Case 3:17-cv-05659-WHA Document 126-23 Filed 06/28/18 Page 1 of 4

Exhibit 19

November 1991

ISSN 0956-9979

VIRUS BULLETIN

THE AUTHORITATIVE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Edward Wilding

Technical Editor: Fridrik Skulason

Editorial Advisors: Jim Bates, Bates Associates, UK, Phil Crewe, Fingerprint, UK, David Ferbrache, Defence Research Agency, UK, Ray Glath, RG Software Inc., USA, Hans Gliss, Datenschutz Berater, West Germany, Ross M. Greenberg, Software Concepts Design, USA, Dr. Harold Joseph Highland, Compulit Microcomputer Security Evaluation Laboratory, USA, Dr. Jan Hruska, Sophos, UK, Dr. Keith Jackson, Walsham Contracts, UK, Owen Keane, Barrister, UK, John Laws, Defence Research Agency, UK, David T. Lindsay, Digital Equipment Corporation, UK, Yisrael Radai, Hebrew University of Jerusalem, Israel, Martin Samociuk, Network Security Management, UK, John Sherwood, Sherwood Associates, UK, Prof. Eugene Spafford, Purdue University, USA, Dr. Peter Tippett, Certus International Corporation, USA, Dr. Ken Wong, PA Consulting Group, UK, Ken van Wyk, CERT, USA.

CONTENTS

EDITORIAL  2

TECHNICAL NOTES  3

KNOWN IBM PC VIRUSES (UPDATE)  5

TOOLS & TECHNIQUES
  Virus Verification and Removal  7

VIRUS ANALYSES
  1. DIR II - The Much Hyped 'Linking' Virus  11
  2. Music Bug  15
  3. Form  16

FIAT LUX
  A Pervading Myth: The 'CMOS Virus'  17

ON COMPUSERVE
  Troublesome Concubines in the Anti-Virus Harem  18

SCANNER TACTICS
  Living Together - Without False Alarms!  19

PRODUCT REVIEW
  Virus Buster  20

END-NOTES & NEWS  24

VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139. /90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.

November 1991    VIRUS BULLETIN    Page 5

KNOWN IBM PC VIRUSES (UPDATE)

Updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 20th October 1991. Hexadecimal patterns may be used to detect the presence of the virus with a disk utility program, or preferably a dedicated virus scanner.

Type Codes

E = EXE files
C = COM files
M = Infects Master Boot Sector (Track 0, Head 0, Sector 1)
R = Memory-resident after infection
P = Companion virus
D = Infects DOS Boot Sector (logical sector 0 on disk)
N = Not memory-resident after infection
L = Link virus

864 - CN: This virus adds 864 bytes in front of the files it infects. Awaiting analysis.
864    8040 8449 8742 473A 2575 153A 7D01 7510 3A45 0275 08C6 4502

1876 - CER: This 1876-byte virus is probably of Polish origin. Awaiting analysis.
1876    8ECO 33FF 33CO 89FF 7FFC F2AE 26F6 05FF 75F8 83C7 0388 072E

Best Wishes-970 - CER: This virus is detected by the search pattern for the Attention virus, but not by the pattern for the Best Wishes-1024 virus. This variant is not able to infect .EXE files properly.

Black Wizard - EN: A variant of the 'Old Yankee' virus and detected by the pattern for that virus. This variant is 2051 bytes long and plays a different tune than the original virus, but is otherwise similar.

Bulgarian 123 - CN: A simple 123-byte virus from Bulgaria, which does nothing but replicate. It may infect the same file repeatedly.
Bulgarian 123    8103 8054 F484 40CD 2184 3ECD 2184 4FCD 2173 AF8B 0001 FFE3

Copmpl - CER: This is a 1111 (COM) or 1114 (EXE) byte Polish variant of the Akuku virus. The name is derived from the following text, which can be found inside the virus: 'Sorry, I'm copmpletly dead' (sic). The only effect of the virus is to play a tune.
Copmpl    80E6 OF8A D680 FAOO 7407 SOFA OB76 0682 0284 OECD 218C CSBE

Copyright - CN: A 1193-byte virus from East Europe, which contains a fake Award BIOS copyright message. Awaiting analysis.
Copyright    AB4A 75F2 E2EA 33CO CDl6 8800 0687 0733 C9B6 1882 4FCO 10E9

DIR II - LCER: A 1024-byte 'link' virus from Bulgaria. 'Infects' all COM and EXE files in each directory on a single pass. If the virus is resident, 'infected' COM and EXE files can be disinfected by renaming their extensions. (VB, Nov 1991).
DIR II    8COO 06FF 06E8 0431 C98E D9C5 06C1 0005 2100 1E50 8430 E824

DM-400 - CR: This 400-byte virus does not seem to do anything but replicate. It contains the text '(C)1990 DM'.
DM-400    80FC 4874 3380 FC56 7419 FE04 80FC 3D74 12FE 0480 FC3E 751C

Europe '92 - CR: This 421-byte virus activates if the year is set to 1992, when it displays the message: 'Europe/92 4EVER!'
Europe '92    8450 CD21 SC08 48 8E D8C6 0600 OOSA 891E 0100 8916 0300 53B8

Fake-VirX - CN: A 233-byte virus from Finland which activates on any Friday the 13th, when it displays the message 'VirX 3190'.
Fake-VirX    4088 D589 0600 CD2l 6801 575A S9CD 2164 3ECD 2188 0001 FFEO

Gergana - CN: Four variants of the Gergana virus, which are longer than the original with improved error handling.
Gergana-222    BFBO FFB9 3000 F3A4 E9C6 FDSE 8 1C6 0001 BFOO 0189 DEOO F3A4
Gergana-300    8F80 FFB9 3000 F3A4 E985 FDSE BlC6 0001 BFOO 0189 2C01 F3A4
Gergana-450    BPSO PF89 3000 F3A4 E97E FDSE 81C6 0001 8FOO 01B9 C201 F3A4
Gergana-512    BAOO FAB4 3FCD 21C3 6900 0284 40CD 21C3 6801 572E 880E 5001

Gosia - CR: A 466-byte virus from Poland. It contains the text 'I ♥ Gosia'. (♥ is the ASCII character 03.)
Gosia    0275 10AC 268A 2547 3AC4 7405 80CC 203A C4E2 EE9F 03F9 8810

Gotcha - CER: Two related viruses from East Europe, 879 and 881 bytes long. They contain the text string: 'GOTCHA!'.
Gotcha    9C30 DADA 7428 80FC 3074 OA30 006C 7405 80FC 4875 1306 lE50

Hero-394 - ER: Related to the 506-byte Hero virus, but does not damage the files it infects. Awaiting analysis.
Hero-394    898A 0133 C08F 0002 0305 83C7 02E2 F929 069C 0388 0042 33C9

Hungarian-482 - CR: This 482-byte virus from Hungary activates on November 7th. If an infected program is run on that date it will display the string 'Format ...' and proceed to format the hard disk.
Hungarian-482    5603 F7AC OACO 740A DOES 840E 8307 CD10 E8Fl 8901 008A 8000
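
The table gives each search pattern as groups of four hexadecimal digits. As an added example (not from Virus Bulletin or from any scanner it discusses), the Python below parses a pattern in that notation and searches a binary stream for it chunk by chunk, keeping an overlap so a match that straddles a chunk boundary is not missed. The `Demo-A` pattern, the sample bytes and all function names are constructed for illustration.

```python
import io
import re

# Pattern notation used in the table: groups of four hex digits.
HEX_GROUPS = re.compile(r"[0-9A-Fa-f]{4}( [0-9A-Fa-f]{4})*")

def parse_pattern(text):
    """Convert 'DEAD BEEF ...' to bytes, rejecting anything not strict hex.

    A pattern keyed in from print with O for 0 or l for 1 would otherwise
    never match and the scan would report a clean result.
    """
    text = text.strip()
    if not HEX_GROUPS.fullmatch(text):
        raise ValueError(f"not a valid hex pattern: {text!r}")
    return bytes.fromhex(text.replace(" ", ""))

def scan_stream(stream, patterns, chunk_size=65536):
    """Return {name: sorted offsets} for patterns found in a binary stream."""
    keep = max(len(p) for p in patterns.values()) - 1  # overlap between chunks
    hits = {name: set() for name in patterns}
    tail, base = b"", 0  # base is the stream offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pat in patterns.items():
            pos = window.find(pat)
            while pos != -1:
                hits[name].add(base + pos)  # set: the overlap may re-find a hit
                pos = window.find(pat, pos + 1)
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)
    return {n: sorted(o) for n, o in hits.items() if o}

# Constructed demo pattern and data; not taken from the table.
DEMO_PATTERNS = {"Demo-A": parse_pattern("DEAD BEEF 0102 0304")}

def demo():
    data = b"\x90" * 10 + bytes.fromhex("DEADBEEF01020304") + b"\x00" * 20
    # A 12-byte chunk size forces the pattern to straddle a chunk boundary.
    return scan_stream(io.BytesIO(data), DEMO_PATTERNS, chunk_size=12)

if __name__ == "__main__":
    print(demo())
```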

Page 20    VIRUS BULLETIN    November 1991

Guidelines

From the user's point of view, it makes good sense to use a number of different anti-virus packages in order that they may each confirm the findings of the other. One of the major reasons for such an approach is to limit the problems posed by false positive indications. Unfortunately, the careless or self-centred approach of many vendors means that their packages may actually cause false positives in other packages.

To avoid the confusion and inconvenience caused by false positives there are certain guidelines:

• Use several scanners from dissimilar sources. The more search data that is available the better - this increases the likelihood of detecting genuine infections while providing a means to diagnose suspected false alarms. No single virus-scanner can provide 100 percent protection!

• Always run scanning and integrity checks on a freshly booted system. Boot from power off between subsequent checks.

• Remember that false positives can result from scanning with anti-virus software from dissimilar sources. Either remove such software from the disk under inspection or ignore any warnings limited solely to it.

• It would be highly unusual to find just a single occurrence of a parasitic (program infecting) virus on a working hard disk. Once a virus is invoked its main purpose is to spread, so you would expect to find several occurrences within a working environment. Floppy disks, on the other hand, could quite easily contain just a single infection.

• Avoid the use of integrity checking programs which add modifications to actual file profiles. These are often advertised as providing a checking system which will travel with the file but they are worse than useless when used in conjunction with other integrity checking software that completes a reliable check.

• When a virus infection has been indicated, you should attempt to verify its existence via other methods (integrity checks versus scanning methods etc.). These include checking along possible infection paths and testing with other software.

You should also remember to check with the vendor of the package - if there are any false positive problems, they are likely to know about them and be able to put your mind at rest. In any case they should be informed so that they can make efforts to correct the problem (assuming it is a problem they can address).

Finally, if a package continues to produce an unacceptable number of false positive indications it should be discarded. The whole point of anti-virus software is to save time and worry - not generate it!

PRODUCT REVIEW

Mark Hamilton

Virus Buster

Virus Buster is an Australian package from Leprechaun Software International. The package consists of a 320-page perfect-bound paperback manual, two 360 Kbyte and one 720 Kbyte diskettes in video-cassette type packaging.

The software consists of three main programs, BUSTER, WATCHDOG and DOCTOR and a number of complementary files, three of which are simply included to install the package on a hard disk or floppies. The installation process scans memory and the destination disk before copying and installing the constituent parts of the package.

Installation

The package refused to install onto the hard disk of my Apricot 486, but it installed without any problem to the hard drive of my Compaq DeskPro 386/16. An inauspicious start to the review.

Alternatively, you can simply copy the 22 files into a sub-directory, and using the instructions in the documentation, configure the software to suit your preferences.

Buster

BUSTER is a checksumming program which detects changes in files. The first time it is run, it creates an encrypted data file, BUSTER37.DAT, which contains details of the file's path name, date, size, header and checksum. This information is used by BUSTER for subsequent checks. By default, BUSTER checks all the normal executable file types, but you are able to add to or remove from the list of these to suit your personal preferences.

When BUSTER is re-run, any changes to the recorded details to any of the files (or disk's system area) are reported in a pop-up window. You can add details of any new program; change BUSTER's record for a file; rename the file; wipe the file; or, generically restore the file to its former self. BUSTER is intelligent enough to know whether it can restore a particular change successfully and disables this option if it can't.
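
The record-and-compare scheme described for BUSTER, as an added Python example that is not Leprechaun Software's code: it stores date, size, header and checksum per path name and reports which of those fields differ on a later run. The 32-byte header length, SHA-256 as the checksum, the unencrypted in-memory baseline and all function names are assumptions; the two files are constructed for the demo.

```python
import hashlib
import os
import tempfile

HEADER_LEN = 32  # assumption: the review does not say how much header is kept

def profile(path):
    """Record the per-file details the review lists for BUSTER37.DAT."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "date": st.st_mtime_ns,
        "size": st.st_size,
        "header": data[:HEADER_LEN].hex(),
        # SHA-256 stands in for BUSTER's checksum, which the review does not name.
        "checksum": hashlib.sha256(data).hexdigest(),
    }

def check(baseline, paths):
    """Return {path: [findings]} for files that differ from the baseline."""
    report = {}
    for p in sorted(set(baseline) | set(paths)):
        if p not in baseline:
            report[p] = ["new file"]
        elif not os.path.exists(p):
            report[p] = ["missing"]
        else:
            now = profile(p)
            changed = [k for k in now if now[k] != baseline[p][k]]
            if changed:
                report[p] = changed
    return report

def demo():
    """Constructed files: A.COM gains 8 leading bytes, B.COM is left alone."""
    with tempfile.TemporaryDirectory() as d:
        fa, fb = os.path.join(d, "A.COM"), os.path.join(d, "B.COM")
        for path, body in ((fa, b"\xe9\x10\x00" + b"A" * 100), (fb, b"B" * 64)):
            with open(path, "wb") as fh:
                fh.write(body)
        baseline = {p: profile(p) for p in (fa, fb)}
        st = os.stat(fa)
        with open(fa, "wb") as fh:
            fh.write(b"X" * 8 + b"\xe9\x10\x00" + b"A" * 100)
        os.utime(fa, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the date back
        return {os.path.basename(p): f for p, f in check(baseline, [fa, fb]).items()}
```

In the demo the file date is put back after the change, so the modification has to be caught by the size, header and checksum fields rather than by the date.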

On my Compaq Deskpro BUSTER completed its checks on 419 executable files (14 Mbytes) in just 2 minutes, which works out at 118 Kbytes per second. It took less than one second longer to create its database initially.

Like all generic checkers, it tripped-up over self-modifying programs - such as some of the shareware text editors which