Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!mcsun!hafro!isgate!krafla!frisk
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: Withdrawal symptoms...
Message-ID: <1508@krafla.rhi.hi.is>
Date: 9 Feb 90 13:00:24 GMT
References: <1502@krafla.rhi.hi.is> <4913@itivax.iti.org>
Reply-To: frisk@rhi.hi.is (Fridrik Skulason)
Organization: University of Iceland (RHI)
Lines: 35

In article <4913@itivax.iti.org> dhw@itivax.UUCP (David H. West) writes:
>Clearly, one service we can expect (demand?) from a moderator is to scan
>submitted binaries for KNOWN viruses, but I can't see how, in a
>reasonable amount of time, a moderator could be sure that a submitted
>binary didn't contain a NEW virus.

Well, most "new" viruses are not really so new - rather only modifications
to existing viruses (see note #1). If the moderator uses several different
virus scanners, he can probably catch all viruses based on those previously
known.

One thing a moderator can at least stop, but would be more of a problem if
the group was not moderated, is something like the Virus-90 case. There the
author uploaded his virus to a number of Bulletin Board Systems, with
documentation that said something like:

    "This program contains a virus. You are permitted to study it,
    but not to modify it. If you wish to receive the source, please
    send $25 to......."

If an unmoderated c.b.i.p. group had been running at the time, he might even
have managed to distribute the virus there - I guess that would have
resulted in instant removal of c.b.i.p at some sites.....

note #1: Recently I received a package of 30 Bulgarian PC viruses. Only 4 of
them were known before, but since most of the other 26 viruses were related
to currently known viruses, only 2 viruses could not be detected by existing
anti-virus tools.

-- 
Fridrik Skulason - University of Iceland, Computing Services.
frisk@rhi.hi.is    Technical Editor, Virus Bulletin.