Computer underground Digest    Mon  Dec 2, 1996   Volume 8 : Issue 85
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Field Agent Extraordinaire:   David Smith
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.85 (Mon, Dec 2, 1996)

File 1--Info on 'Microsoft home page virus' HOAX
File 2--In Re Virus Hoaxes
File 3--CIAC Bulletin H-05: Internet Hoaxes
File 4--Cu Digest Header Info (unchanged since 1 Dec, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: 30 Nov 1996 23:48:57 -0000
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: File 1--Info on 'Microsoft home page virus' HOAX

Source - Newsgroups: comp.virus

- ----BEGIN PGP SIGNED MESSAGE-----

This is a warning on a nasty hoax that has been distributed on several
mailing lists and in usenet news. The hoax message is falsely
attributed to me (Mikko.Hypponen@datafellows.com).

This false warning urges people to stay off Microsoft's
home page and not to use Microsoft Internet Explorer,
because the 'Microsoft home page is possibly infected
by a virus'. This is nonsense.

If you have seen this warning, please pass on this message,
and please do not redistribute the original warning any more.

The origins on this nasty hoax is as of yet unknown.
The original hoax warning is quoted here in full:

   ---begin hoax---

   Red Alert for anybody using Microsoft's Internet Explorer as
   their web browser.

   This came in on the virus forum at the University of Hamburg
   from a fairly reliable source: Mikko H. Hypponen
   (Mikko.Hypponen@datafellows.com) in Finland. (datafellows is
   an anti-virus company)

   The first indication that something was amiss was when the computer
   of an MIS professional friend of Mikko's was completely wiped --
   including BIOS and CMOS -- on 11-20-96. It took a great deal of
   arguing with Microsoft until 11-22-96 (logged at 0930 hours) when
   they finally admitted something was wrong and took "their homepage
   into their lab."

   Mikko's first report was at 11:13 on 11-22-96. By 13:17 on 11-22-96
   the following message was received:

   ---------------------------------------------------------
   >       Okay, it's official (last conversation with techs at 1200 hrs,
   >       11-22-96, virus confirmed) Western Digital and Microsoft
   >       confirm that a new virus is on the web and they cannot
   >       isolate it. The only thing they know for sure is that it
   >       completely wipes out a computer. As of this time, they cannot
   >       determine how best to get rid of the thing once it is in your
   >       system.
   >
   [irrelevant "in-joke" cut]
   >
   >       They are recommending that until they can isolate it (it appears
   >       to be coming from several locations) you just stay off the web.

   ---------------------------------------------------------

   This sounds like a trojan rather than a virus, but it is extremely
   destructive nonetheless.

   Unless you can filter addresses so your webbrowser will not
   go to Microsoft's home page, stay off Microsoft's home page
   until further notice. (As Mikko post updates, I'll forward
   them.)

   Incidentally, Mikko and his friend *were* frequent users of Microsoft's
   Web browser.

   ---end hoax---

Oh, by the way. I prefer Netscape and Lynx...
If you have any questions, contact me directly at
Mikko.Hypponen@datafellows.com.


- ----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMp7jpdn7CX0PJlcJAQFFjQQAkzaqIaAPIH0TKVM+1K2Ampj7yP/MIaKS
cGbWzb2A0EHnloxa5i5ZqYDYq69+Y4TYaDV2CsKz6jGdQJ+niZEs0K6sjNYRxyxV
eO7xk52f3UOvsrKTXsgZM2MffTHV+YuHDDvw+K+qN2FgTlepJzsdGzaVlURi5LnR
gHYqDRZoatY=
=zvx3
- ----END PGP SIGNATURE-----

- -
         Mikko Hermanni Hyppvnen - Mikko.Hypponen@DataFellows.com
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-9-478444, Fax +358-9-47844599

------------------------------

Date: Mon, 25 Nov 1996 11:31:30 +0000 (GMT)
From: harley@icrf.icnet.uk
Subject: File 2--In Re Virus Hoaxes

((MODERATORS' NOTE: The following provides some useful URLs
for anti-virus/hoax, and other information. The author correctly
notes that the CIAC bulletin might be of interest here, so we're
reprinting it in the next post--jt)).

  --------------

Since #8.82 was somewhat dominated by Irina, Good Times, and Deeyenda,
it might be worth drawing to the attention of CuD readers the CIAC
bulletin H-05 of November 20th, which includes information on the
Irina, Good Times, and Deeyenda hoaxes, the PKZ300 semi-hoax (dealing
with the warning has wasted more time and money than the few real
instances of this trojan ever did), and the erroneous GHOST.EXE
'Trojan' alert (it's -just- a screensaver, folks, at least until
someone gets the bright idea of virus-infecting it or trojanizing it).

The bulletin also revisits the 2400 baud modem virus hoax and
Robert Morris III's joke alert of 1988, a little of which is
included here for your edification.

        Warning: There's a new virus on the loose that's worse than
        anything I've seen before! It gets in through the power line,
        riding on the powerline 60 Hz subcarrier. It works by changing the
        serial port pinouts, and by reversing the direction one's disks
        spin. Over 300,000 systems have been hit by it here in Murphy,
        West Dakota alone! And that's just in the last 12 minutes.

        It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac,
        RSX-11, ITS, TRS-80, and VHS systems.

Well, it amuse me, even though some of this stuff has turned
up since in hoax alerts and trolls.

In the CIAC bulletin, there's also a pretty sensible
section on how to recognise a likely hoax and ways
to validate an alert (by examining its PGP signature, for
instance. I rather like "When in doubt, do not send it out
to the world.", the suggestion being that the user forwards
it to their sysadmin for validation instead.

The URL is:

	http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

One or two other hoaxes, jokes etc. are addressed in the
alt.comp.virus FAQ at

	http://webworlds.co.uk/dharley/

Bob Rosenberg's Computer Virus Myths page at

	http://www.kumite.com/myths/

is a good source of information on some of these issues, too.

------------------------------

From: David Crawford <crawford@eek.llnl.gov>
Subject: File 3--CIAC Bulletin H-05: Internet Hoaxes
Date: 25 Nov 1996 03:27:29 -0000

- ----BEGIN PGP SIGNED MESSAGE-----

Source - Newsgroups: comp.virus

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

            Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost

November 20, 1996 15:00 GMT                                        Number H-05
______________________________________________________________________________
PROBLEM:       This bulletin addresses the following hoaxes and erroneous
               warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and
               Ghost.exe
PLATFORM:      All, via e-mail
DAMAGE:        Time lost reading and responding to the messages
SOLUTION:      Pass unvalidated warnings only to your computer security
               department or incident response team. See below on how to
               recognize validated and unvalidated warnings and hoaxes.
______________________________________________________________________________
VULNERABILITY  New hoaxes and warnings have appeared on the Internet and old
ASSESSMENT:    hoaxes are still being cirulated.
______________________________________________________________________________


Introduction
============

The Internet is constantly being flooded with information about computer
viruses and Trojans. However, interspersed among real virus notices are
computer virus hoaxes. While these hoaxes do not infect systems, they are
still time consuming and costly to handle. At CIAC, we find that we are
spending much more time de-bunking hoaxes than handling real virus incidents.
This advisory addresses the most recent warnings that have appeared on the
Internet and are being circulated throughout world today. We will also address
the history behind virus hoaxes, how to identify a hoax, and what to do if you
think a message is or is not a hoax. Users are requested to please not spread
unconfirmed warnings about viruses and Trojans. If you receive an unvalidated
warning, don't pass it to all your friends, pass it to your computer security
manager to validate first. Validated warnings from the incident response teams
and antivirus vendors have valid return addresses and are usually PGP signed
with the organization's key.

PKZ300 Warning
==============

The PKZ300 Trojan is a real Trojan program, but the initial warning about it
was released over a year ago. For information pertaining to PKZ300 Trojan
reference CIAC Notes issue 95-10, that was released in June of 1995.

http://ciac.llnl.gov/ciac/notes/Notes10.shtml

The warning itself, on the other hand, is gaining urban legend status. There
has been an extremely limited number of sightings of this Trojan and those
appeared over a year ago. Even though the Trojan warning is real, the repeated
circulation of the warning is a nuisance. Individuals who need the current
release of  PKZIP should visit the PKWARE web page at http://www.pkware.com.
CIAC recommends that you DO NOT recirculate the warning about this particular
Trojan.

Irina Virus Hoax
================

The "Irina" virus warnings are a hoax. The former head of an electronic
publishing company circulated the warning to create publicity for a new
interactive book by the same name. The publishing company has apologized for
the publicity stunt that backfired and panicked Internet users worldwide. The
original warning claimed to be from a Professor Edward Pridedaux of the
College of Slavic Studies in London; there is no such person or college.
However, London's School of  Slavonic and East European Studies has been
inundated with calls. This poorly thought-out publicity stunt was highly
irresponsible. For more information pertaining to this hoax, reference the
UK Daily Telegraph at http://www.telegraph.co.uk.

Good Times Virus Hoax
=====================

The "Good Times" virus warnings are a hoax. There is no virus by that name in
existence today. These warnings have been circulating the Internet for years.
The user community must become aware that it is unlikely that a virus can be
constructed to behave in the manner ascribed in the "Good Times" virus
warning. For more information related to this urban legend, reference CIAC
Notes 95-09.

http://ciac.llnl.gov/ciac/notes/Notes09.shtml

Deeyenda Virus Hoax
===================

The "Deeyenda" virus warnings are a hoax. CIAC has received inqueries
regarding the validity of the Deeyenda virus. The warnings are very similar
to those for Good Times, stating that the FCC issued a warning about it,
and that it is self activating and can destroy the contents of a machine
just by being downloaded. Users should note that the FCC does not and will
not issue virus or Trojan warnings. It is not their job to do so. As of this
date, there are no known viruses with the name Deeyenda in existence. For a
virus to spread, it  must be executed. Reading a mail message does not execute
the mail message. Trojans and viruses have been found as executable attachments
to mail messages, but they must be extracted and executed to do any harm. CIAC
still affirms that reading E-mail, using typical mail agents, can not activate
malicious code delivered in or with the message.

Ghost.exe Warning
=================

The Ghost.exe program was originally distributed as a free screen saver
containing some advertising information for the author's company (Access
Softek). The program opens a window that shows a Halloween background with
ghosts flying around the screen. On any Friday the 13th, the program window
title changes and the ghosts fly off the window and around the screen. Someone
apparently got worried and sent a message indicating that this might be a
Trojan. The warning grew until the it said that Ghost.exe was a Trojan that
would destroy your hard drive and the developers got a lot of nasty phone
calls (their names and phone numbers were in the About box of the program.)
A simple phone call to the number listed in the program would have stopped
this warning from being sent out. The original ghost.exe program is just cute;
it does not do anything damaging. Note that this does not mean that ghost
could not be infected with a virus that does do damage, so the normal
antivirus procedure of scanning it before running it should be followed.

History of Virus Hoaxes
=======================

Since 1988, computer virus hoaxes have been circulating the Internet. In
October of that year, according to Ferbrache ("A pathology of Computer
Viruses" Springer, London, 1992) one of the first virus hoaxes was the
2400 baud modem virus:

	SUBJ: Really Nasty Virus
 	AREA: GENERAL (1)

 	I've just discovered probably the world's worst computer virus
 	yet. I had just finished a late night session of BBS'ing and file
 	treading when I exited Telix 3 and attempted to run pkxarc to
 	unarc the software I had downloaded. Next thing I knew my hard
 	disk was seeking all over and it was apparently writing random
 	sectors. Thank god for strong coffee and a recent backup.
 	Everything was back to normal, so I called the BBS again and
 	downloaded a file. When I went to use ddir to list the directory,
 	my hard disk was getting trashed again. I tried Procomm Plus TD
 	and also PC Talk 3. Same results every time. Something was up so I
 	hooked up to my test equipment and different modems (I do research
 	and development for a local computer telecommunications company
 	and have an in-house lab at my disposal). After another hour of
 	corrupted hard drives I found what I think is the world's worst
 	computer virus yet. The virus distributes itself on the modem sub-
 	carrier present in all 2400 baud and up modems. The sub-carrier is
 	used for ROM and register debugging purposes only, and otherwise
 	serves no othr (sp) purpose. The virus sets a bit pattern in one
 	of the internal modem registers, but it seemed to screw up the
 	other registers on my USR. A modem that has been "infected" with
 	this virus will then transmit the virus to other modems that use a
 	subcarrier (I suppose those who use 300 and 1200 baud modems
 	should be immune). The virus then attaches itself to all binary
 	incoming data and infects the host computer's hard disk. The only
 	way to get rid of this virus is to completely reset all the modem
 	registers by hand, but I haven't found a way to vaccinate a modem
 	against the virus, but there is the possibility of building a
 	subcarrier filter. I am calling on a 1200 baud modem to enter this
 	message, and have advised the sysops of the two other boards
 	(names withheld). I don't know how this virus originated, but I'm
 	sure it is the work of someone in the computer telecommunications
 	field such as myself. Probably the best thing to do now is to
 	stick to 1200 baud until we figure this thing out.

	Mike RoChenle

This bogus virus description spawned a humorous alert by Robert Morris III :

 	Date: 11-31-88 (24:60)	Number: 32769
 	To: ALL	Refer#: NONE
 	--ROBERT MORRIS III	Read: (N/A)
 	Subj: VIRUS ALERT	Status: PUBLIC MESSAGE

 	Warning: There's a new virus on the loose that's worse than
 	anything I've seen before! It gets in through the power line,
 	riding on the powerline 60 Hz subcarrier. It works by changing the
 	serial port pinouts, and by reversing the direction one's disks
 	spin. Over 300,000 systems have been hit by it here in Murphy,
 	West Dakota alone! And that's just in the last 12 minutes.

	It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac,
 	RSX-11, ITS, TRS-80, and VHS systems.

 	To prevent the spresd of the worm:

 	1) Don't use the powerline.
 	2) Don't use batteries either, since there are rumors that this
 	  virus has invaded most major battery plants and is infecting the
 	  positive poles of the batteries. (You might try hooking up just
 	  the negative pole.)
 	3) Don't upload or download files.
 	4) Don't store files on floppy disks or hard disks.
 	5) Don't read messages. Not even this one!
 	6) Don't use serial ports, modems, or phone lines.
 	7) Don't use keyboards, screens, or printers.
 	8) Don't use switches, CPUs, memories, microprocessors, or
 	  mainframes.
 	9) Don't use electric lights, electric or gas heat or
 	  airconditioning, running water, writing, fire, clothing or the
 	  wheel.

 	I'm sure if we are all careful to follow these 9 easy steps, this
 	virus can be eradicated, and the precious electronic flui9ds of
 	our computers can be kept pure.

 	---RTM III

Since that time virus hoaxes have flooded the Internet.With thousands of
viruses worldwide, virus paranoia in the community has risen to an extremely
high level. It is this paranoia that fuels virus hoaxes. A good example of
this behavior is the "Good Times" virus hoax which started in 1994 and is
still circulating the Internet today. Instead of spreading from one computer
to another by itself, Good Times relies on people to pass it along.

How to Identify a Hoax
======================

There are several methods to identify virus hoaxes, but first consider what
makes a successful hoax on the Internet. There are two known factors that make
a successful virus hoax, they are: (1) technical sounding language, and
(2) credibility by association. If the warning uses the proper technical
jargon, most individuals, including technologically savy individuals, tend to
believe the warning is real. For example, the Good Times hoax says that
"...if the program is not stopped, the computer's processor will be placed in
an nth-complexity infinite binary loop which can severely damage the
processor...". The first time you read this, it sounds like it might be
something real. With a little research, you find that there is no such thing
as an nth-complexity infinite binary loop and that processors are designed
to run loops for weeks at a time without damage.

When we say credibility by association we are referring to whom sent the
warning. If the janitor at a large technological organization sends a warning
to someone outside of that organization, people on the outside tend to believe
the warning because the company should know about those things. Even though
the person sending the warning may not have a clue what he is talking about,
the prestigue of the company backs the warning, making it appear real. If a
manager at the company sends the warning, the message is doubly backed by the
company's and the manager's reputations.

Individuals should also be especially alert if the warning urges you to pass
it on to your friends. This should raise a red flag that the warning may be
a hoax. Another flag to watch for is when the warning indicates that it is a
Federal Communication Commission (FCC) warning. According to the FCC, they
have not and never will disseminate warnings on viruses. It is not part of
their job.

CIAC recommends that you DO NOT circulate virus warnings without first
checking with an authoritative source. Authoritative sources are your computer
system security administrator or a computer incident advisory team. Real
warnings about viruses and other network problems are issued by different
response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by
the sending team using PGP. If you download a warning from a teams web site or
validate the PGP signature, you can usually be assured that the warning is
real. Warnings without the name of the person sending the original notice, or
warnings with names, addresses and phone numbers that do not actually exist
are probably hoaxes.

What to Do When You Receive a Warning
=====================================

Upon receiving a warning, you should examine its PGP signature to see that it
is from a real response team or antivirus organization. To do so, you will
need a copy of the PGP software and the public signature of the team that
sent the message. The CIAC signature is available from the CIAC web server
at:

http://ciac.llnl.gov

If there is no PGP signature, see if the warning includes the name of the
person submitting the original warning. Contact that person to see if he/she
really wrote the warning and if he/she really touched the virus. If he/she is
passing on a rumor or if the address of the person does not exist or if
there is any questions about theauthenticity or the warning, do not circulate
it to others. Instead, send the warning to your computer security manager or
incident response team and let them validate it. When in doubt, do not send
it out to the world. Your computer security managers and the incident response
teams teams have experts who try to stay current on viruses and their warnings.
In addition, most anti-virus companies have a web page containing information
about most known viruses and hoaxes. You can also call or check the web site
of the company that produces the product that is supposed to contain the virus.
Checking the PKWARE site for the current releases of PKZip would stop the
circulation of the warning about PKZ300 since there is no released version 3
of PKZip. Another useful web site is the "Computer Virus Myths home page"
(http://www.kumite.com/myths/) which contains descriptions of several known
hoaxes. In most cases, common sense would eliminate Internet hoaxes.

- -----------------------------------------------------------------------------

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-43: Vulnerabilities in Sendmail
G-44: SCO Unix Vulnerability
G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS
G-47: Unix FLEXlm Vulnerabilities
G-48: TCP SYN Flooding and IP Spoofing Attacks
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions
H-03: HP-UX_suid_Vulnerabilities
H-04: HP-UX  Ping Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

- ----BEGIN PGP SIGNATURE-----
Version: 2.6.1
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMpN8qrnzJzdsy3QZAQHpZgP/V+NTN7AwEtWCM46sSBMFnEuz0NxmN9X2
DMOFnATcUSNvukXBPAMc3LMYmnjhp+CrqDyfQCWVBUaHDTmb3yKTTsexYev5alyd
cSR4uZjQrMjO1pu16HG7BS+faxaP+E/FVEcbAof9a+tjX4aj9LTOM/Nt8Hb6Aazo
eRHTBH+AYy4=
=fBQM
- ----END PGP SIGNATURE-----

------------------------------

Date: Thu, 21 Mar 1996 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 4--Cu Digest Header Info (unchanged since 1 Dec, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:: line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (860)-585-9638.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
         In ITALY: ZERO! BBS: +39-11-6507540
         In LUXEMBOURG: ComNet BBS:  +352-466893

  UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #8.85
************************************