Viruses Revealed

David Harley, Robert Slade, Urs Gattiker

Osborne/McGraw-Hill
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2001 by The McGraw-Hill Companies, Inc. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

0-07-222818-0

The material in this eBook also appears in the print version of this title: 0-07-213090-3.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DOI: 10.1036/0072228180

It has been said, in regard to computer network communities, that no community is worthy of the name until it has had a wedding and a funeral. We, in the computer virus research tribe, have had both. We will not embarrass the newlyweds here. We wish, however, to dedicate this book to the memory of Ysrael Radai and Harold Joseph Highland. Their contributions to our field, and to so many others, are appreciated, and they will be sorely missed.

To the Meeter Machine, and its viral output
—Robert Slade

To my daughter Katie, my constant reminder that computer security should not be confused with real life. Now, perhaps, we’ll have time to play Monopoly. Also to my mother, Gwendoline Harley, for being an honorary parent to Katie when I had to find time for Baby Book.
—David Harley

Dedicated to my friends Inger Marie, Melanie, Lars, Rainer, Stefano, and all my current and past students who continue in keeping me going when obstacles seem insurmountable.
—Urs Gattiker

Table of Contents

Foreword
About the Authors
Acknowledgments
Introduction

I The Problem

Baseline Definitions
  Computer Virus Fact and Fantasy
  Definitions
  Viruses and Virus Mechanisms
  Virus Structure
  Damage
  Damage Versus Infection
  Stealth Mechanisms
  Polymorphism
  What Is This, a UNIX Textbook?
  Diet of Worms
  Trojan Horses
  In the Wild
  Instant Guide to Anti-Virus Software
  Summary

Historical Overview
  Virus Prehistory: Jurassic Park to Xerox PARC
  Wormholes
  Core Wars
  The Xerox Worm (Shoch/Hupp Segmented Worm)
  Real Viruses: Early Days
  1981: Early Apple II Viruses
  1983: Elk Cloner
  1986: © BRAIN
  1987: Goodnight Vienna, Hello Lehigh
  1988: The Worm Turns
  The Internet Age
  1989: Worms, Dark Avenger, and AIDS
  1990: Polymorphs and Multipartites
  1991: Renaissance Virus, Tequila Sunrise
  1992: Revenge of the Turtle
  1993: Polymorphism Rules
  1994: Smoke Me a Kipper
  1995: Microsoft Office Macro Viruses
  1996: Macs, Macros, the Universe, and Everything
  1997: Hoaxes and Chain Letters
  1998: It’s No Joke
  1999: Here Comes Your 19th Server Meltdown
  2000: Year of the VBScript Virus/Worm
  And So It Goes
  Summary

Malware Defined
  What Computers Do
  Virus Functionality
  Application Functionality Versus Security
  In-the-Wild Versus Absolute Big Numbers
  What Do Anti-Virus Programs Actually Detect?
  Viruses
  Worms
  Intendeds
  Corruptions
  Germs
  Droppers
  Test Viruses
  Generators
  Trojans
  Password Stealers and Backdoors
  Jokes
  Remote-Access Tools (RATs)
  DDoS Agents
  Rootkits
  False Alarms
  Summary

Virus Activity and Operation
  How Do You Write a Virus?
  Tripartite Structure
  Infection Mechanism
  Trigger
  Payload
  Replication
  Non-Resident Viruses
  Memory-Resident Viruses
  Hybrid Viruses
  Generality, Extent, Persistence
  Payload Versus Reproduction
  Damage
  Impact of Viral Infection on the Computing Environment
  Direct Damage from Virus and Trojan Payloads
  Psychological and Social Damage
  Secondary Damage
  Hardware Damage
  Ban the Bomb
  Logic Bombs
  Time Bombs
  ANSI Bombs
  Mail Bombs and Subscription Bombs
  Summary

Virus Mechanisms
  Hardware-Specific Viruses
  Boot-Sector Infectors
  The Boot Zone
  File Infectors
  Prependers and Appenders
  Overwriting Viruses
  Misdirection
  Companion (Spawning) Viruses
  Multipartite Viruses
  Interpreted Viruses
  Macro Viruses
  Scripting Viruses
  Concealment Mechanisms
  Stealth
  Polymorphism
  Social Engineering and Malware
  Summary

II System Solutions

Anti-Malware Technology Overview
  Great Expectations
  How Do We Deal with Viruses and Related Threats?
  Pre-emptive Measures
  What Does Anti-Virus Software Do?
  Beyond the Desktop
  Outsourcing
  Summary

Malware Management
  Defining Malware Management
  Proactive Management
  Reactive Management
  Cost of Ownership Versus Administration Costs
  Summary

Information Gathering
  How Can I Check Whether Advice Is Genuine or Useful?
  Books
  The Good
  The Bad (or Mediocre, at Least)
  The Really and Truly Ugly
  Related Topics
  General Security
  Legal
  Ethics
  Fiction
  Articles and Papers
  Online Resources
  Mailing Lists and Newsgroups
  Free Scanners
  Online Scanners
  Encyclopaedias
  Virus Hoaxes and False Alerts
  Evaluation and Reviews
  Anti-Virus Vendors
  General Resources
  Various Articles
  General Advice
  Specific Viruses and Vulnerabilities
  General Security References

Product Evaluation and Testing
  Core Issues
  Cost
  Performance
  It’s Not My Default
  Disinfection and Repair
  Compatibility Issues
  Functional Range
  Ease of Use
  Configurability
  Testability
  Support Functions
  Documentation
  Outsourced Services
  Test Match
  Detection Versus Usability
  Other Ranks
  Upconversion
  It’s All Happening in the Zoo
  We Like EICAR

Index

Concealment mechanisms, 123–134 malware, 132–134 polymorphism, 129–131 social engineering, 132–134 stealth technology, 126–129 Concept, 377–383 viruses, 38–39 Conduct Codes of, 544–547 developing Codes of, 540–541 minimum Codes of, 540–541 Configurability, 262–263 Contributors, primary, 568–607 Conventional morality, 528 Convergence is going to get worse, 555 Cookie programs, 71–72 Copying data files, 597 Core Wars, 19–20 Corruptions, 63–64 Costs cost of ownership versus administration, 186–190 management, 306–309 of ownership versus administration costs, 186–190 product evaluation and testing, 239–244 CRC (cyclic redundancy check), 126, 155, 259–260 Criminal proceedings, grounds for, 493–495 Cross-national differences, 531–532 CSS (content scrambling system), 525 Cultural norms, 526–532 CVC (Computer Virus Catalog), 569

D
Daemons defined, 348 Damage, 7–8, 96–100 direct damage from Trojan payloads, 97–98 direct damage from virus payloads, 97–98 hardware, 99–100 impact of viral infection on computing
environment, 96–97 primary, 96 psychological, 98 secondary, 98–99 social, 98 Damage versus infection, 8–9 DAME (Dark Angel’s Multiple Encryption), 36 DAME (Dark Avenger’s Mutating Engine), 131 Dark Avenger, 30–32, 35 Data back up, 292 backing up, 360 versus programs, 378–379 Data diddling defined, 182 Data files copying, 597 virus infecting, 591–592 Data processing, 499 Data Protection Act, UK’s, 497, 498 Data protection legislation, 497–498 Data protection principles, 498–500 Datacomp, Welcome, 618 DBR (DOS Boot Record), 364 DDoS (Distributed Denial of Service), 42, 43–44, 557 DDoS (distributed denial of service) agents, 75–77 DEC (Digital Equipment Corporation), 28 Definitions, baseline, 3–4, 5–16 Demographics, 523–526 age, 523–525 gender, 525–526 Departments, heads of, 316 Desktop, beyond, 162–169 Detecting new viruses, 579 Detection adding for every virus, 57 distinction between disinfection and, 16 intrusion, 168–169 one hundred percent effective, 155 versus usability, 270 Detection software, generic, 144 Development, 183–184 Diagnosing viruses, 574 Diagnostic utility, PC, 606 DIR-II virus, 117 DIR | MORE, 606–607 DIR, performing of infected floppy disks, 596–597 DIR, using, 606–607 Disinfecting, 594–595 Disinfection, 152, 359 and repair, 253–255 Disinfection and detection, distinction between, 16 Disk file system, hard, 582 Disk to clean PC’s hard disk, infected floppy, 597 Disks compressed, 252 infected floppy disk cleaning PC’s hard, 597 infecting nonbootable DOS floppy, 589–590 performing DIR of infected floppy, 596–597 Disks, cleaning of viruses on all, 294 Distribution secondary, 455–456 virus origin and, 439–459 DMV (Document Macro Virus), 388–389 Document library, 178 Documentation, 267–269 DOS command FDISK, 109 DoS (Denial of Service), 43–44, 75, 557, 631 DOS (Disk Operating System), 44 protection systems in DR, 585 three main types of executable programs, 113 DOS floppy disks, infecting nonbootable, 589–590 DOS session, DOS session infecting
another, 597–598 DOS system, infection and 639KB memory on one’s, 580–581 DOS virus surviving and spreading on OS/2 system, 597 DOS viruses common, 581–582 working under MS Windows, 598 DR DOS, protection systems in, 585 Draconians, 291–292 Droppers, 64–65 DRPs (disaster recovery plans), 181 DSL (Digital Subscriber Line), 327 Dual-infection viral programs, 120 Dumpster diving, 634

E
Ease of use, 261–262 EAVEP (EICAR Anti-Virus Enhancement Program), 142 Eavesdropping/surveillance, 633 Education and basic policies, 554–555 does it work?, 456–458 global, 458–459 and training, 315–319 training and information provision, 178 EICAR (European Institute of Anti-Virus Research), 142, 541–543 installation test file, 618–619 string, 277–280 EICAR (European Institute of Anti-Virus Research) code, 541–543 Article 1: public interest, 542 Article 2: legal compliance, 542–543 Article 3: duty to employers, clients, and colleagues, 543 Article 4: duty to the profession, 543 Article 5: specialist competence, 543 Electronic leftovers, 634 Elk Cloner, 23 Email getting viruses from reading, 598–599 policy, 514 Encryption, 252–253 Encyclopaedias, 218 End users and responsibility, 533–535 Engines, polymorphic, 130, 131 Epidemiology, and computers, 36–37 EPO (Entry Point Obscuring), 422 Esperanto virus, 401–402 Esperanto.4733, 618 Ethical hacking, 451 Ethics commercial, 538–539 and familiarity, 532–533 introduction to computer, 318 two-minute guide to, 520–523 and vendors, 536–537 Ethics, responsibility and morality, 519 Codes of conduct, they make a difference?, 544–547 cultural and national norms, 526–532 demographics, 523–526 developing codes of conduct, 540–541 no harm, 539–540 EICAR (European Institute of Anti-Virus Research), 541–543 Is anti-virus a profession?, 535–536 Evaluation and reviews, 220 Evaluation, product, 237–281 Excel viruses, 392–393 Executables, compressed, 252 Expanded RAM, viruses hiding in, 591 Extended RAM, viruses hiding in, 591 Extensions, file-type, 84 Extent
defined, 93–94

F
False alarms, 77–78, 156 False alerts Good Times most famous of all, 374 virus hoaxes and, 218–220 False negatives, 576–577 False positives, 576–577 FAQs (Frequently Asked Questions), 38 FAQs (Frequently Asked Questions) on VIRUS-L/comp.virus, 567–607 FAT (File Allocation Table), 117, 339 FCC (Federal Communications Commission), 473 FDISK, DOS command, 109 FDISK/MUMBLE, contraindication of, 362–363 Feliz Navidad, 47 File infectors, 112–119 appenders, 114–115 companion (spawning) viruses, 118–119 Mac-specific system and, 611–614 misdirection, 117 overwriting viruses, 115–117 prependers, 114–115 File system garbled, 582 File system, HPFS, 597 Files checking, 189 copying data, 597 EICAR installation test, 618–619 protecting from viruses, 584–585 virus infecting data, 591–592 viruses hiding in JPEG, 599–600 zipped, 251 File’s attributes, setting to read-only, 584 Files, viruses hiding in GIF, 599–600 Firewall scanning, 167–168 Firmware settings, 146 Flight simulator, 68–69 Flip viruses infection, 604 Floppies, booting from clean, 604–606 Floppy disk to clean PC’s hard disk, infected, 597 Floppy disks infecting nonbootable DOS, 589–590 performing DIR of infected, 596–597 write-protect tab on, 586 Forbidden, what is, 315–316 FormatC, 389 Free scanners, 216–217 Free software, avoiding, 595 Freelinks, VBS, 413 FUD (Fear, Uncertainty, Doubt), 510 Functions, support, 264–267

G
Games, avoiding, 595 Gateway scanning, 166–167 GenB virus, 604 Gender, 525–526 Generality defined, 93–94 Generators, 65–66 Generic solutions, 153–158 GenP virus, 604 Germs, 64 Ghost positive alerts, 579 GIF files, viruses hiding in, 599–600 Global education, 458–459 Goals, anti-virus, 141–142 Good Times, 374–377 most famous of all false alerts, 374 GPFs (General Protection Faults), 97 Grammar and spelling, errors, 37 Green Stripe, 389–390 Guru, local anti-virus, 507

H
Hacking, ethical, 451 Hacking, people, 632–634 being sociable, 633 dumpster diving, 634
eavesdropping, 633 electronic leftovers, 634 inappropriate access, 633 phone phonies, 633–634 shouldersurfing, 632 surveillance, 633 Happy99, 410–411 Hard disk disappearance of, 604 file system, 582 infected floppy disk cleaning PC’s, 597 write-protecting with software, 583 Hard drives, 581 Hardware damage, 99–100 protection, 583–584 solutions, 147 Hardware-specific viruses, 104–109 boot-sector infectors, 105–109 Hare, 399–400 Harm, no, 293 Help Desk advice to users, 297–298 attacks on, 635 investigations, 295–296 staff, 507 staff responsibilities, 507–508 support, 311–313 targeting, 634–635 Heuristic analysis, 159 Heuristics, hoax identification, 472–481 Hex guidelines, safe; See Safe hex guidelines HFS (Hierarchical File System), 405 High Memory area viruses hiding in PC’s, 591 Historical overview, 17–49 Internet age, 30–48 real viruses: early days, 22–30, 22–30 and so it goes, 48–49 virus prehistory: Jurassic Park to Xerox PARC, 18–21 HLLs (high-level languages), 83, 86 Hoax alerts, handling, 488–489 Hoax identification heuristics, 472–481 Hoax management, 329–331 Hoax virus alerts, motivations for, 454–455 Hoax viruses described in terms of technobabble, 469 Hoaxes, 465 and chain letters, 40, 466 JPEG, 469–470 modem virus, 365–366 passing on virus, 455–456 and related nuisances, 461–490 SULFNBK, 560 virus, 37, 218–220 and virus alerts, 466–468 Hostile software, protection from, 501 HPFS file system, 597 HTML (Hypertext Markup Language), 406 HTTP (HyperText Transfer Protocol), 165 Hybrid viruses, 92–93 HyperCard infectors, 614–615

I
Identification, virus, 299, 574 IDS (intrusion detection systems), 169 IIS (Internet Information Server), 561, 562 Incident management, 184–186, 283–285 best form of defense is preparation, 286–294 reported virus incidents, 295–300 Incidents, dealing with virus, 297–299 Incidents, reported virus, 295–300 dealing with virus incidents, 297–299 general protective policies, 299 Help Desk investigations, 295–296 virus
identification, 299 Inexpertise, technical, 317 Infecting nonbootable DOS floppy disks, 589–590 Infecting; See Disinfecting Infection versus damage, 8–9 of DOS, 581–582 flip viruses, 604 Michelangelo virus, 603 on one’s DOS system, 580–581 Stoned virus, 602, 603 and subdirectories, 581 Infections indications of virus, 573 Ohio, 338 scanners reporting, 579 Infectors boot-sector, 105–109 file, 112–119 HyperCard, 614–615 Mac-specific system and file, 611–614 PE (Portable Executable), 400 Information gathering, 174–177, 193–234 articles and papers, 206–214 books, 196–206 genuine advice, 194–196 online resources, 214–234 useful advice, 194–196 Information gathering, online resources, anti-virus vendors, 220–221 Information provision, education, training and, 178 Information resources, Macintosh, 619–623 Information security, classic tripod model of, 445 Injustice, 429 Insurance and security, 304 and viruses, 304–305 Integrity checkers, 155 checking, 259–261 Intendeds, 62–63 Internet age, 30–48 AIDS, 30–32 Dark Avenger, 30–32 here comes one’s 19th server meltdown, 41–43 hoaxes and chain letters, 40 it’s no joke, 40–41 Macs, macros, universe, and everything, 39 Microsoft Office macro viruses, 38–39 polymorphism rules, 36–37 polymorphs and multipartites, 32–33 Renaissance virus, Tequila Sunrise, 33–34 revenge of turtle, 34–36 smoke me a kipper, 37–38 worms, 30–32 year of VBScript virus/worm, 43–48 Internet servers, 165–166 Internet worms, 347–352 Interpreted viruses, 121–123 Intranet servers, 165 Intruders, what they want to know, 631–632 Intrusion detection systems, 168–169 Iraqi printer virus, 366–369 IRC (Internet Relay Chat), 42, 48, 411 IRQ (Interrupt ReQuest), 606 (ISC) (International Information Systems Security Certification Consortium, Inc.), 195 ISO 9000, 505 ISPs (Internet service providers), 512 Israeli virus, 353 IT security, 630–631 and other units, 314–315 IT support staff, miscellaneous, 314 ITAA (Information Technology Association of America) Foundation, 459 ITAA (Information Technology Association of America), 570

J
Jerusalem virus, 353–355 Job, nuke one’s, 385 Joke/prank programs, 40–41 Jokes, 71–74 JPEG files, viruses hiding in, 599–600 JPEG hoax, 469–470 JPL (Jet Propulsion Laboratory), 365 Jurassic Park to Xerox PARC, 18–21 Justice, 429

K
KAKworm, 44, 420–421 Knowledge, domain of conventional, 522 Known-virus scanners, 77 Known viruses, 568–569 KVS (Known Virus Scanning), 15, 143

L
LAN servers, 162–165 Languages, macro, 133 LANs (local area network), 163 LANs (local area networks), 21, 128, 162 and stopping viruses, 586 Law, and malware, 492–493 Legal and quasilegal imperatives, 491–518 Legislation data protection, 497–498 eight principles that underpin UK, 499–500 Lehigh viruses, 26, 93, 346–347 Letters chain, 463–464, 488–489 hoaxes and chain, 40 motives for starting chain, 453–454 Level, to next, 381 LIFE_STAGES, 45 Lindose/Winux, 432, 561–562 Linux/Adore (Linux/Red), 431–432 Linux/Lion, 431 Linux viruses, 578 Linux worms, 430–432 Lion, Linux/, 431 Lists mailing, 215–216 VIRUS-L mailing, 452 Love Bug, 133, 396, 414, 416 LoveLetter, VBS, 414–416

M
Mac and viruses, 609–627 Mac books, 620 Mac-related newsgroups, 619 Mac-specific viruses, 610–617 Mac Trojan Horses, 615–616 Mac troubleshooting, 623–624 Mac Virus, questions received at, 624–627 MacMag virus, 339–343 Macro languages, 133 Macro techniques anti-, 397–399 See also Anti-macro techniques Macro virus information resources, 622 Macro virus nomenclature, 396–397 Macro viruses, 121–122 detecting, 386 Macro viruses, Microsoft Office, 38–39 FAQs (Frequently Asked Questions), 38 figures, 38 proof of concept, 38–39 Macro viruses, Trojans, and variants, 616–617 Macs macros, universe, and everything, 39 we love, 415 MacSimpsons, 562 Magistr@mm, W32/, 432–433 Mail management, 349 Mail policy, anti-chain, 515 Mailing lists and newsgroups, 215–216 VIRUS-L, 452 Mainframe computers and susceptible to computer viruses, 592–594
Maintenance, preventive, 290–293 back up data, 292 back up software changes, 293 Malware, 132–134 and law, 492–493 nonreplicative, 189 Malware defined, 51–79 in-the-wild versus absolute big numbers, 54–57 virus functionality, 53–54 what anti-virus programs actually detect, 57–78 what computers do, 52–53 Malware management, 171–191 defining, 172–186 proactive, 319–320 Malware management, defining proactive management, 173–184 reactive management, 184–186 Malware technology; See Anti-malware technology Management costs, 306–309 defining malware, 172–186 incident, 184–186, 283–285 mail, 349 malware, 171–191 metaviruses and user, 486–489 proactive, 173–184 proactive malware, 319–320 reactive, 184–186 risk, 283–285, 285–286 taking malware-related threats seriously, 316 user, 301–331 virus, 142 Managers, managing, 303–305 policies count, 303–304 security and insurance, 304 viruses and insurance, 304–305 Mandragore, 559–560 MBR (Master Boot Record), 364, 603 don’t monkey with, 362–364 MBR viruses, removing, 575 Mechanisms, virus, 103–135 Melissa, 406–410 Memories, viruses hiding in PCs CMOS, 590 Memory and DOS system, 580–581 Memory area, viruses hiding in PC’s High, 591 Memory on one’s DOS system, infection and 639KB, 580–581 Memory-resident viruses, 91–92 Metaviruses and user management, 486–489 handling spam, chain letters, and hoax alerts, 488–489 What should I tell my customers?, 487–488 Metaviruses, hoaxes, and related nuisances, 461–490 chain letters, 463–464 chain letters and hoaxes, 466 hoaxes, 465 hoaxes and virus alerts, 466–468 metaviruses and user management, 486–489 misinformation under microscope, 468–481 spam, spam, spam, 481–484 spamology and virology, 484–486 ULs (Urban Legends), 465–466 Michelangelo, monkey, and Stoned variants, 357–361 Michelangelo roulette defined, 360 Michelangelo virus, 34–35, 603 Microsoft holds source code for operating system, 149 security weaknesses, 150 Microsoft Office macro viruses, 38–39 Microsoft Windows, 148–149
Misdirection, 117 Misuse Act, Computer, 495–496 Modem virus hoaxes, 365–366 Monkey, 362 Monkey, and Stoned variants, Michelangelo, 357–361 Morality conventional, 528 personal domain of, 522 post-conventional, 528 pre-conventional, 528 Morality and ethics, responsibility, 519 Codes of conduct, they make a difference?, 544–547 cultural and national norms, 526–532 demographics, 523–526 developing codes of conduct, 540–541 no harm, 539–540 EICAR (European Institute of Anti-Virus Research), 541–543 Is anti-virus a profession?, 535–536 Morris worm, 347–352 Motivational factors, 530–531 MS Windows, DOS viruses working under, 598 MSAV (Microsoft Anti-Virus), 36 MSD (Microsoft Diagnostics), 295 MtE (Mutating Engine), 130, 131 MTX (Matrix, Apology), 421–424 W95, 46 Multipartite viruses, 119–120 Multipartites, and polymorphs, 32–33

N
Naked Wife, 425 National issues, 527–530 National norms, 526–532 Navidad, 46–47 W32/, 425–427 NDA (Non-Disclosure Agreement), 383 NED (Nuke Encryption Device), 36 Negatives, false, 576–577 Network administration, systems and, 179–183 New viruses; See Viruses, new NewLove-A, VBS/, 417–418 Newsgroups Mac-related, 619 and mailing lists, 215–216 Next level, to, 381 911 worm, 418–419 NLM (NetWare Loadable Module), 163 Non-resident viruses, 91 Nonreplicative malware, 189 NOP (no-operation), 274 NOP (null operation), 130 Noped, Poly/, 559 Norms, cultural and national, 526–532 cross-national differences, 531–532 motivational factors, 530–531 national issues, 527–530 NSA (National Security Agency), 284, 351 Nuclear virus, 384–387 Nuke one’s job, 385 Numbers illegality of, 556 in-the-wild versus absolute big, 54–57 Numerals, substitution of, 385

O
OCR (Optical Character Recognition), 302 Octopii, and virii, 60 OEM (original equipment manufacturing), 379 Offices, 288–290 Ohio, 339 Ohio infection, 338 OLE (Object Linking and Embedding), 592 On-access scanning, 160–162, 258–259 On-demand scanning, 159–160, 256–258 Online resources,
214–234 encyclopaedias, 218 evaluation and reviews, 220 free scanners, 216–217 general advice, 223 general resources, 221–222 general security references, 227–234 mailing lists and newsgroups, 215–216 online scanners, 217 specific viruses and vulnerabilities, 223–227 various articles, 222–223 virus hoaxes and false alerts, 218–220 Online resources, general security references, 227–234 encryption, 228 miscellaneous, 230–233 NT security, 234 port scanners, 229–230 security agencies, 228–229 spam, unsolicited commercial Email, etc, 227–228 Web information grabbers, 229–230 Online scanners, 217 Operating system, Microsoft holds source code for, 149 Origin and distribution, virus, 439–459 OS/2 2.0+, 597–598 OS/2 system, DOS virus surviving and spreading on, 597 Outlines, policy, 511–517 Outlook View Control, 562 Outsourced services, 269 Outsourcing, 169–170 Overkill, 294 Overwriting viruses, 115–117

P
Papers, articles and, 206–214 PARC, Jurassic Park to Xerox, 18–21 Password/access control systems, 584–585 Password practices, 638–640 Password stealers, 448 Password stealers and backdoors, 70–71 Passwords best practices, 639–640 disclosing one’s, 635 good systems enforcement practice, 638–639 Payloads activation of, 90 direct damage from Trojans, 97–98 direct damage from virus, 97–98 versus reproductions, 94–95 usage of, 89 PC boot sequence, typical, 111 PC diagnostic utility, 606 PC scripting viruses, 618 PC viruses on emulated PCs, 617 PCs CMOS memories, viruses hiding in, 590 PC’s hard disk, infected floppy disk cleaning, 597 PC’s High Memory area, viruses hiding in, 591 PC’s Upper Memory, viruses hiding in, 591 PDAs (Personal Digital Assistants), 43 PE-EXE (Portable Executables), 114 PE (Portable Executable) infector, 400 People hacking, 632–634 Performance, product evaluation and testing, 245–251 Peripherals, use of as viral vectors, 125 Persistence defined, 93–94 Personnel, systems management, 507 PGP (Pretty Good Privacy), 486 Phone phonies, 633–634 PIN
(personal identity number), 71 PKI (Public Key Infrastructure), 253 Platform identifiers, common, 396 Platform, range of term, 93 Platforms and viruses, 32 Policies anti-chain mail, 515 anti-spam, 515–516 anti-virus, 506–507, 516–517 education and basic, 554–555 Email, 514 general protective, 299 standards, guidelines and, 177–178 worthiness of, 508–509 Policy issues, 309–311 Policy outlines, 511–517 anti-chain mail policy, 515 anti-spam policy, 515–516 anti-virus policy, 516–517 use of Email, 512–515 use of facilities and resources, 512 use of World Wide Web and USENET, 516 Poly/Noped, 559 Polymorphic engines, 130, 131 Polymorphism, 10, 129–131 rules, 36–37 threat of, 131 and worms, 131 Polymorphs and multipartites, 32–33 Positive reinforcement, 319 Positives, false, 576–577 Post-conventional morality, 528 Practice, Code of, 501, 503–504 Pranks spreading Trojans, 74 spreading viruses, 74 Pre-conventional morality, 528 Pre-emptive measures, 143, 144–151 Predictions, 552–553 Prehistory, virus, 18–21 Core Wars, 19–20 wormholes, 19 Xerox worm (Shoch/Hupp segmented worm), 20–21 Preparation, best form of defense is, 286–294 computers, 287–288 no harm, 293 offices, 288–290 preventive maintenance, 290–293 Prependers, 114–115 Press, stop, 557–564 PrettyPark, 411–412 Preventive maintenance, 290–293 back up data, 292 back up software changes, 293 Primary contributors, 568–607 Primary damage, 96 Printer status report bits, 367 Printer virus, Iraqi, 366–369 Privileges, restriction of, 180 Proactive malware management, 319–320 Proactive management, 173–184 Problem, who owns, 312 Product evaluation and testing, 237–281 core issues, 238–269 further information, 280–281 test match, 269–280 Product evaluation and testing, core issues compatibility issues, 255–256 configurability, 262–263 cost, 239–244 disinfection and repair, 253–255 documentation, 267–269 ease of use, 261–262 functional range, 256–261 it’s not my fault, 251–253 outsourced services, 269 performance, 245–251 support 
functions, 264–267 testability, 264 Product evaluation and testing, test match, 269–280 detection versus usability, 270 EICAR string, 277–280 it’s all happening in zoo, 273–277 miscellaneous ranks, 270–271 upconversion, 271–273 Production, payload versus, 94–95 Prolin/Shockwave/creative, 47 Proof of concept viruses, 38–39 Protection data, 497–498, 498–500 hardware, 583–584 systems in DR DOS, 585 Protective policies, general, 299 Psychological damage, 98

Q
QA (quality assurance), 505 Quasilegal imperatives, legal and, 491–518 BS7799 and virus controls, 500–504 data protection legislation, 497–498 data protection principles, 498–500 grounds for criminal proceedings, 493–495 ISO 9000, 505 malware and law, 492–493 policy outlines, 511–517 security architecture, 505–511 some broad concepts, 496 UK’s Computer Misuse Act, 495–496

R
RAM, viruses hiding in Expanded, 591 Ramen, 430–431 RAS (Remote Access Service), 41 RATs (Remote-Access Tools), 71, 74–75, 516 Reactive management, 184–186 Read-only, setting file’s attributes to, 584 Real viruses: early days, 22–30 Reinforcement, positive, 319 Remote-control software, 74 Removing MBR viruses, 575 viruses, 574–576 Renaissance virus, 33–34 Replication, 90–93 hybrid viruses, 92–93 memory-resident viruses, 91–92 non-resident viruses, 91 Responsibility anti-virus administrator’s sphere of, 180 and end users, 533–535 Responsibility, morality and ethics, 519 Codes of conduct, they make a difference?, 544–547 cultural and national norms, 526–532 demographics, 523–526 developing codes of conduct, 540–541 no harm, 539–540 EICAR (European Institute of Anti-Virus Research), 541–543 Is anti-virus a profession?, 535–536 Retailers, computer, 156 Reviews, evaluation and, 220 REVS (Rapid Exchange of Virus Samples), 43 Risk analysis, 174–177 Risk/impact analysis, 305–306 Risk management, 283–285, 285–286 best form of defense is preparation, 286–294 reported virus incidents, 295–300 Rootkits, 77 RTF is not panacea,
558–559 RTF (Rich Text Format), 323, 558

S
Sadmind, 561 Safe hex guidelines, 320–329 anti-virus vendor lists, 327 back up, back up, back up, 328–329 be cautious with office documents, 322 checking all alerts and warnings, 320 continue to use anti-virus software, 323 disable floppy booting, 324 disable Windows scripting host, 326 don’t install unauthorized programs, 322 don’t rely on anti-virus software, 327–328 don’t trust attachments, 320–321 introduce generic mail screening, 326 keep one’s anti-virus software updated, 323 Microsoft security resources, 326–327 office avoidance, 325 reconsidering news software, 325–326 reconsidering one’s Email, 325–326 scan everything, 327 show all file extensions in Windows Explorer, 326 super-users aren’t super-human, 324 take care in newsgroups and on Web, 321–322 up to date doesn’t mean invulnerable, 324 use and ask for safer file formats, 323 write-protect diskettes, 324 Safer computing, 320 Safety, configuring for, 300 Scanners, 151 free, 216–217 known-virus, 77 online, 217 reporting infections, 579 virus, 296, 578–579 Scanning firewall, 167–168 gateway, 166–167 on-access, 160–162, 258–259 on-demand, 159–160, 256–258 Scanning, virus-specific, 158–162 on-access scanning, 160–162 on-demand scanning, 159–160 Scores virus, 343–345 Script viruses, 412–413 Scripting viruses, 122–123 Scripting viruses, PC, 618 Secondary damage, 98–99 Secondary distribution, 455–456 Sectors boot, 125 overwriting boot, 359 Secure software, 148–151 Security application functionality versus, 53–54 breaches of, 316 classic tripod model of information, 445 and insurance, 304 IT, 630–631 Security architecture, 505–511 implementation and configuration, 510–511 responsibility for security in given context, 509 systems that are protected, 509 Security issues, unwarranted interest in, 635–636 Security specialists, 553–554 Self-checking code, 601–602 Semi-altruistic, 536 Semi-Trojan defined, 319 Sendmail program, 350 Server meltdown, here comes one’s
19th, 41–43 Servers Internet, 165–166 intranet, 165 LAN, 162–165 Services, outsourced, 269 Setting file’s attributes to read-only, 584 ShareFun, 395 Shareware, avoiding, 595 Shoch/Hupp segmented worm, 20–21 Shockwave virus, 47 Shouldersurfing, 632 SIGs (special interest groups), 267 Simulator, flight, 68–69 Sircam, 563–564 639 KB total memory on one’s DOS system, 580–581 SLAs (Service Level Agreements), 265 SMEG (Simulated Metamorphic Encryption Engine), 373 SNAFU, 471 Sociable, being, 633 Social damage, 98 Social engineering, 45, 132–134, 442–444, 629–640 attacks on Help Desk, 635 disclosing one’s passwords, 635 getting further information, 640 good password practice, 638 How big is risk?, 636 IT security, 630–631 password practices, 638–640 people hacking, 632–634 targeting Help Desk, 634–635 unwarranted interest in security issues, 635–636 What are solutions?, 636–638 what intruders want to know, 631–632 Social engineering definitions, 444–450 password stealers, 448 this time it’s personal, 449–450 Software avoiding free, 595 change-detection, 151, 157 function of anti-virus, 151–162 generic detection, 144 instant guide to anti-virus, 15–16 protecting computer system with, 582–583 protection from hostile, 501 remote-control, 74 secure, 148–151 technological aspects of anti-virus, 143 use of reputable anti-virus, 502–503 virus-specific, 143 Windows and using other, 150 write-protecting hard disk with, 583 Software changes, back up, 293 Solitaire, forget, 68–69 Source codes, 121 Spam, handling, 488–489 Spam, spam, spam, 463, 481–484 common themes, 484 motivations, 482–484 Spamology and virology, 484–486 Spawning viruses, 118–119 Specialists, security, 553–554 Spelling and grammar, errors in, 37 Spelling, idiosyncratic approach to, 385 Spreadsheet viruses, experimental, 133 Stages of Life, 45, 419, 420 Stages, VBS/, 419–420 Standards, policies, and guidelines, 177–178 Stealers, password, 448 Stealth mechanisms, 9–10, 127 Stealth technology,
124, 126–129 tunnelling, 128–129 Steganography defined, 599 STO (Security Through Obscurity), 129 Stoned variant, Michelangelo, monkey, and, 357–361 Stoned virus, 356 Stoned virus infection, 602, 603 Stop press, 557–564 Cheese, 561 Code Red/Bady, 562–563 Lindose/Winux, 561–562 MacSimpsons, 562 Mandragore, 559–560 Outlook View Control, 562 Poly/Noped, 559 RTF is not panacea, 558–559 Sadmind, 561 Sircam, 563–564 SULFNBK hoax, 560 Strategic subfunction, 174–178 Subdirectories and infection, 581 infinite loops of, 581 Subfunction, strategic, 174–178 SULFNBK hoax, 560 Support functions, 264–267 Support staff, miscellaneous IT, 314 Surveillance, 633 System users, knowledge by, 309–310 Systems and network administration, 179–183 Systems management personnel, 507 T TCO (Total Cost of Ownership), 244 TCP/IP (Transmission Control Protocol/Internet Protocol), 165 Technical inexpertise, 317 Technologies, stealth, 124 Tequila viruses, 33–34, 356 Test file, EICAR installation, 618–619 Test match, 269–280 Test viruses, 65 Testability, 264 Testing, product, 237–281 Threats covering potential future, 318 viruses and related, 143–170 Tools miscellaneous, 261 upgrading anti-virus, 600 Tools, existing, 557 TPE (Trident Polymorphic Engine), 36, 131 Training and education, 315–319 Training and information provision, education, 178 Transparency, absolute, 188 Transparency defined, 127 Tripartite structure, 87–90 infection mechanism, 87–88 payload, 88–90 trigger, 88 Trojan, AIDS, 355–356 Trojan horses, 12–13, 66 defined, 572 Mac, 615–616 original, 132 Trojan payloads, direct damage from, 97–98 Trojaned, 66 Trojanized, 66 Trojans, 57, 66–70 backdoor, 71 defined, 67 macro viruses and, 616–617 pranks spreading, 74 Troubleshooting, Mac, 623–624 TSR (Terminate and Stay Resident) programs, 161, 339 Tunnelling, 128–129 U UK legislation, eight principles that underpin, 499–500 UK’s Data Protection Act, 497, 498 ULs (Urban Legends), 465–466 Unbootable, computers become, 603 UNIX systems, virus 
scanners for, 578–579 UNIX textbook, 10–12 Upconversion, 271–273 Update viruses, 47–48 Upgrading anti-virus tools, 600 Upper Memory, viruses hiding in PC’s, 591 URLs (Uniform Resource Locators), 214 Usability, versus detection, 270 Use, ease of, 261–262 USENET, use of, 516 User management, 301–331 education, 315–319 Help Desk support, 311–313 hoax management, 329–331 IT security and other units, 314–315 management costs, 306–309 managing managers, 303–305 and metaviruses, 486–489 miscellaneous IT support staff, 314 policy issues, 309–311 positive reinforcement, 319 proactive malware management, 319–320 risk/impact analysis, 305–306 safe hex guidelines, 320–329 training, 315–319 Users end, 533–535 Help Desk to advice to, 297–298 knowledge by system, 309–310 Utility, PC diagnostic, 606 V Value-added virus, 410–411 VBA (Visual Basic for Applications), 39, 121, 176, 245, 379 VBS/First, 412–413 VBS/Freelinks, 413 VBS/LoveLetter, 414–416 VBS/NewLove-A, 417–418 VBS/Stages, 419–420 VBS/Staple.a@mm, 429–430 VBS/VBSWG.J@mm (Anna Kournikova), 428–429 VBS (Visual Basic Script) file, 84 VBScript virus/worm DDoS and DDon’ts, 43–44 how was it for you?, 44 KAKworm, 44 Navidad, 46–47 Prolin/Shockwave/creative, 47 social engineering, 45 Stages of Life, 45 test match, 45–46 update viruses, 47–48 W95/MTX (Matrix, Apology), 46 VBScript virus/worm, year of, 43–48 VCL (Virus Creation Laboratory), 34, 66 Vendors, 220–221, 536–537 Vienna virus, 26 Viral infection, impact on computing environment, 96–97 Viral programs dual-infection, 120 self-encrypting, 130 VIRDEM, 26 Virii and octopii, 60 Virology, and spamology, 484–486 Virus activity and operation, 81–102 Virus alerts and hoaxes, 466–468 motivations for hoax, 454–455 Virus Bulletin, 621–622 Virus-busters, 289 Virus controls, BS7799 and, 500–504 Virus functionality, 53–54 Virus hoaxes, 37 modem, 365–366 passing on, 455–456 Virus hoaxes and false alerts, 218–220 Virus identification, 299 Virus incident checklist, 298–299 Virus
incidents, dealing with, 297–299 Virus incidents, reported, 295–300 dealing with virus incidents, 297–299 general protective policies, 299 Help Desk investigations, 295–296 virus identification, 299 Virus infecting data files, 591–592 Virus infection Michelangelo, 603 Stoned, 602, 603 Virus infections, indications of, 573 Virus information resources, macro, 622 VIRUS-L/comp.virus, FAQs (Frequently Asked Questions) on, 567–607 primary contributors, 568–607 VIRUS-L mailing list, 452 Virus, Linux, 578 Virus mechanisms, 103–135 boot zone, 109–111 concealment mechanisms, 123–134 file infectors, 112–119 hardware-specific viruses, 104–109 interpreted viruses, 121–123 multipartite viruses, 119–120 viruses and, Virus origin and distribution, 439–459 Virus payloads, direct damage from, 97–98 Virus prehistory: Jurassic Park to Xerox PARC, 18–21 Virus, questions received at Mac, 624–627 Virus resources and Macintosh, 622–623 Virus resources, miscellaneous, 622–623 Virus scanners, 296 for UNIX systems, 578–579 Virus; See Anti-virus Virus software; See Anti-virus software Virus-specific scanning, 158–162 Virus-specific software, 143 Virus structure, Virus/worm, VBScript, 43–48 Virus writers, 441–442 motives of, 451–453 Viruses, 58–61 activations of, 90 Altair, 35–36 avoiding, 595 boot-sector, 589–590 Brain, 25 Budget, 470 Cap, 391–392 Cascade, 606 changing shapes of, 130 Chernobyl, 400–401 CIH.Spacefiller, 400–401 cleaning on all disks, 294 Colors, 387–388 common DOS, 581–582 companion, 118–119 computer, 570–572 concept, 38–39 detecting macro, 386 detecting new, 579 diagnosing, 574 DIR-II, 117 early Apple II, 22 eradicating traces of, 557 Esperanto, 401–402 Excel, 392–393 experimental spreadsheet, 133 form boot-sector, 364–365 GenB, 604 GenP, 604 getting from reading Email, 598–599 hardware-specific, 104–109 hybrid, 92–93 identifying, 574 infect, 446 Iraqi printer, 366–369 Israeli, 353 Jerusalem, 353–355 just the same, but more, 555–556 known, 568–569
LANs (local area networks) and stopping, 586 Lehigh, 93, 346–347 Mac-specific, 610–617 MacMag, 339–343 macro, 121–122, 396–397 mainframe computers and susceptible to computer, 592–594 memory-resident, 91–92 Michelangelo, 34–35, 603 Microsoft Office macro, 38–39 multipartite, 119–120 Nuclear, 384–387 overwriting, 115–117 PC scripting, 618 pranks spreading, 74 proof of concept, 38–39 protecting files from, 584–585 reasons for writing, 450–455 removing, 574–576 removing MBR, 575 Renaissance, 33–34 Scores, 343–345 script, 412–413 scripting, 122–123 See also Metaviruses spawning, 118–119 spreading to other computers, 592 Stoned, 356 substitution of, 338 technical definition of, 54 test, 65 update, 47–48 value-added, 410–411 writers of Brain, 337–338 writing, 83–86 zoo, 56 Viruses affecting Macintosh, 610 Viruses and insurance, 304–305 Viruses and Macintosh, 609–627 books, 619–620 HyperCard infectors, 614–615 information resources, 619–623 Mac-related newsgroups, 619 Mac-specific system and file infectors, 611–614 Mac Trojan Horses, 615–616 Mac troubleshooting, 622–623 macro virus information resources, 622 macro viruses, Trojans, and variants, 616–617 miscellaneous virus resources, 622–623 questions received at Mac Virus, 624–627 Virus Bulletin, 621–622 Web sites, 620–621 Viruses and related threats, pre-emptive measures, 144–151 Viruses and related topics, information on, 569–570 Viruses and virus mechanisms, Viruses and Warez, 341 Viruses hiding in Expanded RAM, 591 Extended RAM, 591 GIF files, 599–600 JPEG files, 599–600 PCs CMOS memories, 590 PC’s High Memory area, 591 PC’s Upper Memory, 591 Viruses infection, flip, 604 Viruses, interpreted, 121–123 macro viruses, 121–122 scripting viruses, 122–123 Viruses, new Cheese, 561 Code Red/Bady, 562–563 Lindose/Winux, 561–562 MacSimpsons, 562 Mandragore, 559–560 Outlook View Control, 562 Poly/Noped, 559 RTF is not panacea, 558–559 Sadmind, 561 Sircam, 563–564 SULFNBK hoax, 560 Viruses, real: early days, 22–30 Brain,
25 early Apple II viruses, 22 Elk Cloner, 23 Fred Cohen, computer viruses, 23–24 goodnight Vienna, hello Lehigh, 26–27 worm turns, 27–30 VX (Virus eXchange), 33 VxDs (virtual device drivers), 92 W W32/Happy99 (Ska), value-added virus, 410–411 W32/Magistr@mm, 432–433 W32/Navidad, 425–427 W95/MTX (Matrix, Apology), 46 W95.Hybris, 427–428 W97M/Melissa (Mailissa), 406–410 WAN protection, 165 WANK worm, 352 WANK (Worms Against Nuclear Killers), 352 WANs (wide area networks), 165 WAP (Wireless Application Protocol), 43 Warez and viruses, 341 Warhead, usage of, 89 Wazzu, 389–390 Web sites, Macintosh, 620–621 Welcome Datacomp, 618 Wheat and chaff, 471–472 Wiederoffnen, 389 Wild, in the, 13–15 WildList Organization, 14, 56 Windows DOS viruses working under MS, 598 Microsoft, 148–149 and using other software, 150 Windows NT terminology, 368 Winux, Lindose/, 432, 561–562 WLL (Word Link Libraries), 384 WM/Atom, 390 WM/Cap, 391–392 WM/Concept, 377–383 WM/Nuclear, 384–387 WM/ShareFun, 395 Word 97, 395 Word Link Libraries (.WLL), 384 World Wide Web, use of, 516 Worm turns, 27–30 Worm/virus/hybrids, 57 Wormholes, 19 Worms, 30–32, 59, 61–62 Christmas Tree, 347 defined, 572 diet of, 12 infest, 446 Internet, 347–352 Morris, 347–352 and polymorphism, 131 See also Case studies: turning worm (third wave) Shoch/Hupp segmented, 20–21 VBScript virus, 43–48 WANK, 352 Wrap up, 551–564 Write-protect tab on floppy disks, 586 Write-protecting hard disk with software, 583 Writers motives of virus, 451–453 virus, 82, 441–442 Writing viruses, 83–86 reasons for, 450–455 WSH (Windows Script Host), 122, 300, 414 X Xerox PARC, Jurassic Park to, 18–21 Xerox worm (Shoch/Hupp segmented worm), 20–21 Z Zipped files, 251 Zoo defined, 273 viruses, 56