4-Jan-95 11:52:44-GMT,74473;000000000000
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.5/3.08) id AA12831; Wed, 4 Jan 95 06:52:16 EST
Received: from fidoii.cc.lehigh.edu (fidoii.CC.Lehigh.EDU [128.180.1.4]) by remus.rutgers.edu (8.6.8.1+bestmx/8.6.6) with ESMTP id GAA01968 for ; Wed, 4 Jan 1995 06:52:00 -0500
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <127715-4>; Wed, 4 Jan 1995 06:28:06 EST
Message-Id: <9501041128.AA11094@bull-run.assist.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V8 #1
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Wed, 4 Jan 1995 06:19:48 EST

VIRUS-L Digest   Wednesday, 4 Jan 1995   Volume 8 : Issue 1

Today's Topics:

Re: "Tekroids" episode of Tekwar and the perception of viri
re: Tech Report on Virus fighting through Biological Processes
re: Virus reporting procedures and rumor control
Re: Virus reporting procedures and rumor control
Hypertext VIRUS-L FAQ
Re: Mainframe Viruses? (IBM VM/CMS/etc)
Re: OS/2 Virus? (OS/2)
OS/2 semi-virus (OS/2)
Re: GenB virus alert (PC)
Re: Of what value is McAfee Netshld (PC)
Re: HELP: Form virus attacks Windows NT NTFS boot sector. (PC)
KEYPRESS virus (PC)
F-PROT (PC)
Re: NYB (PC)
Possible Virus Problem (PC)
Re: Stoned.Empire.Monkey.B (was Re: THANKS!! Re help with FORM) (PC)
How to get with CPAV (PC)
Any info about the KHOBAR virus? (PC)
Floppy format and NYB???? (PC)
Unfavourable InVircible Review (PC)
Re: WIN.COM modification (PC)
Looking for an antivirus (PC)
Win 96 AV? (PC)
re: Question: Infection Misconceptions? (PC)
DA'BOYS Virus (PC)
Re: Lyceum.930 virus (PC)
F-Prot professional updates? (PC)
SW-logo in mode 13: Serious trouble! (PC)
ANSI bombs dropping viruses (PC)
Re: Can a virus spread like this?
(PC)
Re: Question: Infection Misconceptions? (PC)
Re: Disabling TSRs (PC)
Re: memory scanning (PC)
Re: Network Antivirus NLM's / need advise (PC)
question on virus (PC)
Re: NOT an InVircible (CMOS) Error! (PC)
Re: Need Help with Stoned Virus (PC)
Problem with Tbscan 6.26 (PC)
Re: Need basic virus information (PC)
JUNKIE1 (PC)
Re: Virus Alert -- NATAS. (PC)
Re: master boot record viruses (PC)
TBAV (PC)
Need help selecting virus softwares (PC)
Re: DOOM game messages (PC)
Re: VCL?? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 20 Dec 94 10:29:07 -0500
From: jr7877@cesn12.cen.uiuc.edu (Jason V Robertson)
Subject: Re: "Tekroids" episode of Tekwar and the perception of viri

"Rob Slade" writes:
>TVTEKWAR.RVW 941201
>
>Bill Shatner has been reading "Snow Crash" (cf BKSNCRSH.RVW)!
>
[An excellent critique of the modern virus in fictitious works]

While I do not doubt Mr. Slade's expertise, I do doubt his point.
He has admittedly proved to us that he knows much more about the common MS-DOS virus than the average Joe, but he has failed to show us any valuable information. Who would not say that the media perception of the modern virus is incorrect? Not very many. But I think in his obvious arrogance he also shows us a hidden danger in the current state of computer science. Namely that we can somehow predict the advances we will conquer in the future. I do not claim that we will have holographic virii that will knock us out with a glance. But I am not so arrogant as to claim that since our MS-DOS virii are so simple we will never advance beyond the TSR/multi-partite virus. I'm sure the "brains" of daVinci's day scoffed at his visions of the future.

--
Ignore header. Mail: jroberts@uiuc.edu
(With subject: "getkey" for PGP autoreply)

------------------------------

Date: Tue, 20 Dec 94 12:07:39 -0500
From: "David M. Chess"
Subject: re: Tech Report on Virus fighting through Biological Processes

>From: S1104145@cedarville.edu (Daniel Hatfield )
>I am looking for a Technical Report produced by someone in IBM on the
>possibility of fighting viruses like the body fights viruses.

I suspect you're looking for one of Jeff Kephart's papers; various are available in the IBM Computer Virus Information Center. GOPHER users can gopher to index.almaden.ibm.com, choose "Computer Virus Information Center" and then "Papers and Reports". Web users can access this URL:

gopher://index.almaden.ibm.com/1virus/menus/virpap.70

DC

------------------------------

Date: Tue, 20 Dec 94 12:12:27 -0500
From: "David M. Chess"
Subject: re: Virus reporting procedures and rumor control

> From: Kenneth Gillgren
> What have been the most effective reporting procedures in companies or
> organizations with extensive WAN/LAN systems?
Within IBM, we've found it quite effective to have a central CERT (Computer Emergency Response Team), and to educate people (through notices, messages in antivirus programs, etc) to report all incidents to it electronically. The CERT is also responsible for sending out notes like "Please don't forward around reports of a 'Good Times' virus, as it is known to be a hoax". For some general good advice on this subject, see Alan Fedeli's papers "Corporate Antivirus Disciplines" and "Managing Computer Virus Emergencies" in

gopher://index.almaden.ibm.com/1virus/menus/virpap.70

DC

------------------------------

Date: Tue, 20 Dec 94 15:00:21 -0500
From: Jeff Hull
Subject: Re: Virus reporting procedures and rumor control

> What have been the most effective reporting procedures in companies or
> organizations with extensive WAN/LAN systems?

An organization-wide Computer Emergency Response Team (CERT) with the responsibility & adequate assets for rapid followup on virus reports within the entire organization (often has many other responsibilities as well, e.g., disaster planning); a single telephone number (800 # if appropriate) either staffed 7x24 or with automatic paging &/or voice mail, as appropriate; widely distributed standard virus reporting procedures for users; and (a must-have) post-incident analysis. The standard procedure includes guidelines for controlling spread of rumors (defined as unvalidated reports of virus incidents), response time by the CERT, simple steps that minimize false positives (i.e., that reduce the # of times a "virus report" is called in that isn't really a virus) -- roll your own, YMMV.

Be well.
Jeff

------------------------------

Date: Wed, 21 Dec 94 12:34:29 -0500
From: tdavis@umr.edu (Ted Davis)
Subject: Hypertext VIRUS-L FAQ

A hypertext version of the VIRUS-L FAQ is now available on the Web as

URL=http://gearbox.maem.umr.edu/0c:/virus/v-l_faq.htm|/

Note that the "htm" is followed by a pipe character, not an 'L' - this is the way the server wants it. The AWK script that converted the FAQ file into HTML format is available as

URL=ftp://gearbox.maem.umr.edu/gopher/pub/scripts/faq.awk/

This is by no means official, and comments are welcome - there is a mailto link at the bottom of the FAQ page. If Murphy is on the ball, this should cause an updated FAQ to appear immediately.

T.E.D. (tdavis@umr.edu)

------------------------------

Date: Tue, 20 Dec 94 12:18:16 -0500
From: "David M. Chess"
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)

> From: valdis@black-ice.cc.vt.edu (Valdis Kletnieks)
> There's absolutely no protections on a DOS machine. You wanna scribble
> anywhere in memory or disk, go right ahead. On the other hand,
> for instance, an IBM mainframe running MVS/ESA with RACF or Top Secret
> installed is *quite* the challenge to write viruses for ...

Let me make the opposite case: a standalone PC has the *best* possible security, better than any multiuser mainframe. The only way someone can alter the files on my machine is to sit down at its keyboard and type, or persuade me to run some program myself that'll do the dirty work for him. Even if I *wanted* to authorize someone somewhere else to alter my system, I couldn't do it. On multiuser systems, on the other hand, a virus can spread from user to user whenever one user is authorized to write to an object that another user is authorized to execute, something that happens more often than the average system owner realizes.
It's important to remember that viruses don't spread (or don't have to spread) by taking advantage of holes in access control systems, free access to all of memory, or anything like that. A virus can spread purely through *authorized* links, where someone has officially-approved write access to some executable. Access controls that are well-used can certainly slow down potential virus spread, but the mere presence of non-buggy access controls does *not* magically prevent viruses.

DC

------------------------------

Date: Wed, 21 Dec 94 04:15:38 -0500
From: 3dierks@rzddec2.informatik.uni-hamburg.de (Joern Dierks)
Subject: Re: OS/2 Virus? (OS/2)

: (...) I was wondering if there are any
: viruses that have been written specifically for the OS/2 operating system?

Yes, actually, there are two OS/2-viruses:

1. A virus which has been published in a magazine called 40Hex.
2. A virus named "Jiskefet"

Both viruses seem to be only experimental. The one from 40Hex is an overwriting, non-resident virus. It reports when it infects a file, so it seems to be just a demonstration. Jiskefet is a non-resident infector, but it has no damage-routine. It "only" spreads. Because it was delivered in source-code, it seems also to be a demonstration of how to write viruses for OS/2. As far as I know, these viruses have not been seen in the wild.

: He says that it is impossible to write an OS/2 virus
: because of the way OS/2 works with memory.

As you can see, it is not impossible to write OS/2 viruses. But to write a really complex virus, like some DOS-viruses are, requires much effort. OS/2 itself does not protect itself well enough, i. e. the kernel is writable after bootup.
Regards,
Joern

------------------------------------------------------------------------------
Joern Dierks
Virus Test Center
Universitaet Hamburg - FB Informatik
Vogt-Koelln-Strasse 20
22527 Hamburg
e-Mail: 3dierks@fbihh.informatik.uni-hamburg.de
------------------------------------------------------------------------------

------------------------------

Date: Wed, 21 Dec 94 11:37:40 -0500
From: vlpynskd@cig.mot.com (Dmitry Volpyansky)
Subject: OS/2 semi-virus (OS/2)

Hi,

There have been some questions about OS/2 viruses. At my previous company I wrote an OS/2 virus to prove that it could be done. Since I have never written any viruses before, and since I did not want it to get out, it could not replicate, and did not do any damage. Also, it was very fat (C++).

In essence, to cause damage you don't need to go to the disk under OS/2. You can randomly change named shared memory and named semaphores to screw up the programs that are running (including the OS). Whether that qualifies as a virus, I don't know, but after running it for a few minutes, I had to reinstall my system because a lot of the control files (non-OS) got corrupted. Also, with the advent of DLL's, you can insert your versions of the OS DLL's in the path, and stuff like that.

I like OS/2, but it is not meant to be protected against viruses. I think that when it gets more popular, (Warp?), you may see a new generation of viruses appear that can hide themselves in shared memory of other processes.

My $0.02 on this.

Dmitry Volpyansky
Advanced Techniques & Tool Development
Software Engineer I
Motorola Cellular Infrastructure Group
vlpynskd@cig.mot.com
1501 West Shure Drive, N349
(708) 632-6191
Arlington Heights, IL 60004

------------------------------

Date: Sun, 18 Dec 94 22:29:41 -0500
From: kellogg@netcom.com (Lucas)
Subject: Re: GenB virus alert (PC)

Jimmy Kuo (cjkuo@symantec.com) wrote:
: Michel Carbon writes:
: >I have a virus: GenB.
: >I have detected it with scan117, on a floppy disk.
: >how can I eradicate it, on my floppy disk?
: >If there is a cleaner for that, where can I have it?
: GenB by McAfee means it's sure you have a virus in the boot sector. But it
: doesn't know what it is.
: So, neither can anyone else till they see your sample or you get a scanner
: that does know exactly which virus you have.
: If you follow these steps, you can have something to send to AV people to help
: you determine what you have:
:
: stick diskette in A:
: using DEBUG
: -l 100 0 0 1
: -n virus.boo
: -r cx
: :200
: -w
: -q
:
: If you must put the diskette in B:, then the first instruction is
: l 100 1 0 1
:
: When you do that, if you feel like sending me a copy, contact me and I'll give
: you some procedures.
:
: Jimmy Kuo
: Norton AntiVirus Research

Use version 2.14 from McAfee, and you will get exact identification under most circumstances. That is one of the new features of McAfee's "Phoenix" product line...to provide more specific identification.

K.D. Lucas

------------------------------

Date: Sun, 18 Dec 94 22:36:04 -0500
From: kellogg@netcom.com (Lucas)
Subject: Re: Of what value is McAfee Netshld (PC)

John,

Please check to ensure that CRC checking is turned *off*. If CRC checking is enabled, then it will treat every modified executable as a virus [except those excluded in the exception list]. Netshield's virus signature files are updated enough so that CRC checking should not be necessary.

Thanx for the input,
KD Lucas

John Kloepper (kloeppej@ccmail.orst.edu) wrote:
: We've recently run through an evaluation period using the McAfee Netshield NLM
: on one of our files servers. Maybe I didn't have it correctly configured, so
: I'm willing to cut it a break, but I can't see how it works.
: More Info:
: In our office we have a couple of programmers who are constantly tweaking
: and updating pieces of code. When they recompile their programs and then load
: their files up to the server, the NLM would grab them and send a message that
: a virus was detected.
: However when I would view the log file all that is
: reported was that the suspect file was moved to its infected subdirectory.
: There was no mention of what type of Virus was suspected of operating.
: I suspect in our case all the program was doing is a CRC comparison check and
: then throwing the changed file into the infected area. In which case the
: moved file wasn't virus contaminated at all.
: Has anyone been able to get more bang for their buck using netshield to scan
: servers for viruses or is there something else we should be considering.

------------------------------

Date: Sun, 18 Dec 94 22:38:50 -0500
From: kellogg@netcom.com (Lucas)
Subject: Re: HELP: Form virus attacks Windows NT NTFS boot sector. (PC)

Paulo,

Also, try McAfee's RomShield to protect against boot viruses *before* the operating system loads!!

KDLucas

McAfee Associates (mcafee@netcom.com) wrote:
: tito@ciunix.uc.pt (Paulo Jorge Pimenta Marques) writes:
: [...short description of FORM virus deleted...]
: >Under Windows NT, however, its effects are disastrous. I don't think the form
: >virus could attack from within Windows NT itself, since the system is so
: >robust, not allowing programs to mess up with the system. If, however, you
: >boot up a PC with an infected floppy disk, the form virus attacks every
: >partition it finds, not caring whether it is, FAT, HPFS or NTFS.
: [...more about FORM on Windows NT deleted...]
:
: To remove the virus, try booting the infected hard disk from a clean
: copy of DOS (IBM, MS, Novell) and then try running your antivirus
: program. I've had luck with users doing this with VirusScan on Windows
: NT systems with FAT and NTFS volumes.
:
: Regards,
:
: Aryeh Goretsky
: Technical Support
: --
: - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
: McAfee Associates, Inc.
: | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
: 2710 Walsh Ave, Suite 200 | FAX (408) 970-9727 | or try: support@mcafee.com
: Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
: 95051-0963 USA | USR HST Courier DS | or GO MCAFEE
: Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Mon, 19 Dec 94 09:19:44 -0500
From: rocketrex@aol.com (RocketRex)
Subject: KEYPRESS virus (PC)

Hello,

I have been repairing a client's computer, and it appears that it has been infected with the "KEYPRESS" virus (info given from McAfee's Virus Scan v2.1.3). McAfee's also says that they do not have a fix for this virus as of this release. Does anyone out there know of a fix? (Yeah, I know.... other than removing the partition & reformatting?)

Thanks for any help available.

Rex Smith
rocketrex@aol.com

------------------------------

Date: Mon, 19 Dec 94 09:24:32 -0500
From: davidr@searchtech.com (David Resnick)
Subject: F-PROT (PC)

Sorry if this is in the faq -- haven't gotten a copy of that yet if there is one. Could someone tell me where I can get a copy of the latest version of F-PROT? Many thanks in advance!

[Moderator's note: You can get a copy of the FAQ from ftp://corsa.ucr.edu; also, an updated version of the FAQ is being developed.]

Dave

--
David Resnick
Search Technology
davidr@searchtech.com
(404)441-1458 ext. 219

------------------------------

Date: Mon, 19 Dec 94 09:43:17 -0500
From: councill@levy.bard.edu (John Councill)
Subject: Re: NYB (PC)

TSE CHI ON ANDREW (s935476@acs.csc.cuhk.hk) wrote:
: Hello all!
: Does anyone know the virus named NYB. It's a very new virus.
: Even the newest SCAN 2.1.3 still cannot kill that virus!
: So, does anybody know whether there's a cleaner for that virus
: NYB? Thanks.
: --

If NYB is the same NYB that I am thinking of (another name for it is B1), get the latest version of F-prot and boot the machine from a clean booting disk. Run F-prot.
It wasn't able to find the original MBR but letting F-prot overwrite the MBR with a clean one worked for me. I've had no problems cleaning it off of diskettes with F-prot.

John A. Councill
Technical Analyst/LAN Admin. (councill@bard.edu)
Henderson Computer Resources Center | Bard College | (914) 758-7494

------------------------------

Date: Mon, 19 Dec 94 11:23:03 -0500
From: asad@esu.edu (Asad Chaudhry)
Subject: Possible Virus Problem (PC)

Hello,

My computer doesn't boot properly. I get a missing interpreter error. But when I type in command.com at the prompt it boots fine. Then I type in autoexec and everything is O.K. Did some virus do this? If so, how do I get my computer to boot normally? (I scanned with MSAV and found nothing)

Thanx

--
*** Asad Chaudhry ***
Internet: asad@esu.edu

------------------------------

Date: Mon, 19 Dec 94 12:02:53 -0500
From: jjb18@columbia.edu (Jeremy J. Blumenfeld)
Subject: Re: Stoned.Empire.Monkey.B (was Re: THANKS!! Re help with FORM) (PC)

>Either way, be on the lookout for the form virus whenever you find the
>monkey virus. Disinfecting floppies twice with F-prot 2.15 usually
>eradicates the virii with no problems. And disinfecting hard drives
>(Rebooting with a clean bootable write-protected floppy both times)
>twice almost always works too.
>

We had similar problems in our lab last year (which are continuing, somewhat, into the current year). Very often found more than one boot sector virus on a hard drive. As far as keeping the virus out, the best thing was to add /boot to the command to load virstop. Otherwise, users weren't warned about the virus on their disks, continued to use them, and eventually transferred the virus to the lab hard drive or their own PC when doing a reboot with the floppy in the drive.

___________________________________________________________
Jeremy Blumenfeld
IAB rm.
510
Systems Coordinator (212) 854-1578
School of International and Public Affairs

------------------------------

Date: Mon, 19 Dec 94 14:51:17 -0500
From: thumper@sefl.satelnet.org (Jonathan Abramson)
Subject: How to get with CPAV (PC)

I need a way through the I-net to download updates from Central Point. Can anyone help me?

Thanks in advance
Jonathan Abramson
Thumper@sefl.satelnet.org

------------------------------

Date: Mon, 19 Dec 94 20:20:51 -0500
From: asad@esu.edu (Asad Chaudhry)
Subject: Any info about the KHOBAR virus? (PC)

The title says it all. Thanx for any info

--
*** Asad Chaudhry ***
Internet: asad@esu.edu

------------------------------

Date: Mon, 19 Dec 94 23:21:42 -0500
From: whorne@Libris.Public.Lib.GA.US (William K. Horne)
Subject: Floppy format and NYB???? (PC)

Had a problem - couldn't finish a format of a floppy disk. Got all the way through to 100%, then got abort,retry,fail. Changed card, cable, and drive. No effect. Ran scan 213, found NYB (no indication of genb or genp). Did fdisk /mbr on c:. NYB gone, floppies format OK.

What is NYB? What else does it do?

bill horne
JoAS / ABB Systems
whorne@mail.public.lib.ga.us
"You can change the past if you accept that today is tomorrow's yesterday."

------------------------------

Date: Tue, 20 Dec 94 00:24:39 -0500
From: 91406723@brt.deakin.edu.au
Subject: Unfavourable InVircible Review (PC)

I have just finished reading a product review of the InVircible v5.07A anti-virus software product in the December '94 issue of the Virus Bulletin. Can anyone out there defend this review, as it raised serious issues with the product? The conclusion drawn was to avoid it.

------------------------------

Date: Tue, 20 Dec 94 08:37:30 -0500
From: cannon@nic.com (Kevin Martin)
Subject: Re: WIN.COM modification (PC)

mikie@owlnet.rice.edu (Michael Howell) wrote:
> In the past two days, my win.com file has been modified from 50,904 bytes to
> 95,036 ...
> The date changes at that point, as well ... When the 95K version
> is executed from a DOS command line, the message "Program too big to fit in
> memory" appears.
>
> Sounds evil and virus-like, but I've run mwav, fprot, and tbav, and none
> have come up with anything. Sigh. Any comments?

An MS-DOS .com file by definition has to fit in 64k. WIN.COM specifically is built by Windows SETUP out of three binary pieces, and is rebuilt if you change screen resolutions. One of the pieces is a 16-color RLE bitmap, the familiar Windows logo screen, VGALOGO.RLE. Lots of folks have fun replacing this bitmap with more, uh, interesting graphics... but you have to be careful to use one that is small enough to keep the total size of the resulting WIN.COM below 64KB.

Try this: In DOS, cd \windows and run setup. Change your video resolution to something different than it is now. Then change it back. You should get a new WIN.COM that will work, unless someone has messed over your VGALOGO.RLE file. In that case you'll need to get it off the Windows setup disk. Look for VGALOGO.RL_ and run windows\EXPAND.EXE to unpack it (it's a DOS program). Sorry I don't remember which disk it's on. :-)

---
"That's MISTER Windoze to you, bubby!"

------------------------------

Date: Tue, 20 Dec 94 09:23:04 -0500
From: borsoi@esa-jandri.grenet.fr (PJB)
Subject: Looking for an antivirus (PC)

Hello !

Our Business School has lots of problems with viruses, and is looking for an antivirus that would stop the computer when detecting the Genb or Genp virus on the hard disk or floppy disk. We presently have the McAfee antivirus but this one is not efficient enough. We need HELP !!!

Hope to hear from you soon,
Thanks & Merry Christmas,
Françoise & Co.

------------------------------

Date: Tue, 20 Dec 94 12:02:10 -0500
From: poppg@columbia.dsu.edu (Gary Popp)
Subject: Win 96 AV? (PC)

When Win 95 comes out, what anti-virus packages will run the best on it?
I heard a little about F-Protect Professional for Windows; does it include a TSR? Will this package work with Win 95? Thanks for any input.

Gary

------------------------------

Date: Tue, 20 Dec 94 12:03:38 -0500
From: "David M. Chess"
Subject: re: Question: Infection Misconceptions? (PC)

From: moylek@mcmaster.ca (Kenneth Moyle)
> First: MS-DOS viruses cannot survive a warm boot.

Not precisely true. There are some viruses which will survive your pressing control-alt-delete. They don't *exactly* survive a warm boot: instead, they arrange things so that c-a-d doesn't actually *do* a full warm boot, it just reloads the operating system with the virus still active. If you have a BIOS that's talkative at warm-boot-time, for instance, you won't see the usual logos and things. DOS will just reload, with the virus still in control. The most common virus that does this is the JOSHI. It's always safest to cold-boot if you suspect there may be a virus active (the virus can intercept c-a-d, but it's much harder to intercept the power switch!).

> Second: Boot-sector viruses on a diskette can only infect a pc if
> the diskette is booted from (whether the boot was successful or
> not; i.e. whether it had the system files or not).

That one's true. I only wish more people knew it! *8)

--
David M. Chess / "In the long run, life depends less on
High Integrity Computing Lab / an abundant supply of energy than on
IBM Watson Research / a good signal-to-noise ratio." - Dyson

------------------------------

Date: Tue, 20 Dec 94 13:11:13 -0500
From: "David M. Chess"
Subject: DA'BOYS Virus (PC)

> From: DJenkins@UH.EDU (David Jenkins)
> Two computers we work with have been infected with the DA'BOYS virus.
> Neither McAfee nor CPS was able to detect the virus, which was visible
> using Norton DE to look at boot record. (Virus has been removed using
> FDISK/mbr and SYSCON.)

Was the virus in the master boot record, or the operating system boot record?
The DA'BOYS virus that we know (IBMAV 1.07 and after detect it) infects only operating system boot records, not master boot records.

> Question: Why couldn't these packages detect the virus at all ...

The virus isn't "invisible"! You were just running versions of the anti-virus programs that didn't know about this particular virus.

> What kind of damage might we have suffered as a result of this
> infestation? (McAfee is silent on this.)

If it's the same DA'BOYS virus that we have here, it has no damaging (or otherwise) payload at all. If you've cleaned up the infected boot records, your systems should now be back to normal (make sure you've checked any and all diskettes used in those machines!).

DC

------------------------------

Date: Tue, 20 Dec 94 14:34:25 -0500
From: Werner.Icking@gmd.de (Werner Icking)
Subject: Re: Lyceum.930 virus (PC)

pirot@socrates.ceid.upatras.gr (Pete Pirot) says:
>
>I was infected by virus Lyceum.930
>I'm using scan of Mcafee but the virus
>cannot be safely removed

By accident I detected Lyceum.930 in two data-files (*.TOM) when disinfecting floppies used on a PC which had been infected by the Ripper virus. I used F-PROT which stated that the virus could be removed from the files. After that the files looked clean. But because I don't know what the files are good for I couldn't test whether the data was ok. I unpacked SCAN 2.1.1 and tried to clean the files; but SCAN refused to remove the virus.

>Since I have no back-up files of my infected files
>I would appreciate any help in order to remove this virus
>safely. Please answer.....

What's better, a good virus-scanner/remover or a good backup? :-(

Hope this hilft -- Werner

------------------------------

Date: Tue, 20 Dec 94 15:55:23 -0500
From: wintera@columbia.dsu.edu (ADAM WINTER)
Subject: F-Prot professional updates? (PC)

Does anyone know where to get updates for the anti-virus list in F-Protect Professional? Please email WINTERA@COLUMBIA.DSU.EDU. Thanks!
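Added example, not code posted by anyone in this digest: two earlier threads ask what to do with a raw boot sector, first Jimmy Kuo's DEBUG recipe that saves a floppy's sector to a 512-byte file (VIRUS.BOO), then David Chess's question whether DA'BOYS sat in the master boot record or the operating system boot record. The Python below takes such a 512-byte image, decides which of the two structures it carries, and reports which byte ranges differ from a known-clean copy; the sample sectors are constructed here, not captured from real infections.

```python
"""Triage a raw 512-byte sector image, e.g. the VIRUS.BOO that DEBUG's
"l 100 0 0 1 / n virus.boo / r cx / 200 / w" sequence writes out.
Sample sectors below are constructed for the demonstration."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of any bootable sector
PARTITION_TABLE_OFFSET = 0x1BE      # four 16-byte entries in an MBR
BPB_OFFSET = 11                     # BIOS Parameter Block after JMP + OEM name
# Media descriptor bytes DOS uses (0xF0 = 1.44 MB floppy, 0xF8 = hard disk).
VALID_MEDIA = {0xF0, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF}


def has_plausible_bpb(sector: bytes) -> bool:
    """True if the sector starts like a DOS volume boot sector: a JMP over
    the data, a printable OEM name and sane BPB geometry."""
    if sector[0] not in (0xEB, 0xE9):                  # JMP short / JMP near
        return False
    if not all(0x20 <= b < 0x7F for b in sector[3:11]):
        return False
    (bytes_per_sector, sectors_per_cluster, reserved, fats,
     _root_entries, _total, media) = struct.unpack_from("<HBHBHHB", sector, BPB_OFFSET)
    return (bytes_per_sector in (512, 1024, 2048, 4096)
            and sectors_per_cluster != 0
            and sectors_per_cluster & (sectors_per_cluster - 1) == 0  # power of two
            and reserved >= 1 and fats in (1, 2)
            and media in VALID_MEDIA)


def has_plausible_partition_table(sector: bytes) -> bool:
    """True if the table at 0x1BE looks like FDISK wrote it: boot flags are
    0x00/0x80, at most one active entry, every used entry has a length."""
    active = used = 0
    for i in range(4):
        base = PARTITION_TABLE_OFFSET + 16 * i
        boot_flag, ptype = sector[base], sector[base + 4]
        if boot_flag not in (0x00, 0x80):
            return False
        if ptype:
            used += 1
            _lba_start, length = struct.unpack_from("<II", sector, base + 8)
            if length == 0:
                return False
        active += boot_flag == 0x80
    return used >= 1 and active <= 1


def classify_sector(sector: bytes) -> str:
    """Return 'dos_boot_sector', 'mbr' or 'unknown' for a 512-byte image.
    Boot viruses commonly keep the BPB or partition table intact so DOS still
    mounts the disk, so this says *which* structure you hold, not whether it
    is infected; compare against a clean copy for that."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        return "unknown"
    if has_plausible_bpb(sector):
        return "dos_boot_sector"
    if has_plausible_partition_table(sector):
        return "mbr"
    return "unknown"


def changed_regions(reference: bytes, suspect: bytes) -> list:
    """[start, end) byte ranges where suspect differs from a known-clean copy;
    a virus that preserved the BPB shows up as changes in the code area only."""
    regions, start = [], None
    for i, (a, b) in enumerate(zip(reference, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, min(len(reference), len(suspect))))
    return regions


def make_floppy_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector: JMP, OEM name, BPB, zero code, signature."""
    bpb = struct.pack("<HBHBHHBHHHII", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    body = b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb
    return body + b"\x00" * (510 - len(body)) + BOOT_SIGNATURE


def make_mbr() -> bytes:
    """Constructed MBR: a few code bytes, one active FAT16 partition, three empty entries."""
    code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (PARTITION_TABLE_OFFSET - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 2097089)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def make_patched_floppy() -> bytes:
    """The floppy sector with 18 code bytes overwritten and the BPB left intact (constructed)."""
    patched = bytearray(make_floppy_boot_sector())
    patched[0x3E:0x50] = b"\x90" * 18
    return bytes(patched)


if __name__ == "__main__":
    clean, mbr, patched = make_floppy_boot_sector(), make_mbr(), make_patched_floppy()
    print(classify_sector(clean), classify_sector(mbr), classify_sector(patched))
    print([(hex(s), hex(e)) for s, e in changed_regions(clean, patched)])
```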
------------------------------

Date: Tue, 20 Dec 94 16:02:53 -0500
From: we50263@vub.ac.be (Thomas Van Den Bon)
Subject: SW-logo in mode 13: Serious trouble! (PC)

Hello,

I, and a number of other people, have experienced some trouble when entering video-mode 13, probably after downloading something. Whenever entering mode 13, a logo "SW" is displayed on the screen. I believe it is something very nasty, because I've even formatted my hard-disk and I still have got the problem. So I believe it is written inside the video-card. I also put my video-card in another slot and this hasn't solved the problem either. However, this appears less often when I execute my video-card driver utilities (I have a simple Trident 8900; the driver that makes the problem occur less often is TVGABIO.EXE. However, the problem is also on video-cards from other manufacturers.)

I wonder if there are other people experiencing this problem. Is it a bug or a virus? Has anyone fixed this problem or know a way how to fix it? If so, please let me know. I'll be very thankful.

------------------------------------------------------------------------------
Thomas Van den Bon
E-Mail: we50263@is1.vub.ac.be
------------------------------------------------------------------------------

------------------------------

Date: Tue, 20 Dec 94 16:13:52 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: ANSI bombs dropping viruses (PC)

Mike McCarty (jmccarty@spd.dsccc.com) writes:
> Iolo Davidson wrote:
> )
> )I have heard of an ANSI bomb which launched a virus, ie. loaded
> )it into memory and executed it. The body of the virus was in the
> )file containing the ANSI bomb, and the whole thing happened when
> )you typed the file. The virus then infected files as an ordinary
> )memory resident file virus.
> )
> )I haven't had this thing in my own hands, but the person who told
> )me about it is extremely reliable.
> In other words, it happened to a FOAF. Is this perhaps an urban legend
> in the making? Who knows.

I know. I have seen the thing with my eyes. The ANSI bomb was in a text file called REDHAIR.TXT or something like that. When TYPEd, it attempted to reprogram the Enter key to create a small, trivial, non-resident COM-only file infector and to start it. The virus is currently known under the name Dutch_Tiny.117 - we don't have a name for the ANSI bomb. It was a rather trivial thing, although obviously somebody has done it just to prove that it is possible.

BTW, I got it together with a batch of other viruses sent to me by Dr. Alan Solomon. Iolo used to work for him, which probably explains how he has heard about this thing. The ANSI bomb was created by the Dutch virus writing group TridenT - they have exploited many novel ideas in virus writing.

I have myself played with ANSI bombs - I wanted to see whether it is possible to use an ANSI bomb to force the user to execute something by just doing a DIR of a diskette. My conclusion was that it is not possible to do it in a way that wouldn't be immediately obvious. The most I could do was to reprogram one key to another (i.e., to a single-byte character), but nothing more. I was putting the ANSI sequence in the volume label, but 11 characters are simply not sufficient for anything serious. Besides, ANSI bombs are trivial to stop.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226
Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.
Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de
22527 Hamburg, Germany

------------------------------

Date: Tue, 20 Dec 94 16:18:52 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can a virus spread like this?
(PC)

dhusson@novell.business.uwo.ca (dhusson@novell.business.uwo.ca) writes:

> Doing a dir of an infected floppy will load the virus into memory in
> the case of the ANTIEXE and STONED.HENGE. The Viruscan software picks
> this up. If you write a file to your hard disk, the hard disk does
> become infected.

The above statement is WRONG. Read the FAQ to see why.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 20 Dec 94 16:22:09 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Question: Infection Misconceptions? (PC)

Kenneth Moyle (moylek@mcmaster.ca) writes:

> First: MS-DOS viruses cannot survive a warm boot.

Incorrect. Some (few) MS-DOS viruses can survive a warm reboot (from the user's point of view) on some machines. Such viruses are Joshi.*, Parity_Boot.*, Alabama, and probably a couple of others. The EXE_Bug.* viruses can survive (again from the user's point of view) even a *cold* reboot on some machines.

> Second: Boot-sector viruses on a diskette can only infect a pc if the
> diskette is booted from (whether the boot was successful or not; i.e. whether
> it had the system files or not).

Correct.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 20 Dec 94 16:37:18 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disabling TSRs (PC)

Fridrik Skulason (frisk@complex.is) writes:

> A virus that is "known" to the TSR will be stopped by it, before it
> gets a chance to disable it (unless it is launched from a "dropper"
> program). In this case you don't have a problem.

> A brand new virus does not have to disable the TSR to bypass it - the TSR
> will not be able to recognize it anyhow. However, this would only cause

:-). Frisk, you are forgetting that not all anti-virus TSRs are like yours. :-))

The above arguments are valid for a scanner-only TSR. However, some anti-virus TSRs (e.g., the ones that come with CPAV, NAV, and many others) are combined systems - scanners, as well as behaviour blockers, and sometimes even integrity checkers. It does make perfect sense for a virus to disable *them* - if it is a new virus, the scanner part will miss it, so it will get a chance to execute, but it has to disable the behaviour blocker, in order to prevent it from detecting the virus.

VSAFE is a typical example and indeed, most viruses target it - an additional reason is that it is *so* easy to target it - the producer has provided a "KickMeOut" function call... :-(

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 20 Dec 94 17:44:26 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: memory scanning (PC)

I tried. I swear, I tried hard. *Really* hard.
But, with all due respect to Frans (who is a friend), I just cannot let this one pass...

Frans Veldman (Veldman@esass.iaf.nl) writes:

> Iolo Davidson wrote:
> >
> > And further to that, whatever Thunderbyte is designed to do,
> > the actual performance under test conditions showed that it did
> > not cope sensibly with viruses in memory. Whether you think this

> As it appears that you are still unable to get my point, let's try
> it again.

As it appears, Frans, it is *you* who seems to be unable to get the point. Let's try to get it straight.

> TBAV is a very bad text processor. Some other Anti-Virus products have a
> very nice text processor to type in your signatures.

> The point is, TBAV is not designed to have a full fledged text
> processor, since we, developers of TBAV, considered it not to be an
> important necessary component of an anti-virus product. The lack of a
> word processor doesn't mean however that TBAV is a bad product.

Correct. It just means that it is useless for text processing. The article in "Secure Computing" we are talking about didn't test how "good" the products are. Instead, it tested how well they detect viruses in memory. Their conclusion was - and, after having done some limited tests myself, I agree - that your product is USELESS FOR DETECTING VIRUSES IN MEMORY. Do you agree with this? Whether you think it important to detect viruses in memory or not is beside the point right now - I will address that issue later. The point is that if somebody wants a program that can detect viruses in memory, they had better forget about your product - right? It is about as pointless to use it for this purpose as to use it for text processing.

> For some reason you consider memory
> scanning as a necessary component of an anti-virus product.

Aha, here comes the second question - but is detecting viruses in memory necessary? Iolo seems to think that it is. I happen to agree with him - for an explanation why, see below.
> We have tried
> and failed to explain to you that locating viruses in memory is and has
> never been the goal of anti-virus products,

Yes, you have failed. You have tried to convince us here too, and have failed as well.

> but an aid to achieve the
> real goal of anti-virus products: detecting viruses on disks.

Rubbish. The goal of the anti-virus products is to detect viruses in places where they might pose a danger TO THE USER AND THEIR DATA. Oh, but you are saying, but a virus active in memory does not pose a problem to my anti-virus product. Well, my reply is: WHO CARES? I don't give a damn whether a virus active in memory causes a problem to your scanner or not - it causes a problem to ME, THE USER! I want a good anti-virus product to be able to find it there and to warn me about that.

Consider the following scenario. A fast infector is active in memory and I do not know about that. I run your scanner and it tells me that a bunch of files are infected. Because your scanner is so smart, it manages not to infect the clean files during the scanning process. So far, so good. However, I want to get rid of the virus. And, since your product is essentially useless for disinfection too (not that I think that disinfection is a good thing), what do I do? Right, restore from backups. Too bad, you didn't tell me that there was a virus active in memory. While I am copying the originals, the virus cheerfully infects the copies, and, if the diskettes with the originals are not write protected (a Bad Thing, yes, but to err is human), it has now infected my originals as well. SNAFU. Why? Because your scanner was not able to find viruses in places where it is important to find them - in memory. Had it done so, I would have booted from a clean floppy and the above problem wouldn't have occurred.

Next scenario. Same as above, but the virus has a time-dependent destructive payload.
As your scanner is happily scanning the disk - not affected by the presence of the virus but not detecting it in memory either - the timer reaches that dreaded value and - PUFF - all my data is gone, together with your oh-so-smart scanner. Tough luck. All this could have been avoided, had your "smart" scanner been smart enough to detect the virus active in memory and warn me about it.

See my point?

> If a product is capable of reaching that goal by using different methods,
> then it should not get a penalty for not using a specific aid.

If a product is smart enough to detect viruses - on the disk as well as in memory - it shouldn't be penalized for it, I agree. However, your product isn't. It doesn't detect viruses in memory and sometimes hangs without any explanation, due to a conflict between the stealth routines of the virus and the scanner's own tunnelling routines.

> In our opinion, the test should have been designed as follows:
> 1) Load a stealth virus in memory.
            ^^^^^^^

No. Load a *resident* virus in memory. I want scanners that tell me when a virus - any memory resident virus - is active in memory. If they fail to do so, they are not good enough, or at least do not suit my needs.

Frans, take a look at some other products. Do you seriously think that they scan the memory only for stealth viruses or fast infectors - because those are the only kind of memory resident viruses that could cause problems to a scanner at runtime? No! They scan for *any* memory resident viruses - and they do this not because it is easier (it isn't that much easier; it's maybe even harder), but because it is necessary - because the user needs this kind of protection.

> There are three results possible:

No, there are four, actually.

> a) The scanner is still able to point out which files are infected.
> Since the scanner doesn't get disturbed by the stealth virus, it reaches
> its goal, and the result should be considered as 'positive'.

Yep, it's good, but not good enough.
> b) The scanner is not able to detect the infected files because of the
> stealth virus, but instead notices this potentially dangerous situation
> by detecting the virus in memory.
> In this case the result is also 'positive'.

Yep, it's acceptable, although not as good as before.

> c) The scanner fails to detect all viruses on disk but also fails to detect
> the virus in memory.
> The result is 'negative'.

Correct. There is a third possibility, however, indicating the BEST possible result. That possibility consists of detecting the virus in memory AND detecting it on the disk, unaffected by the "stealthiness" of the virus. As a bonus, it could even deactivate the virus in memory (as AntiVirus Pro does), although this is a dangerous operation, if not done properly.

> The article we are currently discussing didn't consider situation 'a)'
> at all,

Of course! This wasn't what they were testing! Frans, did you actually read the article? I mean, the whole of it, not just the summary for your product? They did a test of how well anti-virus products cope with viruses in memory. Yours didn't - it didn't detect them, hung, and so on. Which is what they reported - that your product did not perform well in this particular test. They didn't say that the product is bad in general, or that it is bad in detecting viruses on the disk - they just said that it does not cope well with viruses in memory. I'm sure that when they do a virus detection test on disk only, your product will score rather high - because it is pretty good in this aspect. It's just not good for detecting viruses in memory and shouldn't be relied on by people who consider this capability important.

> and showed a negative result for those products which were
> actually able to handle the situation properly.

But your product didn't handle the situation properly! (The situation being a virus present in memory when the scanner was run.) It didn't warn the user that there is a virus in memory. It sometimes hung.
> The main problem of this
> test was the failure to see that memory scanning is just an aid, and
> they considered memory scanning as a goal by itself.

The goal of this test was to test how well scanners cope with viruses in memory. Yours didn't. Whether this is important for a good product is a completely different matter and the article did not discuss this at large - although they did publish your opinion. For reasons explained above, I think that this capability *is* necessary for a good anti-virus product. In fact, had I written that review, my comments against your product would be much sharper than the ones in the present review.

> The real problem however was not the test, but your reaction here.
> Someone asked: Is TBAV a good product.
> Your answer: We did a test on memory scanning, and TBAV was the worst
> product tested.

Not quite. I don't have the original message, but from the later exchange it seems to me that somebody asked whether TBAV is good, somebody else said that it is, and Iolo warned them that its memory detection is rather useless, according to the tests performed by "Secure Computing" (even not by him!). Instead of providing reasonable arguments why you think that memory scanning is unimportant, you jumped on him attacking the review, the magazine, their bias, and so on.

> Some people here understand that:
> 1) Memory scanning is not the main component of scanners and therefore
> shouldn't be used to judge a whole product.

It might not be the main component, but it is an important one - just like scanners must not be the main component in a good virus protection, but they are an important part. I sure hope that people here understand this.

Frans, why don't we make a test. Ask the readers of this forum - if they can choose between a product which can detect viruses in memory, and one which cannot, and given everything else equal (detection rate on the disk, speed, price, etc.), which one would they select?
> 3) This answer just irritates me.

Your totally unfounded whining irritates me too, which explains this message. :-)

> 4) Reviewers should not comment on products when they are 'off-duty'.

RUBBISH! It is the duty of every self-estimated reviewer to share their knowledge with the others and prevent false claims from being spread by the marketoids. I have tested anti-virus products several times. Have you seen me refrain EVEN ONCE from informing the people that some product is crap when this is indeed the case? Let's face it, regular users do not have the expertise to evaluate an anti-virus product. Therefore, it is the duty of virus-competent people like Iolo, me, Rob Slade, and many others, to review those products and share our knowledge on it.

> Suppose what we would get if Paul Robinson, Richard Ford, an author of
> PC magazine, etc. all would answer "which product is good" questions in
> this forum? You would create a lot of confusion and a lot of enemies.
> Furthermore, it would trigger a lot of comments from AV developers who
> simply wouldn't agree.

First, you are forgetting that Paul Robinson's position was not to advise Iolo *not* to argue with your accusations. Second, you seem to think that Iolo is still working for an anti-virus producer (Alan). He isn't. It is my understanding that he is a self-employed consultant now. His *only* role in this particular test has been that he has advised the testers which particular viruses to use during the tests.

> Furthermore, if I submit a product for testing purposes for Secure Computing,
> I expect to see an article in Secure Computing, but I don't expect an employee
> of Secure Computing to run away with all information and use it wherever he
> thinks it applies.

Iolo commented here as a private person. I am pretty sure that we all are commenting here as private persons and none of us is officially speaking for their company (well, with a few exceptions, when they *are* the company).
I don't see anything wrong with somebody referring to some test results published in a magazine - even if he has happened to consult that magazine. Heck, I refer to my scanner tests all the time!

> I have seen similar statements from Patricia Hoffman, Doren Rosenthall,
> Bill Lambdin and a dozen others. They all claim that THEY are the experts,
> and that they don't need to listen to the AV developers.

There is one big difference. Patricia Hoffman, Doren Rosenthal, and Bill Lambdin are "wannabes" in the field of computer viruses. Iolo is an expert. He has participated in the development of an anti-virus product. He has disassembled lots of viruses. Unlike the above people, he knows what he is talking about.

> YES!!!! Of course you have to listen to the developers! They are the only
> ones with practical experience in the field, they KNOW why they have chosen
> a specific solution, and they KNOW how their products should be tested!

Frans, get a clue. :-) Iolo has been a developer. And - guess what - he has participated in writing a TSR scanner. He knows all this.

> We have had a similar situation with 'fake viruses' designed to test
> anti-virus products, which seemed a good idea, until the DEVELOPERS explained
> HOW their scanners work, and why testing their products with random
> signatures does not work.

Which does not completely invalidate those test methods. The important thing is to use the *proper* test methods - and, in order to do that, one has to know how the different products work. I agree, few people do. Rosenthal's mistake is pushing a product that puts scan strings in files as a method to test *any* scanners. Of course it doesn't work.
However, if he took a scanner that did bulk (instead of smart) scanning (i.e., scanning the whole file, not just the parts where a virus can be), like the IBM scanner does, extracted the scan strings used by THAT PARTICULAR SCANNER, inserted them into executable files and used those files to test THAT PARTICULAR SCANNER - this would be a perfectly valid approach. Similarly, using MtE-encrypted non-viral files is not a valid method for general testing of MtE detection - because some scanners decrypt the file, look for a virus beneath the encryption, and do not report anything if they don't see any. However, such a testing method is perfectly applicable for a scanner that attempts to recognize the MtE decryptors - like McAfee's SCAN.

The point is that the tester must know how the different products work and use the *proper* method to test them. There are no universally "right" or universally "wrong" test methods - they depend on the products being tested.

> A reviewer may know how a virus works, but is NOT an expert. He hasn't

Gee, sometimes he is!

> had to answer support calls from users for several years. He hasn't
> experienced compatibility problems with the design of anti-virus
> products. He doesn't know how bad some solutions perform in the real
> world. He doesn't know how the anti-virus products work internally.

Get a clue - see above. Iolo has done all this. I have done all this. In some sense, I am even more qualified in this aspect, because I know how *several* products work - not only a single one, my own.

> Recently I had a discussion with a reviewer who wants to test checksummers.
> He intended to make random changes to files, to test whether anti-virus
> products would detect the changes.

It would be wrong to test *only* this. However, this is one of the tests that *must* be performed. See below.
> After I explained to them that our product tries to distinguish between
> changes which are the result of an infection and changes that are the result
> of configuration changes, he understood that he should use real viruses
> for this test, and not randomly change files as this would result in a
> penalty for the smarter products.

Sigh... Yet another potential reviewer has been fooled by the short-sightedness of an anti-virus producer. Frans, the above is WRONG! Yes, it is good to be "smart" and check only at the places where the viruses can be. However, viruses can be in damn many places! Ever heard of the Omud virus? I suggest that you review the old issues of "Virus Bulletin" - I can dig up the exact reference, if necessary. They call the virus "8888". Sometimes, this virus overwrites a random sector of the file with itself, expecting to receive control at runtime. Often this works - not always, of course. Pray tell, how is your "smart" integrity checker going to detect this, if it does not have the option to check the integrity of the *whole* file?

> As a reviewer, you have to listen to the developers, and judge this input
> for validity and adapt your tests where applicable. If you make a mistake,
> AV developers will jump on you.

Wrong. The AV developers will jump on him - if he produces a review that exposes their product in a bad light - completely independently of whether he has made any mistakes or not. Trust me, I know from personal experience. :-)

> If you don't like that, you should not
> try to play a dominant position in this field.

Rubbish. An expert's duty is to play a position in his field according to their knowledge. If they spot that some product is bad - completely, or only in some aspect - their duty is to report this to the public, regardless of what some product developers might say about it.

Regards,
Vesselin

P.S. No, I am not back. I stopped reading the newsgroups (not only this one), because I am too busy with my Ph.D. thesis.
I had to read them for a while, because I had important information to share in one of the cryptography groups and I feel the need to follow the discussion and share my knowledge and experience in some particular field (I got my hands on the German cryptographic machine from WWII, the "Enigma"), because not many people have had my luck to have the opportunity to acquire it. I'll disappear back soon, for many more months. Frans, if you want to continue this discussion, let's switch to e-mail - by making a fool of yourself you are only making your product look bad - which is a pity, because it's a rather good one, besides some drawbacks.

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226, Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de, 22527 Hamburg, Germany

------------------------------

Date: Tue, 20 Dec 94 18:50:28 -0500
From: cceksw@leonis.nus.sg (Gerald Khoo)
Subject: Re: Network Antivirus NLM's / need advise (PC)

Anna Gentry (agentry@uga.cc.uga.edu) wrote:
: kloeppej@ccmail.orst.edu (John Kloepper) wrote:
: >
: > We are currently looking into antivirus NLM's to run on our Novell servers.
: > To date all i've been able to find is netshld from McAfee. Can any one
: > provide information on other options or an opinion on netshld?

You can try SWEEP by Sophos. So far, I have found it pretty good, and also their support and response time for new viruses is good.
: Anna

--
Khoo Seng Wee, Gerald
National University of Singapore Computer Centre
10, Kent Ridge Crescent, Singapore 0511
Tel: (65) 772-6426, Fax: (65) 778-0198
Internet: cceksw@leonis.nus.sg

In Christ alone, I place my trust, And find my glory in the power of the cross; In every victory, let it be said of me; My source of strength, my source of hope, Is Christ alone. (Michael English)

------------------------------

Date: Wed, 21 Dec 94 01:57:26 -0500
From: aureyre@grenet.fr (Laurent Aureyre)
Subject: question on virus (PC)

I've got a big problem with my PC computer... I've got a virus called 2KB, I know the name because I used a program (virus scan) which is stupid because it gives me the name of the virus but can't repair my system. I know that my virus is in the master boot sector but I don't know how to remove it. Somebody told me that I can do something with the FDISK option of DOS 6.22 but I don't know how to use it....

Thank you for your help
laurent
E-mail : aureyre@ccalc2.grenet.fr

------------------------------

Date: Wed, 21 Dec 94 03:52:29 -0500
From: Zvi Netiv
Subject: Re: NOT an InVircible (CMOS) Error! (PC)

> Subject: HELP: InVircible CMOS Error ? (PC)

vcurtis@relay.nswc.navy.mil (vcurtis) wrote:

> Periodically when I boot up my system InVircible gives me a message
> stating 'CMOS Data has changed'. I have no idea what it thinks is
> wrong or what, if anything, I should do about it. I don't know why it
> is changed sometimes and not others. What would cause my CMOS to
> change or is InVircible fooling me? It happens probably about every
> 3rd time I boot up. Any ideas?

Add the /NOCMOS switch to the line containing the IVINIT command, in your autoexec batch.
That should have been done automatically if you selected "to Laptop" in the IV installation menu, provided you have a laptop or notebook, of course. In portable machines, the current brightness and contrast settings of the display are stored in the CMOS. That's why the /NOCMOS switch exists. Although rare, certain models use the CMOS to store other data, except the configuration, such as the last boot status etc. This might be your case.

Regards, Zvi Netiv, InVircible

------------------------------

Date: Wed, 21 Dec 94 05:06:27 -0500
From: Otto Stolz
Subject: Re: Need Help with Stoned Virus (PC)

Scot P. Templeton (templeto@toadflax.cs.ucdavis.edu) wrote:
> I had gone through every disk I owned, most of which were "non-
> bootable" (eg. no DOS). I found roughly 70% of my disks were also
> infected.

On Tue, 06 Dec 94 15:41:42 -0500 Michael Warchut or Glenn said:
> Every diskette that has been formatted has a boot sector with code that
> gets executed every time you boot to that diskette. [...] A virus can
> replace this boot sector code and get executed, hence put into memory,
> every time you try to boot to it whether or not DOS was installed on
> the disk.

Even if no boot record was on the disk (i.e. the last two bytes of the 1st sector on the disk did not contain the 55AA key), a DBR virus could (and probably would) write there a functional virus boot record.

> As a precaution you should ALWAYS hit reset after accidentally booting
> with a floppy in the disk drive instead of just hitting a key to
> continue or even Ctl-Alt-Del.

When the computer has a HD, this would not constitute a precaution, at all. As Michael, or Glenn, has explained above, the virus code will be executed first in the booting sequence. Most BR viruses will seize this opportunity to infect the hard disk.
When the original BR displays its "No system disk" message, the HD will already have been infected; now, whichever manipulation you choose to boot from your HD, the virus will control the computer.

There are better precautions available:

- In the advanced BIOS setup, inhibit booting from the floppy disk, if your BIOS provides this option. (Some BIOSes provide for a "C,A" boot sequence rather than the default "A,C" sequence; other BIOSes allow an even finer-grained choice.) This will effectively lock BR infectors out; of course, multipartite viruses and dropper programs still could infect your HD's MBR or DBR.

- If your BIOS offers MBR protection, activate it. This will inhibit most MBR infections. (However, there are still loopholes.)

- Install a TSR to inspect every floppy disk accessed by the computer for known BR viruses, or for suspicious BRs. This will alert you of BR viruses floating around in the vicinity of your computer, long before you accidentally boot from any of these disks.

- Make a habit of pulling every floppy disk when you do not need it for the next couple of minutes; in particular pull the floppy disk before you leave the room (when the power supply is interrupted for a second or so, your computer will try to boot, afterwards).

- Make a habit of checking that the A drive is empty (or contains a trusted boot disk) before you power on, or reset, the computer.

On systems without a HD, it is indeed a good idea to switch the computer off, or press the reset button, before you re-attempt a boot. However, there is a much better precaution available:

- always have your boot disk write-protected.

> Can't be too safe...

Indeed.

Best wishes,
Otto Stolz

*** Please use only my new address at uni-konstanz.de, as all Bitnet
*** addresses at DKNKURZ1 will expire by end of 1994, and all Internet
*** addresses at Nyx.Uni-Konstanz.de will do so some time in 1995.
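One way to implement the "inspect boot records and compare them against a trusted copy" idea behind the MBR-protection and BR-inspection precautions in the post above, as an added example in Python that is not part of the original post and is not code from any product mentioned in this digest. It checks for the 55AA key in the last two bytes of a 512-byte sector, applies a cheap structural check for the DOS boot-record layout (JMP over the BPB, then an 8-byte OEM name), and compares the sector against a fingerprint taken while the disk was known to be clean. The sample sectors are constructed inline and are not real or bootable boot sectors; the function and constant names are my own.

```python
import hashlib
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # the "55AA key" in the last two bytes of sector 0


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends with the 0x55 0xAA signature the BIOS looks for."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def looks_like_dos_boot_record(sector: bytes) -> bool:
    """Cheap structural check for the DOS boot-record layout:
    a short JMP (EB xx 90) or near JMP (E9 xx xx) over the BPB, then a printable OEM name."""
    if not has_boot_signature(sector):
        return False
    short_jmp = sector[0] == 0xEB and sector[2] == 0x90
    near_jmp = sector[0] == 0xE9
    oem_printable = all(0x20 <= b < 0x7F for b in sector[3:11])
    return (short_jmp or near_jmp) and oem_printable


def sector_fingerprint(sector: bytes) -> str:
    """Fingerprint stored as the trusted baseline of a known-clean boot record."""
    return hashlib.sha256(sector).hexdigest()


def classify_boot_sector(sector: bytes, known_good: Optional[str]) -> str:
    """Classify a freshly read first sector against a stored baseline fingerprint.

    Returns one of:
      "no-boot-record" - no 55AA key; nothing bootable here yet (a BR virus can still write one)
      "unknown"        - bootable, but no baseline was stored for this disk
      "baseline-match" - bootable and identical to the trusted copy
      "modified"       - bootable and different from the trusted copy: investigate before booting
    """
    if not has_boot_signature(sector):
        return "no-boot-record"
    if known_good is None:
        return "unknown"
    if sector_fingerprint(sector) == known_good:
        return "baseline-match"
    return "modified"


def make_sample_sector(code_marker: bytes) -> bytes:
    """Constructed sample in DOS boot-record layout (NOT a real or bootable boot sector)."""
    header = b"\xEB\x3C\x90" + b"MSDOS5.0"  # JMP to offset 0x3E, NOP, 8-byte OEM name
    bpb = bytes(51)                         # zeroed BIOS parameter block placeholder
    body = (header + bpb + code_marker).ljust(510, b"\x00")
    return body + BOOT_SIGNATURE


# Constructed samples: a clean record, the same layout with altered code, and a blank sector.
CLEAN_SECTOR = make_sample_sector(b"constructed clean boot code")
TAMPERED_SECTOR = make_sample_sector(b"constructed altered code")
BLANK_SECTOR = bytes(SECTOR_SIZE)

# Baseline taken once, while the disk is known to be clean (this is what a stored MBR copy does).
BASELINE = sector_fingerprint(CLEAN_SECTOR)


def demo() -> dict:
    """Run the checks over the constructed samples and return the verdicts by name."""
    return {
        "clean": classify_boot_sector(CLEAN_SECTOR, BASELINE),
        "tampered": classify_boot_sector(TAMPERED_SECTOR, BASELINE),
        "blank": classify_boot_sector(BLANK_SECTOR, BASELINE),
        "no-baseline": classify_boot_sector(CLEAN_SECTOR, None),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The "modified" verdict is the condition an MBR-protection setting or a baseline-comparing TSR would raise before the sector is ever booted; the "no-boot-record" verdict is consistent with the point made above that a sector without the 55AA key is still a target, since a BR virus can write a functional boot record into it, so a floppy inspection TSR must re-read such sectors rather than skip them.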
------------------------------

Date: Sat, 19 Nov 94 17:55:18 +0200
From: Arndt_Schroeder@p1.f6050.n495.z9.virnet.bad.se (Arndt Schroeder)
Subject: Problem with Tbscan 6.26 (PC)

Hello *.*...

I've got a small problem with TBSCAN 6.26: Scanning for viruses using TBSCAN ALLDRIVES ALLFILES made my computer hang while scanning the file WIN386.PS2 in the Windows directory. Now I've got a new bus system (PCI) and a new controller and the problem has gone... Well, because some of my friends have the same problem I still want to know where the problem comes from.

Thanks...
-Arndt-

--- Yuppie v2.10
* Origin: Who's grinning at this origin ? (9:495/6050.1)

------------------------------

Date: Wed, 21 Dec 94 07:11:40 -0500
From: Luca.Sambucci@IWI.unisg.ch
Subject: Re: Need basic virus information (PC)

prosys@Cybernetics.NET (Gary S. Hutchins) dixit:
>Have there been any lawsuits because of the accidental release of viruses by
>commercial companies or individuals?

In Italy a magazine has been distributed with the disks infected with the "Junkie" virus. It happens sometimes; but this time the editor got several problems with the law. I believe now he's awaiting trial. Since 1994 in Italy there's a law that forbids the distribution of computer viruses.

Best Regards,
Luca Sambucci

--
Luca Sambucci, luca.sambucci@iwi.unisg.ch
http://www-iwi.unisg.ch/~sambucci/index.html
Italian Computer Antivirus Research Organization
Iterum rudit leo

------------------------------

Date: Wed, 21 Dec 94 08:42:24 -0500
From: sdhowell@aol.com (SDHowell)
Subject: JUNKIE1 (PC)

Looking for any information on a virus reported as JUNKIE1

------------------------------

Date: Wed, 21 Dec 94 09:05:27 -0500
From: aa484@freenet.buffalo.edu (Bill Jenney)
Subject: Re: Virus Alert -- NATAS. (PC)

I've just cleaned NATAS from 2 computers using F-PROT 2.15.
Prime suspect is my new Clincher 486 from PF Micro -- and they confirmed they have NATAS, and have successfully cleaned it up using McAfee's LATEST version of SCAN (2.1.3 ?).

One clue: if you type 'natas' and try to 'find' it in your scroll-back buffer, your eyeballs will see it, but 'find' won't ;-(

bill j

------------------------------

Date: Wed, 21 Dec 94 09:05:30 -0500
From: aa484@freenet.buffalo.edu (Bill Jenney)
Subject: Re: master boot record viruses (PC)

In a previous article, bwhirl@aol.com (BWhirl) says:
>susanbs@satelnet.org (Susan Sassoon) writes:
>
>> Getting a virus out of Master Boot Record
>
>Simply use the command fdisk /mbr to clean the master boot record.

This will NOT work for NATAS ;-(

bill j

------------------------------

Date: Wed, 21 Dec 94 11:26:56 -0500
From: "Frans Veldman"
Subject: TBAV (PC)

Zvi Netiv writes:

>AVDW> But i did have some problems with it, because when i tried to run any
>AVDW> of the executable files TBAV (yes, i also am a registered user of TBAV,
>AVDW> and yes i know what you think of using scanners) would give me some
>AVDW> warnings that the IV executable i just started did something and the
>AVDW> whole system crashed. :-(
>
> Nothing wrong about using TBAV, but if you want to use IV too then you
> can't use the TBfile and TBcheck TSR's. These two intercept IV's bait
> process as if "virus like", which of course it isn't.

From what I have heard about it, Command.Com is temporarily moved away, and another 'bait' Command.Com is created and executed, in order to get it infected by a virus. Is creating a 'new' Command.Com not virus-like?
>AVDW> So i tried again, this time i made sure that there were no other TSR's
>AVDW> in memory and it all worked fine. But i want to know why my whole system
>AVDW> crashes when i try to use IV when i got the TBAV utilities loaded, and
>AVDW> is there something i can do about it (other than removing the TBAV
>AVDW> utilities from memory) :-)
>
> You can use TBAV TSR's with IV, except the two I mentioned. Like in
> medicine, there are medications that you should not administer at the
> same time to the same patient. Either the one, or the other.

But some medicines are very aggressive, and can not be combined with any other medicines. It is the responsible task of medicine makers to make medicines in such a way that they are not likely to interfere with other medicines.

> Mind you, the "aggressive" one here is TBAV, IV doesn't care about
> TBAV, the latter one is rather jumpy on IV. :-)

Sure. Which one is behaving suspiciously, making the other one think something dangerous is going on?

>AVDW> Because, TBAV always did a good job at protecting my system so i'm not
>AVDW> going to drop that one.
>
> Your choice!
>
> You just experienced why IV does not have TSR's. I hope Peter van Arkel
> reads this too, as he asked a lot of questions why I thought AV TSR are
> dangerous. The example you just brought is one. :)

Certain AV TSR's are not dangerous at all. We have supplied our TSR's for years now, and they don't cause any trouble. Our TSR's never write to disk, they do not swap away Command.Com, they do not 'invite' viruses, etc. TSR's serve a good purpose, as they protect the system in the background, and not only 'once a day' when the user scans or checks his system. Even in the unlikely case a TSR causes a problem, the user has the opportunity not to use the TSR, making our product at the same level as any product which hasn't TSR's at all.

> circumstances the combination of TBAV-IV will knock-out the
> command.com.
> If this occurs then boot from a floppy and copy a new

It is certainly not TBAV who knocks out Command.Com. Anyone with some knowledge and a debugger is able to confirm himself that the TBAV TSR's do not contain any code which is able to locate Command.Com, nor to delete any file, nor to rename any file, nor even to perform any operation that results in a disk write. If Command.Com is indeed (temporarily) replaced by something else, TBAV is right to warn about this potentially dangerous situation. Besides TBAV, a power failure might also occur, and in this case Command.Com will be permanently away, which is a very dangerous situation.

> Here is another aspect for your consideration. None of the TBAV TSR
> does a self-sanity check before loading, meaning that they can be
> infected themselves, load into memory, and neither you or TBAV would
> notice. OTOH, all IV programs do self-sanity checks, they will sample
> any virus that attach to them into a file, and recover themselves -

Our products do this too, but not the TSRs. The reason for this is what you described above: beating stealth viruses means that you have to be smarter, playing dangerous tricks, than the stealth virus. We try to keep our TSR's interference as low as possible, meaning that we don't fiddle with bait files, do not perform interrupt tracing, etc. The purpose of the TSR's is to guard against viruses entering the system, and not to guard against viruses which already infected the system. If the TBAV TSRs are infected, the system is ALREADY infected, and the TBAV TSRs serve no purpose any longer.

> even from the teeth of a stealth virus. _This_ is the process that
> TBfile/TBcheck is intercepting as "viral", and this is also the reason
> why I had to elaborate on the subject, since you asked about.

And this is why such a test is a Bad Idea (tm).

> You can test the last one with the AV Practice Lab (AVPL), both on TBAV
> TSR's and on IV programs.
> The AVPL test is harmless and totally safe -
> just informative.

Any anti-virus test which involves disk writes is dangerous, and makes it more complicated to recover from viruses.

--
Thunderbye, Frans Veldman   <*** PGP public key available on request ***>

Frans Veldman            Phone (ESaSS) + 31 - 80 787 881
veldman@esass.iaf.nl     Fax   (ESaSS) + 31 - 80 789 186
2:280/200.0@fidonet      Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Wed, 21 Dec 94 11:35:48 -0500
From: Quoc Truong <73504.2304@CompuServe.COM>
Subject: Need help selecting virus softwares (PC)

I would like to purchase an anti-virus program for my company, but I don't have any idea which anti-virus program is currently the best one. If you have used or heard of any anti-virus software, please let me know. Any recommendation is appreciated.

Thank you!

Regards
Quoc Truong
EnaTec Software Systems, Inc.
Cupertino, CA
e-mail: netcom.com!enatec!quoct

------------------------------

Date: Wed, 21 Dec 94 13:41:38 -0500
From: jlmcad01@homer.louisville.edu (Jeff McAdams (J McA))
Subject: Re: DOOM game messages (PC)

ANTHONY APPLEYARD (A.APPLEYARD@fs1.mt.umist.ac.uk) wrote:
: Not directly a virus [1] but something that can choke the net up as bad as
: viruses or worms can: Is there a program / routine / option / etc that can be
: clipped onto or patched into Novell Net software, which can detect and stop
: the DOOM game's inter-player messages? The DOOM game must have some way to
: tell its messages from other messages, when the player is interacting with
: other players over the net: and, if so, then the Novell server if correctly
: programmed should be able to distinguish DOOM game messages also.
: What other games etc are there that choke the net up that bad? Sorry to show
: my ignorance, but I am not a computer games fancier.
: [1] Indeed directly viruses!, if the game habit encourages people to copy
: infected games about, as has been reported for DOOM.
The problem with DOOM on a Netware system is that DOOM does not use the server to transmit the info. The DOOM game sends packets peer to peer, and doesn't even have to go through the server (thus you can't play netDOOM across a router). You would almost have to put a TSR on every machine to do this type of checking and filtering. I am still fairly new to networking, but this is a problem that we have dealt with in our lab here, so I've done some looking into the problem and would be interested in any other suggestions that people may have.

Chill,
J McA

------------------------------

Date: Wed, 21 Dec 94 14:48:40 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: VCL?? (PC)

Tripp Lewis (Tripp@richmond.infi.net) wrote:
> Nick FitzGerald says:
> there are a lot of mindless minor variations being exchanged, but at the same
> time there are people who like to collect them. The main reason why we run
> vx bbs's is for communication and education not because we want to infect
> the computers of the world.

Ah, come off it.... why do viruses have damage routines in then? Any decent assembler book will tell you all you need to know about using int 13h to trash a disk.. you don't need a virus to teach you that.

> >As this is more often than not a euphemism for "pimply, testosterone-
> >charged teenager with dubious ethical standards", it is no wonder that
> >VX BBS'es are the main places that they obtain material for their
> >"research".
> . . And where does the AV go to obtain their material? Oh please tell us.

Well, I get my new viruses from people who have been infected, i.e. in the wild... and then send them to AV authors..

Cheers, Ian

--
-----------------------------------------------------------------------------
Ian Douglas        Lead, Follow,         InterNet: iandoug@cybernet.za
P.O. Box 484       or get out of         FidoNet: 5:7102/119
7532 Sanlamhof     the way.              TopNet: 225:2048/1
South Africa       (Ted Turner, CNN)     PGP key available.
-----------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 1]
****************************************

From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V8 #2
Date: Thu, 5 Jan 1995 09:36:36 EST

VIRUS-L Digest   Thursday, 5 Jan 1995   Volume 8 : Issue 2

Today's Topics:

Advice needed: Best way to protect heterogeneous LAN ?
Logic Bombs
Book about viruses
Re: CVIA -- does it still exist and how can I reach it?
Re: Viruses in newsgroups - how can that be?
Re: OS/2 Virus'? (OS/2)
Can a virus spread like this? (PC)
Re: TBAV sig file wanted (PC)
Re: Just how safe is VSAFE? (PC)
Re: FORM virus on Doublespaced Drives (PC)
Re: Stealth C virus (PC)
Re: Just how safe is VSAFE? (PC)
What is the best antivirus? (PC)
Re: MSAV / F-Prot comparison (PC)
Re: Natas Virus (PC)
NYB Virus (PC)
Re: Keyboard problem (PC)
Re: NOVI antivirus software good? (PC)
DOS dir listing bug, or Trojan? (PC)
Help!! with One Half &/or Dis.Com? Virus (PC)
CARO Naming List (PC)
Apparent false alarms (PC)
Re: Virus modifying CHKLIST.CPS/.MS? (PC)
Kampana.C and Perv (PC)
Entire files in my DOS dir turning to NULLs!!! (PC)
Re: McAfee and Michelangelo (PC)
Re: Just how safe is VSAFE? (PC)
Re: Happy birthday PC virus. Please help! (PC)
Re: Descript.ion Virus (PC)
RE: surviving warm boot (PC)
Re: Doom II virus (PC)
Re: MBR Viruses / rebuilding MBR (PC)
Re: Network Antivirus NLM's / need advise (PC)
Re: Infect with Die Hard 2 ???? (PC)
Re: F-Prot Professional versus F-Prot Shareware (PC)
Re: What can a virus do ? I need HELP! Please (PC)
Just how safe is VSAFE? (PC)
Re: FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)
how do viruses do it?? (PC)
Re: About memory scanning (PC)
Re: WIN.COM modification (PC) -- useful generic virus detection info
Re: What Genb etc is (PC)
Re: NOVI antivirus software good? (PC)
Re: Keyboard problem (PC)
CFP: Call for Papers and Panels
CFP: VB 95 Conference
FYI: Phone number change

----------------------------------------------------------------------

Date: Wed, 21 Dec 94 16:58:55 -0500
From: giddb01@nt.com
Subject: Advice needed: Best way to protect heterogeneous LAN ?
I was wondering if anyone can recommend a good book that deals with viruses from a business point of view. Specifically I want to convince the I.S. dept. where I work that more protection for the company is required. I want them to continuously update our anti-virus software and also give copies to employees with home machines. However our I.S. manager is not totally taken with the idea and as I don't work for him I need some kind of authority to quote or reference.

Our network is mid-scale (about 200 PC's & 200 Macs & the usual mainframes, servers & UNIX boxes.)

Also has anyone out there implemented any schemes like this? How did it work, was it effective? If anyone has any experience of a similar situation, could they share their experiences. Sorry if this is re-hashing old ground (yes I have read the FAQ, I've even shown it to our IS manager). Email would be appreciated if possible. If I get a few responses I will post a consensus view on what approach should be taken.

Thanks.

Donal Buckley
giddb01@nt.com
Northern Telecom, Galw

------------------------------

Date: Thu, 22 Dec 94 08:50:46 -0500
From: benh@gco.apana.org.au (Ben Humphreys)
Subject: Logic Bombs

Hi!

I know this may sound like a stupid question but, would anyone be kind enough to explain to me what a Logic Bomb is?

Thanks in advance! :-)

Please reply via email (if you can).

Regards,
Ben Humphreys

------------------------------

Date: Thu, 22 Dec 94 12:20:05 -0500
From: celustka@sun.felk.cvut.cz (Ing. Celustka Suzan dokt k336)
Subject: Book about viruses

Hi everybody,

Just a little question: What should the book about computer viruses you would like to read and have in your library contain? Please, answer personally to celustka@sun.felk.cvut.cz

Thanks.

Cheers,
Suzana

------------------------------

Date: Thu, 22 Dec 94 17:11:42 -0500
From: kellogg@netcom.com (Lucas)
Subject: Re: CVIA -- does it still exist and how can I reach it?

Fridrik,

You're correct.
The CVIA is no longer an organization; albeit, it did exist until 1992.

Regards,
kdl

Fridrik Skulason (frisk@complex.is) wrote:
: julian@panix.com (Julian Dibbell) writes:
: >I need some data on the antivirus industry for an article I'm writing for
: >_Wired_. Does anybody know if the Computer Virus Industry Association is
: >still in existence?
: CVIA ? Are you sure you don't mean AVPD ?
: As far as I know, CVIA never was a "real" organization - it was mostly just
: an extension of John McAfee....AVPT (Anti-Virus Product Developers) is, however
: an active organization.
: >Alternatively, if anyone has authoritative figures for the current size of
: >the antivirus industry (in $$$ sales), that might save me the phone call.
: I don't think that this information is available.

------------------------------

Date: Sat, 24 Dec 94 02:21:04 -0500
From: Sync_@ix.netcom.com (Sean Straw)
Subject: Re: Viruses in newsgroups - how can that be?

dtulloh@kazak.NMSU.Edu (dtulloh) writes:

[snip]

>If I were to uudecode such a digitized picture and used it in a
>viewer prior to virus-scanning it, could the virus infect my system?
>I wouldn't think so since the viewer would be treating the whole
>file as a data file.

With normal graphics file formats, no. Data is data. I'm not heavily into graphics formats myself, although I am a programmer -- it is quite possible to have graphics files which contain code within them for decompression or the like. Highly unlikely with the current mainstream graphic file formats (ESPECIALLY platform independent, like GIF for instance). I am unaware of any graphics formats which implement embedded code. But it would be possible. Unlikely to be popular (size increase, platform dependency, and other issues), so probably it'll never happen with mainstream stuff -- but there isn't anything stopping someone from generating a file format that does contain code...

However, as an example, TrueType fonts CONTAIN CODE. Really.
WINDOWS AND DOS code -- copy ARIAL.FOT from your WINDOWS\SYSTEM directory to a file called ARIAL.COM, and run it. The message you get is produced BY CODE IN THE FONT FILE. It isn't a message being generated by Windows or DOS. TTF files are a bit different in this regard, but as the FOT files are often distributed with the TTF files (although the installation of a font can generate the .FOT file if necessary), I consider them to be potentially dangerous.

--
Sean B. Straw / Professional Software Engineering
Post Box 2395 / San Rafael, CA 94912-2395
CompuServe: 72210,521
Internet: Sync_@ix.netcom.com / 72210.521@compuserve.com
| This message was posted from a Netcom CSLIP account. This service is |
| experiencing multi-day delays on some message processing.            |
| Apologies if this message was not received in a timely manner.      |

------------------------------

Date: Sat, 24 Dec 94 09:55:19 -0500
From: cyber1@io.org (Cyber City)
Subject: Re: OS/2 Virus'? (OS/2)

David M. Chess wrote:

>There are at least two known viruses that run under OS/2 itself, but
>both are only "laboratory viruses" at the moment; meaning that someone
>with nothing better to do (hard to imagine, eh?) wrote them up and
>distributed them around various K00L HACKERZ boards and such.

Perhaps someone grew tired of ignorant pontificating in this forum (e.g. "OS/2 viruses are impossible because there are no interrupts"). What is a software interrupt but push-flags/system-call/iret? You can do that under any operating system. Protected mode viruses can gain control on exceptions, traps, task switches, privilege transitions, and in conjunction with device drivers, shared objects and installable file systems. The reason we do not have a problem with OS/2 viruses is not because they are technically impossible, but rather because OS/2 is a splendid programming environment, and no competent programmer wishes to "foul his own nest", so to speak.

--
R. Jamieson

------------------------------

Date: Wed, 21 Dec 94 14:51:28 -0500
From: James F Brown
Subject: Can a virus spread like this? (PC)

writes:
> Doing a dir of an infected floppy will load the virus into memory in
> the case of the ANTIEXE and STONED.HENGE. The Viruscan software picks
> this up. If you write a file to your hard disk, the hard disk does
> become infected.

This has not been my experience with ANTI-EXE. You have to attempt to boot from an infected floppy for the hard disk to become infected.

- Jim Brown
brownj@world.std.com

------------------------------

Date: Wed, 21 Dec 94 15:10:20 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: TBAV sig file wanted (PC)

UL ENG (sinclaij@stanilite.com.au) wrote:
> I have the latest copy of ThunderByte antivirus but the last official
> signature file I can find is may 93. Is this the last one or are there
> later ones out there. Has someone been maintaining their own?
> Can someone tell me if I can get a later version and where?

Current versions of TBAV include the signatures and algorithms in the .zip file. The external sig file is no longer necessary.

Cheers, Ian

--
-----------------------------------------------------------------------------
Ian Douglas        Lead, Follow,         InterNet: iandoug@cybernet.za
P.O. Box 484       or get out of         FidoNet: 5:7102/119
7532 Sanlamhof     the way.              TopNet: 225:2048/1
South Africa       (Ted Turner, CNN)     PGP key available.
-----------------------------------------------------------------------------

------------------------------

Date: Wed, 21 Dec 94 15:30:36 -0500
From: jfredian@pepperdine.edu (The Mermaid)
Subject: Re: Just how safe is VSAFE? (PC)

Well, I don't know about how well it keeps viruses off the computers, but I work in a computer lab at a university, and we're cleaning all our computers out (it's winter break), and we cleaned all the viruses off the PCs, and one of the files that was attacked by a virus (Kela, I believe) was VSAFE....
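Sean Straw's .FOT observation a few messages above (a "font" file that is really a small Windows executable carrying a DOS stub) is the classic case for choosing what to scan or integrity-check by file content rather than by extension; Windows .SCR screen savers are renamed executables for the same reason. The example below is added here for this digest and is not code from any poster or product: it parses the MZ header and follows e_lfanew to the NE/PE signature, and every sample file, name and stub message in it is constructed.

```python
"""Decide which files carry executable content by header, not by extension."""
import struct
from typing import Dict, List, Optional

# A DOS stub that prints a message and exits. This is what runs when a Windows
# (NE/PE) executable is started under plain DOS; the text is a constructed
# placeholder, not the real message from any font file.
DOS_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    b"Constructed stub: this file needs Windows.\r\n$"
)


def _mz_image(new_sig: Optional[bytes]) -> bytes:
    """Build a constructed MZ file; new_sig is b"NE", b"PE\\0\\0" or None (plain DOS)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    if new_sig is None:
        # Plain DOS .EXE: the relocation table starts inside the old 0x1C-byte
        # header, so bytes 0x3C.. are not an e_lfanew field (zeros here).
        struct.pack_into("<H", hdr, 0x18, 0x1C)
        return bytes(hdr) + DOS_STUB
    e_lfanew = 0x40 + len(DOS_STUB)
    struct.pack_into("<H", hdr, 0x18, 0x40)      # e_lfarlc >= 0x40: new header follows
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)  # offset of the NE/PE header
    return bytes(hdr) + DOS_STUB + new_sig + b"\0" * 16


def classify_executable(data: bytes) -> Optional[str]:
    """Return "NE", "PE" or "MZ" for executable content, None otherwise.

    Only the header is inspected; nothing is executed. A .COM file has no
    header at all and cannot be recognised this way (see needs_scanning).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    if e_lfarlc >= 0x40:                         # room for the e_lfanew field
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if 0x40 <= e_lfanew <= len(data) - 4:    # bounds check before reading
            sig = data[e_lfanew:e_lfanew + 4]
            if sig[:2] == b"NE":
                return "NE"
            if sig == b"PE\0\0":
                return "PE"
    return "MZ"                                  # MZ header, no Windows header found


def needs_scanning(name: str, data: bytes) -> bool:
    """Scan when the content is executable OR the name says so (.COM has no header)."""
    return classify_executable(data) is not None or name.upper().endswith((".EXE", ".COM"))


def by_extension(files: Dict[str, bytes]) -> List[str]:
    """The naive rule: trust the extension. Misses the .FOT and .SCR files."""
    return sorted(n for n in files if n.upper().endswith((".EXE", ".COM")))


def by_content(files: Dict[str, bytes]) -> List[str]:
    """The content-aware rule: header check plus the .COM/.EXE name fallback."""
    return sorted(n for n, d in files.items() if needs_scanning(n, d))


# Constructed sample "directory"; names and bytes are invented for this example.
SAMPLE_FILES: Dict[str, bytes] = {
    "ARIAL.FOT": _mz_image(b"NE"),          # font resource file: NE executable with DOS stub
    "SAVER.SCR": _mz_image(b"PE\0\0"),      # screen saver: a renamed Windows .EXE
    "TOOL.EXE": _mz_image(None),            # plain DOS program
    "TINY.COM": b"\xb8\x00\x4c\xcd\x21",    # .COM: raw code that just exits, no header
    "PHOTO.GIF": b"GIF89a" + b"\0" * 64,    # image data
    "README.TXT": b"Just text.\r\n",
}

if __name__ == "__main__":
    print("by extension:", by_extension(SAMPLE_FILES))
    print("by content  :", by_content(SAMPLE_FILES))
```

The extension rule lists only TINY.COM and TOOL.EXE; the content rule also picks up ARIAL.FOT and SAVER.SCR, and a header whose e_lfanew points past the end of the file is treated as a plain MZ image instead of being read out of bounds.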
------------------------------

Date: Wed, 21 Dec 94 15:30:32 -0500
From: collins@sunydutchess.edu
Subject: Re: FORM virus on Doublespaced Drives (PC)

Greg Davis writes:

>From: Greg Davis
>Subject: Re: FORM virus on Doublespaced Drives (PC)
>Date: 20 Dec 1994 13:03:46 -0000
>Steve W. Taylor writes:
>>Has anyone had any experience of getting rid of the FORM virus on MSDOS 6.2
>>Doublespaced drives? Clean on NAV, DrSolomon etc. fails. Our only solution
>>is to reformat.
>>
>>Help would be appreciated.
>Have you tried KillMonk ?? it was written specifically for Monkey. I don't know
>how it would react on a double spaced drive. If I recall the biggest problem is
>recovering the Master Boot Record. I can't find my copy right now, but if I
>recall correctly it was on mcafee.com the last time I was there.
>Greg Davis greg.davis@DaytonOH.NCR.COM
>The comments and opinions expressed are those of the
>author and do not reflect those of AT&T or AT&T GIS.
>DONT TREAD ON ME

I recently found the Form virus on my machine and had no problem getting rid of it using nothing more than MAV from 6.2 DOS. Just make sure that you do BOTH drives on the double spaced disk. The compressed one AND the uncompressed one. No muss, no fuss, no bother.

sean
collins@sunydutchess.edu

------------------------------

Date: Wed, 21 Dec 94 18:26:29 -0500
From: jfredian@pepperdine.edu (The Mermaid)
Subject: Re: Stealth C virus (PC)

I saw this virus about a week ago, and I think the McAfee scanner said it was a strain of the Genb virus. The virus was in the boot sector of the disk, and the only thing we knew to do was to reformat the disk. If anyone else knows any other ways of ridding floppies of this virus, please post. Thanx.

------------------------------

Date: Wed, 21 Dec 94 20:49:54 -0500
From: sbringer@netcom.com (Retired)
Subject: Re: Just how safe is VSAFE? (PC)

Ostcroix (ostcroix@aol.com) wrote:
: I would like to know how effective is DOS VSAFE against viruses.
: Is this
: the best way to protect my system against viruses? I recently downloaded
: the latest signatures from MSDOS BBS. Is there a better virus remover and
: detector than VSAFE on the market?

Heh.... no, it's not safe.... if I thought Ken would allow me to post it, I'd post the 8 bytes required to remove it from memory found in several viruses..... Thunderbyte, F-prot, and several other packages provide decent anti-viral TSR's that actually work... you might check those.

Cheers,
John Constantine

------------------------------

Date: Thu, 22 Dec 94 04:33:10 -0500
From: excoffier@cemag-lyon.fr (David Excoffier)
Subject: What is the best antivirus? (PC)

:-x

Hi. I'm a new computer user and I'd want to know what is to your mind the best anti-virus existing now. I read lotsa computer publications and I've found lotsa different antiviruses. Each of them is the best and the most powerful to eradicate viruses, but I'd want the opinions of computer users and not only newspaper opinions. So, as far as you're concerned, could you tell me what is the antivirus you use and why you think it's better than the others. Then I'll be able to make a good choice.

Thank you very much indeed.

David.

------------------------------

Date: Thu, 22 Dec 94 08:55:27 -0500
From: aa484@freenet.buffalo.edu (Bill Jenney)
Subject: Re: MSAV / F-Prot comparison (PC)

In a previous article, frisk@complex.is (Fridrik Skulason) says:

>barclae@gov.on.ca (Elizabeth Barclay) writes:
>
>>Does anyone have any information comparing the
>>performance of MSAV vs. F-Prot?
>

F-PROT just saved 2 of my computers from NATAS.4744 and I have at least one report that MSAV cannot. Thank you for a FINE product, frisk!!
bill j

------------------------------

Date: Thu, 22 Dec 94 08:55:31 -0500
From: aa484@freenet.buffalo.edu (Bill Jenney)
Subject: Re: Natas Virus (PC)

In a previous article, umfauche@cc.UManitoba.CA (Ryan Ulric Faucher) says:

> I have recently come across the Natas 4744/4746 variations on my
>PC computer. So far I have been able to remove it, except from boot
>sectors on my floppy disks. I am currently using F-Prot 2.15 and
>Microsoft virus scanners. Microsoft does not recognize anything and
>F-Prot returns a message that it does not know how to remove the virus.

I'm sure frisk@complex.is would be VERY interested in this. I had NATAS.4744 -- his F-PROT 2.15 cleaned it up.

bill j

------------------------------

Date: Thu, 22 Dec 94 09:39:23 -0500
From: pbooth@robins.af.mil (PHIL BOOTH)
Subject: NYB Virus (PC)

If y'all don't mind a comment from the military sector -- we've been battling the NYB bug for a little over a year now, and we've gotten to know the little bastard fairly well. It first surfaced here when our Unisys techies couldn't figure out why they couldn't fix a floppy drive. Even a new drive wouldn't format correctly. Using an old scan package we were able to determine that the hard drive was infected with some sort of bug. We sent a sample to the folks at Z-RAM and they found it to be a variation of Stoned. It is a Boot Sector Virus that infects the MBR on hard drives and the BR on floppies. It does not infect program files. I've got more info (techie-type stuff) but not enough time to include it all. For now I'll just say that McAfee scan v114 and up will clean it (genb or genp) and so will IBMAV. The folks at Z-RAM have a good product too -- VDS-Pro. I've had good luck with these. If I can be of further assistance -- don't hesitate to call...
Phil Booth
Small Computer Tech Center
Robins AFB, Ga
pbooth@wrdis01.robins.af.mil

------------------------------

Date: 22 Dec 94 09:44:31 -0500
From: dabyrd@cc.memphis.edu
Subject: Re: Keyboard problem (PC)

davidr@searchtech.com (David Resnick) writes:
> I'm having a problem with a Gateway 2000 4DX-33 and I'm wondering
> whether it could be a virus. The symptoms are:
>
> Pressing the up-arrow key causes the computer to respond as though
> "Enter" was pressed
>
> Pressing the left Alt key causes the computer to respond as though
> "Cntrl" was pressed
>
> Pressing the left Cntrl key causes the computer to respond as though
> "." (period) was pressed
>
> The other keys on the keyboard, including the right Alt and right
> Cntrl keys all seem to work okay.
>
> The label on the back of the keyboard indicates that it is an "Anykey"
> keyboard, Model 2189014-XX-XXX.

It sounds like you have reprogrammed your Anykey keyboard accidentally. The four keys in the upper right of an Anykey keyboard are used to program macros (sequences of keystrokes) into a single key. Try the following to clear the problem:

Ctrl-Alt-Suspend Macro

The Suspend Macro key is one of the four keys at upper right. If this works, the Program LED above the four keys will flash briefly and then go out, indicating that all macros have been erased. If this does not work, your Ctrl or Alt key may have been remapped. Attempt to restore the Ctrl and Alt keys by pressing the Remap key; press Ctrl twice, press Alt twice, and then press Remap again. Now try Ctrl-Alt-Suspend Macro again.

I have never seen anyone use this macro feature on an Anykey keyboard, but I have seen Gateway users think they had a virus due to inadvertent macro programming. The "Gateway User's Guide" should talk about this in chapter 3, I believe.

Good luck.
Dave Byrd
The University of Memphis
dabyrd@memphis.edu

------------------------------

Date: Thu, 22 Dec 94 13:32:12 -0500
From: lschlesi@world.std.com (Lee Schlesinger)
Subject: Re: NOVI antivirus software good? (PC)

Anele Waters (anele@AccessPt.North.Net) wrote:
: I have NOVI antivirus software by Certus and was wondering if it was
: adequate for detecting viruses now. This is a 1991 edition. --

The 1.0 version is obsolete. The 1.1 version is better. Novi works by checking for virus-like behavior, rather than signature-scanning. It should catch many viruses even today. However, "adequate" is a relative term. I don't know what new techniques virus writers have come up with since 1991. I do know that Symantec bought Certus and incorporated the Novi technology into Norton Anti-virus.

Lee Schlesinger

------------------------------

Date: Thu, 22 Dec 94 15:31:10 -0500
From: a0dasg01@homer.louisville.edu (Abhijit Dasgupta)
Subject: DOS dir listing bug, or Trojan? (PC)

I run DOS 6.2, and have a 540 Meg Hard Disk. I thought that the total size of all files on the disk (excluding the hidden files) as reported by CHKDSK should be equal to that reported by a "DIR /S/A:-D-H C:\" command. However, CHKDSK reports 181 Megs in 4,816 user files, but the "DIR /S/A:-D-H C:\" command says 130 Megs in 4,816 (same number) files. I believe that the second report is correct. (The two commands agree on the total numbers and size of hidden files, and on total space left on the disk.) Am I missing something here or what? (Scanning with McAfee's and F-Prot's latest versions does not report anything however.) Any help or comments will be greatly appreciated.

------------------------------

Date: Thu, 22 Dec 94 21:00:58 -0500
From: jeeter@delphi.com
Subject: Help!! with One Half &/or Dis.Com? Virus (PC)

Amidst everyone else looking for help...

My company (a software company) has been hit with this polymorphic virus that I'm told is called the One Half or Dis.Com virus.
Apparently the powers that be at my company think that if they confiscate *ALL* the media in the company and scan for the virus, they can eradicate it. I don't think they realized the massive task they were undertaking. Obviously the implications of a software company unknowingly distributing a virus aren't so great. But what can we do to get rid of this thing? We were hit with the Jerusalem B virus a number of years ago and got rid of it quite easily. We've found several others over the years, but this one seems particularly pesky. Any help or insight would be GREATLY appreciated.

Peace,
Joe

------------------------------

Date: Thu, 22 Dec 94 22:15:07 -0500
From: srain@netcom.com (Silent Rain)
Subject: CARO Naming List (PC)

Where can I acquire the latest list of CARO approved virus names for PC viruses? FTP/WWW/Email?

Silent Rain

------------------------------

Date: Thu, 22 Dec 94 23:27:21 -0500
From: "David P. Maroun, Vancouver PC LUG editor"
Subject: Apparent false alarms (PC)

I seem to have generated false alarms from recent versions of McAfee's SCAN. So far, I have those alarms only on one machine--others do not have enough main memory for the problem.

I get the alarms when I run SCAN after setting up a RAM drive with SETRAM. SETRAM is an adjustable RAM drive utility. It allows changing the size of a RAM drive without rebooting a computer. It allows allotting memory to the RAM drive in blocks of 1024 characters, and sets up the RAM drive in *low* memory.

Here is what I found: If I create a RAM drive with from 268 to 300 blocks of memory allotted to it, then SCAN version 2.1.3 says that traces of the Tequila virus are active in memory. SCAN 9.30 V117 says that the Mummy virus is active. If only 100 blocks of memory are allotted to the RAM drive, neither version of SCAN reports the presence of a virus. I tried using 267 blocks and 400 blocks in the RAM drive and did not produce warnings from SCAN 2.1.3.
Repeat scanning of all disk drives and all files revealed no viruses.

I got these alarms only on a DEC Rainbow with 917 504 characters of main memory. I tried to generate the problem on another computer, but it did not have enough *main* memory to allow creating a RAM drive big enough while still leaving enough memory for SCAN to run. Rainbows are the only MS-DOS machines I have available which allow more than 655 360 characters of main memory.

David P. Maroun
davidpm@decus.ca

------------------------------

Date: Fri, 23 Dec 94 00:05:29 -0500
From: beaurega@ireq.hydro.qc.ca (Denis Beauregard)
Subject: Re: Virus modifying CHKLIST.CPS/.MS? (PC)

beaurega@ireq.hydro.qc.ca (Denis Beauregard) writes:
>
>MSAV and CPAV put check sums in a file (chklist.ms and .cps) and
>advise when there is a change. I found many files changed (after
>I modified and recompiled them) but the checksum did not change.

After thinking a little about that and checking that the time to compute the checksum is much smaller than the time to copy it when it is a small file, I concluded that MSAV and CPAV are only checking the beginning of the file. Thus, a virus that would embed into the body of a widely spread program (like WIN.COM) could well exist inside Windows and not be detectable. Since many programs are very common, this leads to a very easy place for a virus to live and IMHO for an easy turn-around. Not funny to find that...

In other words, many virus scanners only check if a virus changed the beginning of the .EXE file. A virus designed to attack a specific program (suppose there is a huge block of say 10k of blank space in a popular program) or some specific would be somewhat dangerous (while spreading could be hard except thru some games for example). Widely used anti-virus like MSAV and CPAV would give a wrong feeling of being safe. And the switches of SCAN are so complex one could easily miss a virus.

On another subject: I saw that some virus scanners don't check .SCR files.
Windows screen savers are actual .EXE files renamed to .SCR.

--
This message represents only the opinion of its author and in no way commits his employer.

Denis Beauregard          Internet: beaurega@ireq.hydro.qc.ca
Program with class: try C++

------------------------------

Date: Fri, 23 Dec 94 01:30:15 -0500
From: ethelk@netcom.com (Ethel Kendrick)
Subject: Kampana.C and Perv (PC)

Recently I ran across a computer infected with what F-protect called "Kampana.c". It's a real virus since diskettes I inserted would later show the infection. F-Protect has no info on this virus in its database, nor does VSUM. TBAV has it listed but I don't have that registered. Anyone know about this virus?

Also, TBAV tells me a program called DOSKEY is a joke program called Perv. I know DOSKEY is a real program and all, so is this a false alarm? What is Perv anyway? Harmful or harmless...I guess I could run it on a junk or re-doable system...just to find out.

Thanks...

------------------------------

Date: Fri, 23 Dec 94 01:33:55 -0500
From: myroon@ee.ualberta.ca (Don Myroon)
Subject: Entire files in my DOS dir turning to NULLs!!! (PC)

Hi all...

I seem to be having some sort of problem that looks like a virus. In my DOS dir (and only there from what I've seen so far), entire files are turning to nothing but NULL characters. That is to say, if you look at them in hex mode, they are nothing but 00 00 00 00 00 00 00 etc... The file sizes remain the same and the dates do not change!

I've tried the latest versions of McAfee's Scan and F-Prot 2.15. Neither tells me of any virus.

If anyone has any info.. thanks!

Don
CompE III, U of A

------------------------------

Date: Fri, 23 Dec 94 02:33:04 -0500
From: unge1845@kutztown.edu (Chris G Unger)
Subject: Re: McAfee and Michelangelo (PC)

Noam Enav (Noam_Enav@f205.n9721.z9.virnet.bad.se) wrote:
: Why is it that SCAN removed the Michelangelo virus only from HDs and
: not from floppies ?

I had that problem with Monkey and Form.
The way I fixed it was installed McAfee to a hard drive. Then ran SCAN A:
/MANY /CLEAN. That then scanned and cleaned Monkey/Form off the floppy. But
it only worked when Scan was on the hard drive. (something I don't like to
do, but had no real choice!)

--
/********************************SBK****************************************\
|**  Chris Unger                   Student MicroComputer Specialist       **|
|**  Vice President,               Computer Services                      **|
S**  Kutztown University           Kutztown University, PA               **S
B**  Computer Association          Phone: (610) 683-4175                  **B
K**                                Fax:   (610) 683-4634                  **K
|**  Internet:                                                            **|
|**  unge1845@atlantic.kutztown.edu    Finger unge1845 for Office Hours   **|
\********************************SBK****************************************/

------------------------------

Date: Fri, 23 Dec 94 03:44:27 -0500
From: Whodini
Subject: Re: Just how safe is VSAFE? (PC)

On 21 Dec 1994, Ostcroix wrote:

> I would like to know how effective is DOS VSAFE against viruses. Is this
> the best way to protect my system against viruses? I recently downloaded
> the latest signatures from MSDOS BBS. Is there a better virus remover and
> detector than VSAFE on the market?
>
> Thanks in
> advance...............................................................

Welp, if VSAFE doesn't detect windows as a virus.. it ain't worth a damn.
Actually, if you get the new signatures every few months, it'll be fine. I
prefer people who make virii their life (McAfee & F-Prot) because they
actually are more interested in getting new signatures than Microsoft.

I like F-Protect because it cleaned out the Junkie Virus when Scan just sat
there and said I had it, and didn't do anything.

Whodini - DDL

------------------------------

Date: Fri, 23 Dec 94 05:47:11 -0500
From: mrj@nemetschek.de (Martin Roesler)
Subject: Re: Happy birthday PC virus. Please help! (PC)

Ruben Arias (ruben@ralp.satlink.net) wrote:
: jvizcain@colibri.tid.es (Javier Vizcaino)
: 6 Dec 1994 16:29:31 wrote:
: >I have been asked about a PC virus playing "Happy birthday" from time to
: >time, which resists detection (several antivirus dated more or less mid 94).
: >Does anyone know?

: First of all You must look inside Your Autoexec.bat or config.sys and search
: for something unusual.
: If You don't see anything wrong, look for some .EXE or .COM files.
: Compare these files with originals (example: Command.com, EMM386.Exe, etc) in
: order to establish if the length of the files was altered.
: (Other way to do this is create some "integrity checking" using some Anti-
: Virus Products that do this)

If I remember correctly, the last Virus Bulletin mentioned some trojanized
BIOS (maybe from Taiwan), which causes such a behavior on special dates. If
there are no changes in the system detectable, this might be the reason
for the "Happy birthday" song.

--
MfG Martin Roesler

Dipl.-Ing.(FH) Martin Roesler
Programmsysteme Nemetschek, Riedenburger Str. 2, 81677 Munich, Germany
Phone +49-89-92793-0, Fax +49-89-92793-579
e-mail mrj@nemetschek.de

------------------------------

Date: Fri, 23 Dec 94 07:41:17 -0500
From: Kenneth Albanowski
Subject: Re: Descript.ion Virus (PC)

On Sat, 17 Dec 1994, John Mayer wrote:

> I came across an extremely funny hidden file on my PC yesterday called
> descript.ion. It was a hidden file. As soon as I saw it I ran FP and
> McAfee products (213's) and none of them detected anything funny. Has
> anyone had any experience with this file before. I don't know for sure what
> it was but it had spread to 5 different directories rather quickly. The
> file description on my shell was "Ha." I am not absolutely positive but I
> am pretty sure that I picked it up off of a program called QPEG, which I
> obtained from a very reputable FTP site. I have since destroyed the
> files and am keeping my fingers crossed. If anyone has any info. on this
> would you please let me know, preferably by e-mail. If you do have any
> info., you may also want to post it to this group. Thanks in advance !!
>
> [Moderator's note: Sounds to me like you're running 4DOS or NDOS -
> which use the (hidden) descript.ion file for storing file
> descriptions; it's actually a very useful feature, IMHO, especially
> with DOS's limitation on file name lengths.]

The moderator is quite correct, those are file-descriptions in the format
that 4DOS and NDOS (among others) use. Since you mention it "spreading to
other directories," it sounds as if you have downloaded a piece of software
that understands and will produce these description files in an attempt to
be helpful. They are harmless, and you are welcome to delete them if they
annoy you.

As to the "Ha." bit, it could be completely accidental/incidental, or it
could be the result of a joke by the programmer. In any case, it is still
harmless.

--
Kenneth Albanowski (kjahds@kjahds.com)

------------------------------

Date: Fri, 23 Dec 94 08:28:28 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: RE: surviving warm boot (PC)

> >At warm reboot (ctrl-alt-del) the message "I'll be back!" appears.
>
> A word of advice from a virus researcher who has "released" numerous
> viruses on his own computer, NEVER do a warm boot on a computer that
> you suspect is infected. ...
>
> ... Most of the newer viruses can survive a
> warm boot. ...

OK some common mythconceptions here. The "cold boot" process which involves
the power-on or reset (if you just push the button) involves the computer
"losing its mind", becoming an 8086 (going into "real" mode), placing FFFF
in the CS, 0000 in the IP and executing. This is designed into the hardware
and a virus cannot affect this.

A "warm boot" takes two forms. The first involves pushing a value into
0:472 and JMPing to FFFF:0000.
This is an absolute action and while it is theoretically possible to
intercept, I have yet to see anything do so.

The second and more common form is the traditional "three finger salute"
and is handled entirely in software as a function of interrupt 09. Being
software it can be modified, being an interrupt action just makes it easy
(for an example, just look at my FreeWare NoFBoot in the FixUtil. This
intercepts the warm boot process, looks to see if there is a floppy in
drive A: and allows the boot only if there is not.)

However, being software you can make it do anything it likes. For example
if the right values were stored at boot, an intercept can restore these and
begin what looks like the boot process but is not entirely (QEMM 7.5
"quickboot" uses this mechanism). A virus can run through this process
making it look to the user as if a full boot took place but leaving the
virus in place. Joshi (1989) was the first virus that I know of to use
this mechanism but unlike the earlier posting, it is quite rare, just
*can* be done.

What all of this really means is that no virus can survive a real reboot
but some are able to fool the user into thinking there was a reboot without
it really happening. So the real right answer is "If in doubt, power down
and restart." I do.

Warmly,
Padgett

ps for a more detailed technical description, look in Ralf Brown's
"Interrupt List" (believe inter43a-d.zip - four files - is current) or
his hardcover "PC Interrupts" under Interrupt 19h.

------------------------------

Date: Fri, 23 Dec 94 09:10:42 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Doom II virus (PC)

aquaman@cloudnet.com (John W Stemper) writes:

>Fprot saw the virus as a variant of the Whisper virus.

It is. Whisper.666, to be exact. I just added disinfection of it....it
will be included in 2.16 (due out around the end of the year), but anyone
who has a problem with this virus can contact me for an update to SIGN.DEF
that handles disinfection.

-frisk

Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Fri, 23 Dec 94 09:18:07 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: MBR Viruses / rebuilding MBR (PC)

dbuchere@Physik.TU-Muenchen.DE (Daniel Bucherer) writes:

>sorry about this naive way of thinking, but what happens to a boot sector
>virus on a hard disk if you boot from a clean disk containing the FDISK
>utility and then type FDISK /MBR ? Doesn't that finish off the virus?

yes, *if* the virus does not move or encrypt the partition data at the end
of the MBR. Doing a FDISK /MBR is ok, though, if you are able to access
the partitions normally after booting from the diskette.

-frisk

Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Fri, 23 Dec 94 12:22:01 -0500
From: cceksw@leonis.nus.sg (Gerald Khoo)
Subject: Re: Network Antivirus NLM's / need advise (PC)

David M. Chess (chess@watson.ibm.com) wrote:
: IBM AntiVirus for Netware is an NLM that has (if I do say
: so myself) a very good detection rate, low overhead, and
: all like that there. The Number to Call in the U.S. is
: 1-800-742-2493; in other countries, contact your local IBM
: office.

I think Sophos' SWEEP is good and also their response time in case of any
new viruses is pretty fast. They also have a 24hr BBS. It has all the
functionalities of Intel's LANDesk Virus Protect and more.
: DC

--
===============================================================================
Khoo Seng Wee, Gerald                  National University of Singapore
Computer Centre                        Tel: (65) 772-6426
10, Kent Ridge Crescent                Fax: (65) 778-0198
Singapore 0511                         Internet: cceksw@leonis.nus.sg
===============================================================================
In Christ alone, I place my trust,
And find my glory in the power of the cross;
In every victory, let it be said of me;
My source of strength, my source of hope,
Is Christ alone.                                          Michael English
===============================================================================

------------------------------

Date: Fri, 23 Dec 94 12:23:54 -0500
From: cceksw@leonis.nus.sg (Gerald Khoo)
Subject: Re: Infect with Die Hard 2 ???? (PC)

Deepak Shenoy (deepak@india.hp.com) wrote:
: Hello, my system is infected with Die Hard 2. I heard it makes
: the machine slow. Is there any cure for it. Is this also called DH2 virus.
: Please reply quickly, its urgent

So far, only one AV software that I have found can clean DH2... the
Antiviral Toolkit Pro ver 2.1b by Eugene Kaspersky.

Another method to clean it is a bit unorthodox but it seems to work.

1. Load the virus in the memory
2. Copy all infected files to another extension (e.g. .exe to .999 and
   .com to .998) and the virus will remove itself from the file
3. Warm boot the system with a clean bootstrap
4. Delete all infected files
5. Replace the command.com
6. Rename all files back to correct extension (i.e. .999 to .exe and
   .998 to .com)

: Deepak Shenoy

Gerald Khoo

--
===============================================================================
Khoo Seng Wee, Gerald                  National University of Singapore
Computer Centre                        Tel: (65) 772-6426
10, Kent Ridge Crescent                Fax: (65) 778-0198
Singapore 0511                         Internet: cceksw@leonis.nus.sg
===============================================================================
In Christ alone, I place my trust,
And find my glory in the power of the cross;
In every victory, let it be said of me;
My source of strength, my source of hope,
Is Christ alone.                                          Michael English
===============================================================================

------------------------------

Date: Fri, 23 Dec 94 13:30:52 -0500
From: user039@edvzbb2.ben-fh.tuwien.ac.at (Gerald Pfeifer)
Subject: Re: F-Prot Professional versus F-Prot Shareware (PC)

Mikko Hypponen writes:
>No, there are no differences in the detection and disinfection
>capability, except that the Professional version is updated more
>frequently (once a month versus once every two months)

Well this is not true for F-Prot Professional/German (in Austria) at
least. I receive only one update per "major" release, where "major" means
that the version number actually changes, e.g. 2.13, 2.14, 2.15.

>and the Professional updates are sent out little before the shareware
>version is published.

I always do get my Professional update one or two or even more weeks after
I download the latest shareware version. (Sometimes, however, the
Professional update is a newer version then, e.g. I got 2.15a last week.
- But still: Only one update per "major" version.)

Gerald

-------------------------------------------------------------------------
Gerald Pfeifer (Jerry)                    University of Technology, Vienna
. e9025064@student.tuwien.ac.at .

------------------------------

Date: Fri, 23 Dec 94 17:05:05 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: What can a virus do ? I need HELP!
Please (PC)

Kevin Marcus wrote:
>Michael Jackson wrote:
>>"Jim Bennett" writes:
>
>Even fdisk/mbr will not remove MBR infectors.

As one reader kindly mentioned to me in email, my statement should be
corrected to: "Even fdisk /mbr will not remove *ALL* MBR infectors". I
forgot an important word there...

--
--> Kevin Marcus, Computer Science Dept., University of California, Riverside
    Email: datadec@cs.ucr.edu.
           * * * T H I E V E S   S U C K * * *
           * * * T H I E V E S   S U C K * * *

------------------------------

Date: Fri, 23 Dec 94 19:02:21 -0500
From: floyd.patterson@ssbbs.org (Floyd Patterson)
Subject: Just how safe is VSAFE? (PC)

OS>From: ostcroix@aol.com (Ostcroix)

OS>I would like to know how effective is DOS VSAFE against viruses. Is this
OS>the best way to protect my system against viruses? I recently downloaded
OS>the latest signatures from MSDOS BBS. Is there a better virus remover and
OS>detector than VSAFE on the market?

Dos's virus checker is a mediocre scanner. What it does, it does ok, it
just doesn't do very much. It is not updated often enough, and its
detection rate is poor. I would urge you to look for something else.
McAfee offers a shareware set of programs that do a much better job. There
is also a superb program called F-Prot that is free for personal use, and
many people like TBAV. Whatever you use, you want something that is updated
at LEAST monthly, and has an excellent rate. Take time to learn how to use
it correctly, use it regularly and then don't worry about it. Unless your
computer is in a high risk category...open to the public...or you are in
the habit of swapping disks with friends, the chances are your risk for
infection is low.
floyd.patterson@ssbbs.org

 * SLMR 2.1a * I haven't lost my mind, it's backed up on disk
---
 * Synchronet * System Support BBS (303) 469-9359/9389 Barry Young
----
+----------------------------------------------------------------------+
| System Support BBS 303-469-9359 Zoom 24v.fc 303-469-9389 Zoom 28v.fc |
| Denver, Colorado__MetroLink Hub and InterNet/UseNet Node             |
+----------------------------------------------------------------------+

------------------------------

Date: Fri, 23 Dec 94 21:25:34 -0500
From: bdp@flowbee.interaccess.com (Brian Peterson)
Subject: Re: FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)

ivarw@oslonett.no (Ivar Walseth) writes:

>ACM0200@mtroyal.ab.ca wrote:
>>
>> In addition to the "Filler" virus, I have detected the "Israeli Boot"
>> virus on my system. The latest McAfee software will catch them both
>> when active in memory, but never, ever, ever on any disk. Accepting
>> that, I went out and bought a brand spanking new copy of the Norton
>> Anti-Virus, which detected a grand total of nothing at all.
>>
>> Any help out there?

>I've seen the same problem caused by the resident VSAFE while SCAN was
>running. Try to unload VSAFE (ALT-V ALT-U) before SCANning.

>Ivar.

i also have seen this happen on my system.. when VSAFE is loaded, scan
will find iboot and chaos. but, if i unload VSAFE, it checks out just
fine. can anyone verify that the scan falsely finds these viruses if
VSAFE is loaded?? i use scan version 76-C. i would hate to think i have a
virus if i really don't...

any comments/help/warnings/etc are welcome.

-------------------------------------------------------------------------
sig file under construction                          bdp@interaccess.com
-------------------------------------------------------------------------

------------------------------

Date: Fri, 23 Dec 94 21:37:28 -0500
From: bdp@flowbee.interaccess.com (Brian Peterson)
Subject: how do viruses do it?? (PC)

i was wondering....
if a virus is going to wipe your disk, would it use a dos command to do
it?? like FORMAT.COM or DELTREE.EXE or FDISK.EXE?? because if it does,
can't you just rename those utilities so the virus can't use them??

sorry if this sounds stupid, i'm not that familiar with how viruses work.

any advice/comments/help/etc are welcome!

thanx....

--
bdp@interaccess.com

------------------------------

Date: Fri, 23 Dec 94 22:03:47 -0500
From: rc.casas@ix.netcom.com (Robert Casas)
Subject: Re: About memory scanning (PC)

gmk@eva.system.sikkerhet.no (Geir M. Koeien) writes:
>
>I can accept that the vir-signatures is loaded into memory by the AV product
>when scanning for viri in memory. I can also understand that the signatures,
>if left in memory, can cause the AV product to trigger.
>
>However, I refuse to accept that this problem should be an excuse for not
>doing memory scanning. It should be no problem at all for the AV product to
>zero-out the signatures before it exits. (no reason for Iolo to watch out
>yet)
>
>So, if you don't want to do memory scanning you'd better put up a better
>excuse than this one.

I disagree. There are many reasons for _not_ "scanning memory." Probably
the most important is that if a stealthy, piggybacking virus has already
gained control of memory then the technical difficulties involved in
scanning in such an environment are enormous. This is especially true if
a scanner uses algorithmic and virus-specific methods of scanning. If the
scanner doesn't possess identification strings for the virus it will be
missed and the scan process will spread the virus. Since viruses are
currently being written and released more quickly than algorithmically
based scanner updates, end-users are putting themselves at risk with such
scanners. Other issues include the scanner's ability to perform
self-integrity checks, self-restore when infected, and detect the process
of piggybacking and alert the user if this happens.
Many "scanners" don't possess all of these capacities. :-)

The issue most important to assess with an AV package is whether it
performs its intended function - protecting your system from viruses and
recovering from any damage that does occur. The issue is not _how_ it
accomplishes this goal but _whether_ it does. If you think "scanning" is
the primary and most important method for dealing with viruses then you're
bound to get yourself into trouble. :-) There are many stealthy viruses
that are already a few years old that some scanners still don't detect.
Even worse, when resident, there are some "old" stealthy viruses that will
piggyback on well known "scanners" ( including ones that claim to scan
memory ) and infect all scanned files in the process. One such scanner
can't even "see through" the virus's stealth with the result that it
doesn't even report any infected files on your system at all when, in
fact, it has just spread the infection across all of the files scanned.

Best open yourself to new ideas. You're putting yourself at risk with your
current ones.

Regards.

--
----------------------------------------------------------------------
Robert C. Casas, Ph.D.                    Computer Security & Encryption
CPC Ltd.                                  Software Sales & Support
(708) 729 - 5443
rc.casas@ix.netcom.com   < or >   73763.20@compuserve.com
PGP - keyID: 18239E91
fingerprint: F0 4A EB 7E F0 B0 9A 45  A6 DE DD 51 FE 77 91 54
______________________________________________________________________

------------------------------

Date: Sat, 24 Dec 94 00:34:16 -0500
From: Sync_@ix.netcom.com (Sean Straw)
Subject: Re: WIN.COM modification (PC) -- useful generic virus detection info

Apologies to those who may feel this post is too long or wandering. Don't
flame me -- I'll ignore you.

mikie@owlnet.rice.edu (Michael Howell) writes:

>In the past two days, my win.com file has been modified from 50,904 bytes
> to 95,036 ... The date changes at that point, as well ... When the 95K
>version is executed from a DOS command line, the message "Program too big
>to fit in memory" appears.
>
>Sounds evil and virus-like, but I've run mwav, fprot, and tbav, and none
>have come up with anything. Sigh. Any comments?

I'd _tend_ to agree with another respondent to your problem that it is
unlikely to be a virus since the file size has expanded so much, but it is
possible -- there are a number of viruses out that have buggy code in them
that can cause a .COM infection to exceed the size limits of a .COM file.

Whenever you install a new video driver for windows, there exists the
possibility (and nowadays, likelihood), that the WIN.COM file will be
modified, usually to add a new bitmap. Diamond does it, and so does ATI,
tho ATI has done evil things with their bitmap loader -- patching the
WIN.COM to execute code in the added bitmap region, allowing them to not
only load their own bitmap, but also to animate the ATI logo -- this has
caused problems when reverting to another driver, which then modifies the
BITMAP portion of the WIN.COM, unaware that the program portion has been
tweaked, and the program portion jumps into never-never land when WIN.COM
is run, but I am wandering off topic...

PKZIP off the oddity file (let us not call it virus infected as yet), then
reinstall your video driver, and see what happens to the file size over
the course of a few days.

I've done virus research in the past (I'm the author of OFF! and NEUTER,
as well as several other freeware antivirus utilities -- and the Virus
that OFF! identifies and completely removes (Offspring v0.89, since
OCTOBER 1993), has yet to be identified by McAfee (even though I *GAVE*
them source to the utility and fully disassembled and documented virus
code), or even listed in the Hoffman Virus Summary.
While those viruses I've dealt with have no relationship whatsoever to the
one you _may_ have, if you do sincerely believe you have a virus, then I
encourage you to look around for the distribution files for those
utilities, and after verifying my address in their documentation (so you
have a better idea that I'm legit and not just looking to get my grimy
hands on a virus to spread), send me a copy (or post it electronically to
my Email Address -- PKZIP then UUEncode), and I'd be glad to examine the
file.

VERBOSE NOTE TO OTHERS: PLEASE DON'T START SENDING ME ALL FILES YOU THINK
MAY BE INFECTED ON YOUR MACHINE -- unless you want to accompany the file
with lots of cash. I don't have the time to pore through that much stuff.
Those viruses I've written detector/disinfectors for have typically been
provided by BBS operators I've met over the years, who of course wish to
limit the number of possible infections that might otherwise originate
from their site, since they interact with so many other computer users
frequently. Joe user doesn't usually have 100-1000+ links with other users
every day, so he isn't quite as devastating a transport medium. These BBS
operators have also usually performed enough diagnostics as to identify
POSITIVELY that a virus does indeed exist, and not that something just
seems to be funky on their system, as Joe User might. Quick fixes are
needed in those cases, since even reporting them to McAfee/Symantec/CPS
won't get a disinfector soon. It is just the way I work. I do however
welcome Email inquiries regarding possible virus examination -- just don't
send them to me, and don't _expect_ me to do anything for you. I have a
living to make...

That said, A couple of utilities everyone should have around for general
purpose stuff, and which come in especially handy with new unknown
viruses:

LIST    a file viewer (by Vernon Buerg). Allows you to scroll through the
        contents of a file, as text, or as a "hex dump", which allows you
        to see things you won't find by attempting to TYPE the file. This
        is generally a useful utility to have (my copy is registered),
        since it is useful for many file viewing tasks.

and a "STRINGS" program that can dump apparent ASCII strings found in a
file (useful for locating ominous messages in a file -- unless the file
is in any way encrypted). Often useful just to find help on a program that
might not have a help option, or that you don't want to blindly run.

Now, that useful bit of virus detection information I mentioned in the
subject line:

A useful trick too is to use DOS debug to create a simple program file:
(left column below is the prompts you see, or something very similar, and
the right column is what you type; on the "xxxx:0105" line you press Enter
by itself to stop the assembly process).

    C:\> DEBUG C:\INFECTME.COM
    - f 0 ffff 0
    - a
    -xxxx:0100 mov ax,4c00
    -xxxx:0103 int 21
    -xxxx:0105
    - rcx
    CX 0000
    : 2000
    - w
    Writing 02000 bytes
    - q

What this does is creates a .COM file 8K in size (or you could substitute
the "2000" for some other HEX number to dictate the size -- be careful
though) that merely quits when you run it. Immediately PKZIP the file into
a safe place. PKZIP will do a nice little thing for you: It will generate
a CRC-32 signature for the file (you'd see it if you viewed the ZIP
directory). This file should have a CRC-32 of "9F6613C4", and a length of
8192 bytes. I use another utility I wrote for doing these file signature
checks, but PKZIP will work fine for most any user.

I call this file a "Petri-file". That is, it is a file quite prepared for
cultivating a virus in (rather like a petri-dish cultivation of a Strep
Throat virus at the Doctor's office), since virtually ANYTHING the virus
does to the contents of the file is quite noticeable (the file is almost
completely "00" or NULL character symbols).
You can rename this file to whatever, say WIN.COM in your case, and go
about your business as usual (except running WIN.COM, which _won't_ launch
Windows). Examine the file every so often and see if the size has changed.
Even run it (occasionally), since this is sometimes what an in-memory
virus waits for in order to infect a file. PKZIP the file (into a
DIFFERENT file), and see if the file is any different than it was the
first time you zipped it (the size may not change, but the contents may).

Once this happens, you have cultivated a near-pure infection of the virus,
which is fairly easy for an experienced software engineer to peel out of
the original file, since the original file is so simple. I use many
variations on the petri-file format (EXE files, files containing some
small amount of code variance before termination), just so I have several
possibilities for virus separation, in case some virus author thinks he's
clever by avoiding files that apparently terminate right off at the
beginning.

Hope this is of use -- it has greatly helped me when I've gone virus
hunting.

--
Sean B. Straw / Professional Software Engineering
Post Box 2395 / San Rafael, CA 94912-2395
CompuServe: 72210,521
Internet: Sync_@ix.netcom.com / 72210.521@compuserve.com

| This message was posted from a Netcom CSLIP account. This service is |
| experiencing multi-day delays on some message processing.            |
| Apologies if this message was not received in a timely manner.      |

------------------------------

Date: Sat, 24 Dec 94 01:25:23 -0500
From: Sync_@ix.netcom.com (Sean Straw)
Subject: Re: What Genb etc is (PC)

ANTHONY APPLEYARD writes:

> I get the impression that as follows. Please correct me if I am wrong.
> When SCAN reports the xxxx [yyyy] virus, the virus is called xxxx, and CLEAN
>must use the method called [yyyy] to remove it. [Genb] is a method of removing
>various specific viruses and also indefinitely bad boot sectors.

[humorous "real-world" disinfection analogies snipped]

GenB is "Generic Boot". A partition sector on a hard drive consists of
some code, plus a table of partition information (numbers that make up
your drive's characteristics). What a GenB remover does (and I've written
one before, called PartFix), is gets the partition DATA (just the
characteristic numbers) from the disk, and plants them into fresh,
uninfected code embedded into the remover program, and writes that to the
disk, as a fresh uninfected copy of the boot sector. In some cases, the
partition data isn't available at the normal location (the virus has
placed it elsewhere), and therefore a GenB remover cannot remove the virus
since it cannot get the disk characteristics, or because the virus
redirects write operations to the disk (though booting from a floppy
should correct that).

Example: Before generic boot sector disinfection, the technique used to be
something like "Gee, this identified virus is known to copy the original
boot sector to sector 7, so copy that sector back here, and we are home
free". Unfortunately, when you get TWO sufficiently different boot sector
viruses (Say, one of many variants of Stoned and then Joshi, just for
instance), then the first virus copies the original partition sector away
to sector 7, and when the second virus attacks the system (and sees itself
not in the partition table already), infects, and copies the INFECTED
(with Stoned, in this case) to Sector 9. Well, the next time a Stoned
virus hits the machine, it sees itself not already being there (since
Joshi is, right now), and so it copies the INFECTED sector to Sector 7
(overwriting what was previously a clean copy of the partition sector
saved there). Run a virus detector/disinfector, and it sees Stoned, and
removes it (by copying the "original" from Sector 7). Oops -- a subsequent
scan will now show Joshi. Disinfection copies the "original" from Sector
9. Now Stoned is back. Endless loop. So GenB is needed. Get the partition
DATA, and put it in a KNOWN clean version of the boot sector, and write
that. No more virus in the partition table sector.

I assume this is what you mean by "indefinitely bad boot sectors".

Hope this has been of help.

--
Sean B. Straw / Professional Software Engineering
Post Box 2395 / San Rafael, CA 94912-2395
CompuServe: 72210,521
Internet: Sync_@ix.netcom.com / 72210.521@compuserve.com

| This message was posted from a Netcom CSLIP account. This service is |
| experiencing multi-day delays on some message processing.            |
| Apologies if this message was not received in a timely manner.      |

------------------------------

Date: Sat, 24 Dec 94 04:14:52 -0500
From: tracker@netcom.com (Craig)
Subject: Re: NOVI antivirus software good? (PC)

Anele Waters (anele@AccessPt.North.Net) wrote:
: I have NOVI antivirus software by Certus and was wondering if it was
: adequate for detecting viruses now. This is a 1991 edition. --

I've tested its TSR portion and think it's a joke. Then, again viruses can
easily bypass TSR's as some experts on this newsgroup have stated before.
Certus was bought out by Symantec. Certus makes a very good product that's
more expensive that combats viruses very well, in fact it can make the
machine so secure it's a very big hassle to get work done, like in a
college computer lab, or average work that someone may do.

------------------------------

Date: Sat, 24 Dec 94 04:23:02 -0500
From: tracker@netcom.com (Craig)
Subject: Re: Keyboard problem (PC)

David Resnick (davidr@searchtech.com) wrote:
: The label on the back of the keyboard indicates that it is an "Anykey"
: keyboard, Model 2189014-XX-XXX.

This is the Maxiswitch programmable keyboard. Looks like someone has been
reprogramming certain keys for whatever reason.
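The generic boot-sector rebuild Sean Straw describes in the GenB post, written out in Python as an added example (this is not PartFix or any other code from the digest). It pulls the partition table out of a 512-byte MBR image, refuses to proceed when the table does not look like a real one (frisk's caveat from the FDISK /MBR thread: a virus that moved or encrypted the partition data leaves nothing to rebuild from), and otherwise plants the table into a known-clean code template. The MBR layout used (table at offset 0x1BE, four 16-byte entries, 0x55AA signature) is the standard PC layout; the clean code stub and both sample sectors are constructed placeholders.

```python
"""GenB-style MBR rebuild: keep the partition DATA, replace the CODE.

Added example for the VIRUS-L GenB thread. Layout constants are the standard
PC master boot record; CLEAN_CODE and the sample sectors are constructed.
"""
import struct

SECTOR = 512
TABLE_OFF = 0x1BE            # partition table: 4 entries x 16 bytes
ENTRY_LEN = 16
SIG_OFF = 0x1FE              # 2-byte boot signature
SIGNATURE = b"\x55\xAA"

# Stand-in for the remover's embedded clean boot code. A real tool ships its
# own loader here; this constructed stub just executes `cli; hlt` so that the
# layout (code, then table, then signature) is honest.
CLEAN_CODE = bytes([0xFA, 0xF4]) + b"\x00" * (TABLE_OFF - 2)


def partition_table(sector: bytes) -> bytes:
    """Return the 64-byte partition table from a 512-byte MBR image."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    return sector[TABLE_OFF:SIG_OFF]


def parse_entries(table: bytes):
    """Yield (boot_flag, type, lba_start, sector_count) for each entry.

    Bytes 1-3 and 5-7 are the CHS start/end fields, skipped here ("3x").
    """
    for i in range(4):
        entry = table[i * ENTRY_LEN:(i + 1) * ENTRY_LEN]
        yield struct.unpack_from("<B3xB3xII", entry)


def table_looks_sane(sector: bytes) -> bool:
    """Plausibility check before trusting the table found at the normal place.

    If a virus relocated or encrypted the partition data, what sits at 0x1BE
    is garbage; writing it back under clean code would wreck the disk.
    """
    if sector[SIG_OFF:] != SIGNATURE:
        return False
    used = active = 0
    for boot, ptype, lba, count in parse_entries(partition_table(sector)):
        if boot not in (0x00, 0x80):          # only "inactive"/"active" are legal
            return False
        if ptype == 0:
            if boot or lba or count:          # an empty slot must be all zero
                return False
            continue
        if count == 0:                        # a real partition has a size
            return False
        used += 1
        active += boot == 0x80
    return used >= 1 and active <= 1


def rebuild_mbr(sector: bytes) -> bytes:
    """Fresh MBR = known-clean code + this sector's own partition table."""
    if not table_looks_sane(sector):
        raise ValueError("partition table not recoverable from this sector")
    return CLEAN_CODE + partition_table(sector) + SIGNATURE


def make_entry(boot: int, ptype: int, lba: int, count: int) -> bytes:
    """Build one 16-byte entry; CHS fields are left zero, LBA fields carry data."""
    return struct.pack("<B3xB3xII", boot, ptype, lba, count)


def sample_infected_mbr() -> bytes:
    """Constructed: junk where the loader belongs, intact table and signature."""
    junk = bytes((i * 37 + 11) & 0xFF for i in range(TABLE_OFF))
    table = (make_entry(0x80, 0x06, 63, 204_737)          # active FAT16
             + make_entry(0x00, 0x05, 204_800, 204_800)   # extended
             + make_entry(0, 0, 0, 0) + make_entry(0, 0, 0, 0))
    return junk + table + SIGNATURE


def sample_moved_table_mbr() -> bytes:
    """Constructed: table region overwritten, as when a virus relocates it."""
    sector = bytearray(sample_infected_mbr())
    sector[TABLE_OFF:SIG_OFF] = bytes(0xE5 for _ in range(SIG_OFF - TABLE_OFF))
    return bytes(sector)


if __name__ == "__main__":
    fixed = rebuild_mbr(sample_infected_mbr())
    print("table preserved:", partition_table(fixed) == partition_table(sample_infected_mbr()))
    print("moved-table sector accepted:", table_looks_sane(sample_moved_table_mbr()))
```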
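Sean Straw's petri-file routine from the WIN.COM thread, redone as a Python script; this is an added example, not code from the post or from Straw's utilities. It builds the same 8192-byte .COM image the DEBUG session produces (the `mov ax,4c00` / `int 21` exit stub followed by zeros), records the size and CRC-32 baseline that PKZIP would show, and compares a later copy against it. It also contrasts that whole-file CRC with one taken over only the first 512 bytes, which is the head-only checking Denis Beauregard suspects in MSAV/CPAV earlier in this issue; the 512-byte window and the "modified" copies are constructed for the example.

```python
"""Petri-file integrity baseline and check (added example for VIRUS-L).

Builds the zero-filled .COM "petri-file" from the post, snapshots it the way
PKZIP would (length + CRC-32), and reports whether a later copy differs.
The edited copies below are constructed byte changes, not any real infection.
"""
import zlib
from dataclasses import dataclass

# What DEBUG assembles for "mov ax,4c00" / "int 21": a clean DOS exit.
EXIT_STUB = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21])
HEAD_BYTES = 512   # assumed "beginning of file" window for the weak check


def make_petri_file(size: int = 0x2000) -> bytes:
    """Exit stub followed by zeros, `size` bytes in all (0x2000 is DEBUG's CX)."""
    if size < len(EXIT_STUB) or size > 0xFF00:
        raise ValueError("size must fit a .COM file")
    return EXIT_STUB + b"\x00" * (size - len(EXIT_STUB))


@dataclass(frozen=True)
class Snapshot:
    size: int
    crc32: int        # whole-file CRC-32 (same polynomial PKZIP records)
    head_crc32: int   # CRC-32 over only the first HEAD_BYTES bytes


def snapshot(data: bytes) -> Snapshot:
    """Record what PKZIP would show; the post's CRC is recomputed, not hardcoded."""
    return Snapshot(len(data),
                    zlib.crc32(data) & 0xFFFFFFFF,
                    zlib.crc32(data[:HEAD_BYTES]) & 0xFFFFFFFF)


def changed(baseline: Snapshot, current: bytes) -> bool:
    """Whole-file check: any size or CRC-32 difference counts."""
    now = snapshot(current)
    return now.size != baseline.size or now.crc32 != baseline.crc32


def head_only_changed(baseline: Snapshot, current: bytes) -> bool:
    """Weak check that only looks at the head, to show what it misses."""
    return snapshot(current).head_crc32 != baseline.head_crc32


def describe_change(baseline: Snapshot, current: bytes) -> str:
    """Triage line: how size/CRC moved and where the first differing byte is.

    Assumes the baseline was taken from a petri-file of the recorded size, so
    the pristine image can be regenerated rather than stored.
    """
    if not changed(baseline, current):
        return "unchanged"
    clean = make_petri_file(baseline.size)
    first = next((i for i, (a, b) in enumerate(zip(clean, current)) if a != b),
                 min(len(clean), len(current)))
    now = snapshot(current)
    return (f"size {baseline.size}->{now.size}, "
            f"crc {baseline.crc32:08X}->{now.crc32:08X}, "
            f"first difference at offset 0x{first:04X}")


if __name__ == "__main__":
    petri = make_petri_file()
    base = snapshot(petri)
    # Constructed body-only edit: bytes written into the zero padding, past the head.
    body_edit = bytearray(petri)
    body_edit[0x1000:0x1010] = b"\xCC" * 16
    print(describe_change(base, bytes(body_edit)))
    print("head-only check noticed it:", head_only_changed(base, bytes(body_edit)))
```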
------------------------------

Date: Thu, 22 Dec 94 20:27:03 -0500
From: Jack Holleran
Subject: CFP: Call for Papers and Panels

CALL FOR PAPERS AND PANELS

18TH NATIONAL INFORMATION SYSTEMS SECURITY CONFERENCE
(formerly the National Computer Security Conference)

Co-sponsored by the National Computer Security Center and
National Institute of Standards and Technology

Baltimore Convention Center, Baltimore MD
October 10-13, 1995

The National Information Systems Security Conference audience represents a broad range of information security interests spanning government, industry, commercial, and academic communities. Papers and panel discussions typically cover:

* research and development for secure products and systems presenting the latest thinking and directions;
* practical solutions for real-world information security concerns;
* implementation, accreditation, and operation of secure systems in a real-world environment;
* evaluation of products, systems, and solutions against trust criteria;
* security issues dealing with rapidly changing information technologies;
* network security issues and solutions;
* management activities to promote security in IT systems including security planning, risk management, and awareness and training;
* international harmonization of security criteria and evaluation;
* social and legal issues such as privacy, ethics, investigations, and enforcement;
* tutorials on security basics and advanced issues; and
* highlights from other security forums.

We invite the submission of papers and proposals for panel discussions in any of the above areas as well as other topics related to IT system security. We especially encourage student papers written by individuals in degree programs. The student should not have been previously published, and the paper shall be endorsed by an academic advisor.

BY MARCH 1, 1995: Eight (8) copies of your draft should arrive at the following address. See instructions on reverse side regarding the format of your submission and accompanying information required.

National Information Systems Security Conference
Attn: Conference Secretary, APS XI
National Computer Security Center
Fort George G. Meade, MD 20755-6000

BY JUNE 1, 1995: Authors and Panel chairs selected to participate in the Conference will be notified and advised when final papers and panel statements are due.

For additional information on submissions, please call (410) 850-0272 or send Internet messages to NISS_Conference@DOCKMASTER.NCSC.MIL. For other information about the National Information Systems Security Conference, please call (301) 975-2775.

PREPARATION OF CONFERENCE SUBMISSIONS

Cover Sheet:
  Type of submission (paper, panel, tutorial)
  Title or Topic
  Abstract (not to exceed 250 words)
  Author(s)
  Organizational Affiliation
  Phone numbers (voice and fax, if available)
  Internet address, if available
  Point of Contact, if more than one author

Submissions related to work under U.S. Government sponsorship must also include the following information:
  U.S. Government Program Sponsor or Procuring Element
  Contract Number (if applicable)
  U.S. Government Publication Release Authority

Classified material or topics must NOT be submitted.

Draft Papers: 10 page maximum, including figures and references. Include title, abstract, and keywords on first page. No more than 12 characters/inch and 6 inches/line. One-inch margins all around. Since the paper referee process will be anonymous, names and affiliations of authors should appear only on the separate cover sheet. All submissions are treated as proprietary information belonging to the authors.

Release for Publication and Copyright: Authors are responsible for obtaining government or corporate releases for publication. Written release will be required for all papers to be published. Papers developed as part of official U.S. Government duties may not be subject to copyright. Papers that are subject to copyright must be accompanied by written assignment for multi-media publication to the National Information Systems Security Conference Committee.

PANEL PROPOSALS:

* Panels are limited to 90 minutes, including time for prepared remarks, discussion, and audience interaction.
* Proposals are not to exceed two pages but should summarize the topic, issues, viewpoints and questions that will be addressed by the panel.
* Proposals are to include the names of panelists, panel chair, and affiliation of each participant.
* Each panel is limited to *five (5)* persons, including panel chair and four (4) panelists.
* Panels will be selected by the Conference Committee. Panel chairs and panelists will be expected to provide written statements for inclusion in the Conference Proceedings.
* Panel proposals *must be* received by March 1, 1995.

------------------------------

From: virusbtn@vax.ox.ac.uk
Subject: CFP: VB 95 Conference

VB'95
Fifth International Virus Bulletin Conference and Exhibition
September 20 - 22, 1995
Boston, USA

Call for Papers

Over the past four years, the Virus Bulletin conference has established itself as the most prestigious annual event to address the computer virus threat in Europe. Now in its fifth year, VB'95 will be held for the first time in the USA, affirming the event's truly international nature.

VB'95 will run as three parallel tracks featuring technical and non-technical presentations on the computer virus threat and related security issues. Abstracts of between 200 and 500 words outlining proposed papers are invited from anyone working in computer security. Papers will be selected for their originality and appeal to a diverse audience, comprising government, military, public sector and corporate computer security staff, researchers, and hardware and software developers.
Papers covering the following subjects are particularly welcome:

* Windows viruses, Windows '95 and Windows NT vulnerability
* Case studies of virus attacks in corporate environments
* Legal controls of computer viruses
* Viruses on UNIX systems
* Heuristic scanners
* Securing DOS

The conference venue is the Park Plaza & Towers Hotel, located in the heart of Boston. Virus Bulletin will cover speakers' accommodation expenses.

Please send abstracts to The Editor by 31st January 1995.

Virus Bulletin * 21 The Quadrant * Abingdon * OX14 3YS * England
Tel. +44 (0)1235 555139 * Fax +44 (0)1235 531889 * Email virusbtn@vax.ox.ac.uk

------------------------------

Date: Fri, 23 Dec 94 09:19:05 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: FYI: Phone number change

The phone number of Frisk Software International (producers of F-PROT) has changed.

New phone: +354-5-617273
New fax:   +354-5-617274

- -frisk

Fridrik Skulason    Frisk Software International    phone: +354-5-617273
Author of F-PROT    E-mail: frisk@complex.is        fax:   +354-5-617274

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 2]
****************************************

6-Jan-95 11:56:17-GMT,63936;000000000000
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.5/3.08) id AA02661; Fri, 6 Jan 95 06:55:10 EST
Received: from fidoii.cc.lehigh.edu (fidoii.CC.Lehigh.EDU [128.180.1.4]) by remus.rutgers.edu (8.6.8.1+bestmx/8.6.6) with ESMTP id GAA00583 for ; Fri, 6 Jan 1995 06:54:53 -0500
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <127583-4>; Fri, 6 Jan 1995 06:34:00 EST
Message-Id: <9501061131.AA15768@bull-run.assist.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V8 #3
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Fri, 6 Jan 1995 06:24:25 EST

VIRUS-L Digest   Friday, 6 Jan 1995   Volume 8 : Issue 3

Today's Topics:

Re: Viruses in newsgroups - how can that be?
Virus on NeXTStep486 3.1 boot sector? (PC/UNIX)
Re: OS/2 Virus? (OS/2)
Re: OS/2 Virus Susceptibility? (OS/2)
Re: WIN.COM modification (PC)
Re: Junkie virus (PC)
McAfee 2.1.4 Crashes - help (PC)
Re: NYB (PC)
Re: InVircible IS Safe (PC)
Re: Michelangelo(?) virus bypasses bios test (PC)
Thunderbyte AV and my Hard drive! (PC)
ThunderByte AV and my boot sector (PC)
Re: Possible Gold Bug infection (PC)
Re: junk-virus on my PC- Help me!!! !!! (PC)
Help with Screaming.Fist.Boot Virus (PC)
Re: New Bug (PC)
Tequila Virus (PC)
Re: HELP-Omega (PC)
virus detection (PC)
McAfee vs Central Point vs F-Prot (PC)
boot-437 virus (PC)
Re: Virus protection:the best solution (PC)
Re: TBAV sig file wanted (PC)
Re: Just how safe is VSAFE? (PC)
What are the effects of FDISK/MBR (PC)
Re: What's a Logic Bomb ?
VIC virus (PC)
Re: About memory scanning (PC)
Re: Tai-Pan (PC)
Re: WIN.COM modification (PC)
Re: Keyboard problem (PC)
ThunderByte CRC checking (PC)
Re: Descript.ion Virus (PC)
Re: WIN.COM modification (PC)
Re: FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)
Re: NATAS Alert! (PC)
Re: What Genb etc is (PC)
Re: What can a virus do ? I need HELP! Please (PC)
Jumper Virus! HELP Please! (PC)
False alarm of FP 2.15 on IBM-DOS boot sector (PC)
Re: MBR Viruses / rebuilding MBR (PC)
Re: new virus? (PC)
Form.A??? (PC)
Infection via a .WK4 file? (PC)
Re: What kind of virus is this ? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 29 Dec 94 04:03:45 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Viruses in newsgroups - how can that be?

Hello Mssrs. Wai, Tulloh, and Moderator :-),

The popular picture formats (GIF, JPEG, and so forth) contain only data. No program code is present which may be executed by the processor to spread a computer virus. However, sometimes executable files are posted to picture-bearing (bare-ing?) newsgroups and these can contain viruses since they are programs. Generally speaking, the charters for pictures newsgroups prohibit (or at least frown upon) the posting of executable programs, so take appropriate caution if you decide to use a program posted to a pictures newsgroup. When in doubt, check with the moderator or FAQ for the newsgroup.

[Moderator's note: I stand by my note (below). One side note: there are many newsgroups that post uuencoded "binary" files that aren't graphic data; check out the comp.binaries.* tree.]

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/

dtulloh@kazak.NMSU.Edu (dtulloh) writes:
>Wu Kwok Wai (kwwu@hkusub.hku.hk) wrote:
>
>: [Moderator's note: Simple - uuencoded files being posted as messages
>: to the group. Same method used to post digitized pictures to other
>: groups. There's no harm to the casual reader - unless s/he uudecodes
>: the viruses (or pictures! :-) and runs them.]
>
>If I were to uudecode such a digitized picture and used it in a
>viewer prior to virus-scanning it, could the virus infect my system?
>I wouldn't think so since the viewer would be treating the whole
>file as a data file.

- -- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200| FAX   (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California  | FaxBck(408) tba      | or www.mcafee.com
95051-0963               | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
USA                      | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Wed, 28 Dec 94 09:29:31 +0000
From: yogi@csa.technion.ac.il (Yossi Gil)
Subject: Virus on NeXTStep486 3.1 boot sector? (PC/UNIX)

My NeXTStep486 3.1 has many problems in rebooting. Many times, during the boot process it will identify problem(s) and try to reboot, but fail. It must be helped by pushing the PC reset switch.

I noticed that during the boot process, it reports only 639KB of conventional memory. If the computer is booted under DOS (with a floppy), then 640KB are reported. This raised my suspicion that there is a virus on the hard disk boot sector.

Does anyone out there know how I can get rid of such a virus? I tried using the Norton disk editor, but it could not identify a partition table. Also, the famous DOS scan program was confused since the hard drive is unreadable under DOS.

- --
Joseph (Yossi) Gil                          yogi@CS.Technion.AC.IL
The Faculty of Computer Science             yogi@NeXT.CS.Technion.AC.IL
Technion -- Israel Institute of Technology  Tel: +972-4-29-4333
Technion City, Haifa 32000, Israel          Fax: +972-4-29-4353

------------------------------

Date: Thu, 29 Dec 94 03:20:10 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: OS/2 Virus? (OS/2)

lrgray@ix.netcom.com (Lee Gray) writes:
>There is an ongoing debate between myself and my manager concerning
>viruses and OS/2. He says that it is impossible to write an OS/2 virus
>because of the way OS/2 works with memory.

Your manager is wrong. Totally wrong. There are several OS/2 viruses already, and the reasons there are so few are:

1) Lack of information.
2) DOS is just so much more popular.

>Opinions asked for and, if you know of viruses please include their
>given name.

Well, there is one for example that F-PROT calls OS2_First.

>I have scanned through the VSUM hyper-text file and could not spot any
>OS/2 viruses.

Vsum only lists a part of the 5500 (or so) viruses that exist.

- -frisk

------------------------------

Date: Thu, 29 Dec 94 04:46:21 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: OS/2 Virus Susceptibility? (OS/2)

Hello Kelly D. Lucas,

You wrote:
[...description of boot viruses under OS/2 deleted for brevity...]
>
>DOS based viruses cannot survive within other OS's; however, Boot sector
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unless, of course, that other OS emulates (or even runs) DOS. Examples of this include OS/2's Virtual DOS Machine and WIN-OS2 support, and SoftPC for the Mac.

>viruses that use the BIOS routines to infect hard disks will write themselves
>to any disk if the hardware is a PC, regardless of the OS. This
>has occurred on UNIX and Windows NT workstations as well as OS/2. Hardware
>is the key under the scenario described above.
>
>I hope this little tidbit helps,

Regards,

Aryeh Goretsky
McAfee Associates, Inc.

- -- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200| FAX   (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California  | FaxBck(408) tba      | or www.mcafee.com
95051-0963               | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
USA                      | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.
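Two threads in this digest lean on the same piece of disk layout: Sean Straw's advice to take the partition DATA out of an infected sector and drop it into a KNOWN clean boot sector, and Aryeh Goretsky's point just above that boot viruses write through the BIOS, so the OS that owns the disk (DOS, OS/2, NT, or Yossi Gil's NeXTStep) makes no difference to the check. The following Python is an added illustration written for this digest; it is not code from any poster or from any product named here. It assumes the 512-byte master boot record has already been read into a byte string with whatever sector tool the OS offers, and all sample images below are constructed, not real disk contents or real virus code.

```python
# Added example for this digest (not code from any poster or product named
# here): rebuild a PC master boot record from a known-clean copy of the boot
# code while keeping the partition table, as Sean Straw's post suggests.
# It works on 512-byte sector images, which are assumed to have been read
# out with whatever tool the OS offers; nothing here touches a real disk.

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0x000-0x1BD hold the boot loader code
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 0x1FE        # 0x55 0xAA marks a valid boot sector
SIGNATURE = b"\x55\xaa"


def partition_entries(sector):
    """Split the 64-byte partition table into its four 16-byte entries."""
    table = sector[PART_TABLE_OFF:SIGNATURE_OFF]
    return [table[i:i + PART_ENTRY_LEN] for i in range(0, len(table), PART_ENTRY_LEN)]


def partition_table_is_sane(sector):
    """Cheap plausibility checks before trusting a partition table: the boot
    indicator must be 0x00 or 0x80, at most one entry may be active, and a
    used entry must describe a non-empty range.  Some boot viruses keep the
    real table elsewhere; a table that fails these checks is a sign that
    swapping in clean boot code alone would leave the disk unreadable."""
    active = 0
    for entry in partition_entries(sector):
        boot_flag, ptype = entry[0], entry[4]
        if boot_flag not in (0x00, 0x80):
            return False
        if boot_flag == 0x80:
            active += 1
        sector_count = int.from_bytes(entry[12:16], "little")
        if ptype != 0 and sector_count == 0:
            return False
    return active <= 1


def boot_code_differs(sector, known_good):
    """True when the boot-code bytes differ from a saved known-good copy.
    Because boot viruses write through the BIOS, this comparison is valid
    whichever operating system owns the disk."""
    return sector[:BOOT_CODE_LEN] != known_good[:BOOT_CODE_LEN]


def rebuild_mbr(suspect, clean_template):
    """Return a new MBR image: boot code from clean_template, partition table
    from suspect, fresh signature.  Raises ValueError instead of producing
    something that would be written back to a disk on a guess."""
    if len(suspect) != SECTOR_SIZE or len(clean_template) != SECTOR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    if clean_template[SIGNATURE_OFF:] != SIGNATURE:
        raise ValueError("clean template lacks the 0x55AA signature")
    if not partition_table_is_sane(suspect):
        raise ValueError("partition table looks damaged; do not rewrite blindly")
    return (clean_template[:BOOT_CODE_LEN]
            + suspect[PART_TABLE_OFF:SIGNATURE_OFF]
            + SIGNATURE)


def make_partition_entry(active, ptype, start_lba, sector_count):
    """Build one 16-byte entry; the CHS fields are left zero in this example."""
    return (bytes([0x80 if active else 0x00]) + b"\x00\x00\x00"
            + bytes([ptype]) + b"\x00\x00\x00"
            + start_lba.to_bytes(4, "little")
            + sector_count.to_bytes(4, "little"))


def build_sector(boot_code, entries):
    """Assemble a 512-byte MBR image from boot code and up to four entries."""
    table = b"".join(entries).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


# Constructed sample images (not real disk contents or real virus code):
# a clean MBR with one active FAT16 partition, and the same disk after
# something overwrote the boot code but left the partition table intact.
PARTITIONS = [make_partition_entry(True, 0x06, 63, 204737)]
CLEAN_MBR = build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
SUSPECT_MBR = build_sector(b"\xeb\x1c\x90\x00\x00\x00", PARTITIONS)

if __name__ == "__main__":
    print("boot code altered:", boot_code_differs(SUSPECT_MBR, CLEAN_MBR))
    repaired = rebuild_mbr(SUSPECT_MBR, CLEAN_MBR)
    print("repaired image matches clean image:", repaired == CLEAN_MBR)
```

The sanity check is the part worth keeping even if the rest is replaced by a vendor tool: some boot viruses (the Monkey family is the classic case) store the real partition table elsewhere and leave the copy in the MBR unusable, so replacing only the 446 bytes of boot code, which is also what an FDISK /MBR-style repair does, turns such a disk into one with clean code and no readable partitions. Keeping a known-good copy of the MBR and comparing against it with `boot_code_differs` is a check that works identically on a DOS, OS/2 or UNIX machine, since the sector is the same bytes whoever owns the disk.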
------------------------------

Date: Sat, 24 Dec 94 12:12:13 -0500
From: ethelk@netcom.com (Ethel Kendrick)
Subject: Re: WIN.COM modification (PC)

Kevin Marcus wrote:
>Michael Howell wrote:
>>In the past two days, my win.com file has been modified from 50,904 bytes to
>>95,036 ... The date changes at that point, as well ... When the 95K version is
>>executed from a DOS command line, the message "Program too big to fit in
>>memory" appears.
>
>This message is caused when a .COM file is executed that is larger than
>65536-256 bytes.
>
>>Sounds evil and virus-like, but I've run mwav, fprot, and tbav, and none have
>>come up with anything. Sigh. Any comments?
>
>Unless there are multiple infections, I don't know of any virus with
>the length increase you specify. Of the multi-infect viruses, the Jerusalem
>family is largest and most common; but no variants I have reinfect .COM
>files; only .EXE's.

Of course programs that you might run which change your Windows video drivers will change the logo that starts up with Windows. This logo is kept in WIN.COM. If the logo and the original WIN.COM executable is larger than 64k, you're outta luck. Simple fix is to copy the WIN.CNF file in the \windows\system directory to WIN.COM in the \windows directory. That's the original COM file sans logo.

------------------------------

Date: Sat, 24 Dec 94 17:37:54 -0500
From: Whodini
Subject: Re: Junkie virus (PC)

On 23 Dec 1994, John Davey wrote:
> Hopefully someone reads this.
>
> I've picked up the junkie virus from somewhere, ftp I think, getting kermit.exe.
>
> Anyway, we can't seem to get rid of it, it seems to stick to com files, clean
> gets rid of it, but after a clean boot it seems to re-appear.
> Any comments?

Use F-Protect to clean your Hard Drive's boot sector. It stays in the MBR. McAfee won't clean it, and F-Prot won't clean files with it (it just sits there and tries to clean it over and over). Find all the files with it, delete them, and boot on a clean system disk. Use F-Protect to clean your boot sector, and you will be fine. (Just got rid of it a week ago)

__ ___ __ _ .:Whodini:. _ __ ___ __
/_/\ ______ ___ _ .:jkao@ic.sunysb.edu:. _ ___ ______ /\_\
\_\/___ __ _ .:tiME t0 gET eLiTE!:. _ __ ___\/_/

------------------------------

Date: Sat, 24 Dec 94 19:30:09 -0500
From: nisk115%albnyvms.BITNET@uacsc2.albany.edu (DAN GINSBURG)
Subject: McAfee 2.1.4 Crashes - help (PC)

I just downloaded McAfee v2.1.4 (scnb214a.zip, which I got from Software Creations BBS). When I scan my HD, everything is fine until it hits C:\TELEMATE. It kept locking up at a program called convert.exe in the directory. It was a program I didn't need, so I deleted it and re-scanned. It again crashed at another EXE in that directory. So, I clean booted and this time it crashed, but it gave me this error message:

C:\TELEMATE\GIFLINK.EXE
Error Report:
Error Code 1
Please record the following information and contact your McAfee representative.
Source: ph_ui.c Location:679 Status -20480, Information $ Revision:1.15$
Error Code 1
Please record the following information and contact your McAfee representative.
Source: ph_ui.c Location: 679 Status 4096, Information $Revision:1.15$

It then crashed at the next EXE in that directory. Unfortunately, McAfee is closed for the holiday, so I was wondering if anyone has any idea what this means? Do I most likely have a virus or is this a bug in SCAN? Also, why would only files in C:\TELEMATE be infected when I have hundreds of others on my HD?

Thanks...

********************************
*         Dan Ginsburg         *
*   dginsburg@globalone.net    *
*              or              *
*  nisk115@cnsvax.albany.edu   *
********************************

------------------------------

Date: Sun, 25 Dec 94 00:50:38 -0500
From: patlee@panix.com (Patrick Lee)
Subject: Re: NYB (PC)

sborduas@step.polymtl.ca (Simon Borduas) writes:
>
> TSE CHI ON ANDREW (s935476@acs.csc.cuhk.hk) wrote:
>
> : Does anyone know the virus named NYB. It's a very new virus.
> : Even the newest SCAN 2.1.3 still cannot kill that virus!
> :
> : So, does anybody know whether there's cleaner for that virus
> : NYB? Thanks.
>
> We also have troubles with this BOOT-MBR infector in Montreal. Any info
> will be welcome.

A coworker says he was able to clean the NYB virus with Norton Anti Virus. Does anyone know what harm the virus does? We're in New York City ...

- --
Patrick Lee  [Internet: patlee@panix.com]  [CompuServe: 74003,2566]
Stuyvesant H.S. Alumni Assoc. Home Page    http://www.panix.com/stuy

------------------------------

Date: Sun, 25 Dec 94 06:55:22 -0500
From: hood!hstroem@uunet.uu.net (Henrik Stroem)
Subject: Re: InVircible IS Safe (PC)

Zvi Netiv wrote:
> features detect even the doings of full stealth viruses and do recover
> In order to accomplish these capabilities, InVircible uses special
> techniques that can be found only in few other disciplines, such as in
> ECCM (electronic counter counter measures). Using itself second and
> even third order anti spoofing techniques, no wonder that IV confuses
> first order anti virus TSR.

I would suggest that you, among your very advanced anti-virus techniques, put a very simple installation check for Thunderbyte's TSRs. Then you can issue a warning to the user that the presence of some AV TSR was detected, and even suggest how to proceed to create a safe configuration.

Skulason did put in a V-Safe detection in F-Prot, and I myself had to put in QEMM Stealth, TBDISK and DiskSecure II checks in the latest version of HS Anti Bootvirus (not yet available).
The users do NOT read the documentation. If you want to avoid scared customers, you should employ simple checks for troublesome software before all your very advanced and fancy anti spoofing techniques.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Sun, 25 Dec 94 11:11:36 -0500
From: hood!hstroem@uunet.uu.net (Henrik Stroem)
Subject: Re: Michelangelo(?) virus bypasses bios test (PC)

Bob Argyle wrote:
> I found one of our computers with the BIOS warning about boot sector
> writes infected with what was identified as the Michelangelo virus.
> Is there any possibility for a virus to defeat the warning, or is

On SCSI disks the BIOS warning usually does NOT work. Only IDE disks are supported with most BIOSes.

> the only explanation operator error? The CMOS switch for the test
> was probably being modified (along with A:/C: boot sequence) at the
> time of infection.

Any virus could flip the BIOS BOOT SECTOR WRITEPROTECT to off, and modify the CRCs accordingly. But why bother. It is easier to infect another sector than the MBR, which is not protected by the BIOS.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Sun, 25 Dec 94 15:07:15 -0500
From: howardl@typhoon.seas.ucla.edu (Howard S. Lee)
Subject: Thunderbyte AV and my Hard drive! (PC)

I used Thunderbyte AV 6.3 the other day, and the tbutil included with it does something funky with the hard drive... it writes over a sector that is read BEFORE the boot sector is read to make sure boot sector viruses do not infect the system. The problem is I'm trying to install software that requires this TBUTIL function to be turned off... however, after reading the WHOLE manual last nite, there is no mention that any command-line options or whatever CAN disable it.... so now I can't install the software... I've tried fdisk /mbr, I've tried low-level formatting, and nothing is working... but the manual DOES mention something about interrupts 40h and 21h... well, personally I have no idea what interrupt 40h does (altho' my assembly programming experience has taught me to deal with 21h)

Can anyone help me? Please email me at the above address or xiphoid@netcom.com .... so that we don't waste bandwidth (I really hope this is the correct newsgroup for this... otherwise, please refer me through email!)

Any help would be a blessing to me... Happy Holidays everyone!

- --
- ------------=========howardl@typhoon.seas.ucla.edu=========---------------
Junk e-mail to:izzyl8v@mvs.oac.ucla.edu
Other addresses:xiphoid@netcom.com, xiphoid@qedbbs.com

------------------------------

Date: Sun, 25 Dec 94 16:37:11 -0500
From: xiphoid@netcom.com (Pet Shop Boy)
Subject: ThunderByte AV and my boot sector (PC)

Recently I was infected with Junkie virus, and in my frenzy I obtained a copy of TBAV. Without reading the manuals, I executed TBUTIL, of which one of its features is to create a "virus-resistant" boot sector. Trouble now is that nowadays once in a while a new program to be installed will stop because it needs to write to the boot sector but CAN'T. I checked the manual afterwards (yeah, stupid me) and figured out that it seems there's no way to put back a boot sector without some stupid prompt popping up on my screen saying "Boot Sector Possible Virus. Overwrite?" I've fdisked my hard drive with and without the /mbr switch, low-level formatted, all while crossing my fingers, because I knew that seriously speaking none of these procedures would delete the "hidden" sector or whatever on my hard drive that's preventing boot sector writes without prompts.

So I'm asking for help... is there any way to remove that TBAV prompt and/or write a boot sector on my hard drive without the prompt? I mean, hell, does this mean I finally get the chance to degauss my hard drive or something?

I'm having a Merry X-Mas... hope you will too...
^_^

------------------------------

Date: Sun, 25 Dec 94 23:04:15 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Possible Gold Bug infection (PC)

tcarter@magnus.acs.ohio-state.edu (Tim J Carter) 22 Dec 1994 10:58:23 Wrote:
> Help!!
>
>I loaded a copy of Doom (which version, I don't know), and I have a feeling
>I have a virus because of it. I just started reading this newsgroup, and
>I guess it may be the Gold Bug virus.

Well, as far as I can see Doom is the "fashion game" everywhere. Now getting a little more serious, You say that You "guess" about the symptoms that your machine (or net) has. Many Viruses that infect Nets could produce some unexpected trouble. Would be "Gold Bug" or NOT.

>What has happened, mainly, is that my computer will not log into my network.

And the others ???. It's a Network, what happens with the others?? If other Computers could start, You'll probably have a connection problem. Do You test the connections (twisted pair, coaxial, etc)

>I have had many things done changing ports, addresses, cards, etc, and it
>always seems like the problem is solved until the next day, same problem.

And the programs ??. Do You re-install login.exe program (or similar)

>Fprot came up once saying it detected a virus, but couldn't find it again.
>We thought it must have disinfected it. How do I get rid of this damn thing
>and are these the symptoms of Gold Bug ( or
> possible Symptoms??)

You must try with other A-virus package, just in order to be sure that is NOT a Virus.

Regards
Ruben Arias
RALP

- -----------------------------------------------------------------------------
Ruben Mario Arias     |> /| | |> |\ | | |_ |     E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus              Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 25 Dec 94 23:04:19 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: junk-virus on my PC- Help me!!! !!! (PC)
ct9308@mimas.hts.hsa.nl (J.P. Brouwer) 22 Dec 1994 10:58:24 Wrote:
>Hi netters,
>
>Two days ago evil struck me: my new PC (not even a week old)
>has been infected with the JUNK-virus. Every single .com-file has been
>damaged.
>First I tried to use the latest version of MCAFEE, but this anti-virus-
>program was not able to remove the virus from my system.
>Since there was not much on my harddisk at that time, I formatted my hd,
>trying to get rid of this torture.
>But again, Murphy's law proved to be right.

Well, if You want to get rid of it You must:

1) Turn off Your computer and boot from a "CLEAN" diskette containing at least DOS version 6.0 or 6.2. (Include Fdisk in this diskette)
2) Perform a FDISK /MBR
3) Format Your Hd if You want. But this is NOT necessary. Only Delete Your files or install them again.

>At first, it seemed that the virus had disappeared, but after installing
>MS-DOS from clean diskettes and rebooting the system, my command.com for
>instance had grown from +/_ 56 to +/_ 57 kb. Checking my system with MCAFEE
>resulted in a virusreport again.
>Is there a possibility of this virus being in my BIOS and when so, what
>should I do??

No, not in Your BIOS (You'll probably guess) the virus is in MBR.

Regards
Ruben Arias
RALP

- -----------------------------------------------------------------------------
Ruben Mario Arias     |> /| | |> |\ | | |_ |     E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus              Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Mon, 26 Dec 94 01:23:19 -0500
From: jja_che@pavo.concordia.ca (TREKER)
Subject: Help with Screaming.Fist.Boot Virus (PC)

A friend of mine (who doesn't have Internet access) got infected with this virus. He said that even the latest version of McAfee doesn't disinfect it. Any ideas? What program(s) would be able to handle this task?

Thanks in advance. Happy Holidays!

Andy Chen (JJA_CHE@PAVO.CONCORDIA.CA)
Co-Author of THE INVASION
Co-Editor of THE NUT & BOLT
ECA Newsletter of Concordia University

------------------------------

Date: Mon, 26 Dec 94 11:36:05 -0500
From: mitch961@aol.com (Mitch961)
Subject: Re: New Bug (PC)

I have seen a virus that MWAV identified as NEWBUG on my PC. I noticed this boot virus after a couple of machines started having problems with 32 bit access in win3.1. MWAV (updated version from BBS) does give more info. I found the virus within a few days of being infected and I can't say what the long term effects are.

------------------------------

Date: Mon, 26 Dec 94 15:10:04 -0500
From: Marcus Mac Innes
Subject: Tequila Virus (PC)

Does anyone know anything about the Tequila virus....? How can it be destroyed? Also ... it is only resident in the master boot block of my HD (according to McAfee Virus scan). Is this accurate, and how can the Master boot block be reformatted without reformatting the Hard Drive?

thanks
Marcus

------------------------------

Date: Mon, 26 Dec 94 20:18:44 -0500
From: Nick FitzGerald
Subject: Re: HELP-Omega (PC)

Nick FitzGerald wrote:
> ... Also note that NetWare's "read-only" is not the
> same as DOS's--it's much stronger and has to be turned off before even
> Supervisor can modify a file protected with it. ...

Hmmmm--what was I thinking of that day?? 8-)

So long as you aren't too liberal with Modify rights, etc RO is somewhat stronger under NetWare than DOS, -but- it isn't anywhere near as strong as this part of my post implied. Sorry for any confusion.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Tue, 27 Dec 94 00:26:56 -0500
From:
Subject: virus detection (PC)

Hi all,

In the market, which virus detection software is the best?

Thank you for your help.

------------------------------

Date: Tue, 27 Dec 94 01:40:09 -0500
From: robb@accessone.com (Rob Blomquist)
Subject: McAfee vs Central Point vs F-Prot (PC)

I am trying to decide which of these 3 to choose from. Under the previous release (just prior to the current release) of McAfee, which I had running, I was infected with an unknown virus. I recently bought a copy of PC Tools 2.0 which has Central Point Anti-Virus software in it; updates will cost 49.95 per year. I currently run F-Prot, which seems to have received high marks in this group.

Is McAfee or Central Point worth the expense, or is F-Prot plenty good enough? The obvious advantage for me is Central Point, because I have PC Tools as my Windows shell, and CP runs from that platform. But I feel that 49.95 vs free is a rook.

Do you folks have any opinions on the relative efficacy, and cost of these products?

Thanks in advance,
Rob

------------------------------

Date: Tue, 27 Dec 94 04:33:53 -0500
From: khanh@uniwa.uwa.edu.au (Khanh Phi Van Doan)
Subject: boot-437 virus (PC)

Hi,

My computer has been infected with the BOOT-437 virus. McAfee scan can detect but is unable to clean this virus (scan ver 2.13e). Does anyone know how to get rid of it with reformatting the hard drive? What does this virus do anyway?

Any help would be greatly appreciated. Thanks in advance.

Khanh Doan

------------------------------

Date: Tue, 27 Dec 94 09:55:28 -0500
From: gheston@nyx.cs.du.edu (Gary Heston)
Subject: Re: Virus protection:the best solution (PC)

In article <3dljt1$86h@ixnews1.ix.netcom.com>, Eric Thedaker wrote:
[ while discussing antivirus software for NetWare servers ]
>We are running Central Point Anti-Virus (CPAV) on our servers. It is
>running well, no problems so far.

CPAV == MSAV. They're roughly equivalent to trusting the Keystone Kops to guard Fort Knox. I've crossposted this to comp.virus so they can give you the latest problem list with those packages.
(Other antivirus software authors have been encouraged to include a disinfect option if detecting those two packages.) Me, I run F-Prot to scan all my servers daily, and encourage people to run the TSRs. I don't have the authority to force them to, unfortunantly. - -- Gary Heston (misc personal nonsense gheston@nyx.cs.du.edu) (work gary@sci.com) (home gary@cdthq.uucp or uunet!sci34hub!cdthq!gary) Disclaimer, datclaimer... "I don't remember anybodys' name. How do you think the "dahling" thing started?" Eva Gabor ------------------------------ Date: Tue, 27 Dec 94 16:19:43 -0500 From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt) Subject: Re: TBAV sig file wanted (PC) UL ENG wrote: >I have the latest copy of ThunderByte antivirus but the last official >signature file I can find is may 93. Is this the last one or are there >later ones out there. Has someone been maintaining their own? >Can someone tell me if I can can a later version and where? > If you have the *latest*, the virus signature file is from december 94 ! Get tbav630.zip and accompanying files from ftp.twi.tudelft.nl, in directory /pub/msdos/virus/tbav !! Bye for now, Piet de Bondt - Delft University of Technology - bondt@ftp.twi.tudelft.nl ============================================================================= FTP-Admin for msdos anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl ------------------------------ Date: Tue, 27 Dec 94 18:36:23 -0500 From: Tripp@richmond.infi.net (Tripp Lewis) Subject: Re: Just how safe is VSAFE? (PC) ostcroix@aol.com (Ostcroix) says: > > I would like to know how effective is DOS VSAFE against viruses. Is this >the best way to protect my system against viruses? I recently downloaded >the latest signatures from MSDOS BBS. Is their a better virus remover and >detector than VSAFE on the market? Well anyone who uses av tsr utils should be exaimed for head injuries. They can be unloaded by a virus *very* easy. 
If you must use one, you should leave that VSAFE crap alone and try
VirStop (but it is easily defeated also). Another good piece of AV software
is InVircible. I find that this is very good protection from infection and
should be used with a virus scanner.

The best protection is tape backups and a little common sense.

FireCracker

------------------------------

Date:    Tue, 27 Dec 94 20:31:34 -0500
From:    cceksw@leonis.nus.sg (Gerald Khoo)
Subject: What are the effects of FDISK/MBR (PC)

Could someone tell me the effects of FDISK / MBR for cleaning a virus???
Will it affect the disk partitioning???

- --
===============================================================================
Khoo Seng Wee, Gerald                 National University of Singapore
Computer Centre                       Tel: (65) 772-6426
10, Kent Ridge Crescent               Fax: (65) 778-0198
Singapore 0511                        Internet: cceksw@leonis.nus.sg
===============================================================================

------------------------------

Date:    Tue, 27 Dec 94 23:07:22 -0500
From:    craigewert@delphi.com
Subject: Re: What's a Logic Bomb ?

dtulloh writes:
>These kinds of things are usually the brainchildren of disgruntled
>users. One person I know of claimed to have done such a thing and
>then destroyed the source code so the bomb could never be removed.
>
>Yet another thing to be on the lookout for, I guess. :)

While you can destroy the source code, that will not prevent removal of a
logic bomb, or a logic flaw. Disassemblers are not that difficult to find
or write, and they work on the executable code. To be unremovable, the
executable code would have to be destroyed, and that would eliminate the
logic bomb as well.

Craig Ewert

------------------------------

Date:    Wed, 28 Dec 94 01:51:51 -0500
From:    skhan@hermes.acs.ryerson.ca (Saleem Khan - JOUR/F94)
Subject: VIC virus (PC)

Does anyone have any info on the VIC virus (PC)?
McAfee's scan 2.13e doesn't pick it up on the boot-up scan scheduled in my
autoexec.bat, but after that if I do a scan, I get a message that says
something along the lines of "the VIC virus has been detected in memory, or
there are remnants of a previous operation present."

Any comments/info/help?

SK

------------------------------

Date:    Wed, 28 Dec 94 02:29:55 -0500
From:    datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: About memory scanning (PC)

Geir M. Koeien wrote:
>I can accept that the vir-signatures are loaded into memory by the AV product
>when scanning for viri in memory. I can also understand that the signatures,
>if left in memory, can cause the AV product to trigger.
>
>However, I refuse to accept that this problem should be an excuse for not
>doing memory scanning. It should be no problem at all for the AV product to
>zero-out the signatures before it exits. (no reason for Iolo to watch out
>yet)
>
>So, if you don't want to do memory scanning you'd better put up a better
>excuse than this one.

Actually, as Padgett Osirus (ha! I love it) sorta suggested, memory
scanning is primarily useful for keeping an AV product from spreading a
virus. If you have a virus which infects, say, on file open, or findfirst's,
etc., and the virus is in memory, and active, and the AV product doesn't
detect it, then for each file that is scanned, it is infected.

Others might argue further that memory scanning should still be brought
forth to program execution -> that a virus should be detected in memory
when a virus hooks an exec function, because otherwise if the person scans
with the virus in memory, and, let's say, disinfects, then exits their
program and goes back to computing, they will reinfect themselves. Instead,
if everyone (...) always would boot from a *known* clean disk, blah blah
blah.

Further, still, some people think one should detect triggers which might be
installed from a virus -- maybe the trigger goes off enough to where the AV
package can't scan. Who knows.
I think that so long as you are definitely booting from a clean disk, you
won't have any problems regardless of the memory detection, but for sure it
is a useful function of AV packages. I think maybe some packages just get a
little bit carried away with it.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *    * * * T H I E V E S   S U C K * * *

------------------------------

Date:    Wed, 28 Dec 94 02:31:46 -0500
From:    datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Tai-Pan (PC)

Bob Vander Steen - Trevose Consultants Ltd. wrote:
>I just scanned my drive for viruses with F-Prot and obtained the message
>'New or Modified version of Tai-Pan found' on almost all EXE's on two of
>my three drives. Does anyone know how I would be able to clean this?

How large is the virus? How many bytes are added to a file when it gets
infected? NAV 3.0 is for sure able to detect and remove a 438 byte variant
of this virus.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *    * * * T H I E V E S   S U C K * * *

------------------------------

Date:    Wed, 28 Dec 94 10:13:48 -0500
From:    dtheo1@umbc.edu (theo dino)
Subject: Re: WIN.COM modification (PC)

I have had this problem myself. I thought that it might have been a virus,
although a 40K virus is unlikely. Tried to see if it would infect but
nothing. Later I found out that my Win.Com would almost double in size when
I tried to change video drivers. So, my advice is keep a backup of Win.Com.
I just copied the Win.Com from another machine here at work.
(Luckily all of my machines have the same configuration)

Dino

************************************************************************
*                                                                      *
* Dino Theo                                                            *
* Systems Analyst/Network Admin/Windows Programmer/All Around Slaveboy *
* USF&G Insurance                                                      *
* EMail - DTheo1@umbc8.umbc.edu                                        *
*                                                                      *
************************************************************************

------------------------------

Date:    Wed, 28 Dec 94 12:36:16 -0500
From:    jjenkin@relay.nswc.navy.mil (Jay Jenkins)
Subject: Re: Keyboard problem (PC)

Don't believe this is a virus problem.

davidr@searchtech.com (David Resnick) writes:
>I'm having a problem with a Gateway 2000 4DX-33 and I'm wondering
>whether it could be a virus. The symptoms are:

- --- symptoms cut ---

>The label on the back of the keyboard indicates that it is an "Anykey"
>keyboard, Model 2189014-XX-XXX.
>I'd appreciate any help or suggestions.

Dave, check your documentation. The 'anykey' keyboard is a programmable
keyboard, which quite often is delivered with modified key definitions. It
can also get scrambled in normal usage/abusage. There is a key combination
to reset it to the default, 'normal' state. Sorry that I don't have it
handy, but you should be able to find it in the docs somewhere.

I had to troubleshoot this very problem when an entire shipment of GW2000
systems that the branch got had keyboard problems. E-mail me if you can't
come up with a solution; I'll dig around and see if I can find it again.

jAY

- ------------------------------------------------------------------------
Jay Jenkins                    Just MY      You don't see
Naval Surface Warfare Center   opinion      no hearses with
Dahlgren, VA 22448-5000        of course.   luggage racks.
jjenkin@relay.nswc.navy.mil                 ---Don Henley

------------------------------

Date:    Wed, 28 Dec 94 12:37:13 -0500
From:    blendrhd@netcom.com (Blenderhead)
Subject: ThunderByte CRC checking (PC)

I am using version 6.26 of ThunderByte and have noticed something that I
find to be a little disturbing.
When Thunderbyte checks the CRC values in the anti_vir.dat file, it fails
to detect altered programs. This is what I did. I used TBSETUP to create
the anti_vir.dat file. Then I went in with diskedit and changed a bunch of
bytes and saved it back. Then I ran TBSCAN and it said "CRC verified".
However, TBSETUP when run a second time reported that one program had
changed CRC.

This seems to be a bug. Has it been fixed? It is worthless to have TBSETUP
detect it because all it does is update the signature file. If I changed
the file entirely, then TBSCAN would notice, but not if I changed bytes
within it. Now a CRC is a CRC and it should not matter that TBSCAN only
checks the beginning and end of the program when looking for infections.

Does this sound reasonable?

BlenderHead

------------------------------

Date:    Wed, 28 Dec 94 15:05:06 -0500
From:    meam@csqbbs.kmitl.ac.th (Atsawin Ch. Kritsanakul)
Subject: Re: Descript.ion Virus (PC)

John Mayer (jmayer@sinkhole.unf.edu) wrote:
: I came across an extremely funny hidden file on my PC yesterday called
: descript.ion. It was a hidden file. As soon as I saw it I ran FP and
[deleted]
: am pretty sure that I picked it up off of a program called QPEG, which I
: obtained from a very reputable FTP site. I have since destroyed the
: files and am keeping my fingers crossed. If anyone has any info. on this

QPEG saves picture information (size, color, etc.) in 4DOS's descript.ion
file. You may want to turn this feature off. Just see file
QPEG.INI/QPEG.CFG.

IMHO, QPEG is a pretty good picture viewer (if you turn off the save
information option.)

Regards,
Atsawin.

- --
* Atsawin Chowanakritsanakul.  * meam@csqbbs.kmitl.ac.th *

------------------------------

Date:    Thu, 29 Dec 94 00:53:35 -0500
From:    doctorkb@vortex.netbistro.com (doctorkb)
Subject: Re: WIN.COM modification (PC)

mikie@owlnet.rice.edu says...
>
>In the past two days, my win.com file has been modified from 50,904 bytes to
>95,036 ... The date changes at that point, as well ...
>When the 95K version is
>executed from a DOS command line, the message "Program too big to fit in
>memory" appears.
>
>Sounds evil and virus-like, but I've run mwav, fprot, and tbav, and none have
>come up with anything. Sigh. Any comments?

Yup, that happened here, too... It isn't a big deal though... just
re-install Windows over top of the old one... NO PROBLEMS... it won't
overwrite your .ini, .grp, or any files that hold data, only the exe's...

One little technicality, though, you couldn't have run mwav... that needs
Windows, which wouldn't work...

TTYL!!!

- --
Signing Off...
Dr. MacWinDOS (otherwise known as Kris Benson (that is, in the "real" world))
-----------------------------------------
| Reply addresses in order of reliability |
-----------------------------------------
doctorkb@vortex.netbistro.com
kris.benson@paradise.nightfall.com
kris.benson@two-t.com
kris.benson@frostzone.com

------------------------------

Date:    Thu, 29 Dec 94 03:42:52 -0500
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)

Hello,

The reports of the Filler and Israeli Boot viruses in memory from McAfee
Associates' VIRUSCAN are false alarms caused by a conflict between VIRUSCAN
and Central Point Anti Virus. CPAV uses some of the same code that we do to
detect viruses, but does not cipher (hide or otherwise encrypt) that code,
causing SCAN to erroneously report the presence of a virus (or viruses)
when none is actually present.

You can confirm this by remarking the CPAV program out of your CONFIG.SYS
and AUTOEXEC.BAT files, rebooting your PC, and then running VIRUSCAN to
confirm that the viruses are no longer reported as being present in memory.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

/IN REPLY TO/

>In addition to the "Filler" virus, I have detected the "Israeli Boot"
>virus on my system. The latest McAfee software will catch them both
>when active in memory, but never, ever, ever on any disk.
>Accepting
>that, I went out and bought a brand spanking new copy of the Norton
>Anti-Virus, which detected a grand total of nothing at all.

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200| FAX   (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California  | FaxBck(408) tba      | or www.mcafee.com
95051-0963               | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
USA                      | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date:    Thu, 29 Dec 94 03:51:58 -0500
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: NATAS Alert! (PC)

Hello Ms. Gierisch,

You wrote:
> This was emailed today (11/30/94) to everyone in my office:

{Message about Natas virus being distributed in Dallas mostly deleted for
brevity.}

>
>NATAS is very new, and is not recognizable by SCAN, MICROSOFT ANTI-
>VIRUS, and CENTRAL POINT. Only F-PROT, TBAV, and AVPRO can find it.
>If you have the virus already, it goes memory resident, and uses heavy
>polymorphic code to avoid detection. Chances are, if you're already
>infected, virus scanner *might* not find it. Boot from a clean floppy
>containing an anti-virus scanner, and scan all your drives.

The current version of VirusScan does detect and remove the Natas virus.
The original author of the message (not Ms. Gierisch) was not using a
recent version of VirusScan, apparently.

Regards,

Aryeh Goretsky
Technical Support

PS: Nice horse.

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.
                         | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200| FAX   (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California  | FaxBck(408) tba      | or www.mcafee.com
95051-0963               | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
USA                      | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date:    Thu, 29 Dec 94 04:40:52 -0500
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: What Genb etc is (PC)

Hello Mr. Appleyard,

Actually, it seems very clear to me, but I think a follow-up posting to
comp.virus is in order to explain things.

The old Version 11x series of VirusScan had separate virus detection and
removal programs (for reasons beyond the scope of this post, although I'd
be happy to elaborate if anyone is interested). The detection portion was
called VIRUSCAN (filename SCAN.EXE) and the removal portion was called
CLEAN-UP (filename CLEAN.EXE). When SCAN found a virus, it would give the
name of the virus found, its removal I.D. for CLEAN, and the area or file
the virus was found in. A user could then remove the virus using CLEAN (or
delete the files, reformat the disk, or what-not).

About two or three years ago, John McAfee realized that (1) there were a
lot of variants of boot viruses appearing; and (2) there was a finite
number of operations they could perform. He then applied this to
developing several "generic" master boot record (the so-called "partition
table") and boot sector detection routines to look for these operations.
Likewise, there were certain things the virus could do with the original
boot code. As a result, the Generic MBR [GenP] and Generic Boot [GenB]
viruses appeared in SCAN and CLEAN. While they were not specific viruses
themselves, they could be used to detect some new and unknown viruses.
The new Version 2.x of VirusScan now has the scanning and cleaning built
into one program, but it does have separate data files, including one for
cleaning.

Please feel free to email me if you have any more questions at
aryeh@mcafee.com.

Regards,

Aryeh Goretsky
Tech Support (and way-unofficial McAfee historian)

/IN REPLY TO/

ANTHONY APPLEYARD writes:
> Ref repeated puzzlement what Genb & Genp are:
> I get the impression that it is as follows. Please correct me if I am wrong.
> When SCAN reports the xxxx [yyyy] virus, the virus is called xxxx, and CLEAN
>must use the method called [yyyy] to remove it. [Genb] is a method of removing
>various specific viruses and also indefinitely bad boot sectors.
> If the method is specific to one virus, it is named the same as the virus
>but in square brackets: it is quicker to report and pass onto CLEAN e.g.
>`Michelangelo [Michelangelo]' than `Michelangelo [Michelangelo_remover]' and
>so on for every virus with a specific remover.
> With specific v. general removers and their names, it is like a pest-control
>man being told this:-
>       SCAN says                    CLEAN is told
>   SPECIFIC:-
>       found: mouse [mouse]         clean [mouse]  /* use mousetrap */
>       found: rat [rat]             clean [rat]    /* use rat trap */
>   GENERAL:-
>       found: crows [shotgun]
>       found: rabbits [shotgun]
>       found: burglars [AK47]
>       found: escaped_lion [AK47]
>

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200| FAX   (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California  | FaxBck(408) tba      | or www.mcafee.com
95051-0963               | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
USA                      | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date:    Thu, 29 Dec 94 05:55:49 -0500
From:    Otto Stolz
Subject: Re: What can a virus do ? I need HELP!
         Please (PC)

Jim Bennett writes:
> can a virus survive a HD reformat or does that remove it from the
> system entirely?

On Sat, 17 Dec 94 07:09:56 -0500 Kevin Marcus said:
> Formatting a fixed disk with FORMAT.COM [...] will only remove a boot
> sector infector.

With most DOS versions, a SYS C: will also have the desired effect,
avoiding the data loss resulting from FORMAT. Beware: the DOS version used
for the SYS command must match the version residing on the C partition,
otherwise many DOS commands from the HD will refuse to work on account of
their built-in version control.

If you choose FORMAT, then you may have to specify the /U switch, with some
DOS versions, to make sure the HD partition is indeed formatted (I have not
tested this; in any case, with the /U switch, you are on the safe side).

Kevin Marcus continued:
> Even fdisk/mbr will not remove MBR infectors.

Even Kevin can err. (Note my appreciation of his usually excellent
contributions!)

The DOS (Rel. 5, and up) command FDISK /MBR will replace the code part of
the 1st hard disk's MBR with a standard boot program, leaving the Partition
Table part unaltered. Thus, it will overwrite (at least partially -- see
below), and disable, any MBR infector residing on the HD. What else could
the term "remove" refer to?

Two caveats are appropriate, here:
- - as with SYS, or FORMAT, FDISK has to be used under clean conditions to
  avoid immediate re-infection -- and we've read only recently, in VIRUS-L,
  how tricky a truly clean boot can be;
- - the Partition Table must be right in place, otherwise FDISK /MBR would
  mess up the HD -- this can easily be tested with the DIR C: command (or
  equivalent for the operating system that has formatted the C: partition)
  after a clean boot from the floppy disk.

Disabling a DBR, or MBR, infector, in this way, will not remove all traces
of it from the HD.
These viruses will have to keep a copy of the original boot program
somewhere on the HD; most MBR infectors keep the original master boot
record in a sector of track 0 (though a tiny MBR infector is conceivable
that would fit together with the original boot program in the MBR); DBR
infectors tend to keep the original DOS boot record in a sector marked Bad,
or in the last sector of the root directory. Some MBR, or DBR, infectors
are too large to fit in one sector; parts of their code will be kept on the
HD like the original boot sector.

As the methods discussed above will only replace the boot sector (DBR, or
MBR, respectively), the original Boot record, and optionally a part of the
virus code, will remain on the disk, where they can be viewed with a sector
editor. (These remnants will never be activated, thus they are entirely
harmless -- I mentioned this only to clarify the term "remove".)

If a HD is infected by two different MBR infectors, the second infection
will keep the 1st virus on the HD as if it were the original MBR. After you
have cleaned the infection with FDISK /MBR, the 1st infector is still where
the 2nd infection has placed it. Again, this remnant is entirely harmless
(as the standard boot program will not activate it), and can be viewed
with a sector editor. In contrast, a naively designed AV program could
bring back the 1st infection, in an attempt to disinfect the 2nd one. Hence
my advice: after disinfecting, scan again!

Of course, these considerations also hold, mutatis mutandis, for two DBR
infectors.

Best wishes to all of you for a happy, virus-free (if at all possible), new
year,
Otto Stolz

*** Please use only my new address at uni-konstanz.de, as all Bitnet
*** addresses at DKNKURZ1 will expire by end of 1994, and all Internet
*** addresses at Nyx.Uni-Konstanz.de will do so some time in 1995.

------------------------------

Date:    Thu, 29 Dec 94 06:51:53 -0500
From:    blandin@ufr-info-p7.ibp.fr (Blandin Patrice)
Subject: Jumper Virus! HELP Please!
         (PC)

I have a PC infected with "Jumper Virus". Has someone information on this
virus? What are its effects? What is the solution to get rid of it?

------------------------------

Date:    Thu, 29 Dec 94 12:34:05 -0500
From:    "Fabio Esquivel (Iron Maiden's fan)"
Subject: False alarm of FP 2.15 on IBM-DOS boot sector (PC)

When testing some 1.44Mb floppy disks with the latest F-Prot shareware
version 2.15, it found Natas on the boot sector of one of them.

Using Norton's Disk Editor, I made a copy of this boot sector into the
file NATAS.BIN and took a look at it. It looked like a normal IBM-DOS
boot sector. However I don't have a copy of IBM-DOS to compare it with.

I made a binary compare of NATAS.BIN with another binary file containing
a healthy MS-DOS boot sector: Just about 80 differences, including the
file names (IBMBIO.COM - IO.SYS, IBMDOS.COM - MSDOS.SYS) and other bytes,
but those bytes that contain the boot code were almost identical (just
less than 15 differences).

For a further test, I copied NATAS.BIN into NATAS.COM and debugged it with
Borland's Turbo Debugger and found no virus behaviour in such code (as it
is on Ping Pong, Stoned, Mich, Kampana and other BSI's I have).

I think it's a false alarm given by F-Prot. I recall someone reporting
an infection of Natas detectable by F-Prot on a previous posting, so he
can check it out twice before disinfecting...

It's a shame that the "Virus Information" option of F-Prot does not provide
complete information about the viruses it recognizes... Yet I use it
simply because it's the best around!

PS: What about the latest McAfee's product? Is it reliable enough to
use it now, after several months of release? Or should we wait 'til
Vesselin sends its approval to that product?
  \___/
  (O o)
- ----------------------------------oOo-U-oOo---------------------------------
- -- Fabio Esquivel - University of Costa Rica | C:\GAMES>a:install
fesquive@cariari.ucr.ac.cr (163.178.101.5)   | Blood_Drinker virus found!
fesquive@bribri.ci.ucr.ac.cr (163.178.101.8) | Apply, Kill, Panic?
                        "Up the Irons!" - 8¬)
- ------------------------------------------------------------------------------
   __|||__
  (__/^\__)

------------------------------

Date:    Thu, 29 Dec 94 12:54:06 -0500
From:    jmward@cs.UCR.EDU (jonathan ward)
Subject: Re: MBR Viruses / rebuilding MBR (PC)

Daniel Bucherer wrote:
>sorry about this naive way of thinking, but what happens to a boot sector
>virus on a hard disk if you boot from a clean disk containing the FDISK
>utility and then type FDISK /MBR ? Doesn't that finish off the virus?
>
>Daniel (dbuchere@physik.tu-muenchen.de)
>

Not necessarily. For many MBR infectors it will, provided that all the
virus did was modify the bootstrap code in the first sector to point to
itself somewhere, or overwrote it. In this case fdisk /mbr will eliminate
it, as it will restore the original code.

HOWEVER - not all viruses do that. Off the top of my head I can think of at
least one I've seen that doesn't alter the bootstrap code, but instead
actually changes the partition table to point to itself. In this case fdisk
/mbr will do nothing - one way to get rid of this kind of virus is using a
partition table editor and restoring the altered values to their originals,
not too hard if the virus has changed the specifications for your primary
DOS partition, which usually starts at Head 1, Cyl. 0, Sector 1.

That's the only variation of MBR infection methods that I can think of off
the top of my head that doesn't work with fdisk /mbr. I'm sure there are
others.

-Jonathan Ward

- --
Who is General Failure, and why is he trying to read from my disk??
Email to:                  | http://neuromancer/~drdrums
jmward@cs.ucr.edu          | University of California, Riverside
drdrums@dostoevsky.ucr.edu | Dept. of Computer Science

------------------------------

Date:    Thu, 29 Dec 94 13:26:01 -0500
From:    jmward@cs.UCR.EDU (jonathan ward)
Subject: Re: new virus? (PC)

Knightmare wrote:
>Hello all,
>        I think I might have a virus problem .... I've been getting
>corrupted files of late in strange places like sbconfig.exe and
>cdplay.exe and in various other
>places ... in windows files most frequently ... when I run scandisk I
>get lots of cross linked file errors and directory names that are too
>long ... my windows files are mostly dead and My drivers for other
>programs keep popping up corrupted .... HELP!!! .... I've d/l the
>newest antivirus progs from mcafree.COM and those just show which
>files of mine are newly corrupted but they don't fix the problem ....
>I've used f-prot and that doesn't help either ... I'm tempted to just

Do McAffe(sp?) and F-prot actually say that you have a virus? Also, how
have you been shutting down your machine? Do you simply turn it off in the
middle of Windows when you're done, or do you flush the disk cache?

Starting with Windows 3.1, Microsoft shipped an updated version of
Smartdrive (ver. 4.0) that included delayed write caching. If the machine
were shut down before the cache was flushed to disk, it would result in
data loss and possible file damage due to cross linking. Any machine that
runs smartdrv 4.0 should type smartdrv /c before shutting down, as that
will flush the cache. Starting with DOS 6.0, Microsoft changed the version
to 5.0, which has a feature which flushes the cache before the command
prompt comes back up, so as long as you exit windows before turning off,
you should be okay (I still manually flush it anyway, just in case). While
usually the effects of killing the power aren't that serious, over time it
can lead to problems such as you describe.
If it is a virus, then you've got one that has a trigger of sorts that's
randomly damaging places on your HD, possibly the FAT. The best way to look
for one is to look for files that mysteriously have grown in size by some
consistent amount (provided the virus isn't stealthing). If it stealths,
then you'll need to boot from a clean floppy (meaning format /s /u on a
system that isn't infected) to see the size changes.

HOWEVER - if it doesn't infect files and is infecting your boot records,
there are several things you could try.

1) Boot up clean with the floppy, then (with a clean copy, of course) fdisk
   /mbr and sys your drive. This should get rid of most, but not all, boot
   viruses.

2) If you still get problems, then your best bet is to get AV software. If
   nothing works there, then

3) As a FINAL (and I do mean final) method, boot up from a clean floppy
   (with fdisk, sys, and format on it), use fdisk to delete and recreate
   all partitions - this will eliminate any MBR infectors -, then format
   and sys. This of course is a last try measure, as it wipes your HD. But
   I doubt that you'll have to go that far.

Do NOT just use fdisk /MBR. The only way to be sure you've rid yourself of
a possible MBR virus is to delete all partitions then recreate. This
completely rebuilds the MBR bootstrap code and the partition table.

One more thing - if you do reformat your HD, be careful about saving files
from your current setup and then restoring them - you may accidentally
restore a virus.

>format my Hard Drive and start reinstalling ... but I have a 500 Meg
>drive and no tape backup !! Lots of install disks though ... Any help

Hmm.. You've definitely got a problem there. No backup, bad, bad, bad!!
Then again, if it really is a virus, restoring from a backup would most
likely be a bad idea, since it would probably restore the virus as well.

>or advice greatly appreciated!!
> If I do need to format my drive and clean out the boot sectors
>and all that stuff ...
>Could someone please post how to go about
>making sure that there is a clean drive after formatting it so I know
>I got rid of the poss problem!

However - I'll be willing to bet you don't have a virus. It's probably your
disk cache, so I'd start there.

-Jonathan Ward

- --
Who is General Failure, and why is he trying to read from my disk??
Email to:                  | http://neuromancer/~drdrums
jmward@cs.ucr.edu          | University of California, Riverside
drdrums@dostoevsky.ucr.edu | Dept. of Computer Science

------------------------------

Date:    Thu, 29 Dec 94 13:28:59 -0500
From:    byron-gaudet@uiowa.edu (Ilsundal)
Subject: Form.A??? (PC)

I recently helped someone remove a virus with F-prot. When F-Prot scanned,
it reported that it saw the form.a virus. I was just wondering if this was
the same as the Form virus.

- -
Thanks

Byron Gaudet
Computer Tech/ Network support
University of Iowa, College of Dentistry
bgaudet@blue.weeg.uiowa.edu

- --
You were born with nothing, and shall return that way.

------------------------------

Date:    Thu, 29 Dec 94 14:42:26 -0500
From:    Kenneth Fribush
Subject: Infection via a .WK4 file? (PC)

We recently had a problem with the Form virus on a laptop where the only
files transferred to it were Lotus 123R4 spreadsheets. Is it possible for a
virus to infect a PC via a spreadsheet file? I was under the impression
that the carrier had to be an executable file (.EXE, BAT, .OVL, etc.).

Any info would be appreciated.

------------------------------

Date:    Thu, 29 Dec 94 15:09:15 -0500
From:    jmward@cs.UCR.EDU (jonathan ward)
Subject: Re: What kind of virus is this ? (PC)

Volker Riebeling wrote:
>My MSDOS5.0 COMMAND.COM grows from 50031 to 51059, other files grow
>by different values, only COM-files are infected but not every file.
>
>I turn my system off, wait for more than 30sec, then boot with OS/2,
>delete my boot-partition. boot again with OS/2 make a bootmanager-
>partition on the beginning and a primary partition of the rest.
>Now boot with MSDOS5.0, FORMAT C: /U /S .
>Now boot from harddisk - no change to the COMMAND.COM !
>Running a lot of programs, no change!
>Then I made a CONFIG.SYS with COPY CON C:\CONFIG.SYS
>
>- - CONFIG.SYS
> FILES=30
> BUFFERS=20
> BREAK=ON
>
>Till there/then, no change to the COMMAND.COM !
>New boot with harddisk - COMMAND.COM grows to 51059 ?!?
>
>Any ideas ???
>
>MCAFFEE 116V found none.
>I hope it will be no CMOS-RAM-Virus (if they really exist) because
>it is an EISA-System with DALLAS-Chips, there is no jumper to clear
>my CMOS-RAM.

There's no such thing as a virus that will infect CMOS. For one - you've
only got something like 16 or 32 bytes there, which isn't large enough to
hold most viruses, let alone something complex enough to write itself
there. Second - If it did put itself there, it would seriously screw up
your system's configuration, and you'd know it. Third - There's no way that
it could get executed on boot-up. The CMOS is only read as data, never
executed.

What it sounds like you've got is either a multipartite or .COM infector.

First off - if you're really running MS-DOS your original command.com file
size sounds infected as well. The standard MS-DOS 5.0 command.com size
should be 47845 bytes long. My guess is the boot floppy that you formatted
with is infected. When you installed DOS off it, you installed an infected
copy. I'll assume that you're not using any command.com replacements.

If you made that boot floppy from your original system configuration, then
it was probably infected, and you created an infected boot floppy. If not,
then I'd go find the person who gave you that disk and inform them that
they've probably got a virus. Try getting an MS-DOS 5.0 installation disk
(as in from the original software box) and installing. If your Command.com
size is 47845 up until the reboot after your config.sys, then it means that
one of the "programs" that you said you were running is infected with a
.COM infector of some sort.
Try getting a copy of NAV or F-prot and scanning your hard drive. Also scan any of the floppies you use to install from.

-Jonathan Ward
- --
Who is General Failure, and why is he trying to read from my disk??
Email to:                    | http://neuromancer/~drdrums
jmward@cs.ucr.edu            | University of California, Riverside
drdrums@dostoevsky.ucr.edu   | Dept. of Computer Science

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 3]
****************************************

25-Jan-95 13:33:11-GMT,60616;000000000000
Received: from aramis.rutgers.edu (root@aramis.rutgers.edu [128.6.4.2]) by klinzhai.rutgers.edu (8.6.8.1+bestmx+oldruq+newsunq/8.6.6) with SMTP id IAA14944 for ; Wed, 25 Jan 1995 08:32:58 -0500
Received: from remus.rutgers.edu by aramis.rutgers.edu (5.59/SMI4.0/RU1.5/3.08) id AA05860; Wed, 25 Jan 95 08:32:42 EST
Received: from fidoii.cc.lehigh.edu (fidoii.CC.Lehigh.EDU [128.180.1.4]) by remus.rutgers.edu (8.6.8.1+bestmx/8.6.6) with ESMTP id IAA16540 for ; Wed, 25 Jan 1995 08:32:23 -0500
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <128205-7>; Wed, 25 Jan 1995 08:07:53 EST
Message-Id: <9501251308.AA07882@bull-run.assist.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V8 #4
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Wed, 25 Jan 1995 08:00:39 EST

VIRUS-L Digest   Wednesday, 25 Jan 1995   Volume 8 : Issue 4

Today's Topics:

comp.virus activates virus ??
"Intelligent Life" messages?
snr9501.zip - The Scanner anti-virus newsletter, Jan95 issue
Re: Hypertext VIRUS-L FAQ
Public perception of the virus situation
Virus scanner for Unix system (UNIX)
Virus scanning of FAT partition under NT (NT)
Re: Mainframe Viruses? (IBM VM/CMS/etc)
Need help removing ANTICMOS B (PC)
ANTICMOS B ... Need help removing...
(PC)
Anyone heard of 4112 virus? (PC)
Answers about NYB (with interesting "payload") (PC)
Re: F-Prot PRO vs. Shareware (PC)
AntiEXE virus (PC)
Keyboard problem (PC)
"Stealth_B" Help (PC)
Re: My PC has something that I cannot get rid of (PC)
unknown virus (PC)
Descript.ion Virus & QPEG (PC)
what's wrong? (PC)
Re: WIN.COM modification (PC)
HELP: My pc has gone braindead.. (PC)
Gen b Stealth Virus (PC)
Characters disappear on printouts !! (PC)
Form.a on Doublespaced Drives. (PC)
FProt (PC)
Monkey on "Stacked" Hard Drive (PC)
Re: memory scanning (PC)
Password for HD partitions (PC)
Desktop keeps changing, virus?? (PC)
Re: One Half Virus (PC)
Re: THANKS for your response (PC)
Re: Win 96 AV? (PC)
Re: How to get with CPAV (PC)
Help! Uruguvau virus (PC)
Help: Win 3.1 Icons all changed to highway icon (PC)
Re: Possible Virus Problem (PC)
Anti CMOS type B (PC)
List of UnRemovable viruses? (PC)
Keypress removal (PC)
Novell Lab protection.... (PC)
Re: DOOM game messages (PC)
Junkie virus (PC)
Dos Master Boot Sector Virus from H#ll! (PC)
Re: JUNKIE1 (PC)
F-PROT 2.16 released (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 30 Dec 94 01:57:46 -0500
From: stegre@delphi.com
Subject: comp.virus activates virus ??

hermanni@wavu.elma.fi (Mikko Hypponen) writes:
> It also activates when it sees the text -=*@DIE_LAMER@*=- on-screen.

Thanks Mikko. I don't think I ever would have had that particular text string on my screen if I hadn't read your message :-)

(At least now I know I'm not infected with Vlamix!)

- Steve G.

------------------------------

Date: Sun, 01 Jan 95 15:35:41 -0500
From: ejdavis@netcom.com (Edward J. Davis)
Subject: "Intelligent Life" messages?

I do some occasional virus disinfecting for clients when the need arises. The other day I had a client ask for advice on a problem. He had obtained some children-oriented software from a well-known company (name withheld). Some of the functions of the software are to print pictures. When a certain picture is attempted to be printed, the printer printed out this text message: "Is there any intelligent life out there to see this bullshit?". He was enraged and contacted the maker of the software. The event is sporadic and cannot be reproduced all the time. At this time, he is not allowing anyone to examine his machine, so I have not been able to do any checks for infection.

Anyone know of a virus that does this? BTW, the software itself was purchased from a well-known outlet in Southern California. If this problem originated at either the manufacturer or the outlet, it could be affecting a good number of people. I hesitate to name any names due to the uncertainty of the problem and its source.
Ed Davis
San Diego, CA

------------------------------

Date: Mon, 02 Jan 95 11:52:57 -0500
From: HRRWood@aol.com (Howard Wood)
Subject: snr9501.zip - The Scanner anti-virus newsletter, Jan95 issue

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
snr9501.zip    The Scanner anti-virus newsletter, Jan95 issue

The Scanner - Vol 1 Issue 1 - is an anti-virus newsletter for users, researchers and developers. Information on recent viruses, hacked programs and trojan alerts are all in The Scanner. Tips on using scanners and integrity programs as well as specific situations for specific virus removal.

Special requirements: None
FreeWare. Uploaded by the author

Howard Wood
HRRWood@aol.com

------------------------------

Date: Wed, 04 Jan 95 10:32:58 -0500
From: hermanni@datafellows.fi (Mikko Hypponen)
Subject: Re: Hypertext VIRUS-L FAQ

Ted Davis (tdavis@umr.edu) wrote:
> An hypertext version of the VIRUS-L FAQ is now available on the Web as
> URL=http://gearbox.maem.umr.edu/0c:/virus/v-l_faq.htm|/

There seem to be several different conversions of the VIRUS-L FAQ to html format. In addition to your version, there exists at least Doug Peterman's version at http://www.umcc.umich.edu/~doug/virus-faq.html and Dalibor Cerar's version which is available from our WWW site at http://www.datafellows.fi/vl-faq.htm.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date: Wed, 04 Jan 95 16:13:30 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: Public perception of the virus situation

I thank Jason Robertson for his comments on my "review" of Tekroids.
He is quite correct: my posting was arrogant both in its assumption of an "elite" AV audience, and in its failure to provide any useful information to those who require hard facts about the realities of viral programs and the risks of infection. In fact, I had no intention of trying to predict a future technology, although I gave so little detail that Mr. Robertson is fully justified in his critique.

I'd like to address the point more fully in a future posting, but, for now, I'd like to concentrate on the other point he raised: the quality of virus reports in the general media.

Those who have been involved in an event which got reported in the press will be aware of the disparity between any event and the printed article. To those of us in virus research, this is a constant and strong irritation. In a private virus research discussion recently, it was found that not one of the members had ever, in cooperating with journalists from the popular media, seen an article or piece which did not have significant errors of fact or implication. A great many now simply refuse to talk to the press at all.

This is unfortunate. It leaves the field wide open to those "experts" who are primarily marketing reps, and who are willing to say anything as long as it gets another mention of their product before the public. These people are as much a problem as the journalists themselves, since they have the time and resources to pursue the media, and thus bad information tends to drive out good.

The common level, in our society, of ignorance regarding things technical is part of the fault here. This is exacerbated by the media's adherence to the dictum that no one ever went broke underestimating the intelligence of the American people. The fact that major successes like Benjamin Brittan, Monty Python and Stephen Hawking rely on sophistication of understanding seems to occur to remarkably few.
A standard reply to this criticism is that the media, in our competitive world, operates under tight pressures. Journalists must produce a number of articles per day. Editors have no time to find and assess resources: they must often go with the first contact with any claim to expertise. Fact checking is limited to "just the facts": implications can't be considered.

My own experience bears this out. A magazine called for writers in the security field and I offered them material on viral protection: they asked for an article on groupware. A commissioned article was turned down since it didn't have enough quotes from vendors. In the two years that I produced "V.I.R.U.S. Weekly", not one of the many requests I had for the material turned into a single sale or donation. I was recently asked to participate in an article in a small business journal in the States. After a half hour "interview" and several email sessions, I find that the article will be limited to 500 words, and therefore of extremely limited usefulness.

Ray Kaplan is of the opinion that news feeds on "spikes" in the signal, and the virus situation doesn't fit that pattern: it is just a steadily growing problem.

The indications do not promise anything better for the future. John Markoff turned out some good stuff in the past, but hasn't been heard from in some time. Sara Gordon is working tirelessly, but also mostly thanklessly. Howard Wood has recently started The Scanner; it is to be hoped that he receives the resources to continue it.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Fri, 30 Dec 94 10:25:11 -0500
From: Janet Blackburn 5-3861
Subject: Virus scanner for Unix system (UNIX)

Having reread the FAQ to refresh my memory ...
Is it still the general consensus that scanning for Unix viruses is not really necessary? Would anyone care to educate me further on the subject?

TIA,
Janet
jblackb@aeha1.apgea.army.mil

------------------------------

Date: Wed, 04 Jan 95 10:41:18 -0500
From: Craig Williamson
Subject: Virus scanning of FAT partition under NT (NT)

We have a new problem. We have gotten viruses on our FAT partition on our NT boxes and this has caused problems. How can we scan these disks under NT, since NT will not allow direct access to the disk? The only way we can think that the virus got there is through booting off a flex. We have seen several instances of this, so it is becoming important to fix this.

Craig
AT&T Global Information Solutions
Craig Williamson
Craig.Williamson@ColumbiaSC.ATTGIS.COM
(803) 939-6431

------------------------------

Date: Wed, 04 Jan 95 21:09:33 -0500
From: T.E.Thacker.Junior@lesueloc.com
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)

writes:
> > There's absolutely no protections on a DOS machine. You wanna scribble
> > anywhere in memory or disk, go right ahead. On the other hand,
> > for instance, an IBM mainframe running MVS/ESA with RACF or Top Secret
> > installed is *quite* the challenge to write viruses for ...

We actually had a mainframe virus at Illinois State University in the mid 1970's. It was called "Cookie Bear". Rumor had it that some rogue professor had planted it for some reason.

The virus took advantage of a loophole in the OS/VS operating system. Access to each 4K page frame was controlled by an access control word. Trying to access a frame with a control byte not your own would produce the infamous SOC/7 abort. (I'm doing this from 19-year memory so bear with me). Unfortunately this control word was actually a control byte! (The OS was designed during a time when 128kb was a LOT of core memory!) All it had to do was randomly try page frames to catch frames matching its control number.
It would then look for sequences it could bogart in Privileged Mode page frames to do its dirty work. It would then make several dozen copies of itself and tack it into the beginning of other programs.

Then it would perform its payload: it would randomly interrupt CICS and VTAM sessions and present a screen asking "Cookie Bear Want's a Cookie!". The user could clear the screen and continue - but their unsaved screen was lost. Ten minutes later it would ask again. Then five minutes. Then two. Then one. Then 15 seconds. It would get so frequent it would force the user to log off and seek another terminal.

The operators & managers couldn't catch it because it could move itself around and hide in "data" segments. (Mainframes at that time could and did intermingle code and data. In fact, the COBOL ALTER verb was an acquiescence to mainframe programmers that wanted to perpetuate their self-modifying code. The famous "Trap Door" was a Branch Around Never "NO-OP" instruction. The next instruction would overwrite the previous with a "Branch Around Always" instruction - slamming the door behind it. This was their way of performing a "first time only" section. In COBOL this became the instruction "ALTER PREV-PARA TO PROCEED TO AFTER-1ST-TIME-PARA.")

Anyway nobody could figure how to get rid of all copies of this thing and it was tying up all the terminals. Until......

One day a freshman who was entering source for a project got the message "Cookie Bear Want's a Cookie". He typed in the word "COOKIE". It said "NO! Cookie Bear Want's a Cookie!". He typed in "OREO". It said "THANK YOU! BYE!" and then proceeded to wipe every copy of itself it had made out of the system!

------------------------------

Date: Thu, 29 Dec 94 21:09:07 -0500
From: rtb4650@tam2000.tamu.edu (Robert Trent Burkey)
Subject: Need help removing ANTICMOS B (PC)

Found ANTICMOS B on 2 machines (& many floppies) using McAfee's SCAN version 2.1.3 (Nov 1994).
The clean feature reports "No known disinfectant for ANTICMOS B"

Note: It was found on the Main Boot Record of the hard drive... has caused many errors while running Windows... Booting from a clean floppy only works temporarily... then within minutes, the virus is back in memory, and on the (once) clean floppy.

Note 2: Norton Antivirus (version around 1992-93) with resident scanning failed to detect this virus.

Any help/suggestions would be greatly appreciated (My dissertation is on this machine)

PS Excellent FAQ!

Bob Burkey
rtb4650@tam2000.tamu.edu
Texas A&M University

------------------------------

Date: Thu, 29 Dec 94 22:13:40 -0500
From: rtb4650@tam2000.tamu.edu (Robert Trent Burkey)
Subject: ANTICMOS B ... Need help removing... (PC)

- --- Sorry if this is a double post, my server is having a bad day ---

McAfee 2.1.3 and 2.1.4beta detected the ANTICMOS B virus on 2 of our machines. It was said to be located in the Master Boot Record. Neither version can clean this virus... Additionally, Norton Antivirus (1992-93) failed to detect this virus (runs in background as intercept). Booting on floppies keeps the machine clean for 2-5 min, then machine and floppy are infected (machine memory that is.. hard drive stays infected of course).

Does anyone know how to clean this virus... short of reformatting? No detectable viruses on files... Could data/text files be uploaded to mainframe/transferred to a clean machine... reformat infected machine, then copy files back?

Any help would be appreciated... (My dissertation 1/2 finished) and data are on these machines...

Thanks
Bob Burkey
rtb4650@tam2000.tamu.edu
Texas A&M University

PS... Excellent FAQ

------------------------------

Date: Fri, 30 Dec 94 00:25:44 -0500
From: maint@hpfcla.fc.hp.com (Bob Gunther)
Subject: Anyone heard of 4112 virus? (PC)

A friend of mine had his computer infected with a virus which McAfee calls 4112. It causes the floppy to yield 'Sector Not Found' errors if you boot from the hard drive.
If you boot from the floppy, then it will continue to read the floppy. Also it affects every .exe file that you run. McAfee shows each .exe file that is infected. McAfee was unable to recover the virus. I had to reformat his hard drive and then reload all the software.

Any information would be great.

Thanks

------------------------------

Date: Fri, 30 Dec 94 01:57:42 -0500
From: stegre@delphi.com
Subject: Answers about NYB (with interesting "payload") (PC)

Simon Borduas writes:
>
> TSE CHI ON ANDREW (s935476@acs.csc.cuhk.hk) wrote:
> : Hello all!
>
> : Does anyone know the virus named NYB. It's a very new virus.
> : Even the newest SCAN 2.1.3 still cannot kill that virus!
>
> : So, does anybody know whether there's cleaner for that virus
> : NYB? Thanks.
>
> We also have troubles with this BOOT-MBR infector in Montreal. Any info
> will be welcome.
>
- -----------------------------------------------------------------

NAME: The virus is identified as "B1" by f-prot v2.15 and as "NYB" by scanv v1.17 and various other AV products.

SYNOPSIS: It resides in the boot sector of floppies or in the MBR of a hard disk. It is not polymorphic (or even encrypted) and does not infect EXE or COM files. Booting from an infected floppy will infect the MBR of all physical hard drives on the system. A copy of the original MBR will be placed at absolute sector 17 (cyl/track 0, head 0). In the case of a floppy, a copy of the original boot sector is placed in the last sector of the root directory. It does not intentionally destroy data, unless you were unlucky enough to have data in the aforementioned sectors. It is a stealth virus; once in memory, it will re-direct attempted reads of the infected MBR (or floppy boot sector) to the original code. After booting from an infected hard disk, the virus will locate itself at the top of memory. The amount of total system memory as reported by CHKDSK will show 1K less than expected.
The virus hooks BIOS int 13, and will infect any non-write-protected floppy on any access of track zero (basically always). Each time the floppy is accessed, there is a random one out of 512 chance it will activate its "payload"...

PAYLOAD: It then uses INT 13 to send the floppy drive head repeatedly from track 0 sector 1 to "track 255", "sector 62". Since INT 13 does not do validity checking on these values, it jams the floppy stepping motor to its physical limit over and over, ignoring virtually any error codes that are returned (physically opening the floppy door *will* stop it, however). While this makes a pretty horrendous noise, it apparently does no permanent damage to a modern floppy drive.

REMOVAL: The virus can be easily removed from the primary hard drive by any of the "standard" MBR virus removal methods often discussed here - e.g. booting from a clean floppy and running FDISK /MBR. If you needed your original exact MBR back for some reason you should be able to use a disk editor to copy sector 17 back to sector 1 (after booting from a clean floppy, of course). I allowed f-prot to remove it with its "generic" boot sector repair feature; this had the additional advantage of removing it from the MBR of a second (physical) hard drive on the machine as well (otherwise the virus could lie dormant on the second drive until it was someday re-connected as the primary one...)

- Steven Greenberg
stegre@delphi.com

------------------------------

Date: Fri, 30 Dec 94 02:27:34 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-Prot PRO vs. Shareware (PC)

72712.706@compuserve.com (LARRY BROWN) writes:
>response that e-mail to Iceland! No offense intended, Frisk, but e-mail to
>Iceland COULD be a tad faster!!

Yeah...well...I know. The problem is just that when I am overloaded with work (which is the "default" situation anyhow), e-mail gets a fairly low priority.
However, there are some changes on the way here at Frisk Software - we will be installing a couple of new Unix machines in the near future, and setting up some new mailing addresses like "sales@complex.is" which hopefully should decrease the average response time a bit...

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Fri, 30 Dec 94 04:25:50 -0500
From: bhinsee@halcyon.com (Bill Hinsee)
Subject: AntiEXE virus (PC)

My office has had numerous run-ins with a virus called AntiEXE (the name given by McAfee's VirusScan). Does anybody know what exactly this virus does? All I've seen it do is slow the PCs down considerably.

Thanks,

- - Bill

Bill Hinsee
bhinsee@halcyon.com

------------------------------

Date: Fri, 30 Dec 94 08:30:39 -0500
From: James F Brown
Subject: Keyboard problem (PC)

David Resnick writes:
> I'm having a problem with a Gateway 2000 4DX-33 and I'm wondering
> if it could be a virus. The symptoms are:

Gateway "Anykey" keyboards support macros. RTFM on how to clear the macros and I'm sure your problem will go away.

- - Jim Brown
brownj@world.std.com

------------------------------

Date: Fri, 30 Dec 94 20:06:01 -0500
From: eaglelaws@aol.com (Eagle Laws)
Subject: "Stealth_B" Help (PC)

We (I and my friends) have encountered a new form of the stealth virus. We were told (by the experts) that it is "Stealth_B". I have spent man... many... hours searching for an anti-virus program that will rid us of this pesky virus. Many programs have Stealth, Stealth_A, Stealth_C, Stealth.1119 but none I have seen contain Stealth_B in their virus lists. I desperately need help solving this problem, so far it has spread to well over 100 machines.
If you know anything please send an e-mail message directly to me (because I don't visit this newsgroup very often). I can be reached at the following addresses:

eaglelaws@aol.com (used the most)
success1@aol.com
eagle93@aol.com

Thank you for your help!

Eagle Laws

------------------------------

Date: Sat, 31 Dec 94 02:41:07 -0500
From: Zvi Netiv
Subject: Re: My PC has something that I cannot get rid of (PC)

Hello Larry,

> I just read the upload announcement by Keith Paterson
> about your anti-virus lab.
>
> A line in the description caught my eye
>
> XMonkey (the common Monkey mbr infection) ...
>
> I have had a virus (?) in my PC for a little over one year.
> I've tried many packages that I downloaded from the net (Oak.Oakland.Edu),
> but none have worked. All say that my PC is 100% OK.

Then it's most probably OK! Download InVircible, from Simtel too, install it and let it do its job. If IV too says you have no virus then you have none! (IV is a generic AV system, it will tell you of the presence of any virus, even new and unidentified, yet).

> My problem is that when I do a DIR command, the directory always lists two
> non-existent files. The two files have 0 bytes and have names that seem
> to be randomly generated, such as ADTFGTRB and ADTFGTRF. The names change
> when I do the DIR command. The names always start with an "A" or "B".
> I would love to get rid of the problem. Can you help me ?

From your description you don't have a virus at all! The files you mention are created by a DOS process known as "piping". Probably as a byproduct of one of your applications. Just delete the files or ignore them.

> Could my PC have what your posting calls "XMonkey". I have never heard of
> this before.

XMonkey removes the Monkey virus, which you HAVEN'T, obviously. :-)

Be relaxed, there is much more scare in the virus business than substance. After you've installed IV, you'll be the first to know if there is ever a virus. And then you'll have plenty of time to choose your options.
:-)

Happy new year,
Zvi Netiv, InVircible

------------------------------

Date: Sat, 31 Dec 94 18:01:07 -0500
From: uja0@rzstud1.rz.uni-karlsruhe.de (Rainer Rawer)
Subject: unknown virus (PC)

Hi there !

I had some troubles starting Windows one day, so I finally tried to reinstall it - but after the Windows setup program read its first 2 disks and tried to change to graphics mode it stopped ... . I also had some troubles with other progs like VGACOPY that suddenly stopped working when accessing the VGA mode ... then I found out that all the executed COMs and EXEs were about 500 bytes too long ...

This virus wasn't detected by F-Prot 2.15 and McAfee SCAN 114 and 117. Only Thunderbyte's TBVA v6.30 did find that those files were too long, but that's it!

Where can I get some help? Please mail me.

Rainer

- ------
Rainer Rawer
EMail: uja0@rz.uni-karlsruhe.de
WWW: //rzstud1.rz.uni-karlsruhe.de/~uja0
Student of Electrical Engineering at University of Karlsruhe, Germany
Mostly Harmless

------------------------------

Date: Sun, 01 Jan 95 15:17:36 -0500
From: ejdavis@netcom.com (Edward J. Davis)
Subject: Descript.ion Virus & QPEG (PC)

The appearance of descript.ion files when running QPEG is a normal function of the program. These files will show up in every directory that you change to when running QPEG. You can turn off this feature, check the documentation.

==================||====================================||=====================
Edward J. Davis   || Digital Systems Research, Inc.
                  || ejdavis@netcom.com
==================||====================================||=====================

------------------------------

Date: Mon, 02 Jan 95 04:19:07 -0500
From: rgmckay@acs.ucalgary.ca (Ryan Garth McKay)
Subject: what's wrong? (PC)

First question I have for the experts is as follows. Is it possible for a virus to hide in a gif/jpeg? Is it possible for a virus to be split between two of the above and become active when the two files are downloaded?

My brother found a virus before it was too late. It was located in two separate gif/jpeg files. Using the Windows-based antivirus program he thought he cleaned up the mess... But we now think some really bad damage occurred. When we turn the machine on we get the standard BIOS stuff, then the "Starting MS-DOS" line and then nothing.... It remains on that line for a long, long time without any hard disk reads. At this time I thought the command.com file wasn't there, so I figured that I'd do a boot with a boot disk... Well, the next problem arrived. This is a computer with a built-in security program and will not let me get at the hard drive when I do this.

Any ideas would be welcomed,

Thanks
Ryan

------------------------------

Date: Mon, 02 Jan 95 17:12:20 -0500
From: Andrej (the REAL)
Subject: Re: WIN.COM modification (PC)

datadec@cs.UCR.EDU (Kevin Marcus) writes:
> Michael Howell wrote:
>>In the past two days, my win.com file has been modified from 50,904 bytes to
>>95,036 ... The date changes at that point, as well ... When the 95K version is
>>executed from a DOS command line, the message "Program too big to fit in
>>memory" appears.
>
> This message is caused when a .COM file that is larger than
> 65536-256 bytes is executed.
>

Didn't you install a video driver using an extremely big VGALOGO.RLE file? (it happened to me once, my win.com was over 70K then...)
Happy New Year,
by Andrej (theking@ludens.elte.hu)

------------------------------

Date: Mon, 02 Jan 95 20:55:22 -0500
From: taylord@tartarus.uwa.edu.au (David Taylor)
Subject: HELP: My pc has gone braindead.. (PC)

Hi all,

I am very worried. I think my PC has a rather bad little virus. It has been getting slower and slower, and last night I did a system info test (Norton SI) and the reported CPU speed was down to 15.6 from a usual 65+.

Anyone having any idea about what may be causing this please email me.

Thanks for any help.

David Taylor

------------------------------

Date: Tue, 03 Jan 95 00:58:13 -0500
From: carlson@PrimeNet.Com (Don Carlson)
Subject: Gen b Stealth Virus (PC)

This is a type of boot sector virus that encrypts data from the boot sector and hides it away. It messes with interrupt 13, taking control of the dialog between the hard disk and the floppy disk. The virus doesn't destroy a lot of files (at least I hope), but it doesn't allow you to run Windoze (bad, if you keep databases in there).

I detected the virus using VShield from McAfee, a memory-resident program that is always looking for signs of viral activity. Unfortunately, I haven't found any utilities that will successfully kill this virus (clean 117 from McAfee won't do it and their BBS is always busy lately).

Does anyone know of a utility already written to kill this bugger? I would appreciate any help that you might be able to give me.

Thanks.
Don
carlson@primenet.com

------------------------------

Date: Tue, 03 Jan 95 09:01:20 -0500
From: etxron@etxb.eua.ericsson.se (Rolf Nordlander)
Subject: Characters disappear on printouts !! (PC)

I wonder if anyone can give me a clue about what is wrong! Is it a known virus or is it just a bug somewhere?

I have an OKI ML 182 9-pin matrix printer and when I print out a document from a Windows application that uses GRAPHICS MODE (i.e. not the printer char set) then some characters just disappear!
Following printouts look the same, same chars not there, each just replaced with a space, e.g. NetScape -> Net cape. I've also faxed the formatted document using Delrina with a similar result. Unfortunately the Excel document turned out to be too wide for the faxed version so it resulted in two pages. But still, some (other) of the characters disappeared here too.

I've used different applications so it doesn't seem to be an application bug nor a driver bug, as the example above uses two different drivers. One guess is that there is a DOS bug (using DOS 6.0) nested in the driver's calls to extract the character's graphics, another guess that there is a virus messing things up for me.

I'm using:
DOS 6.0
Windows 3.1
BIOS Award (forgot the version) stored in shadow RAM.
...

Thanx for any help
Rolf Nordlander
etxron@etxu.eua.ericsson.se

------------------------------

Date: Tue, 03 Jan 95 10:37:37 -0500
From: "Meswani, Prashant [MIS]"
Subject: Form.a on Doublespaced Drives. (PC)

We at Leeds Metropolitan University have been hit by the Form.a virus. This problem is easily resolved on non-double-spaced machines, but not on machines with this software. At the moment, all we can do is format the hard drive and redo the machine from scratch. This is causing time-wasting and we urgently seek an easier way of solving this problem.

Can you help please?

------------------------------

Date: Tue, 03 Jan 95 13:43:45 -0500
From: "Christopher K. Drysdale"
Subject: FProt (PC)

Could someone out there in netland please point me in the right direction for FProt information, especially updating and licensing for companies?

Thanks in advance.
Chris.

------------------------------

Date: Tue, 03 Jan 95 14:11:22 -0500
From: corporon@wizard.cse.nd.edu (phillip corporon)
Subject: Monkey on "Stacked" Hard Drive (PC)

I've come across a computer with the Monkey virus, it also has Stacker installed on it.
When I start the process to eradicate the virus by booting from a floppy, I can no longer "see" the drives since the drivers are invoked via the config.sys file. I've tried duplicating the config.sys file, and appropriate binaries, on the boot floppy without any luck. How does one remove the Monkey virus from a "Stacked" drive? Thanks...Phil. - -- corporon@nd.edu

------------------------------

Date: Tue, 03 Jan 95 17:40:16 -0500
From: barbay@dmso.dmso.dtic.dla.mil (Christopher Barbay)
Subject: Re: memory scanning (PC)

Frans Veldman (Veldman@esass.iaf.nl) wrote:
: The same applies to memory scanning. For some reason you consider memory
: scanning as a necessary component of an anti-virus product. We have tried
: and failed to explain to you that locating viruses in memory is not and has
: never been the goal of anti-virus products, but an aid to achieve the
: real goal of anti-virus products: detecting viruses on disks.
: If a product is capable of reaching that goal by using different methods,
: then it should not get a penalty for not using a specific aid.

I would suggest that your identification of the true goal of anti-virus products as detecting viruses on disks is incorrect. It may be true of Thunderbyte, just not true of the field in general. I would suggest the true goal of most anti-virus products is to detect viruses on a system, which supports the following goal of removing them. If I can't detect all of the viruses on my system, whether they be in memory, on a hard disk or on a floppy, the product has not, in my opinion, lived up to its goal. I say this, because if you miss detecting any of the three forms, my system can become reinfected (or was never really cleaned.)
I admit, if your product can detect disk based viruses and remove them without any memory resident virus affecting the results, and then locks the system so that I must perform a cold boot, thereby removing any memory resident viruses, then your product would have faithfully lived up to the more general goal of anti-virus products. This opinion is not to be construed as a positive or negative comment on any individual anti-virus product, but rather a comment on what an end user of anti-virus products is looking for. - -- Chris Barbay barbay@dmso.dtic.dla.mil

------------------------------

Date: Tue, 03 Jan 95 23:17:07 -0500
From: Alan_Bailward@mindlink.bc.ca (Alan Bailward)
Subject: Password for HD partitions (PC)

Hi, I hope this is the right group to post this in, if not - please email me and tell me where would be better. Due to some changes where I work, I am sharing my computer (486-25,4MG) with two other people. We have partitioned the 100MG HD into 4 sections: 1 for general files everyone uses (DOS, windows, utilities etc), and we each have a 25MG partition to ourselves. We are doing this because we each have different programs we want to use, but mostly because we each want our fair share. One of my computer-mates was talking about putting WordPerfect for windows on (not on my HD space pal!! :) Anyway, in the simple quest for security (or privacy), I am looking for a program to password protect a hard drive partition. The only thing I have actually done so far is to use DOS 6's multi-config to ensure no-one steals anyone else's precious memory :) If anyone can help me I would greatly appreciate it. Please respond to me directly at Alan_Bailward@mindlink.bc.ca Thanks in Advance alan - -- **************************************************************************** | Alan Bailward | "Just call me `Big Wall Alan'."
| | Alan_Bailward@Mindlink.bc.ca | -Alan Lester of Boulder, seconds | | Alan.Bailward@f288.n153.z1.fidonet.org| before dropping the lid of his and| |---------------------------------------| Fred Knapp's only water bottle | |

------------------------------

Date: Tue, 03 Jan 95 23:20:49 -0500
From: lmikles@aol.com (LMikles)
Subject: Desktop keeps changing, virus?? (PC)

The bmp of my desktop keeps changing while I am running windows. The machine also locks up sometimes for no reason. I am new to this virus stuff, but am concerned. I ran the virus program that came with dos 6.0, but I imagine that is a low budget program. Could someone help?? Please email me at LMikles@AOL.com Thanks

------------------------------

Date: Wed, 04 Jan 95 02:59:48 -0500
From: ziadeh@symantec.com (Ziadeh)
Subject: Re: One Half Virus (PC)

>Does anyone know how to get rid of the `One Half' virus?
>Any help and/or information would be greatly appreciated.
>- ----------------------------------------------------------------------
>Rick Mallett

This virus is very dangerous. It utilizes Stealth Techniques and is highly polymorphic. Not only does it infect files and the MBR, it systematically encrypts the Active partition starting at the end and moving back towards the beginning. It stores the encryption key as well as the last cylinder encrypted in its body. This information can be used to recover the hard disk and eradicate the virus by writing a program that decrypts the sectors and writes them back (provided that you have the time and patience.) If not, your best bet is to look for an antivirus package that'll do it for you. NAV is able to decrypt and restore the hard disk including the MBR; however, due to the complexity of the virus, infected files are not repairable and should simply be deleted upon detection. Let me know if you need further assistance.
Good Luck, - -Sami sziadeh@symantec.com

------------------------------

Date: Wed, 04 Jan 95 10:42:14 -0500
From: Zvi Netiv
Subject: Re: THANKS for your response (PC)

Hello Larry,

On Wed, 4 Jan 1995, Larry A. Lauenger wrote:
> I downloaded InVircible and ran IVSCAN. It appeared to scan all the
> files and completed without announcing the presence of a virus.
> I don't know if I ran it correctly as there was NO SUMMARY at its conclusion;
> other virus s/w display a summary at completion.

InVircible is NOT a scanner product. If all you need it for is for scanning, then there are plenty of those on the market. They will keep you busy updating them till the end of computing life. :-)

> I ran the ivscan on all my drives and partitions and no virus was found.

That's nice but this isn't how IV was conceived to be used. If you are after peace of mind and effective AV protection then install IV as instructed, make its rescue diskette as instructed, and forget about viruses. If there is anything worth knowing, IV will tell you in time.

> I also experimented with "DIR/W" and "DIR/W|MORE". The use of MORE with
> the pipe causes the problem.
>
> YOU WERE RIGHT.
>
> I'll ignore those bogus filenames and "breathe easier". Thanks !
>
> Perhaps if I upgrade to DOS 6.xx from DOS 5.0 this problem will go away ?

I am glad I could reassure you, as too many people are chasing ghosts where they aren't. :-) Changing to DOS 6 won't change anything, piping works the same way in both. If you ask my advice, stay with DOS 5, much more stable and controllable. :-)

> By the way, does the name InVircible have a meaning?
> I checked my dictionary, but found nothing. I can see the "In" and "Vir"
> which mean NO and VIRUS, but is there more to it?

And it also implies invincible, unvirusable ... The idea in selecting InVircible was that a meaningless word is copyrightable and acceptable as a trade name.
:-) Happy new year, Zvi Netiv, InVircible

------------------------------

Date: Wed, 04 Jan 95 10:45:57 -0500
From: hermanni@datafellows.fi (Mikko Hypponen)
Subject: Re: Win 96 AV? (PC)

Gary Popp (poppg@columbia.dsu.edu) wrote:
> I heard a little about F-Protect Professional for Windows, does
> it include a TSR?

So far, F-PROT Professional has been using the DOS-based VIRSTOP TSR to provide background protection under Windows. However, we are just about to announce a new addition to the F-PROT Professional product family, which will provide improved detection and direct Windows support. This product is codenamed F-PROT Gatekeeper, and it uses the same secure scanning engine F-PROT itself uses.

> Will this package work with Win 95?

Yes, it will.

- -- Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi 'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date: Wed, 04 Jan 95 12:01:08 -0500
From: Rick DiBlasi
Subject: Re: How to get with CPAV (PC)

On 4 Jan 1995, Jonathan Abramson wrote:
> I need a way through the I-net to download updates from Central Point.
> Can anyone help me. Thanks in advance

ftp.symantec.com/public/dos/cpav or .../windows/cpav

Later--Rick

------------------------------

Date: Wed, 04 Jan 95 12:07:44 -0500
From: rchase@emelnitz.ucla.edu (Ron Chase)
Subject: Help! Uruguvau virus (PC)

I found the "URUGUVAU" virus in my roommate's computer. McAfee version 1.17 found it, but can't clean it. ANY help would be appreciated! E-mail replies are welcome. Thanks! Ron. . .

------------------------------

Date: Wed, 04 Jan 95 13:14:14 -0500
From: rgrover@PrimeNet.Com (Robert Grover)
Subject: Help: Win 3.1 Icons all changed to highway icon (PC)

Anyone out there experience a virus that changed all Win 3.1 icons to an icon of pavement with a white dotted line? Am also experiencing a tremendous slow down in my system capability.
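The One Half reply from Sami above (the post headed "Re: One Half Virus (PC)") describes a recovery path worth seeing in working code: the virus keeps the encryption key and the last cylinder it has encrypted inside its own body, so a cleanup tool can read those two values, decrypt the range, and only then remove the virus. The following is an added example, not code from the post, from NAV, or from the virus itself. It is a toy model: the disk is a list of equal-size "cylinders", the virus body is a dict stored in a stand-in MBR, and the cipher is a single-byte XOR. All sizes, keys and names are constructed for illustration; only the bookkeeping mirrors what the post describes. It also shows why a naive MBR wipe is the wrong first step: it deletes the key and progress counter along with the virus, leaving the encrypted cylinders unrecoverable.

```python
"""Toy model of the One_Half-style recovery described in the digest.

Added example, not code from the VIRUS-L post, NAV, or the virus itself.
Assumptions (all constructed): a disk is a list of equal-size "cylinders",
the virus body is a dict stored in the MBR, and the cipher is a single-byte
XOR. Only the bookkeeping matters: the key and the progress counter live in
the virus body, so wiping the MBR before decrypting destroys them.
"""
from __future__ import annotations

from dataclasses import dataclass, field

CYLINDER_SIZE = 16          # bytes per toy cylinder (constructed size)
BODY_KEY = "one_half"       # where the toy virus keeps its body inside the MBR


@dataclass
class ToyDisk:
    cylinders: list[bytearray]
    mbr: dict = field(default_factory=dict)   # stand-in for the real MBR


def make_disk(n_cyl: int, seed: int = 7) -> ToyDisk:
    """Deterministic plaintext so results can be checked after recovery."""
    return ToyDisk(
        [bytearray((i * 31 + j * seed) & 0xFF for j in range(CYLINDER_SIZE))
         for i in range(n_cyl)]
    )


def xor_cylinder(data: bytearray, key: int) -> bytearray:
    # XOR is its own inverse, so the same call encrypts and decrypts.
    return bytearray(b ^ key for b in data)


def infect_and_run(disk: ToyDisk, key: int, boots: int) -> int:
    """Install the toy virus (if absent) and simulate `boots` boot cycles.

    Each boot encrypts one more cylinder, working from the end of the
    partition toward the beginning, and records progress in the body.
    Returns the index of the lowest cylinder encrypted so far.
    """
    body = disk.mbr.setdefault(
        BODY_KEY, {"key": key, "last_cyl": len(disk.cylinders)})
    for _ in range(boots):
        if body["last_cyl"] == 0:
            break                       # whole partition already encrypted
        body["last_cyl"] -= 1
        c = body["last_cyl"]
        disk.cylinders[c] = xor_cylinder(disk.cylinders[c], body["key"])
    return body["last_cyl"]


def naive_clean(disk: ToyDisk) -> None:
    """What an FDISK /MBR-style cleanup does here: the MBR, and the virus
    body in it, is overwritten; the already-encrypted cylinders stay as is."""
    disk.mbr.pop(BODY_KEY, None)


def recover(disk: ToyDisk) -> int:
    """The recovery path from the post: read key and progress from the
    virus body, decrypt the encrypted range, then remove the virus.
    Returns the number of cylinders decrypted."""
    body = disk.mbr.get(BODY_KEY)
    if body is None:
        raise ValueError("virus body missing: key and progress counter are gone")
    start = body["last_cyl"]
    for c in range(start, len(disk.cylinders)):
        disk.cylinders[c] = xor_cylinder(disk.cylinders[c], body["key"])
    del disk.mbr[BODY_KEY]
    return len(disk.cylinders) - start


if __name__ == "__main__":
    disk = make_disk(8)
    original = [bytes(c) for c in disk.cylinders]
    print("lowest encrypted cylinder:", infect_and_run(disk, 0x5A, 3))
    print("cylinders decrypted:", recover(disk))
    print("plaintext restored:", [bytes(c) for c in disk.cylinders] == original)
```

The order of operations is the whole point: `recover` must run while the body is still in the MBR, because the body is the only copy of the key and of how far the encryption got. Running `naive_clean` first makes `recover` fail, which is the toy equivalent of the data loss a plain MBR rewrite would cause on a real One Half infection.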
------------------------------

Date: Wed, 04 Jan 95 13:50:43 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Possible Virus Problem (PC)

Asad Chaudhry wrote:
>Hello,
>
> My computer doesn't boot properly. I get a missing interpreter
>error. But when I type in command.com at the prompt it boots fine. Then
>I type in autoexec and everything is O.K.
>
>Did some virus do this? If so, how do I get my computer to boot normally?
>(I scanned with MSAV and found nothing)

Do you have a line in your autoexec.bat (or a file called from there) which says, "comspec=xxx" and xxx does not exist? What about a line in your config.sys which reads, "shell=xxx" where xxx does not exist?

- -- - --> Kevin Marcus, Computer Science Dept., University of California, Riverside Email: datadec@cs.ucr.edu. * * * T H I E V E S S U C K * * * * * * T H I E V E S S U C K * * *

------------------------------

Date: Wed, 04 Jan 95 13:35:09 -0500
From: LakeH@ix.netcom.com (Lake Hennig)
Subject: Anti CMOS type B (PC)

Using McAfee's antivirus 2.14 (Beta), I was able to identify a virus called Anti-CMOS type B on the boot record of a diskette (3.5"). I did not find it on my hard drive, but I think it must have been at some point. (I just re-installed DOS 6.22 from scratch - not an upgrade-- and believe that may have eliminated the virus from my hard drive.) I had been experiencing problems with the hard drive when I powered on -- also with the video card. I don't know if this was related to a virus or just equipment failure. Does anyone know what Anti-CMOS Type B actually does? (The name alone is scary.) And how do you clean it from a floppy? (The McAfee software 2.14 can't yet). I've tried sys A: but that doesn't do it. Any information would be appreciated. Thanks Lake Hennig -- Treasury - FMS DBA Hyattsville, Maryland

------------------------------

Date: Wed, 04 Jan 95 13:37:25 -0500
From: kenney@netcom.com (Kevin Kenney)
Subject: List of UnRemovable viruses?
(PC)

I'm looking for a (hopefully short) list of viruses or virus families that due to bad writing, destructive tendencies, or whatever, can never be adequately removed from a system. I'm not just talking about newer encryptors: a way will be found around them shortly. I'm talking about viruses that can NEVER be successfully cleaned, and that the only Rx for is 'delete the files' vs. 'get/wait for a newer scanner'. If a virus merely leaves innocuous tidbits after being 'cleaned', it probably shouldn't be on the list. Thanks in advance, ========================= KILL THE PARANOIDS Have fun! A Public Service Message, making paranoids happier, All standard disclaimers: apply! by letting them know that they are right. :o -> :> kenney@netcom.com

------------------------------

Date: Wed, 04 Jan 95 14:52:07 -0500
From: LARRY BROWN <72712.706@compuserve.com>
Subject: Keypress removal (PC)

RocketRex@AOL.COM wrote stating that McAfee wouldn't clean up the Keypress virus - I've been able to remove it with F-Prot. Larry Brown

------------------------------

Date: Wed, 04 Jan 95 17:49:17 -0500
From: Garrett Mead
Subject: Novell Lab protection.... (PC)

I realize that this question has probably been asked numerous times, however I have scanned the FAQ and didn't see any mention of it. I have also tried querying the database of past mail. Please forgive me if I have missed a step and I am wasting your time. I am interested in providing the best overall virus protection for my Netware 3.11 100 user Novell network. Last semester I had a really bad run-in with viruses (and for those of you running campus labs, finals week is bad enough WITHOUT the added problems of viruses :) ) I would be interested in hearing from those of you who are running networks about your system of protection. I would like to hear both about share-ware setups and commercial, as I am prepared to spend the money on commercial if necessary.
I am particularly interested in a process that a Macintosh program (I think it is Gatekeeper or something thereof) uses. I believe that this program does a scan anytime a new floppy is placed in a drive. Is there an IBM equivalent? I would like to hear from those of you protecting your labs in the following areas.

1) how do you protect your individual workstations? Which products do you recommend. Which should I stay away from?
2) If you run any other protection other than what is inherent in Novell, what products do you use? Which should I not use?

If you can, please include any information you have on the products that you recommend (ie ftp sites or addresses and telephone numbers) Thank you for your time. Once again I am sorry if I am asking a question that gets asked too frequently, but I have tried to find the information on my own before consulting you. ________________________________ ________| Garrett Mead |________ \ | University of Nevada, Reno | / \ | gmead@scs.unr.edu | / / |________________________________| \ /__________) (__________\

------------------------------

Date: Wed, 04 Jan 95 20:46:52 -0500
From: T.E.Thacker.Junior@lesueloc.com
Subject: Re: DOOM game messages (PC)

writes:
> The problem with DOOM on a netware system, is that DOOM does not use the
> server to transmit the info. The DOOM games sends packets peer to peer,
> doesn't even have to go through the server (thus you can't play netDOOM
> across a router). You would almost have to put a TSR on every machine
> to do this type of checking and filtering.
>
> I am still fairly new to networking, but this is a problem that we have
> dealt with in our lab here, so I've done some looking into the problem
> and would be interested in any other suggestions that people may have.

I remember someone coming up with an AntiDoom program that recognizes and kills Doom packets. I don't remember where I saw it. It was a couple months ago.
Doom 2 is a little better behaved in that it no longer sends out broadcast packets but rather handshakes with the other Doom 2's on the network, then sends targeted packets. A side effect of this is that you can actually set up independent death matches on different machine groups on the same network.

------------------------------

Date: 05 Jan 95 02:35:01 +0000
From: geoff@wcc.oz.au (Geoff Field)
Subject: Junkie virus (PC)

Here's a little story for you in which I became involved over the Christmas break. I went to stay at my brother-in-law's house for Christmas. He's a computer science teacher at a local (country) TAFE (Technical And Further Education) school. Over the preceding two weeks, his IBM-compatible PC had been getting slower and slower. As he was running Stacker and Microsoft Antivirus (MSAV), he naturally assumed it was a Stacker problem. I looked at his system and the files that MSAV eventually reported as being changed and concluded that he had a boot sector virus. Note that MSAV merely reported files as being changed without actually saying that it had found a virus. Prior to my arrival, however, he had borrowed a friend's computer and backed up his entire hard drive onto the other computer so that he could reformat his hard drive. When he finally obtained a recent version of McAfee's virus software, he discovered that his computer and his friend's computer were infected with the junkie virus. Not only that, but several other people for whom he had done consulting work in the meantime also had infected computers. Unfortunately, neither of us were quite familiar enough with the guts of the PC (I do most of my work on Unix boxes now, and didn't have my reference manuals with me) to use DEBUG or whatever to remove the boot-sector portion of the virus without doing a low-level format, so a *lot* of computers around his area have required reformatting. Painful.
He and my sister (his wife) decided that he had probably been infected by a disc he had brought home from TAFE, which means that all of the computers at the school will need to be checked as well. The moral of my little tale of woe? If you don't know where your diskettes have been make sure you check them with an *up-to-date* virus scanner. MSAV is really only a stop-gap measure unless it's *today's* version. It's probably worth scanning your diskettes before inflicting them on other people, too. A second issue: If you know the author of this "junkie" virus, give him an overdose of something nasty for me, will you? Geoff.

- -- Geoff Field (R&D Dept) Email: geoff@wcc.oz.au Webster Computer Corporation, Phone: +61 3 564-7611 Fax: +61 3 564-7491 4 Kingston Town Close, Oakleigh Victoria, Australia, 3168. A.C.N 004 818 455

------------------------------

Date: Wed, 04 Jan 95 23:09:08 -0500
From: stauffer@casbah.acns.nwu.edu (Christopher Stauffer)
Subject: Dos Master Boot Sector Virus from H#ll! (PC)

I've got a recurring virus. I first cleaned it off with f-prot. An admittedly old version that just wrote over it. Now it is back. Will a newer version of F-Prot do the trick or will it take more. Please e-mail responses to: stauff@nwu.edu

------------------------------

Date: 04 Jan 95 23:32:49 -0500
From: eldebrosse@miavx3.mid.muohio.edu (Eric DeBrosse)
Subject: Re: JUNKIE1 (PC)

sdhowell@aol.com (SDHowell) writes:
> Looking for any information on a virus reported as JUNKIE1

We have had the junkie virus on our campus and I simply boot to a clean disk with f-prot. This seems to take care of it. I think it is a fairly new virus. The first time the computer is re-booted after the virus is in memory, the boot blocks are infected. From then on, any .com files that are executed are infected. I tried an experiment on an infected machine. If you insert a clean disk and do a dir, it will become infected. f-prot comes with documentation that explains most of the viruses it detects.
f-prot can be found by ftp at oak.oakland.edu /pub/msdos/virus (fp-215.zip) I hope this is correct, I'm not real sure of the directory that it is in.

------------------------------

Date: Fri, 20 Jan 95 05:40:14 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.16 released (PC)

Version 2.16 of F-PROT (shareware) has now (Jan 20th) been released, and should be available on major FTP sites by the time you read this.

From the VIRLIST.LIS file:

Detection: This version of F-PROT identifies 4959 different viruses and also detects viruses belonging to 177 other families, giving a total of 5136.

Disinfection: F-PROT can disinfect 3903 (76.0%) of those viruses, but another 470 (9.2%) cannot be removed at all, as they overwrite or destroy the victim. This leaves 763 (14.9%) viruses that this version cannot disinfect, but that number will hopefully be reduced in the future.

Identification: This version identifies 2121 (41.3%) viruses exactly, meaning that it should detect even single-bit changes in the virus code. It does not attempt to identify viruses belonging to 177 (3.4%) families, but should be able to identify the remaining 2838 (55.3%) viruses with sufficient accuracy to avoid corrupting them when disinfecting, because of a mis-identification.

From the NEW.216 file:

There are no major programming changes in this version, but please note that the phone and fax numbers of Frisk Software International have changed. The old numbers will still work for a few months, though.

New phone number: +354-5617273
Fax: +354-5617274

Also note that in ORDER-2.DOC several new distributors of the F-PROT Professional package have been added - in Argentina, Australia, Canada, Chile, Mexico and New Zealand. Finally, note that we have changed some E-mail addresses.
The addresses that should be used from now on are:

support@complex.is for technical support and samples of new viruses
sales@complex.is for orders and related subjects
frisk@complex.is for private E-mail to Fridrik Skulason

We now include PGP signature files for the most critical files in the package. A separate PGP signature for the file FP-216.ZIP will be made available as well.

Version 2.16 - the following problems were found and corrected:

All .COM files infected with the following viruses were incorrectly reported as "Generation 1": Jerusalem.Pipi.1536, KMIT
The Bengal virus was only found in .COM files, not EXE.
Version 2.15 missed a very small number of One_Half.3544 and Neuroquila-infected files. It should now detect the viruses 100%.
The 2.15 version of virstop would conflict with a program named PC-CONFIG.

Version 2.16 - the following false alarms were fixed:

NUAGE!.COM reported as "Possibly a new variant of Reklama"
SPEED.COM reported (by VIRSTOP) to be Phalcon-infected.
Diskettes with RINGFENCE or DISKLOCK (security products) in the boot sector used to be flagged by VIRSTOP as virus-infected.

Version 2.16 - minor improvements and changes:

Reporting of boot sector viruses has been changed slightly. F-PROT now reports "xxxx (?)" instead of "xxxx - unknown" when it only detects the virus, but has no identification information.

Version 2.16 - new viruses:

The following 10 viruses are now identified, but can not be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..."

Abraxas.1518 Burger (542 and 560.AV) Cavaco (Virus damages .EXE files but .COM files can be repaired) Dev_X Maaike.164.B Milan.Demon.270 Leprosy (Skism.808.D and Skism.1992.C) VCL.423.Mindless.B

The following 220 new viruses can now be detected and removed. Many of these viruses were detected by earlier versions, but are now identified accurately.
_132.127 _307.329 _468 _500 _500_2 _656 _872 _1395 _1536.B _2828 Acid.674 Arusiek (691 and 692) Australian_Parasite (Middle.491, Middle.1041 and Middle.1169) Baba.356 Barrotes.1194 Beer (2473, 2620 and 3307) BigX.610 Bobo.427 Bootexe (394 and 443) BW (525, 556 and 756) Caca Carzy.B Cascade (1701.Y, 1701.Z, 1701.Yap.C, 1701.AA, 1701.AB and 1704.Z) Chaos (1181.J and 1181.K) CLME.1528 Clonewar (923.B, 923.C, 923.E, 923.F, 923.G and 923.H) Collor Danish_Tiny.163.C Dark_Avenger.1800.M Datalock.920.L Denied.B Enterprise Error_Inc (260 and 393) Fax_Free (1024.Mosquito.B, 1024.Mosquito.C and 1536.Topo.B) FFFF (432 and 440) Fin Flash.688.D Freak.604 Galeo GameF (1053 and 1065) Geliyor Heja HLL (Vova.8896 and Vova.9904) HLLC (4768.A, 4867.B, Captain and W_A) HS.982 Hymn.Sverdlov.C Ieronim (1020, 1024 and 1082) IMI.2304 Infector (469 and 875) Int_FF Intruder.1355 Ironfist Istanbul (1312 and 1349) IVP.Angry_Samoans.B Jerusalem (1808.Dashes, 1808.Exciter.A, 1808.Exciter.B, 1808.Exciter.C, 1808.Exciter.D, 1808.Frere.J, 1808.sumsdos.AP, 1808.sumsdos.AQ, 1808.New and Tarapa.D) Junkie.B KA Kela (2002, 2010 and 2099) Keykap (923, 1074 and 1077) Keypress Killerwhale.750 Kiwi (1000.A, 1000.B and 1000.C) Kode4.281 Lemming.2144 Leningrad_II (1499 and 2000.B) Little_Red.B Lockjaw.499 Loook Lurid Mag (239, 254.A and 254.B) Marzia.O MMIR (411 and 423) Mne.1173 Moonlite.366 Msu November_17th.522 Nygus.278 Peasant Phx (1289 and 1295) Pixel (124, 200, 852.B, 1577 and 1686) Pose (1155 and 1164) PS-MPC (338.D, 520, 565.E, 565.F, 569.B, 565.G, 565.H, 569.E, 570.E, 570.F, 570.G, 573.J, 573.K, 578.I, 578.J, 578.K, 578.L, 578.M, 579.D, Dangler and Happy_Day) Realiz Sauron Scity (678 and 713) Semtex.1000.D SIC (325 and 456) SillyC (162, 163, 547 and 657) Smegdemo Star Sterculius.440.B Suriv_1.April_1st.F Surprise.1282 SVC (1064.B and 1064.C) Sveta Sword.B Tai_Pan.666 Teraz.4004 Timid.313 Topa.2456 Traven Troi.F TU.2500 Unc (1039, 1377 and 1410) Userlist.1178 Vacsina.Grog.1082 VCL (420, 551, 634, 
Anston and Rat) Vienna (435.C, 435.D, 435.E, 435.F, 435.G, 435.H, 435.I, 435.J, 435.K, 520, 565, 641, 680.B, 1006, Violator.821.B and Violator.821.C) Void.1886 Wildfire.2371 Wordswap.1503.B WVP.352 Yankee_Doodle (2433 and 3561) Zol

The following 35 new viruses are now detected but can not yet be removed.

_257.258 4On Astra.927.B Bombtrack.B Cantanto Crepate.1944 Estonia Eternity (565 and 600) Grog.2825 Hello.547 Keykap.685 Moonlite.417 NED (Itshard and Tester) Nigh No_Smoking NRLG.826 Nympho.666 Pollution (381, 378, 390 and 565) Predator.1055 Problem.845 Radyum.509 Rider SIC (651 and 736) SmartC Talon.1894 Twisted (292 and 298) VCL.Renegade.5738 Xuxa

The following 14 viruses which were detected by earlier versions can now be removed.

Acvt Beer (2794, 2850, 2984, 3164, 3192 and 3490) ... previously only .COM files could be disinfected, but now disinfection of .EXE files has been added as well. Creator Fairz June_12th Screaming_Fist.II.652 Spinner Topa.2520 WXYC (A and B)

The following viruses have been renamed:

JH -> Error_vir
Rythem.* -> Leprosy.Skism.*

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 4]
****************************************
From: VIRUS-L Moderator
Subject: VIRUS-L Digest V8 #5
Date: Wed, 1 Feb 1995 07:13:31 EST

VIRUS-L Digest Wednesday, 1 Feb 1995 Volume 8 : Issue 5

Today's Topics:

Re: Advice needed: Best way to protect heterogeneous LAN ?
'69' Virus & McAfee 2.1.3 (PC)
Re: Need help selecting virus softwares (PC)
Re: Floppy format and NYB???? (PC)
Who knows the intercheck virus scanner (PC)
Re: Unfavourable InVircible Review (PC)
PARADISE.VRS?!? (PC)
Re: About memory scanning (PC)
re: how do viruses do it?? (PC)
Re: Infect with Die Hard 2 ???? (PC)
Re: Descript.ion Virus (PC)
Re: Keyboard problem (PC)
Re: NYB (PC)
How to protect the best a file server from viruses? (PC)
About memory scanning (PC)
surviving warm boot (PC)
Re: F-Prot Professional versus F-Prot Shareware (PC)
Re: how do viruses do it?? (PC)
Re: WIN.COM modification (PC)
Re: GenB virus alert (PC)
MONKEY Virus? (PC)
Re: Virus Help Requested (PC)
Re: CARO Naming List (PC)
Re: Kampana.C and Perv (PC)
Deploying viruses (PC)
Hidden code (PC)
Monkey Virus on a "Stacked" Hard Drive (PC)
Re: New Bug (PC)
Best Virus Protection App for PC? (PC)
Re: FORM virus on Doublespaced Drives (PC)
Re: What are the effects of FDISK/MBR (PC)
Re: NYB (PC)
Re: F-PROT (PC)
FORM_A sighting (PC)
boot-437 virus (PC)
Tequila Virus (PC)
Re: About memory scanning (PC)
Re: False alarm of FP 2.15 on IBM-DOS boot sector (PC)
Re: Form.A??? (PC)
Re: Junkie virus (PC)
Re: What are the effects of FDISK/MBR (PC)
Re: Fdisk/mbr will remove (almost) all MBI (PC)
Re: About memory scanning (PC)
Re: McAfee 2.1.4 Crashes - help (PC)
Re: CorelDraw 4.0 virus? (PC)
Re: DOS dir listing bug, or Trojan? (PC)
----------------------------------------------------------------------

Date: Thu, 05 Jan 95 23:29:26 -0500
From: hgibbons@hoshi.Colorado.EDU (Hugh Gibbons)
Subject: Re: Advice needed: Best way to protect heterogeneous LAN ?

giddb01@nt.com wrote:
> I was wondering if anyone can reccomend a good book that deals with
> virus' from a business point of view. Specifically I want to convince
> the I.S. dept. where I work that more protection for the company is required.
> I want them to continuously update our anti-virus software and also give
> copies to employees with home machines. However our I.S. manager is not
> totally taken with the idea and as I don't work for him I need some kind
> authority to quote or reference. Our network is mid-scale ( about 200 PC's
> & 200 Macs & the usual mainframes, servers & UNIX boxes. )

I definitely think a proactive approach is advisable, especially with as many PC's and Macs that you have. Your risk of infection is high, so you should have anti-virus software loaded on all the machines you can. I don't know how the company will feel about your taking copies home, but that would slightly reduce the company's risk.
------------------------------

Date: Thu, 05 Jan 95 05:29:32 -0500
From: johnnyl@ncb.gov.sg (Johnny Lee Tiong Chye)
Subject: '69' Virus & McAfee 2.1.3 (PC)

Recently, after we started using McAfee 2.1.3, we discovered that some of our PCs were infected with the 69 boot sector virus. This virus shows an unstable state as it appears and disappears on and off a PC and diskette. Our earlier version of McAfee 2.1.1 is unable to detect it. McAfee 2.1.3 is able to detect the virus but not clean it. For infected hard disks, we use FDISK/MBR to remove the virus. For infected diskettes, we backed up the files and reformatted the diskettes. Would really appreciate it if anyone can throw some light on the following queries:

1. Is 69 virus a genuine boot sector virus ?
2. If so, where does it originate from and what harmful effects (if any) can it cause ?
3. What is a safe and easy method of removing the virus ?
4. Does McAfee have a disinfector for the virus ?
5. Any other info on the virus ?

Thanks very much !

------------------------------

Date: Thu, 05 Jan 95 04:14:23 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Need help selecting virus softwares (PC)

73504.2304@CompuServe.COM (Quoc Truong) writes:
>I like to purchase an anti-virus program for my company, but I
>don't have any idea which anti-virus program is currently the
>best one.

There is no single "best" product, for the simple reason that there are several different issues to consider:

1) Mode of operation: Scanners, behaviour-blockers, NLMs, integrity checker
2) Detection rate
3) False positive rate
4) User-friendliness
5) Support

The best programs for a BBS Sysop are quite probably not the same as the best programs for somebody who wants to protect a LAN with 5000 users. You have to specify your needs to get any useful replies.

- -frisk

------------------------------

Date: Thu, 05 Jan 95 07:15:33 -0500
From: Hubert Schmitz - BSI
Subject: Re: Floppy format and NYB???? (PC)

William K.
Horne said:

> Had a problem - couldn't finish a format of a floppy disk. Got all the way
> through to 100%, then got abort,retry,fail. Changed card, cable, and drive.
> No effect. Ran scan 213, found NYB (no indication of genb or genp). Did
> fdisk /mbr on c:. NYB gone, floppies format OK.

If you format a floppy disk you will get a display count from 1% to 100%.
In this time DOS formats the floppy sectors. The operating system writes
the standard format byte 'F6h' to each sector. This means that the boot
sector, FATs and root directory are also written with 'F6'. To do this DOS
uses the BIOS Int 13 format function. After that the DOS boot sector, FATs
and root directory will be initialized. This initialization is done with a
BIOS Int 13 write function.

B1 controls Int 13 read and write functions to infect floppy disks. The
first attempt to write the DOS boot sector causes an infection of the
floppy disk. This virus activity takes place before the boot sector is
written to the disk, so the BIOS Parameter Block (BPB) is not yet written.
During infection B1 copies the original BPB from the boot sector and
calculates from its contents the parameters of a location to save the
original boot sector. But the contents of the copied BPB are 'F6h'. So this
caused the error.

> What is NYB? What else does it do?

The payload of the B1 virus is to move the read/write heads of the current
drive from the first track to a maximum track and back (continuously). This
maximum track is not calculated. It tries to move the heads to a maximum
track related to hard disks. On floppy disk drives this causes a step past
the maximum floppy track (track 79). This can destroy the floppy disk
drive. The trigger is related to a BIOS timer whose value must reach 0.
Hubert Schmitz
BSI (GISA, German Information Security Agency)
hsm@bsi.de

------------------------------

Date: Thu, 05 Jan 95 00:55:57 -0500
From: petra@dis.nl (Petra Otten)
Subject: Who knows the Intercheck virus scanner (PC)

One of our customers is considering buying the Intercheck virus scanner
(version 2.6) by Crypsys. Who knows this virus scanner and wants to tell
us about his/her experiences with it? Suggestions and experiences with
other virus scanners are also welcome.

Thanks in advance,
Petra Otten

- --
petra@dis.nl

------------------------------

Date: Thu, 05 Jan 95 04:08:55 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Unfavourable InVircible Review (PC)

91406723@brt.deakin.edu.au writes:

>I have just finished reading a product review of the InVircible v5.07A
>anti-virus software product in the December '94 issue of the Virus Bulletin.
>Can anyone out there defend this review as it raised serious issues with the
>product. The conclusion drawn was to avoid it.

I am the technical editor of the Virus Bulletin. However, I do not have
much to do with product reviews.

The review looked at the product when used on a computer with existing
virus infections. Such a test is suitable for a virus scanner and a
virus-specific removal program. In that test, InVircible performed
extremely badly. The review also accurately pointed out that the claims of
being the "fastest, safest and most efficient product" are false.

However, the strong side of InVircible is presumably the integrity checker,
and to test that part the product must be installed first, and the machine
then infected "normally". This was not tested.....but keep in mind that
testing an integrity checker is much more work than testing a scanner.

The test is in my opinion accurate, as far as it goes. It demonstrates that
the product is of very limited use if you already have a virus.
To be fair, however, it must be noted that the product is not supposed to
be used after an infection has occurred, but instead installed on a
"clean" machine. In that situation it will presumably function better,
but as I wrote above, this was not tested.

The reason I do not have much to do with product reviews is quite simple -
I am the author of one of the products in this field. As such I have my
own private opinion of the product in question.

- -frisk

------------------------------

Date: Thu, 05 Jan 95 10:09:33 -0500
From: kief@utk.edu (Kief Morris)
Subject: PARADISE.VRS?!? (PC)

I had a user come to me with some problems which may be virus related. He
had two floppies infected by the Monkey virus at a campus computer lab, and
the disks have apparently been cleaned by the lab staff. However, he had
difficulty saving files to the disks - got an error message which was
something like "save error 0" or something of that nature, using
WordPerfect.

The user tells me there were files called PARADISE.VRS on both his floppies
and the hard drive. He had deleted them from the floppies when he brought
them to me. I ran F-PROT 2.15, without finding any infections. I ran Norton
Disk Doctor on the first floppy (the one he had been using the most
recently), and found over 400 cross-linked files, and an invalid bit (I
don't remember exactly what NDD called it). "Repairing" the disk with Disk
Doctor apparently destroyed the disk - any attempt to access it from NDD or
F-Prot resulted in a divide by zero error and locked up my system. The
second floppy only had about 4 cross-linked files, and appears OK.

I gave him F-Prot and a clean boot disk to run on his hard drive, which he
says still has the PARADISE.VRS file.

What is the likely explanation for what is going on here? Did the Monkey
virus do all that damage to his diskettes? What the heck is the
PARADISE.VRS file? I can't imagine a real virus would make such a file in
plain sight.
Perhaps it is the residue of an anti-virus program, but no such program was
run on his hard drive.

Thanks for any help,
Kief

------------------------------

Date: Thu, 05 Jan 95 10:53:12 -0500
From: "David M. Chess"
Subject: Re: About memory scanning (PC)

> I disagree. There are many reasons for _not_ "scanning memory."
> Probably the most important is that if a stealthy, piggybacking virus
...
> If the scanner doesn't possess identification
> strings for the virus it will be missed and the scan process will
> spread the virus.

I can't think of a case where scanning *memory* will cause a virus to
spread. In fact, scanners first started scanning memory to *avoid* exactly
that effect; when the first Dark Avenger virus that infected at open time
appeared, it became vital to make sure that the virus wasn't active before
starting a scan, because a normal scan (using DOS open calls) could
otherwise cause the virus to infect the entire system. I think you're
confusing a couple of different points here!

In general if a scanner does something while scanning storage media, and
that something is something that causes some viruses to spread, it's vital
to first make sure that none of those viruses is active in memory. So
either one scans media by using subtle low-level things that no known
viruses piggyback on (and that, typically, aren't as reliable as
higher-level things), or one scans memory for (or otherwise reliably checks
for the presence of) infect-on-scan viruses first.

DC

------------------------------

Date: Thu, 05 Jan 95 10:46:12 -0500
From: "David M. Chess"
Subject: re: how do viruses do it?? (PC)

> From: bdp@flowbee.interaccess.com (Brian Peterson)
> if a virus is going to wipe your disk, would it use a dos command
> to do it?? like FORMAT.COM or DELTREE.EXE or FDISK.EXE?? because if
> it does, cant you just rename those utilities so the virus cant use
> them??

Unfortunately, that's not how it works.
Except for a few basically brain-dead high-level-language viruses and
Trojans that you're unlikely to encounter in real life (unless you hang out
in very antisocial online company), real viruses do their damage by using
lower-level DOS and BIOS calls. So just renaming a few executables won't
help any.

You can install TSRs that monitor and try to prevent things that look like
destructive viral "payloads", but that's hard to do well, because (1) it's
not possible to do this perfectly, and some viruses and Trojans will be
able to do their damage anyway, and (2) it's not possible to tell in all
cases when an action is legitimate and when it's not, so you have to fall
back on asking the user ("Allow alteration of FAT table? (Y/N)"), who
probably doesn't know, either...

- - --
- David M. Chess                | Don't forget: some of us
High Integrity Computing Lab    | *like* tape hiss!
IBM Watson Research             |

------------------------------

Date: Thu, 05 Jan 95 11:42:48 -0500
From: Rozman Mohd Noh
Subject: Re: Infect with Die Hard 2 ???? (PC)

Armour Anti-virus does the cleaning pretty well and it is a Malaysian
developed product. Check it out.

------------------------------

Date: Thu, 05 Jan 95 11:38:09 -0500
From: bshumer@dorsai.dorsai.org (Dr. Whoopie Elders-Surgery)
Subject: Re: Descript.ion Virus (PC)

Kenneth Albanowski (kjahds@kjahds.com) wrote:

: The moderator is quite correct, those are file-descriptions in the format
: that 4DOS and NDOS (among others) use. Since you mention it "spreading to
: other directories," it sounds as if you have downloaded a piece of
: software that understands and will produce these description files in an
: attempt to be helpful. They are harmless, and you are welcome to delete
: them if they annoy you. As to the "Ha." bit, it could be completely
: accidental/incidental, or it could be the result of a joke by the
: programmer. In any case, it is still harmless.

Qpeg uses its own version of descript.ion files.
It can be disabled, or renamed so as not to conflict with 4DOS, in
qpeg.ini. Display does this also.

Bob/NYC

- --
Jury: A group chosen to decide who has the best lawyer.

------------------------------

Date: Thu, 05 Jan 95 11:59:41 -0500
From: garcia@bkfsu1.sedalia.sinet.slb.com (Geoframe User)
Subject: Re: Keyboard problem (PC)

dabyrd@cc.memphis.edu wrote:

: > The label on the back of the keyboard indicates that it is an "Anykey"
: > keyboard, Model 2189014-XX-XXX.

: I have never seen anyone use this macro feature on an Anykey keyboard,
: but I have seen Gateway users think they had a virus due to inadvertent macro

It can be a bit disconcerting. I actually have used the keyboard
reprogramming capability. The very first thing I did once I got the
computer was to remap those damned diagonal arrow keys to what my fingers
expect in that position.

- --
Steve Garcia
garcia@bakersfield.geoquest.slb.com

------------------------------

Date: Thu, 05 Jan 95 14:39:37 -0500
From: JEFF@CC.mcafee.com (Jeff Van Wallendael)
Subject: Re: NYB (PC)

McAfee has a beta 214 on their BBS. 214 is capable of cleaning the NYB
virus. I have seen a lot of NYB in NYC! :)

Regards,
Jeff

councill@levy.bard.edu (John Councill) writes:

>From: councill@levy.bard.edu (John Councill)
>Subject: Re: NYB (PC)
>Date: 4 Jan 1995 11:29:27 -0000

>TSE CHI ON ANDREW (s935476@acs.csc.cuhk.hk) wrote:
>: Hello all!
>: Does anyone know the virus named NYB. It's a very new virus.
>: Even the newest SCAN 2.1.3 still cannot kill that virus!
>: So, does anybody know whether there's a cleaner for that virus
>: NYB? Thanks.
>: - --

>If NYB is the same NYB that I am thinking of (another name for it is
>B1), get the latest version of F-prot and boot the machine from a clean
>booting disk. Run F-prot. It wasn't able to find the original MBR
>but letting F-prot overwrite the MBR with a clean one worked for me.
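Hubert Schmitz's explanation of the failed FORMAT (B1/NYB reading a BPB that is still all F6h) can be reproduced on paper. The following is an added example for this digest, not code from any poster or product: it parses the BIOS Parameter Block of a DOS boot sector, works out where a B1-style infector would stash the original boot sector, and shows what the same arithmetic yields when the "BPB" is the format fill byte. The 1.44 MB geometry is constructed, and the hiding-place rule (last sector of the root directory) is taken from the NYB write-up reposted later in this digest, so it is an assumption about that virus rather than something this code establishes.

```python
"""Parse a DOS boot sector's BIOS Parameter Block (BPB) and show why a
boot-sector virus that derives its hiding place from the BPB fails on a
floppy that FORMAT has just filled with F6h.

Added example for this thread; not code from any poster or product. The
1.44 MB geometry is constructed, and the "hiding place" rule (last sector
of the root directory) is taken from the NYB write-up in this digest, so
it is an assumption about that virus, not a finding of this code."""
import struct

FORMAT_FILL = 0xF6            # byte the INT 13h AH=05h format call writes everywhere
BPB_FMT = "<HBHBHHBHHH"       # classic FAT12/16 BPB fields starting at offset 0Bh
BPB_OFF = 0x0B


def parse_bpb(sector: bytes) -> dict:
    """Return the BPB fields of a 512-byte boot sector as a dict."""
    if len(sector) != 512:
        raise ValueError("boot sector must be 512 bytes")
    fields = struct.unpack_from(BPB_FMT, sector, BPB_OFF)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "num_fats", "root_entries", "total_sectors", "media",
             "sectors_per_fat", "sectors_per_track", "heads")
    return dict(zip(names, fields))


def bpb_is_sane(bpb: dict) -> bool:
    """Plausibility checks a scanner (or a careful infector) would apply."""
    return (bpb["bytes_per_sector"] in (512, 1024, 2048, 4096)
            and bpb["sectors_per_cluster"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and 1 <= bpb["num_fats"] <= 2
            and bpb["reserved_sectors"] >= 1
            and bpb["root_entries"] > 0
            and 1 <= bpb["sectors_per_track"] <= 63
            and 1 <= bpb["heads"] <= 255)


def last_root_dir_sector(bpb: dict) -> int:
    """Logical sector number (0-based) of the last root-directory sector."""
    first = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"]
    bps = bpb["bytes_per_sector"]
    count = (bpb["root_entries"] * 32 + bps - 1) // bps
    return first + count - 1


def lsn_to_chs(lsn: int, bpb: dict) -> tuple:
    """Logical sector -> (cylinder, head, sector) as INT 13h wants them."""
    spt, heads = bpb["sectors_per_track"], bpb["heads"]
    return (lsn // (spt * heads), (lsn // spt) % heads, lsn % spt + 1)


def naive_hiding_place(sector: bytes) -> tuple:
    """What B1 does per the post: trust the BPB, compute, write there."""
    bpb = parse_bpb(sector)
    return lsn_to_chs(last_root_dir_sector(bpb), bpb)


def checked_hiding_place(sector: bytes):
    """Same computation with the checks a scanner would make first;
    None means 'no usable BPB here' (the mid-FORMAT case)."""
    if sector == bytes([FORMAT_FILL]) * 512:
        return None                      # track just formatted, BPB not written yet
    bpb = parse_bpb(sector)
    return lsn_to_chs(last_root_dir_sector(bpb), bpb) if bpb_is_sane(bpb) else None


def make_floppy_boot_sector() -> bytes:
    """Constructed 1.44 MB FAT12 boot sector: jump, OEM name, BPB, signature."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FMT, sec, BPB_OFF, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    fresh = bytes([FORMAT_FILL]) * 512
    print("real 1.44 MB BPB  -> hiding place CHS", naive_hiding_place(make_floppy_boot_sector()))
    print("all-F6h 'BPB'     -> hiding place CHS", naive_hiding_place(fresh),
          "(head 247 on a floppy: INT 13h fails)")
    print("with sanity check ->", checked_hiding_place(fresh))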
------------------------------

Date: Thu, 05 Jan 95 15:44:38 -0500
From: acm@andromeda.labvis2.unam.mx (Alvaro Castillo Martinez)
Subject: How to protect the best a file server from viruses? (PC)

Hi there,

We have a Netware 3.11 file server which got infected with NATAS
(Vienna?). Then we ran F-PROT v2.14 and apparently it was successfully
removed. I cleaned first the workstations, rebooting from a clean
write-protected disk, and then the file server. However I have noticed that
some machines don't support the same in memory as before. I ran F-PROT
again but no viruses were found.

What can I do to be sure that there are no viruses on the net? Also I would
like to know if it is correct to put 2 or more TSR antivirus programs at a
time.

Thanks in advance.

------------------------------

Date: Thu, 05 Jan 95 16:01:23 -0500
From: Iolo Davidson
Subject: About memory scanning (PC)

rc.casas@ix.netcom.com "Robert Casas" writes:

> gmk@eva.system.sikkerhet.no (Geir M. Koeien) writes:
>
> > I can accept that the vir-signatures is loaded into memory by
> > the AV product when scanning for viri in memory. I can also
> > understand that the signatures, if left in memory, can cause the
> > AV product to trigger.
> >
> > However, I refuse to accept that this problem should be an
> > excuse for not doing memory scanning. It should be no problem at
> > all for the AV product to zero-out the signatures before it
> > exits. (no reason for Iolo to watch out yet)

I believe that I have not received all of the recent comp.virus postings,
since the above reference does not seem to connect to anything I have
seen. If anyone has been puzzled by my lack of comment on any recent post
that I might have been expected to refute, then please blame it on my news
server.

> > So, if you don't want to do memory scanning you'd better put
> > up a better excuse than this one.
>
> I disagree. There are many reasons for _not_ "scanning memory."
> Probably the most important is that if a stealthy, piggybacking virus
> has already gained control of memory then the technical difficulties
> involved in scanning in such an environment are enormous.

Difficulty is a challenge. Using it as an excuse is a cop-out. Further, the
whole point of scanning memory is to warn when a virus is already resident
and controlling the system, so that the scan does *not* continue and cause
the infection to spread.

> This is
> especially true if a scanner uses algorithmic and virus-specific
> methods of scanning. If the scanner doesn't possess identification
> strings for the virus it will be missed and the scan process will
> spread the virus. Since viruses are currently being written and
> released more quickly than algorithmically based scanner updates
> end-users are putting themselves at risk with such scanners.

This is true of all scanners, not specifically memory scanning. Scanners
need constant updating in order to find new viruses. It is a weakness in
the scanner concept itself. People want scanners, however, and won't, in
the main, use checksummers.

> Other issues include the scanner's ability to perform self-integrity
> checks, self-restore when infected, and detect the process of
> piggybacking and alert the user if this happens. Many "scanners"
> don't possess all of these capacities.

:-) Some can't even detect viruses in memory.

> If you think "scanning" is the primary and most important method
> for dealing with viruses then you're bound to get yourself into
> trouble.

This can certainly be argued. In the marketplace, though, successful
anti-virus companies do not try to tell their customers what they ought to
be buying, but sell them what they ask for. Those suppliers who have
refused to sell anti-virus TSRs or disinfection utilities on the grounds
that they are inherently insecure have been hurt commercially.
> There are many stealthy viruses that are already a
> few years old that some scanners still don't detect. Even worse,
> when resident, there are some "old" stealthy viruses that will
> piggyback on well known "scanners" (including ones that claim
> to scan memory) and infect all scanned files in the process.

This is always a danger with scanners. When they do not recognise a new
virus, they will not find it and may help it spread. That is why scanners
have update programs. Failing to scan memory is not a magic way to stop
this happening, but simply a missing weapon in the possible armament.

> Best open yourself to new ideas. You're putting yourself at risk
> with your current ones.

Abandoning last year's new ideas is also a failing strategy. You have to
use all effective methods. Then you have to add the things your customers
want, even if you don't think they are effective. Then you have to make it
work in Windows, even though you know this makes it *less* effective.
Memory scanning is effective, which puts it pretty high on the must-do
list.

- --
SAID ONE WHISKER WITH THIS STUFF TO ANOTHER BROTHER CAN'T GET TOUGH
Burma Shave

------------------------------

Date: Thu, 05 Jan 95 16:01:16 -0500
From: Iolo Davidson
Subject: surviving warm boot (PC)

padgett@tccslr.dnet.mmc.com "A. Padgett Peterson, P.E. Information" writes:

> OK some common mythconceptions here. The "cold boot" process
> which involves the power-on or reset (if you just push the
> button) involves the computer "losing its mind", becoming an 8086
> (going into "real" mode), placing FFFF in the CS, 0000 in the IP
> and executing. This is designed into the hardware and a virus
> cannot affect this.

At least one virus, Exebug, can pervert the cold boot process. It does not
mess with the execution path you outline, but it doesn't need to. It tricks
the system into booting from the hard disk even with a floppy in the A:
drive.

> So the real right answer is "If in doubt, power down and restart."

I do.
This is good basic advice. However, it is not sufficient in itself where
Exebug is concerned.

- --
SAID ONE WHISKER WITH THIS STUFF TO ANOTHER BROTHER CAN'T GET TOUGH
Burma Shave

------------------------------

Date: Thu, 05 Jan 95 18:17:14 -0500
From: hermanni@datafellows.fi (Mikko Hypponen)
Subject: Re: F-Prot Professional versus F-Prot Shareware (PC)

Gerald Pfeifer (user039@edvzbb2.ben-fh.tuwien.ac.at) wrote:

> > Professional version is updated more frequently (once a month
> > versus once every two months)
>
> Well this is not true for F-Prot Professional/German
> (in Austria) at least.

Ah, I should have made this clearer; what I said applies only to areas
where we publish the Professional version. The German-speaking parts of
Europe are handled by perComp-Verlag GmbH (percomp@infohh.rmi.de). However,
I think they are offering monthly updates for a separate fee as well.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date: Thu, 05 Jan 95 20:54:01 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: how do viruses do it?? (PC)

Brian Peterson wrote:

>i was wondering....
>
>if a virus is going to wipe your disk, would it use a dos command
>to do it?? like FORMAT.COM or DELTREE.EXE or FDISK.EXE?? because if
>it does, cant you just rename those utilities so the virus cant use
>them?? sorry if this sounds stupid, i'm not that familiar with how
>viruses work. any advice/comments/help/etc are welcome!

I have yet to see a virus try this -- though I wouldn't be surprised to see
one. :) Some viruses explicitly either infect or explicitly do not infect
FORMAT.COM. Generally, however, viruses use int 26h or int 13h to try to
cause damage via sector writes.
Most of the virus writers haven't a clue about the proper use of int 26h,
so most viruses using this method will only harm disks with a 12-bit FAT on
them -- 16-bit FATs are left alone.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *
Take pride in your work... Code in assembler.

------------------------------

Date: Thu, 05 Jan 95 21:15:58 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: WIN.COM modification (PC) -- useful generic virus detection info

Sean Straw wrote:

>I've done virus research in the past (I'm the author of OFF! and NEUTER, as
>well as several other freeware antivirus utilities -- and the Virus that
>OFF! identifies and completely removes (Offspring v0.89, since OCTOBER
>1993), has yet to be identified by McAfee (even though I *GAVE* them source
>to the utility and fully disassembled and documented virus code), or even
>listed in the Hoffman Virus Summary. While those viruses I've dealt with

Where can I find your programs?

>POSITIVELY that a virus does indeed exist, and not that something just
>seems to be funky on their system, as Joe User might. Quick fixes are
>needed in those cases, since even reporting them to McAfee/Symantec/CPS
>won't get a disinfector soon. It is just the way I work. I do however

Symantec has a 48 hour response time available for customers. You cited an
example above where McAfee ignored you -- has Symantec also done this? Have
any other companies done this? Which ones?

> LIST a file viewer (by Vernon Buerg). Allows you to scroll

Also a copy of the Norton Utilities 4.5 (!) or DISKEDIT will be very
helpful.

> and a "STRINGS" program that can dump apparent ASCII strings found

This program is equivalent to the unix utility. The version I have does
not allow wildcards in the filespec. Does yours? Do you know where I can
get a copy?
>Now, that useful bit of virus detection information I mentioned in the
>(left column below is the prompts you see, or something very similar, and
>the right column is what you type; on the "xxxx:0105" line you press Enter
>by itself to stop the assembly process).
>
> C:\> DEBUG C:\INFECTME.COM
> - f 0 ffff 0
> - a
> -xxxx:0100 mov ax,4c00
> -xxxx:0103 int 21
> -xxxx:0105
> - rcx
> CX 0000
> : 2000
> - w
> Writing 02000 bytes
> - q
>
>What this does is create a .COM file 8K in size (or you could substitute
>the "2000" with some other HEX number to dictate the size -- be careful
>though) that merely quits when you run it. Immediately PKZIP the file into
>a safe place. PKZIP will do a nice little thing for you: it will generate
>a CRC-32 signature for the file (you'd see it if you viewed the ZIP
>directory). This file should have a CRC-32 of "9F6613C4", and a length of
>8192 bytes. I use another utility I wrote for doing these file signature
>checks, but PKZIP will work fine for most any user.
>
>I call this file a "Petri-file". That is, it is a file quite prepared for
>cultivating a virus in (rather like a petri-dish cultivation of a Strep
>Throat virus at the Doctor's office), since virtually ANYTHING the virus

There are a few notes to make: This file is not susceptible to all viruses.
I realize we are discussing WIN.COM here, but let me make a few points.
(Aside from the .EXE perspective...)

First, some .COM infectors only infect .COM files which already begin with
an E9-style jump. The Danish Tiny family comes to mind here.

Second, if there is a virus in memory which disinfects files on file-open
and reinfects on file-close, and this virus is active, one will not see a
difference when zipping; they will only zip a clean file.

Third, it is unlikely, though possible, that there was an .EXE file-size
stealthing virus in memory which did something weird to the size reported
back to DOS when in memory.
Occasionally, I have seen viruses report funky things back to DOS while
trying to stealth.

>I use many variations on the petri-file format (EXE files, files containing
>some small amount of code variance before termination), just so I have
>several possibilities for virus separation, in case some virus author
>thinks he's clever by avoiding files that apparently terminate right off at
>the beginning.

I have not actually seen this anywhere. Have you?

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *
Take pride in your work... Code in assembler.

------------------------------

Date: Thu, 05 Jan 95 21:54:24 -0500
From: hyattt@iia.org (Tim Hyatt)
Subject: Re: GenB virus alert (PC)

We discovered this virus at my office. It had infected several hard drives
and floppy disks. McAfee's SCAN V117 located the virus, and McAfee's CLEAN
was able to eradicate it. I believe two different types were discovered:
[Genb] and [Genp]. I gather the 'b' stands for boot sector and 'p' stands
for partition. Does anyone know what this virus might have done had it not
been discovered and removed? Or is it simply unknown and you can't tell
what it might have done?

------------------------------

Date: Thu, 05 Jan 95 23:17:23 -0500
From: cb630@cleveland.Freenet.Edu (Paul A. Kuehn)
Subject: MONKEY Virus? (PC)

Has anyone heard of a virus named MONKEY? If so, email me some info if
there is any. A friend of mine found it on his network at work and asked me
if I knew about it; I never heard about it. So any info is appreciated.
Thanks

- --

------------------------------

Date: Thu, 05 Jan 95 23:35:52 -0500
From: jgreenhaw@delphi.com
Subject: Re: Virus Help Requested (PC)

Try a different virus scanner. F-Prot, ThunderByte, and McAfee's virus
scanners are highly recommended. Not familiar with the one you used, so
can't compare.
I used to be a sysop of a BBS in the Dallas, TX area, and have been told
that these are the best. Used them and remained virus free. I hope this
helps you. These scanners can be found on most local BBSs and also can be
found in some internet gophers.

Joey G.

------------------------------

Date: Fri, 06 Jan 95 02:11:22 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: CARO Naming List (PC)

srain@netcom.com (Silent Rain) writes:

> Where can I acquire the latest list of CARO approved virus names
>for PC viruses? FTP/WWW/Email?

The latest list is, well...a bit out of date. However, the people most
involved in the naming issues will be meeting in the first week of
February, so hopefully a new, up-to-date list should be available soon
afterwards.

- -frisk

------------------------------

Date: Fri, 06 Jan 95 02:18:41 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Kampana.C and Perv (PC)

ethelk@netcom.com (Ethel Kendrick) writes:

>Recently I ran across a computer infected with what F-protect called
>"Kampana.c". It's a real virus since diskettes I inserted would later
>show the infection. F-Protect has no info on this virus in its database,

Well...look under Campana. This virus is also known as Telefonica,
Spanish_Telecom and Holocaust.

>nor does VSUM. TBAV has it listed but I don't have that registered.

A pretty nasty virus.....get rid of it ASAP.

>Also, TBAV tells me a program called DOSKEY is a joke program called
>Perv. I know DOSKEY is a real program and all, so is this a false
>alarm?

Probably.

>What is Perv anyway?

Perv is, well....short for "pervert"....a completely harmless "joke"
program.

- -frisk

------------------------------

Date: Fri, 06 Jan 95 02:19:44 -0500
From: fungible@pipeline.com (Tom Patterson)
Subject: Deploying viruses (PC)

I'm not a programmer and don't have any experience writing viruses. Yet,
I'm puzzled.
If you had a virus, and wanted to deploy it easily within a system, say via
trojan, couldn't you hide the virus in a data file (say by merely changing
the file extension to .dat) and then create an executable file that merely
changes the data file to an executable and then executes it? It sounds like
a simple way to work into some poor guy's system: give him some .zip file
that contains a relatively harmless executable and a bunch of data files.
He scans his disk, and because the scanner only checks .exe files and the
boot sector, it comes up with nothing. He runs the .exe which consequently
runs the executable hidden as a data file, thereby deploying the virus. By
the time the guy runs the scanner again, the virus could already have done
its damage. Or do virus scanners actually check for this kind of thing?

Jest a thought.

------------------------------

Date: Fri, 06 Jan 95 09:26:40 -0500
From: mutz@lep-philips.fr (Stephane Mutz)
Subject: Hidden code (PC)

Hi

Someone said that a TrueType font .FOT file contains executable code. Is
there any other file type that contains code but seems to be a data file
type?

------------------------------

Date: Fri, 06 Jan 95 09:26:58 -0500
From: corporon@wizard.cse.nd.edu (phillip corporon)
Subject: Monkey Virus on a "Stacked" Hard Drive (PC)

I've come across a computer with the Monkey virus; it also has Stacker
installed on it. When I start the process to eradicate the virus by booting
from a floppy, I can no longer "see" the drives since the drivers are
invoked via the config.sys file. I've duplicated the hd's config.sys file,
and appropriate binaries, on the boot floppy but that did not work either.
How does one remove the Monkey virus from a "Stacked" hard drive?

Thanks...Phil.

- --
corporon@nd.edu

------------------------------

Date: Fri, 06 Jan 95 09:49:58 -0500
From: dave@infi.net (Dave Hinde)
Subject: Re: New Bug (PC)

We've been hit with the same (New Bug) virus.
I was about to post the same question (what are the long-term effects?).
We also need to know how the virus is being transmitted. We run Intel's
Vscan on our network, scanning each workstation when it logs on. This
catches the virus on the PC, but how is it getting there? The server is
constantly being scanned. Can Vscan be missing it on the server, allowing
the server to transmit it to the PCs? Any information on this virus would
be appreciated.

Mitch961 (mitch961@aol.com) wrote:

: I have seen a virus that MWAV identified as NEWBUG on my PC. I noticed
: this boot virus after a couple of machines started having problems with 32
: bit access in win3.1. MWAV (updated version from BBS) does give more
: info. I found the virus within a few days of being infected and I can't
: say what the long term effects are.

- --
  __/,@  __      Dave Hinde
 /_o____o_|      dave@infi.net
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
InfiNet | Hampton Roads' Premier Online Information System
        | (804) 627-1828, login guest, password guest to register

------------------------------

Date: Fri, 06 Jan 95 09:51:50 -0500
From: Fang Zhong
Subject: Best Virus Protection App for PC? (PC)

I am posting this message for a friend of mine who is using a PC. What
would be your preferred virus protection application? (commercial,
shareware, freeware)

Thanks in advance.
Fang

------------------------------

Date: Fri, 06 Jan 95 10:17:41 -0500
From: "Meswani, Prashant [MIS]"
Subject: Re: FORM virus on Doublespaced Drives (PC)

Steve W. Taylor (misswt@leeds-metropolitan.ac.uk) wrote:

: Has anyone had any experience of getting rid of the FORM virus on MSDOS 6.2
: Doublespaced drives? Clean on NAV, DrSolomon etc. fails. Our only solution
: is to reformat.
: Help would be appreciated.

Then Bill Townsend wrote:

:Have you tried to use McAfee's SCAN v212e? I have found that McAfee's
:programs clean just about every thing. You can get it off the net at
:mcafee.com via ftp.
:If I remember correctly, it is in the /pub/antivirus
:directory - or it might just be /antivirus. Give that a try.

The type of virus we have is a variant of Form. It is called Form.a. It is
more difficult to get rid of this virus by using a lot of the virus
checkers on the market.

I would be grateful if somebody could e-mail me (directly) with a solution
so that I can try it out.

Thanks for the advice given so far!

P.Meswani@lmu.ac.uk "Prashant Meswani [MIS]"
***********************************
*    Trust me, I'm only Human     *
***********************************

------------------------------

Date: Fri, 06 Jan 95 16:13:32 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: What are the effects of FDISK/MBR (PC)

Gerald Khoo wrote:

>Could someone tell me the effects of FDISK / MBR for cleaning a virus???
>Will it affect the disk partitioning???

Generally, no. Here is the deal, though it probably is in the FAQ.

fdisk /mbr overwrites the *code* portion of your master boot record. It
leaves the data alone. If there was a virus there, it is overwritten with
fdisk's new code.

The procedure for removing a virus of this sort is simple: Boot from a
known clean write-protected disk with a copy of fdisk on it. Type "dir
C:". If the message "Invalid drive specification" comes back to you, then
you have a problem - find an AV package to help you. This occurs when the
data portion of the master boot record (this data being called the
partition table) has been somehow thrashed -- encrypted, overwritten/moved,
who knows. *DO NOT* use fdisk /mbr in this case. You will thrash your
disk. Sometimes recovery is possible after this, but generally you're
pretty hosed, depending on the configuration of your disk.

If you get a directory of the disk, then perform the command "fdisk /mbr".
This command is available in Compaq DOS 3.31, MS-DOS 5.0 and up, to my
knowledge. Boot up again. If the virus is still present (however you know;
perhaps your AV package can't remove it or something?)
then you may have a grim situation.
1) Your disk wasn't really clean for this stealth virus
2) You have a virus which modified the data in the partition table such that it created its own "bootable sector" elsewhere on the disk which installs the virus, then continues to load the appropriate boot sector.

--
--> Kevin Marcus, Computer Science Dept., University of California, Riverside
    Email: datadec@cs.ucr.edu.
    * * * T H I E V E S   S U C K * * *
    Take pride in your work... Code in assembler.

------------------------------

Date: Fri, 06 Jan 95 16:26:35 -0500
From: dfoster@panix.com (David Foster)
Subject: Re: NYB (PC)

patlee@panix.com (Patrick Lee) writes:
>sborduas@step.polymtl.ca (Simon Borduas) writes:
>>
>> TSE CHI ON ANDREW (s935476@acs.csc.cuhk.hk) wrote:
>>
>> : Does anyone know the virus named NYB? It's a very new virus.
>> : Even the newest SCAN 2.1.3 still cannot kill that virus!
>> :
>> : So, does anybody know whether there's a cleaner for that virus
>> : NYB? Thanks.
>>
>> We also have troubles with this BOOT-MBR infector in Montreal. Any info
>> will be welcome.
>A coworker says he was able to clean the NYB virus with Norton Anti Virus.
>Does anyone know what harm the virus does?
>We're in New York City ...
>--
> Patrick Lee [Internet: patlee@panix.com] [CompuServe: 74003,2566]
> Stuyvesant H.S. Alumni Assoc. Home Page http://www.panix.com/stuy

This is reposted from steele@delphi.com on alt.comp.virus

The virus is identified as [B1] by f-prot v2.14 and as [NYB] by scanv v1.17 and NAV. I have disassembled it; here is a report:

It resides in the boot sector of floppies and/or in the MBR of a hard disk. It is not polymorphic (or even encrypted) and is not multipartite (it does not affect any executable files). It is, however, a stealth virus; once in memory, it will re-direct attempted reads of the infected MBR or boot sector to another sector which has a copy of the original, un-infected code.
Booting from an infected floppy will infect the MBR of all physical hard drives on the system. A copy of the original MBR will be placed at absolute sector 17 (cyl/track 0, head 0). In the case of a floppy, a copy of the original boot sector is placed in the last sector of the root directory.

After booting from an infected hard disk, the virus will locate itself at the top of memory. The amount of total system memory as reported by CHKDSK will show 1K less than expected. The virus hooks BIOS int 13, and will infect any non-write-protected floppy on any access of track zero (basically always).

Each time a floppy is accessed, the middle two (of four) bytes of the system timer are AND'd with 0x178f. If this result is zero (probability = 1/512) it will activate its "payload", which is its most unique feature. It uses INT 13 to send the floppy drive head repeatedly from track 0 sector 1 to "track 255", "sector 62" (neither of which exist). Since this BIOS function does not do validity checking on these values, it jams the floppy stepping motor to its physical limit over and over, ignoring virtually any error codes that are returned (physically opening the floppy door *will* stop it).

Out of curiosity, I intentionally infected a "spare" computer with a copy of the virus (which I had "patched" so I wouldn't have to wait around too long for it to trigger). It made a horrendous noise, the likes of which I have never heard from a floppy drive. After gritting my teeth for about 5 seconds I stopped it; the drive was apparently no worse for the wear.

The virus can be removed by booting from a clean floppy and running FDISK /MBR. If you have a non-standard MBR you could remove the virus by copying sector 17 back to sector 1 (after booting from a clean floppy, of course).
I allowed f-prot to remove it with its "generic" boot sector repair feature; this had the additional advantage of removing it from the MBR of a second (physical) hard drive on the machine (I'm not sure how you would get FDISK /MBR to do that).

- Steve

*********************************************************************
David Foster       | "But I've been to the pointless forest,
dfoster@panix.com  |  and it isn't pointless at all."
CIS: 76436,3627    |                        -- Oblio, The Point

------------------------------

Date: Fri, 06 Jan 95 17:01:11 -0500
From: j1i1@ugrad.cs.ubc.ca (Ka Chu Ho)
Subject: Re: F-PROT (PC)

David Resnick (davidr@searchtech.com) wrote:
: Sorry if this is in the faq -- haven't gotten a copy of that yet if there
: is one. Could someone tell me where I can get a copy of the latest version
: of F-PROT? Many thanks in advance!

: [Moderator's note: You can get a copy of the FAQ from
: ftp://corsa.ucr.edu; also, an updated version of the FAQ is being
: developed.]

Try dutiws.twi.tudelft.nl:/pub/msdos/virus/misc

All the best
Clarence

--
| Clarence Ka Chu Ho                        |  |~~\_____/~~\__
| University of British Columbia, CPSC yr 2 |_________ \______====== )-+
| j1i1@ugrad.cs.ubc.ca, kcho@unixg.ubc.ca   |      ~~~|/~~  | ()

------------------------------

Date: Fri, 06 Jan 95 19:18:44 -0500
From: sloppy@mack.RT66.com (John Millington)
Subject: FORM_A sighting (PC)

McAfee's Scan 2.1.3 calls it "FORM_A." MSAV (that came with MSDOS 6.22) calls it "Form." Its symptoms seem to match what Patricia Hoffman's VSUM 9411 calls "Form_Canada." Haven't observed it doing any horrible things (yet), but it marks two sectors as bad on infected disks.

I used to think that the concept of boot-sector viruses was "primitive" and nothing to worry about, but now I know better. Because it did not infect our file server or my workstation (which I use to run the virus scanners every night) it has been merrily copying itself all over our site for at least two weeks...until *I* finally got it yesterday.
Cleanup's easy, though. The hard part is the embarrassment involved in alerting everyone we spread it to. :( This sucks.

------------------------------

Date: Fri, 06 Jan 95 20:04:24 -0500
From: XWWC29A@prodigy.com (MR HENRI J DELGER)
Subject: boot-437 virus (PC)

> From: khanh@uniwa.uwa.edu.au (Khanh Phi Van Doan)
> My computer has been infected with the BOOT-437 virus. McAfee scan can
> detect but is unable to clean this virus (scan ver 2.13e). Does anyone
> know how to get rid of it with reformatting the hard drive? What does this
> virus do anyway?

You can remove Boot-437 by first booting from a UNinfected DOS boot disk, then from the A> prompt, copy SYS.COM from C:\DOS to the disk, and run the SYS C: command. After that, check to see that the virus is gone, and start checking for infected floppy disks.

Boot-437 is unusual in that it infects the hard disk's Boot sector, instead of the Master Boot Record. It moves the original Boot Sector data to the sixth sector of Track Zero. When it infects diskettes, it overwrites the Boot Sector, instead of saving it elsewhere.

Henri Delger
XWWC29A@prodigy.com
BBS: 617 471-6645

------------------------------

Date: Fri, 06 Jan 95 20:04:27 -0500
From: XWWC29A@prodigy.com (MR HENRI J DELGER)
Subject: Tequila Virus (PC)

>From: Marcus Mac Innes
> Does anyone know anything about the Tequila virus....?
> How can it be destroyed?
> also ... it is only resident in the master boot block of my HD,
> (according to McAfee Virus scan). Is this accurate, and how can the
> Master boot block be reformatted without reformatting the Hard Drive?

Tequila infects EXE files, and the hard disk's MBR (sector 1, Track Zero). If an infected EXE is run, the virus will run first, and write a copy of itself near the end of the hard disk's file storage area. It then alters the Partition data, reducing the number of data sectors available to DOS, in order to prevent DOS from overwriting its code.
It also modifies the Master Boot Record to "point" to the location of the virus code. At this point, the virus is not yet resident in memory. However, at the next boot-up, the virus will be read into memory as a TSR, and begin infecting EXEs. Because it's a stealth-type virus, when in RAM, it hides the 2468 bytes it adds to the length of EXEs, and can cause File Allocation Table errors (causing data loss if Chkdsk /F should be run).

Henri Delger
XWWC29A@prodigy.com
BBS: 617 471-6645

------------------------------

Date: Sat, 07 Jan 95 05:40:22 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: About memory scanning (PC)

datadec@cs.UCR.EDU (Kevin Marcus) writes:
>If you have a virus which infects, say, on file open, or findfirst's, etc.
>and the virus is in memory, and active, and the av product doesn't
>detect it, then for each file that is scanned, it is infected.

Not necessarily. The AV product might bypass the file system...using INT 13 to access files, so the virus will not notice (well, unless it intercepts INT 13, of course). My product does not do this, but there are some that do.

The problem? Well, assume you are scanning a network from an infected workstation. Then you cannot use INT 13 .... and if the scanner does not notice the virus in memory, it may infect the entire server while scanning.

This is why I believe memory scanning is necessary.

-frisk

------------------------------

Date: Sat, 07 Jan 95 06:02:10 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: False alarm of FP 2.15 on IBM-DOS boot sector (PC)

fesquive@cariari.ucr.ac.cr (Fabio Esquivel (Iron Maiden's fan)) writes:
>For further test, I copied NATAS.BIN into NATAS.COM and debugged it with
>Borland's Turbo Debugger and found no virus-behaviour in such code (as it
>is on Ping Pong, Stoned, Mich, Kampana and other BSI's I have).

Well, that is perfectly normal. Natas only occupies 41 bytes in the boot sector ...
a short "loader", whose only purpose is to load the rest of the virus.

>I think it's a false alarm given by F-Prot.

If F-PROT actually reports Natas in a boot sector, and not just "possibly a variant of Natas", then you almost certainly have Natas there. F-PROT does "exact" identification of most boot sector viruses, including Natas, and requires a 32-bit checksum to match exactly to report the virus.

>It's a shame that the "Virus Information" option of F-Prot does not provide
>complete information about the viruses it recognizes... Yet I use it
>simply because it's the best around!

Well, the information section is somewhat incomplete, but the reason is that we are working on a complete replacement....just wait and see.

-frisk

------------------------------

Date: Sat, 07 Jan 95 06:03:08 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Form.A??? (PC)

byron-gaudet@uiowa.edu (Ilsundal) writes:
>I recently helped someone remove a virus with F-prot. When F-Prot
>scanned, it reported that it saw the form.a virus. I was just wondering
>if this was the same as the Form virus.

Well, strictly speaking there is no such thing as "The Form virus". Form is a family of viruses, of which Form.A is just the most common one. F-prot just identifies it properly.

-frisk
Fridrik Skulason      Frisk Software International      phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-5-617274

------------------------------

Date: Sat, 07 Jan 95 06:06:48 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Junkie virus (PC)

jkao@ic.sunysb.edu (Whodini) writes:
> Use F-Protect to clean your Hard Drive's boot sector. It stays in
>the MBR. McAfee won't clean it, and F-Prot won't clean files with it
>(it just sits there and tries to clean it over and over).

Uh, pardon me, but as far as I am aware, F-PROT has absolutely no problems whatsoever disinfecting Junkie-infected files.
-frisk
Fridrik Skulason      Frisk Software International      phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-5-617274

------------------------------

Date: Sat, 07 Jan 95 06:15:53 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: What are the effects of FDISK/MBR (PC)

cceksw@leonis.nus.sg (Gerald Khoo) writes:
>Could someone tell me the effects of FDISK / MBR for cleaning a virus???

Works fine for some MBR-infecting viruses, but will cause serious problems with others.

>Will it affect the disk partitioning???

No.

FDISK /MBR is of no use, and may actually do more harm than good if:

1) You had some non-standard file system.
2) You have a virus that moved or encrypted the partition information.
3) You have an MBR virus that only changes the data part of the MBR, not the code part.

You can be reasonably sure it will not do any harm if you are able to access the hard disk normally after booting from a clean diskette.

-frisk

------------------------------

Date: Sat, 07 Jan 95 07:29:58 -0500
From: Zvi Netiv
Subject: Re: Fdisk/mbr will remove (almost) all MBI (PC)

> Kevin Marcus wrote:
> >Michael Jackson wrote:
> >>"Jim Bennett" writes:
> >Even fdisk/mbr will not remove MBR infectors.
> As one reader kindly mentioned to me in email, my statement should be
> corrected to:
> "Even fdisk /mbr will not remove *ALL* MBR infectors".
> I forgot an important word there...

Fdisk/mbr will remove almost all mbr infectors, after taking the customary precautions (boot clean, check for access to drive C:). As a matter of fact, there is only one virus that I know of, that modifies the mbr and won't be removed by fdisk/mbr: Gingerbread Man. This virus modifies the partition data so that the active boot sector points to sector 0,0,2 (where the first sector of the virus is) instead of the standard 1,0,1. As fdisk/mbr rewrites only the bootstrap program, the virus remains unaffected.
Zvi Netiv, InVircible
Fax: +972 3 5325325

------------------------------

Date: Sat, 07 Jan 95 15:10:17 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: About memory scanning (PC)

Robert Casas (rc.casas@ix.netcom.com) writes:

> I disagree. There are many reasons for _not_ "scanning memory."

Really? OK, let's take a shot at them...

> Probably the most important is that if a stealthy, piggybacking virus

Hold on! Please stop, take a deep breath, and explain to us what *exactly* you mean by the term "piggybacking virus"? The person who has invented this buzzword - and who was so far the only person to use it - is Zvi Netiv. I have seen him using this term to mean any of the following: tunneling, stealth, fast infector, polymorphic. I always wanted to ask him which one of those he means exactly. Now I am asking you: please define *exactly* the term "piggybacking virus". After all, if you are using it, you should be understanding it. So, what does such a virus do?

> has already gained control of memory then the technical difficulties
> involved in scanning in such an environment are enormous. This is

Oh yeah? And how, pray tell, does this "piggybacking virus" make memory scanning so difficult? Remember, on a PC running MS-DOS, the program that is currently executing (i.e., the scanner) has *full* and *complete* access to the whole address space of the CPU - therefore it can look anywhere it wants to. Second, unlike the disk access operations, the memory access operations cannot be intercepted - remember we are talking about plain DOS here; not about some virtual machine running in protected mode. So, as we can see, the virus cannot "hide" (because the scanner can look anywhere), and it cannot intercept the memory access operation and modify its result - therefore, no "memory stealth". About the only thing a virus can do to make detection in memory difficult is to remain polymorphically encrypted in memory.
Such viruses do exist (Whale, MtE.Shocker, etc.) but first, they are very few, second, they slow down the infected machine so much that they get noticed immediately - thus no chance to spread far - and third, it is possible to scan the memory even for them - it's just a bit more difficult than usual.

Therefore, your statement above is wrong - finding a virus in memory is trivial. The reason why some anti-virus producers avoid doing it is because a scanner must not only detect viruses - it must also *not* "detect" non-viruses. That is, it must not cause false positives. Just blindly searching the memory for a bunch of scan strings is bound to cause problems, because some of them might be found in the DOS buffers (the user has just accessed some infected code - e.g., DIR of a floppy with a boot sector virus, COPY of an infected file, and so on), or it may find it in some memory-resident scanner that is using the same scan string and does not bother to encrypt it, and so on. Therefore, memory scanning must be implemented in an *intelligent* way - and *this* is what requires some efforts; this is what some anti-virus producers want to avoid.

> especially true if a scanner uses algorithmic and virus-specific
> methods of scanning.

All *scanners* use one of those. There are other ways to detect viruses that use different methods, but such programs are not scanners.

> If the scanner doesn't possess identification
> strings for the virus it will be missed and the scan process will
> spread the virus.

Correct. But if the scanner does not bother to scan the memory at all, then it will miss the virus there much more often, no?

> Since viruses are currently being written and
> released more quickly than algorithmically based scanner updates
> end-users are putting themselves at risk with such scanners.

Yes, with *such* scanners. But, not all scanners are *that* bad. Some scanners *do* scan the memory properly, you know? Take a look at AntiVirus Pro some day.
> Other issues include the scanner's ability to perform self-integrity
> checks, self-restore when infected, and detect the process of
> piggybacking and alert the user if this happens. Many "scanners"
> don't possess all of these capacities. :-)

Those capacities are possessed by the integrity checkers; not by the scanners. It seems that you are confusing two different methods for virus protection. While it is true that both should be present in a good virus protection system, it would be unfair to expect that the integrity checkers should be able to scan and that the scanners should be able to perform integrity checks in general.

Of course, some elementary steps like checksumming themselves are advisable for all programs, especially those that are intended to be used in a potentially infected environment. While it doesn't always work (i.e., against all viruses), it is a simple thing to do and works in many cases.

> The issue most important to assess with an AV package is whether
> it performs its intended function - protecting your system from
> viruses and recovering from any damage that does occur. The issue
> is not _how_ it accomplishes this goal but _whether_ it does.

Correct. My point is that an anti-virus product that does not detect an active virus in memory is not performing its intended function well enough. There are several ways to detect that some virus can be active in memory and not all of them involve known-virus scanning. I don't care what the product uses to detect that a virus is active in the memory of my computer, but I insist that it is able to detect it.

> If you think "scanning" is the primary and most important method
> for dealing with viruses then you're bound to get yourself into
> trouble. :-)

That's perfectly true but is not the issue here. The issue is not whether scanning is strong or weak as an anti-virus method - the issue is whether a known-virus scanner should be able to detect viruses in memory or not. I think that it should.
> There are many stealthy viruses that are already a
> few years old that some scanners still don't detect. Even worse,

Yes, of course. So what? Did you know that there is a *very* old virus (the first IBM PC virus, actually) that many integrity checkers still do not detect? That's right - most integrity checkers are unable to detect the Brain virus! Why? Simple - Brain infects only floppies. It doesn't infect hard disks - only the boot sectors of the floppies, and it is not practical to check the integrity of those.

> when resident, there are some "old" stealthy viruses that will
> piggyback on well known "scanners" ( including ones that claim
> to scan memory ) and infect all scanned files in the process.

Here you used the term "piggybacking" to mean "fast infection". Above you used it to mean (I think) "polymorphism and/or encryption in memory". What do you mean by this term *exactly*?

Oh, yes, I almost forgot. You promised us "many reasons not to scan memory for viruses". So far you have not delivered even one such reason that is valid.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                      Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.           Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  22527 Hamburg, Germany

------------------------------

Date: Sat, 07 Jan 95 23:28:31 +0000
From: Poon Jacob Tin Hang
Subject: Re: McAfee 2.1.4 Crashes - help (PC)

On 6 Jan 1995, DAN GINSBURG wrote:

> I just downloaded McAfee v2.1.4 (scnb214a.zip, which I got from
> Software Creations BBS). When I scan my HD, everything is fine until it hits
> C:\TELEMATE. It kept locking up at a program called convert.exe in the
> directory. It was a program I didn't need, so I deleted it and re-scanned. It
> again crashed at another EXE in that directory.
> So, I clean booted and this
> time it crashed, but it gave me this error message:
>
> C:\TELEMATE\GIFLINK.EXE
> Error Report:
> Error Code 1
> Please record the following information and contact your McAfee
> representative.
> Source: ph_ui.c Location:679 Status -20480, Information $Revision:1.15$
> Error Code 1
> Please record the following information and contact your McAfee
> representative.
> Source: ph_ui.c Location:679 Status 4096, Information $Revision:1.15$
>
> It then crashed at the next EXE in that directory. Unfortunately,
> McAfee is closed for the holiday, so I was wondering if anyone has any idea
> what this means? Do I most likely have a virus or is this a bug in SCAN?
> Also, why would only files in C:\TELEMATE be infected when I have hundreds of
> others on my HD? Thanks...

Error Code 1 stands for 'Error occurred while accessing a file (reading or writing).' Therefore the files in the c:\telemate directory on your HD are probably corrupted. So use SCANDISK to fix the HD first (if you are using DOS 6.2x). Then use SCAN to verify whether or not it was caused by viruses.

------------------------------

Date: Sat, 07 Jan 95 19:42:30 -0500
From: JVSX30F@prodigy.com (Manfred Von richthofen)
Subject: Re: CorelDraw 4.0 virus? (PC)

tioga@cts.com (Mason Marks) wrote:
>
> On Dec, 14 at 7:00am my c: drive which had Corel Draw v4.0 pirate was
>deleted. I have heard rumors that this is Corel Draw's fault. Anybody else
>hear anything or have anything happen to them related to this?
>

I doubt this is true. It is illegal for them to do even if you are running an illegal copy of their software. It is possible that some type of trojan was attached to it somehow....

-RB

------------------------------

Date: Sat, 07 Jan 95 20:52:48 -0500
From: jmward@cs.UCR.EDU (Jonathan Ward)
Subject: Re: DOS dir listing bug, or Trojan? (PC)

Abhijit Dasgupta wrote:
>I run DOS 6.2, and have a 540 Meg Hard Disk.
>
>I thought that the total size of all files on the disk
>(excluding the hidden files) as reported by CHKDSK should
>equal that reported by a "DIR /S/A:-D-H C:\" command.
>
>However, CHKDSK reports 181 Megs in 4,816 user files,
>but the "DIR /S/A:-D-H C:\" command says 130 Megs in
>4,816 (same number) files. I believe that the second
>report is correct. (The two commands agree on the total
>numbers and size of hidden files, and on total space left
>on the disk.)
>
>Am I missing something here or what?
>
>(Scanning with McAfee's and F-Prot's latest versions
>does not report anything however.)
>
>Any help or comments will be greatly appreciated.
>

I'd say that you have neither. What you're experiencing is a phenomenon caused by the way the DOS filesystem works. I'll explain:

When DOS formats a drive, it sets up clusters, the volume (or partition) boot sector (as opposed to the MBR), and the FAT. The FAT is basically a big table, as its name implies, that stores the name of each file, and its associated cluster locations in the data area of the partition. This location is specified by a number, which is (if memory serves) either 12 or 16 bits depending on the size of the partition.

Here's where the size discrepancy comes in. Each cluster has a fixed length that's established upon formatting. Obviously, the larger your hard drive, the more clusters are available for a given cluster size. However, since the FAT entries are limited to a max of 16 bits each, this limits the total addressable number of clusters that a partition can have. In the case of some large drives, with a sufficiently small cluster size this limit could be exceeded. So DOS compensates for this limitation by adjusting the cluster size for larger partitions. Larger clusters mean a smaller number of them for any given partition.
I believe that the usual cluster size went something like:

  <120 MB -  1024
  <240 MB -  2048
  <400 MB -  4096
  <800 MB -  8192
  >800 MB - 16384

Those sizes may be a bit off, but I'm sure you get the picture.

When a file is written to disk, it's given an entry in the FAT, and allocated however many clusters are necessary to hold it. BUT - it has to be allocated at least one cluster. Which is the size of one of the above listed. The DIR command only reports the size of the _file_, but not the size of the clusters allocated to it. Hence, a 1 byte length file actually takes up a minimum of 1k of space on your drive, and more if you've got a bigger partition. CHKDSK, however, looks at the number of allocated clusters to determine the space being used and the space available on your drive. That's why chkdsk says that you have less space than the DIR command. You'll find that on about any PC system.

So basically - both are correct.

Oh yeah - the size discrepancy gets worse if you have a lot of "little" files that don't use up the whole cluster. This is also a good argument for the use of multiple partitions on large hard drives - it's more efficient use of space.

BTW, chkdsk will also tell you the size of the cluster that's currently in use for your partition - that's the X number of bytes in each allocation unit listing that's given.

-Jonathan Ward

--
Who is General Failure, and why is he trying to read from my disk??
Email to:                   | http://neuromancer/~drdrums
jmward@cs.ucr.edu           | University of California, Riverside
drdrums@dostoevsky.ucr.edu  | Dept. of Computer Science

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 5]
****************************************

From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V8 #6
Date: Mon, 6 Feb 1995 05:59:35 EST

VIRUS-L Digest   Monday, 6 Feb 1995   Volume 8 : Issue 6

Today's Topics:

graphics files & viruses
virus transfers via email
Re: OS/2 Virus'? (OS/2)
Need Virus Checker for Novell, DOS, MAC (Novell)
Re: how do viruses do it?? (PC)
Re: McAfee 2.1.4 Crashes - help (PC)
Infection via a .WK4 file (PC)
Anti-Virus Comparison (PC)
Is it possible to bypass TSR anti-viruses? (PC)
Re:just how safe is Vsafe? (pc)
SOBOLANUL virus (PC)
write-protection error (PC)
Re: ThunderByte AV and my boot sector (PC)
Re: ThunderByte CRC checking (PC)
Jumper alias _2kb; Natas / Trident confusion by SCAN?
(PC)
Hardware Virus Protection (PC)
What is this 'F' virus (PC)
Where to get CPAV Updates (PC)
McAfee Scan 2.1.213 false alarm with BEER.2794 virus ??? (PC)
Problems removing PHNX2000 (PC)
I think I have a virus PLEASE help!!!! (PC)
Press statement re Gatekeeper (PC)
Natas Virus (PC)
Re: Entire files in my DOS dir turning to NULLs!!! (PC)
Re: Stealth C virus (PC)
False alarm with McAfee 2.1.3 ??? (PC)
Virus called ALIENINI 64 ???? (PC)
SCAN; NATAS (PC)
Urgent: NewBug (Genb) virus in RAM. Help needed (PC)
Is this a Virus ??? (PC)
Re: junk-virus on my PC- Help me!!! !!! (PC)
Re: What are the effects of FDISK/MBR (PC)
ASeXual Virus... (PC)
Heard of the SPRAYER virus? Help me!!!! (PC)
Info on 69 virus ?? (PC)
Virus testing of CPAV 2.0 (PC)
ANSI bombs - MORE vs. TYPE (PC)
re:Infection via a .WK4 file? (PC)
VET queries (PC)
NATAS virus (PC)
Best AV software for LAN? (PC)
Monkey virus on Stacked Hard Drive (PC)
Wanted: info on Sobolanul virus (PC)
'69' Virus & McAfee 2.1.3 (PC)
InVircible review in Virus Bulletin - part 1 of 2 (PC)

----------------------------------------------------------------------

Date: Mon, 09 Jan 95 18:20:28 -0500
From:
Subject: graphics files & viruses

Well, there's never a question so silly as the one that isn't asked....and I couldn't find it in the Viruses FAQ's or in the Graphics FAQ's. (Ergo: silly question!)

The question: Is it possible to get a virus from a graphic file? I understand that this should not normally happen but....?

(Need an answer fairly soon, so responses, flames, etc, can be directed to me, as well as here. THX

mspear@griffin.multimedia.edu

------------------------------

Date: Mon, 09 Jan 95 19:25:25 -0500
From: pweinman@dorsai.dorsai.org
Subject: virus transfers via email

It is safe to say that no virii will be transferred via email.. or is it? (twilight zone music goes here)

------------------------------

Date: Sun, 08 Jan 95 13:30:23 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: OS/2 Virus'? (OS/2)

Cyber City (cyber1@io.org) wrote:
> David M. Chess wrote:
> >There are at least two known viruses that run under OS/2 itself, but
> >both are only "laboratory viruses" at the moment; meaning that someone
> >with nothing better to do (hard to imagine, eh?) wrote them up and
> >distributed them around various K00L HACKERZ boards and such.

----------------------------------------------------------------------
 VIRUS_INFO  Msg : 123 of 137 - 122 + 137
 From : John Buchanan 1:271/160  13 Jan 94
 To   : T. Curtis
 Subj : The virus threat..
----------------------------------------------------------------------

TC> Largely virus proof? Hmmmm... The first published native os/2
TC> virus has already been done.. I can't see why any virus couldn't be

I believe you are mistaken, Ian! The first two OS/2 viruses were named SATYR and EROS. They were given to me about 8 months ago with source. I can't tell you much more about them simply because I don't fully understand the "ring" system structure of the coding. I do know that they work.
Surprisingly howeve= r, EROS is quite large - some 4823 bytes large. It more or less works like a di= rect action file infector. SATYR is totally beyond me! Anyhow, I just wanted= to clear things up a bit. Author Ellis did *not* write the first OS/2 specific = virus. ------------------------------ Date: Sun, 08 Jan 95 14:16:10 -0500 From: jsevcik@nyx.cs.du.edu (joan sevcik) Subject: Need Virus Checker for Novell, DOS, MAC (Novell) I need a virus checking program for a NOVELL 3.11 network with a DOS server, 15 DOS work stations, and 3 Macintosh work stations. The DOS computers use windows, and doublespace. Is there any way to do this with an automatic scan that works? Automatic diskette checking is needed. Cleaned the Antiexe virus with F-Prot 2.15 (shareware) from this network. It worked great for boot sector and diskettee. Did not reach the network drive or check for Macintosh viruses. Please reply by mail. (jsevcik@nyx.cs.du.edu) Thank you Joan Sevcik - -- Joan Sevcik jsevcik@nyx.cs.du.edu ------------------------------ Date: Sat, 07 Jan 95 20:59:29 -0500 From: jmward@cs.UCR.EDU (Jonathan Ward) Subject: Re: how do viruses do it?? (PC) Brian Peterson wrote: >if a virus is going to wipe your disk, would it use a dos command >to do it?? like FORMAT.COM or DELTREE.EXE or FDISK.EXE?? because if >it does, cant you just rename those utilities so the virus cant use >them?? sorry if this sounds stupid, i'm not that familiar with how >viruses work. any advise/comments/help/etc are welcome! Gosh, I'm too nice. You should read the FAQ. Anyway, I'll just say: No. I've never heard of a virus doing that. It's possible, yes, but I've NEVER seen a virus do that. There are a lot more effiecient ways to demolish a hard drive. Most use either int 13 or int 21 with the appropriate function numbers to do their dirty work. Int 26(absolute disk write) will also work. -Jonathan Ward - -- Who is General Failure, and why is he trying to read from my disk?? 
Email to: | http://neuromancer/~drdrums jmward@cs.ucr.edu | University of California, Riverside drdrums@dostoevsky.ucr.edu | Dept. of Computer Science ------------------------------ Date: Sun, 08 Jan 95 05:04:24 -0500 From: mcafee@netcom.com (McAfee Associates) Subject: Re: McAfee 2.1.4 Crashes - help (PC) Sounds like a bug that showed up in the VirusScan 2.1.4 BETA TEST "A" release. We fixed it in the 2.1.4 BETA TEST "B" release. Aryeh Goretsky Technical Support nisk115%albnyvms.BITNET@uacsc2.albany.edu (DAN GINSBURG) writes: > I just download McAfee v2.1.4 (scnb214a.zip, which I got from >Software Creations BBS). When I scan my HD, everything is fine until it hits >C:\TELEMATE. It kept locking up at a program called convert.exe in the >directory. It was a program I didn't need, so I deleted and re-scanned. It >again crashed at another EXE in that directory. So, I clean booted and this >time it crashed, but it gave me this error message: > >C:\TELEMATE\GIFLINK.EXE >Error Report: > Error Code 1 > Please record the following information and contact your McAfee >representative. > Source: ph_ui.c Location:679 Status -20480, Information $ Revision:1.15$ > Error Code 1 > Please record the following information and contact your McAfee >representative. > Source: ph_ui.c Location: 679 Status 4096, Information $Revision:1.15$ > > It then crashed at the next EXE in that directory. Unfortunately, >McAfee is closed for the holiday, so I was wondering if anyone has any idea >what this means? Do I most likely have a virus or is this a bug in SCAN? >Also, why would only files in C:\TELEMATE be infected when I have hundreds of >others on my HD? Thanks... - -- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - - McAfee Associates, Inc. 
| Voice (408) 988-3832 | INTERNET: support@mcafee.com 2710 Walsh Ave, Suite 200| FAX (408) 970-9727 | or ftp.mcafee.com Santa Clara, California | FaxBck(408) tba | or www.mcafee.com 95051-0963 | BBS (408) 988-4004 | CompuServe ID: 76702,1714 USA | USR HST Courier DS | or GO MCAFEE Support for McAfee anti-virus, network management and help desk software. ------------------------------ Date: Sun, 08 Jan 95 05:49:31 -0500 From: floyd.patterson@ssbbs.org (Floyd Patterson) Subject: Infection via a .WK4 file (PC) KF>From: Kenneth Fribush KF>We recently had a problem with the Form virus on a laptop where the KF>only files transferred to it were Lotus 123R4 spreadsheets. Is it KF>possible for a virus to infect a PC via a spreadsheet file? I was KF>under the impression that the carrier had to be an executable file (.EXE, KF>BAT, .OVL, etc.). KF>Any info would be appreciated. Not exactly. Very Broadly speaking there are two type of viruses. The first I call com/exe viruses which is what you are referring to above. The second are memory resident viruses. These are spread via infected floppys. The virus is resident in the boot sector of the disk. Simply acessing the disk will spread the virus to the other computer. The form virus is a memory resident and was apparently present on the disk you used to transfer the files to your lap top. Now...there is good news and bad news <>. The good news is that the Form virus is very common and is little more then a pest. It will not generally destroy data. The bad news is that many/all of your disks and computers may well be infected. In order to make certain the virus is gone, you will need to scan/clean each computer and every floppy. If there is one infected floppy in your office you run the risk of reinfecting the office. floyd.patterson@ssbbs.org * SLMR 2.1a * Open mouth, insert foot, echo internationally. 
- --- * Synchronet * System Support BBS (303) 469-9359/9389 Barry Young
- ----
+----------------------------------------------------------------------+
| System Support BBS 303-469-9359 Zoom 24v.fc  303-469-9389 Zoom 28v.fc |
| Denver, Colorado__MetroLink Hub and InterNet/UseNet Node              |
+----------------------------------------------------------------------+

------------------------------

Date: Sun, 08 Jan 95 10:21:22 -0500
From: alans12345@aol.com (Alans12345)
Subject: Anti-Virus Comparison (PC)

Does anyone know of a document comparing the test results of various
anti-virus software? I'm trying to convince someone that F-Protect is indeed
one of the best ones but some test results would certainly help.

Alans12345@aol.com
71730.141@compuserve.com

------------------------------

Date: Sun, 08 Jan 95 14:18:02 -0500
From: caveman@crl.com (Travis Berthelot)
Subject: Is it possible to bypass TSR anti-viruses? (PC)

Is it possible for a virus to bypass TSR virus scanners like VSAFE.com that
comes with MS-DOS 6.0, by somehow getting the original value of the vector
table entry for interrupt 21h, 13h ROM disk services etc.? Then each time
before the virus begins to infect a new host it replaces the vector table
with the original vector entries and continues the infection, and afterwards
sets them back to what they were. I'm sure it's possible, but the virus would
have to be in the MBR or have a SYS file infected so that it could get the
original values before the driver is loaded into memory. Or is it possible to
get the original entries even after the TSR is loaded? I need to know. So if
u are educated in this area plez respond ;)

The man...
Trav

------------------------------

Date: Sun, 08 Jan 95 16:04:12 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re:just how safe is Vsafe? (pc)

jfredian@pepperdine.edu (The Mermaid) Re: Just how safe is VSAFE? (PC)
5 Jan 1995 14:47:59 Wrote:

>Well, I don't know about how well it keeps viruses off the computers, but
>I work in a computer lab at a university, and we're cleaning all our computers
>out (it's winter break), and we cleaned all the viruses off the PCs, and
>one of the files that was attacked by a virus (Kela, I believe) was
>VSAFE....

Yes, but You have better Anti Virus packages that will give an accurate
detection and removal of Viruses. Statistics reveal that Vsafe/Msav of DOS is
not completely "Secure/Accurate"; this does not mean that You could not use
it.

I Strongly recommend these products:

 * F-prot (ver 2.15)
   [This product could use Scanning and heuristic techniques]
 * Integrity Master (ver 3.15)
   [This product uses Integrity Checking and Scanning techniques]
 * TBAV (ver 6.25)
   [This product uses Scanning/Heuristic/I. checking techniques]

Warm Regards
Ruben Arias
RALP Computer Security

- -----------------------------------------------------------------------------
Ruben Mario Arias                  |> /| | |> |\ | | |_ |
E-mail: ruben@ralp.satlink.net     RALP - Computer Security - Virus
Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 08 Jan 95 18:33:52 -0500
From: S1094896@cedarville.edu (Derek Shaw )
Subject: SOBOLANUL virus (PC)

Does anyone have any information about a virus called SOBOLANUL? I'm a tech
who went to clean TEQUILA off a computer, but SCAN and F-PROT could not find
it. SCAN finds traces of TEQUILA in memory but not in any files. When I looked
at an infected file, the string "'SOBOLANUL' virus present" was there. I wrote
a small scan and clean for it, but I would like more information.

Derek G. Shaw
s1094896@cedarville.edu
derek@cactus.cedarville.edu

------------------------------

Date: Sun, 08 Jan 95 22:01:56 -0500
From: af930002@v9001.ntu.ac.sg
Subject: write-protection error (PC)

Hello, I am not sure if my PC was infected by a virus. I have a problem I
couldn't solve.

The hard disk can boot, read and run, but cannot write. The error messages
are "write protection", or "drive failure", or "possible virus". I don't know
what's wrong. I can copy files from hard disk to diskette, but cannot copy
files from diskette to hard disk, cannot format the hard disk even low-level
format. In a word, cannot write ANYTHING to hard disk. Can anyone help?

Thanks a lot.
Qian

------------------------------

Date: Mon, 09 Jan 95 01:26:05 -0500
From: "Frans Veldman"
Subject: Re: ThunderByte AV and my boot sector (PC)

xiphoid@netcom.com (Pet Shop Boy) writes:

> Recently I was infected with Junkie virus, and in my frenzy I obtained a copy
> of TBAV. Without reading the manuals, I executed TBUTIL of which one of
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> its features is to create a "virus-resistant" boot sector. Trouble now
> is that nowadays once in a while a new program to be installed will stop
> because it needs to write to the boot sector but CAN'T. I check the manual
> afterwards (yeah, stupid me) and figured out that it seems there's no way
> to put back a boot sector without some stupid prompt popping up on my
> screen saying "Boot Sector Possible Virus. Overwrite?" I've fdisked my
> hard drive with and without the /mbr switch, low-level formatted, all
> while crossing my fingers, because I knew that seriously speaking none of
> these procedures would delete the "hidden" sector or whatever on my hard
> drive that's preventing boot sector writes without prompts. So I'm asking
> for help... is there any way to remove that TBAV prompt and/or write a boot
> sector on my hard drive without the prompt? I mean, hell, does this mean
> I finally get the chance to degauss my hard drive or something?

It means you just have to read the manual carefully. Even if you didn't,
TbUtil explained on the screen what it was about to do, how to remove it
afterwards, etc. If you are one of these people keeping your finger on the
'Y'-prompt without reading *anything*, well...

Anyway, boot from a write protected bootable diskette, run 'TbUtil restore'
(you have made a backup of the original MBR and put it on a diskette, didn't
you?) or use FDISK /MBR to create a new MBR.

- --
Thunderbye,
Frans Veldman

<*** PGP public key available on request ***>
Frans Veldman            Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl     Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet      Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Mon, 09 Jan 95 01:26:08 -0500
From: "Frans Veldman"
Subject: Re: ThunderByte CRC checking (PC)

blendrhd@netcom.com (Blenderhead) writes:

> Subject: ThunderByte CRC checking (PC)
>
> I am using version 6.26 of ThunderByte and have noticed something that I
> find to be a little disturbing. When Thunderbyte checks the CRC values
> in the anti_vir.dat file, it fails to detect altered programs.
>
> This is what I did. I used TBSETUP to create the anti_vir.dat file. Then
> I went in with diskedit and changed a bunch of bytes and saved it back.
> Then I ran TBSCAN and it said "CRC verified". However TBSETUP when run a
> second time, reported that one program had changed CRC.
>
> This seems to be a bug. Has it been fixed? It is worthless to have
> TBSETUP detect it because all it does is update the signature file. If I
> changed the file entirely, then TBSCAN would notice, but not if I changed
> bytes within it.

Some quotes of the manual:

  TbScan performs an integrity check automatically, and it does not have
  the false alarm rate other integrity checkers have. The goal is to
  detect viruses and not to detect configuration changes!

  Note that TbScan only reports file changes that could indicate a virus.
  Internal configuration areas of program files may also change, but
  TbScan does normally not report this. However, if a file gets infected
  with any virus - known or unknown - the vital information will change
  and TbScan will indeed report it to you!

So, TbScan distinguishes between changes that are the result of a virus
infection, and changes which are not the result of a virus infection, like
internal configuration changes, etc.

> Now a CRC is a CRC and it should not matter that TBSCAN only checks the
> beginning and end of the program when looking for infections. Does this
> sound reasonable?

No, because that is not what TbScan is doing. It is far more complex. TbScan
follows the execution flow within the program, and only checks those
instructions which are executed when the program starts up. If you alter a
byte somewhere in a text string in the program, TbScan won't bother you with
a virus message, since a change in a text string only does not indicate that
the program is infected.

The purpose of TbScan is to detect viruses, not changes in programs. If you
want to detect changes to program files you should use another product. Be
prepared to receive many 'Program changed' reports which do not indicate a
virus at all. But that is what you obviously want.

If you want to 'test' an anti-virus product, you should rather use REAL
viruses to perform the test, instead of assuming what the product is doing
and trying to get it triggered. Actually, any test on anti-virus products
without real viruses can be used as a false alarm test. In your case, with
random changes in a program, if TbScan would have reported this as a possible
virus then it would have been a false alarm! The better the anti-virus
product, the more difficult it is to fool it with non-viruses.

- --
Thunderbye,
Frans Veldman

<*** PGP public key available on request ***>
Frans Veldman            Phone (ESaSS)  + 31 - 80 787 881
veldman@esass.iaf.nl     Fax   (ESaSS)  + 31 - 80 789 186
2:280/200.0@fidonet      Fax   (VirLab) + 31 - 59 182 714

------------------------------

Date: Mon, 09 Jan 95 06:55:50 -0500
From: "A.Appleyard"
Subject: Jumper alias _2kb; Natas / Trident confusion by SCAN?
(PC)

This morning SCAN (the sort that comes with a separate CLEAN) said that one
of my department's PC's had _2kb in its C: boot sector. Can _2kb infect
multiply? Also, SCAN v2.13 said that several of its .COM files had NATAS
virus, but the abovementioned older SCAN said instead that they had TridenT
virus. Why the name difference? (CLEAN removed some of the TridenT's but not
all, and I had to restore the affected files from other PC's or from our
server.)

------------------------------

Date: Mon, 09 Jan 95 07:10:21 -0500
From: sayhow@technet.sg (Foo Say How)
Subject: Hardware Virus Protection (PC)

Ok guys/gals, I need some help. The PC I have installed in Batam (an island
south of Singapore, belonging to Indonesia) is constantly hit by viruses.
Looks like education does not work, and software protection did not really
help much if the users insist on doing things their way. So I may have to
resort to hardware locks which are available in Singapore, or if necessary
from overseas.

Any suggestion or experience is welcome. What type of planning do you have to
prevent viruses from affecting your systems?

- --
FOO SAY HOW .... foo say what .. foo say who ... foo say when .. foo say why
- ------------------------------------------------------------------------------
Please note E-Mail address changed due to host configuration changes
NEW E-MAIL ADDRESS : sayhow@technet.sg
Company: Systran (S) Pte Ltd
ADDRESS: 133 New Bridge Road #21-01, Chinatown Point, Singapore 0105
TEL: 65-7327007, 65-5388449    FAX: 65-5388515

------------------------------

Date: Mon, 09 Jan 95 09:37:16 -0500
From: F.Kooger@vanveen.nl (Frank Kooger)
Subject: What is this 'F' virus (PC)

Since this weekend (after a lot of searching and downloading from the NET) I
have a virus in my PC which now and then places an 'F' as a prefix in the
line 'MS-DOS wordt gestart', which is the Dutch equivalent for 'MS-DOS
loading' or something like that. It then looks: 'FMS-DOS wordt gestart', and
the PC hangs.

For the time being I can repair that by booting and 'sys'ing from a floppy.
Does anyone know this virus and what to do against it?

thanks,
Frank Kooger, Holland

------------------------------

Date: Mon, 09 Jan 95 10:17:57 -0500
From: Kevin.Melcher@LeRC.NASA.GOV (Kevin J. Melcher)
Subject: Where to get CPAV Updates (PC)

Anyone know if CPAV updates are available from anywhere besides the Central
Point bulletin board? I can easily obtain stuff via FTP via the internet but
I have no reliable modem.

Also, I've seen some posts about F-PROT. Do you know how it compares to CPAV?
Where might one obtain a copy?

Thanks

:: Kevin J. Melcher                 :: ORG:   2560/System Dynamics Branch
:: NASA Lewis Research Center       :: EMAIL: kmelcher@lerc.nasa.gov
:: 21000 Brookpark Road, MS 77-1    :: PHONE: 216-433-3743
:: Cleveland, Ohio 44135-3127       :: FAX:   216-433-8643
::
:: Opinions are mine & do NOT represent any official position by my employer.

------------------------------

Date: Mon, 09 Jan 95 12:16:13 -0500
From: vonburg@ifr.mavt.ethz.ch (vonburg)
Subject: McAfee Scan 2.1.213 false alarm with BEER.2794 virus ??? (PC)

I checked my disk and floppies with McAfee 2.1.3 and its virus list V2.1.213
and received an alarm for one single file SR340.SYS (Tiga driver) with a
possible infection by BEER.2794. This file is about 3 years old and is called
at boot every day. Although with the former lists V2.1.212 and 2.1.211 check
for this virus I didn't get an alarm.

False alarm ??? Can anybody confirm ??? Which other scanner is able to
crosscheck ???

Thanks for any help
Peter

***************************************************************
* Peter von Burg, Institut fuer Robotik, ETH Zuerich          *
*                                                             *
* Mail:   ETH-Zentrum, CH-8092 Zuerich, Switzerland           *
* Phone:  ++41 1 632 27 80                                    *
* Fax:    ++41 1 632 11 95                                    *
* e-Mail: vonburg@ifr.mavt.ethz.ch                            *
*                                                             *
***************************************************************

------------------------------

Date: Mon, 09 Jan 95 13:52:07 -0500
From: "Fred E. Rosenblatt"
Subject: Problems removing PHNX2000 (PC)

I am having problems removing a PHNX2000 virus that McAfee scan 2.1.3 has
reported. When I boot from a clean write protected floppy disk, I get:

===
Scan V.2.1.3 Copyright (c) McAfee, Inc. 1994. All rights reserved.
Virus data file V2.1.213 created 11/15/94 7:01:01
01/06/95 10:44:27
Options: /REPORT c:\user\report.vir

Traces of PHNX2000 virus found in memory!
This may be an active virus, or an image left by a previous operation
===

When I select the /NOMEM option no virus is found. McAfee scan117 does not
find any virus in memory and locks up when "Scanning for known viruses".

The PC is a Tandy 1110 HD Notebook and the main processor is a NEC V20,
16MHz.

Fred Rosenblatt             rosenbla@lafayette.edu
Computer Programmer         rosenbla@lafayett.bitnet
Lafayette College           (610) 250-5501
Easton, PA 18042

------------------------------

Date: Mon, 09 Jan 95 17:08:11 -0500
From: ad809@freenet.toronto.on.ca (Ali Emami)
Subject: I think I have a virus PLEASE help!!!! (PC)

Hi
I was just wondering what should I do if I have a virus that can't be
detected? I already have Norton Anti-Virus and McAfee Scan 117 but both of
them can't detect anything.

Ok here is why I think I have a virus. When I turn on my computer I go to
play a game or something, after about one hour my computer reboots by itself.
After that it becomes a random thing. Every few minutes my computer reboots
by itself. I think this type of virus is called a Boot Sector Virus or
something.

If anyone could PLEASE tell me where to find an anti-virus that can detect
and kill this type of virus I would really be grateful. This is a very
annoying problem. And I would really appreciate it if anyone could help.

Oh and by the way if you decide to help do not post your answer because I
hardly ever read any newsgroups. But instead could you please E-mail me at:
ad809@freenet.toronto.on.ca with the FTP site or whatever of where I could
find an anti-virus that kills the type of virus I explained.

Thanks a lot
Ali Emami
Jan.9 1994

------------------------------

Date: Mon, 09 Jan 95 17:29:47 -0500
From: cshema@laventeli.cs.uta.fi (Helenius Marko Tapio)
Subject: Press statement re Gatekeeper (PC)

I am including here our statement on a press release Data Fellows published
recently. There was a need for the statement, because the press release was
misleading and gave a strongly wrong impression of our work. I personally
disapprove of the way our test reports were quoted and I hope there will not
be a need to respond to quotations in the future.

Best Regards,
Marko Helenius

- ------------------------------------------------------------------------------

VIRUS RESEARCH UNIT'S STATEMENT ON THE QUOTATION DATA FELLOWS MADE IN THEIR
PRESS RELEASE CONCERNING GATEKEEPER'S BETA VERSION

Data Fellows made in December 1994 a press release where they are advertising
Gatekeeper. In the press release they based their arguments for Gatekeeper's
performance against polymorphic viruses on research papers published by the
Virus Research Unit. However, the quotation was unfortunate. The original
test reports did not include a test of Gatekeeper's beta version and the
quotation is only a selective part of the test reports. Therefore the Virus
Research Unit cannot take any responsibility for the results in the press
release concerning Gatekeeper or its beta version.

Those who want to compare the original test reports with the results in the
press release may download the original test reports via anonymous ftp as

  ftp.informatik.uni-hamburg.de: /pub/virus/texts/tests/vtu/wildtest.zip

_____________________________________________________________________________
Virus Research Unit, University of Tampere, Department of Computer Science,
P.O.BOX 607, 33101 TAMPERE, FINLAND, E-mail: cshema@uta.fi

- --
____________________________________________________________________________
Marko Helenius, University of Tampere, Virus Research Unit, Department of
Computer Science, P.O.BOX 607, 33101 TAMPERE, FINLAND,
Tel: +358 31 215 7139, Fax: +358 31 215 6070

------------------------------

Date: Mon, 09 Jan 95 18:47:56 -0500
From: umfauche@cc.UManitoba.CA (Ryan Ulric Faucher)
Subject: Natas Virus (PC)

Any information that anyone currently has on where I can obtain information
on viruses (databases or otherwise) would be greatly appreciated. I am
currently working on a research paper which, due to current incidents, I have
decided to complete on viruses. Of particular interest to me is the Natas
virus. If you have any knowledge of this virus or where I may find some please
email the location of this information to me at: umfauche@cc.umanitoba.ca

Thank-you,
Ryan Faucher.

------------------------------

Date: Mon, 09 Jan 95 19:12:40 -0500
From: ftijdens@pielab.knoware.nl (Folkert Tijdens)
Subject: Re: Entire files in my DOS dir turning to NULLs!!! (PC)

myroon@ee.ualberta.ca says...
>
>Hi all... I seem to be having some sort of problem that looks like a
>virus. In my DOS dir (and only there from what I've seen so far),
>entire files are turning to nothing but NULL characters. That is to
>say if you look at them in hex mode, they are nothing but 00 00 00 00
>00 00 00 etc... The file sizes remain the same and the dates do not
>change! I've tried the latest versions of McAfee's Scan and F-Prot
>2.15. Neither tell me of any virus.
>
>If anyone has any info.. thanks!

I had exactly the same experience a few months ago. I also could not find a
virus. I have no idea when it happened or what caused it. It took some time
before I even discovered it, and most of my backups were wrong by that time
too.

------------------------------

Date: Mon, 09 Jan 95 21:35:23 -0500
From: steveschmitz@ins.infonet.net
Subject: Re: Stealth C virus (PC)

jfredian@pepperdine.edu (The Mermaid) writes:
>I saw this virus about a week ago, and I think the McAfee scanner said
>it was a strain of the Genb virus. The virus was in the boot sector of
>the disk, and the only thing we knew to do was to reformat the disk. If
>anyone else knows any other ways of ridding floppies of this virus, please
>post. Thanx.
>

We've had about 3 or 4 PC's struck by the Stealth_C virus. It is infecting
the master boot record of the disk. Besides infecting the disk, what will
this virus do? The only indication we had of its presence was that Windows
would not load if EMM386 was supplying upper memory blocks and we booted off
the infected disk.

------------------------------

Date: Tue, 10 Jan 95 03:34:12 -0500
From: vonburg@ifr.mavt.ethz.ch (Peter von Burg)
Subject: False alarm with McAfee 2.1.3 ??? (PC)

I receive a virus alarm with McAfee 2.1.3 and its Viruslist 2.1.213. The file
SR340.SYS (Tiga driver) is supposed to be infected by BEER.2794. With
previous viruslists I don't get an alarm although the virus is listed. The
file has been running on my system for a few years and as no other file is
reported as corrupt I suspect a false alarm.

Any confirmation ??? Any doublecheck possibility ???

Thanks for your help
Peter

***************************************************************
* Peter von Burg, Institut fuer Robotik, ETH Zuerich          *
*                                                             *
* Mail:   ETH-Zentrum, CH-8092 Zuerich, Switzerland           *
* Phone:  ++41 1 632 27 80                                    *
* Fax:    ++41 1 632 11 95                                    *
* e-Mail: vonburg@ifr.mavt.ethz.ch                            *
*                                                             *
***************************************************************

------------------------------

Date: Tue, 10 Jan 95 04:19:13 -0500
From: moeza@ifi.uio.no (Moez Ben Lamine Abidi)
Subject: Virus called ALIENINI 64 ???? (PC)

Hallo
Does anyone know anything about this virus? Which anti-virus program can be
used to take it away???

Thank you
Moez
e-mail: moeza@ifi.uio.no
Norway

------------------------------

Date: Tue, 10 Jan 95 06:26:32 -0500
From: "A.Appleyard"
Subject: SCAN; NATAS (PC)

Today I had NATAS on another of my PC's. SCAN v2.13 in /CLEAN mode
successfully removed it from .EXE and .OVL files but not from .COM files. It
also had NATAS.MBR in its boot sector.

(1) What is the latest version of SCAN? Where to get it?
(2) When will SCAN be able to remove NATAS from ?
(3) What is the latest version of VET? Can it remove NATAS?
(4) What does NATAS do, except spread?

Please also reply to me personally, so I get the replies quicker.

------------------------------

Date: Tue, 10 Jan 95 07:56:11 -0500
From: merrill@fub46.zedat.fu-berlin.de (Stefan Simon)
Subject: Urgent: NewBug (Genb) virus in RAM. Help needed (PC)

A few days ago a friend of mine detected a NewBug (Genb) virus in the RAM of
his PC. My questions to all of you who read this are:

1) Where does this virus come from ?
2) What effect does it have ?
3) How to get rid of it ?

You would do me a great favour, if you sent all information you have (and of
which you think it could help my friend) to my e-mail address:
merrill@fub46.zedat.fu-berlin.de

Thanx in advance,
Stefan Simon.

------------------------------

Date: Tue, 10 Jan 95 12:14:27 -0500
From: Michael Hemy
Subject: Is this a Virus ???
(PC) I have come accross a very strange behavior which suggests a presence of a virus. I wonder if any of you, have seen a similar manifestation. A friend of mine purchased a new laptop and proceeded moving some of her SW from her old machine to the new one (using diskettes). [ By the way the problem (soon to be described) never manifested itself on the old machine ]. At some point the machine would not boot: it would hang. Further examination showed that it was getting stuck while running power.exe. Removing power.exe from config.sys moved the problem further: it would stop, while trying to load high a routine, with the message: EMM386 - Unrecoverable priviledged operation error #00. Press enter to reboot. Looking further I found that EMM386.exe was causing a problem somehow which was manifesting itself when trying to load high any program. (power.exe tries to load itself high automatically if it can). Also, If I had not loaded anything high, when starting windows I got a message saying that something was present that prevents accessing the disk in the standard way, and suggesting a third party cache SW or a VIRUS !!! msav did not find anything, and after talking to the mfr of the laptop they suggested that some memory may be bad. They suggested replacing the laptop, and so did my friend do. When the new laptop arrived, everything was fine. When she proceeded installing her SW, the problem resurfaced. Since this was a completely new machine I assumed it must have been a virus. I reformatted the HD and reinstalled DOS and WINDOWS. The problem disappeared. Of course she will not try to install her disks now... So, is this a VIRUS, a coincidence or an incompatability ? Thanks, - -- Michael ------------------------------ Date: Tue, 10 Jan 95 14:27:35 -0500 From: Richard van Eckendonk Subject: Re: junk-virus on my PC- Help me!!! !!! (PC) > ct9308@mimas.hts.hsa.nl (J.P. 
Brouwer) > 22 Dec 1994 10:58:24 Wrote: > > >Hi netters, > > > >Two days ago evil struck me: my new PC (not even a week old) > >has been infected with the JUNK-virus. Every single .com-file has been > >damaged. > >First I tried to use the latest version of MCAFEE, but this anti-virus- > >program was not able to remove the virus from my system. > >Since there was not much on my harddisk at that time, I formatted my hd, > >trying to get rid of this torture. > >But again, Murphy's law proved to be right. > > Well, if You want get rid of it You must: > > 1) Turn off Your computer and boot from a "CLEAN" diskette containig at > least DOS version 6.0 or 6.2. > (Include Fdisk in this diskette) > > 2) Perform a FDISK /MBR > > 3) Format Your Hd if You want. But this is NOT necessary. > Only Delete Your files or install them again. It is not necessary to format your Harddisk or delete ALL the files. The Junkie virus is a multi partite virus which infects files, bootsector and master boot sector. Step 1 and 2 are correct (from above) Step 3 should be: Replace the system files on your harddisk by SYS C: Step 4: Scan your system with a virusscanner and clean the infected files (not all files will be infected!) When it's impossible to clean-up these infected files you have to delete them. Remember: Most important thing for scanning viruses is: Boot your PC from a clean bootable diskette before scanning your computer. Some viruses are invissible for the scanner while active in memory Regards, Richard van Eckendonk McAfee Nederland ------------------------------ Date: Tue, 10 Jan 95 14:32:39 -0500 From: Richard van Eckendonk Subject: Re: What are the effects of FDISK/MBR (PC) > Could someone tell me the effects of FDISK / MBR for cleaning a virus??? > Will it affect the disk partitioning??? FDISK /MBR will overwrite your Master Boot Record. This is the first thing your computer starts while booting the PC. 
The code in the MBR reads the information from the Partition Table and searches for the boot sector on the active partition (read from the partition table). Then the boot sector code will be started. This code will finally execute your operating system.

So when the MBR is overwritten, no data is lost (the partition table is not altered!)

Richard van Eckendonk.
McAfee Holland

------------------------------

Date: Tue, 10 Jan 95 18:11:53 -0500
From: trjordan@new-orleans.NeoSoft.com (Todd Jordan)
Subject: ASeXual Virus... (PC)

I had this show up on my computer at midnight between 1 and 2 January. Locked up the machine and printed a one-line message similar to the following.

  ASeXual Virus: Your computer has been personally phucked!

Bummer was... I had no way of knowing what had caused it. I had just scanned with McAfee and MSAV and Norton's and no luck stopping it. As it was I had a clean protected boot disk and was able to reinstall DOS again and slowly root out the problem. It appeared to create com files named for my exe files and corrupted some com files. It failed to get all exes and all com files but who knows why. It also created these com files as hidden and write-protected. Ended up I replaced all executables and it was not too much of a burden.

Has anyone got anything they can share about this with me? Thanks.
--
Todd Jordan, Sysop of Assassin's Lair BBS (504) 362-1636
trjordan@neosoft.com
Todd.Jordan@f80.n396.z1.fidonet.org

------------------------------

Date: Tue, 10 Jan 95 20:40:14 -0500
From: travis.cook@m.cc.utah.edu (Travis Cook)
Subject: Heard of the SPRAYER virus? Help me!!!! (PC)

My computer is sorely affected with the SPRAYER virus. It attacks the boot sector and is a TSR. I cannot boot my computer from my HD, and therefore cannot do a lot of things that I need to. McAfee (the latest version on Simtel) found Sprayer, but was unable to remove it. Clean.exe didn't recognize it.
The newest sig file from CPAV (Jan 6, 1995) did not have SPRAYER in its list!! How can I get this thing off my boot sector without reformatting? This is the second time this has happened, and the first time I did reformat (not knowing what was causing it). Please help if you can...

------------------------------

Date: Tue, 10 Jan 95 22:11:16 -0500
From: cei@technet.sg (Sylvie Ong)
Subject: Info on 69 virus ?? (PC)

Hi,

I seem to be having trouble with the 69 virus in my system. Scan 117 doesn't seem to detect it but scan 2.1.3 can detect it. Scan 2.1.3 cannot clean this virus, so can anyone please advise on this situation?

Also, I can sometimes detect the NYB virus on my system, but when I try to clean it, it cannot be found?

Appreciate if anyone can reply as soon as possible, as I have some code on my system that I need to distribute.

Thanks in advance.
Kenneth Lee

------------------------------

Date: Tue, 10 Jan 95 22:18:32 -0500
From: robb@accessone.com (Rob B.)
Subject: Virus testing of CPAV 2.0 (PC)

There seems to be a lack of information on Central Point Anti-Virus 2.0. The recent FAQ on virus scanning software only covered CPAV 1.0 and 1.4. I assume that 2.0 is an overhaul of the system, since they have now acquired Symantec (Norton) and PC Tools shows the effect.

Has anybody run tests? Are tests on CPAV 2.0 planned? Do I need to do them?

------------------------------

Date: Wed, 11 Jan 95 04:09:35 -0500
From: David Hanson
Subject: ANSI bombs - MORE vs. TYPE (PC)

I know that an ANSI bomb can remap your keyboard if you have ANSI.SYS loaded and you TYPE a file. Can an ANSI bomb remap your keyboard if you use MORE instead of TYPE? i.e.:

  C:\>MORE

------------------------------

Subject: re:Infection via a .WK4 file? (PC)

>From: Kenneth Fribush
>Date: Thu, 29 Dec 94 14:42:26 -0500

>We recently had a problem with the Form virus on a laptop where the
>only files transferred to it were Lotus 123R4 spreadsheets. Is it
>possible for a virus to infect a PC via a spreadsheet file?
>I was
>under the impression that the carrier had to be an executable file (.EXE,
>BAT, .OVL, etc.).

FORM is normally transmitted via the boot sector. So it wasn't in any of the files, but it probably was (is?) on the boot sector of the diskette used to transfer the files. BTW the diskette does -not- have to be bootable to be infected and infectious.

When faced with a FORM infection, the most effective strategy is to isolate and disinfect any infected hard disks, then aggressively seek out and scan/disinfect all diskettes which -may- have come in contact with an infected system. Recurring infections are common, as it is often difficult to find -all- infected diskettes.

HTH. Good Luck!

Dave Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
afrc-mis@augsburg-emh1.army.mil

Any info would be appreciated.

------------------------------

Date: Wed, 11 Jan 95 05:37:14 -0500
From: "A.Appleyard"
Subject: VET queries (PC)

My department's 16 public PCs each call VET automatically once a day. Today PC #2 on its early morning boot-up was an unusually long time in VET, and on exit from VET its file C:\VET_LOG.1 said this:

_________________________________________________
CYBEC Pty Ltd, PO Box 205, Hampton. Vic. 3188, AUSTRALIA. (03/613) 521-0655
VET #7.81 Virus Protection Program. (C) CYBEC 1989-94.
<<< Set up to run from a file server. >>>
Friday, 23 December, 1994 13:07:34
Prepared for Manchester Computing Centre
To run on a PC Compatibles under DOS V6.20
*** Integrity Test O.K. ***
VET is loaded at 02977:0000h. Top of memory is 09EF6:0000h (635K).
Intermediate scan is active.
m:\util\vet\VET.EXE: O.K.
a:\*.*/rlxah=0
Drive A; Reading boot sector ...
DOS Boot Sector Non-std size, may have Jumper virus.
Boot sector is corrupted; Will replace it.
VET can only fix the following sizes;
A 360K B 720K C 1.2M D 1.44M
Enter the size (A-D), if you are certain of it, or Q to abort.
NB. If you enter the wrong size the disk will be destroyed.
: Boot sector should be OK now.
Scanning program files in directory a:\ recursively.
Hit Esc or Q to stop, space to pause.
a:\UUDECODE.EXE has Natas virus. Deleted.
a:\UUENCODE.EXE has Natas virus. Deleted.
3 dir(s) & 133 file(s): 4 files were checked.
2 viruses were found.
All were repaired, renamed, or deleted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(a) What is the email address of the people who write & maintain VET?
(b) That PC's hard disk is C:, and at the time it had no floppies in. Why then did it say it found an infected file on `a:'???
(c) How do I get it to clean infected files rather than deleting them?

------------------------------

Date: Wed, 11 Jan 95 11:11:38 -0500
From: dangelo@drmail.dr.att.com (131E50000-D(DR2641)283)
Subject: NATAS virus (PC)

Does anyone have any technical information about the NATAS virus, i.e., how it infects, the best way to eradicate it, etc.?

Thank you,
Diana M. D'Angelo (dangelo@dr.att.com | diana.dangelo@att.com)
(303) 538-4274
AT&T Bell Laboratories
11900 N. Pecos St. Room 31F-18
Denver, Colorado 80234

------------------------------

Date: Wed, 11 Jan 95 14:55:43 -0500
From: dburnett@garnet.msen.com (Doug Burnett)
Subject: Best AV software for LAN? (PC)

What is the most widely used AV software on LANs? I'm new to the subject and trying to figure out who the big players in LAN AV are. Cheyenne? Intel? Who are the others?

TIA - Doug

------------------------------

Date: Wed, 11 Jan 95 16:11:54 -0500
From: corporon@wizard.cse.nd.edu (phillip corporon)
Subject: Monkey virus on Stacked Hard Drive (PC)

I've come across a computer with the Monkey virus; it also has Stacker installed on it. When I start the process to eradicate the virus by booting from a floppy, I can no longer "see" the drives, since the drivers are invoked via the config.sys file. I've duplicated the HD's config.sys file, and appropriate binaries, on the boot floppy, but that did not work either.
Bottom line: How does one remove the Monkey virus from a "Stacked" hard drive? In the meantime, how does one enable a Stacked hard drive while booting from a floppy?

Thanks...Phil.
--
corporon@nd.edu

------------------------------

Date: Wed, 11 Jan 95 21:51:28 -0500
From: S1094896@cedarville.edu (Derek Shaw )
Subject: Wanted: info on Sobolanul virus (PC)

I came across the SOBOLANUL virus where I work. I wrote a scan and clean for the virus and removed it from the computer, but I don't have much information on the virus. Current versions of McAfee's Scan and F-Prot don't scan for Sobolanul. Does anybody have any information?

Derek G. Shaw
S1094896@cedarville.edu

------------------------------

Date: Wed, 11 Jan 95 23:09:09 -0500
From: johnnyl@iti.gov.sg (Johnny Lee Tiong Chye)
Subject: '69' Virus & McAfee 2.1.3 (PC)

Recently, after we started using McAfee 2.1.3, we discovered that some of our PCs were infected with the 69 boot sector virus. This virus shows an unstable state, as it appears and disappears on and off a PC and diskette. Our earlier version of McAfee 2.1.1 is unable to detect it. McAfee 2.1.3 is able to detect the virus but not clean it. For infected hard disks, we use FDISK/MBR to remove the virus. For infected diskettes, we backed up the files and reformatted the diskettes.

Will really appreciate it if anyone can throw some light on the following queries:

1. Is 69 virus a genuine boot sector virus?
2. If so, where does it originate from and what harmful effects (if any) can it cause?
3. What is a safe and easy method of removing the virus?
4. Does McAfee have a disinfector for the virus?
5. Any other info on the virus?

Thanks very much!
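Two posts in this issue lean on FDISK /MBR: Richard van Eckendonk's explanation that it rewrites only the boot code and leaves the partition table intact, and Johnny Lee's use of it against the '69' boot sector virus. The following is an added example, written for this digest and not code from any of the posters or from McAfee, that makes the layout concrete: it parses the 64-byte partition table of a 512-byte MBR, models FDISK /MBR as "replace the first 446 bytes, keep the rest", and does an integrity comparison of the code area against a known-good image. The disk images are constructed test data, and the "clean" loader is filler that only begins with the usual DOS MBR prologue bytes. One caveat the model makes visible: it holds only for viruses that overwrite the code area and leave the table where it is. A virus that relocates or encrypts the partition table (Stoned.Empire.Monkey, asked about elsewhere in this issue, is the classic case) leaves FDISK /MBR writing a clean loader in front of an unusable table, so inspect the table before rewriting.

```python
"""
Model of what FDISK /MBR does to a master boot record: it rewrites the
446-byte boot-code area and leaves the 64-byte partition table and the
0x55AA signature alone.  Added example, not code from the digest; the
disk images below are constructed test data, not real MBRs.
"""
import struct

MBR_SIZE = 512
CODE_SIZE = 446            # bytes 0..445: boot code, the part FDISK /MBR replaces
TABLE_OFFSET = 446         # bytes 446..509: four 16-byte partition entries
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"    # bytes 510..511: boot signature


def parse_partition_table(mbr):
    """Decode the four partition entries; raise if the sector is not a valid MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def rewrite_boot_code(mbr, clean_code):
    """FDISK /MBR in miniature: new code area, same partition table and signature."""
    if len(clean_code) > CODE_SIZE:
        raise ValueError("boot code must fit in 446 bytes")
    parse_partition_table(mbr)  # refuse to touch something that is not an MBR
    return clean_code.ljust(CODE_SIZE, b"\x00") + mbr[TABLE_OFFSET:MBR_SIZE]


def boot_code_matches(mbr, known_code):
    """Integrity check: does the code area equal a known-good image?"""
    return mbr[:CODE_SIZE] == known_code.ljust(CODE_SIZE, b"\x00")


def build_mbr(code, partitions):
    """Assemble a test MBR from a code blob and (bootable, type, lba_start, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba_start, sectors)
        for bootable, ptype, lba_start, sectors in partitions)
    return code.ljust(CODE_SIZE, b"\x00") + table.ljust(4 * ENTRY_SIZE, b"\x00") + SIGNATURE


# Constructed sample data (assumption, not real disk contents).  INFECTED_CODE is
# filler standing in for viral boot code; CLEAN_CODE is filler standing in for the
# DOS loader (it begins with the usual cli / xor ax,ax / mov ss,ax / mov sp,7c00h
# prologue and then NOPs, which is enough to tell it apart from the filler).
INFECTED_CODE = b"VIRUS-BOOT-CODE" * 10
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
SAMPLE_PARTITIONS = [
    (True,  0x06, 63,     204737),   # primary FAT16, active
    (False, 0x05, 204800, 409600),   # extended container
]
INFECTED_MBR = build_mbr(INFECTED_CODE, SAMPLE_PARTITIONS)


def demo():
    """Clean the sample MBR and report whether the partition table survived."""
    before = parse_partition_table(INFECTED_MBR)
    cleaned = rewrite_boot_code(INFECTED_MBR, CLEAN_CODE)
    after = parse_partition_table(cleaned)
    return {
        "table_preserved": before == after,
        "code_replaced": (not boot_code_matches(INFECTED_MBR, CLEAN_CODE)
                          and boot_code_matches(cleaned, CLEAN_CODE)),
        "active_partition_lba": next(e["lba_start"] for e in after if e["bootable"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison in boot_code_matches is only meaningful on a sector read after a clean floppy boot: a resident stealth boot virus serves the original, clean sector to anyone reading the MBR through the BIOS, which is exactly why the first post in this issue insists on booting from a clean diskette before scanning.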
------------------------------

Date: Fri, 03 Feb 95 13:17:12 -0500
From: Zvi Netiv
Subject: InVircible review in Virus Bulletin - part 1 of 2 (PC)

In reply to an article published in Virus-L:

> Date: Tue, 20 Dec 94 00:24:39 -0500
> From: 91406723@brt.deakin.edu.au
> Subject: Unfavourable InVircible Review (PC)

> I have just finished reading a product review of the InVircible v5.07A
> anti-virus software product in the December '94 issue of the Virus
> Bulletin.
> Can anyone out there defend this review as it raised serious issues
> with the product. The conclusion drawn was to avoid it.

I am the author of InVircible, the product that the Virus Bulletin "reviewed" in its December 94 issue.

The "product review" in the December issue of the Virus Bulletin lacks the customary warning one usually gets with fictional publications, which states: "Any resemblance between the product reviewed in this article and any real products on the market is purely imaginative and not real..." etc. The poster may also have noticed that the Bulletin didn't attach any comments to the review from the product's developer, which is only courteous, to balance the negative and highly opinionated article.

In late July '94 I was "overwhelmed with honor" :-) when the Bulletin called upon me to say they had decided to prepare a review of InVircible. It did seem unusual to me that VB would want to review a product that, at that time, was barely known. I have to admit, here, that I do not subscribe to the Bulletin, since $400 per year seems expensive and unjustified for a publication that doesn't contribute anything to the development of my product.

At the Bulletin's request, our US distributor sent VB a software package with documentation, accompanied by my offer to assist the Bulletin and answer any questions the reviewer might have.
For three months I didn't hear a word from VB, although I did keep updating Richard Ford, the editor, and his assistant Megan Palfrey, with all current developments in IV. Some of the developments were of prime importance, such as the introduction of the generic correlator (IVX), which replaced the phased-out virus scanner.

I would like to give you some background information regarding the Virus Bulletin at this point. VB is by its own definition a "prestigious publication" about virus and antivirus matters. Somewhere in the fine print, one will find that the Bulletin belongs to the Sophos group, which is the producer of Sweep, a scanner-based antivirus package that competes with other scanner-based AV software. To support its appearance of excellence, and justify its overbearing price, VB presents you with an impressive gallery of famous names on its board of editors.

In late November 94 I finally received Richard Ford's reply (he also identifies himself as "Dicky" Ford on CompuServe's forums) with a draft of the review. Richard gave me three days to comment on a three-page review that took VB almost three months to prepare. I was obviously naive in letting the Bulletin prepare the unsolicited (on my part) review, and played into the Bulletin's hands.

Upon reading Dr. Keith Jackson's article (the VB reviewer), it became pretty obvious that VB had an ulterior purpose in the review. They were not interested in reviewing an antivirus package that was, and is, becoming increasingly known for its effective and sophisticated approach to viruses. Their motive was simple: To kill InVircible as a viable competitor to their own conceptually outdated product before it became a real threat to the established and entrenched AV industry, and probably to the very existence and need for a publication like the Bulletin. The editors weren't ignorant of the fact that a product like InVircible could develop to the stage it has without needing virus sources and libraries at all.
The antivirus industry's existence depends on its ability to rapidly put its hands on new viruses and produce updates in the losing battle it conducts against the flood of new viruses written every week. Five years ago, the antivirus producers didn't collaborate with each other. Everyone operated in isolation. But since 1990, most producers have understood that their only chance for survival was in collaboration, at least at the level of exchanging information on new viruses, since none of them could afford the effort required to do this alone. That's how organizations like CARO, the NCSA and the Virus Bulletin came about.

As InVircible is not an antivirus "scanning" product and it does not depend on a constant "feed" of new virus signatures, its independence could become dangerous to the rest of the industry. End-users could discover that they have been fooled for years into thinking that frequent "updates" to AV products were necessary for effective antivirus protection. This mistaken belief on the part of end-users has kept them a captive market for AV developers that produce ongoing and many times unnecessary antivirus updates. The developers make money from the erroneous belief of end-users that AV protection requires them to frequently update. This is only true for products that use virus-specific methods of detection and repair. InVircible, on the other hand, is a generic product that does not function primarily on the basis of virus-specific detection and repair routines. Therefore, it does not need to be frequently updated.

The VB strategy was simple: As most users and readers equate antivirus protection with scanning, then show what a "poor" scanner InVircible is and it's dead! :-) It doesn't matter that IV isn't a scanning antivirus at all. It doesn't matter that InVircible offers far superior antivirus protection using generic methods.
Since end-users have been led to believe that only "scanning" will protect them, InVircible will be perceived as useless if it is shown to have a poor virus "scanning" detection rate. After the Bulletin gave its verdict to "avoid" InVircible, most end-users wouldn't even bother to evaluate it independently. In effect, they would never learn about an alternative to traditional "scanning"-based approaches to antivirus protection, and the industry would be preserved.

When I told Richard Ford that his review was full of factual errors and that the reviewer didn't even evaluate all of InVircible's different functions (the reviewer admitted this himself!), he then gave me the Devil's choice: Either to add a 500-word rebuttal, or to see the review published without it. I asked in return either to publish my rebuttal in the same issue, with the same length as the VB review, or to abstain from publishing the maliciously intended and fabricated review. I would have been a fool to legitimate the review by accepting Richard's disingenuous and deceptive offer of a 500-word rebuttal. Richard has ignored my messages and faxes since I refused to accept his offer; and he didn't even give me the courtesy of informing me that the Bulletin had published the review. As said earlier, I do not subscribe to VB and I have no intention of doing so.

The biggest farce was yet to come. Since I didn't want the Bulletin to make "corrections" to the flawed review, I requested that the floppy with the program be returned to me and THAT THE REGISTRATION BE UNINSTALLED BACK FROM THE HARD DISK TO THE FLOPPY, before it was returned to me. Dr. Jackson, the reviewer, replied that he had airmailed the floppy back. But, and this is important, he couldn't uninstall the registration from the machine he used for preparing the review since, "The computer in question is currently 300 miles away, and is in use by somebody else."
When I checked the returned diskette, the TWO REGISTRATION KEYS WERE ON THE FLOPPY, which simply means that the software was never installed properly to the hard disk; and the reviewer could not, and did not, evaluate InVircible in its "full authorization" mode of operation.

Furthermore, Dr. Jackson gives proof by his own words that he failed with the installation. At the end of the review he writes: "Many features are unavailable unless execution takes place from the original floppy disk, not a backup copy." The facts are that once the installation is properly completed, the original floppy can be stored in a safe place and _all features are available_ with no restrictions!

This means that the review is based on an evaluation of InVircible in its "sentry" shareware mode of operation. A few advanced features of InVircible are non-functional until the product is registered. One such function is the generic integrity checker's (IVB) ability to restore virus-damaged files to their original condition, byte-for-byte, right down to their original time and date stamp! The registered IVB can restore virus-damaged files more effectively than any other product currently available to PC users.

Draw your own conclusions. Did the Bulletin evaluate InVircible properly? Or did it perform an incomplete evaluation? The conclusion is inescapable. The reviewer did not evaluate InVircible, since he never completely installed it on his system. He admitted in his review that he did not test all of InVircible's programs. However, he did not admit that he failed to evaluate InVircible while it was fully functioning. He didn't even realize the fact that he failed to install the software in "full authorization" mode.

I think most people can draw an additional conclusion from this fact. Dr. Jackson's ability to judge the worth of InVircible should be suspect and viewed carefully. After all, what else might he have failed to do properly?
Rather than leave you guessing about the many errors and factual inaccuracies in the Bulletin's review, I have made annotations to the pre-publication copy of it sent to me by Richard Ford, below.

===================== The VB review, commented. =======================

VB> InVircible: InVincible? by Dr Keith Jackson
VB>
VB> InVircible, 'The World's most effective anti-virus system', claim its
VB> vendors. 'InVircible, The Ultimate Anti Virus Protection', says a file
VB> on the product's master disk. Does the package live up to its claims?
VB>
VB> This product consists of a scanner, several 'repair utilities', and an
VB> integrity checker which claims to be able to detect known and unknown
VB> viruses. It also offers network capabilities and operation under OS/2,
VB> which were not included in the tests, as this review concentrates on
VB> the DOS software. The integrity checker and the scanner include
VB> features which purport to be able to remove viruses from infected
VB> files.

Plain deception. The documentation, both printed and on-line hypertext, states clearly that InVircible is a _generic_ virus detection and disaster recovery system. The documentation emphasizes and strongly recommends that users do not rely on the scanner as the primary AV tool in the package, since it is merely a platform for certain generic techniques, which the reviewer did not test or even understand, as will be described later. By emphasizing InVircible's scanner the reviewer laid the basis for his dismissal of InVircible as an effective AV package in the conclusions of his review. InVircible is not a scanner. The product uses far more effective methods to combat viruses.

VB> Documentation
VB>
VB> The manual, an unbound, unindexed, 46-page A5 booklet, provides a good
VB> description of the theory behind InVircible, and an adequate explanation
VB> of how to use its individual components.
VB> Readability, however, is not
VB> helped by the fact that pages 28A and 28B are simply stuffed in between
VB> pages 28 and 29, with no attempt made to maintain continuity.

Deliberate nit-picking. Even when giving a compliment on the good description of the theory behind InVircible, he cannot refrain from focusing upon meaningless details. It is an insult to the readers' intelligence. It assumes they are unable to recognize that 28a and 28b are provisional inserts offered to users. We think that we render a good service to our customers by providing immediate documentation, as soon as we upgrade the product, rather than withholding it until a new printing of the manual. Unfortunately, it would appear that providing the reviewer with this late-breaking news about the product was insufficient to educate him about it.

By the way, the above insert described the new generic hyper-correlator, IVX, an important addition to IV, that was first introduced in the version sent to Dr. Jackson. It's ironic that when I told Richard that Dr. Jackson didn't understand the product, he still didn't address any questions to me. Here is what Ford answered:

RF> One of the points of Keith's review is that if you want to do things
RF> differently, you need to make certain you explain the logic fully
RF> *in the documentation*.

Well, dear Editor, this is exactly what I did, and Dr. Jackson admitted so himself!

VB> The documentation is prone to making claims which are palpably untrue.
VB> For instance, its scanner is claimed to be 'faster, safer and more
VB> efficient than any other on the market'. InVircible is indeed fast at
VB> scanning, but certainly not the fastest; ThunderBYTE (to name but one
VB> competitor) beats it hands down. The scanner's efficiency at virus
VB> detection is also noticeably poor (see measurements below).
Again: Notice that of the six modules in InVircible the reviewer singles out and focuses upon the scanner, so that he can later justify the one "test" he performed on InVircible, which was of IVSCAN. Dr. Jackson's "test" was not a valid one. Testing InVircible by evaluating IVSCAN's virus detection rate is like evaluating the worth of a weapon based upon the size of its container. We all know that it is the "payload" that counts, not the size of the shell that holds it.

VB> Scanners in general are rubbished in the documentation, in such phrases
VB> as: 'Polymorphic viruses have rendered scanners effectively useless
VB> since they cannot be removed by an algorithmic approach'. This is, of
VB> course, untrue. The manual also contains a two-page diatribe against
VB> memory-resident components, which, despite some salient points, does
VB> spoil its arguments through over-emphasis.

Scanners and their perpetuation are Dr. Jackson's main goal and interest. If InVircible really does what it claims to do, then scanners could become history, and who would then need his expertise in testing them?

VB> Copy Protection
VB>
VB> Regular readers of these articles will know that VB does not review
VB> copy-protected products, taking the stance that such products breach a
VB> fundamental rule of security; i.e. the maintenance of accurate and
VB> plentiful backups of all disks. The introduction to InVircible's manual
VB> states that the product is copy-protected, but when asked, the vendors,
VB> New Castle International, denied this, describing the process as
VB> 'registration or personalisation'.
VB>
VB> The company claims this to be similar to procedures used by products
VB> such as QEMM and Stacker, both of which require user registration
VB> information to be written back to the floppy disk used for installation.
VB> They omit to say that it is possible to make as many backup copies as
VB> desired of QEMM and Stacker floppy disks, and to install from these
VB> backups, unlike InVircible.
VB> Further, the developers claim that this
VB> scheme is 'favored by corporate and institutional users'. If so, why
VB> pretend it is not copy-protected?
VB>
VB> If InVircible is installed from a copy of the original floppy made using
VB> DISKCOPY, not all its features are available, despite the fact that
VB> DISKCOMP thinks the original floppy disk and the copy are identical -
VB> restoration functions are disabled. It is thus not possible to take a
VB> complete backup copy of a floppy disk: where this is so, the product is
VB> copy-protected. The rest is marketing fog, designed to confuse.

Plain rubbish. As explained before, the reviewer didn't even notice that he was evaluating a non-registered copy. Secondly, InVircible is distributed as freeware (the very same software that the reviewer used!) on the Internet, CompuServe, Simtel, AOL and countless BBSs! Furthermore, the registered floppy can be formatted and will retain its registration! Moreover, the rescue diskette, which the reviewer probably never prepared, and which constitutes a crucial component in the InVircible concept, retains a copy of your registration too. The IV ResQdiskette can be duplicated as many times as one wishes by plain DISKCOPY.

Now comes an interesting one! InVircible, in its UNREGISTERED form, is more useful than any other antivirus product. Fact: On New Year's Eve, IVX, the generic hyper-correlator, succeeded in eliminating the SOURCE of repeated outbreaks of a virus in one of the biggest American software enterprises! The virus attacks (by Dark Avenger, alias Eddie) repeated themselves on hundreds of file servers in the production lines, sometimes three times a day! None of the king's horses and scanners used could solve this problem. IVX located the source of the virus immediately. A desperate technician, working for that firm, downloaded InVircible from CompuServe. In a couple of days he figured out how to use and interpret IVX.
With it he found several RELATED droppers (two-stage droppers, very sophisticated activation) and removed them! The technician, without academic training and with no background in virus matters, could figure out in a few days what Dr. Jackson couldn't (or perhaps didn't want to) understand in two months, in spite of his academic degree and his self-proclaimed expertise in virus and antivirus matters!

VB> Installation
VB>
VB> The installation process creates its own directory on drive C, then
VB> scans for viruses, copies the required files, and creates a set of
VB> 'Integrity Signatures'. Two lines are inserted at the beginning of
VB> AUTOEXEC.BAT which verify the PC's integrity before other programs are
VB> allowed to execute. What about viruses which may be inside already
VB> installed EXE files as device drivers when AUTOEXEC.BAT is executed?
VB> Installation also produced a series of high-pitched squeaking noises
VB> whilst InVircible files were being copied. Most odd.

The comment about viruses that install as devices shows that the reviewer didn't actually test IV but rather speculated upon what he read and thought that he understood. If he had tested InVircible instead of speculating about it (based on outdated assumptions and ideas), he would have found and learned how InVircible does it. IV has the most comprehensive generic virus detection techniques there are. The IV tests are PURPOSELY put in the autoexec.bat and NOT in the config.sys, as they are based on the positive identification of viral activity, which shouldn't be confused with activity monitoring. The more programs that are run before IV's tests are launched, the better are the chances of detecting anything suspicious! The reason we install the IV tests at the beginning of the autoexec.bat is to avoid conflicts with other antivirus programs that some intimidated users still keep in their autoexec. Normally, users give up scanning and antivirus TSRs after gaining confidence with IV.
The Antivirus Practice Lab (AVPL), another of our freeware products, expedites this developing confidence, since it provides hands-on, near-real virus experience. AVPL is a must for all the users who depend on other people's (and self-proclaimed experts') opinions! :-)

VB> When the installation process was complete, InVircible had added itself
VB> to the MS-DOS PATH, and five files to drive C's root directory. Such
VB> file scattering is unforgivable. The product's report files are also
VB> created in the root directory, rather than in its own, which would be
VB> far more sensible.

Here is some free advice: When you don't understand the reason for things, either ask or keep silent. People may perceive it as wisdom. But don't cry your ignorance out loud. The "unforgivable" files in the root directory have a purpose. They are there for disaster recovery. As such, they must be traceable even if booted from a floppy, or when started without a search path, or when run from a floppy. In emergency situations one cannot rely on knowing whether IV was installed with its defaults or the user preferred to bury IV deep down in an inaccessible Stacker or DoubleSpace volume!

VB> After everything was installed, a message appeared onscreen saying:
VB> 'Prepare the Rescue Diskette immediately after rebooting'. Rebooting is
VB> requested, not enforced - nothing onscreen warns users to remove the
VB> master disk first. The rescue disk is set up as a bootable floppy, and
VB> information about the partition, the boot sector, and file integrity is
VB> copied across, as are InVircible's own files. This floppy can be used to
VB> great effect when a virus has affected a hard disk.

At last a paragraph with only one insult, underestimating the users' intelligence.

VB> Most of the product's features are accessible from within a single menu
VB> program.
VB> This has a cluttered interface which continually displays a
VB> list of the amount of DOS memory available, the current integrity
VB> database filename, space available on the target disk drive, frequency
VB> with which integrity checks are made, and 'authorization status': i.e.
VB> whether or not copy-protected features have been installed.

Although a reviewer's opinion is acceptable, it seems that Dr. Jackson is surpassing himself in being petty in an effort to discredit IV on all fronts. The user interface is one thing that everybody understands, and the general response to IV's is that users love it. :-)

VB> Scanning
VB>
VB> Buzzwords abound in the scanner as elsewhere in the product: for
VB> instance, the help feature for the scanner says that it is 'equipped
VB> with the SeeThru (c) anti spoofing feature and a generic boot code
VB> analyzer' - plain English would be infinitely more useful than this
VB> jargon.

In Dr. Jackson's language, "buzzwords" stands for "I failed to understand this" or "I failed to test this feature, since I failed to install the program properly on my disk." Which failure on the reviewer's part "buzzword" refers to depends on the specific aspect of InVircible he is discussing. :-)

VB> When InVircible starts a scan, it displays the directory tree of the
VB> selected drive, then waits for the user to select a directory. If the
VB> root directory is chosen, the entire disk is scanned. Scanning an entire
VB> disk or a specific subdirectory seem to be the only available scanning
VB> options, and it is not possible to scan down part of a directory tree
VB> recursively.

Wrong! The menu-oriented mode is a single-directory mode indeed; the command-line one will let you do whatever you wish, including sub-dirs. Just type the \TOP-DIR after the selected command.
:-) VB> InVircible took 1 minute 15 seconds to scan the hard disk of my test PC, VB> a timing which rose to 1 minute 19 seconds when the provided PIF file VB> was used to execute the scanner in a DOS box under Windows. In VB> comparison, Dr Solomon's AVTK took 1 minute 10 seconds to carry out the VB> same task; Sophos' Sweep took 2 minutes 4 seconds in 'Quick' mode, 6 VB> minutes 26 seconds in 'Full' mode. Sounds very good! Yet, IV's scanner is used very rarely, in fact almost only for the installation of IV to the hard disk. The daily scan is the integrity checker's. According to the above performance, it should have taken about 12 seconds, once a day! The routine startup tests of IV take about 1 to 3 seconds, depending on the machine. A once-daily full integrity scan on 450+ MB of files requires about 1 minute and 30 seconds on a DX2-66 machine. Because of its length, this article was posted in two parts. Part 2 deals with key features of InVircible such as accuracy in virus detection and of removing them, integrity checking and generic recovery (which as Frisk - the VB's technical editor - rightfully stated, is one of IV's strongest parts), and the entirely new technology of the generic correlator, which was totally dismissed by the reviewer. 
Commented by Zvi Netiv, NetZ Computing, Israel
email: Zvi Netiv
ftp: ftp.netcom.com/an/antivir/invircible
Fax: +972 3 532 5325

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 6]
****************************************

Message-Id: <9502061222.AA23693@bull-run.assist.mil>
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V8 #8
Date: Mon, 6 Feb 1995 07:15:27 EST

VIRUS-L Digest   Monday, 6 Feb 1995   Volume 8 : Issue 8

Today's Topics:

Student computer labs
New Risk from the WWW
Christmas Virus?
Re: Virus scanner for Unix system (UNIX)
Re: Virus scanner for Unix system (UNIX)
Natas Virus (PC)
PINWORM or PINWORM_G virus: please help! (PC)
"Crazy Boot" virus? (PC)
New, destructive boot sector virus (PC)
ANTICMOS A VIRUS (PC)
JUNKIE.BOOT virus in game (PC)
What is a TAI-PAN virus? (PC)
Stoned virus in memory (PC)
DiskSecure-2.42 for Boot Sector Viruses. (LONG!) [Rev.1] (PC)
ANNOUNCE: FREE Virus Scanning Shell (PC)
Monkey Virus (PC)
Norton (PC)
Vdefend caused false +ve in Scan (PC)
Re: Gen b Stealth Virus (PC)
Form Virus - How to Find It? (PC)
Found NYB virus on friend's computer....NEED HELP! (PC)
JUNKIE.BOOT virus in game (PC)
Re: Monkey on "Stacked" Hard Drive (PC)
WSCAN214 Profiles (PC)
Re: what's wrong? (PC)
Anticmos (PC)
Scan 2.1.3 and 2KB Virus. (PC)
anti-CMOS virus (PC)
KHOBAR virus (PC)
Re: HELP: My pc has gone braindead.. (PC)
Parity Boot virus (PC)
Stoned.Standard (PC)
Re: Anti CMOS type B (PC)
"NoInt" (PC)
Need virus info. (PC)
Novell Lab protection.... (PC)
Virus-Scanning Software (PC)
Re: what's wrong? (PC)
Possible unknown virus (PC)
JUNKIE.BOOT virus in game (PC)
AntiCMOS-A help (PC)
Stealth [genb] Virus -- Crazy Boot Ver. 1.0 (PC)
Is this a virus or logic bomb, or is it a software conflict? (PC)
Monkey (Help) (PC)
Monkey virus (PC)
Help---AntiCMOS & B1 virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 21 Jan 95 10:05:49 -0500
From: brendaa999@aol.com (BrendaA999)
Subject: Student computer labs

I teach computer technology at a community college. We have about a dozen computer classrooms scattered around campus. Some of the rooms are available for student use when classes are not being held in them. I have been put in charge of a committee to set policies for the labs to prevent virus outbreaks. I think this is mainly common sense, but my boss wants me to find out what policies other campuses have. I would appreciate any suggestions or copies of policies from your campus or office. Thanks.

Brenda Arnsdorff
Meridian, MS

------------------------------

Date: Mon, 23 Jan 95 08:28:09 -0500
From: jmacinty@mv.us.adobe.com
Subject: New Risk from the WWW

Hello, this is a crossposting from the Forum on Risks to the Public in Computers and Related Systems; please ignore it gently if you already have seen this contribution. For the rest of you, I guess, this may be interesting.

Best wishes,
Otto Stolz

*** Please use only my new address at uni-konstanz.de, as all Bitnet
*** addresses at DKNKURZ1 have expired, and all Internet addresses at
*** Nyx.Uni-Konstanz.de will do so some time in 1995.

- ----------------------------Original message----------------------------

At the end of January / middle of February this year Microsoft will be introducing Internet Assistant, an HTML creator and WEB browser for Word for Windows 6.0. The WEB browser will read Word 6.0 documents directly, and hence the risk. Word documents can come with programming that will activate on opening. While this has always been a problem, document distribution hasn't generally been widespread until soon from now.

Three types of things I can see happening:

1. Viral type documents. These are documents that will change your normal.dot and copy themselves from document to document.

2. Trojan Horse type 1 documents. These are documents that do something on opening, like delete files etc. ... and possibly even harmless things.

3. Trojan Horse type 2 documents. Really scary documents that communicate BACK to the web-server without your knowing it, sending additional information gleaned from your machine and/or network.

There are some truly scary things that could be done by a creative VBA/CGI programmer. It is unfortunate that these risks exist, because otherwise the ability to have "programmable" documents on the web is a really cool concept. But nonetheless risks like these have to be dealt with.

John

------------------------------

Date: Wed, 25 Jan 95 17:46:05 -0500
From: sgrossin@carleton.edu (seth)
Subject: Christmas Virus?

Hello. Has anyone heard of the "Christmas Virus"? Does such a thing exist? Someone I know can't set the date on their computer. It always reverts to December 25, 1995. She suspects it may be caused by this virus. If you have more info, could you post here or send me mail, please?

--seth

------------------------------

Date: Wed, 25 Jan 95 13:23:47 -0500
From: "Tom Zmudzinski"
Subject: Re: Virus scanner for Unix system (UNIX)

Janet Blackburn 5-3861 posted to VIRUS-L Digest Wednesday, 25 Jan 1995 Volume 8 : Issue 4

> Having reread the FAQ to refresh my memory ...
>
> Is it still the general consensus that scanning for Unix viruses
> is not really necessary?
>
> Would anyone care to educate me further on the subject?

IMNSHO, scanning for Unix viruses on a Unix platform is overkill. However, scanning for DOS viruses on a Unix server may be good business. It depends on one's local environment. It's generally more effective to do the scans as part of the DOS boot, but if you've got some PC clients that receive executable files (e.g. Mail Enabled Applications) and "never" get rebooted, you might want to add centralized virus scanning.

Just my $.02[*]

/z/

[*] Hey, don't laugh! That's a whole dollar after taxes!
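Tom's suggestion of centralized checking of the executables a Unix server hands out to PC clients, worked as an added example in Python (not code from any post on this list): it baselines the DOS executables on an exported tree by cryptographic digest and later reports which ones changed, appeared or vanished. The share layout, file names and file contents are constructed for the demonstration.

```python
"""Integrity baseline for DOS executables served from a Unix host.

Added example, not from the VIRUS-L posts. The Unix host never runs these
files, so it cannot notice a modified one by behaviour; a stored digest can.
"""
import hashlib
import json
import os
import tempfile

# Extensions a DOS client would execute (constructed list for this example).
DOS_EXEC_EXTENSIONS = {".exe", ".com", ".sys", ".ovl"}


def is_dos_executable(path):
    """True for files a DOS client would run: by name, or by an MZ header."""
    if os.path.splitext(path)[1].lower() in DOS_EXEC_EXTENSIONS:
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def file_digest(path):
    """SHA-256 of the file contents (a cryptographic digest, not a short checksum)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each DOS executable under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_dos_executable(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full)
    return baseline


def compare_baselines(old, new):
    """Report executables that changed, appeared or vanished since `old`."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed share: baseline it, alter it, and report the differences."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "apps"))
        with open(os.path.join(share, "apps", "GAME.EXE"), "wb") as fh:
            fh.write(b"MZ" + bytes(64))          # constructed MZ-header stub
        with open(os.path.join(share, "apps", "UTIL.COM"), "wb") as fh:
            fh.write(b"\xb8\x00\x4c\xcd\x21")    # constructed tiny .COM image
        with open(os.path.join(share, "README.TXT"), "wb") as fh:
            fh.write(b"not executable\n")        # ignored: no MZ header

        baseline = build_baseline(share)
        snapshot = json.dumps(baseline)          # what an operator would keep off-box

        # Later: one executable is modified, one appears, one disappears.
        with open(os.path.join(share, "apps", "GAME.EXE"), "ab") as fh:
            fh.write(b"\x90" * 16)
        with open(os.path.join(share, "NEW.EXE"), "wb") as fh:
            fh.write(b"MZ" + bytes(8))
        os.remove(os.path.join(share, "apps", "UTIL.COM"))

        return compare_baselines(json.loads(snapshot), build_baseline(share))


if __name__ == "__main__":
    print(demo())
```

Run as a cron job against the exported tree with the snapshot stored where the clients cannot write, the "changed" list is the alert worth looking at.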
------------------------------

Date: Wed, 25 Jan 95 13:36:57 -0500
From: radatti@cyber.com (Pete Radatti)
Subject: Re: Virus scanner for Unix system (UNIX)

> Date: Fri, 30 Dec 94 10:25:11 -0500
> From: Janet Blackburn 5-3861
>
> Having reread the FAQ to refresh my memory ...
>
> Is it still the general consensus that scanning for Unix viruses
> is not really necessary?

It depends upon what you are doing and what type of equipment you are using. If you are using a PC running Unix then there are lots of viruses that normally run under MS-DOS that will damage your system. There are Unix-only viruses; however, they are still rare. There are a number of books that include detailed explanations on how to write viruses for Unix. Most Unix viruses are written in portable script and can move between versions of Unix with no problem. There is also the Chapter-13 virus, which is a binary infector. The book it was published in mentioned that it will be much more of a problem when all the Unix companies adopt the common binary object format that everyone keeps talking about.

MS-DOS viruses that run on a PC Unix system don't have the same effect as they would on their target system. In general they just trash the filesystem, since they are writing to places where they "think" it should be. In addition, if you are running an emulator for DOS or Mac then they can become infected. Finally, there is always the Typhoid Mary problem, where the Unix system serves out infected files on the network to PCs and Macs. I have personally seen this problem.

A real and common problem on all Unix systems is trojan horses. They are not viruses but still create a lot of damage. The last trojan horse that had widespread coverage over the Internet was called "choosegirl.game". There are also back-doors such as was found in IRC. These forms of attack software are problems and can be located using scanner technology.

I believed that the combined problems of viruses, Typhoid Mary syndrome and other forms of attack software were enough of a problem that I wrote the VFind virus scanner for Unix 5 years ago. I and a whole bunch of other people use it to protect their systems.

[Moderator's note: Good points, IMHO. Additionally, UNIX trojan horses left behind by intruders are _very_ common. These include back doors, stealth-modified system diagnostic tools, audit record modifiers/editors, etc. Periodically scanning UNIX systems for _changes_ to existing executables (not just PC virus signatures) is _very_ good business. Be sure to NOT rely on standard UNIX checksums (a la /usr/ucb/sum), since the trojans mentioned above are frequently installed on a system using a tool known as "fixit", which modifies the executable's 16-bit CRC to match that of the original that it is replacing; MD5 is your friend. Happy hunting.]

From: Peter Radatti
Subject: Heterogeneous Computer Viruses In Unix (Unix)

The following paper was published by me in 1991. It was carried in a security newsletter but was never published on the net. The paper was written for people that didn't understand the problems of viruses as well as the readers of virus-l, so it may be a little slow to read. Feel free to email me any comments, but please remember that the paper was written in 1991, not 1995.

Pete

Technical White Paper

Title: Heterogeneous Computer Viruses In A Networked Unix Environment
Subtitle: Heterogeneous Computer Virus Infections
By: Peter V. Radatti  radatti@cyber.com
Date: September 1991

This paper is intended to inform the Unix and computer communities about formally undocumented computer virus problems. My observations of these problems were made at heterogeneous Unix network sites and confirmed by discussions with system administrators at other sites. I believe that these problems are not limited to Unix or heterogeneous networks. Furthermore, I expect the problem to expand in complexity, scope and virulence.
I have observed non-Unix personal computers attached to a heterogeneous network that were infected with computer viruses originating from Unix workstations. The Unix systems were not the original point of entry for the viruses. The viruses were dormant while on the Unix nodes and became harmful when they migrated to their target systems. The Unix systems acted as unaffected carriers of computer viruses for other platforms of computers. For the sake of simplicity, I have coined the phrase "Typhoid Mary Syndrome" when describing this problem.

Typhoid Mary was an unfortunate New York City carrier of Typhoid Fever in the 1930's. Although Mary was an unaffected carrier of the disease, she unknowingly spread it to members of almost every establishment in which she was employed. The similarities between Typhoid Mary and the computer problem named Typhoid Mary Syndrome are close.

Networks, and specifically Unix because of its ability to provide networked file systems, are susceptible to this problem. Using an example of MS-DOS personal computers on a network of Unix systems, the Typhoid Mary Syndrome would be in effect if the viruses that were targeted against the MS-DOS platforms migrated to the Unix systems. Once on the Unix system, the viruses remain dormant until they migrate to an MS-DOS platform.

I became aware of this problem when I took part in the investigation of an infection of personal computers on a network with a large population of Unix workstations and servers. The virus was manually attacked on the personal computers using virus scanners. During the infection, all of the target platform computers were disconnected from the network and unused. All removable media was checked. Once all infected files were identified and removed, the personal computers were reattached to the network. A few weeks later, a sanity check using the same virus scanner was performed on the target platform with positive results. The same computer virus strain had reinfected the systems. Since the systems and all removable media had been cleansed, the network came under suspicion.

In retrospect, this problem had to exist. The use of network file systems that were exported from the Unix platform to the personal computer platforms provided an easy, powerful method of transferring data, including executables. Some network designs provide all third party software from a network disk for ease of maintenance and reduced storage overhead. This easy access provides an open door for viruses.

What I found surprising was the fact that the viruses were able to migrate out of the common storage areas into users' home directories. Users had several reasons for performing this action, the most prevalent, to have a "safe" copy of the program. Additional methods of migration may exist that I have not considered. Some migration functions may be a deliberate act of the virus designer. This may be accomplished using a similar design as demonstrated by the Internet Worm, which was able to migrate to dissimilar Unix systems and then adapt to its new host environment.

The most obvious method of reducing the possibility of the Typhoid Mary Syndrome is to carefully regulate and control what type of files can move between platforms. Although it is possible to infect data files, the virus would be rendered harmless in a non-executable file. It is therefore reasonable to assume that the movement of data files such as word processing documents across platforms is safe.

The examples presented have been the result of direct single action events such as a user copying MS-DOS executables over the network. When the problem enters multilevel action events, or includes time delay events, then the complexity of the problem increases. If the virus copied had been the Friday the 13th virus and the reinfection had been delayed by external events, then the results of the infection on the target machine would be felt at a variable time plus the time required to reach activation after the initial transfer of the virus to the carrier system.

"Effective Interval": Ei = Td + Ta, where Td = delay in transfer to target, Ta = positive-value activation interval.

A third level of complexity is introduced through the import and export of files. Files can be imported through many sources, including removable media such as magnetic tape. There have been several documented cases of manufacturers delivering shrink-wrapped software which contained viruses. A fourth level of complexity can be introduced through the use of a Wide Area Network such as the Internet or more traditional computer bulletin boards.

In addition to the Typhoid Mary Syndrome, there are several other types of harmful software that are native to and targeted against Unix systems. They are trojan horses, logic bombs and worms. Worms require considerable commitment and a strong understanding of the Unix system to write. For the immediate future, worm attacks will be rare due to the skill required to author one. As has happened with computer viruses, that skill may become more commonplace if anyone publishes the source code to a worm. The increasing availability of Unix systems could combine with a "recipe" to place the required skill and systems into the hands of otherwise ineffective potential authors.

Trojan horses and logic bombs are simple programs that can be written by programmers of high school skill level. Trojan horses appear to be performing desired processing while creating damage. They are spread by unsuspecting users who copy them in order to take advantage of their usefulness. Many trojan horses are hidden in computer games. One recent trojan horse that was spread via the Internet was called "choosegirl.game". Logic bombs or time bombs are simple programs that wait for an event to occur such as midnight and then damage the system. A simple time bomb might wait until 10 minutes before a scheduled system backup and then destroy the file system.

Viruses that directly target Unix systems have been written and demonstrated under controlled research conditions. The first computer virus ever written was for the Unix system. Viruses are not currently a major problem for Unix; however, as the popularity of the Unix system grows, so will the threat.

Anyone wishing to comment on this paper may contact me:

Peter V. Radatti
CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428 USA
Telephone: (610) 825-4748, FAX: (610) 825-6785
E-mail: radatti@cyber.com

Copyright, September 1991 by Peter V. Radatti. All rights reserved.

- -----------------------------------------------------------------------------

Post Note: July 1994

This paper now appears to me as very dated. The number of viruses that directly attack Unix systems has increased, although they are still small in number. Currently there are the AT&T Virus (aka: Usenix Virus), the Ls Virus and the Chapter-13 Virus. There is also a compiler defiler "virus"; however, it has not been found in the wild and therefore does not count. In addition, Unix systems now directly execute Microsoft Windows, MS-DOS and Apple Mac executables in emulation mode. These emulators are all directly susceptible to attack. Besides emulation mode, Unix executing on IBM PC type platforms has been found, in the wild, executing MS-DOS viruses. The MS-DOS virus infected Unix executables. The processor and BIOS are both the same and many viruses can co-exist on both platforms. I assume that the same will be true of Apple Mac(s) and all other systems that can run Unix.

Pete

End of Document

------------------------------

Date: Sat, 21 Jan 95 13:11:42 -0500
From: Roberto Parker
Subject: Natas Virus (PC)

We have developed a Natas Specific Antivirus.
Roberto Parker

------------------------------

Date: Sun, 22 Jan 95 18:14:44 -0500
From: tlipschultz@delphi.com
Subject: PINWORM or PINWORM_G virus: please help! (PC)

I believe that I'm infected with the PINWORM or PINWORM_G virus. My symptoms:

1) Disk access speed has greatly slowed down. It now takes 15 seconds to load an EXE that used to run instantly.

2) Missing conventional memory. I used to have 593,000 bytes free, now I only have 540,000 bytes free, and nothing new was loaded or changed. I noticed that my total memory is also down to 634k. The huge reduction in memory happened overnight.

3) Both MSAV and SCAN (unreleased version) have been altered. Upon using them, I receive the DOS error "Program too big to fit into memory". Each program uses very little conventional memory. Oddly, VSAFE was not affected.

4) Some programs cause the computer to lock up 50% of the time. DEFRAG causes the computer to lock up each time I attempt to use it.

If I do indeed have the virus, I acquired it almost exactly 24 hours ago from the posting of this note. There is another theory that these problems are the result of a bug in the MS-DOS 6.2 command MSBACKUP. If ANYONE knows how to remove this virus and/or bug, please email me at TLIPSCHULTZ@DELPHI.COM. If you're curious, VSAFE is not detecting anything. Thanks for whatever help you can give!

-Thomas Lipschultz

------------------------------

Date: Mon, 23 Jan 95 06:41:55 -0500
From: usmmmx10@ibmmail.com
Subject: "Crazy Boot" virus? (PC)

hi all,

do you know any disinfector for "Crazy Boot" viruses?

thanks in advance

Best Regards,
Feridun

------------------------------

Date: Mon, 23 Jan 95 10:11:38 -0500
From: runefr@ifi.uio.no (Rune Frøysa)
Subject: New, destructive boot sector virus (PC)

We've detected a new and destructive boot sector virus. The virus has been sent to frisk@complex.is, and analysed by Norman Defence System. McAfee has also been contacted. The virus has existed since at least 16 Dec 1994. The byte sequence C2 33 D2 26 can be found on floppy and HD boot sectors of infected systems, but I don't know if this is a "proper" signature.

/Rune

------------------------------

Date: Mon, 23 Jan 95 20:56:07 -0500
From: Bill Staples
Subject: ANTICMOS A VIRUS (PC)

I recently downloaded the new McAfee Viruscan and found, to my surprise, the ANTICMOS A VIRUS on the boot sector of my hard disk and all other floppies of mine. All attempts to figure out what the virus is or how to get rid of it have failed. (McAfee says it can't be cleaned). Has anyone heard of this virus? Does anyone know the cure...... Thanks for any help.

Email: wjs@destiny.itsnet.com

------------------------------

Date: Mon, 23 Jan 95 22:24:57 -0500
From: noel@rdt.monash.edu.au (Noel Rode )
Subject: JUNKIE.BOOT virus in game (PC)

I spent the day yesterday getting rid of the JUNKIE.BOOT virus off my cousin's PC. I think if I had V214 of McAfee scan it would have helped a lot. I located the source where I got the virus from. It came from a game called "Quarter Pole" by Microleague. Each of the four (write protected) disks was infected. I'm sure it must have been said many times before, but please be sure to scan ANY new disks purchased before making use of them.

Noel Rode
- --
- -------------------------------------------------------------------------
- - Noel J. Rode (Ph.D Candidate)            e-mail: noel@rdt.monash.edu.au -
- - Dept. Robotics and Digital Technology    Phone : +61 3 905 3575        -
- - Monash University, Clayton Campus,       Fax   : +61 3 905 3574        -
- -------------------------------------------------------------------------

------------------------------

Date: Tue, 24 Jan 95 08:19:14 -0500
From: d94ba@efd.lth.se (Bjoern Andreasson)
Subject: What is a TAI-PAN virus? (PC)

I suspect that my computer has been infected with a virus called TAI-PAN. The virus attacks my files randomly; no special type of file is the target of infection. I noticed that some files all of a sudden had become 438 bytes larger.
When I took a closer look I noticed that at the end of all the "infected" files (in the code) there was an appendix saying "Whisper presenterar Tai-Pan". I could just track approx. 240 bytes of the virus in the program. The other 198 bytes were for me untraceable.

Now I have a few questions:

1) What damage does the virus do?
2) Is there an antidote to the virus, and where can I find it?
3) How can I remove it?

Please contact me if you have an answer to my question! Thank you!

d94ba@efd.lth.se

------------------------------

Date: Tue, 24 Jan 95 13:50:47 -0500
From: z3f192@ugrad.cs.ubc.ca (Catherine Maxcy Chow)
Subject: Stoned virus in memory (PC)

Hello,

A Stoned virus search string is found in the partition table of my computer. I do not know how to get rid of it; I tried several scanning software packages, and they seem not able to remove the virus from the memory. It also said that the boot sector is infected. Please let me know how to get rid of it! Thank you.

Cathy

------------------------------

Date: Tue, 24 Jan 95 15:04:07 -0500
From: Mike Ramey
Subject: DiskSecure-2.42 for Boot Sector Viruses. (LONG!) [Rev.1] (PC)

The following message contains my experiences with Padgett Peterson's DiskSecure-2.42 program. I was prompted to try using it because it is highly recommended in "Robert Slade's Guide to Computer Viruses" which was recently published. I think it is a program well worth using. This information is provided without warranty or guarantee of any kind; I hope it proves useful to you. -- Mike Ramey (-mr)

This weekend I learned how to use Padgett Peterson's DiskSecure-2.4 programs to protect the hard-disk against boot-sector infectors. The original documentation may be confusing; but the "Quick Start" instructions _do_ work. I recommend you read _all_ the documentation before attempting to use the program, ... and then try it out.

I cannot recommend this program for distribution to naive users, because it makes changes to the hard-disk MBR (Master Boot Record) and requires careful reading of the documentation, and careful installation to ensure recovery later. Once installed, this program does _not_ require periodic updating; it is an MBR change-detection (and recovery) program.

After reading (and re-reading) the complete documentation, I used the "Quick Start" instructions to install the program. If you plan to install this program, here are some things I would recommend:

- Cold boot from a known-clean floppy.

- Use a virus scanner to insure you do not _already_ have an infected boot sector (which will be saved by DiskSecure for deinstallation).

- Reboot from the computer's hard disk, so that DiskSecure can determine (during its install process) what the true operating environment will be (what TSRs will be running etc.).

- Be sure the directory C:\DS2\ is not already in use. (There is not yet any provision in DS2INST.BAT for specifying another directory.)

- Ensure that C:\AUTOEXEC.BAT and C:\CONFIG.SYS are *not* read-only. The DiskSecure install procedure will ask permission to modify these files; if they are read-only, they cannot be modified. The original AUTOEXEC and CONFIG files will be saved in the C:\DS2\ directory. (I modified my copy of DS2INST.BAT to avoid this problem by using the REPLACE command.)

- Manually modify CONFIG.SYS and AUTOEXEC.BAT to run DS2CHK.EXE and DS2MOVE.SYS from C:\BAT\ or other utility directory. (I modified DS2INST.BAT, DS2.B, DS2.C to do this during installation). This allows you to remove the C:\DS2\ files to prevent modification of DiskSecure, such as unauthorized installation of a password.

- It appears that the reply checking in DS2INST.BAT is not thorough; I have not yet determined what happens if you hit a random key.

- During installation, be careful to strike the response keys just once! It may be that accidental multiple responses will be used on the next questions. (I have not tested this.)

- During installation, when asked "Do you wish to save the partition table(s) to a file?", be sure to answer 'y'.

- If you choose to rename the DSRPART.DAT (MBR/Partition-Table recovery file/program), do NOT use 'anyname.COM'; an error at the end of the DS2INST.BAT file deletes all *.COM files from the installation/working directory. I modified DS2INST.BAT to fix this.

- Be _sure_ to copy the MBR-Recovery file to a diskette for future emergency recovery _and_ identify the specific computer it came from. Use an inventory or serial number, such as U1234567.COM for the copy. {This file is called DSPART.DAT in the documentation but is created as DSRPART.DAT during installation. It will recover the MBR; _but_ if you execute the wrong DSRPART.COM file, the entire hard-disk will become unreadable!!! Be careful.}

I just now tried infecting a Disk-Secure'd computer with the 'Form' virus by doing a power-off reboot from an infected floppy disk. I got the usual "Non-System disk ..." from the floppy. When I removed it to continue booting from the hard-disk, I got:

    Vector Error
    DiskSecure Recovery Mode (C)1993 Padgett
    Recovery pursued, Press any key to continue
    Starting MS-DOS...
    [ and other usual messages ]

and there was _no_ evidence of infection after completion of the boot! I wish the message above were more explicit, but perhaps there are conditions where the recovery cannot be performed automatically at boot time ("Azusa" is mentioned in the documentation).

I recommend this program highly. To get the program, see below ...

- ------ forwarded from the comp.virus newsgroup ------

~From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
~Date: 2 Jan 94 16:48:11 GMT
~Newsgroups: comp.virus
~Subject: diskse24.zip - DiskSecure: Protects hard disk partition table (PC)

[ DiskSecure-2.42 (an updated version) is available from:
[   host:      oak.oakland.edu
[   directory: pub/msdos/virus
[   file:      dsii242.zip
[   URL:       ftp://oak.oakland.edu/pub/msdos/virus/dsii242.zip
[ See below for alternate file name at other sites.  -mr ]

DiskSecure v2.4

Disksecure II is a BIOS level antivirus program for Intel platforms that combines integrity management with BIOS definitions. It uses multiple redundancy to detect/block/remove MBR and DBR infections. DS II is also the only known antivirus program that will also block MBR "droppers". Used in conjunction with a BIOS that selects booting from the hard disk only, it will provide complete protection against low-level infections. DiskSecure II is compatible with Novell Netware for use on Novell servers. Provision is also made for booting from a standard floppy disk following authentication. It also includes a simple access control (password) mechanism that cannot be bypassed by DOS 6 F5/F8.

DiskSecure II is copyrighted FreeWare (no charge for individual use) - custom logos/features/switches are available on a site/corporate license basis.

Uploaded by the author.

Padgett

- - - -
A. Padgett Peterson
padgett@tccslr.dnet.mmc.com

- -----
Mike Ramey wrote to Padgett:

>This is what I found (after much searching):
>ftp://oak.oakland.edu/pub/msdos/virus/diskse24.zip is version 2.4
>ftp://oak.oakland.edu/pub/msdos/virus/dsii242.zip is version 2.42
>This is very confusing. ...  -mr

- -----
From: padgett@tccslr.dnet.mmc.com

[That is true only at oak.oakland.edu]: everywhere else in the world it is just DS242.ZIP (DS followed by the version number). Seems OAK already had a DSxxx.ZIP in its directory services area and we negotiated the DSIIxxx.ZIP since that was closer to DS2. [The file name] Is standardized now.
[It] will always be either DSxxx or DSIIxxx with the last three being the
version number. [edits by -mr]

Batch (and related) files for DiskSecure-2.42 as modified by Mike Ramey:
- ------------------------------------------------------------------------

DS2INST.BAT
===========
@echo off
echo off
:: Modified DS2INST.BAT file for version 2.42 of DiskSecure2.
::
:: 94-12-07; modified by Mike Ramey to ...
::   - install boot-time files in C:\BAT\ directory;
::   - use REPLACE to update/overwrite read-only files;
::   - (at ENDIT) *not* delete C:\DS2\*.COM files [ this caused
::     deletion of DSRPART.DAT file if it was renamed ANYTHING.COM ];
::   - at end exit to C:\DS2\ directory (for cleanup & DSRPART copy);
::
:: START
rem Invocation syntax: DS2INST [drive DS files are on] [drive to install]
rem e.g. DS2INST a d (do not include colons) if DS2INST is invoked
rem without any parameters, it will assume from a & to c
set d1=%1
set d2=%2
if t%d1%==t set d1=a
if t%d2%==t set d2=c
echo.
echo Use this installation file only if DISKSECURE II is on a floppy disk
echo (A/B) and you are installing to a hard disk.
echo Otherwise install manually (see documentation)
echo.
echo DISKSECURE II will be installed from drive %d1% to drive %d2%
echo press control-C to exit if incorrect, (enter) to continue.
echo.
echo. Modified by Mike Ramey to install and run DS2CHK.EXE
echo. and DS2MOVE.SYS in/from the C:\BAT\ directory, which will be
echo. created if it does not exist. All other DiskSecure-II files
echo. -- including the DS[R]PART.DAT/.COM (MBR Recovery File) --
echo. will be copied to the (default) C:\DS2\ directory, which
echo. will be created if it does not exist.
echo. Also modified to use dos REPLACE command to update
echo. the AUTOEXEC.BAT and CONFIG.SYS files. This will work even
echo. if they are write-only files!
echo.
echo. STOP NOW and be sure the C:\DS2 directory does NOT exist
echo. -- to avoid overwriting any user files !!! Then re-run.
echo.
pause
echo.
:: Change to the hard disk [C:]. -mr
%d2%:
%d1%:chk512
if not errorlevel 1 goto secok
echo.
echo Invalid disk sector size (over 512 bytes) - cannot install DiskSecure II
goto endit
:SECOK
%d1%:dos32.com
if not errorlevel 1 goto lowdos
echo.
%d1%:chkint13.com
if errorlevel 1 goto intok
echo.
echo Interrupt 13 vector report invalid. If QEMM386 "stealth" not in effect,
echo you may have a virus already. In any event, DiskSec II cannot initialize.
echo If no virus is found, you may have to boot from a "bare floppy" to install.
goto endit
:INTOK
echo.
echo Interrupt 13 validated.
echo.
:: Already on hard drive [C:], change to root directory. -mr
cd \
:: Insure [C:]\BAT\ directory exists. -mr
echo on
MD \BAT
echo off
::
md \ds2
cd \ds2
:: Change to floppy disk [A:]. -mr
%d1%:
echo.
echo Copying DS2 files to %d2%:\ds2
copy *.* %d2%: >nul
::
echo. Copying DS2CHK.EXE and DS2MOVE.SYS to the %d2%:\BAT directory.
REPLACE DS2CHK.EXE %d2%:\BAT\ /R
REPLACE DS2CHK.EXE %d2%:\BAT\ /A
ATTRIB +R %d2%:\BAT\DS2CHK.EXE
REPLACE DS2MOVE.SYS %d2%:\BAT\ /R
REPLACE DS2MOVE.SYS %d2%:\BAT\ /A
ATTRIB +R %d2%:\BAT\DS2MOVE.SYS
::
:: Change to the hard disk [C:]. -mr
%d2%:
echo.
echo Do I have permission to add DISKSECURE II verification to your
echo AUTOEXEC.BAT file ? (y/n)
ask
if errorlevel 89 if not errorlevel 90 goto addbat
goto next
:ADDBAT
if not exist c:\autoexec.bat goto newbat
echo.
echo The original AUTOEXEC.BAT is being saved as %d2%:\ds2\autoexec.ds
copy c:\autoexec.bat autoexec.ds >nul
:: copy ds2chk.exe c:\ >nul   {copied to C:\BAT\ with REPLACE commands -mr}
copy ds2.b+autoexec.ds autoexec.bat >nul
REPLACE AUTOEXEC.BAT C:\ /R
goto dsconfig
:NEWBAT
copy ds2.b c:\autoexec.bat >nul
goto dsconfig
:NEXT
echo.
echo It is suggested that the command lines in file DS.B be added to your
echo startup procedure to verify proper operation of DISKSECURE.
goto dsconfig
:DSCONFIG
echo.
echo This PC is currently running DOS 3.2 or above. If this is correct for
echo normal operation then do I have permission to add DISKSECURE II
echo DS2MOVE.SYS to your CONFIG.SYS file ?
echo This will make maximum available memory to DOS. (y/n)
ask
if errorlevel 89 if not errorlevel 90 goto addcon
goto next2
:ADDCON
:: copy ds2move.sys c:\ >nul   {copied to C:\BAT\ with REPLACE commands -mr}
copy c:\config.sys config.ds >nul
echo.
qemmst.com
if not errorlevel 127 goto cok2
echo.
echo If QEMM DOSDATA.SYS and DOS_UP.SYS are present in CONFIG.SYS
echo DS2MOVE.SYS may be installed only AFTER these drivers.
echo DS2INST will place DS2MOVE.SYS LAST in CONFIG.SYS. To install
echo first, you will have to install the device driver manually.
echo.
echo Do you wish to continue (y) or skip the update of CONFIG.SYS (n) ?
ask
if errorlevel 89 if not errorlevel 90 goto cok1
goto next2
:COK1
:: echo If QEMM DOSDATA.SYS and DOS_UP.SYS are present in CONFIG.SYS ...
if not exist c:\config.sys goto newsys
echo The original CONFIG.SYS is being saved as %d2%:\ds2\config.ds
copy config.ds+cr.lf+ds2.c config.sys >nul
REPLACE CONFIG.SYS C:\ /R
goto dsin
:COK2
echo.
echo The original CONFIG.SYS is being saved as %d2%:\ds2\config.ds
copy ds2.c+config.ds config.sys >nul
REPLACE CONFIG.SYS C:\ /R
goto dsin
:NEWSYS
copy ds2.c c:\config.sys >nul
goto dsin
:NEXT2
echo.
echo It is suggested that the command line in file DS2.C be added to your
echo CONFIG.SYS file for minimal memory use.
:DSIN
disksec2
goto endit
:LOWDOS
echo.
echo The DiskSecure files have been copied to your hard disk however you
echo are not currently running DOS 3.2 or above. While the DiskSecure
echo protection does not require this, the installation procedure does
echo to be able to properly set up the automatic recovery feature.
echo.
[ NO files have been copied. -mr ]
echo.
echo Consequently, you will have to boot the machine with DOS 3.2 or above
echo and run DiskSec2.exe manually or rerun this .BAT file to fully install
echo the product.
goto endit
:ENDIT
:: del *.com
del ds2inst.bat
del ds2.c
del ds2.b
del cr.lf
set d1=
set d2=
cd A:\
cd C:\DS2
C:
echo.
:: END

DS2.B
=====
@echo off
:: --- Remove DS2 before updating DOS or repartitioning fixed-disk!
c:\BAT\ds2chk.exe >nul
if not errorlevel 1 pause

DS2.C
=====
; --- Remove DS2 before updating DOS or repartitioning fixed-disk!
device=C:\BAT\ds2move.sys

DS2REMOV.BAT
============
@echo off
echo off
echo.
echo DS2REMOV.BAT
echo 94-12-07; revised and corrected for version 2.42 of DiskSecure2. -mr
echo.
echo This batch file will remove DiskSecure files from the root directory
echo of the fixed disk (C:\DS2CHK.EXE and C:\DS2MOVE.SYS). It will leave
echo the C:\DS2\ directory and all files in it; these may be deleted if
echo desired. The DISKSEC2 program will be invoked to replace the
echo DS2-modified MBR (Master Boot Record) with the original MBR.
echo.
echo WARNING - AUTOEXEC.BAT and CONFIG.SYS files will be returned to
echo condition found when DiskSecure was first installed.
echo.
echo Be sure that none of the files C:\AUTOEXEC.BAT, C:\CONFIG.SYS,
echo C:\DS2CHK.EXE, and C:\DS2MOVE.SYS are read-only; this will
echo prevent complete removal and restoration of these files.
echo.
echo Enter Ctrl-C to exit without removing.
echo.
pause
:START
if not exist config.ds goto nogood
if not exist autoexec.ds goto nogood
if not exist disksec2.exe goto nogood
echo DiskSecure II removal routine requested
if exist c:\ds2move.sys del c:\ds2move.sys >nul
if exist c:\ds2chk.exe del c:\ds2chk.exe >nul
copy config.ds c:\config.sys >nul
copy autoexec.ds c:\autoexec.bat >nul
disksec2.exe
goto endit
:NOGOOD
echo.
echo ERROR -- no changes have been made.
echo.
echo DiskSecure batch removal can only be requested while in the
echo same directory as CONFIG.DS, AUTOEXEC.DS, and DISKSEC2.EXE.
echo This is usually the C:\DS2\ directory.
echo.
echo If changes were _not_ made to AUTOEXEC.BAT and CONFIG.SYS when
echo DiskSecure was installed, removal may be accomplished by using
echo the DISKSEC2.EXE program alone.
echo.
:ENDIT

=== End-of-Message -mr ===

------------------------------

Date: Wed, 25 Jan 95 09:15:48 -0500
From: "Mark Hazen"
Subject: ANNOUNCE: FREE Virus Scanning Shell (PC)

On Wed, 04 Jan 95 at 17:49:17, Garrett Mead wrote:
>Subject: Novell Lab protection.... (PC)
>
>I am interested in providing the best overall virus protection for my
>Netware 3.11 100 user Novell network. Last semester I had a really
>bad run-in with viruses (and for those of you running campus labs,
>finals week is bad enough WITHOUT the added problems of viruses :) )

I suppose it's time I made the announcements. I've been working for the
past half year or so, in my copious spare time, on a virus scanning
shell that uses F-Prot shareware over a network, and provides
centralized reporting to any user.

The shell was written ENTIRELY in 4DOS scripting, which is called by
running a .BAT file. Ergo, you do NOT have to be using 4DOS as a shell
on workstations to use this scanner; you ONLY have to have 4DOS
installed somewhere on your network.

I decided not to rewrite this in C... I left it in script format
because 1) it's a pretty polished system as is, and 2) because EVERY
NOVELL NETWORK ON THE FACE OF THE EARTH IS DIFFERENT... everyone has
special needs. In the script form, it's VERY easy for anyone who can
write a batch file to customize the script for their own special needs.

The system includes a comprehensive installer, easy to follow
documentation, and has been beta tested. There are a few features I
will change as time goes by, but it is in a completely functional form.

This product is FREE... but because of my schedule, I really can't
spend my work hours supporting it. If there are bugs, I will fix them
and release updates, but I have had a 2 month beta-test period and have
cleaned up the two (!) bugs we found.
I use this system to keep our network clean.

Please note: I am requesting that the folks who -do- use this system,
please register the shareware packages F-Prot and 4DOS, both of which
are invaluable to anyone maintaining DOS networks.

To obtain this package, ftp to: ftp.fcs.uga.edu and grab the file:
vste202.zip

Let me know how it works for you, and if there are other features you
would like to see!

-Mark H.

- ----------------------------------------------------------------------
*/ Mark Hazen                            mhazen@fcs.uga.edu            /*
*/ Computer & Network Support            hazen@phoenix.cs.uga.edu      /*
*/ College of Family & Consumer Sciences phone: (706) 542-4864         /*
*/ FCS Users: Send Service Requests/Questions to helpdesk@fcs.uga.edu  /*

------------------------------

Date: Wed, 25 Jan 95 10:22:32 -0500
From: jlaws@IndyNet.indy.net (James R. Laws)
Subject: Monkey Virus (PC)

Help. I have been plagued with the Monkey Virus. It keeps coming back.
Last night I removed the Monkey Virus once again and now my computer
won't recognize the "D" drive. I have tried everything that I can think
of including running the setup program again. When I went back to my
hard drive installation software it recognizes the "D" drive and the
drive tests out perfectly. I can't see the "D" drive in either DOS or
Windows.

How do I get rid of the Monkey Virus permanently? I have been removing
it with my Microsoft Antivirus program located on my "C" drive but it
keeps coming back. How do I restore my "D" drive?

Any help would be greatly appreciated. Please E-mail me at
jlaws@indy.net.

Thanks!!!!

------------------------------

Date: Wed, 25 Jan 95 10:25:00 -0500
From: hiscrp@leonis.nus.sg (C R Pennell)
Subject: Norton (PC)

I have Norton Utilities V. 8. This has a TSR program which notifies me
if any change is attempted to a .com or .exe file. IE if something tries
to change or delete one of those files it flashes a warning.
How much extra protection does this give against viruses, over and above
the VIRSTOP which comes with F-PROT?

Richard Pennell
History
National University of Singapore
hiscrp@leonis.nus.sg

------------------------------

Date: Wed, 25 Jan 95 11:51:51 -0500
From: "A.Appleyard"
Subject: Vdefend caused false +ve in Scan (PC)

After a virus alarm had got a student in my department to virus check
his home PC, SCAN 213 said that his PC had Israeli Boot. This was a
false positive caused by a 1991's vintage VDEFEND antiviral which was
still in his PC and activated by a line in AUTOEXEC.BAT. (His PC is
second-hand and came with FOUR! hard disks in, each 32 megabytes,
C: D: E: F:)

------------------------------

Date: Wed, 25 Jan 95 13:51:26 -0500
From: jrushin@ibm.net
Subject: Re: Gen b Stealth Virus (PC)

carlson@PrimeNet.Com (Don Carlson) writes:
>This is a type of boot sector virus that encrypts data from the boot
>sector and hides it away. It messes with interrupt 13, taking control
>of the dialog between the hard disk and the floppy disk. The virus
>doesn't destroy a lot of files (at least I hope), but it doesn't allow
>you to run Windoze (bad, if you keep databases in there).
>
>I detected the virus using VShield from McGafee, a memory resident
>program that is always looking for signs of viral activity.
>Unfortunately, I haven't found any utilities that will successfully
>kill this virus (clean 117 from McGafee won't do it and their BBS is
>always busy lately). Does anyone know of a utility already written to
>kill this bugger?

my colleague came to me today; he inadvertently booted with a diskette
someone had given him in his disk drive. after he rebooted, he could
not run Windows. when he executed the WIN command, the screen would
blank as though Windows was loading, then he was returned to a DOS
prompt.

we booted the machine with a clean, write-protected boot disk that has
McAfee SCAN 2.1.1 (212). Scanning the hard drive, the Scan program
reported that the Master Boot Sector was infected with Stealth_C.
Utilizing the /Clean option of the Scan program we were able to remove
this virus.

john r.

- ------------------------------------------------------------------
but if i'm content with a little, enough is as good as a feast
- ------------------------------------------------------------------
jrushing@attmail.com or jrushing@squeaky.free.org or
john.rushing@syslink.mcs.com or jrushin@ibm.net
- ------------------------------------------------------------------

------------------------------

Date: Wed, 25 Jan 95 14:13:13 -0500
From: jcarr@crl.com (John B. Carroll)
Subject: Form Virus - How to Find It? (PC)

I've detected the Form virus at work but have not been able to locate
the EXE that is installing it (ie I rewrite the boot sector and stay
clean for a few days, then it reappears). I've tried McAfee and the MS
Windows Anti-virus program.

Any help is appreciated . . .

John

- --
<><><><><><><><><><><><><><><><><><><><><><><><><><>
<>  John B. Carroll - jcarr@crl.com                <>
<>  "Put pepper in my coffee . . ." - R.E.M.       <>
<><><><><><><><><><><><><><><><><><><><><><><><><><>

------------------------------

Date: Wed, 25 Jan 95 16:52:50 -0500
From: kg5ai@w5ac.tamu.edu (Myles Barkman - KG5AI)
Subject: Found NYB virus on friend's computer....NEED HELP! (PC)

Yesterday, I found what VIRUSCAN calls the NYB virus. It infects the
Master Boot Record. I tried to use Clean to remove it but that didn't
work. I found in some documentation to try FDISK/MBR. That worked on
the hard drive. Now I'm trying to clean up his infected floppies
(Windows set up disks). Now, I found that I can use SYS to overwrite
the boot record and get rid of the virus, but I was wondering if there
was a better way of fixing the floppies without making them bootable
using SYS. I have not been able to find any sources that mention the
NYB virus. Someone I know found it (I think) in VSUM or some virus
database. I don't have F-PROT but I will try to find it. Anyone have
any ideas how to disinfect floppies without making them bootable?

- --
Myles Barkman   KG5AI   kg5ai@w5ac.tamu.edu
College Station, Texas   Ag '92

------------------------------

Date: Wed, 25 Jan 95 20:57:17 -0500
From: noel@rdt.monash.edu.au (Noel Rode )
Subject: JUNKIE.BOOT virus in game (PC)

I spent some time recently getting rid of the JUNKIE.BOOT virus off my
cousin's PC. I think if I had V214 of McAfee scan at the time it would
have helped a lot. The only problem I had with scan was that I had to
reboot the machine each time scan found and tried to remove the
JUNKIE.BOOT virus from a diskette. Scan would find and remove the first
detected virus and any following viruses found would be reported as
"JUNKIE.BOOT+emr" and could not remove the virus. The virus would also
be loaded into memory when first detected and hence needed to be
rebooted.

I located the source where I got the virus from. It came from a game
called "Quarter Pole" by Microleague. Each of the four (write
protected) disks were infected. I'm sure it must have been said many
times before but please be sure to scan ANY new disks purchased before
making use of them.

Noel Rode

- --
/ Noel J. Rode (Ph.D Candidate)          e-mail: noel@rdt.monash.edu.au \
| Dept. Robotics and Digital Technology   Phone : +61 3 905 3575        |
| Monash University, Clayton Campus,      Fax   : +61 3 905 3574        |
\ Melbourne, Victoria, Australia 3168     ...Hi There.                  /

------------------------------

Date: Wed, 25 Jan 95 22:07:11 -0500
From: scotts95@aol.com (ScottS95)
Subject: Re: Monkey on "Stacked" Hard Drive (PC)

> I've come across a computer with the Monkey virus, it also has Stacker
> installed on it. When I start the process to eradicate the virus by
> booting from a floppy, I can no longer "see" the drives since the
> drivers are invoked via the config.sys file. I've tried duplicating
> the config.sys file, and appropriate binaries, on the boot floppy
> without any luck.
you have one of the New, Improved monkey viruses :-< like we fought
through at work. one would Expect that stacker, like TroubleSpacey,
would have a container file you had as the "fat drive", and a core that
would diskette-boot as a C:. however, we have fought a Monkey that was
so re-infected that using a Linux A1 diskette's fdisk for inspection,
had five junk partitions created by the bug that quite hid things.

booting "clean" (sorta) off the infected hard disk, with only the
stacker binaries and no other TSR, etc stuff, you could run McAfee
evaluation 2.14 or higher with the /clean parm and it might go.

I find that killmonk.exe did the job for us. I believe the anonymous
ftp path is oak.oakland.edu \pub\ms-dos\virus to get to that fine
little program.

scotts95@aol.com

------------------------------

Date: Thu, 26 Jan 95 00:55:17 -0500
From: waygee@pipeline.com (Waygee Ho)
Subject: WSCAN214 Profiles (PC)

Have a quick question concerning the Mcafee WSCAN214 program. When I
run a profile (lets say for a b), the software will proceed to scan the
floppy drives. My question is: Is there any way to configure the
profile so that it will automatically try to clean as well. This would
be useful for our users since it would be a simple point and click
operation.

Any help would be appreciated.

WayGee

------------------------------

Date: Thu, 26 Jan 95 01:15:37 -0500
From: jmward@cs.UCR.EDU (Jonathan Ward)
Subject: Re: what's wrong? (PC)

Ryan Garth McKay wrote:
>First question I have for the experts is as follows.
>Is it possible for a virus to hide in a gif/jpeg?

I suppose it is theoretically possible. If the virus is a simple
overwriter and doesn't check what type of file it's going to infect, it
could conceivably write itself onto random datafiles, including
gifs/jpeg. As long as it slaps itself on the head of the file, you
could effectively "execute" the graphics file, as dos would just load
it into memory like a com (of course, you'd have to change the filename
extension to .COM). I've seen viruses that will do this, and change the
extension as well. However, it's rather stupid for a virus to do such a
thing, as graphics files aren't executed, only read into memory. The
only way for a virus to run, and thus spread, is for it to be executed
by the CPU - simply loading it into memory won't do any good (unless by
some freak chance an errant program decided to set CS:IP right where
the virus happened to be - but I've never heard of it happening: it
would be a freak occurrence at best).

>Is it possible for a virus to be split between two of the above
>and become active when the two files are downloaded?

Yes, it could be split by a compression program. No, downloading the
files wouldn't put it together much less activate it. See above.

>
>My brother found a virus before it was too late. It was located
>in two separate gif/jpeg files. Using the Windows based antivirus
>program he thought he cleaned up the mess... But we now think some
>really bad damage occurred. When we turn the machine on we get the
>standard bios stuff then the starting ms-dos line and then
>nothing....
>

I'd like to know how the virus got active (if you have one at all) if
it was lying only in graphics files. The only way I could think of is
if the files you downloaded were the type that had an imbedded viewer
combined with the image in one file - in which case the virus would see
it as a regular executable and merrily infect away.

>It remains on that line for a long long time without any hard
>disk reads. At this time I thought the command.com file wasn't
>there so I figured that I'll do a boot with a boot disk... Well
>the next problem arrived. This is a computer with a built in
>security program and will not let me get at the hard drive when I
>do this.

Sounds like you forgot a BIOS password or something. Such setting would
be in the BIOS setup. If you forgot the password, one way to get rid of
it is to open up the machine, and pull the lithium battery pack from
the motherboard for a few seconds, which will effectively wipe the CMOS
memory, and restore it to its original state. You'll have to
reconfigure, but you'll be in. Depending on the make of board, some
motherboards have a jumper that you can bridge to reset the BIOS.

>
>Any idea's would be welcomed,
>
>Thanks
>
>Ryan
>

-Jonathan Ward

- --
Who is General Failure, and why is he trying to read from my disk??
Email to:                    | http://neuromancer/~drdrums
jmward@cs.ucr.edu            | University of California, Riverside
drdrums@dostoevsky.ucr.edu   | Dept. of Computer Science

------------------------------

Date: Thu, 26 Jan 95 01:43:11 -0500
From: david@mindlink.bc.ca (David de Lisle)
Subject: Anticmos (PC)

I had this virus last month on a PC based system. Nothing worked on the
floppies. However the virus will not transfer to tape so I was able to
backup to tape, format the floppies and then put the data back to the
floppies. Problem solved.

david@mindlink.bc.ca
Vancouver Canada

------------------------------

Date: Thu, 26 Jan 95 04:05:47 -0500
From: excoffier@cemag-lyon.fr (David Excoffier)
Subject: Scan 2.1.3 and 2KB Virus. (PC)

I'm working in a Research Institute, and lotsa computers have been
infected with 2KB Virus. We're using VScan 2.1.213 for trying to
eradicate this virus. But here's the problem: 2KB Virus is perfectly
removed when it's found on HDD, and on a majority of floppy disks. But
sometimes, Vscan CAN'T remove this virus from floppy disks, even though
it detects perfectly that it is 2KB Virus !!!

Where does it come from? Is it a new version of 2KB Virus? Why isn't
Vscan able to remove it ???? What can I do to clean these disks, it's
very important !!!

Does McAfee have an E-Mail in France?

Thank you for your help and comments.

David EXCOFFIER.
excoffier@cemag-lyon.fr

------------------------------

Date: Thu, 26 Jan 95 08:50:50 -0500
From: Paul Owen
Subject: anti-CMOS virus (PC)

What can the wise old heads of the Internet tell me about the anti-CMOS
virus? I have seen it on several PC's and have noticed those with MSAV
are unable to detect it. PC's with the IBM anti-virus software (such as
the Thinkpad) seem able to identify it however. What is the best way to
protect against it?

------------------------------

Date: Thu, 26 Jan 95 08:59:32 -0500
From: twe@rix01.lyngbyes.dk (Torben Wendelin)
Subject: KHOBAR virus (PC)

I have found the KHOBAR virus on my PC. Does anybody know about it,
what it does and how to disinfect?

thanks
Torben

------------------------------

Date: Thu, 26 Jan 95 09:30:14 -0500
From: "Robert Smith jr."
Subject: Re: HELP: My pc has gone braindead.. (PC)

taylord@tartarus.uwa.edu.au (David Taylor) wrote:
>
> Hi all,
> I am very worried. I think my PC has a rather bad little virus. It has
> been getting slower and slower, and last night I did a system info test
> (Norton SI) and the reported cpu speed was down to 15.6 from a usual 65+.
> Anyone having any idea about what may be causing this please email me.

Dave,

Sounds like Michaelangelo or another boot sector virus. Go to a CLEAN
computer, create a system disk, and get a good cleaning program on it.
Boot from the disk and run the cleaner.

Good Luck ....

Bob

------------------------------

Date: Thu, 26 Jan 95 11:07:32 -0500
From: orjan.vestgote@innitor.se
Subject: Parity Boot virus (PC)

Maybe you already have discussed Parity Boot virus:

A few days ago I found that my machines were infected by the "B-variant
of the Parity_boot virus". The boot sector on two HDD's were infected
and, in addition, about 60 floppies. I estimate that the virus entered
my systems 4 - 6 months ago.
In November I got a strange error message when I started Windows,
saying something about the 32-bit disk handler being lost. This made me
suspicious, but I had only MSAV available and this program found
nothing. A few days ago my kids ran the F-PROT anti virus and the
program discovered Parity Boot. The virus had done no harm so far and
it was fairly easy to disinfect the disks and the floppies.

To my surprise, today, two days after the disinfection, the CMOS setup
data had been wiped away, all zeroes !!!. My HDD was of course
inaccessible, but since I had saved the setup parameters and by booting
from floppy, I could easily make the system work again. That machine is
only 6 weeks old, and the battery should be healthy for at least
another year.

Has anyone of you discovered a connection between Parity Boot virus and
a zeroed CMOS setup?

Regards
Orjan

------------------------------

Date: Thu, 26 Jan 95 12:22:31 -0500
From: univel.telescan.com!jag@Lehigh.EDU (John Guynn)
Subject: Stoned.Standard (PC)

I just found a virus on a machine that F-prot 2.16 calls
Stoned.Standard - unknown but it will not disinfect. Luckily fdisk /mbr
kills it. Is this a new variant of stoned?

John Guynn                  jag@univel.telescan.com
Network Admin               Telescan Inc.
"If you're killed, you've lost a very important part of your life."
- --Brooke Shields

------------------------------

Date: Thu, 26 Jan 95 13:15:08 -0500
From: bsinet@cloudnet.com (Bankers Systems)
Subject: Re: Anti CMOS type B (PC)

I've seen this virus too (Anti CMOS A and B). I removed them with an
FDISK /MBR (master boot record) - make sure that you clean boot first.
This seemed to clean them up. Hope that helps!

Lake Hennig (LakeH@ix.netcom.com) wrote:
: Using McAfee's antivirus 2.14 (Beta), I was able to identify a virus
: called Anti-CMOS type B on the boot record of a diskette (3.5"). I did
: not find it on my hard drive, but I think it must have been at some
: point. (I just re-installed DOS 6.22 from scratch - not an upgrade--
: and believe that may have eliminated the virus from my hard drive.) I
: had been experiencing problems with the hard drive when I powered on --
: also with the video card. I don't know if this was related to a virus
: or just equipment failure.
: Does anyone know what Anti-CMOS Type B actually does? (The name alone
: is scary.) And how do you clean it from a floppy? (The McAfee software
: 2.14 can't yet). I've tried sys A: but that doesn't do it.

------------------------------

Date: Thu, 26 Jan 95 13:25:41 -0500
From: ai660@freenet.buffalo.edu (Brian J. Beiter)
Subject: "NoInt" (PC)

Does anybody know what a "NoInt" virus is? What does it do? How do I
get rid of it?

Thanks for any help.

- --

------------------------------

Date: Thu, 26 Jan 95 14:48:39 -0500
From: dorothy@svpal.svpal.org (Dorothy Brown)
Subject: Need virus info. (PC)

I recently found the virus Monkey-B on my computer and am now looking
for more info on the virus itself, and on the best antivirus software.
Any info. would be greatly appreciated.

Thanks in advance,
Dorothy Brown
dorothy@svpal.org

------------------------------

Date: Thu, 26 Jan 95 15:44:17 -0500
From: Iolo Davidson
Subject: Novell Lab protection.... (PC)

gmead@scs.unr.edu "Garrett Mead" writes:

> I am particularly interested in a process that a Macintosh program (I
> think it is Gatekeeper or something thereof) uses. I believe that this
> program does a scan anytime a new floppy is placed in a drive. Is there
> an IBM equivalent?

Yes, several DOS anti-virus TSRs scan floppies for boot sector viruses
on the first access.

> 2) If you run any other protection other than what is inherent in Novell,
> what products do you use? Which should I not use?

There are lots of anti-virus NLMs to run on the server in addition to
anti-virus DOS software run on the workstation. Which? Both "Virus
Bulletin" and "SECURE Computing" have recently run comparison reviews.

> If you can, please include any information you have on the products that
> you recommend (ie ftp sites or addresses and telephone numbers)

I think you will want a commercial package for a network based
strategy.

- --
   SPECIAL SEATS         WHO SCRATCH
  RESERVED IN HADES      THE LADIES
  FOR WHISKERED GUYS     Burma Shave

------------------------------

Date: Thu, 26 Jan 95 16:11:36 -0500
From: mukher@cc.gatech.edu (Amitesh Mukherjee)
Subject: Virus-Scanning Software (PC)

I am trying to find out what are the premium virus-scanning software
(most up-to-date), who sells them etc....... Phone numbers, addresses
will also be helpful..... Please e-mail to mukher@cc.gatech.edu

Thanx..........

Amitesh Mukherjee

- --
-Amitesh Mukherjee (mukher@cc.gatech.edu)

------------------------------

Date: Thu, 26 Jan 95 16:25:46 -0500
From: amf94@ecs.soton.ac.uk (Andrew Forster)
Subject: Re: what's wrong? (PC)

Ryan Garth McKay (rgmckay@acs.ucalgary.ca) wrote:
: First question I have for the experts is as follows.
: Is it possible for a virus to hide in a gif/jpeg?
: Is it possible for a virus to be split between two of the above
: and become active when the two files are downloaded?

I would say, it is possible to hide a virus in a gif or jpeg.. It is
possible to hide anything in a gif or jpeg within reason, BUT, the
virus would have to be extracted by something - a viewer or something..
Viral code may be located in a viewer program - did you download
anything to view it? Alternatively, the virus infected a gif file down
to poor programming - it searched for *.* instead of executables.

: My brother found a virus before it was too late. It was located
: in two separate gif/jpeg files. Using the Windows based antivirus
: program he thought he cleaned up the mess... But we now think some
: really bad damage occurred. When we turn the machine on we get the
: standard bios stuff then the starting ms-dos line and then
: nothing....

There's always the possibility that the gif / jpeg data matches a viral
signature enough to trigger a false alarm.. You used a windows based
anti-virus and you refer to "STARTING MS-DOS..." - you weren't using
Microsoft Windows Anti-Virus were you? I personally have a very low
opinion of the Microsoft / Central Point Anti-Virus products, for
example, they don't spot any of the viruses created by VCL (Virus
Creation Laboratory) and this is an entire toolkit!

: It remains on that line for a long long time without any hard
: disk reads. At this time I thought the command.com file wasn't
: there so I figured that I'll do a boot with a boot disk... Well
: the next problem arrived. This is a computer with a built in
: security program and will not let me get at the hard drive when I
: do this.

Have you tried pressing F5 about the same time as the "starting ms-dos"
message? It may be a file in your config.sys that is corrupt, such as
himem.sys or emm386.exe.. F5 will give you a clean boot bypassing
entirely the config.sys and autoexec.bat

: Any idea's would be welcomed,
: Thanks
: Ryan

Andy
______________________________________________________________________________
Department of ECS, University of So'ton                  amf94@ecs.soton.ac.uk
PGP 2.6ui Public Key Available On Request
"640K ought to be enough for anybody." - Bill Gates, 1981
- ------------------------------------------------------------------------------

------------------------------

Date: Thu, 26 Jan 95 18:07:18 -0500
From: wnc1081@rigel.tamu.edu (W. Neil Craig)
Subject: Possible unknown virus (PC)

Howdy everyone,

I have been using MS Antivirus to check my PC and this afternoon I
discovered that all the system files, most of the files in my dos
directory, and several dozen files in my windows directory had grown in
size. The majority of these files are .exe and .com files. MSAV doesn't
detect a virus, but just notes the change in the file size.
I am running MS DOS 6.2.2 and Windows 3.1, and I have only experienced a few mild problems so far with some of the affected windows apps. If you know anything about this or could give me some help it would be greatly appreciated. Neil Craig Mechanical Engr. Undergrad, Texas A&M University College Station, Texas, USA email: WNC1081@rigel.tamu.edu ------------------------------ Date: Thu, 26 Jan 95 19:05:14 -0500 From: noel@giskard.rdt.monash.edu.au (Noel Rode ) Subject: JUNKIE.BOOT virus in game (PC) I spent some time recently getting rid of the JUNKIE.BOOT virus off my cousins PC. I think if I had V214 of McAfee scan at the time it would have helped a lot. The only problem I had with scan was that I had to reboot the machine each time scan found and tried to remove the JUNKIE.BOOT virus from a diskette. Scan would find and remove the first detected virus and any following viruses found would be reported as "JUNKIE.BOOT+emr" and could not remove the virus. The virus would also be loaded into memory when first detected and hence needed to be rebooted. I located the source where I got the virus from. It came from a game called "Quarter Pole" by Microleague. Each of the four (write protected) disks were infected. I'm sure it must have been said many times before but please be sure to scan ANY new disks purchased before making use of them. Noel Rode. - -- / Noel J. Rode (Ph.D Candidate) e-mail: noel@rdt.monash.edu.au \ | Dept. Robotics and Digital Technology Phone : +61 3 905 3575 | | Monash University, Clayton Campus, Fax : +61 3 905 3574 | \ Melbourne, Victoria, Australia 3168 ...Hi There. / ------------------------------ Date: Thu, 26 Jan 95 19:44:38 -0500 From: raymoon@DGS.dgsys.com (Raymond Moon) Subject: AntiCMOS-A help (PC) Does anyone have any information on a Virus identified as AntiCMOS-A? I have detected it using IBMAV and McAfee. Calling McAfee reveals that it attacks the CMOS of "certain" computers. McAfee could not identify which computers were vulnerable. 
I have Zenith 386s and 486s. Thanks in advance.

Ray

------------------------------

Date: Thu, 26 Jan 95 20:10:24 -0500
From: fruits@cgs.edu (Eric Fruits)
Subject: Stealth [genb] Virus -- Crazy Boot Ver. 1.0 (PC)

Yesterday I got the Crazy Boot stealth virus. After talking to McAfee tech support, I discovered it is a stealth boot sector virus. After two hours with tech support we managed to fix it. I did not lose any data and now my machine is running fine and virus-free (as far as I know). Here's how to remove the virus and fix your machine:

1. Boot off a DOS installation/setup disk.
2. A:\>fdisk /mbr
   This will replace the master boot record on your disk. There is a chance you will lose data--I did not.
3. Power down your machine.
4. Boot off the A:\ drive with a clean, write-protected floppy that contains Norton Disk Doctor.
5. A:\>ndd /rebuild
6. Answer YES to every question NDD asks you (you do not have to create an undo file, though).
7. Boot off the A:\ drive with a clean, write-protected floppy that contains the virus scanner of your choice.
8. Scan for viruses -- it should come up clean.

Done. Good luck.

Eric Fruits
fruits@cgs.edu

------------------------------

Date: Thu, 26 Jan 95 20:44:09 -0500
From: Sick Puppy
Subject: Is this a virus or logic bomb, or is it a software conflict? (PC)

There is a problem affecting some of our users and we don't know if it is a virus, a logic bomb, or simply some kind of software conflict. We have a couple of small Banyan LANs with a couple of servers. Users load Windows off the Banyan server when they first log into the network. Sometimes a thin black line appears about one inch down from the top of the screen and slowly extends across the screen. When it reaches the other side, there is a kind of beep. These lines can be minimized or maximized. A few minutes later another line appears about 1.1 centimeter/1 quarter of an inch lower and slowly extends across the screen.
After several of these lines going horizontally across the screen, the same kind of lines start to extend vertically down the screen. If the PC is left for about 30 minutes, the screen changes to multiple colors. It looks very pretty but makes Windows useless. This affects some users but not others. We have scanned the PCs and servers with three different anti-virus programs and found nothing.

Is this a virus or a logic bomb? Or is it a software conflict?

Sick Puppy
the Cat_Eating_Dawg in the basement of Bellcore

------------------------------

Date: Thu, 26 Jan 95 21:58:16 -0500
From: liy@ecf.toronto.edu (Yi-Fan Y LI)
Subject: Monkey (Help) (PC)

Hi,

Recently my PC was infected by some virus. F-Prot reports that it is Stoned.Empire.Monkey.A and McAfee recognizes it as the Monkey_1 virus. But F-Prot failed to clean it. Since the boot track is modified by the virus, the system doesn't recognize the hard disk if it starts from a clean system floppy. McAfee does not work either (or I did not find the right way to do it). How do I remove it???? Any help is highly appreciated. Thanks again.

Yours
Y. Li
- --

------------------------------

Date: Thu, 26 Jan 95 22:14:05 -0500
From: mdf2@po.cwru.edu (Mike Facemire)
Subject: Monkey virus (PC)

I just finished removing (supposedly) the Stoned.Empire.Monkey virus from my PC with the killmonk program on Novell software. Everything is now fine except for the fact that I cannot access my A drive. Whenever I hit a: from the C prompt I get the message "Drive not ready". This happens whether or not there is a disk in the drive. The drive does not even spin to check if there is a disk there or not. I cannot boot from this drive (my only one other than the hard drive) either. I went into my BIOS setup and made sure that it was properly set to be a 1.44M 3.5" drive. I rebooted and then checked the status of the drives using Microsoft Diagnostics (MSD). This showed that the A drive was a 360K 5.25" drive. What is happening??
Is there a way to fix this other than totally reformatting everything?? Thanks for any help.

Mike Facemire
mdf2@po.cwru.edu

------------------------------

Date: Thu, 26 Jan 95 23:52:01 -0500
From: wnc1081@rigel.tamu.edu (W. Neil Craig)
Subject: Help---AntiCMOS & B1 virus (PC)

Howdy everyone,

Using F-Prot 2.16, I have detected 2 viruses. When I boot my PC from the hard disk and then run F-Prot, it warns me that the AntiCMOS virus string (it doesn't specify A or B) is resident in memory, refuses to go farther, and instructs me to boot the machine from a clean system disk. When I boot from a clean system floppy disk and then run F-Prot, it finds the B1 virus in the master boot record, but doesn't find the AntiCMOS virus. If anyone could give me any help, it would be greatly appreciated.

Sincerely
Neil Craig
Mechanical Engr. Undergraduate
Texas A&M University
College Station Texas USA
email: wnc1081@rigel.tamu.edu

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 8]
****************************************

From: VIRUS-L Moderator
Subject: VIRUS-L Digest V8 #7
Date: Mon, 6 Feb 1995 06:36:48 EST

VIRUS-L Digest   Monday, 6 Feb 1995   Volume 8 : Issue 7

Today's Topics:

Virus Researchers Incompetent?
Exsvira?
"Live Robots" by Rucker
dinamo(kiev) Champion !!! (PC)
Re: question on virus (PC)
MONKEY_B & ANTIEXE viruses (PC)
Both Form and AntiExe? (PC)
NYB Virus (PC)
Natas (PC)
info request on AntiCMOS.A (PC)
How to clean 69 and AntiCOMS ?? (PC)
virus detection (PC)
F-Prot (PC)
Barrotes virus (PC)
unknown possible virus--new post (PC)
EXEBUG virus in Novell network (PC)
Stoned Variation (PC)
Help, Monkey on my back!! (PC)
69 virus (PC)
Network Scans (PC)
icarus virus-utils (PC)
Do you have features of 2KB Virus ??? (PC)
Re: McAfee vs Central Point vs F-Prot (PC)
"FORM" virus (PC)
Virus Protection Software (PC)
GENB Queries (PC)
Coruna 4 infection (PC)
Invircible software review (PC)
Virus question... (PC)
AntiCMOS A - Desire Info (PC)
Re: Junkie virus (PC)
Re: Stealth C virus (PC)
BACKFORM virus (PC)
Is "jumper" an alias for "2kb"? (PC)
W-BOOT.A (PC)
boot sector (PC)
Need info re: "Wolfgang Gullich" Virus (PC)
f_def482.zip - File Defender Plus: File protection driver
McAfee VirusScan 2.1.4 uploaded to SimTel (PC)
InVircible review in Virus Bulletin - part 2/2 (PC)
12th Annual ISSA Conference & Exposition

----------------------------------------------------------------------

Date: Sun, 08 Jan 95 15:51:25 -0500
From: arfman2@aol.com (Arfman2)
Subject: Virus Researchers Incompetent?

The following is a quote from Geoff Chappell, author of DOS Internals, regarding anti-virus researchers. This note appears as a public posting in CompuServe's Doctor Dobb's Journal Forum under the Undocumented Corner.

>>Subj: BUG in DOS 6 w/F5 key            Section: Undocumented Corner
>>From: Geoff Chappell 100043,564        # 78864, * No Replies *
>>  To: Leonard Gragson 73131,1034       Date: 08-Jan-95 11:26
>>OK, I'm not so naive that I have believed that anti-virus people actually
>>disassemble viruses to discover how they work - but I'm idealistic enough
>>to believe that you ought to and I'm cynical enough to believe that many
>>uninformed users think that anti-virus defences are the product of careful
>>analysis.

I have not posted the entire note, though this is the only segment that deals with virus researchers as a class. Mr. Chappell and I had a disagreement over whether a particular piece of code was a virus or not. I thought all the researchers on here would like to see what a published author has to say about virus researchers.

------------------------------

Date: Fri, 20 Jan 95 03:31:08 -0500
From: sayhow@technet.sg (Foo Say How)
Subject: Exsvira?

My boss dropped me a note:

  When I was in Europe I saw in the news that a certain German academic (Bugavitch?) has converted an electronic panel board with the name of Exsvira that can prevent viruses in the computer. Please find out.
Ok, does anyone have any clue on this? Any way to contact this academic? Thanks in advance.

- --
FOO SAY HOW .... foo say what .. foo say who ... foo say when .. foo say why
- ------------------------------------------------------------------------------
Please note E-Mail address changed due to host configuration changes
NEW E-MAIL ADDRESS : sayhow@technet.sg
Company: Systran (S) Pte Ltd
ADDRESS: 133 New Bridge Road #21-01, Chinatown Point, Singapore 0105
TEL: 65-7327007, 65-5388449   FAX: 65-5388515

------------------------------

Date: Thu, 19 Jan 95 14:34:42 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: "Live Robots" by Rucker

BKLIVRBT.RVW 941223

"Live Robots", Rucker, 1994, 0-380-77543-3, U$5.99/C$6.99
%A Rudy Rucker
%C 1350 Avenue of the Americas, New York, NY 10019
%D 1994
%G 0-380-77543-3
%I Avon Books/The Hearst Corporation
%O U$5.99/C$6.99
%P 357
%T "Live Robots"

This is a double volume, originally published as "Software" (1982) and "Wetware" (1988). The basic premise is the tension between "thinking" robots (called "boppers" or "bops") and humanity.

Two items are of interest. The first is the development of machine intelligence, which we see only in retrospect. The growth of artificial cognition is promoted by a type of genetic programming. The original programmer builds "immutable" instructions into the robots to submit their software to some minor random variation every ten months. The robots are also to build replicas of themselves during the ten-month period, although these seem to be primarily for replacement purposes, rather than reproduction. The concept of "immutable" code is interesting here, since it would be subject to the same variation as all the other programming. As well, the ten-month "generations", and the few dozen initial robots, would result in a very slow evolution. The concepts, though, are quite sound, and very similar to "real" genetic programming.
The other point of interest is raised in the last few pages of the latter book. A computer virus is let loose in order to foul up the network of the authorities for a few hours. (The virus is let loose from a graphic, but ...) The point is correctly made that once the existence of a network virus is known, effective defences take only hours to build. (In this case, that is all that is necessary.) A very good understanding of the concepts, for such an early (1988) work.

copyright Robert M. Slade, 1994   BKLIVRBT.RVW 941223

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
p1@arkham.wimsey.bc.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
"If a train station is where a train stops, what happens at a workstation?" - Frederick Wheeler

------------------------------

Date: Thu, 12 Jan 95 10:32:23 -0500
From: maren@helix.nih.gov (Maren)
Subject: dinamo(kiev) Champion !!! (PC)

How do I get rid of this virus? It has infected one person's computer and she cannot even boot it up properly now. F-Prot finds the problem and says to run fdisk /mbr. Is there any other way to get rid of this dinamo virus?

Thanks.

------------------------------

Date: Thu, 12 Jan 95 11:06:17 -0500
From: fbultot@vub.ac.be (BULTOT FREDERIK)
Subject: Re: question on virus (PC)

Laurent Aureyre (aureyre@grenet.fr) wrote:
: I've got a big problem with my PC computer...
: I've got a virus called 2KB, I know the name because I used a program
: (virus scan) which is stupid because it gives me the name of the virus but
: can't repair my system.
: I know that my virus is in the master boot sector but I don't know how to
: remove it. Somebody told me that I can do something with the FDISK option
: of DOS 6.22 but I don't know how to use it....

Try FDISK /mbr, take a look at "mcafee.com : /pub/antivirus" and get cleanXXX.zip, or try something else ...
------------------------------

Date: Thu, 12 Jan 95 15:00:21 -0500
From: ckokesh@expert.cc.purdue.edu (Christopher Kokesh)
Subject: MONKEY_B & ANTIEXE viruses (PC)

Does anyone know anything about these two viruses? When I run McAfee's VShield it says Monkey B is in my memory and that my boot partition is infected with ANTIEXE. Can these be removed? Also, when I run McAfee's Scan it doesn't detect ANTIEXE but does detect Monkey B. I've tried turning the computer off and booting off of a clean floppy, but it still says I have Monkey B! Any help would be greatly appreciated!

Thanks,
Chris (ckokesh@expert.cc.purdue.edu)

------------------------------

Date: Thu, 12 Jan 95 15:16:19 -0500
From: Bill McGeehan
Subject: Both Form and AntiExe? (PC)

I have been given a 3.5 inch HD diskette that *seems* to have two viruses on it. I'm using F-PROT 2.15 under DOS 5.0. Using the automatic disinfect option, F-PROT reports that I have the AntiExe virus, and since I have the automatic disinfect feature turned on, it also tells me "Virus infection(s) found and removed". Then when I scan it again F-PROT reports the Form.A virus, which it also claims to automatically remove. Beautiful so far. But when I scan additional times, F-PROT again reports the AntiExe, then the Form.A, and so on in a continuous loop (as long as I keep asking F-PROT to scan)!

This doesn't seem to be a phantom virus or false positive, since I rebooted and checked the same diskette and got the same results. I can retrieve the information on the infected diskette, that's not a problem. What I'd like to know is what's going on. If less knowledgeable users were to encounter this problem, they wouldn't have run F-PROT a second time, assuming that all viruses were removed *as claimed*.

Has anyone else seen this kind of problem? I don't know enough about MBRs, DBRs, and disk editing programs to dump this data and analyze it, so I'm hoping someone can tell me what is happening and what action to take.
Bill McGeehan, Smithsonian Institution Computer Security Manager

------------------------------

Date: Thu, 12 Jan 95 16:07:08 -0500
From: pbooth@robins.af.mil (PHIL BOOTH)
Subject: NYB Virus (PC)

NYB-boot Virus Information

Description

NYB-boot is a new virus that infects the MBR on hard disks and the BR on floppy diskettes, but it does not infect program files. The virus relocates the original contents of the MBR/BR to another place on the disk. On hard disks, the MBR is moved to sector 17, on head 0, cylinder 0. On floppy disks the location is the last sector of the root directory, which depends on the capacity of the diskette. For example, on 360K diskettes (remember those?), it will be at sector 14, on head 1, cylinder 0.

The virus stays resident in memory just below the top of conventional memory. It reduces the base memory size by 1K. For example, a system with 640K base memory will appear to have 639K after the virus goes resident.

Once loaded in memory, NYB-boot points the disk access vector (INT 13h) to its own handler. It examines the read and write requests, and infects the MBR/BR if it is not already infected. The handler also has stealth capability to mask its presence on the disk, and to protect itself against being overwritten. For example, you cannot use a general purpose disk sector editor such as Norton Utilities (tm) to modify the MBR, where the virus is located, as long as the virus is active in memory. You will most likely get an error message about the operation.

The coding style in the virus suggests that its author is relatively experienced in PC assembly language; there is an apparent attempt to minimize code size and to use tricky code (to make reading it difficult). The virus fits in one sector. The partition table or the BPB (BIOS Parameter Block) is kept intact during infection.

Doing a simple DIR on an unprotected diskette will cause it to get infected. Diskettes in both A and B drives are infected. The virus transfers from infected diskettes to hard disks if the system is booted off the infected floppy. Once the hard disk is infected, any unprotected disks used in that system will become infected variants.

Diskettes used for backup with a program that has its own disk format may become corrupted and lose data. The virus checks the BIOS timer tick counter and executes a loop that contains a VERIFY SECTOR instruction. This may confuse certain software and give the impression of disk problems. The virus itself does not appear to have deliberate overwriting of data. The diskette can also become unusable if this mechanism triggers.

Z-RAM Inc.
P.O. Box 2087
Annapolis, MD 21404
1-800-638-2000

Phil Booth
pbooth@wrdis01.robins.af.mil

------------------------------

Date: Thu, 12 Jan 95 20:16:05 -0500
From: Roberto Parker
Subject: Natas (PC)

Mexico was under Natas attack for some months. We developed an effective Natas AV. After extensive testing it gives false positives when scanning a Lemmings or 1226M infected file. Any interest? Natas is pretty good.

Regards
Roberto Parker
Mexico City

------------------------------

Date: Thu, 12 Jan 95 23:07:42 -0500
From: dwjackso@nyx.cs.du.edu (Donald Jackson)
Subject: info request on AntiCMOS.A (PC)

I would appreciate any info on a virus that most antivirus programs don't yet handle: AntiCMOS.A

It's a boot sector virus. That's all I really know. F-Prot 2.15 detects it, but doesn't offer removal. A friend said that NAV 3.0 (new off the shelf) detected it on his hard drive during installation.

In particular, what size boot sectors or master boot records (for hard disks) does this virus infect? Is it malicious, and if so, does it have a trigger (time/date/etc.), or does it just replicate itself and do unintentional damage due to common assumptions made by viruses such as the size of the floppy disk it's infecting?
I found one lost cluster, and a couple of hidden files (a ~-something.DOC MS Word file and a file from a screen saver called SlideShow - PUZZLE.EXE - both files tested negative for viruses). Does this virus hide in sectors marked "bad" or otherwise encrypt/morph/stealth itself?

Any and all information is appreciated. Please respond via email to donald.jackson@psyberdyne.com, or reply via email to the account from which this was posted; it will be forwarded to me. I don't normally follow this newsgroup, so any info on how I can get a comprehensive list of viruses (esp. new ones) so I don't clutter up the usenet any more than I have to will also be very much appreciated.

TIA-
Donald Jackson

------------------------------

Date: Fri, 13 Jan 95 12:22:27 -0500
From: leeng@technet.sg (Vei-Ming Chong)
Subject: How to clean 69 and AntiCOMS ?? (PC)

Recently I have seen quite a few 69 + AntiCMOS viruses. Any suggestion on a GOOD virus cleaner and detector for them?

Many thanks!

Vei-Ming
~~~~~~~~
Vei-Ming Chong, R&D Department
Optics Storage Pte Ltd, Singapore
Tel : (65) 382-3100
Fax : (65) 281-2786
Internet : leeng@einstein.technet.sg

------------------------------

Date: Fri, 13 Jan 95 13:33:01 -0500
From: Iolo Davidson
Subject: virus detection (PC)

news@hpg30a.csc.cuhk.hk "" writes:

> In the market, which virus detection software is the best?

January 1995 "SECURE Computing" gives Editor's Choice to Dr. Solomon's Anti-Virus Toolkit, and Recommended to F-Prot Professional and Thunderbyte. This is in a review of 17 anti-virus products, testing only the stand-alone virus scanner part of the product. The checksummer and memory resident components are to be tested in a review in the February 95 edition. (I am the technical editor of "SECURE Computing".)
- --
SAID ONE WHISKER          WITH THIS STUFF
TO ANOTHER BROTHER        CAN'T GET TOUGH
                          Burma Shave

------------------------------

Date: Fri, 13 Jan 95 19:02:33 -0500
From: creid@ccinet.ab.ca (C. Reid)
Subject: F-Prot (PC)

I am a new user on the internet and am having difficulty trying to locate a certain file. I would appreciate it if somebody could point me in the direction of the virus protection program F-Prot, or any other similar program. If possible could you please contact me via e-mail: creid@ccinet.ab.ca

Thank you
David Reid

------------------------------

Date: Fri, 13 Jan 95 23:15:28 -0500
From: GeorgeAl@ix.netcom.com (George Alexeief)
Subject: Barrotes virus (PC)

I recently came across the Barrotes virus on two machines in my organization. I ftp'd from mcafee.com their scan117, and used it to successfully identify seven .exe files that scan117 showed as infected by the following:

Barrotes [Bar]
Barrotes [B5]

Do I understand the dual references to Barrotes correctly, i.e. that it was a single virus infection (with 1k addition to the .exe files) which left two signatures (Bar and B5), which clean117 can then deal with? Or are these two related but distinct viruses working in tandem? The viruslst.txt file only lists the first entry, so I hope that the B5 "strain" doesn't have additional attributes (like burrowing or polymorphism). Can anyone advise?

george a.
los angeles, california

------------------------------

Date: Fri, 13 Jan 95 23:28:11 -0500
From: tr5374@csc.albany.edu (REYNOLDS THOMAS)
Subject: unknown possible virus--new post (PC)

I apologize in advance if I'm merely being stupid, but I observed strange behavior right after getting F-Prot 2.13a at school in 09/94. The next day, I went to the school computer I'd copied from, ran its own F-Prot on it and it found a virus (Form, I believe, or maybe Stoned--I'm not sure now). The day after, several computers by it were roped off, all virused.
Chkdsk at the time of the strange behavior showed a decrement of approx 17K memory; then shortly after, a decrement of only approx 8K; then only 32 bytes. I'll not describe more details--perhaps they're not important. I've been reading comp.virus since then, but no one at school has been much help. I've tried shareware F-Prot through 2.15, but nothing definite ever found; McAfee Scan 114 and 117 find nothing; and my old CPAV from early 94 finds nothing. I tried fdisk /mbr and sys from a good floppy.

Now I try to learn to use PCTools DiskEdit and look at files in hex, and find the three basic system .COM files (and PCTools vwatch.com, identified (1st) by F-Prot 2.15 heuristics as "modified") all start with E9, which an October 1994 post by Kevin Marcus (very informative) said was a characteristic of infected .COM files. Also odd, the end of the hard drive is all hex "36" bytes for very many sectors except for approx 2 1/2 lines at the start of the sixth sector from the end (120MB drive, approx 47MB never used yet).

Can someone help me, even if only to tell me I'm worrying too much? Thanks very much.

Tom Reynolds, tr5374@cnsunix.albany.edu
(We seem to get comp.virus only in occasional batches.)

------------------------------

Date: Sat, 14 Jan 95 10:22:19 -0500
From: inform
Subject: EXEBUG virus in Novell network (PC)

Does anyone know how you can destroy the virus EXEBUG in a Novell network? What is at the moment the most powerful anti-virus software for a Novell network?

Thanks a lot.
Katia

------------------------------

Date: Sun, 15 Jan 95 04:22:29 -0500
From: Jason Wilkinson
Subject: Stoned Variation (PC)

Norton Anti Virus detects a "Stoned Variation" virus on my system. When I boot from the hard drive everything seems fine but the virus is resident in memory. Now when I boot from a clean floppy, my hard drives become inaccessible to me, responding with "invalid drive specification", so that I am not able to this crappy little boot sector virus.
Could someone please offer me some suggestions.

------------------------------

Date: Sun, 15 Jan 95 14:21:20 -0500
From: amiel@umr.edu (Jeffrey A Amiel )
Subject: Help, Monkey on my back!! (PC)

Ok....The old Monkey virus hit me hard..... Noticed the computer running sluggish.... ran McAfee Scan 117 and lo and behold, Monkey [Mon] was found. It was not until I accidentally infected 2 clean boot disks (write protect) that I wised up. There was a point when I was infected where I could still read files... now I have 4 non-DOS partitions on the drive and Clean 117 won't touch it (can't access drive C---invalid drive). Does Monkey attach itself to exe files?? Did I get this from something I downloaded off of Simtel or does it only reside in the boot sectors of floppies and fixed disks?? Am I screwed?? Is there any hope for getting my partitions back to normal or do I format, clean, and resort to my 10 day old backup? I emailed McAfee, but with the holiday weekend, I doubt they will get back to me in time.... Any help would be MUCH appreciated.

Jeff Amiel
amiel@umr.edu

------------------------------

Date: Mon, 16 Jan 95 10:31:19 -0500
From: cuthbert@temasek.teleview.com.sg (Shepherdson Cuthbert Nicholas)
Subject: 69 virus (PC)

Hi there,

I recently came across this virus which can only be detected by this version of Scan and probably later (tried a beta 2.1.4). Ironically, I could not find out any info on what this virus can do or what damage it can cause. I thought initially that it was a false alarm, but F-Prot and TBAV also detect the possibility of a boot sector infection on diskettes detected by Scan 2.1.3.

The virus can spread very easily. All you need to do is a DIR command on an infected diskette, and the virus goes into the memory of your PC. Every disk that you do a DIR on is also infected. It can also infect the hard disk (tried this out). I removed the virus from the hard disk using the FDISK /MBR command and powered off the PC. For diskettes, it's a big problem.
Got a number of diskettes infected, will need to reformat them. Well, has anyone else come across this virus and know what it maliciously does? And know of better ways to remove this virus from infected diskettes? (Actually got a program from a BBS here to just overwrite the boot sector, which does remove the virus... only thing is that all my diskettes have the same vol no...) Can anyone comment/advise?

Thanks
Bert

------------------------------

Date: Mon, 16 Jan 95 22:39:53 -0500
From: jdaro@netcom.com (Jeffrey Daro)
Subject: Network Scans (PC)

I am looking for a virus scan/removal system that would be powerful over a Novell and/or NT server network. Price is really not a problem as this is for a very important network. Does anyone know of a good scan/cure? I am interested in all options, store bought or net shareware. Thanks.

- --
Jeff - Daro@Ukko.Rowan.Edu | JDaro@Netcom.Com
T A Z M A N I A   Ukko.Rowan.Edu 5000
"My only love sprung from my only hate! Too early unknown, and known too late!"

------------------------------

Date: Tue, 17 Jan 95 10:09:50 -0500
From: Alfred JILKA
Subject: icarus virus-utils (PC)

hi all,

my boss just gave me a complete suite of icarus virus-utils for evaluation. It contains versions for DOS, WINDOWS and NETWARE. Though I heard that some experts were impressed by their virus-definition-language, I'm not sure about the effectiveness of the product itself. Is there anyone out there in netland to comment on this product?

TIA, Alfred
- --
Geological Survey, Austria (Vienna)
jilka@gbaws4.zamg.ac.at
Phone: +43/1/712-56-74/96
Fax: +43/1/713-64-57
BB | !BB   William Shakespeare

------------------------------

Date: Tue, 17 Jan 95 10:17:00 -0500
From: excoffier@cemag-lyon.fr (David EXCOFFIER)
Subject: Do you have features of 2KB Virus ??? (PC)

Hi netsurfers.

I've a problem: numerous PC HDDs & floppies have been infected by the 2KB VIRUS (according to VirusScan from McAfee). We're in the phase of eradicating this virus, but lots of users ask me what the features of this virus are and how dangerous it is. I absolutely have no answer to their questions (except that 2KB is a virus resident in the Master Boot Record or boot sector of disks). So, if someone knows the features of this 2KB VIRUS and the consequences of its activity, I'd then be able to reply to their questions.

Thanks in advance for your precisions.
E-mail me: excoffier@cemag-lyon.fr

------------------------------

Date: Tue, 17 Jan 95 21:06:10 -0500
From: scotts95@aol.com (ScottS95)
Subject: Re: McAfee vs Central Point vs F-Prot (PC)

>I currently run F-Prot, which seems to have received high marks in this
>group. Is McAfee or Central Point worth the expense, or is F-Prot plenty
>good enough. The obvious advantage for me is Central Point, because I
>have PC Tools as my Windows shell, and CP runs from that platform. But I
>feel that 49.95 vs free is a rook.

My observations are that the biggest difference, assuming you keep up on the new signatures etc., is which you prefer. All work. I personally have been with CPAV since 1.0 and McAfee since the earliest shareware days (I think 0.51). The only thing is that if you load multiple AV programs, often enough the signature code of one will trip another... so watch which file names are alleged to be diseased ;)

scotts95@aol.com

------------------------------

Date: Wed, 18 Jan 95 19:20:42 -0500
From: bblinn@infinet.com (Bill Blinn)
Subject: "FORM" virus (PC)

A customer will bring in his computer tomorrow.
Central Point Anti Virus says it's infected with the FORM virus. I've looked, but not yet extensively, and have found nothing about that virus. I'll continue looking; but if you know anything about this particular virus, I'd appreciate some advice -- either here or direct to me via e-mail.

Thanks!

- ---
Bill Blinn (bblinn@infinet.com) -- N8POV@W8CQK.#CMH.OH.US.NOAM (Ham Radio)
The first rule of intelligent tinkering is to save all the parts.
Speaking on, but not for, NewsRadio 610 WTVN.

------------------------------

Date: Wed, 18 Jan 95 20:29:58 -0500
From: elcentro@cyberspace.com
Subject: Virus Protection Software (PC)

I am the computer support person at a large non-profit organization. Our license for our virus protection software has just expired. I am in the process of coming up with alternatives to the current package we have. It is McAfee's virus protection software. I have no problem with this software except the price. I would appreciate your recommendations, pointers to reviews, and any other aid you can give me. I have been searching for resources on the Internet but haven't found that much yet.

Thank you for your time.

Richard E. Amerman (elcentro@cyberspace.com)

------------------------------

Date: Thu, 19 Jan 95 00:08:28 -0500
From: zapper01@technet.sg (Ho T S)
Subject: GENB Queries (PC)

I did a scan with the latest version of McAfee's Scan and it showed that I had a GENB virus in the boot sector or something like that. It also stated that there is no "cure" for it at present. Can anyone help by telling me how to reformat such that it goes? I tried fdisk-ing but it doesn't work. I figure a low level format would have to be done. How do I do that?
Thanks ------------------------------ Date: Thu, 19 Jan 95 04:18:54 -0500 From: conic@math-appli-uco.fr (conic) Subject: Coruna 4 infection (PC) Hi, i'am trying to find any meaning to fight against Coruna4=20 virus, the more recent versions of Mac Aphee recognize the virus=20 sometimes but they are not very efficient against it (V117 SCAN,CLEAN &=20 2.1.3). Is anyone know how to destroy the Virus ? Please E-Mail if you've any informations. Thanks in advance Nicolas CONAN - ----------------------------------- Institut de Math=E9matiques Appliqu=E9es Universit=E9 Catholique de l'Ouest conic@math-appli-uco.fr http://www.math-appli-uco.fr - ----------------------------------- ------------------------------ Date: Thu, 19 Jan 95 15:49:09 +0000 From: noam@techunix.technion.ac.il (Amir Noam) Subject: Invircible software review (PC) i recently heard of a review of the invircible antivirus package, but i can't find it anywhere. i'm considering it for our network, so i'd appreciate any advice, pointers, and info about this elusive review. thanks, noam amir noam@techunix.technion.ac.il noam@laum.univ-lemans.fr please respond by email! ------------------------------ Date: Thu, 19 Jan 95 19:38:24 -0500 From: raymoon@DGS.dgsys.com (Raymond Moon) Subject: Virus questtion... (PC) [ Article crossposted from alt.msdos.programmer ] [ Author was Jason L Perron ] [ Posted on 18 Jan 1995 17:07:13 GMT ] Hello all, I am not sure if this is the best place to post this question, but here it goes anyways.... Has anybody heard of or know anything about a virus named LENART? >From what I have been told, this is a fairly new virus that might have come out around Sept/Oct. 1994. I am asking this because a friend of mine recently bought a large computer system that suddenly crashed. Upon calling in the person who sold him the system he was told the crash was due to this LENART virus. 
This would be fine, but the salesperson doesn't seem very honest/reliable and my friend is afraid that the salesperson made up the story about the virus to cover up the fact that he doesn't know what he is doing and is also trying to make more $$$ by fixing the system. ANYBODY know anything that could help me out? Sincerely, - --------------- Jason perron@wpi.edu ------------------------------ Date: Thu, 19 Jan 95 19:59:28 -0500 From: raymoon@DGS.dgsys.com (Raymond Moon) Subject: AntiCMOS A - Desire Info (PC) Does any one have any information on AntiCMOS A? >From McAfee tech, I was told that it reportedly attacks the CMOS of certain computers by nulling the CMOS. Implied but not known is which computers are vulnerable to attack by this virus. Anyone with experience, information would be greatly appreciated. For information, cleaning appears to be easy. For hard disks, "format \mbr". For floppies, "format \u". Thanks in advance. Ray ------------------------------ Date: Thu, 19 Jan 95 22:52:16 -0500 From: jerejian@tartarus.uwa.edu.au (Rafi Jerejian) Subject: Re: Junkie virus (PC) Whodini writes: >On 23 Dec 1994, John Davey wrote: >> Hopefully someone reads this. >> >> I've picked up the junkie virus from someware, ftp I think, getting kermit.exe. >> >> Anyway, we cant seem to get rid of it, it seems to stick to com files, clean >> gets rid of it, but after a clean boot it seems to re-appear.> >> Any comments?> > Use F-Protect to clean your Hard Drive's boot sector. It stays in >the MBR. McAfree won't clean it, and F-Prot won't clean files with it >(it just sits there and tries to clean it over and over). FInd all the >files with it, delete them, and boot on a clean system disk. Use >F-Protect to clean your boot sector, and you will be fine. (Just got rid >of it a week ago) We were infected with the junkie virus this morning and used F-protect (sept 1994 version) to disinfect files without any problem. Do you have an older version of this? - -Rich. 
- -- +----< jerejian@lethe.uwa.edu.au >--------------------------------------------+ "NEWSFLASH: Suicidal Twin kills brother by mistake" +--------------------------------------------< jerejian@lethe.uwa.edu.au >----+ ------------------------------ Date: Fri, 20 Jan 95 00:15:27 -0500 From: Michael Jackson Subject: Re: Stealth C virus (PC) The Mermaid writes: >I saw this virus about a week ago, and I think the McAffee scanner said >it was a strain of the Genb virus. The virus was in the boot sector of >the disk, and the only thing we knew to do was to reformat the disk. If >anyone else knows any other ways of ridding floppies of this virus, please >post. Thanx. I've run into several machines here in the local area that were infected also. I've found that F-Prot will disinfect the disks. -Mike mrjackson@delphi.com ------------------------------ Date: Fri, 20 Jan 95 04:24:14 -0500 From: "Ferenc Bajan - Centre of Informatics" Subject: BACKFORM virus (PC) I have a user, who has found the Backform virus in the file COMMAND.COM (Ms-DOS 6.20). This virus is in the stack area, no length difference on the disk. He used F- Prot 2.15 and TBAV (Scan 2.1.12 han nothing found). F-Prot could not removed the virus, TBAV seems to cleaning, but after this, COMMAND.COM's length is 5488 bytes....;-) What this virus makes, and how to remove it? - ---------------------------------------------------------------------- /_/_ /_/_/_/_/_ /_ /_ /_ Ferenc Bajan /_ /_ /_ Centre of Informatics /_ /_/_ /_/_/_/_ BDTF Szombathely /_ /_ /_ H-9700 Szombathely /_ /_ /_ Karolyi G. ter 4. /_/_/_/_/_ /_ bferi@fs2.bdtf.hu - ---------------------------------------------------------------------- ------------------------------ Date: Fri, 20 Jan 95 09:29:09 -0500 From: aureyre@grenet.fr (Jean Luc Demoisson Jean Claude Chaperon) Subject: Is "jumper" an alias for "2kb"? (PC) I'd just like to know if silly, jumper and 2kb is the same virus thank you! 
------------------------------ Date: Fri, 20 Jan 95 11:40:25 -0500 From: j.s.elrick@stir.ac.uk (Ian Elrick) Subject: W-BOOT.A (PC) Hello Folks I have just discovered a user with the W-BOOT.A virus (according to F-Prot v 2.15) and have succeeded in disinfecting using the same package. I like to get info on what viruses I am dealing with though and I cannot find it anywhere. What other names does it go under???? Thanks in advance. Ian Elrick ------------------------------ Date: Fri, 20 Jan 95 14:04:08 -0500 From: chou@stamina.csd.hku.hk (Chou Sui Lin) Subject: boot sector (PC) Does anyone know how to get rid of a boot sector virus named "bootexe.451". The file setver.exe was also infected with "bootexe.452". Thanks in advance chou - -- - ----------------------------------------------------------------------- Sui Lin CHOU Email: chou@csd.hku.hk ------------------------------ Date: Fri, 20 Jan 95 18:29:41 -0500 From: "Garb, Gary [BB]" Subject: Need info re: "Wolfgang Gullich" Virus (PC) One of my users reports a suspected boot sector virus that displays "WOLFGANG GULLICH" on the screen. It is detectable with F-PROT 2.15. Does anyone recognize this virus(?) and have any info on it? Any help is much appreciated. Gary Garb Unisys Corporation "Beware of Geeks bearing GIFs" ------------------------------ Date: Sun, 15 Jan 95 03:54:29 -0500 From: dk@burka.carrier.kiev.ua (Dmitry S. Kohmanyuk) Subject: f_def482.zip - File Defender Plus: File protection driver I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors): ftp://oak.oakland.edu/SimTel/msdos/virus/f_def482.zip SimTel/msdos/virus/ f_def482.zip File Defender Plus: File protection driver File Defender Plus v4.82 is file-level data protection driver. It allows you to selectively protect files from modification, therefore blocking possible virus infections. 
File Defender Plus enhances the way DOS treats read-only attribute of files - it can only be set once, and cannot be removed. You can easily set all your executable files to read-only (use DOS ATTRIB command, for example), and they would be safely protected from viruses. If a program tries to remove the protection you will hear an audible warning sound. Environment: PC/MS-DOS 3.30+, DR-DOS 6+, Novell DOS 7 FreeWare. Author: Compact Soft Uploaded by: Dmitry S. Kohmanyuk Dmitry.Kohmanyuk@UA.net dk@burka.carrier.kiev.ua ------------------------------ Date: Wed, 18 Jan 95 04:42:29 -0500 From: aryeh@mcafee.com (McAfee Associates) Subject: McAfee VirusScan 2.1.4 uploaded to SimTel (PC) I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors): ftp://oak.oakland.edu/SimTel/msdos/virus/scn-214e.zip ftp://oak.oakland.edu/SimTel/msdos/virus/vsh-214e.zip ftp://oak.oakland.edu/SimTel/msdos/virus/whatsnew.214 ftp://oak.oakland.edu/SimTel/msdos/virus/wsc-214e.zip SimTel/msdos/virus/ scn-214e.zip VirusScan V2.1.4 scans/cleans viruses (V214 data) vsh-214e.zip VShield V2.1.4 antivirus TSR (V214 data) whatsnew.214 Errata for VirusScan & VShield 2.1.4 wsc-214e.zip VirusScan V2.1.4 for MS-Windows (V214 data) replaces: scn-213e.zip, vsh-213e.zip, wsc-2123.zip WHAT'S NEW Version 2.1.4 of the VirusScan series adds detection for many new viruses. A complete list can be found by running SCAN with the /VIRLIST switch (DOS, OS/2) or clicking on the "Virus Info" icon (Windows). Additionally, new or improved removers have been added for the FORM-A, Junkie, Natas, NYB, Parity Boot B, and Sampo (alias "69") viruses. Two new options have been added to the command-line versions of VirusScan, the /FREQUENCY switch and then /MEMEXCL switch: o The first, /FREQUENCY, allows VirusScan to be run only after a specified number of hours have passed. 
This allows network administrators to periodically run VirusScan from a network login script. o The second, /MEMEXCL, excludes a range of memory from being scanned for viruse