As Mr. Ferguson pointed out, polymorphic viruses are making their way into the DOS world. This is a problem in the short term, but not in the long term because people will be changing to memory-protected & file-permission based operating systems like NT, OS/2 and Unix, where it is very difficult for most kinds of virus to spread. I myself am very familiar with the virus underground, so for those who are not, let me explain the two newest and most deadly virus techniques which are being seen in the DOS world. The first is something called "Stealth" viruses. Stealth viruses imbed themselves into DOS and intercept disk read calls from applications. If those read system calls are reading non .EXE or .COM files, then they are processed normally. However when an application such as virus scanning program is reading in .COM and .EXE files (in order to scan them for virus code), the stealth code in DOS intercepts this and returns to the application what the .EXE or .COM file would look like if it wasn't infected by the stealth virus. Thus, all virus checking programs can be decieved in this manner. There are steps to get around this, like booting off of a write-protected floppy disk (with a clean copy of DOS on it) and running the virus checking program directly from that floppy. But people seldom do that, so the stealth technology is a worthwhile one for virus creators to pursue. The second is called "Polymorphic" viruses. These are viruses which contain a tiny encryption/decryption engine. The great thing about polymorphic viruses is that they encrypt themselves with a different key each time they replicate (make a new copy of themselves). The small amount of virus bootstrap code which is not encrypted is changed in each replication by dispursing random NOP's throughout the virus boostrap code. Thus each sample of polymorphic virus looks completely different to virus checking programs. The virus checking programs cannot use "signature" byte strings to detect polymorphic viruses. I have seen something called D.A.M.E., also known as Dark Avenger Mutation Engine. This is a freeware polymorphic library/kernel/toolkit which allows anyone to take an ordinary virus and wrap it in a polymorphic shell. Thus each new copy of the virus will look completely different as it replicates. D.A.M.E. is a great toolkit for those who want to release new viruses but don't have the skills to write a virus from scratch. DAME works very well with Turbo Assembler and MASM. I believe that DAME II will be coming out sometime this spring. At least that is what the author has promised. Among the new features will be more powerful encryption, stealth capabilities, and compatibility with Stacker and DR DOS compressed file systems. I have read that the author of DAME and DAME II will be coming out with a Virus Construction Set, which will allow point-n-click building of new viruses using object oriented techniques. It works sort of like a Mr. Potatohead, you point and click on the parts/modules you want and it builds it for you. You select the replication method, stealth capability, polymorphism, and payload module (there are several payloads, varying from playing music and showing graphics, to printing a text message on screan, to complete wipe out of the HD). The really wonderful thing is that you will be able to build your own modules and link them into the virus. I am sure a flourishing of third-party modules will occur. With the VCS, a 9 year old can build a competely new virus just by pointing, clicking, and dragging, popping up windows and choosing options. My oh my, aren't we in for fun times ahead... Thug