code:   SBERaRbReX - Spawning Color Video Resident and
             Extended HMA Memory Resident Boot-Sector and Master-Sector
             Infector
Detection Method:      None
Removal Instructions:  See Below
     
General Comments:
     
     GOLD-BUG is a memory-resident multipartite polymorphic stealthing
boot-sector spawning anti-antivirus virus that works with DOS 5 and
DOS 6 in the HIMEM.SYS memory.  When an .EXE program infected
with the GOLD-BUG virus is run, it determines if it is running on an
80186 or better; if not, it will terminate and not install.  If it is on an
80186 or better it will copy itself to the partition table of the hard disk
and remain resident in memory in the HMA (High Memory Area), but only
if the HMA is available, i.e. DOS=HIGH in the CONFIG.SYS file; otherwise no
infection will occur.  The old partition table is moved to sector 14 and the
remainder of the virus code is copied to sector 13.  The virus then
executes the spawned associated file if present.  INT 13 and INT 2F are
hooked at this time but not INT 21.  The spawning feature of this
virus is not active at this stage.
    
     When the computer is rebooted, the virus goes memory resident in the
color video memory.  Also at this time the GOLD-BUG virus removes
itself from the partition table and restores the old one.  Unlike other
boot-sector infectors, it does not use the top of memory to store the
code, so CHKDSK does not show a decrease in available memory.  At this
time it only hooks INT 10 and monitors when the HMA becomes
available.  Once DOS moves into the HMA, GOLD-BUG moves
into the HMA at address FFFF:FB00 to FFFF:FFFF.  If the HMA never
becomes available, i.e. DOS is loaded LOW or the F5 key is hit in DOS 6 to
bypass the CONFIG.SYS, then the virus clears itself from system
memory when the computer changes into graphics mode.  If it moves to
the HMA, it hooks INT 13, INT 21 and INT 2F and then rewrites itself
back to the partition table.  The GOLD-BUG virus also has some code
that stays resident in the interrupt vector table to always make the HMA
available to the virus.  The full features of the virus are now active.

     The GOLD-BUG virus will infect the boot sector of 1.2M
diskettes.  The virus copies itself to the boot sector of the diskette,
moves a copy of the boot sector to sector 28, and copies the remainder of the
code to sector 27.  These are the last 2 sectors of the 1.2M disk
root directory.  If there are file entries on sector 27 or 28 it will not
overwrite them with the virus code.  It will infect 1.2M disks in drive A:
or B:.  If a clean boot disk is booted from drive A: and you try to access C:
you will get an invalid drive specification.
    
     The boot-sector infection is somewhat unusual.  If the computer is
booted with a disk that contains the GOLD-BUG virus, it will remain in
video memory until the HMA is available and then infect the hard disk.
Also at this time, it will remove itself from the 1.2M disk.  The virus will
never infect this disk again.  This makes tracking where you got the virus
from difficult, in that your original infected disk is not infected anymore.

     If an .EXE file less than 64K and greater than 1.5K is executed,
GOLD-BUG will randomly decide to spawn a copy of it.  The .EXE file
is renamed to the same file name with no extension, i.e. CHKDSK.EXE
becomes CHKDSK.  The original file's attributes are then changed to
SYSTEM.  An .EXE file with the same name is created.  This .EXE file
has the same length, file date and attributes as the original .EXE file.
This spawning process will not make a copy on a diskette, because it might be
write protected and the virus would be detected; but it will make a spawn .EXE
file on a network drive.  When a spawned file is created, CHKLIST.??? in the
current directory is also deleted.  The .EXE file that is created is actually
a .COM file; it has no .EXE header.  The GOLD-BUG virus is very
specific as to what type of .EXE files it will spawn copies of.  It will not
spawn any Windows .EXE files or any other .EXE files that use the new
extended .EXE header, except those that use the PKLITE extended .EXE
header.  This way all Windows programs will continue to run and the
virus will still be undetected.
    
     The GOLD-BUG virus is also polymorphic.  Each .EXE file it
creates has only 2 bytes that remain constant.  It can mutate into 128
different decryption patterns.  It uses a double decryption technique that
involves INT 3, which makes it very difficult to decrypt using a debugger.
The assembly code allowed for 512 different front-end decryptors.  Each
of these can mutate 128 different ways.

     The GOLD-BUG virus incorporates an extensive stealthing
technique.  Any time the hard disk partition table or boot sector of an
infected diskette is examined, the saved copy of the partition table or boot
sector is returned.  If a spawned .EXE file is opened to be read or
executed, the GOLD-BUG virus will redirect to the original file.
Windows 3.1 will detect a resident boot-sector virus if "Use 32 Bit
Access" is enabled on the "Virtual Memory" option.  GOLD-BUG will
disconnect itself from the INT 13 chain when Windows installs and
reconnect when Windows uninstalls to avoid being detected.  When
Windows starts, the GOLD-BUG virus will copy the original hard disk
partition table back.  When Windows ends, the GOLD-BUG virus will
reinfect the partition table.

     The GOLD-BUG virus also has an extensive anti-antivirus
routine.  It can install itself with programs like VSAFE.COM and
DISKMON.EXE resident, which monitor changes to the computer that are
common for viruses.  It writes to the disk using the original BIOS INT 13
and not the INT 13 chain that these types of programs have hooked into.
It hooks into the bottom of the interrupt chain rather than changing and
hooking interrupts, very similar to the tunneling technique.  If the
GOLD-BUG virus is resident in memory, any attempt to run most virus
scanners will be aborted.  GOLD-BUG stops any large .EXE file
(greater than 64K) whose name ends in the two letters "AN" to "AZ".  It will
stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE,
MSAV.EXE, TNTAV.EXE, etc., etc.  The SCAN program will either be
deleted or an execution error will be returned.  Also, GOLD-BUG will cause a
CMOS checksum failure to happen the next time the system boots.
GOLD-BUG also erases the "CHKLIST.???" files created by CPAV.EXE and
MSAV.EXE.  Programs that do an internal checksum on themselves will
not detect any changes.  The Thunder Byte Antivirus programs contain a
partition table program that claims it can detect all partition table
viruses.  GOLD-BUG rides right through the ThunderByte partition virus
checker.

     The GOLD-BUG virus detects a modem.  If you receive an
incoming call on the modem line, GOLD-BUG will output a string that
sets the modem to answer on the seventh ring.
     
     If a program tries to erase the infected .EXE file, the original
program and not the infected .EXE file is erased.

     The text strings "AU", "1O7=0SLMTA", and "CHKLIST????"
appear in the decrypted code.  The virus gets its name from "AU", the
chemical symbol of the element gold.  The text string "CHKLIST????" is actually
executable code.
     
     The GOLD-BUG virus has two companion viruses that it works with. 
The DA'BOYS virus is also a boot-sector infector.  It is possible to have
a diskette with two boot-sector viruses.  GOLD-BUG hides the presence
of the DA'BOYS virus from the Windows 3.1 startup routine.
GOLD-BUG removes the DA'BOYS virus from the INT 13 chain at the
start of  Windows and restores it when Windows ends.  The GOLD-BUG
virus works with the XYZ virus; it reserves the space FFFF:F900 to
FFFF:FAFF in the HMA for the XYZ virus so it can load as well.

     To remove the GOLD-BUG virus, change DOS=HIGH to
DOS=LOW in the CONFIG.SYS, then reboot.  Once the system comes
up again, reboot from a clean boot disk.  The virus has now removed
itself from the partition table and memory.  With the ATTRIB command
check for files with the SYSTEM bit set that don't have any extension.
Delete the .EXE file associated with each such SYSTEM file.  Using ATTRIB
remove the SYSTEM attribute.  Rename the file with no extension to an
.EXE file.  Format each diskette or run SYS to remove the virus from the
boot sector of each 1.2M disk.  Any spawned .EXE files copied to
diskette need to be deleted.

     Several variations of this virus can exist.  The assembly code
allowed for 14 features to be turned on or off: Delete Scanners, Check
for 8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading
Stealth, Same File Date, Double Decryption, Execute Spawned, Modem
Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M
Diskette Infection.  Some of these features can be disabled and more
code added to change the characteristics of this virus.
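The spawning and removal sections above describe a pattern a defender can check for by hand with DIR /AS: a file with no extension and the SYSTEM bit, beside a same-named .EXE of equal length that has no EXE header.  The following script is an added example that automates that triage; it is not part of the data sheet, and the directory listing in it is constructed for the example (the file sizes and the spawned files' leading bytes are made up).

```python
"""Triage a DOS directory listing for GOLD-BUG style spawn (companion) pairs.

Indicators taken from the data sheet: the real PROG.EXE is renamed to PROG
(no extension) and marked SYSTEM, and a new PROG.EXE of the same length is
written that is really a .COM image, so it lacks the "MZ" signature that a
genuine .EXE header starts with.
"""
import os
from dataclasses import dataclass
from typing import Optional

MZ = b"MZ"
FILE_ATTRIBUTE_SYSTEM = 0x04   # DOS/Windows SYSTEM attribute bit


@dataclass
class Entry:
    name: str               # as listed by DIR, e.g. "CHKDSK.EXE"
    size: int               # length in bytes
    system: Optional[bool]  # SYSTEM attribute set; None = could not be read
    head: bytes             # first two bytes of the file


def is_spawn_pair(original: Entry, exe: Entry) -> bool:
    """True when `exe` looks like a spawned companion of `original`."""
    return (original.system is not False    # SYSTEM set, or unknown on this OS
            and original.head == MZ         # the hidden twin is the real .EXE
            and exe.head != MZ              # the visible .EXE has no EXE header
            and exe.size == original.size)  # same length, as the data sheet says


def find_spawn_pairs(entries):
    """Return sorted [(original_name, spawned_exe_name), ...]."""
    by_name = {e.name.upper(): e for e in entries}
    hits = []
    for name, exe in by_name.items():
        stem, dot, ext = name.rpartition(".")
        if not dot or ext != "EXE":
            continue
        twin = by_name.get(stem)            # same name, no extension
        if twin is not None and is_spawn_pair(twin, exe):
            hits.append((twin.name, exe.name))
    return sorted(hits)


def remediation(pairs):
    """The data sheet's removal steps as DOS commands, one pair at a time."""
    cmds = []
    for orig, exe in pairs:
        cmds += [f"DEL {exe}", f"ATTRIB -S {orig}", f"REN {orig} {exe}"]
    return cmds


def entry_from_path(path):
    """Build an Entry from a real file (SYSTEM bit readable on Windows only)."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    system = None if attrs is None else bool(attrs & FILE_ATTRIBUTE_SYSTEM)
    with open(path, "rb") as f:
        head = f.read(2)
    return Entry(os.path.basename(path), st.st_size, system, head)


def scan_directory(directory):
    """Apply the pair check to every plain file in one directory."""
    paths = [os.path.join(directory, n) for n in os.listdir(directory)]
    return find_spawn_pairs([entry_from_path(p) for p in paths if os.path.isfile(p)])


# Constructed listing modelled on the DOS directory in the test report below.
SAMPLE_LISTING = [
    Entry("CHKDSK", 16200, True, b"MZ"),             # real file, hidden by SYSTEM
    Entry("CHKDSK.EXE", 16200, False, b"\xeb\x1c"),  # spawn: .COM image, no header
    Entry("DEBUG", 20634, True, b"MZ"),
    Entry("DEBUG.EXE", 20634, False, b"\xe9\x00"),
    Entry("FORMAT", 600, False, b"@e"),              # plain text file, not SYSTEM
    Entry("FORMAT.EXE", 22717, False, b"MZ"),        # genuine .EXE: not flagged
    Entry("COMMAND.COM", 47845, False, b"\xe9\x00"), # .COM files are ignored
    Entry("WIN.EXE", 4976, False, b"MZ"),            # no twin: not flagged
]

if __name__ == "__main__":
    pairs = find_spawn_pairs(SAMPLE_LISTING)
    for orig, exe in pairs:
        print(f"spawn pair: {exe} shadows {orig}")
    print("\n".join(remediation(pairs)))
```

On systems that cannot report the SYSTEM bit the check falls back to the header and length comparison alone, which is weaker; treat such hits as leads to confirm, not as proof.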
     

-----------------------------------------------------------------------------




                  Results of Gold-Bug scanning and removal.
                          By: Howard Wood

          The Gold-Bug virus hit the Mississippi Gulf Coast about mid
October 1994.  Thanks to Joe Barbara, I was able to obtain a copy of
the "guilty" file and I have since sent a copy of it to the AV community.
I ran a few AV programs against the virus and here are the results:

     All of my work on viruses is done on a Maxtar 286T, 33 MHz, 40 Meg
( MLM ) hard drive under DOS 5.0.

     Upon initiating GOLD-BUG I did a cold boot to introduce the bug
to the system.  DOS=HIGH was set in my config.sys.  This virus will
not infect until the program is run.  When the virus is initiated it looks
for room in the HIMEM.SYS.  As long as DOS=HIGH is set in your
config.sys this virus will work.  I proceeded to infect DEBUG.EXE and
CHKDSK.EXE.  (NOTE: In order for CHKDSK to be infected the /F
switch has to be activated.  Using CHKDSK without the /F switch set did
not infect the file.)  I went into the HMA (High Memory Area) at address
FFFF:FB00 and did a memory dump to confirm that GOLD-BUG was in
fact there.  I found the following strings: "AU", "CHKLST????", and
"107=OSLMTA".  This was confirmation that it was present.  (SEE
Gold-Bug data sheet.)

     At that time I was using VSHIELD 212E, SCAN 212E and F-PROT 2.14.

     SCAN 212E:  Did not recognize the fact that the Boot Sector had been
     infected or that the virus was in memory.  The message it gave after
     scanning was:
     
     File(s)
          Analyzed: ................   88
          Scanned: .................   66
          Possibly Infected: .......    0
     Master Boot Record(s): ........    1
          Possibly Infected: .......    0
     Boot Sector(s): ...............    1
          Possibly Infected: ......    0
     NON-CRITICAL ERROR(s) .........    1
     
          The NON-CRITICAL ERROR(s) was at least an indication that
something was wrong.  Gold-Bug will stop any files larger than 64 with the
last letters of "AN" to "AZ".  SCAN.EXE is 167884K bytes so it definitely
falls into this category.  I believe this is what happened and as a result
SCAN at least told me there was a NON-CRITICAL ERROR.

     F-PROT 214:  Caught the virus in memory immediately.  I ran F-PROT
     with the /NOMEM switch again to see if it would find anything else.
     It picked up on the Boot sector infection immediately.
                    Identified it as GOLDBUG(?) - UNKNOWN
                    ( I did not use the Heuristics )

     VSHIELD 212E:  Wouldn't let the initial infection take place.
     It immediately stopped the infected program from
     infecting the system.  Identified it as DA' BOYS virus.
     
          After the initial reboot I re-booted once again.  This time:

     SCAN 212E:  Came up with the following:

     File(s)
          Analyzed: ................    0
          Scanned: .................    0
          Possibly Infected: .......    0
     Master Boot Record(s): ........    1
          Possibly Infected: .......    0
     Boot Sector(s): ...............    1
          Possibly Infected: ......    0
     NON-CRITICAL ERROR(s) .........    1
     
     
     F-PROT 214: Displayed "Invalid drive in search path".  The F-PROT
     program loaded up and I told it to scan anyway.  It displayed:
     
           "Master Boot Sector infection:  GoldBug - unknown"
                                        
                    "ERROR : No hard disk found"
     
          I then took a clean boot disk and cold booted again to see if I
could get into the hard disk that way.  No go, it told me there was an invalid
drive specification.  So, as far as any of the programs and the boot disk
were concerned there was no hard drive.  I then cold booted the system again
and let the computer take its natural course.  Results?  The system came up
and ran as if nothing was wrong.  The virus contains 14 switches that can be
either turned on or off.  One of the switches is CMOS_BOMB.  I believe this
was the case at this point.

     Once the system came up again I went into my config.sys and made
DOS=HIGH into DOS=LOW. Then re-booted the system again and went
back up to HMA to look for the virus.  It wasn't there.  I then scanned the
hard disk with the scanners and here are the results: 
     
     SCAN 212E: Came up with:
     
     File(s)
          Analyzed: ................  135
          Scanned: .................   95
          Possibly Infected: .......    1
     Master Boot Record(s): ........    1
          Possibly Infected: .......    0
     Boot Sector(s): ...............    1
          Possibly Infected:........    0
     
          SCAN 212E did not find CHKDSK.EXE or DEBUG.EXE to be
infected.  HOWEVER, it did find GOLD-BUG.COM to be infected with the
DA' BOYS virus.  ( This is one of the accompanying viruses that
works with GoldBug.  SEE Gold-Bug data sheet.)
     
          F-PROT 214: Identified the following:
     
          Scanning MBR of hard disk: 1
          Scanning Boot Sector: C
          Scanning Volume MS_DOS_5 ( this is the label of my HD )
          C:\DOS\DEBUG.EXE         Infections: GoldBug(?)
          C:\DOS\CHKDSK.EXE        Infections: GoldBug(?)
          C:\LAB\GOLD-BUG.COM      Infections: GoldBug(?)
          
          At this point I knew I had rid my system of the virus; now all I
had to do was get the files taken care of.  Looking at the DOS directory with
the DIR command showed all the files to be in place.  BUT, using the DIR
command with the /AS attribute switch revealed that there were two files there
without extensions.  These two files were DEBUG and CHKDSK.

     Now, if you read the data on this virus you would know that these
are the real files with the SYSTEM attribute added to them, and the
DEBUG.EXE and CHKDSK.EXE files are actually .COM files that have
no .EXE headers.  So, I deleted the CHKDSK.EXE file and the
DEBUG.EXE file.  Then I turned off the SYSTEM attribute on the files
with ATTRIB -S CHKDSK and ATTRIB -S DEBUG.  After the files
showed up in the directory I renamed them with the .EXE extension on
them.  I then deleted GOLD-BUG.COM.  All systems go again.  Up and
running and looking forward to more work. :-)

At the time of writing this issue I am working with I_M231b and  
TBAV625.  
     
-----------------------------------------------------------------------------
     
                              ROB SLADE

     Rob Slade is a data communications and security specialist from
Vancouver, British Columbia, Canada.  His first love is teaching, and he
got into computers because of an interest in what they could do in
improving the education process in the public school system.  He still
has links with the education system in BC with both grade school and
the college system, and writes and speaks for the computer educators in
the province.

     His research into computer viral programs started when they
first appeared as a major problem "in the wild".  Acting initially as the
unofficial archivist for the budding research community, he has since
become known for "Mr. Slade's lists" of antiviral software vendors,
antiviral reviews, antiviral BBSes and virus books.  One of the working
group for the VIRUS-L FAQ, he is best known for a series of review
and tutorial articles which have recently been published as "Robert
Slade's Guide to Computer Viruses" (and that was *not* his idea for a
title--blame Springer-Verlag).

     He is more widely known for his series of daily technical book
reviews which appear on appropriate newsgroups and mailing lists,
including alt.books.reviews, rec.arts.books.reviews, the
*.books.technical  groups and topics related to the individual titles.

     He fondly remembers a distant time when he had time for sailing,
photography, folk music, camping and involvement with non-computer
related volunteer groups.  At present, he makes every available effort to
spend time teaching operating systems to his new grandson.  He is
married to the world's best executive secretary.


======================
DECUS Canada Communications, Desktop, Education and Security
group newsletters Editor and/or reviewer ROBERTS@decus.ca,
RSlade@sfu.ca, Rob Slade at 1:153/733 Author "Robert Slade's Guide
to Computer Viruses" 0-387-94311-0/3-540-94311-0 (contact
1-800-SPRINGER in the US and Canada, ertel@springer.de in Europe)


-----------------------------------------------------------------------------

        Rob was kind enough to contribute to "The Scanner".  The
following is a reprint of one of his many posts on the Internet,
FidoNet and other networks.



                     Boot Sector Infectors
                                                                 
     Having dealt with some non-viral terminology, let us cover some
viral related terms that may be unfamiliar.

     Most people think of viral programs in the terms of Fred Cohen's 
definition.  That is, a virus is a program which always "attaches" to
another program.  This has given rise to a great many misconceptions
about some of the most common viral programs, boot sector infectors.

     Boot sector infecting viral programs, often referred to as "BSI"s,
*do*, in a sense, attach to another program.  Most people are unaware
of the fact that there is a "program" on every disk, even those which are
"blank".  Every formatted disk has a "boot sector", specified, not by a
file name, but simply by its location as the first physical (or logical, in
the case of hard drives) sector. When the computer is "booted", the
ROM programming looks for a disk, then "runs" whatever happens to
be in that sector as a program.

     In most cases, with non-bootable disks, the "program" that is
there simply prints a message reminding the user that the disk is
non-bootable.  The important thing, however, is that regardless of how
small the actual program may be, the computer "expects" there to be a
program in the boot, and will run anything that happens to be there.
Therefore, any viral program that places itself in that "boot sector"
position on the disk will be the first thing to run, other than ROM
programming, when the computer starts up.  BSIs will copy themselves
onto floppy disks, and transfer to a new computer when the "target"
machine is (usually inadvertently) booted with the infected floppy in the
A: drive.

     The physical "first sector" on a hard drive is not the boot sector.
On a hard drive the boot sector is the first "logical sector".  The number
one position on a hard drive is the master boot record or MBR.  (This
name gets slightly confused by the fact that the MBR contains the
partition table; the data specifying the type of hard disk and the
partitioning information.  "Master boot record", "partition table" and
"partition boot record" are often used interchangeably, although they are
not identical entities.)  Some viral programs, such as the Stoned virus,
always attack the physical first sector: the boot sector on floppy disks
and the master boot record on hard disks.  Thus viri that always attack
the boot sector might be termed "pure" BSIs, whereas programs like
Stoned might be referred to as an "MBR type" of BSI.
                                                               
                               ROB SLADE
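Rob's distinction above, that a hard disk's first physical sector is the master boot record holding the partition table while a floppy's first sector is the volume boot record itself, can be checked by decoding the 512 bytes.  The script below is an added example, not part of Rob's post; the two sample sectors are constructed here rather than read from real disks, and the offsets used (partition table at 446, boot signature at 510, FAT BIOS parameter block at 11) are the standard PC/DOS layout.

```python
"""Tell a master boot record from a volume boot record in a 512-byte sector."""
import struct

SECTOR = 512
PT_OFFSET = 446                     # four 16-byte partition entries
SIG_OFFSET = 510                    # bytes 55 AA close every bootable sector
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA, count


def has_boot_signature(sector: bytes) -> bool:
    return (len(sector) == SECTOR
            and struct.unpack_from("<H", sector, SIG_OFFSET)[0] == 0xAA55)


def partition_table(sector: bytes):
    """Decode the four partition slots; empty slots are skipped."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, PT_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append({"slot": i, "active": status == 0x80,
                      "type": ptype, "lba": lba, "sectors": count})
    return parts


def looks_like_vbr(sector: bytes) -> bool:
    """A DOS volume boot record opens with a JMP, an OEM name and a BPB."""
    if sector[0] not in (0xEB, 0xE9):
        return False
    oem = sector[3:11]
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    return (all(32 <= b < 127 for b in oem)
            and bytes_per_sector in (512, 1024, 2048, 4096))


def looks_like_mbr(sector: bytes) -> bool:
    """Sane partition table: statuses 0x00/0x80, at most one active, ascending LBAs."""
    parts = partition_table(sector)
    if not parts:
        return False
    statuses_ok = all(sector[PT_OFFSET + 16 * i] in (0x00, 0x80) for i in range(4))
    one_active = sum(p["active"] for p in parts) <= 1
    starts = [p["lba"] for p in parts]
    return statuses_ok and one_active and all(s > 0 for s in starts) and starts == sorted(starts)


def classify(sector: bytes) -> str:
    """'not bootable', 'vbr', 'mbr' or 'unknown' for a disk's first sector."""
    if not has_boot_signature(sector):
        return "not bootable"
    if looks_like_vbr(sector):      # structural BPB check first: boot code in an
        return "vbr"                # MBR's partition-table area would be nonsense
    if looks_like_mbr(sector):
        return "mbr"
    return "unknown"


def make_mbr(partitions):
    """Build a sector holding the given (active, type, lba, count) entries, no code."""
    sector = bytearray(SECTOR)
    for i, (active, ptype, lba, count) in enumerate(partitions):
        ENTRY.pack_into(sector, PT_OFFSET + 16 * i, 0x80 if active else 0,
                        b"\0\0\0", ptype, b"\0\0\0", lba, count)
    struct.pack_into("<H", sector, SIG_OFFSET, 0xAA55)
    return bytes(sector)


def make_fat_vbr(oem=b"MSDOS5.0"):
    """Build a minimal FAT boot sector: JMP, OEM name, 512-byte sectors, signature."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x3c\x90"
    sector[3:11] = oem.ljust(8)
    struct.pack_into("<H", sector, 11, 512)
    struct.pack_into("<H", sector, SIG_OFFSET, 0xAA55)
    return bytes(sector)


# Constructed samples: a single FAT16 partition on a small hard disk, and a floppy.
SAMPLE_MBR = make_mbr([(True, 0x06, 63, 81_000)])
SAMPLE_VBR = make_fat_vbr()

if __name__ == "__main__":
    for label, s in (("hard disk sector 0", SAMPLE_MBR), ("floppy sector 0", SAMPLE_VBR)):
        print(label, "->", classify(s), partition_table(s))
```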

-----------------------------------------------------------------------------
                                                                            


       Rob sent me several book reviews.  The Internet is becoming bigger
every day.  It is the meeting place of the AV community and those that have
problems and are looking for answers in reference to viruses, trojans and hacks.
So, for the "newbies" I thought the following would be helpful in finding
the proper tools to get onto and enjoy as well as prosper from the INTERNET.
Yours truly is a "newbie" and needs all the help he can get as well. :-)
        For the record, after reading the review on Paul Gilster's book
"The Internet Navigator" I went to the Mall and purchased it.  I made a wise
investment.  Here's Rob's review of that very book and a few others.

                                                                                         

-----------------------------------------------------------------------------


The following were reprinted with the permission of Mr. Slade.


                            BOOK REVIEWS
                            ------------

BKINTNAV.RVW  940211

John Wiley & Sons, Inc.
22 Worchester Road
Rexdale, Ontario
M9W 9Z9
800-263-1590
or
605 Third Avenue
New York, NY   10158-0012
USA
800-263-1590
212-850-6630
Fax: 212-850-6799
jdemarra@wiley.com
aponnamm@jwiley.com
"The Internet Navigator", Gilster, 1993, 0-471-59782-1
73537.656@compuserve.com gilster@rock.concert.net pag@world.std.com

This book is an embarrassment to me.  I *think* that it's very good--but I
am at a bit of a loss as to why.

By and large, this is an Internet guide like other Internet guides.  A bit
of an introduction and some history, then coverage of the major applications
(email, ftp, telnet) and the more esoteric ones (gopher, WAIS, World Wide
Web).  Right from the front cover, though, Gilster avoids the "whole
Internet" bias of so many guides and aligns himself with the dial-up user. 
There is, in fact, a whole chapter devoted to the use of email to access
Internet resources; particularly useful to those on commercial online
services, business "mail only" connections or Fidonet.

It is, of course, very much easier to point out the flaws.  Although
Gilster explains "why UNIX," there is a heavy emphasis on the specific
commands of mail, trn, elm and other UNIX specific programs.  (In the
chapter on email access to resources, Gilster switches to Compuserve: 
oddly appropriate, but no less limited.)  While the explanation of
LISTSERV is complete and helpful, the sin of sending administrative
messages to the list, rather than the LISTSERV, is not emphasized. 
Even in the opinion chapter, a discussion of the future of the newspaper
lauds Clarinet for providing syndicated material, apparently unaware
that Clarinet is strictly a reseller, and is providing for no development of
editorial content.

In spite of minor shortcomings, however, this book has a very
comfortable feel to it.  The material is clear and well-written, with little
attempt at the sarcasm or barbed wit of some other beginner materials. 
One positive factor may be the grouping of functional items together, so
that archie, for example, is covered in the chapter on ftp.  There is only
one icon; a very helpful little ship which points out Internet accessible
resources for the item under discussion.

The resource guides included are not extravagantly large, and are of
variable quality.  The directory of Internet resources is very useful for
the beginner: not exhaustive, but of high quality in terms of what *is*
covered.  The bibliography is more exhaustive than useful, with Gibson's
fictional "Neuromancer" next to Quarterman's quite technical, "The
Matrix."

Overall, I highly recommend this for the beginner to the Internet.

copyright Robert M. Slade, 1994   BKINTNAV.RVW  940211
 

-----------------------------------------------------------------------------

BKFNDINT.RVW  940902

"Finding It On The Internet", Gilster, 1994, 0-471-03857-1, U$19.95
gilster@interpath.net
%A   Paul Gilster
%C   605 Third Avenue, New York, NY   10158-0012
%D   1994
%G   0-471-03857-1
%I   John Wiley & Sons, Inc.
%O   U$19.95
%P   288
%T   "Finding It On The Internet"
22 Worchester Road
Rexdale, Ontario
M9W 9Z9
800-263-1590
800-567-4797
fax: 800-565-6802
or
800-CALL-WILEY
212-850-6630
Fax: 212-850-6799
Fax: 908-302-2300
jdemarra@jwiley.com
aponnamm@jwiley.com

Among the larger resource-oriented guides to the Internet, I hold Gilster's
"The Internet Navigator" (BKINTNAV.RVW) to be best overall:  clear, balanced
and mature.  (Not to be confused with "Navigating the Internet" by Gibbs and
Smith, BKNAVINT.RVW.)  Gilster has now affirmed his preeminent position on
the Internet Bookshelf with this second work.

Search tools are perhaps the most valuable of all computing
applications. Paradoxically, they are precisely the applications that
people have trouble learning and effectively using.  This work
concentrates on these vital aids.  It could be seen as a superior form of
documentation for archie, Gopher, veronica, WAIS, World Wide Web,
HYTELNET, WHOIS, netfind and other programs.  Gilster has,
however, added cogent editorial comments, such as the times you might
actually prefer an email search of archie or WAIS, or the best strategies
to use for veronica queries.

Gilster's approach is realistic, based upon the proportion of users with
different types of access.  Telnet, rather than direct connection, is the
major access route, and email servers are noted for all applications
except two.  (The WWW's mail server at CERN is not mentioned.  I do
not know of any HYTELNET mail server.)  His enthusiastic advocacy
of Gopher and WWW is not allowed to get in the way of a fair
presentation, and the weaknesses of the various tools are considered
briefly towards the end of the book.  That this fails to consider some of
the bandwidth issues is perhaps the only failing in the work.

This book should be at the desk-side of every serious Internet user.  For
trainers and resource people it is essential.  Threaten your local
bookseller with grievous bodily harm if they refuse to stock it.

copyright Robert M. Slade, 1994   BKFNDINT.RVW  940902
 

-----------------------------------------------------------------------------

BKZENINT.RVW  940326

Prentice-Hall, Inc.
113 Sylvan Avenue
Englewood Cliffs, NJ   07632
(515) 284-6751
FAX (515) 284-2607
or
11711 N. College Ave.
Carmel, IN   46032-9903
or
201 W. 103rd Street
Indianapolis, IN   46290
or
15 Columbus Circle
New York, NY   10023
800-428-5331
or
Market Cross House
Cooper Street
Chichester, West Sussex PO19 1EB
England
phyllis@prenhall.com - Phyllis Eve Bregman
Beth Mullen-Hespe beth_hespe@prenhall.com
Pat Carol 317-581-3743
"Zen and the Art of the Internet", Kehoe, 1994, 0-13-083033-X
brendan@zen.org

Kehoe starts out by quoting E.B. White's exhortation to students of
English usage from "The Elements of Style" with, "Get the *little*
book!  Get the *little* book!  Get the *little* book!"  Sound advice.  It
applies equally to those just starting out on the Internet.  "Zen" is a mere
pocketbook in comparison to some of the other telephone
directory-sized guides, but a pocket guide is usually what is needed. 
Kehoe has done a marvelous job of presenting the essentials, plus a few
interesting tidbits, while holding off from reproducing reams of
resources from those already available on the net, itself.


"Zen" is, itself, one of the very widely known and highly regarded
resources on the net.  It was also the first introductory guide to the
Internet published in popular book form.  Therefore, I am rather
shocked to note that this third edition, copyright 1994, proudly boasts
of over 50,000 copies sold.  I'd be delighted to do that well as an
author, but it indicates that the book is nowhere near as well-known in
the general populace as it deserves.

I should, having given these accolades, admit to a decided bias:  this is
my type of book.  Those who are not happy with concepts and only
wish to know what button to press may find the book frustrating.  Mail,
ftp, news, telnet and a number of other tools are covered, but Kehoe
does not reproduce, wholesale,  help screens from elm and tin.  Since
the specific programs you will use all have help features, Kehoe
evidently does not feel the need to waste paper explaining how to use a
program that you may not, indeed, need to use.  I agree, and it is
refreshing to see at least one Internet guide which gives clear
explanations of the essence of the Internet tools without having to fill
space with specifics which you will be able to get from the programs
themselves.  (In response to the first draft of this review, Kehoe stated
that Internet providers should also be providing documentation for any
system specific features.  He also mused on the bewilderment
newcomers must feel when confronted with a shelf full of 400 to 800
page guides for a system whose basics are supposedly fairly simple.)
Again I concur.

Probably for the same reason, Kehoe does not reproduce an annotated,
or even expurgated, .newsrc file or "list of lists."  Some may say that
this is a lack on the part of the book and that it is less interesting for 
not providing such a directory.  These resources are, however, readily
accessible on the net (Kehoe tells you where to find them) and cannot,
in book form, be anything more than an outdated and possibly
misleading first indicator.

There is, of course, nothing wrong with the large guides with all of their
lengthy references.  At the same time, most newcomers will want a
gentler, smaller introduction, rather than being dumped into a vat of
data.  For those to whom the sound of a few pages flipping is as music,
this is definitely your book.

copyright Robert M. Slade, 1994   BKZENINT.RVW   940326

Postscriptum: sadly, Brendan Kehoe was recently involved in a major
traffic accident.  In one of the network ironies, the flood of email
condolences to his personal mailbox had created something of a problem
for friends trying to help out.  Mid-January, however, saw a dramatic
improvement, and when I sent him the draft review he was beginning to
work on the backlog of mail.  (He responded far faster than many
authors who have no such excuse  :-)  By the time you read this it is
possible he may be back at work.  (He still has a huge backlog, though,
so don't expect any immediate answers  :-)
 

- ----------------------------------------------------------------------------------------------------------

BKINTBOK.RVW  940408

Prentice Hall
113 Sylvan Avenue
Englewood Cliffs, NJ   07632
(515) 284-6751
FAX (515) 284-2607
or
11711 N. College Ave.
Carmel, IN   46032-9903
or
201 W. 103rd Street
Indianapolis, IN   46290
or
15 Columbus Circle
New York, NY   10023
800-428-5331
or
Market Cross House
Cooper Street
Chichester, West Sussex PO19 1EB
England
phyllis@prenhall.com - Phyllis Eve Bregman is postmaster
70621.2737@CompuServe.COM Alan Apt
Beth Mullen-Hespe beth_hespe@prenhall.com
"The Internet Book:  Everything You Need to Know About Computer Networking
and How the Internet Works", Comer
dec@purdue.edu

It is difficult to find books which give some background to the Internet. 
Most guides assume that readers are either already thoroughly familiar
with computer communications, or are uninterested.  The history of the
Internet often vaguely mentions military or government projects without
giving much idea of the problems which needed solving.  Given the
growth in computer networking, a reference is needed which lies
between non-explanations ("This computer is connected to that
computer and they talk to each other.") and the TCP/IP programming
manuals.

This book fills a lot of those gaps.  After an initial introduction to the
current state of the Internet, chapters two through six give a very simple
introduction to data communications and the need therefor.  Those who
have any kind of technical background may find the explanations a
touch simplistic.  With such rapid Internet growth, however, and for
 those who need some level of explanation without getting beyond their
technical depth, this is likely to be very useful.  It's easily readable.  
(It's also accurate.)  Chapters seven to ten explain the drive for, and 
growth of, the Internet including excellent explanations of "why".  The basic
underlying concepts of the Internet protocols are covered in chapters
eleven to seventeen, before the remaining nine chapters describe the
primary application level tools of the system.

(Actually, I'm jumping the gun a bit here.  I've seen two drafts of the
book, but the final version isn't done yet.  The drafts I've seen have had
some problems, particularly in regard to repetition of material and
significant variation in reading level from one section to another.  A
section addressing the concept of bandwidth, particularly as applied to
text versus sound versus video application might also be helpful.  The
explanation of the tools of the Internet is quite reasonable, although
mailing lists get dismissed very briefly while Usenet news gets perhaps a
trifle more ink than it really deserves.  The latest version, though, shows
improvement in many of these areas, and I have great hopes for the final
work.)

The problems notwithstanding, this is an important addition to the
library of Internet references.  I heartily recommend it to those involved
in network training.  To date, the primary source material for the study
of the development of the Internet, aside from the RFCs themselves, has
been the "Internet System Handbook" (cf BKINTSYS.RVW), but it
tends to be written at a technical or academic level.  For those at the
non-technical level who are wondering what the heck the Internet is
(and one of Comer's anecdotes points out the hilarious misconceptions
that are abroad), and what it all means, this is your book.

copyright Robert M. Slade, 1994   BKINTBOK.RVW  940408 





- ---------------------------------------------------------------------------------------------------------

                      Bill Lambdin

     Bill Lambdin is an independent virus researcher out of East
Bernstadt, Ky.  He runs a great BBS called Metaverse ( 606-843-9363 ).
Bill and two fellow researchers developed a safe check program called
CHK-SAFE.  This is a program used to check the integrity of AV
software downloaded from local BBS's.  Bill posts a list each month
that gives the MD5 hash ( this is much more secure than checksums or
CRCs ) users can compare to verify their AV software.  The latest
version is CS-2.51.



     Bill can be reached at bill.lambdin@pcohio.com on the Internet.

- --------------------------------------------------------------------


     I asked Bill if he would do an article on virus detection and 
techniques.  He was kind enough to do so.

- --------------------------------------------------------------------

                        Virus detection.
 
Many ask my opinion on viruses and A-V software.
 
I recommend a three-step approach.
 
Your first level of defense should be a recent backup.
 
Your second level of defense should be a quality scanner. Scan all new 
files and diskettes that enter your system. It is better to find a virus 
before you run an infected file.
 
Your third level of defense should be a generic virus detector. Generic 
virus detection detects viruses after they have entered your system. 

Boot clean from a known clean bootable diskette, delete the infected
files, then restore those files from the backup mentioned earlier.

Scanners are fine but they have three problems.
 
1. Scanners can only detect "known" viruses.
2. A Hacker can easily modify a virus by juggling the order of
   instructions in the signature to fool most scanners.
3. Scanners become obsolete quickly because 5-7 new viruses are
   discovered every day.
 
This is why it is vital for users to use generic virus detection  software.

                           Bill Lambdin

- ----------------------------------------------------------------------------


                        Bill's Bait Shop


I posted this routine once before. I have done further testing on this
idea, and it does work, even on some stealth infectors, without the
necessity of booting clean from a bootable diskette.

I want to state up front, that this will not identify the virus, nor  help
you get rid of it. This is detection only, and should be considered  as an
enhancement to scanners, and integrity checking, and not be used  to
replace either.

This will detect most (if not all) file infectors that a scanner may  miss.

This will act as an early warning system for people that use integrity
checking software, namely by limiting the number of infected files to a
minimum.

This can detect many viruses without the need to boot clean prior to 
running the test.

If you wish to use my idea, you will need the following.
 
LHA.  I use LHA 2.13.
Archive your most commonly used files.
FC.EXE, which comes with DOS 4.0 and above.
The .BAT file below.

BAIT.BAT

@ECHO OFF
CLS
C:
CD\BAIT
REM Remove the archive from the previous run so every test starts fresh
DEL VIRUS.LZH
REM Archive the bait files; -A adds them whatever attributes are set
LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*
REM Compare the fresh archive against BAIT.LZH, the reference archive
REM made earlier; any difference in content, attributes or stamps shows
FC BAIT.LZH VIRUS.LZH
CD\

It would be a very good idea to rename the utilities and the directory,
to prevent a hacker from writing a virus that will delete or fool this
routine.

You can archive as many files as you wish, but I would recommend a
minimum of two files: one .COM file and one .EXE file. Currently I am
archiving eight files. Six are DOS programs, and two of them are Windows
programs. So I can detect either DOS or Windows viruses in one test
that takes only a few seconds on my 486. Be sure to use the asterisk for
the .EXE extension. This will make LHA add any companion infectors
that are present.

Part of that .BAT file is complex, and it is vital that it be typed  exactly
as shown. So I should explain how it works in more detail.

DEL VIRUS.LZH

This deletes the previous test to give you a clean and fresh test every 
time.

LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*

In the command line above, the first A instructs LHA to add the files
to the archive.

The second parameter -A instructs LHA to add the file regardless of
which attribute(s) are set. It works for all four attributes.
 
Hidden
System
Read only
Archive

I have been thoroughly testing this routine for weeks.

I have tested it against the following stealth viruses.

X = detected change.

Virus           Active in memory      Inactive (booted clean)
SBC                    X                        X
FRODO                  X                        X
TREMOR                                          X

My routine should have detected SBC because it is not fully stealthed, 
and it doesn't disinfect the host file when it is opened.

My routine should not have detected FRODO because it is fully
stealthed, and does disinfect the host file on the fly when it is opened for
any reason.  FRODO sets the date stamp forward 100 years.  This is how
Frodo marks the files as infected.  My routine detected the change to
the date stamp even though Frodo had disinfected the host file when
LHA archived the host file(s).

My routine is able to detect the following types of changes.

1. Change to files
2. Change of file attributes
3. Change of file time stamp
4. Change of file date stamp

I release this routine to the public domain, and anyone may use it  freely.

                             Bill Lambdin


         EDITOR'S NOTE:  This routine was originally published in 
         VOL 6 issue 100 of the Virus-L Digest and reprinted with
         permission of Bill Lambdin.
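Bill's bait-archive routine above (and the hash-based verification of
downloaded AV software mentioned in his profile) can be restated as a
small integrity checker.  The Python below is an added example written for
this reprint; it is not Bill Lambdin's code nor anything from The Scanner.
The file names BAIT1.COM etc. and their contents are constructed stand-ins
for real bait programs, and SHA-256 stands in for the MD5 named earlier
because MD5 is no longer collision resistant.  Where BAIT.BAT lets LHA
and FC catch everything implicitly, this version records the four change
classes the article lists explicitly: contents, attributes (permission
bits on a modern system), and the date/time stamp (one modification time
here).  demo() exercises one tampering of each kind plus a deleted bait
file, the Frodo-style case being a stamp change with contents untouched.

```python
"""Bait-file integrity check (added example, not from The Scanner)."""
import hashlib
import os
import shutil
import stat
import tempfile
import time

FIELDS = ("sha256", "size", "mode", "mtime")


def fingerprint(path):
    """Record everything the bait check cares about for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),            # contents
        "size": st.st_size,                 # cheap second check on contents
        "mode": stat.S_IMODE(st.st_mode),   # attribute bits
        "mtime": int(st.st_mtime),          # date and time stamp
    }


def create_baseline(paths):
    """Equivalent of building BAIT.LZH once on a known-clean system."""
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Re-fingerprint every bait file and list (path, field) changes.

    An empty list means nothing changed.  A bait file that has vanished
    (some viruses delete AV tools) is reported as (path, "missing").
    """
    changes = []
    for path, old in baseline.items():
        if not os.path.exists(path):
            changes.append((path, "missing"))
            continue
        new = fingerprint(path)
        changes.extend((path, f) for f in FIELDS if new[f] != old[f])
    return changes


def _write_bait(path, stamp):
    """Constructed stand-in for a program file with a fixed timestamp."""
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x90" * 4096)
    os.utime(path, (stamp, stamp))


def clean_run():
    """No tampering: the checker must stay silent."""
    d = tempfile.mkdtemp()
    try:
        p = os.path.join(d, "BAIT0.COM")
        _write_bait(p, time.time() - 3600)
        return check_baseline(create_baseline([p]))
    finally:
        shutil.rmtree(d, ignore_errors=True)


def demo():
    """Four bait files, one kind of tampering each; returns what was seen."""
    d = tempfile.mkdtemp()
    try:
        stamp = time.time() - 3600
        names = ["BAIT1.COM", "BAIT2.EXE", "BAIT3.COM", "BAIT4.EXE"]
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            _write_bait(p, stamp)
        baseline = create_baseline(paths)

        # 1. Appending-style change: contents, size and stamp all move.
        with open(paths[0], "ab") as f:
            f.write(b"\xeb\xfe")
        # 2. Frodo-style marking: contents untouched, only the stamp moved
        #    (Frodo shifts it 100 years; any shift is enough to be seen).
        os.utime(paths[1], (stamp + 30 * 86400, stamp + 30 * 86400))
        # 3. Attribute change only: clear the owner-write bit.
        os.chmod(paths[2], stat.S_IMODE(os.stat(paths[2]).st_mode) & ~stat.S_IWUSR)
        # 4. Bait file deleted outright.
        os.remove(paths[3])

        changed = {}
        for path, field in check_baseline(baseline):
            changed.setdefault(os.path.basename(path), []).append(field)
        return changed
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print("clean run:", clean_run())
    print("tampered run:", demo())
```

In real use the baseline would be written to removable, write-protected
media on a clean system and re-read from there, exactly as the reference
archive BAIT.LZH is kept separate from the fresh VIRUS.LZH; a baseline
stored on the same disk as the bait files is only as trustworthy as that
disk.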

- ------------------------------------------------------------------------------------------------------------

                  Infection procedures to follow

Here are my procedures for users to follow when they believe their 
computer is infected.

If you believe that you have a new or unknown virus, follow the seven 
steps below. 

a. Boot from the hard disk of the computer suspected to be infected.
b. Format a  low density diskette in A: of the infected computer.
c. Copy AUTOEXEC.BAT and CONFIG.SYS from C: to this diskette.
d. Copy all files loaded in AUTOEXEC.BAT and CONFIG.SYS to 
   this diskette.
e. Copy a few COM and EXE files to this diskette, preferably programs
   that you often execute. Their size should be 10K - 40K.
f. Run all files on this diskette twice.
g. Mail to one or more of the A-V researchers or A-V developers listed
   below.

Bangkok Security Associates             Central Point Software
Attn. Alan Dawson                       Attn. Richard W. Schwartz 
P.O. Box 5-121                     15220 N.W. Greenbrier Parkway #200
Bangkok 10330                           Beaverton, Oregon, 97006
Thailand

FRISK Software International             Bill Lambdin
Attn. Fridrik Skulason                   102 Jones LN
Postholf 7180                            P.O. Box 577
IS-127 Reykjavik                         East Bernstadt, KY 40729
Iceland                      

Leprechaun Software                       McAfee Associates
P.O. Box 669306                           Attn. Spencer Clark
Marietta, Ga. 30066-0106                  2710 Walsh Ave. - Suite 200
                                          Santa Clara, CA 95051-0963

S&S International                         Stiller Research
Attn. Dr. Alan Solomon                    Attn. Wolfgang Stiller
Berkley Court                             2625 Ridgeway St.
Mill Street                               Tallahassee, Fl. 32310
Berkhamsted                     
Hertfordshire HP4 2HB
England

Symantec                                  VDS Research
Attn. Jimmy Kuo                           Attn. Tarkan Yetiser
2500 Broadway Suite 200                   50 West Philadelphia St.
Santa Monica, CA 90404                    York, PA 17403

Data Watch Software                       Frans Veldman
Attn. Glenn Jordan                        ESaSS B.V.
P.O. Box 51489                            P.O. Box 1380
Durham, NC. 27717                         6501 BJ  Nijmegen
                                          Netherlands

Eugene Kaspersky                          Central Command
KAMI Ltd.                                 Attn. Keith Peer
109052 Nizhegorodskaya st, 29             P.O. Box 856
Moscow, Russia                            Brunswick, Oh. 44212

If you send infected files via the Internet, please encrypt the file(s)
with PGP, PKzip, or ARJ for security reasons.

Vesselin V. Bontchev        bontchev@fbihh.informatik.uni-hamburg.de
David M. Chess              chess@watson.ibm.com
Spencer Clark               sbc@netcom.com
Alan Dawson                 sysop@wov.com
Cristoph Fisher             crfisher@nyx.cs.du.edu
Mikko Hypponen              mikko.hypponen@datafellows.fi
Eugene V. Kaspersky         eugene@kamis.msk.su
Jimmy Kuo                   cjkuo@symantec.com
Bill Lambdin                bill.lambdin@pcohio.com
Michael E. Lambert          mikelambert@delphi.com
Zvi Netiv                   ila2007@datasrv.co.il
A. Padgett Patterson        padgett@tccslr.dnet.mmc.com
Keith A. Peer               kapeer@netcom.com
Yuval Rakavy                yuval@brm.co.il
Fridrik Skulason            frisk@complex.is
Dr. Alan Solomon            drsolly@ibmpcug.co.uk
Wolfgang Stiller            72571.3352@compuserve.com
Frans Veldman               veldman@esass.iaf.nl
Tarkan Yetiser              tyetiser@cyberia.com


Bill

For a PGP key, send E-Mail to bill.lambdin@pcohio.com

- -----------------------------------------------------------------------------------------------------------------
                      
                      
                      Hacks, Trojans and Viruses

        Being the first issue, I really don't have many to report. But,
with your help, the next issue can have plenty of info.  So, please, send
in your files, hacks, virus alerts and the info for them.

        The following key will be used to identify the problem or problems
of the hacked files:

                        H = Hacked
                        P = Pirated
                        T = Trojan
                        V = Virus Infected
                        X = Hoax
- -----------------------------------------------------------------------

File: PKZ305.EXE      Problem: H

Reported By:  Fido Virus_Info Conference.

         A hacked version of PKzip, and reportedly infected with the
         Proto-T virus.  Fridrik Skulason, Bill Lambdin, Wolfgang Stiller
         and Tarkan Yetiser analysed the file and found no virus.  This was
         just a hacked program.
- ---------------------------------
File: DOOM2CHE.ZIP      Problem: V     

Reported By: Mike Karina of Biloxi, Ms.

        The Mississippi Gulf Coast was hit with the Gold-Bug virus mid 
        October. It was uploaded to a local BBS under the name DOOM2CHE.ZIP.  
        The file had 2 files in it: GOLD-BUG.ASM and GOLD-BUG.COM.  The .ASM 
        file was the actual source code for the Gold-Bug virus.  The .COM 
        file was the virus file itself.  

- -------------------
File: SF2_UP.ZIP        Problem: V

Reported By: Fido WARNING Conference. This is a renewal of the original
             report in 1992.  It appears there are folks out there that 
             didn't get the proper notification from the companies involved.

        This file can be found on the Night Owl 10.0 CD.  It is infected with 
        the Lapse_366 virus.  The staff of "The Scanner" found this file and
        verified the virus is still present. Fridrik Skulason verifies 
        the virus on this file in the FP virus information files.


- ---------------------------------
File: SPORT21C.ZIP      Problem: V

Reported By: Fido WARNING Conference.  This is a renewal of the original
             report in 1992.  It appears there are folks out there that 
             didn't get the proper notification from the companies involved.

        This file can be found on the Night Owl 10.0 CD. It is infected with 
        the Crusader variant of Butterfly.  The staff of "The Scanner" found
        this file and verified the virus is still present. Fridrik Skulason 
        verifies the virus on this file in the FP virus information files.
- --------------------------------------------------------------------------


                          FROM THE EDITOR

        Well, that's it.  The first issue of "The Scanner". I would like to 
take this opportunity to thank the folks that made this possible.

        Bill Lambdin for his time, patience and contributions. 
            " Bill, appreciate the time and counsel. "

        Rob Slade for his encouragement and contributions as well as a few 
friendly words from up there in Vancouver, BC, Canada. Looking forward to
reading the new book Rob.

        To my local SYSOP ( Joe Rosa, Flagship-Pulsar BBS, Ocean Springs, Ms.) 
who was the test pattern for the concept, and for the early morning chats online 
while I try to get ready for the day, just "shootin the breeze".  

        And most of all to my wife Trish for proofreading material she 
had no interest in, and no clue or idea as to what she was reading, but checked it 
anyway.

        Harold J. Neiper and Jim Sharpe of Coast Computers, Inc., in
Biloxi, Ms., for their technical help and expertise.  When I am in a jam
I give Harold a call and either he or Jim is always ready to assist.  
Thanks guys.
        
        And most of all, thanks to you, the reader, for taking the time 
and checking this publication out.  Hope you enjoyed the issue as well as 
benefited from it.

        I would appreciate any comments or suggestions you have for improving
The Scanner.  I can be reached by E-Mail at either: 
        
        Primary:   howard.wood@flagship.bbs.net  
        Secondary: umwc4a@prodigy.com.  
        
        In the Biloxi area I can be reached on just about any board.  My
        main boards are:

        Flagship - Pulsar BBS           872-4518
        Micro - Tech BBS                832-8589
        Datasync BBS                    875-2355


                My public-key is available upon request.


                                Howard Wood


-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQB1AwUBLtOfgVa8qH7fcm1BAQGsUQL+PNNrGqGyg8x9wX5FNkvx+PR4TS3lrpBP
TbDhsntNi78l8NB+PwqsN+hOYemXbbLMFYcBRaVr9BYpdVMFOdYM27TUnCo2O9wM
ENYy4FjxDnArOrTMX+b5xOBaXR8MIprD
=3BAo
-----END PGP SIGNATURE-----
