VIRUS-L Digest   Monday, 24 Jan 1994   Volume 7 : Issue 5

Today's Topics:

Request help about viruses (PC)
Subscription Info: "CuD"
NETWARE Virus? (Novell)
Removing Viruses from Large Installations (primarily PC)
Re: Help in removing Monkey virus from hard disk (PC)
FreeWare FixMBR and FixFBR (PC)
What Scanner is the Best (PC)
Re: McAffee SCANV109 finds prob w/MODE.COM (PC)
Form Virus (PC)
Re: Need info on "RIPPER" virus. (PC)
re: Possible Windows-specific virus (PC)
re: Help in removing Monkey virus from hard disk (PC)
Virus as it relates to Netware (PC)
Ripper Virus Description (PC)
FORM virus on OS/2 v2.1 (PC)
re: FORM virus on OS/2 v2.1 (PC)
Re: SCAN 109 FALSE POSITIVE (PC)
help - erased hard disk? (PC)
Can't load NETSHLD 1.56 (can't find IsColorMonitor)
Do you know how to kill the Stone-4 Virus? (PC)
HELP with virus !!! (PC)
Telcom PT2 (PC)
EMD Enterprises PC Armor Beta Test Survey (PC)
3.1 Antiviral reports - scanners (CVP)
Other antivirals - activity monitors (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 10 Jan 94 08:19:43 -0500
From:    tom_katt@spirea.gih.no (Tom Katt)
Subject: Request help about viruses (PC)

We are a group of students who are going to make a simulation program and therefore need information about viruses:

- what damage they do
- the visual effects on the display
- what happens when the virus is active
- the category the viruses are placed in
- if there are some good simulation programs available on the internet we can get ideas/hints from

We hope some of you out there will help us. You can send your information to us by E-mail - dag_jens@linnea.gih.no.

Regards
Ellen, Ove R. and Dag R.

------------------------------

Date:    Mon, 10 Jan 94 19:00:33 -0500
From:    LARRY BROWN <72712.706@compuserve.com>
Subject: Subscription Info: "CuD"

CuD (Computer Underground Digest) is a weekly (or so) "newsletter" published by Jim Thomas and Gordon Meyer at Northern Ill. Univ. You can subscribe by e-mailing tk0jut2@mvs.cso.niu.edu and putting the phrase "Subscription Request" in both the Subject and Body of the e-mail.

Larry Brown
72712.706@compuserve.com

------------------------------

Date:    13 Jan 94 09:09:13 -0700
From:    hitcmap@nebula.syscon.hii.com
Subject: NETWARE Virus? (Novell)

Hello!

Can someone please point me to a FAQ on Netware fileserver viruses? I have not heard of a virus that actually destroys a Netware volume, or ABENDS the server. So if there are some that do this - please excuse my ignorance!!

I am trying to select the most suitable viral detection for our Netware LAN. I am interested in any opinions on Cheyenne's InocuLAN as well, since we use Cheyenne Arcserve. I am curious what the performance ramifications are when one runs an NLM-based virus checker.

Any comments would be greatly appreciated!

Best Regards. . .

Mike
================================================================================
Michael A.
Passineau, Systems Analyst
Harnischfeger Industries, Inc.
INTERNET: mpassineau@hii.com
================================================================================

------------------------------

Date:    Mon, 10 Jan 94 10:21:23 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Removing Viruses from Large Installations (primarily PC)

Note: I have left off the original poster's name since it would serve no purpose to repeat it. Rather I would like to point out that there is a "higher path" that can be taken. Unfortunately few do so since it takes an "upfront" management commitment that too often is not made. It is a case of "You can pay once now, or pay many times in the future."

>Subject: "Good Viruses?"

>Each of these events took over a day to completely recover since even after
>the network is cleaned, each individual workstation has to be checked for
>potential infection (this can be done in an automated fashion, but not if
>the virus is a "fast-infector" and is likely to be RAM resident as is the
>case with Pegg). Once a virus is found on an individual workstation, one
>must take the time to personally visit the workstation to ensure that it
>is cleaned properly, and that diskettes are scanned to ensure against
>re-infection. All this takes time, costs money, and reduces the capability
>of employees using the network to get work done.

This is the way I used to work a few years ago, but having a "large" installation (just about everything imaginable including over 70 Novell servers reachable from my desk), I do things differently now, with a module-based approach.

Software is used to identify changes to a system so that immediate "something" notification occurs. Next, a trained individual is dispatched for a "what" determination. Once the "what" is known, one of two paths is taken:

a) If the event is localized, the (wo)man on the spot takes care of it.
b) If there is a chance it has spread (rare thanks to the defenses we have in place), then a specialized "identification module" is developed. Since we have a large collection of such modules, this is usually quick.

These modules generally take the form of a small .COM program (on PCs) that is capable of identifying and recording the particular problem on a PC. It first checks memory for residence, then, if the problem is a program infector, it checks the programs on a user's disk. Since the module is specialized, it usually can be made very fast (execution time is usually about a third longer than a "dir \/s" would take and has a similar output). MBR and BSI infector modules are much faster.

It has often seemed to me that a-v developers usually focus on the "single PC/single user" concept even in network installations and often miss the economies of scale possible at large, commonly-equipped sites.

In this case, the time scale from first detection looks more like this:

Explicit identification                 - 1 hour
Module Development                      - 1 hour
Module Distribution (via net)           - 30 minutes
Identify affected network resources     - 15 minutes per server (done in parallel)
Affected resources moved to repository  - generally not server applications since these are protected
Identify affected clients               - as they login - login is denied and trouble report generated

In parallel, the technician will check assets in the physical vicinity of the affected unit and try to determine how the exception occurred.

True: there is an investment that must be made up front:

a) technician training to be able to gather a sample of the problem and make an explicit identification
b) network administrators must know the procedure to follow when a module is distributed.
c) a library of "template" modules must be maintained for fast turn-around.

However, there is no need IMHO for days of lost time and downed machines provided that a proper investment is made in "fire-fighting equipment".
Warmly,
		Padgett

------------------------------

Date:    Mon, 10 Jan 94 10:33:55 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Help in removing Monkey virus from hard disk (PC)

warrenw@tekig6.pen.tek.com (Warren Woo) writes:

>attempted to run F-prot, but it won't recognize the existence
>of c: drive. I have read in past postings about using
>FDISK /MBR to get rid of boot sector viruses, but will this
>work if I can't access c: drive?

No. It will not work at all under those circumstances. FDISK /MBR will just overwrite the code part of the MBR; it would leave the partition data corrupted.

F-PROT *should* be able to remove it....but you have to use a command like F-PROT /HARD /DIS instead of the usual F-PROT C: /DIS because of the problem you described - drive C: "does not exist" after you boot from a clean floppy.

There is another method, which also works if the MBR gets corrupted by a trojan or whatsoever. (Be careful, and do not use this method unless you are 100% sure what you are doing)

1) Use NU or any other disk editor, and erase (fill with 0 bytes) the entire MBR (head 0, track 0, sector 1)

2) Run NDD - it will ask if you have problems accessing partitions on the hard disk...answer "Y", and it will recreate the MBR.

This will of course only work on machines with normal DOS partitions.....

- -frisk

------------------------------

Date:    Mon, 10 Jan 94 11:16:24 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: FreeWare FixMBR and FixFBR (PC)

>From: uttsbbs!steven.hoke@pacbell.com (Steven Hoke)
>Subject: MBR/FBR viruses (PC)

>Could you explain in non-technical terms what these utilities do? I know
>how to use FDISK, and FDISK /MBR, but I'm not exactly certain what the
>MBR contains.
"Once again into the breach dear friends" The MBR (Master Boot Record) contains two elements: the partition table which is a 40h byte data area that describes the layout of the disk (multiple logical drives - c d e or multiple operating systems - MS-DOS, OS/2, Novell Netware, etc.). If the partition table is corrupt or not in the exact location expected. The disk will either not be bootable or some/all of the partitions will be unreachable. The second component is the MBR code. This is an executable program which tables control of the boot process, performs a trivial sanity check, determines which partion is selected for boot, loads the first sector from that partition (for DOS, this is the DOS Boot record and is essentially the same as the first sector on a floppy disk), and executes it. Viruses often move the MBR elsewhere so that they will be executed instead of the real MBR. Generally viruses will copy the Partition Table into them- selves so that the boot process will operate normally though some "stealth" viruses (such as the "Monkey") do not in this case booting from a floppy will be unable to access the fixed disk. If the partition table is still in place, DOS 5+ FDISK/MBR will work since it simply re-writes the executable code portiton of the MBR, overwriting the virus code. If the virus is not resident (e.g. if the boot was from floppy), the virus cannot prevent this. Before there was a FDISK/MBR, I wrote FixMBR with the same intent but a few other considerations. First FixMBR has much more error checking than FDISK. Second, most MBR viruses hide the original MBR somewhere in the "hidden sectors". FixMBR will check each of these sectors in turn looking for a valid Partition table (as verified by the information stored in the CMOS/BIOS) - in counterpoint, FDISK looks only at the first sector. Next and "just in case", FixMBR will save a copy of what it found in the MBR as an executable program that may be used to restore the machine if anything goes rong. 
Finally, FixMBR gives the user the choice of using either the original code or my SafeMBR program that checks for viral activity on execution.

On floppies we have a different situation. A floppy disk always has a single partition consisting of all of the sectors on the disk, so instead of an MBR, floppies have a DBR (DOS boot record). Like the MBR this is divided into two pieces, a data area (the Boot Parameter Block) that tells DOS what kind of floppy it is and a code fragment used to make the disk bootable if necessary. This code is on every floppy disk formatted with DOS whether or not it is bootable (if not, this is what prints the "no operating system found" message).

Again like the MBR, many viruses infect floppies by replacing the DBR with their own code. For years the only way to recover a floppy was to SYS it. This would fail if the floppy had any programs on it, leaving only specialized virus removal programs or to FORMAT the disk, losing all of the data on it.

For this reason I wrote FixFBR, an analogue to FixMBR except that it could be simpler since there are only four main types of floppy in use: 360k/1.2 Mb 5 1/4" and 720k/1.44 Mb 3 1/2". True, there are 160k/180k/320k 5 1/4" and 2.88 Mb 3 1/2" floppies but these are not very common so I followed KISS and stuck to the four types. Not to say I could not add 2.88s or whatever, just do not have one & haven't (what do you want for free ?)

FixFBR first performs some heuristic checks of the floppy disk but the main purpose is to replace the existing DBR with a generic one that also includes simple virus detection software and a warning if an accidental boot from floppy takes place. Usually it does this without any help but in the occasional case where a virus has put the wrong BPB on a disk (e.g. a 1.2Mb BPB on a 720k disk) the user has an option to correct this.
I first made FixMBR and FixFBR FreeWare in the months before Michelangelo (a move that was soon copied by some other organizations with "Crippleware", FreeWare - copyrighted material with no charge for individual use) having decided that if I can't get rich, I'll settle for glory 8*). Of course if an organization would rather not have my name appear all of the time, I am willing to create "special" versions in exchange for hobby supplies (Pontiacs, computers, pictures of dead presidents,...)

Don't forget, DS II is now also "FreeWare" and *much* more powerful.

Warmly,
		Padgett

------------------------------

Date:    Mon, 10 Jan 94 16:41:34 -0500
From:    hexx@telerama.lm.com (Don Pellegrino)
Subject: What Scanner is the Best (PC)

What is the best virus scanner/remover available? I have DOS 6.2 and Microsoft Anti-Virus but how can this be good if it is not updated? I have used McAfee's SCAN.EXE and CLEAN.EXE and they seem to work well. I am looking for cheap software that runs quickly but will be very effective.

- --
SMM: hexx@telerama.lm.com          Please send to both addresses.
or:  don.pellegrino@jbjsys.com

------------------------------

Date:    Mon, 10 Jan 94 19:17:42 -0500
From:    mikehan@kaiwan.com (Mike Hanewinckel)
Subject: Re: McAffee SCANV109 finds prob w/MODE.COM (PC)

Rich Chong (U41602@uicvm.uic.edu) wrote:
: I just got SCANV109.ZIP off of oak.oakland.edu and started a scan
: on a few of my systems. On a DOS 3.3 system, it finds 1008drop
: in MODE.COM. I don't have a reference copy of the old mode.com
: Does anyone know if this could be real for me? or just a known
: false alarm? No other files were flagged as sick. Thanks
: rich

What they mean by it being a dropper is that it is not actually "infected" but has been "booby-trapped" to release a virus once it is run. Do you know where the file came from??? If not, I suggest you delete it.
Mike Hanewinckel

------------------------------

Date:    Mon, 10 Jan 94 19:48:31 -0500
From:    ALLENTAYLOR@delphi.com
Subject: Form Virus (PC)

From: allentaylor.delphi.com
- ----------------------------
Writes:
< Subject: Form Virus on PC
< Keywords:
< We have big problems with a virus called FORM.
< I want information about this virus
< How it infects?
< Where does it come from?

at>The FORM-Virus, or Form Boot, is a memory resident infector of hard disk and floppy boot sectors, discovered in Switzerland circa mid 1990.

at>Download the Virus-L Frequently Asked Question file via anonymous FTP on cert.org [192.88.209.5] and read Sections [B.3], [b.10], [c.4], [d-ALL].

at>Download VSUMX312.zip via anonymous FTP on McAfee.com [192.187.128.1]. This text has been the subject of some serious criticism in this forum but does have "some" relevant information concerning your problem.

at>Generally speaking, this virus can be dealt with like most boot sector viruses:

1. Power down your PC.
2. Boot up from a previously prepared write protected Boot_Floppy.
3. You can use the appropriate virus cleaner [TBAV-TBUtility], [and with DOS 5 or higher; FDISK /MBR command] or [DOS Sys Command] or, [McAfee MDisk] to restore the boot sector.
4. RESCAN with a Virus Scanner on a write protected Floppy.
5. Don't forget to scan ALL floppies that have come in contact with the infected PC and be sure to warn others to whom you may have sent infected floppies.

Best Regards,
- ------------------------------------------------------------------------
| Allen G. Taylor,               | allentaylor.delphi.com              |
| Computer Virus Research Center | * CVRC BBS *                        |
| Indianapolis, Indiana, USA     | Specializing in Anti-Virus Software |
- ------------------------------------------------------------------------

------------------------------

Date:    Tue, 11 Jan 94 10:31:36 -0500
From:    shume@lbs.lon.ac.uk (Stephen Hume)
Subject: Re: Need info on "RIPPER" virus.
(PC)

Dr Solomon's Toolkit also detects Ripper; CPAV v 2 (due early '94) will detect it (there's an interim fix available). We're cleaning PCs with Cleanpar (Dr Solomon) and floppies with Cleanboo, then loading Toolkit's Guard in autoexec.bat and running F-prot file scan. Don't know much about how Ripper works, but it does infect format.com and unformat.com. To check a PC is clean, we system format a floppy and see if Ripper appears on it. Have tested the clean by re-booting over 30 times without Ripper re-appearing, but not at all convinced we've seen the last of it.

In article <0018.9401101418.AA00414@bull-run.ims.disa.mil> MILAMC@vaxa.cis.uwosh.edu (Charles R. Milam - UW-Oshkosh) writes:
>From: MILAMC@vaxa.cis.uwosh.edu (Charles R. Milam - UW-Oshkosh)
>Subject: Need info on "RIPPER" virus. (PC)
>Date: 29 Dec 93 20:33:41 GMT

>Greetings All,

>I'm a microcomputer technician with Academic Computing at the University
>of Wisconsin-Oshkosh. We recently encountered the "RIPPER" virus, both
>in student IBM PC labs and shared student/faculty machines.

>The only software that was able to detect and clean this virus was F-PROT
>2.10C (December 1993.) It should be noted that this virus infected both
>bootable and _non-bootable_ fixed and floppy disks.

>"Ripper" shows up in F-PROT's listing of new viruses, but there's no
>information available on it.

>Does anyone have any information/experience with this particular virus?
>What damage does it do (Besides mess with Windows 3.1's 32-bit disk access)?
>Is it a time bomb? If, so when does it "detonate?"

>Thanks,

>Charles R. Milam
>University of Wisconsin-Oshkosh
>Academic Computing
>(414) 424-2309
>milamc@vaxa.cis.uwosh.edu
>milamc@oshkoshw.bitnet

------------------------------

Date:    Tue, 11 Jan 94 10:57:09 -0500
From:    "David M. Chess"
Subject: re: Possible Windows-specific virus (PC)

> From: gooley@netcom.com (Mark.
Gooley)

> I started up Windows 3.1 this morning to find that it could read no
> group configuration files except the one for Games -- it claimed that
> the others were corrupted.

> I installed the anti-virus software from IBM's PC-DOS 6.1: running
> IBMAVD gave the message "Stack overflow!" and IBMAVSP hung after the
> initial banner.

Turn the machine off, boot it from a write-protected and known-clean DOS boot diskette, then run IBMAVSP off of the last installation diskette (also write-protected!). That way at least you'll know that the program you're running hasn't become infected, and the virus is not active in the system.

- - -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date:    Tue, 11 Jan 94 11:02:24 -0500
From:    "David M. Chess"
Subject: re: Help in removing Monkey virus from hard disk (PC)

> From: warrenw@tekig6.pen.tek.com (Warren Woo)
>
> I used scan109 and F-prot 2.10c to detect the virus. F-prot
> and killmonk.exe appear to have gotten rid of the virus
> from my floppies (clean109 does not work), but I am having
> difficulty in removing the virus from my hard disk.

If you boot a machine with a Monkey-infected hard disk from a clean floppy, the hard disk won't be visible (since the Monkey puts down an invalid partition table in the master boot record). Do *not* use FDISK /MBR in this situation, as it will make the messed-up partition table permanent. Anti-virus programs should still be able to scan and repair the infected master boot record. I don't know how you'd do it with F-PROT, but (assuming it's the usual Monkey virus) with IBM AntiVirus, you'd run "IBMAVSP" from the install diskette, and tell it to check all local fixed drives. It should then find the virus in the MBR, locate the original MBR (with a valid partition table), and put it back. The machine should then reboot correctly from the hard disk.
(A hacker with DEBUG and a knowledge of the virus should also be able to do it by hand if all else fails...)

- - -- -
David M. Chess                / "In the long run, life depends less on
High Integrity Computing Lab  / an abundant supply of energy than on
IBM Watson Research           / a good signal-to-noise ratio." - Dyson

------------------------------

Date:    Tue, 11 Jan 94 18:05:10 -0500
From:    hitcmap@nebula.syscon.hii.com
Subject: Virus as it relates to Netware (PC)

Hello Everyone!

This may be a fact, but since I do not post here on a regular basis please excuse this question.

without. These clients all access Novell Netware fileservers. The majority of servers are running 3.1x of the OS.

My question is first, are there any proven viral strains that can affect a Novell Netware 3.1x file server and ABEND it or destroy the data on the actual Netware volumes? If so, what Anti-virus software should I be using to prevent these strains? We use Cheyenne Arcserve today and would prefer to use InnocuLAN if it is viewed as being a good solution by this list.

Second, what are the recommended anti-virus software for Netware. How do these products impact server performance, client performance, compatibility issues.

Any comments, recommendations will be greatly appreciated!!

With best regards. . .

Mike
================================================================================
Michael A. Passineau, Systems Analyst
Harnischfeger Industries, Inc.
INTERNET: mpassineau@hii.com
================================================================================

------------------------------

Date:    Wed, 12 Jan 94 01:46:49 -0500
From:    "Roger Riordan"
Subject: Ripper Virus Description (PC)

There has been a lot of discussion recently about this virus, which is apparently spreading rapidly in Europe, and now the US.
We have not seen any good description of what it does, and in response to a query from a customer Jakub (who does most of the disassembly here) has prepared the following notes:

Ripper [Jack Ripper] virus.

This is a boot sector virus that infects the DOS Boot Sector on floppies and the Master Boot Record on the hard disk. The virus is two sectors long. The first sector, which replaces the normal boot sector, contains two encrypted messages, but has the normal drive parameter block, and error messages, so that it looks fairly normal when viewed with a hex editor.

When it infects a floppy the virus puts this sector at track 0, side 0, sector 1 (ie DOS Boot Sector) and puts the second sector and a copy of the original Boot Sector into the last two sectors of the root directory. So up to 32 files can be lost if a floppy with a full root directory becomes infected with the Ripper virus.

When it infects a hard disk the virus puts the first sector at track 0, side 0, sector 1 (the Master Boot Record) and the 2nd sector, followed by the original MBR, into track 0, side 0, sectors 8 & 9 (which is normally an empty area).

The first sector contains the two encrypted messages: "FUCK'EM UP!" and "(C) 1992 Jack Ripper".

When a PC is booted from an infected disk (hard or floppy) the virus installs itself in memory (decreasing top of memory by 2Kb) and intercepts Int 13 (the BIOS disk access). The virus is stealthed (so that the infected BS cannot be seen if the virus is active), and on every disk access it checks the boot sector if it is more than two seconds since the last check, or if the current drive has changed. Thus the virus should infect every disk accessed, and quickly thwart any attempt to remove it while it is active.

The virus contains an extremely nasty warhead which causes insidious damage to data.
On every write operation it fetches the timer tick count, ANDs it with 3FFh, and if the result is zero it swaps a randomly chosen word in the second half of the write buffer with the following word. On average corruption will occur on one write in 1024.

This type of damage is particularly nasty as any type of file, or system areas including FATs and directories, can be damaged, and the damage may not show up immediately. If the FAT is affected files may become cross-linked. On a stacked drive serious (and probably irreparable) loss of data could occur very quickly.

VET#7.54 will detect the virus and automatically clean infected disks. If the virus is already active when VET is run VET can detect and disable the memory resident part of the virus and then successfully restore the clean original MBR.

Roger Riordan                           Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                          Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA  Fax: +613 521 0727

------------------------------

Date:    Wed, 12 Jan 94 03:18:19 -0800
From:    Johnson_B.MARL@rx.xerox.com
Subject: FORM virus on OS/2 v2.1 (PC)

Help required after inadvertently booting an OS/2 v2.1 PC running HPFS only (NOT Bootmanager) with a DOS floppy infected with FORM. The usual, forgot to remove the floppy from the previous day :>(.

The PC is a COMPAQ DESKPRO 386/20E, with 16M memory, 40M C drive and 150M D drive. Currently cannot see either hard drive.

Booted the PC from the vendor's floppy, tried to restore the HPFS boot sector using SYSINSTX.COM but it did not work - some file must be missing/corrupted or the drive(s) are totally knackered.

Cannot run my DOS version of McAfee's CLEAN because the PC is in OS/2 and booting the PC into DOS then running CLEAN would probably not work and I do not have the OS/2 version of CLEAN.

All programs and files on the PC are expendable so I am treating this as a learning session :>). Any suggestions aside from reformat the hard drives?
You can reply directly to Brian_Johnson.Marl@rx.xerox.com and I will summarise the responses if appropriate for this DL.

Thanks in advance for your help!

Brian Johnson

------------------------------

Date:    Wed, 12 Jan 94 08:21:39 -0500
From:    "David M. Chess"
Subject: re: FORM virus on OS/2 v2.1 (PC)

You should be able to use the IBM AntiVirus Standalone Program (IBMAVSP) from either IBMAV/DOS or IBMAV/2 (it's a Family App, and runs under both DOS and OS/2). As long as the virus and the operating system haven't started to interact in nasty ways, it should be able to restore the original system boot record from where the virus stashed it.

It may be, on the other hand, that the virus has already damaged the filesystem beyond easy recovery; the FORM assumes that all bootable partitions are FAT-formatted, but it doesn't check to make sure. So it will have overlaid a couple of basically-random sectors on the hard disk with a copy of the original boot record, and half of its own code (the part not stored in the boot record). These sectors may be unused space (if you're lucky), or (if you're less lucky) part of the data for a file, or a filesystem data structure. It will also have tweaked a few bytes in what it thinks is the file allocation table, but which is in fact something else (again, basically at random).

Once you've apparently removed the virus (using SYSINSTX or IBMAV or some other anti-virus), and a reliable scanner says that the system is clean, run a CHKDSK against the bootable partition and see if that finds any filesystem damage. Also check the contents of important files to make sure the virus hasn't accidentally corrupted them.

If you're unlucky and the virus has corrupted the filesystem, you may not be able to make the system bootable/usable even if you can restore the system boot record. In that case, I'd recommend re-installing OS/2, and having it format the partition on the way in.

Hope that's helpful!

- - -- -
David M.
Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date:    Wed, 12 Jan 94 13:56:29 -0500
From:    jimb@neu-a.dnd.ca (Jim Bureaux)
Subject: Re: SCAN 109 FALSE POSITIVE (PC)

Martin@salig.demon.co.uk (Martin Overton) writes:
>From: Martin@salig.demon.co.uk (Martin Overton)
>Subject: SCAN 109 FALSE POSITIVE (PC)
>Date: 31 Dec 93 14:43:14 GMT

>We have stumbled across a 'false positive' when using the /A
>option with SCAN 109 on PC's with IBM DOS 3.3. This may also
>affect other 3.3 versions of MS-DOS and it's derivatives.

>The 'false positive' is the MODE.COM file, and SCAN 109 reports
>that it contains the 1008-B Dropper [1008Drop] virus.

>If the /A (Scan ALL Files) switch is not used no 'false positive'
>is experienced.

>This has been reported to McAfee in the States, but, they say they
>have not had this 'bug' reported previously. They also mentioned
>that they had NOT tested 109 on a PC with IBM DOS 3.3.

[ remainder deleted]

We had this problem scanning Epson Equity III Plus PCs with Epson DOS 3.3 (end Nov 93). We passed the info to McAfee via e-mail at that time. I don't remember the address and the individual who sent the mail is away from the office. The McAfee rep responded saying that they were investigating it as a possible false positive. Nothing heard since.

------------------------------

Date:    Wed, 12 Jan 94 19:54:02 -0500
From:    RICKMCBROOM@delphi.com
Subject: help - erased hard disk? (PC)

A friend of mine has had his PC incapacitated by the Stoned virus, and he's asked me to post a message on his behalf.

If he tries to boot from C: drive, he gets a "BAD OR MISSING COMMAND INTERPRETER" message. If he boots from a floppy and tries to access drive C:, he gets an "INVALID DRIVE" error.

What is his next step? Will McAfee's Clean program work, since the system is apparently unable to read the hard drive? Has anyone else out there successfully recovered a hard drive from the Stoned virus?

Any help will be greatly appreciated.
Thanks!

------------------------------

Date:    Thu, 13 Jan 94 08:21:23 -0500
From:    am@unidoct.Chemietechnik.Uni-Dortmund.DE (Andreas Maylaender)
Subject: Can't load NETSHLD 1.56 (can't find IsColorMonitor)

I can't load the NETSHLD module (Ver 1.56/ McAfee). I know it is the right version for Novell NetWare v3.11 and I loaded SPXFIX2.NLM before NETSHLD.NLM.

So, this is the way I tried to load NETSHLD.NLM:

load SYS:SYSTEM/ANTIVIR/NETSHLD
load

This is the reaction:

Loading module NETSHLD.NLM
NETSHIELD Version 1.56 December1, 1993
Loader cannot find public symbol: IsColorMonitor
Load file referenced undefined public variable.
Module NETSHLD.NLM NOT loaded

How can I solve this problem ?

Thanks in advance,
Andreas

- --------------------------------------------------------------------------
Andreas Maylaender              Universitaet Dortmund
                                Chemietechnik-Rechnergruppe
e-mail : am@chemietechnik.uni-dortmund.de
Tel.   : +49 (0)231-755-2633

------------------------------

Date:    Thu, 13 Jan 94 12:24:04 -0500
From:    maox7899@mach1.wlu.ca (Christine Mao u)
Subject: Do you know how to kill the Stone-4 Virus? (PC)

This is a cry for help. A friend of mine, Miss Wang, who lives in Toronto just had her computer attacked by the Stone-4 Virus. She has tried reformatting the hard disk, but still has not managed to kill the virus.

If anyone out there knows how to kill this virus or has some advice as to how to go about getting more information on this virus, please contact me

Christine Mao -- e-mail: maox7899@mach1.wlu.ca

Or please contact my friend, Miss Wang, directly at: (416) 928-0480.

Thank you. We look forward to hearing from someone soon.

------------------------------

Date:    Thu, 13 Jan 94 15:54:51 -0500
From:    snguyen@asturias.acs.uci.edu (Son Nguyen)
Subject: HELP with virus !!! (PC)

Help! I think we have a virus. Here's the haps: before locking the pc, we get the following message on the screen:

"((cc)) CCooppyyrriigghhtt 11998844,, 1199877 AAwwaarrdd SSooffttwwaarree IInncc..
AAllll RRiigghhttss RReesseerrvveedd*". Then the hard disk led stays on and the hard drive partition is completely lost. I've tried scanning with Mcafee's, Norton's, PCTools' and none of them found a virus. Any info would be greatly appreciated. - -- Son Nguyen snguyen@orion.oac.uci.edu ------------------------------ Date: Fri, 14 Jan 94 05:19:23 -0500 From: reeda@sun1.bham.ac.uk (Alan Reed) Subject: Telcom PT2 (PC) I have a user's PC that runs under DOS 6 and when CPAV is run this claims to find Telecom PT2 just after the memory scan and before the scan of files. On trying to remove this virus CPAV says 'disk error' and does not remove the virus. F-prot 2.10 does not detect any virus at all even when the system is booted from a clean DOS6 bootable disk. CPAV still thinks Telecom PT2 is present but I cannot infect a floppy disk. Has anyone else seen this effect and can advise me? ------------------------------ Date: Tue, 11 Jan 94 18:22:22 -0500 From: ghosh@cs.pitt.edu (Sunondo Ghosh) Subject: EMD Enterprises PC Armor Beta Test Survey (PC) I am posting this for someone without access to the internet. Please reply to them directly. Sunondo - ----------------------------------------------------------------------- FREE VIRUS & PASSWORD SECURITY SYSTEM !! Need beta testers for a new IBM compatible PC security product. Includes hardware based Password & Virus Protection, Virus Scanner, Restricted Directory Access, Hard Disk Repair, Hard Disk Lock, Keyboard Locking, User Usage Log, and Screen Blanker. Please note that these features are hardware based and do not require the use of any of the computer's conventional memory, thus leaving plenty of room for your programs!!! This cutting edge product will be given FREE to each beta tester (retail list $199.00). Beta testers should currently be working in a business that uses some means of computer security. 
Simply fill out the following survey and fax, mail, or Email to:

Fax: 717-235-1456
EMD Enterprises
6 Cardinal Drive
Glen Rock, PA 17327
Attn: Alan A. Gilmore, Director of Marketing
EMAIL Address: 70473.3260@compuserve.com

==========================================================================
HURRY !!! First qualified testers will receive FREE PC SECURITY SYSTEM !!
==========================Beta Testing Survey=============================

[ ] YES, I want to qualify for beta testing and a free security system!

Name:
Email address
  Compuserve:
  GEnie:
  America On Line:
  Internet:
  Other (specify):
Company:
Company address:
Number of employees:
What is the primary end product or service performed at this location:
Your principal job function:
Do you procure computer equipment?
What computer products do you plan on purchasing in the next year:
Are you a programmer? If yes, what languages:
Years of computer experience:

The PC security system will be tested on the following computer:
Type:
Hard disk(s) size:
RAM:
Operating system:
Network? If yes, type of network:

What computer security products do you or your company now use (include hardware and software products):

Where do you purchase computer products:
[ ] Manufacturer  [ ] Distributor  [ ] Reseller  [ ] VAR  [ ] System Integrator  [ ] Consultant  [ ] Superstore

What magazines do you read?
[ ] AI  [ ] BBS  [ ] Buyers Guide To Printers  [ ] BYTE  [ ] CD ROM  [ ] CD ROM WORLD
[ ] Compute  [ ] Computer Buyer's Guide  [ ] Computer Buyers Guide and Hand Book
[ ] Computer Craft  [ ] Computer Language  [ ] COMPUTER MONTHLY  [ ] Computer Shopper
[ ] Computer World  [ ] DATA BASE PROGRAMMING & DEVELOPMENT  [ ] DESKTOP VIDEO
[ ] DOS Resource Guide  [ ] DR DOBBS  [ ] EDN  [ ] Electronic Design
[ ] Electronic Engineering Times  [ ] FAX BUYERS GUIDE  [ ] Home Office  [ ] Info World
[ ] Lan Times  [ ] LAPTOP  [ ] Laptop Buyers Guide  [ ] Midnight Engineering
[ ] Network World  [ ] Nuts & Volts  [ ] ONLINE ACCESS  [ ] PC  [ ] PC BUYERS GUIDE TO WINDOWS
[ ] PC Catalog  [ ] PC Computing  [ ] PC COMPUTING  [ ] PC Home Journal  [ ] PC Laptop
[ ] PC Magazine  [ ] PC NOVICE  [ ] PC Sources  [ ] PC TODAY  [ ] PC Upgrade  [ ] PC World
[ ] PRINTERS  [ ] S/W DEVELOPMENT  [ ] SHAREWARE  [ ] The Computer Applications Journal
[ ] WINDOWS  [ ] WINDOWS AND DOS USERS GUIDE  [ ] Windows H/W and S/W for Graphics Comp
[ ] Windows Sources  [ ] Windows Upgrade  [ ] Windows User  [ ] WORD PERFECT

If you could have a PC computer product that is not currently available it would be...

===========================End of Survey==========================

Thank you for submitting the survey,

Alan A. Gilmore
Director of Marketing
EMD Enterprises

------------------------------

Date: Thu, 30 Dec 93 17:23:52 -0500
From: "Rob Slade"
Subject: 3.1 Antiviral reports - scanners (CVP)

BEGPAN9.CVP   931105

3.1 Scanners

OK. You suspect you have a virus. You have made what preparations you can. Let us look at what to do in light of the different ways this problem has come to your attention.

If you truly do have a virus, you probably have been alerted by a virus signature scanning program. Scanners, for all their faults, still account for the vast majority of virus infection alerts, as much as 90%, according to one study. Therefore, you probably even know the name of the virus. Thus, you may be in a position to call for help with that specific virus.
But, be careful. This type of request is made all the time on the nets, and the answer is always the same. Which scanner did you test it with? Which version of the scanner do you have (and is it up to date)? Have you confirmed this with another scanner?

The reason behind these questions is that all scanners do not use the same name for the same virus. In particular, some of the very popular commercial programs feel no need to correspond to anyone else. Therefore, the names they assign may be very arbitrary, and of no help to someone trying to help you.

Furthermore, all scanners are subject to "false positive" results. This is when a virus signature used in the scanner matches a string in a non-infected file. Most viral scanning programs use signatures that are worked out independently and, therefore, they work slightly differently. Therefore, it is a good idea to check the results of one scanner against another, or even more. Also, it is a good idea to ensure that you have the latest version of any given scanner, so that any problems previously noted may have been ironed out.

If you do a second test with an updated version of your scanner and it reports a different virus name, this is not unusual. Virus researchers, and scanner authors, have to give a virus *some* name when they receive it. They may later change the name when others are using a more suitable or standardized name.

In summary: if you are using scanning software, have more than one scanner around. In fact, it might be a very good idea *not* to standardize on a single product. If you have a very large company, you might license three different antiviral programs, each for a third of your computers. If the various scanners are distributed throughout the company, it is almost as good as having all three on each machine, since infections tend to occur in geographic clumps. Keep your scanners up to date, and when an alarm is raised, check it out with other programs.

copyright Robert M. Slade, 1993   BEGPAN9.CVP   931105

=============
Vancouver      ROBERTS@decus.ca     | Lotteries are a tax
Institute for  Robert_Slade@sfu.ca  | on the arithmetically
Research into  rslade@cue.bc.ca     | impaired.
User           p1@CyberStore.ca     |
Security       Canada V7K 2G6       |

------------------------------

Date: Tue, 04 Jan 94 12:47:46 -0500
From: "Rob Slade"
Subject: Other antivirals - activity monitors (CVP)

BEGPANA.CVP   931111

3.2 Other Antivirals - Activity Monitors

Scanners are still the most widely used of antiviral software, and result in by far the highest number of infections detected. When this happens, you usually get a name associated with the report of an infection. You may, however, have one of the other two types of antivirals, sometimes lumped together under the term "generic" antivirals, since they do not rely on a specific identification (and, indeed, cannot perform it). These are activity monitoring software and change detection software.

If you have activity monitoring software, you will likely have been told that a suspicious activity has been detected, or that a certain program has virus-like characteristics, or even simply that a certain program is infected with a virus. If a specific program is named, the easiest thing to do might be to get rid of it. Copy the program onto a disk first, so that someone qualified can study it. Then re-install the program from the original (or original backup) disks. There is a chance, and a fairly good one, that you still have other infected programs somewhere on your disk, but at least you have dealt with the immediate problem.

I said there is a good chance that other programs were infected: this is assuming that the alarm was valid and that the program named *was* infected. This is by no means always the case. Both activity monitors and change detectors are subject to "false positive" alarms. This occurs when the antiviral detects something similar to a virus, but which actually is not infected.

In the case of activity monitors, programs are being checked for suspicious actions. Viral programs will try to change other programs, or change the boot sector on floppy disks, or do "direct" writes to the hard disk (bypassing the operating system). The trouble is, other programs have valid reasons, sometimes, for doing the same thing.

If, therefore, it is inconvenient to replace the program, you will have to do some more investigating. What were you doing just before the alert? Were you using one program to delete another? Were you trying to format a floppy disk? Both of these will trigger some activity monitors. Were you changing some settings in WordPerfect? A number of settings cause the program to rewrite its own code, which will trigger alarms. So will setting up a new program with SETVER, a part of DOS 5 and 6. Utility programs will often set off all kinds of alarms.

Make a copy of the suspect program, and get it to a recognized researcher. Someone who knows the field can perform more sophisticated tests. One quick one, even if you don't replace the file, is to compare it for size with the original. Or, just get a really good scanner, and check things out.

copyright Robert M. Slade, 1993   BEGPANA.CVP   931111

==============
Vancouver      ROBERTS@decus.ca     | "Don't buy a
Institute for  Robert_Slade@sfu.ca  | computer."
Research into  rslade@cue.bc.ca     | Jeff Richards'
User           p1@CyberStore.ca     | First Law of
Security       Canada V7K 2G6       | Data Security

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 5]
****************************************
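Rob Slade's two CVP columns above make a point the MODE.COM report earlier in this digest illustrates: scanner vendors pick their signature strings independently, name the same virus differently, and a chosen string can occur in a clean file, so a single scanner's alarm should be checked against another product; his activity-monitor column adds a quick size comparison against the original file. The Python script below is an added illustration of those two checks, not code from the digest or any vendor; both scanner databases, the virus names, the "file" contents and the baseline sizes are constructed for the example.

```python
# Added illustration of cross-checking scanner alarms and comparing sizes
# against a baseline. All scanner names, signature strings, files and sizes
# are constructed for the example; nothing here is a real virus.

# Two hypothetical scanners: each vendor picked its own byte string from the
# same sample and gave it its own name, as the column describes.
SCANNER_A = {"Demo-1008 Dropper": b"MOV AH,4C; INT 21h"}
SCANNER_B = {"Sample.1008.B": b"CLI; PUSH CS; POP DS"}

# Constructed "files". VIRUS.COM carries both strings; MODE.COM is a clean
# utility that happens to contain scanner A's string (a false positive).
FILES = {
    "VIRUS.COM": b"JMP start; CLI; PUSH CS; POP DS; ...; MOV AH,4C; INT 21h",
    "MODE.COM": b"set display mode; MOV AH,4C; INT 21h",
    "EDIT.COM": b"plain editor code, no signature strings",
}

# Sizes recorded before the alert (constructed); an appending file infector
# leaves the infected program larger than its original.
BASELINE_SIZES = {"VIRUS.COM": 30, "MODE.COM": len(FILES["MODE.COM"]),
                  "EDIT.COM": len(FILES["EDIT.COM"])}

def scan(database, data):
    """Signature scan: every name whose string occurs in the file."""
    return [name for name, sig in database.items() if sig in data]

def cross_check(files, *databases):
    """Run each scanner over each file, count how many alarm, and keep
    every reported name so that differing names stay visible."""
    report = {}
    for fname, data in files.items():
        hits = [scan(db, data) for db in databases]
        report[fname] = {"scanners_alarming": sum(1 for h in hits if h),
                         "names": [n for h in hits for n in h]}
    return report

def unconfirmed(report):
    """Files flagged by exactly one scanner: a possible false positive
    until another product or a researcher confirms it."""
    return sorted(f for f, r in report.items() if r["scanners_alarming"] == 1)

def size_changed(files, baseline):
    """Slade's quick check: files that no longer match their original size."""
    return sorted(f for f, data in files.items() if len(data) != baseline[f])

if __name__ == "__main__":
    rep = cross_check(FILES, SCANNER_A, SCANNER_B)
    for f, r in rep.items():
        print(f, r["scanners_alarming"], r["names"])
    print("needs confirmation:", unconfirmed(rep), "size changed:", size_changed(FILES, BASELINE_SIZES))
```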