Cream of the Crop 22

home *** CD-ROM | disk | FTP | other *** search

/ Cream of the Crop 22 / Cream of the Crop 22.iso / virus / virsim30.zip / VIRSIM.DOC < prev next >

Wrap

Text File | 1996-08-01 | 41KB | 771 lines

Rosenthal Engineering, P.O.Box 1650 San Luis Obispo, CA USA 93406 e-mail doren@slonet.org http://slonet.org/~doren/ -------------------------------------------------------------------- Rosenthal Virus Simulator and Supplements Safe & Sterile Viruses Validate Security Measures -------------------------------------------------------------------- The time to be concerned about computer viruses is before you get one. Virus Simulator and Supplements are intended to help users and technical managers understand the problems viruses pose and provide a practical way to exercise the protective measures they have taken to defend their computer systems. These Virus Simulator programs generate safe and sterile, controlled test suites of sample virus programs. Virus Simulator's ability to harmlessly compile and infect with safe viruses, is valuable for demonstrating and evaluating anti-virus security measures without harm or contamination of the system. The infected programs can be used as bait for virus detecting programs to gain practical virus protection experience. Informed, experienced users are more knowledgeable and better prepared to protect themselves and others they exchange information with. Real Viruses or Simulated Viruses for Testing These test virus simulations are not intended to replace the comprehensive collection of real virus samples as maintained by Rosenthal Engineering and other anti-virus product developers for testing. They are, however, suitable for use by general and advanced users, system administrators and educators. These virus simulations set off virus detectors for testing and demonstration without the danger associated with their malicious virus counterparts. The simulators all produce safe and controlled dummy test virus samples that enable users to verify that they have installed and are using their virus detecting programs correctly, additionally affording an opportunity for a practice training exercise under safe and controlled conditions. - - - - - - - - - - - Access to the Rosenthal Engineering Virus Collection The Virus Simulators and supplements are really intended to give users some hands on practical experience using their virus protection products, on their own systems, without using live ammo. The simulators ability to actually test products exhaustively is limited. That's why Rosenthal Engineering maintains a very comprehensive collection of real sample viruses for testing at our facility. Most users find these simulated viruses more than adequate for their needs, however anyone requiring access to our independent virus sample collection should contact us directly. The collection is generally recognized as one of the most comprehensive, verifiable available anywhere. It is accessible, in our facility, on a workstation dedicated for testing with real viruses. - - - - - - - - - - - Obtaining a Trusted Virus Simulator Copy Because of the security nature of this program, you should not trust it to be harmless unless you can directly trace its source to Rosenthal Engineering without compromise. Never make copies from anything other than the original write protected distribution disk. Remove all test viruses from your system immediately after completing tests. Insist on having the Virus Simulators generate your own unique simulation files and never accept or distribute the simulated viruses themselves. This is especially important if the simulations are to retain their safe and sterile integrity. There are several programs that generate the sample test viruses. Virus Simulator and the Virus Simulator Supplements. Virus Simulator is distributed as shareware. If you find the program useful, you are requested to fill out and return the ORDER.FRM with registration payment. When the registration fee is received, the latest version of Virus Simulator along with all the Virus Simulator Supplements is sent by priority first class or international airmail. Business, corporations, government agencies and institutions require a negotiated site license. The Virus Simulator Supplement "A" is included with the shareware evaluation version, but the other supplements are available only to registered users, and are not shareware. Registered copies of Virus Simulator are sent on write protected diskettes in mailers protected by a special "Tamper Resistant" seal. - - - - - - - - - - - Virus Simulator Virus Simulator VIRSIM.COM creates a simulated test suite of .COM and programs contain the signatures (only) from real viruses. The programs themselves are not really infected with anything, but contain carefully selected portions of code from their real virus counterparts. Whenever possible, these sections of code or virus signatures are selected to trigger vigilant virus detectors. Since these are really only dummy viruses, not all infected program simulations produced by Virus Simulator will trigger every virus detecting program. In addition to simulating .COM and .EXE infected files, Virus Simulator allows the user to experiment with boot sector and memory resident virus simulations. Again, signatures (only) from real viruses are used, but the boot sector of the floppy disk is actually overwritten with very executable code (you can verify this by resetting the system with the test floppy disk in place). The memory resident virus simulation actually puts a suspicious program in memory and displays its presence on screen. Most often, real viruses are not created from scratch, but by modifying existing viruses and thus pose additional problems for virus detecting programs. To further emulate real viruses that might actually be encountered, Virus Simulator creates a completely new modified simulated virus the same way. No two files or disks will be created identically. Virus Simulator prompts the user to generate any (or all) of three test suite types: files, boot sector and memory. 1) Generate A:\VIRUS\VIR_#.COM & .EXE files. (Erase to remove) 2) Overwrite A: boot with (new) simulated virus (Format A: to remove) 3) Install memory test simulated virus (Power off system to remove) Any or all of the options may be selected at the same time. Place a freshly formatted diskette to be infected in the A: drive. If you select the "1) Overwrite A: boot sector" option, the the system will not be bootable from this disk, but will display an "Infected with simulated boot sector virus" message. Virus Simulator actually overwrites the boot sector with executable code; programs that report to intervene in this situation should report that. The A:\VIRUS\VIR_#.COM or .EXE files can be renamed and copied to other disks for testing but remember to erase all test viruses after completing your tests. If option three ( "3) Install memory test virus" ) is selected, a warning message will appear in the upper right corner of the screen until power for the system is turned off. When power is restored, the system will return to normal, and the memory virus will be removed. Virus Simulator actually places a suspicious test program in memory as a simulation and, programs that are report to intervene in this situation should report the memory resident program. How to Use Virus Simulator (VIRSIM.COM) Copy your special write protected distribution disk to your working drive and store the original in a safe place. Run VIRSIM at the DOS prompt, and follow the directions displayed. Then use your anti-virus program to scan for viruses following the directions supplied with that product. A note here about false alarms especially when using disk caching. Anytime you read or write using a disk, the data is first buffered by memory. If you've just written or read a test suite, your virus scanning program may discover it still in the disk buffer memory. Just power down the system and watch it go away. These test suites are only safe and sterile simulations to evaluate your security measures. A virus detecting program is validated when it reports the simulations. Virus detecting programs that fail to find these simulations may indeed discover their real counterparts and variations, but should only be trusted after that ability is demonstrated. Virus Simulator and Virus Simulator Supplements will only generate file and boot sector simulations on a formatted disk in drive A:, you must have an A: drive. Copy VIRSIM.COM and VSIM_A.COM (and for registered users only, VSIM_B.COM, VSIM_C.COM and VSIM_MtE.COM) to whatever drive you wish to run it from. Precautions have been taken to force VIRSIM to run only from the default directory. NOTE. A:> VIRSIM or C:> VIRSIM (works ok) C:> A:VIRSIM or C:>\TEST\VIRSIM (won't work) VIRSIM.COM (and the supplements) compiles simulated viruses directly and when scanned by virus detection programs, must always indicate being free of infection. Only the simulated viruses should report any infection. Each time Virus Simulator is run, it generates a completely new and unique suite of with accompanying documentation. Text files A:VIR_LIST.DOC and A:VIR_BOOT.DOC are created at execution time and describe each unique virus test simulation suite. Executing the generated test suite programs is not required. If executed, they will only display their Rosenthal Engineering origin. Windows users should shut down Windows and restart in DOS mode to create the simulations. Then restart Windows and employ their normal anti-virus measures to detect the samples. - - - - - - - - - - - Virus Simulator Supplement "A" (Included) Once you have gained experience using the original Virus Simulator VIRSIM.COM, the supplements offer additional insights into how viruses work, and more importantly, how to defend against them. Use VIRSIM.COM to verify your anti-virus product is installed and you are using it correctly before advancing to the supplements. VSIM_A.COM is one of several additional supplements included as part of the Rosenthal Virus Simulator test suite. Safe test bait for virus detecting programs is generated to help users better prepare to protect themselves. Virus Simulator's ability to harmlessly compile and infect with safe virus samples provides a means to demonstrate, evaluate and confirm the correct installation and use of anti-virus security measures. Supplement "A" creates the functional, but controlled, test virus sample VIRUS_A.COM on the A: floppy diskette. This program is capable of replicating throughout any drive it is copied to for one hour upon informing the user and receiving permission. After expiring, it removes itself and any copies it made on that drive if run again. Included with other safeguards, the test virus generated by this supplement has a limited life span. It will only replicate throughout the drive for a limited time. Take a moment to confirm your systems date and time are set correctly. The sample will only replicate during that one hour period (see the file date). Outside of that period, running the virus will disinfect (remove) itself and all copies of itself anywhere on the same drive. Place a formatted diskette in the A: floppy disk drive as before. Run VSIM_A.COM at the DOS prompt and confirm the date and time displayed at the top of the screen are accurate. Virus Simulator Supplement "A" will generate two files on the A: floppy diskette, VIRUS_A.COM a live, safe and controlled, replicating virus, and VIRUS_A.DOC, a brief ASCII text documentation file describing the test virus. There is no need to run VIRUS_A.COM to practice employing your anti- virus product to detect and remove it. However should you wish to experiment or have any doubts that it will replicate, simply copy VIRUS_A.COM from the floppy disk to your hard drive and run it from there. It will announce and display its intention, then ask your permission to proceed. If you consent, enter "Y" and it will replicate itself throughout the drive. You can then gain practical experience using your anti-virus product to detect and remove it. One hour to detect and remove the test samples should be more than adequate for any capable anti-virus product. If you fail to detect or remove any of the Virus Simulator Supplement "A" samples, running VIRUS_A.COM or copies it created one hour after its creation, will remove itself and any copies that remain on that drive. Vigilant anti- virus products should have no problem demonstrating their capabilities with the Virus Simulator Supplement "A" samples. - - - - - - - - - - - Virus Simulator Supplement "B" The Virus Simulator "B" Supplement provides users with hands on experience protecting themselves from a boot sector virus. Although easily detected, these are by far the most prolific and extremely infectious. Like the other simulations the test samples are completely safe, but are far more operational, and provide users with the hands on experience required to defend themselves. Several educational institutions have now incorporated this demonstration into their lesson plans. It harmlessly illustrates the importance of adhering to established anti-virus security measures quite dramatically. This type of virus hides in a special portion of the disk reserved for the power up sequence, called "booting" and is therefore called the "boot track" or "boot sector". A boot sector virus replaces the legitimate boot sector program with its' own code. When the user "boots" from the infected disk, the virus first loads itself into the computer ahead of the legitimate programs. Using Virus Simulator Supplement B (registered users only) Copy VSIM_B.COM from the special write protected distribution disk to your working or hard disk. Use a freshly formatted disk in drive A. You must have an A: drive. Run the VSIM_B from the DOS prompt and the program will instruct the user to select the anti-virus product they employ. These are listed alphabetically. The Virus Simulator B Supplement program infects the floppy disk and makes a DOC file labeling the disk as well. Users are encouraged to also mark the disk label appropriately as well. Be sure to plainly mark the sample disk so you don't stumble across it by accident and panic at some future date. As a convenience, the simulation will expire in a few days on systems that support a CMOS clock. You can now scan the disk etc. as the anti-virus product recommends. Now the fun part.... With the disk in place, re-boot the system. The boot program displays it's intention (Test Virus), the copyright, the expiration date and loads itself into memory. The system then boots through from the hard drive, while "TEST VIRUS in memory!" flashes in the upper right corner of the screen and the speaker beeps about every seven seconds. Other than the beeping and flashing, the system appears to work normally. If you are using MS Windows, the beeping will continue even though the display remaps. If you open a DOS window, from within MS Windows, the flashing message will display as well. You now have about four minutes to try your anti-virus measures, or what ever. Then, the screen becomes dominated with the "TEST VIRUS" flashing message. The beep rate goes up to about two seconds, and on most systems, the keyboard locks up! If you are in MS Windows, the mouse if left enabled so you can exit elegantly, the keyboard is then re-enabled when you return to DOS for a few minutes and finally locks again. Some BIOS's allow you to disable booting from the A drive, which prevents the demonstration from working. Real viruses have no problem infecting your hard drives' boot sector, but these simulations are safe so they will only boot from the floppy in A:, they will not infect or otherwise compromise a hard drive or other disks. Unlike these safe and sterile simulations, real viruses are not limited to being harmless. - - - - - - - - - - - Virus Simulator MtE Supplement Viruses are becoming much more sophisticated and difficult to combat especially with the introduction of polymorphic mutating viruses such as those based on the Dark Avenger MtE Mutation engine. These viruses obsolete the traditional pattern matching techniques of detection, which are ineffective against this type of virus. VSIM_MTE.COM compiles a safe set of test viruses and special dummy program files they will infect (only). The test viruses will only infect the special dummy test programs generated by the Virus Simulator MtE Supplement. Unlike their malicious real world counterparts, these simulations will only attack the dummy files provided in the A:\M_VIRUS directory. Provisions have been taken to discourage modification and tampering. Both .EXE and .COM viruses and dummies are provided. With the exception of their special safety and security provisions, the MtE test simulations are real polymorphic viruses. At the heart of these MtE virus simulations is an actual MtE mutation engine. The MtE engine provides virus writers with the ability to turn their relatively simple programs into very sophisticated polymorphic viruses which are extremely difficult to detect by virus scanners. Each time the virus infects a host program, it mutates, changing its signature pattern to avoid recognition. A few examples of viruses that employ the MtE engine are: Dark Avenger Mutating Engine, Dame, MtE, Pogue, Gotcha, 7S, Mut, Dedicated, Fear, Groove, Coffee Shop, MtE-Spawn, Questo, Crypto Lab, Encroach. Although the MtE simulations produced by this program are safe and controlled, they are real viruses, capable of infecting their special dummy host programs. Vigilant anti-virus programs that are capable of reliably detecting the MtE mutation engine should report these simulations as being infected. Because these are polymorphic viruses several samples are required to validate a virus detector, as each time the virus mutates in attempt to avoid detection, its signature changes. Using the MtE Supplement Virus Simulations (registered users only) To generate the MtE simulations and dummy files to be infected, run VSIM_MTE from the default directory. Once again, make sure you have installed your anti-virus software in accordance with the author's instructions. Prepare freshly formatted disks to be infected in your A: drive. When you run the MtE supplement, it will first verify itself (by voice) and display the sign on message, which asks if you wish to continue. Enter "Y". (NOTE! These programs should be run directly from the DOS prompt and not from inside MS Windows) The Virus Simulator will then generate a directory full of dummy test programs, until the disk is nearly full (allowing for an increase in size as the programs are infected). Originally, only the first two samples (A:\M_VIRUS\VIR_1.EXE and A:\M_VIRUS\VIR_2.COM) will be infected. Examine the directory, and you will see a considerable difference in size between the infected and clean programs. Execute an infected program, and you can observe that the test virus will spread to the other samples (only). The infected programs will display that they are indeed infected and ask if you wish to continue. If you enter "Y", the simulation will spread to from one to 15 other programs. Those programs can then be run and they will, in turn infect the others. If you enter "A" (for all) instead of "Y", the infection will spread to all the dummy .COM or .EXE samples in the directory. Because of the sensitive nature of these test samples, the infection will not spread to any sample which has been modified. For security reasons the infections will only activate on the A: drive in the A:\M_VIRUS directory, and only if no modifications have been made to the dummy program files. Once the files produced by Virus Simulator MtE Supplement become infected, your virus detecting program should report them as such. - - - - - - - - - - - Virus Simulator Supplement C The Virus Simulator Supplement C illustrated how a companion virus works, and provides a functional demonstration that affords an opportunity to exercise protective measures. These simulations, like the others, are dramatic, but safe and harmless. Companion viruses exploit a feature of the computers' operating system that differentiates between programs with a COM or EXE file extension in their name. When two programs have the same file name, for example VIRUS_1.COM and VIRUS_1.EXE, the operating system will attempt to run the COM program first. The companion virus assumes the name (with a COM extension) of a legitimate program with an EXE file name extension. When the user enters the name of the program, the companion virus does its dirty work first, and then allows the legitimate program to operate normally. Usually the whole procedure is completely transparent to the user to avoid detection. If the user examines the original program, they find it unchanged. The companion virus remains even if the user reloads the legitimate program directly from the distribution backup unless the program with the same name (and COM file extension) is removed. Using the Virus Simulator Supplement C (registered users only) Copy VSIM_C.COM from the special write protected distribution disk to your working or hard disk. As with the other simulators, place a freshly formatted disk in drive A. When you run VSIM_C it will generate several dummy programs on the floppy disk in the A:\C_VIRUS directory. These test programs are identical except for their name (VIRUS_##.EXE). One of them is associated with a companion virus simulation. When the VIRUS_## programs are run, they will only display a simple message. However, when the program associated with the companion virus simulation runs, it will produce a dramatic, but harmless demonstration. Execute each of the test programs until you discover the companion virus. To terminate the demonstration, simply reset the system. You may repeat the demonstration without generating new dummy samples on the floppy disk again. You'll notice the simulation will assume the name of a different dummy test program each time. To reveal the companion virus simulation use the DOS command ATTRIB A:\C_VIRUS\*.* and you will discover the hidden companion virus simulation. With DOS 5 and above, you can also use the DOS command DIR A: /S /A - - - - - - - - - - - How Anti-Virus Measures Protect Your System There are several popular methods employed to detect viruses that these simulators can exercise. Generally they occupy three categories; scanners, monitor filters, and change monitors. Scanners are the most popular. They check the system for pieces of code that form a signature or fingerprint that is unique to each virus. Because the scanning program will only detect viruses that it knows the signature for, it may not detect a new or modified virus. Virus Simulator offers the signatures of many real viruses, but may not be using the same signatures your viruses detector uses. If your signature scanner fails to report the dummy sample test viruses produced by Virus Simulator, it is most likely that they are different than those required by that scanner. Unlike the test viruses produced by the MtE Supplement, the Virus Simulator and other supplements produce only dummy viruses, not real viruses. Monitor filters are TSRs (terminate and stay resident programs) that watch for suspicious virus-like activity, such as creating or writing to a program file or the boot sector or terminating with a TSR still active in memory. Virus Simulator should have no difficulty demonstrating this type of virus detector as it allows the user to actually overwrite the boot sector of the floppy disk, install a very suspicious (but safe) TSR in memory, and generate plenty of executable program files. Change monitors learn what the original program or boot sector etc. looks like and re-examines them periodically for modification. Virus Simulator and supplements can demonstrate this, since the user can actually elect to modify the floppy disk boot sector. Additionally, when the MtE dummy test programs become infected, they change substantially. You may also conduct additional tests on your system. For example, many users mistakenly believe that changing the attribute of a program to READ-ONLY will protect it from infection. You can test this using the DOS ATTRIB command for example ( C>ATTRIB +R A:\M_VIRUS\VIR_99.EXE ) will not protect the dummy files from becoming infected by the MtE simulation. The best and simplest way to protect a floppy disk from infection is to take advantage of the write protect tab. These are very effective unless yours is some how inoperative. You may wish to conduct your own test by enabling the write protect tab, and repeating the experiment. If your write protect circuitry is functional, you should not be able to make modifications to the protected disk and the MtE simulations will be unable to infect the dummy files. - - - - - - - - - - - History of Virus Simulator Virus simulator was first developed to support testing my System Monitor program. System Monitor was not a virus scanner or even a program devoted to exclusively to virus protection. There are enough things that go astray in a normal computing environment to justify System Monitor on its own. It installs in your IBM PC/XT/AT 386 or 486 Compatible computer to test and extensively monitor a number of performance indicators. Each time you use your computer, System Monitor re-evaluates the system and alerts you to any discrepancies it finds with an announcement that is hard to ignore. You install System Monitor as soon as you're confident that your computer is configured and operational. From then on, System Monitor will intervene immediately upon detecting problems, usually long before a user even suspects any difficulty. This early monitoring and detection is essential in avoiding and correcting problems before they can compound. It also provides formidable anti-virus protection. Virus Simulator can help determine which anti-virus programs are best for you. These programs can then be installed ahead of System Monitor so a virus that attempts to disable either of these programs will have the very Herculean task of disabling or circumventing them both, or risk detection by the other. The first version of Virus Simulator was only intended as a tool to assist volunteers who were beta testing System Monitor in a real world environment. Before beta testing, System Monitor had been tested in a controlled environment, using a considerable collection of real viruses. You can imagine the enthusiasm my beta testers showed to turning real viruses loose on their systems. During the beta testing of System Monitor, we discovered a real need for Virus Simulator beyond its original intention. Some virus detectors not only didn't find the simulated viruses, on closer inspection, they didn't find the real ones either. We found several cases where no security procedures were being adhered to and even though the organization had purchased site license for a very capable program. Few users had ever run it. Additionally, a virus detecting program thought to be protecting a system used to duplicate distribution disks for other offices, was found to be an obsolete version, which missed nearly all of the currently simulated viruses. No virus protection program will ever be effective without the cooperation of its users. Virus Simulator provides a means to verify adherence to established security procedures. Virus Simulator was made available to assist system administrators, end users, and educators enabling them to perform their own tests. Virus Simulator is not a replacement for the comprehensive collection of real viruses maintained by Rosenthal Engineering and other researchers for testing anti-virus programs. Viruses are a form of terrorism and require many of the same precautionary measures. Airports test the effectiveness of their security measures in much the same way. An official, disguised as a passenger, will attempt to bring a disarmed bomb through, trying to evade security measures and avoid detection. Real viruses, like real terrorists, are much more difficult to test with. The test viruses generated by these virus simulators are safe and controlled, but form a validation test suite that trigger vigilant anti-virus detectors. Not all virus detectors use the same virus signatures that Virus Simulator supplies. Some anti-virus software (like Dr. Solomons Tool Kit, TBSCAN, VShield, VirStop and others) provide their own dummy sample programs, so users can perform similar tests. Users can use these safe simulations to verify that their anti-virus measures are correctly in place and functional. Anti-virus programs that report suspicious activity (like FLUSHOT or SECURE ) should detect Virus Simulator actually overwriting the sample floppy disk boot sector, installing an unauthorized memory resident program, or modifying an executable program. Authors of viruses are very aware of how virus detectors work. As polymorphic viruses (especially the MtE mutation engine) were developed, signature scanning alone became inadequate. The Virus Simulator MtE Supplement addresses that need and some of the other comments users have brought to my attention. As more users of these programs began incorporating them into training lesson plans, and demonstrations, the additional supplements B and C were added. - - - - - - - - - - - Statistics, Probability and Making Sense of Tests Virus Simulator makes an infinite number of simulated test viruses by varying each one in a different way. This is much the same way a real virus might be discovered in the world at large. Even testing with a program infected with a real virus can not assure every combination will be examined: Is it a .COM file? .EXE? system? compressed? Is it the same for all programs or just large ones? How about files created before or after a certain date or time. What about a virus that was modified, even trivialy, offset a few bytes or changed from one message to another. Or, a virus that only attacks one vendor's brand of software. The only way to test with any kind of absolute certainty would be to perform tests with every combination and variation, and, even then, hope you didn't overlook any. Now, try that with well into many hundreds of viruses and combinations. It becomes apparent that no matter how exhaustive the tests are, they are just random, probabilistic distributions. The study of probability assumes that you know the entire population or universe from which you are going to sample. Statistics assumes that you have only a sample and that you are trying to determine, or at least guess, the parameters or characteristics of the most likely population or source from which the sample was taken. That's what Virus Simulator supplies, a large enough sample population size to establish statistical significance with some reliability. A large sample size is especially important when attempting to validate polymorphic viruses, as each sample will have a different signature. These sophisticated viruses attempt to avoid detection by altering their signatures, so it is not uncommon for several copies to escape detection. The Virus Simulator MtE Supplement attempts to generate as broad a spectrum of test samples as practical. Allowing Virus Simulator to fill a single 360 k disk should be more than adequate to support reliable testing. Although a 1.2 meg disk offers some improvement, additional disks offers diminishing benefits, as the distribution confidence interval shows an insignificant improvement beyond that point. In other words, for files... One disk ought to do it. Testing using boot sector viruses is another matter, because unlike the hundreds of files that can be created on a disk by Virus Simulator, there is only one boot sector per disk. You can generate a simulated boot sector virus onto as many different disks as you like or overwrite a single disk repeatedly. A new simulation will be generated each time. - - - - - - - - - - - Bibliography and Additional Sources of information National Computer Security Center - Guidelines for Formal Verification Systems (NCSC-TG-014) National Computer Security Center - Computer Security Subsystem Interpretation of the Trusted Computer System Evaluation Criteria (NSC- TG-009) National Computer Security Center - Rating Maintenance Phase Program Document (NCSC-TG-013) National Computer Security Center, Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria (NCSC-TG-005) Department of Defense -Trusted Computer Systems Evaluation Criteria (DOD 5200.28-STD) Richard A. Kemmerer - Verification Assessment Study Final Report, University of California Peter J. Denning, ACM Press/Addison-Wesley - Computers Under Attack: Intruders, Worms and Viruses Lance J. Hoffman, Van Nostrand Reinhold, Anne Branscomb - Rogue Programs: Viruses, Worms and Trojan Horses Springer-Verlag, David Ferbrache - A Pathology of Computer Viruses Dr. Fred B. Cohen, ASP Press - A Short Course on Computer Viruses Dr. Solomons Virus Encyclopedia - S & S International R. Burger - Computer Viruses: A High-Tech Disease Dr. Mark Ludwig - The Little Black Book of Computer Viruses Virus Bulletin Ltd - Abingdon England Virus News International Ltd. - Berkhamsted, Hertfordshire UK Computer Virus Developments Quarterly - American Eagle Pub. Inc. P.O. Box 1507, Show Low, Arizona 85901 - - - - - - - - - - - - Orders Outside the U.S. All international orders are sent by air-mail. See the order form (ORDER.FRM) for shipping and handling rates. Yes! Visa or Master Card can now be accepted and makes currency exchange to US Dollars very simple. Please be sure to make your payment in "US Dollars" either by (US) cash, Visa or Master Card, international money order or check drawn on a US member bank. Otherwise banks want a fifty dollar processing fee to cash a twenty five dollar check. Sorry, euro-checks can not be processed. Local restrictions, regulations, tariffs and taxes etc. are the responsibility of the recipient. Check with your local government. Only California state residents need include sales tax. - - - - - - - - - - - - CD-Rom, Magazine and Book Publishers Publishers are encouraged to include "Rosenthal Virus Simulator (tm)" as shareware with CD-Rom collections, books and magazines. Please contact Rosenthal Engineering directly. - - - - - - - - - - - - Anti-Virus Researchers and Product Developers Rosenthal Engineering is pleased to cooperate with anyone engaged in the development of anti-virus products. All developers are encouraged to contact Rosenthal Engineering and will be supported without prejudice. - - - - - - - - - - - - Shareware Announcement Please feel free to use and evaluate Virus Simulator without charge for 10 days. You are encouraged to copy and distribute shareware version VIRSIM##.ZIP archive freely, provided it remains unmodified, complete in it's original form, and no fee (other than a nominal copy charge) is required. The additional Virus Simulator Supplements are only available directly from Rosenthal Engineering once the single user registration fee is received. All copyrights are reserved. Once the required registration fee is received, the latest registered version of Virus Simulator along with all the Virus Simulator Supplements will be sent by priority first class mail, or international air-mail. Software License Agreement This Software is copyrighted material. It is not sold, but licensed. The registration fee must be paid before evaluation period expires or use of the software must be discontinued. You are encouraged to copy and distribute only the Virus Simulator archive VIRSIM##.ZIP file freely, provided it remains unmodified, complete in it's original form and no fee (other than a nominal copy charge) is required. This software is provided "as is" without warranty, either expressed or implied. You may not make any changes or modifications to the software and you may not decompile, disassemble, or in any way, reverse-engineer the software. This constitutes the entire agreement and understanding between the parties and supersedes any prior agreement or understanding whether oral or written and may only be modified in writing. This software is provided "as is" without warranties of any kind. Responsibility rests entirely with the user to determine its fitness for a particular purpose. ROSENTHAL ENGINEERING SHALL NOT IN ANY CASE BE LIABLE FOR SPECIAL, INCIDENTAL, CONSEQUENTIAL, INDIRECT OR OTHER SIMILAR DAMAGES ARISING FROM ANY USE OF THIS SOFTWARE. Some states may not allow these limits on warranties, so they may not apply to you. In no case shall Rosenthal Engineering's liability exceed the license fees paid by you to Rosenthal Engineering for the right to use the Licensed Software. Virus Simulator and Virus Simulator Supplements, Copyright Rosenthal Engineering 1990 - 1996. All rights reserved.