The Scanner - The Anti-Virus Newsletter of Today January 1995 Volume 1 Issue 1 The Scanner is a newsletter compiled by Howard Wood with the help of many people in the Anti-Virus community and Anti-Virus researchers as well as users. The information contained within the newsletter is public domain. Any article or part of an article is free to copy as long as the proper credits go to the author of such article. The Scanner is in no way liable for the accuracy of any or all information it is passing along. The sole responsibility for the data contained in the articles remain with the original author. While accuracy and facts are the paramount goal of The Scanner, it is humanly impossible to verify all information and guarantee its accuracy 100%. The goal of The Scanner is to disseminate as much information to as wide spread a group as possible. Researchers, developers and users alike need various levels of information to deal with the viruses, Trojans and hacks that are encountered daily. The Scanner will *attempt* to pass along viable information for all groups. Any and all constructive criticism and suggestions are welcomed and encouraged. Send all responses to the addresses below. My PGP public key available upon request. You can send any files you suspect of viral infection or know to have viral infections, hacks or suspect files to the same addresses. Please include the name of the program the file was discovered in and your name and address so the alert notices can be a little more accurate than "there is a virus out there!!". Most of all, The Scanner is *your* newsletter. If you have encountered any viruses, Trojans, or hacked programs let us know. We need to all work together to combat the problems out there. Since the last issue there have been some address changes. Any correspondence with either The Scanner staff or Howard Wood can be sent to the following addresses: The Scanner SCNR@aol.com Howard Wood HRRWood@aol.com ============================================================================ CONTENTS Article Author ----------------------------------------------------------------- The New Year .............................. Howard Wood Polymorphic Generators .................... Mikko Hypponen Tech Reports .............................. Bill Lambdin, Bill Hoover Trojan Alert ! ............................ Howard Wood The Bookshelf ............................. Robert Slade Reviews on: "The Internet Business Book" - By Jill H. Ellsworth "Your Internet Consultant" - By Kevin M. Savatz Gold-Bug Companions ....................... Howard Wood In The News ............................... Howard Wood Hacks, Viruses and Trojans ................ Howard Wood Stoned.Empire.Monkey.A Removal ............ Howard Wood Performance of: F-PROT vs Monkey ...................... Mikko Hypponen Integrity Master vs Monkey ............ Wolfgang Stiller The Monkey is on my back !! ............... Howard Wood From Woody's Desk ......................... Howard Wood ============================================================================ The New Year Well, 1995 has started. It is customary in many circles to reflect on the year past and look ahead to the new year present. We can't look back too far but we can certainly look ahead. As I have been reading the Virus-L digest I see the ever increasing problem of the viruses, hacks and Trojans. Basic precautions are needed but seem to be neglected. Promise yourself that the new year will start new habits. Backup your files. Set yourself up with a tool box to help you prevent being in the position where that report that is due tomorrow isn't lost because you can't get to it, or even worse, has been destroyed. Take the few minutes it takes to set up an Integrity program, and a scanner that meets your requirements. LEARN them and talk with others that use the same ones and find out what works for them so you can establish a system of your own. Backup your files Get yourself into a virus conference on one of the many conferences offered out there. Keep you eyes open for warnings of virus infected programs, hacks or Trojans. Backup your files Keep those files you just downloaded in a separate directory where you can uncompress them and scan them before you run them. As sure as I am writing this article, the first time you say " I'm sure this is safe" is when you will get hit. And finally, BACKUP YOUR FILES !!! "The best defense is a good offense" I hope 1995 is a good year for all. Remember, keep those scanners going!! :-) Woody ============================================================================ Polymorphic Generators EDITOR NOTE: Mr. Mikko Hypponen, of Datafellows LTD, was kind enough to allow The Scanner to use articles from his FP-Bulletins in this issue and others to follow. We thank him for his generosity and help in making The Scanner a more professional newsletter. Polymorphic viruses ------------------- The rise of polymorphic viruses can be seen as virus writers' response to the increasing expertise of virus scanners. Since properly built scanners can recognize viruses by their characteristic code, the obvious way to try to beat scanners was to design viruses that change their code, thus rendering recognition with search strings impossible. Polymorphic viruses employ code alteration and encryption to hide themselves from scanners. Their usual tactic is to encrypt the main part of their code with a variable key and leave only the decryption executor unencrypted. The decryption code is altered during every infection to prevent detection with a search string. However, it takes considerable skill to design a polymorphic virus. This kept the number of true polymorphic viruses quite small for a relatively long time. Of course, this couldn't last forever: At some stage, the heavyweights of the virus trade took notice and came to rescue their less skilled brethren by writing and distributing polymorphic generators. Polymorphic generators ---------------------- Polymorphic generators are routines which can be linked to existing viruses. The generators are not viruses per se; their purpose is to hide actual viruses under the cloak of polymorphism. The first all-purpose polymorphic generator was the Mutation Engine, or MtE. Published in 1991, capable of billions of different permutations, linkable to any virus, it heralded the age of instant polymorphism. Today, there are 33 different viruses which are known to use the MtE. Other polymorphic generators followed in MtE's wake. The next two appeared late in the year 1992. They were the TridenT Polymorphic Engine (TPE) and NuKE Encryption Device (NED). TPE was written in the Netherlands. In principle it is capable of producing smaller number of different permutations than the MtE. However, it created detection problems for antivirus products because the decryptors it creates are more generic than those produced by MtE. NuKE's generator wasn't quite as advanced, but unlike most other polymorphic generators, it was distributed as readable source code instead of an object module. Other known polymorphic generators are Dark Angel's Multiple Encryptor (DAME), Darwinian Genetic Mutation Engine (DGME), Dark Slayer Mutation Engine (DSME), MutaGen, Guns'n'Roses Polymorphic Engine (GPE) and Dark Slayer Confusion Engine (DSCE). These generators are typically distributed via underground networks, virus exchange BBSs and private areas in the internet. Operating Principles -------------------- Polymorphic generators are code modules which a programmer can incorporate into a program. After this, the program can use the functions the code module contains. This process is called linking. Once a generator is linked to a virus, it becomes an intrinsic part of the said virus. The virus will thereafter carry the engine along while spreading itself. It should be noted that the generator itself does not care in which kind of a program it is linked to. The known polymorphic generators are clearly written to be linked to viruses, but in principle they could be used in other kinds of programs as well. When a virus that employs a polymorphic generator is infecting a program file (or some other object), it requests the generator to create an encrypted copy of the virus code and the generator itself. Besides performing the encryption, the generators also create a decryptor - a routine which is able to undo the encryption applied to the actual virus code. The generators often use relatively simple encryption techniques. However, they do change the encryption key during every execution. This alone makes the detection of such a virus difficult, but encrypted viruses retain one Achilles heel: the decryption routine, which must remain unencrypted if it is to be executable. Thus, the true effectiveness of a polymorphic generator is measured by its ability to mutate the decryption routine. All polymorphic generators need some kind of a randomization routine in order to create different algorithms each time. Some of the generators allow the virus programmer to substitute his own randomization routines instead of the original one. Polymorphic generators are able to create completely different encryption methods and a wide variety of different decryption routines for them. They modify their decryption routines by such means as shifting the commands inside the routine around, adding ineffectual commands in random places and using different processor registers and opcodes. The basic idea is to make the binary image of the decryption routine totally different between different infections. All this makes it impossible to search for the decryption routine with fixed search strings - there is no search string that could always be found in infections made by a polymorphic virus. How does a virus using a polymorphic generator infect a file? 1. A clean file before the infection. We'll call this the victim file. 2. The virus starts the infection process by modifying the victim file's first commands. It replaces them with a command to jump to the end of the file. The original first bytes of the file are stored in the virus's body. 3. Next, the virus calls the polymorphic generator to create an encrypted copy of the virus code and the generator itself. The generator also creates a decryption routine, which is added to the end of the victim file. 4. The encrypted code is added to the end of the victim file. This encrypted section contains three parts: a copy of the actual virus code, the original first bytes of the victim file, and the code of the polymorphic generator. Limitations ----------- When the first polymorphic generators were found, it was feared that there would be a huge rise in the number of polymorphic viruses. However, these generators have not proved as popular as was originally thought - only about one hundred viruses are known to use a generator. One of the reasons for this is that a generator must be linked to the program to be encrypted, and since the operation requires changes to the program itself, some programming experience is necessary. This alone places the generators out of the reach of the run-of-the-mill virus enthusiasts. Unfortunately, the generators usually come with detailed instructions on their use, so that virus aficionados with even limited experience of assembly programming can easily use them. Another limitation is the generators' size. Although the generators are quite small in themselves, they do increase the size of viruses by some amount. This makes it difficult to link them to boot sector viruses, which have limited code space. No generator-masked boot sector viruses have been found. With the exception of V-Sign (a mildly polymorphic boot sector virus), polymorphic capabilities seem to be the privilege of file viruses. Of course, the advantage that viruses get from polymorphic generators is somewhat questionable. If an anti-virus program is able to recognize the presence of a particular generator, it is usually able to detect all viruses masked by it. Detection --------- Despite the cunning nature of polymorphic generators, viruses masked by them can be detected by using proper tools. Antivirus programs often employ algorithmic means to recognize files infected by polymorphically hidden viruses. Another way to find such viruses is to use checksumming. It is also possible to try to solve the encryption and search for the virus underneath the encryption layer. Algorithmic methods ------------------- Algorithmic methods are based on the fact that however much a generator mutates the decryption routine, it must still contain certain programming structures which make the decryption possible. If a program file contains such structures, the antivirus program can say with sufficient certainty that the file is infected by a polymorphically cloaked virus. As polymorphic generators vary a lot, a different algorithm is needed for each generator - and in order to build such algorithm, the generator will have to be studied closely. However, the algorithmic methods have a certain weakness: they are prone to false positives. The program structures employed by polymorphic generators can be very random. This means that similar structures sometimes occur inside legitimate program code. False alarms may crop up especially if data files are also included in the search, because they typically contain data similar to the random 'garbage-code' which the generators produce. It is relatively easy to create an algorithm that will find all infections created with a polymorphic engine, but if the algorithm would also flag a large amount of clean programs as infected, it is useless. Checksumming ------------ Checksums are comparison values calculated from the executables in a system. These values are stored in a database. When a checksum search is made, the checksums are re-calculated and compared with the original values in the database. Since this method detects all changes to a system, the mutability of polymorphically hidden viruses does them no good; a change is a change, and thus detectable. Checksumming has its drawbacks, too: checksummers suspect all changes that happen inside a system, and occasionally give warnings of ordinary programs which alter their own code. Nowadays, checksummers are usually equipped with an exclude-list and a heuristic faculty to prevent this from happening. Although theoretically able to detect all changes to a system, checksummers are vulnerable to stealth viruses. If such a virus is active in a computer's memory, it is able to hide all the changes it has made. When stealth viruses are involved, checksummers base their calculations on false data, and will consequently find everything to be in order. It should be noted that polymorphic viruses which also stealth their presence are very rare, simply because they are technically difficult to create. Decryption-based detection -------------------------- The decryption-based detection of polymorphic viruses work by first reasoning whether the examined object is encrypted. If the object seems to warrant suspicion, generic decryption methods are applied to it, and a string-based search is done to the code found underneath the encryption. This method works against some polymorphic generators with great success, but is difficult to implement for others. What is the best solution? -------------------------- Checksumming is the strongest method against polymorphic viruses - as long as the machine is clean when the checksummer is installed, and the virus is not falsifying the information received by the checksummer. Checksummers will also detect those polymorphic (and normal) viruses that have not yet been analyzed. The algorithm-based detection mechanisms against polymorphic viruses tend to have problems with false alarms, but these can be overcome by designing the detection engine carefully. One advantage of algorithm- based detection is that, once a detection engine is able to detect a certain polymorphic generator, it will probably detect all viruses utilizing it. A decryption-based detection mechanism can only detect those polymorphic viruses that have been analyzed by the creator of the antivirus product, but it is very unlikely to produce false alarms. Furthermore, such a mechanism is also able to detect the exact variant of the virus in question - this is something that most algorithm-based detection methods are unable to do. Thus far found... ----------------- In the following are brief descriptions of the polymorphic generators that have been found to this date. The generators usually come with introductory notes which explain their use, and in which the authors seek to justify themselves, for example by prohibiting the use of their products in viruses, by trying to explain why polymorphic generators are beneficial, necessary and generally morally uplifting, or by giving the by now well-established lecture about free speech and freedom of expression. Since many of the generators' authors are members of well-known virus groups, these disclaimers can be seen as simple hypocrisy. MtE (Mutation Engine) --------------------- Mutation Engine was the first polymorphic generator, written by the Dark Avenger. MtE was put into circulation in 1991. It is the most widespread polymorphic generator, and has been incorporated to 33 different viruses. Though revolutionary in its time, Mutation Engine is currently somewhat outdated. Practically all anti-virus products can detect MtE-hidden viruses. Nevertheless, MtE continues to be a source of inspiration for people aspiring to write polymorphic generators - for example, almost all generators written after MtE mimic the documentation provided with MtE. MtE v0.91's size is 2048 bytes. TPE (TridenT Polymorphic Engine), DGME (Darwinian Genetic Mutation Engine) -------------------------------------------------------------------------- TPE was written in 1992 by Masud Khafir, a Dutch member of the TridenT virus group. Before and after TPE, Masud Khafir has created several advanced viruses. Among them are the first Windows virus, Win_Vir, the Cruncher virus series, and one of the most widespread viruses using MtE, the MtE.Pogue virus. TPE itself is based on the encryption routine of Masud Kafir's Coffeeshop 3 virus, currently known as TPE.1_0.Girafe.A. To date, four versions of TPE have come out. The author has implied that he considers the product finished, and will not write further versions. The later versions of TPE are highly complex, making it one the most advanced polymorphic generators in the world. TPE version 1.1 was technically advanced, but it contained bugs which made it incompatible with some processor types. Versions 1.2 and 1.3 corrected this problem. The last version, 1.4, introduced an improved, highly complex encryption method, which makes TPE-hidden viruses difficult to identify by using decryption-based detection methods. A separate, modified version of TPE has also appeared. It is known as the Darwinian Genetic Mutation Engine (DGME). DGME was published in Mark Ludwig's latest disputed book 'Computer Viruses, Artificial Life and Evolution'. TPE takes up about 1.6 KB. Presently, it is known to be linked to 10 different viruses. NED (NuKE Encryption Device) ---------------------------- NED, the first polymorphic generator from USA, appeared at approximately the same time as TPE. According to the generator's documentation, it was released in October, 1992. Nowhere Man is credited as being the author of this generator, but there have been suspicions that it is actually written by some other programmer. Nowhere Man is the author of NuKE's Virus Creation Laboratory, the VCL. Unlike most other polymorphic generators, NED was distributed as source code. This, of course, makes it easier for other virus creators to modify the generator, but so far only a single version of NED has been found. The generator's documentation expressly forbids its distribution outside NuKE itself, but it has obviously been in wide distribution. NED version 0.90B takes up 1355 bytes. It is known to have been linked to two different viruses. DAME (Dark Angel's Multiple Encryptor) -------------------------------------- Naturally enough, Phalcon/SKISM didn't want to be upstaged by NuKE. In 1993, this virus group, which originates from Canada, joined the fray with Dark Angel's Multiple Encryptor, DAME. The new generator's name may have been meant as a dig at some members of the anti-virus community, who had been using the name DAME for Dark Avenger's Mutation Engine, MtE. Dark Angel published his generator during the summer of 1993 in issue 11 of Phalcon/SKISM's magazine, 40Hex. Dark Angel has also written the two virus creation toolkits published by Phalcon/SKISM, the PS-MPC and G2. Like NED, DAME was distributed as commented source code. Along with the generator, Dark Angel published an article which dealt with polymorphism and the writing of polymorphic generators in general. Dark Angel was apparently not completely satisfied with his initial product, because he introduced an improved version of DAME in the next issue of 40Hex. The first version of DAME, 0.90, took up 1574 bytes. The improved 0.91 version had grown to 1960 bytes. Dame is known to have been linked to two different viruses. DSME (Dark Slayer Mutation Engine) ---------------------------------- DSME was the first polymorphic generator from Taiwan. It was written by a person calling himself Dark Slayer. DSME was published in the end of 1993. Interestingly, DSME contains documentation both in English and Chinese. The author sends greetings to Dark Avenger and Nowhere Man and thanks for the inspiration he received from earlier polymorphic generators. DSME is not as advanced as the generators produced before it. Dark Slayer admits this in his notes. The actual size of the generator is little over 2 kilobytes. At the moment, only one virus is known to use the DSME. MutaGen ------- In the beginning of 1994, a new author entered the stage. Calling himself MnemoniX, this American virus writer proudly presented a new generator called MutaGen. At the moment, there are four different versions of MutaGen in distribution. Each successive version is more complex than the previous ones. Their sizes range from 1032 bytes to 1385 bytes. In MutaGen's documentation, MnemoniX criticizes the other polymorphic generators for being too unreliable and easy to detect. MnemoniX himself has published two different viruses which utilize the MutaGen generator, but otherwise the response of the virus underground to this new generator is unknown. GPE (Guns'n'Roses Polymorphic Engine) ------------------------------------- The Guns'n'Roses Polymorphic Engine is a newcomer, written by a person calling himself Slash Wu. Like the Dark Slayer Mutation Engine, this generator originates from Taiwan - and it only comes with Chinese documentation. In the generator's documentation, the author prohibits the use of the generator in viruses and other malicious software. He claims to have developed GPE solely for the purpose of protecting data and programs from unauthorized use. These claims are lent some credence by the fact that the author has included his apparently real name and phone number in the introductory notes. Version 1.00 of the Guns'n'Roses Polymorphic Engine was released in March 1994. So far, the generator is not known to have been linked to any virus. It's size is about two kilobytes. DSCE (Dark Slayer Confusion Engine) ----------------------------------- There is at least one polymorphic generator which has so far eluded the antivirus researchers. The one that we know of is called DSCE, and it is written by the same author as DSME. A file that demonstrated DSCE's abilities was sent to F-PROT Professional Support during April 1994. Deductions based on this demo indicate that DSCE is a rewritten version of DSME, and capable of creating far more complicated samples. [Source: F-PROT version bulletin 2.14. Copyright (c) 1994 Data Fellows Ltd.] ============================================================================ Tech Sheets Mr. Bill Hoover of Virus Research and Statistics in Indianapolis, Indiana is a new member of The Scanner's contributing authors and researchers. We welcome him aboard and look forward to working with him more in the future. EDITOR'S NOTE: At publication time The Scanner learned that Bill has just recently been hired as a programmer/analyst for a client server based company called Support Net in Indianapolis, Indiana. CONGRATS Bill, and good luck. TRON and HIDER are two viruses Bill has researched. The following are his reports on the two viruses: TRON: ===== The Tron virus was submitted to Virus Research & Statistics on 12.03.94 from a local sysop who runs a board here in Indianapolis, Indiana USA. Seems a user uploaded the infected file compressed with PKLite and F-Prot 2.14 detected it. From taking a quick look at it and testing it on an isolated computer, it seems to be a resident *.COM infector including COMMAND.COM and the infected files increase by 754 bytes. Upon executing an infected program, the virus will go resident and hook interrupts 8 (system timer), 16 (keyboard), 21 (Dos Functions) and 22 (Dos Terminate address) and infect *.COMs when they are executed. Seems to also play around with the keyboard a bit, and adds 1 to the ANSI value of the 6th typed character. For example, 'xxxxxx' becomes 'xxxxxy' and 'aaaaaa' becomes 'aaaaab'. Although F-Prot 2.14 detects it, users can use the scan sig below to detect it since it is present in all infected files (at least the ones I tested) : 0E 1F BE 18 01 46 81 3C 54 52 75 F9 81 7C 02 4F 4E 75 F2 83 C6 04 In addition, (not sure about the trigger yet since I've only looked at it for a couple of secs) but a little graphic ball will appear at the top left of the screen and continue across the screen left to right until it hits the bottom right, erasing the screen contents. I have a feeling that this happens after a the virus has been resident for so long (reason for system timer being hooked) but not exactly sure. In addition, the text 'TRON' can be found within infected programs, and the infected program's name appears in the interrupt chain and as resident in memory. ******** HIDER: ===== Possible Virus Name : Hider / Anston Rant The 'Hider / Anston Rant' virus was submitted to Virus Research & Statistics on 10.08.94 via the Prodigy Service by a user of Prodigy. The virus is a non-resident direct action parasitic infector of *.COM / *.EXE files using a standard method of appending the viral code to the end of the infected program(s) and adding a JMP command to the beginning of the infected *.COM files. The virus seems to use a very effective traversal scheme which will search relentlessly until it infects 3 *.COM and 3 *.EXE files or until no more candidate files are found. Infected files will increase by 1782 bytes with the virus being appended to the end of the infected files and the original file's time and date stamps will not be changed from their original state. Infected files will contain the following message : Anston Rant is back for more! Whoa, looks like you be missing some files there, Bud! The user who submitted a sample of this virus stated that on the 13th day of any month, the virus would 'hide' all files and directories located within the root directory and the files could be safely recovered by using the ATTRIB -H *.* command. However, during my tests, no files or directories were 'hidden' and the virus merely continued to infect non-infected files and displayed the message listed above. Generation 1 samples of the this virus can easily be detected using the following scan sig : BF 03 02 06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00 In addition, infected *.COM / *.EXE files can be detected by : 06 1E 06 89 FE 81 EE 00 01 32 E4 B9 CB 06 BB 00 00 2E 8A 04 In the current form, this virus does not contain an encryption scheme and will easily be detected by using the above scan sigs added to F-Prot or any other AV product that supports external user defined scan sigs. Tron and Hider / Anston Rant virus tech-specs provided by : Mr. William E. Hoover Virus Research & Statistics 1142 South Reisner Street Indianapolis, Indiana 46221 U.S.A. ******************************** Bill Lambdin is a member of The Scanner staff. The following is his preliminary report on the NYMPHO MITOSIS virus. NYMPHO MITOSIS 2.0 ================== Preliminary analysis of Nympho Mitosis virus by W.H. (Bill) Lambdin Name ] Nympho Mitosis 2.0 Size ] 787 bytes Infects ] .COM and .EXE files including COMMAND.COM. Scan string ] 33 FF 8C C0 48 8E D8 38 3D 75 44 88 1D 83 6D 03 In the wild ] Unknown ] A-V ] This virus has been forwarded to the following; Vesselin ] Bontchev, David M. Chess, Spencer Clark, Eugene V. ] Kaspersky, FRISK, Dr. Alan Solomon, Wolfgang Stiller, ] Frans Veldman, Tarkan Yetiser. Dmitry O. Gryaznov Armored ] no Detected ] Yes Encrypted ] No Interrupts ] Hooks interrupt 21h Load Address] 9FBDh Marker ] The virus places an 8 in the last column of the seconds ] field of the time stamp to mark infected files. When ] Nympho Mitosis disinfects a host file, 02 in placed in ] the seconds field of the time stamp. Polymorphic ] No Resident ] Yes Size in RAM ] 1088 bytes Stealthed ] Fully stealthed, but very unusual, the virus removes ] itself, when an infected file is opened, but does not re- ] infect when the host file is closed. Text ] [Nympho Mitosis] v2.0 Copyright (c) 1993 Memory Lapse ] Phalcon/Skism Canada Type ] Infects .COM & .EXE files, and the virus is appended to ] the end of the infected host files. Unusual ] Does not trap errors. So DOS reports a write protect error ] when trying to run a file from a write protected diskette. ============================================================================ Hacks, Viruses and Trojans A Trojan alert from THE SCANNER !!!! The following message was taken off of the WildNet Virus conference 19 December 1994: ------------------------------------------------------------------------ Date: 12-16-94 Msg # 98 To: ALL Conf: (125) Virus'-WN From: ROBERT KEMPER Stat: Public Subj: WARNING WARNING WARNING Read: Yes ------------------------------------------------------------------------ I discovered a Trojan on the Software Vault Gold Collection CD. Under the utilities section is a supposedly shareware virus scanner that will damage any disk you attempt to scan. The file name is SCCL100.zip DO NOT ATTEMPT TO RUN THIS PROGRAM ! I have notified American Databankers Corp and they have confirmed that this program is designed to damage disks and will be removed from future CD's. Copyright 1994 Robert L. Kemper Jr. --- þ TNet 3.60 ÷ WILDNET: The Right Note! - MUSIC ORIENTED BBS - 502-452-1453 --------------------------------------------------------------------------- Thanks Robert, great catch!! The staff at The Scanner went into action and went looking. We found this program on 8 CDs total in our area and made the proper notifications to the sysops. Here they are the CDs and the areas the program was found in: CD Title Area ------------------------------------------------------------------------- Shareware Vault Gold Virus Detection and Prevention Shareware Studio #4 Virus Tech Arsenal Anti-Virus Utilities Cream of the Crop II Virus Prevention Hobbes OS/2 MAC File Viewers Best of Bizzness '94 Virus Utilities Best of Shareware '94 MAC File Viewers Night Owl #9 Virus Night Owl 10 Virus EDITOR'S NOTE: Thanks to Jerome Priest - SYSOP of THE Busy Body BBS, W. Branch, MI, we added Night Owl #10 to the list. Thanks Jerome ! The file is 709180 Bytes with a file date of 05-26-93. This program claims to be a *virus scanner*. The program will start out asking you what drive you want to scan. Upon entering a drive letter you are immediately taken to a screen where the alleged scanning is taking place. The unsuspecting victim will observe a Scanning box and a Status box on the screen. As the Scanning box fills ( Showing the percentage of the disk that is scanned ) the status box shows the message : "Scanning Memory ...." Once the Scanning box reaches 100%, the status box then reports "Memory appears to be clean ....". Now the program performs the alleged disk check. The Scanning box once again will display the percentage of the disk being scanned and the status box displays the following message: " Now performing check on disk.... Please Wait ...." Now the fun begins. The Scanning box will go the screens width several times and the then stop. The Status box displays the following message: " Uh Oh....Virus Detected...." Upon hitting the return button this message comes up: " Trying to gain control of vital areas...." After a few seconds the final message comes up as: " Cannot destroy virus !!!!" The system is waiting for a RETURN from the user. The light on the A: drive goes on and the damage is now in progress. After the drive stops, the system is locked up. The system needs to be rebooted again. After rebooting, the unsuspecting user then looks at the disk in the A: drive to see if the "virus" has been removed only to find the disk rendered useless. That, folks, is a TROJAN. A program that claims to do something, but in reality does something else unbeknownst to the user. *************** Editor's Follow-up: I have personally verified each program off of each CD. I am doing more follow-up because the file sizes are not all the same, yet, the same action occurs in each program. The EXE file is the same size in each program 5599 bytes. The SCCL100.DAT file is always 702383 bytes. Prior to doing a scan on a disk the following files are in the directory of the SCCL100 program: SCCL100.DAT 702383 05/26/93 18:57 SCCL100.DOC 1497 05/26/93 19:27 SCCL100.EXE 5599 05/26/93 18:58 After executing the program the following files are added: SCANNER.DAT 140392 - Woody - ============================================================================ The Bookshelf Rob Slade is busy at work up in British Columbia, Canada, reading book after book after book. He is kind enough to share his views on these "parcels of knowledge" with The Scanner and we appreciate it. "The Internet Business Book", Ellsworth/Ellsworth, 1994, 0-471-05809-0, U$22.95 oakridge@world.std.com je@world.std.com %A Jill H. Ellsworth %A Matthew V. Ellsworth %C 605 Third Avenue, New York, NY 10158-0012 %D 1994 %G 0-471-05809-0 %I John Wiley & Sons, Inc. %O U$22.95 800-CALL-WILEY Fax: 212-850-6799 %O aponnamm@jwiley.com jdemarra@jwiley.com %P 376 %T "The Internet Business Book" This is a reasonable guide to what the Internet is, and how it works. It gives good advice on the best means to approach the net community. The list of resources is aimed at, and appropriate to, business and professional users. The specifics of how to conduct a business on the Internet could use some work. The Internet information provided is concise, and provides a good, if fairly standard, starting point. Those new to the Internet should plan to spend some time practicing the various applications, or might want to look for more detailed guides in areas of interest. The coverage is quite broadly based, though. The email chapter, for example, goes into some detail on the use of UUENCODE to send binary files, an often neglected topic. While the advice to avoid troublesome items such as unsolicited mail and mass advertising mailing is good, there could be much more in the way of specific business advice. The choice of Internet provider only asks whether they provide all the Internet services you require, without analyzing the need for an information provider to set up anonymous ftp, gopher or World Wide Web servers. The chapter on an Internet business plan really only looks at a standard planning tool, with a few line items added for Internet service costs. This work should provide an adequate starting point for those interested in launching a business with support from Internet tools. Those who do should, however, spend some time getting used to the net, before rushing in. copyright Robert M. Slade, 1994 BKINTBUS.RVW 940929 *************** "Your Internet Consultant", Savetz, 1994, 0-672-30520-8, U$25.00/C$34.95 savetz@rahul.net %A Kevin M. Savetz %C 201 West 103rd St., Indianapolis, IN 46290 %D 1994 %G 0-672-30520-8 %I SAMS Publishing %O U$25.00/C$34.95 317-581-3718 fax: 317-581-4669 %O 75141.2102@compuserve.com 75141.2104@compuserve.com %P 550 %T "Your Internet Consultant" The subtitle of this book, "The FAQs of Life Online", refers to a common form of online documentation and reference. A list of "Frequently Asked Questions" list basic and common questions that people have, along with (supposedly) expert answers. FAQs are generally undergoing constant maintenance and updating. They are periodically reposted to specific topical groups and discussion lists, and are often accessible by various other means. Savetz maintains a number of such lists, so it is natural that his Internet guide is written in this style. Question 1.2, in the introduction, in fact, asks whether the world needs another Internet book. He feels that his guide has a distinctive, and that the question and answer style makes a fundamental difference to the work. I'm not sure that the difference is fundamental, but I do think it was a valuable exercise, and produced a worthwhile book. The need to answer the questions keeps sidetracks and diversions to a minimum,. The "frequently" part also helps keep the book focussed on what most people want; the question, however, gives the book some added breadth. I note some questions which I am certainly asked often, and which many Internet guides fail to answer. The questions are all listed at the beginning of the book, forming a type of expanded table of contents. This is less helpful than one might suppose, since one needs to know the area that the question might appear in. Overall, a concise and informative starting guide, well worth consideration. copyright Robert M. Slade, 1994 BKYRINTC.RVW 940930 ============================================================================ DECUS Canada Communications, Desktop, Education and Security group newsletters Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733 Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0 ============================================================================ EDITORS NOTE: I have recently purchased a copy of Rob's book "Robert Slade's Guide to Computer Viruses" and highly recommend it to anyone wishing to take serious steps in learning the basics of computer viruses and procedures to arm themselves against them. It is well written and quite informative. Hopefully, I will have completed it by the next issue and look forward to giving you the "scoop" in detail. :-) ============================================================================ GOLD-BUG Companions In the last issue of The Scanner we featured the GOLD-BUG virus. In the "gouge" we included in the article, two companion viruses of GOLD-BUG were mentioned. The DA'BOYS virus and the XYZ virus both, accompany the GOLD-BUG virus. All three of these viruses are written by an individual named "Q" the misanthrope. Well, the "Q" library is growing. I guess if we have to have virus writers that turn their creations loose on the world we might as well have one that will at least send the code and the removal instructions as well ! :-) DA'BOYS VIRUS ------------- Virus Name: DA'BOYS Aliases: DALLAS COWBOYS V Status: New, Research Discovery: January, 1994 Symptoms: Possible diskette access problems; BSC; Infected disks fail to boot on 8088 or 8086 processors; No COM4. Origin: USA Eff Length: 251 Bytes Type Code: BORaX - Resident Overwriting Boot Sector and Master Boot Sector Infector Detection Method: None Removal Instructions: DOS SYS General Comments: The DA'BOYS virus will only work with DOS 5 or DOS 6+ with an 80186 or better processor. Unlike other boot sector infectors, the DA'BOYS virus overwrites or rewrites the DOS boot sector. It does not make a copy or move the boot sector to another sector. It will infect all American DOS 5 or DOS 6 boot sectors. It will infect disks in drive A: or B: It works with 360K, 720K, 1.2M, 1.44M or 2.88M disks. When a disk is booted with the DA'BOYS virus, it will load itself into a "hole" in lower DOS memory. CHKDSK will not show a decrease in available memory. INT 12 will not be moved. The DA'BOYS virus code is written in the "Non-System disk or disk error Replace and press any key when ready" string. But it will display the above message by using the code found on the hard disk DOS boot sector. It will then infect the DOS boot sector (not the partition table) of the hard disk and overwrite the "Non-System ... " text string with it's code. The DA'BOYS virus does not damage any data. It disables COM4. The text string "DA'BOYS" appears in the virus code but is not displayed. The DA'BOYS virus has a companion virus that it works with. The GOLD-BUG virus is also a boot sector infector. It is possible to have a diskette with two boot sector viruses. GOLD-BUG hides the presence of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG removes the DA'BOYS virus from the INT 13 chain at the start of Windows and restores it when Windows ends. It can be removed from diskettes and hard disks with the DOS SYS command. ************* XYZ VIRUS --------- Virus Name: XYZ Aliases: X-AMINE YOUR ZIPPER V Status: New, Research Viron Discovery: September, 1993 Symptoms: None - Pure Stealth Origin: USA Eff Length: 440 Bytes Type Code: OReE - Extended HMA Memory Resident Overwriting .EXE Infector Detection Method: None Removal Instructions: See Below General Comments: The XYZ virus is a HMA memory resident overwriting direct action infector. The virus is a pure 100% stealth virus with no detectable symptoms. No file length increase; overwritten .EXE files execute properly; no interrupts are directly hooked; no change in file date or time; no change in file attributes; no change in available memory; INT 12 is not moved; no cross linked files from CHKDSK; when resident the virus cleans programs on the fly; works with all 80?86 processors; VSAFE.COM does not detect any changes; Thunder Byte's Heuristic virus detection does not detect the virus; Windows 3.1's built in warning about a possible virus does not detect XYZ. The XYZ virus will only load if DOS=HIGH in the CONFIG.SYS file. The first time an infected .EXE file is executed, the virus goes memory resident in the HMA (High Memory Area). The hooking of INT 13 is accomplished using a tunnelling technique, so memory mapping utilities will not map it to the virus in memory. It then reloads the infected .EXE file, cleans it on the fly, then executes it. After the program has been executed, XYZ will attempt to infect 15 .EXE files in the current directory. If the XYZ virus is unable to install in the HMA or clean the infected .EXE on the fly, the virus will reopen the infected .EXE file, remove itself, and then write the cleaned code back to the .EXE file. It then reloads the clean .EXE file and executes it. The virus can not clean itself on the fly if the disk is compressed with DBLSPACE or STACKER, so it will clean the infected .EXE file and write it back. It will also clean itself on an 8086 or 8088 processor. It will infect an .EXE if it is executed, opened for any reason or even copied. When an uninfected .EXE is copied, both the source and destination .EXE file are infected. The XYZ virus overwrites the .EXE header if it meets certain criteria. The .EXE file must be less than 62K. The file does not have an extended .EXE header. The file is not SETVER.EXE. The .EXE header must be all zeros from offset 72 to offset 512; this is where the XYZ virus writes its code. The XYZ virus then changes the .EXE header to a .COM file. Files that are READONLY can also be infected. The text string "XYZ" and "ZYX" appear in the virus code but are not displayed. The XYZ virus has a companion virus that it works with. The GOLD-BUG virus also goes memory resident in the HMA and reserves space for the XYZ virus. To remove the virus from your system, change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the system. Then run each .EXE file less than 62k. The virus will remove itself from each .EXE program when it is executed. Or, leave DOS=HIGH in you CONFIG.SYS; execute an infected .EXE file, then use a tape backup unit to copy all your files. The files on the tape have had the virus removed from them. Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the system. Restore from tape all the files back to your system. ============================================================================ In The News If you find any interesting or humorous articles related to computers, hackers, Trojans or even viruses, let us know. China seems to be a topic of interest so far as hackers and hacks go. Death Penalty for a Computer Felony ----------------------------------- Death penalty has been carried out in China on a person who hacked his way into a bank's computer system. In 1991, Shi Bao embezzled 192.000 dollars from the Agricultural Bank of China by using a computer. Shi Bao was executed as a warning to would-be computer criminals. [Source: F-PROT version bulletin 2.09. Copyright (c) 1993 Data Fellows Ltd.] ---------------------------------------------------------------------------- Date: Mon, 05 Dec 94 04:15:39 -0500 From: ANTHONY APPLEYARD Subject: New virus reported in China: `Li Peng' (PC) In 5 Dec 1994 issue of the Daily Telegraph (UK newspaper), p23:- A new virus doing the rounds in China is perplexing the party faithful. When it strikes, a question appears on the screen: "Do you think Li Peng is a good prime minister?". If the operator answers "no", then the message disappears and the system is left untouched. On the answer "yes", however, the virus wipes the entire hard disk. [ Source: Virus-L Digest Volume 7 Issue 100 ] ============================================================================ Hacks, Viruses and Trojans LEGEND: H = Hacked P = Pirated T = Trojan V = Virus Infected X = Hoax * = Previous listing ============================================================================ * File: PKZ305.EXE Problem: H Reported By: Fido Virus_Info Conference. A hacked version of PKzip, and reportedly infected with the Proto-T virus. Fridrik Skulason, Bill Lambdin, Wolfgang Stiller and Tarkan Yetiser analyzed the file and found no virus. This was just a hacked program. - --------------------------------- * File: DOOM2CHE.ZIP Problem: V Reported By: Mike Karina of Biloxi, Ms. The Mississippi Gulf Coast was hit with the Gold-Bug virus mid October. It was uploaded to a local BBS under the name DOOM2CHE.ZIP. The file had 2 files in it. GOLD-BUG.ASM and GOLD-BUG.COM. The .ASM file was the actual source code for the Gold-Bug virus. The .COM file was the virus file itself. - ------------------- * File: SF2_UP.ZIP Problem: V Reported By: Fido WARNING Conference. This is a renewal of the original report in 1992. It appears there are folks out there that didn't get the proper notification from the companies involved. This file can be found on the Night Owl 10.0 CD. It is infected with the Lapse_366 virus. The staff of "The Scanner" found this file and verified the virus is still present. Fridrik Skulason verifies the virus on this file in the FP virus information files. - --------------------------------- * File: SPORT21C.ZIP Problem: V Reported By: Fido WARNING Conference. This is a renewal of the original report in 1992. It appears there are folks out there that didn't get the proper notification from the companies involved. This file can be found on the Night Owl 10.0 CD. It is infected with the Crusader variant of Butterfly. The staff of "The Scanner" found this file and verified the virus is still present. Fridrik Skulason verifies the virus on this file in the FP virus information files. ----------------------------------- File: SCCL100.ZIP Problem: T See Trojan Alert ! above. ============================================================================ STONED.EMPIRE.MONKEY.A Removal This seems to be one of the most active viruses at this time. I am constantly seeing questions about it in the Virus-L Digest and on the various virus conferences. Rather than me trying to explain it, I felt it best the "experts" pass along their summations and techniques in its removal. Mr. Mikko Hypponen of Datafellows LTD, Finland on Stoned Monkey Empire A virus and F-Prot: ( Latest version 2.15) STONED.EMPIRE.MONKEY.A ---------------------- The Monkey virus was first discovered in Edmonton, Canada, in 1991. The virus quickly spread to USA, Australia and UK. Monkey is one of the most common boot sector viruses. As the name indicates, Monkey is a distant relative of Stoned. Its technical properties make it quite a remarkable virus, however. Like Stoned, the virus infects Master Boot Records on hard disks and DOS boot records on diskettes. Monkey spreads only through diskettes. The original Stoned leaves the partition table in its proper place in the hard disk's zero track, but Monkey does not . Instead, it copies the whole Master Boot Record to the hard disk's third sector to make room for its own code. The hard disk is inaccessible if the computer is booted from a diskette, since the operating system cannot find valid partition data in the boot sector - attempts to use the hard disk result in the DOS error message "Invalid drive specification". When the computer is booted from the hard disk, the hard disk can be used normally because the virus is executed first. The virus can, therefore, escape notice, unless the computer is booted from a diskette. As Monkey not only moves but also encrypts the Master Boot Record, it is difficult to remove. The changes to Master Boot Record cannot be detected while the virus is active, since it reroutes the BIOS-level disk calls through its own code. Upon inspection, the hard disk seems to be in its original shape. There are two often-used procedures, either of which can disinfect most boot sector viruses. One of these is the MS-DOS command FDISK /MBR, which rewrites the code in the Master Boot Record, and the other is using a disk editor to restore the Master Boot Record back on the zero track. In this case, the relocation and encryption of the partition table render these methods unusable. Although both procedures destroy the actual virus code, the computer cannot be booted from the hard disk afterwards. There are five viable ways to remove the Monkey virus: o The original Master Boot Record and partition table can be restored from a backup taken before the infection. Such a backup can be made with the MIRROR /PARTN command of MS-DOS 5, for example. o The hard disk can be repartitioned by using the FDISK program, after which the logical disks must be formatted. The procedure will also destroy all data on the hard disk, however. o The command FDISK/MBR can be used to overwrite the virus code, after which the partition table can be restored manually. In this case, the partition values of the hard disk must be calculated and inserted in the partition table by using a disk editor. The method requires expert knowledge on the disk structure. o It is possible to exploit Monkey's stealth capabilities by taking a copy of the zero track while the virus is active. Since the virus hides the changes it has made, this copy will actually contain the original Master Boot Record. This method is not recommendable, because the diskettes used in the copying may well get infected. o The original zero track can be located, decrypted and moved back to its proper place. As a result, the hard disk is restored to its exact original state. F-PROT uses this method to disinfect the Monkey virus. The Monkey virus is quite compatible with different kinds of diskettes. It has a built-in table containing structural data for the most common diskette types. Using this table, the virus is able to move a diskette's original boot record and a part of its own code to a safe area on the diskette. If Monkey does not recognize a diskette, it moves the boot record to the diskette's third physical sector. This is what happens also to, for instance, 2.88 megabyte ED diskettes, with the consequence that Monkey partly overwrites their File Allocation Tables. The virus is difficult to spot, since it does not activate in any way. A one-kilobyte reduction in DOS memory is the only obvious sign of its presence. The memory can be checked with, for instance, DOS's CHKDSK or MEM programs. However, even if MEM reports that the computer has 639 kilobytes of available memory instead of the more common 640, that does not necessarily mean that the computer is infected. In many computers, BIOS allocates one kilobyte of DOS memory for its own use. F-PROT recognizes and removes all known variants of the Stoned.Empire.Monkey virus. ************ Mr. Wolfgang Stiller of Stiller Research, and the Author of Integrity Master, on the Stoned.Empire.Monkey.A virus and Integrity Master: (Latest version 2.31c) Monkey: (Description quoted from Integrity Master User's Guide) Synopsis: Resident, stealth infector of floppy boot sectors and partition sectors Symptoms: Inaccessible hard disk after floppy boot, 1K less available memory Details: Monkey is unusual in that it completely replaces the partition sector with its own code. If you boot from a floppy the hard disk will be inaccessible since there is no valid partition table in the partition sector. If the virus is resident in memory, it will use stealth techniques to return the original unmodified partition sector. Once Integrity Master (AKA IM) is installed, removing Monkey is trivial. It will detect the virus in memory and ask you to boot from a diskette. (The hard disk will of course seem inaccessible at this point but Integrity Master can access it anyway.) After you boot, you just use the "ReLoad" menu to restore the "missing partition sector" (AKA Master Boot Record or MBR). Other products call this the master boot record but we prefer to call it the "partition sector" since it contains the hard disk's partitioning information and to more clearly differentiate from the operating system boot sector (usually a DOS boot sector). What if you get the Monkey virus but you don't have Integrity Master installed already? You could remove Monkey, with an "FDISK /MBR" but then you would lose access to your hard disk. Not a good idea! Removal with Integrity Master is easy. Running IM on your infected PC, you use the Initialize menu to capture your partition sector. IM writes this to part.srl. What IM manages to do at this point is to get you a copy of the uninfected (clean) partition sector (Master Boot Record). You copy this to a diskette (realizing that this diskette is now infected). You now boot from a clean write-protected DOS diskette and run IM from floppy. You can now use the "ReLoad" menu to reload the missing partition sector as before. (You will need to insert the diskette with Part.srl in any one of the floppy drives at the point you do the reload.) Don't forget to disinfect all your diskettes. The best way to do this is to scan your diskettes (use the scan Multiple diskettes menu option in IM for this or the command IMSCAM a: where "a" is your drive letter.) If the diskette is infected, copy all data to another diskette and trash or reformat the diskette. It's not safe to just remove the infected boot sector since Monkey will damage the file structure on the diskette causing possible data loss, if the diskette is not reformatted. -Wolfgang ============================================================================ The Monkey is on my back !! After reading Wolfgang and Mikko's articles I went and infected Albert ( my working platform :-) ) I started out with an infected floppy. I put it in the drive and turned the system off then back on. I got the typical " Non-Systems disk or disk error Replace and press any key when ready" message. I removed it from the system and continued with the boot-up. Once the system was up I did a CHKDSK. The system reported a total of 654336 total bytes free instead of the usual 655360. MONKEY-A was there. That is how easy it is to infect the system. No whistles, whiz bangs or gala,just Non-system disk.... I ran F-Prot first. Clean boot the system ( turn the system off and put the disk in the drive then turn it on again. DO NOT USE ALT-CTL-DEL, some viruses can trap this and the infected memory will still be in control). F-Prot will start to come up then all of a sudden this appears in the upper right hand corner of your screen: Invalid drive in search path Bad command or file name Don't panic, wait a few seconds and F-Prot continues. Go to the Scan screen run Scan in the Report/Only mode.You will observe the following on your screen: Scanning MBR of hard disk 1 Master Boot Sector infection: Stoned.Empire.Monkey.A ERROR: No hard disk found Again, don't panic ! Go back to the Scan screen and go to the Action: block. You can enter either Disinfect/Query or Automatic Disinfection or Automatic Delete. Whatever you choose, enter it. Run Scan again with this and you will get rid of the problem in a flash. That's it. The system is ready to go. No pain, no strain. Next, I ran Integrity Master ( version 2.31b ). ( NOTE: Read the instructions * very carefully *. Here is how to set up.) The setup of Integrity Master is crucial to its proper use. I speak from experience. :-) I had some problems at first because I did not set it up properly. Thanks to Wolfgang Stiller and Bill Lambdin assisting me I now have the proper set up. So, let me go over the set up first with you so those of you running Integrity Master have a proper set up. 1. Format a floppy disk and use the FORMAT/S ( or SYS A: to transfer the system files to it. Substitute the proper drive label if A: is not your boot floppy). Make a directory called IM_HOME. Put it aside for the moment. 2. Install Integrity Master on your hard drive. Do the entire system setup within Integrity Master. Now, put that new floppy you just formatted and made bootable into the drive. Copy IM*.* to that drive. Go into the IM_HOME directory on the HD and copy all .SRL files to A:\IM_HOME. Now you are ready for any situation that arises. Be sure to copy any new additions you make to the hard drive to the "emergency disk" I booted the system up with an infected disk containing Stoned.Empire.Monkey.B this time. I ran IM from the hard drive first. The system stopped and informed me that the virus was there and that I should perform a clean boot. Again, turn the system off and put the bootable, write protected disk with IM in the drive and turn the system on. Run IM. At this point you will get a screen asking you if you want to initialize the system. You can hit any key at this point and it will get you into the menu. Go to ReLoad. Curser down to the Missing partition ( NOT the Partition sector !!). Hit enter at this point. You will see two screens come up. The one on the left explains everything on the screen on the right. Go to the Physical hard disk number (0 to 9). Hit enter. Go to the Physical Drive option and hit 0. ( Viruses only infect Drive zero, so no matter how many you have hit zero ) At this point you will be warned that you are about to over write your partition sector with the version saved in file: A:\IM_HOME\PART.SRL. This is what we want to do. Enter Yes. You will get an error report saying there is an error on C:\IM_HOME. This is alright. Remember, the virus tried to tell you there was no Hard drive, but IM got through it and fixed the missing partition. ( NOTE: If you turn off the Report FIle you wont even see this error ) Turn the system off and then back on and you should be ready to go. Do a chkdsk, if you come up with 655360 then that is confirmation you are ready to go about your business. Both of these products will remove both Monkey-A and Monkey-B in the manner described above. My thanks to Bill Lamdin and Wolfgang for coming to my rescue, thanks guys. :-) Woody ============================================================================= From Woody's Desk Well, that's the second issue. What do you think? *Please* let me know. You will notice the Hacks, Viruses and Trojan section is rather scant. I could use some help from folks out there helping me pass the word along. Drop me a line and let me know what you want to see. Next issue, I plan on running a treatise of Mikko Hypponen's on Retroviruses. A brilliant paper on the viruses of today and their aggressive behavior. You won't want to miss it !! My heartfelt thanks to the folks that help make this issue: - Mr. Rob Slade of British Columbia, Canada for his book reviews and his council in matters of the internet and reviewing The Scanner prior to publication. - Mr. Mikko Hypponen of Datafellows LTD, Finland for his contributions of the FP-Bulletins as well as his words of wisdom on the Monkey virus and taking the time to help a guy out. - Mr. Wolfgang Stiller of Stiller Research, Tallahassee, Florida for his contribution in the Monkey virus article and helping when ever asked for some advise and answers. - Mr. Bill Hoover of Virus Research and Statistics, Indianapolis, Indiana, for his contributions and willingness to take the time to research some code and for joining the "gang". - Mr Bill Lambdin, for his council, time and efforts which have been a big part of The Scanner since its conception. Most of all thank you, the readers, for taking the time to read The Scanner and sending me your views and suggestions. Keep them coming we have only just begun. Best to you all from Biloxi, Mississippi Woody