VIRUS-L Digest   Tuesday, 29 Mar 1994    Volume 7 : Issue 21

Today's Topics:

Re: Good Vs. Bad Viruses
Re: Good Vs. Bad Viruses
protection from virus in college labs
Security and Virus Policy
Re: Good Vs. Bad Viruses
good vs bad viruses
virus signatures of rare viruses
the current virus threat
Re: Intelligent detection
Help OS/2 Viruses (OS/2)
OS/2 and Virus's (OS/2)
McAfee virus programs (PC)
McAfee VSHIELD Interupt 21H Conflict (PC)
Possible coding error in JezzBall (windows, PC)
MSAV signature files via FTP? (PC)
Re: FORM problems (PC)
Re: New viruses (PC)
Re: Clean 111 & Mich. (PC)
NAV Update Files by FTP? (PC)
Re: Alternate infection method? (V-Sign) (PC)
Help! Monkey Virus (PC)
Re: DOS 6.X Anti-Virus (PC)
Mich Birthday... (PC)
A false alarm report (PC)
Michelangelo survey (PC)
Help with V-Sign? (PC)
Help! Monkey (PC)
Re: Removing the Form Virus (PC)
Re: Michelangelo (PC)
vds30j.zip - Anti-virus w/integrity checker, scanner & more (PC)
McAfee VIRUSCAN V113 uploaded to SimTel Software Repository (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 17 Mar 94 17:03:51 -0500
From: Mike Mattone
Subject: Re: Good Vs. Bad Viruses

I think that the people who design the virus-protection software are the ones inventing a majority of the viruses out there. If a new virus appears on the scene, you have to rush out and buy some software to protect your computer, right? Sort of a self-perpetuating business, huh?

-Mike Mattone

P.S. Just kidding, okay? I personally am *glad* some programmers work hard to design software to protect our information from those that wish to sabotage it. Kudos to you.

------------------------------

Date: Fri, 18 Mar 94 10:11:48 -0500
From: cholette@jsp.umontreal.ca (Cholette Martin)
Subject: Re: Good Vs. Bad Viruses

olpopeye@aol.com writes:
>This writer has followed the learned and not-so-learned discourse
>on "Good Viruses," "Bad Viruses," "Good vs. Bad Viruses" and
>all the surrounding rhetoric with emotions ranging from raucous
>laughter to gasps of disbelief.

I don't care what a virus does. If it changes something on a machine it can lead to problems. Even if the virus does nothing but append itself to a file, I don't like it. I don't go have surgery for the fun of it. Neither should virii.

Martin Cholette
cholette@jsp.umontreal.ca

------------------------------

Date: Fri, 18 Mar 94 12:37:11 -0500
From: jorvis@madonna.ec.usf.edu (Juliann Orvis)
Subject: protection from virus in college labs
Keywords:

I teach at a community college campus that has 80 computers connected through Banyan Vines as well as each station being used as intel term. We have been having a terrible time keeping our stations "clean" even though we require students to get their disks checked before entering the lab. Students have computers at home and at work that may be getting infected by our viruses or vice versa.
While we have not run into a lot of problems with viruses on our network, independent stations have been a constant area of concern. If those of you at any other campuses have had success with procedures implemented or other good ideas that would give us a better handle on this problem, it would be greatly appreciated. Thanks for whatever suggestions you might impart.

Juli in Tampa

------------------------------

Date: Fri, 18 Mar 94 13:06:23 -0500
From: trimm@netcom.com (Trimm Industries)
Subject: Security and Virus Policy

I am in need of a sample corporate virus / computer security policy document. If anyone can help, please post here or e-mail to me.

Thanks,

--
Gary M. Watson
Trimm Industries            Internet: trimm@netcom.com
North Hollywood, CA 91605   Compuserve 72242,3437
* Manufacturers of Disk/Tape Enclosures and Hot Swap Disk Array Enclosures *
* Views expressed here may not even be mine, much less Trimm Industries'!  *

------------------------------

Date: Sat, 19 Mar 94 11:20:02 -0500
From: Henrik Stroem
Subject: Re: Good Vs. Bad Viruses

Walter E. Murdock (olpopeye@aol.com) writes:

[...Stuff deleted]

>But despite these obvious disqualifications, allow me to pose the
> following test:
>
> 1. Is the **INTENT** of the perpetrator to cause me harm?
> 2. Is the **INTENT** of the perpetrator to cause me inconvenience?
> 3. Is the **INTENT** of the perpetrator to cause me loss of
> disk storage space (thus reducing the utility of my computer(s))?
> 4. Is the **INTENT** of the perpetrator to destroy my data?
> 5. (Add in your own tests here...)
>
>Then, if the answer to ANY of the above is YES, then the perpetrator
>is a criminal and should be dealt with as such. And, there is no
>sophomoric quibble about whether a virus is *harmful*. The answer
>then becomes obvious: *IF YES THEN ----* and so forth.....
>Has the above clarified these muddy waters?

I think you are missing the point. The discussion, as I have understood it is whether a virus is harmful by definition.
And the answer is yes, if any change to the system not approved by its user is defined as harmful.

If we look at your test above, there are many viruses which may not cause a YES to appear, and the virus-writer will then by your book not be a criminal because of the lack of intent.

The reason for discussing whether a virus is harmful by definition, or not, is so that we can rule out the above test. If a virus is defined as harmful, you will not have to prove intent. If you have to prove intent, you will most likely lose in a court of law. So the REAL issue is if it is OK to define "Changes made to a computer system without the permission of its users" as harmful. I think this is an acceptable definition.

A similar problem: Computer intrusion. It is possible to break into a computer system anywhere in the world, from your own home, or from work or school. It is also possible to not leave ANY traces what-so-ever about this intrusion. The only way to get caught is by having law-enforcement tapping the communication lines between the local and remote computer. Or by having them look over your shoulder while you perform the illegal act. In this case you can't argue that changes to the system were harmful because you did not ask permission beforehand. Instead you have a law making it a crime, no matter how much or little harm done. In many cases of computer intrusion the harm consists of being caught. The victim may not even have to know that there was a computer break-in, and any costs will then be a burden of the law-enforcement which must be paid for having caught the intruder.

The same should be the issue with computer viruses. It should be defined illegal by the law. Whether it is "harmful by definition" or not, is not important. Even if viruses are "mostly harmful", the law will do far more good than bad. I don't think we have much to lose by making it a crime to spread computer viruses.
If they have any scientific value at all, they should be studied by scientists with the proper knowledge and equipment, not by teenage "wannabe" programmers. You don't have to forbid the writing of viruses, but rather the (accidental?) release of those viruses. Whether you released the virus with intent or not shouldn't matter much.

Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 21 Mar 94 09:25:58 -0500
From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: good vs bad viruses

Brian Seborg
>As for Ktark (is this a leap or what?!) :-). My only comment is that
>you are seemingly proving the old adage "If you're going to be wrong,
>be loud!"

You or anyone in this group have yet to prove that I am wrong. It is common knowledge that virus infection and 'damage' figures are way out of proportion to scare users and sell more AV software.

>You have not refuted any of the arguments regarding "good"
>viruses, and if David Stang actually stated that most businesses would
>not be affected by viruses, that is probably because he is aware that
>most businesses fail. :-)

The David Stang quote was a serious one, pseudo-humour does not apply here. I hate to turn this into personal excursion into adolescence.. but since most businesses fail, then VDS leads the pack.. right? Isn't VDS a business after all? :)

>Those businesses that are on-going concerns,
>and which have PCs and networks will see a virus if they have not
>already. But this is not worth arguing over. The fact is, there is
>no such thing as a good virus in the wild. You have even admitted as
>much, end of argument.

I will like to see that.

>So, if you want to waste bandwidth by arguing
>the contrary, argue on, but know that the rest of us know the truth.
>:-)

There is no such thing as 'the truth.' If your statements are not supported by someone's knowledge or studies, then your truth is a particular one and might not have much in common with a universal truth.
You say 'There is no such thing as a good virus in the wild' Prove it!

------------------------------

Date: Mon, 21 Mar 94 09:26:26 -0500
From: vollmerm@fh-nuertingen.de (Michael Vollmer)
Subject: virus signatures of rare viruses

Hi comp.virus-guys,

does anybody know where to get signatures of rare viruses that common virus scanners do not search for, especially viruses in the European area? Please send an e-mail to vollmerm@fh-nuertingen.de.

All a virus-free time

Michael V.

------------------------------

Date: Wed, 23 Mar 94 11:09:27 +0000
From: cs90cwo@brunel.ac.uk (Christopher W Outtrim)
Subject: the current virus threat

I am carrying out a study of the current threat to computer systems, in particular stand alone PC's and PC networks. I am particularly interested in polymorphic viruses (eg. The Satan Bug) and the methods used to guard against and remove such viruses. I am interested in any comments or suggestions concerning this subject and also any suggestions as to how to get further information.

------------------------------

Date: Thu, 24 Mar 94 03:57:22 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Intelligent detection

I'm sorry my reply is a bit late, but I just came back from a short vacation...

iszucs@stwing.resnet.upenn.edu (Istvan Szucs) writes:

>one issue I haven't been able to settle to my satisfaction: extracting
>signatures automatically.

Assuming you have a virus, where extracting a search string is possible to begin with, and that you have been able to determine which areas of the virus contain constant program code, it is easy to extract a search string that will reliably detect the virus - the problem, as you know, is to extract one which does not cause any false positives.

The problem is that there is no single search string that is the "best" - on one hand, you might want a search string that was as generic as possible - using only code from some obscure part of the program ....
code that was likely to appear as well in other versions of the virus. Or, you might want a very specific search string, that would only identify this particular variant - Without knowing more about exactly what you want, it is difficult to suggest how to proceed.

-frisk

------------------------------

Date: Thu, 17 Mar 94 13:53:28 -0500
From: hervey@oregon.uoregon.edu (Hervey Allen)
Subject: Help OS/2 Viruses (OS/2)

I've been dealing with Macintosh and DOS viruses for some time, but recently we got a machine running OS/2 into our support center here at the University of Oregon. The owner of the machine thinks that it has a virus. My questions to anyone out there are, "Are there any OS/2 specific viruses ?", and "Can you point to a file on the network that might talk about such viruses?"

The following is a description of what's been done with the machine -

The problem is that when it attempts to boot off of the hard drive you get a screen full of multi-colored flashing ascii-text characters. I can get the machine to boot off the A: drive with a DOS disk (the OS/2 volume is not using HPFS). I've scanned it for viruses, I've run NDD, nothing seems to be wrong with the machine. So I assume the problem is with one of the OS/2 start up files. If anyone has dealt with anything like this, or if this really sounds like corrupt OS/2 startup files any advice or info that comes my way would be greatly appreciated.

Thank You in Advance!

===========================================================================
| Hervey Allen                      /  Phone:  (503) 346-4412            |
| Microcomputer Support Specialist  \  FAX:    (503) 346-4397            |
| Computing Center                  /  Office: (503) 346-0940            |
| University of Oregon              \                                    |
| Eugene, OR 97403-1202             /  e-mail: hervey@oregon.uoregon.edu |
===========================================================================

------------------------------

Date: Wed, 23 Mar 94 12:55:19 -0500
From: sirtwist@csuohio.edu (Brian J. Geregach)
Subject: OS/2 and Virus's (OS/2)

Looking for any information on how virus's affect the OS/2 environment.

Thanks

Sirtwist

------------------------------

Date: Thu, 17 Mar 94 16:56:55 -0500
From: Mike Mattone
Subject: McAfee virus programs (PC)

Can anybody tell me where I can find the shareware versions of the McAfee virus protection programs, SCAN, CLEAN and VSHIELD? I looked at wuarchive.wustl.edu but they've made so many changes to their system since I last looked there that I can't find *anything* anymore.

I'd prefer e-mail rather than a follow-up post because I rarely have a chance to check netnews, but I will make a point of it now that I have asked this question. So, feel free to respond in whatever manner seems most appropriate to you.

Thanks for any info you may have...

-Mike Mattone

------------------------------

Date: Fri, 18 Mar 94 10:59:22 -0500
From: "S. Brian Suddeth USAISSC"
Subject: McAfee VSHIELD Interupt 21H Conflict (PC)

I work in a computer software test center, and have gotten volunteered to work on the anti-viral software in use by the Army. Currently we are under license to use the McAfee products. One of the users forwarded a problem, and I have seen nothing in the VSHIELD documentation that provides a clue as to what to do about it. I've also not duplicated the problem, so I can't even verify the accuracy of the problem reported. I wanted to see if anyone else had any ideas about it.

PROBLEM FROM USER:

"It has recently come to our attention that there is a problem running a system compiled with the Alsys 32-bit compiler on a computer running VSHIELD. The problem is both Alsys and VSHIELD at runtime are modifying the same interrupt which is 21H. The result is a system using the VSHIELD and Alsys 32-bit mode will occasionally lock up. Can anyone help with this?"

I must assume that the Alsys is his Ada compiler, and it is blowing when he is running some application he developed in Ada.
He didn't mention what version of VSHIELD is in use.

Anyone have any ideas? Is there a way to change the interrupt vectors that VSHIELD uses?

"Making Quality Software Happen"
** FROM: S. Brian Suddeth - UNIX Lab Admin. 703-285-6101 **
* IN VA 800-468-7783 OUTSIDE VA 800-626-3206 DSN 356-6101 *
* USAISSC ESSD GPCSD (Gen. Purpose Comp. Support Division) *
** Attn: ASQB-IES-G; Stop H-14; Ft. Belvoir, VA 22060-5456 **
** END NOTE **

------------------------------

Date: Fri, 18 Mar 94 20:02:34 +0000
From: olympian@mentor.cc.purdue.edu (Alan D. Tegel)
Subject: Possible coding error in JezzBall (windows, PC)

Hi,

My parents last week (3-7) bought a new computer and I found a neat windows game called JezzBall. Well, my 13-year old sister and I got into a competition and ran up the score. Well, I had to work the next day; however, she continued on and played all night.

When I came back to college my parents called and said they were having problems with the game she was playing. She said she would reach a very high score and then lo and behold the whole screen would turn into Japanese letters. Being a typical American and only knowing English. This turned out to be a problem.

Are there any viruses out there that would be specific like this? My parents are clueless about computers; however, I guided them over the phone about the using a cheap alternative to anti-viral software, MSAV, However, it wouldn't faze me if this missed it. I have f-prot211.zip, but I can't get it to them yet.

Does this sound like a virus or a software bug?

Thanks for any and all help.....

Al

GO PURDUE.......Destination Final Four.....

--
Alan D. Tegel @ Purdue University |"When written in Chinese the word crisis is
olympian@mentor.cc.purdue.edu     |composed of two characters. One represents
|-> tegelad@.cc.purdue.edu <--|   |danger and the other represents opportunity."
|---consultant account(s) ----|   |                         -John F. Kennedy

------------------------------

Date: Mon, 21 Mar 94 09:23:36 -0500
From: mm94jony@sirius.ru.ac.za (YALUSA JONGIHLATI)
Subject: MSAV signature files via FTP? (PC)

Could someone please tell me if the MSAV signature file for Viruses can be downloaded via FTP and if so, could you please E-Mail it to me.

Thanks

Yalusa M. Jongihlati

------------------------------

Date: Mon, 21 Mar 94 09:25:35 -0500
From: nvankest@rodan.syr.edu (Nancy L. Van Kesteren)
Subject: Re: FORM problems (PC)

"Gretchen King Ryan, Development" writes:
>I am
>a new internet user and am still quite confused about getting around.
>Briefly, we can't seem to get rid of Form in our office and lately it
>appears to be getting more virulent. Is this possible? Vsafe and
>Norton's don't always catch it. Lately, they can't repair it!
>We have lost a heck of a lot of data on floppies. In my opinion
>this virus should be taken quite seriously.

I had the Form virus in both my office computer and home computer about 4 or 5 months ago.... You can get rid of it by running Norton Utilities AntiVirus software. It seemed to be the only software I could find that would "kill" this virus......it worked.

Nancy
Internet: Nvankest@rodan.syr.edu
E-mail: Nvankest@mailbox.syr.edu

------------------------------

Date: Mon, 21 Mar 94 13:33:18 -0500
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: New viruses (PC)

Greg Merideth writes:
>Isn't it possible that it is going to get rather difficult in the near
>future to make a virus that cannot be detected?
>
>If a virus accesses the disk, there's a checksum, if it searches for a
>com file, there's a checksum, overwrites a boot partition, there's a
>checksum, there's not much left to do.

Yes there is. One example: Slow-viruses. But most people don't have the antivirus setup you describe, so even the simplest new infectors may hurt them.

But even with the "perfect" setup there are holes. At least as long as you need to actually USE your computer.
Stop using it, and it can be secured 100%. A near 100% might also be accomplished by making the computer very hard to use, e.g., by installing some extreme integrity-checking, combined with hardware-monitoring asking for permission to ALL changes inflicted upon the system while it is used. You would need to permit only those changes that are not performed by a virus, so this would be rather hard.

User-friendly computers are often most likely to be infected. Not only because such a computer will be used more than one that is hard to use, but also because the programs making the computer user-friendly impose security-holes.

The most realistic solution for most of us is to use antivirals.

Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 21 Mar 94 13:48:57 -0500
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: Clean 111 & Mich. (PC)

c9219517@sage.newcastle.edu.au (Scott Howard) writes:
>woody@knapper.cactus.org wrote:
>: that I tried. Clean should have enough brains to be able to
>: inactivate Mich in memory, or at least know that once it cleaned it
>
> Considering that there are often dozens of mutations of each virus, it
> would be almost impossible to write a program that could actually
> deactivate all of them from memory, and even if it could, it would still
> have no way of safely de-activating new strains.

Sorry, but you are wrong. It is indeed possible to disable a virus in memory without knowing much about it. It is hard to claim that this will work for all viruses, but this is not necessary either. It is possible to disinfect without de-activating.

>: and you rebooted, that the active in memory portion would no longer be
>: a threat. But No, it can't do that.
>
> The problem with this idea is that the moment clean actually removes
> the virus from the disk, the copy of Michelangelo in memory re-infects
> the disk again, leaving you right back where you started!!
This is because clean is not supposed to be run when a virus is active in memory. This doesn't mean that another, smarter, program can't run when the virus is active in memory. It is of course preferred to boot off from a floppy when disinfecting, but this is not always possible.

Henrik Stroem
Stroem System Soft

------------------------------

Date: Mon, 21 Mar 94 14:51:27 -0500
From: dpatel@menger.eecs.stevens-tech.edu (Dilan Patel)
Subject: NAV Update Files by FTP? (PC)

Is there any way that one can get NAV 3.0 update files directly off an internet site? If so, can someone please tell where I can get the updates? I would appreciate any help. Please e-mail me with any info.

Thanks,

Dilan
dpatel@menger.eecs.stevens-tech.edu

------------------------------

Date: Mon, 21 Mar 94 20:25:06 +0000
From: kenney@nb.rockwell.com (Kevin Kenney)
Subject: Re: Alternate infection method? (V-Sign) (PC)

> Boot infectors work in non-booting floppies the same way as in boot
>floppies! Read the FAQ! Non-booting floppies have a boot sector, which
>contains a small dummy program that merely prints out "This floppy is not
>bootable", and can be infected same as any other boot sector.

I know the above. I also know that boot sector viruses are often larger than the boot sector, with the 'body' of the virus being elsewhere. In V-Sign's case, I've been told this 'body' resides in the directory table area. My comment was if this 'body' was in the data area, and corrupted a file, the 'body' could be written so as to infect a system if the corrupted file was run.

I'd read the FAQ if it were ever updated! It's two years old! It should keep people up to date, instead of just giving basic definitions.

=========================         KILL THE PARANOIDS
A Public Service Message,         making paranoids happier,
All standard disclaimers: apply!  by letting them know that they are right.
:o -> :> kenney@nb.rockwell.com

------------------------------

Date: Mon, 21 Mar 94 18:08:57 -0500
From: umdougl6@cc.umanitoba.ca (Bruce Andrew Carl Douglas)
Subject: Help! Monkey Virus (PC)

Hello.

My Father brought home 4 infected floppies from his school. I was using McAfee's VSHIELD (v108) and it detected it. McAfee SCAN 9.19 v108 later identified it as the Monkey virus located in the boot sector of his floppies. MSAV (bundled with MS-Dos 6.2) also reported the monkey virus. However, neither of the cleaning programs with these two packages worked.

I used the FDISK /MBR command on one of the floppies, and I was given the message PACKED FILE CORRUPT. After that, I switched to the C:\ drive and rescanned the floppy. It was reported clean.

Now, here's the problem...according to MS-Dos, the floppy is unformatted. I ran Norton Utilities Disk Tools, and put the new format information on the disk, but again it didn't work. Is this typical of the monkey virus? Is there a way to retrieve the files on the floppy?

Many TIA,

umdougl6@cc.umanitoba.ca

------------------------------

Date: Tue, 22 Mar 94 01:48:55 -0500
From: Fred Houlihan
Subject: Re: DOS 6.X Anti-Virus (PC)

I subscribed to the IBM update service and received a diskette with the signature file for the IBM Antivirus update 1.04 this past Saturday. It immediately detected 2 probable viruses on my system that V1.02 missed. But this diskette was cut in November and a number of viruses have originated since then. I'd feel more comfortable with something more current.

I am considering buying the Norton antivirus program. I witnessed Norton support in January when a co-worker's system became infected. He called Norton and after describing the symptoms they determined it was the v-sign (sp?) virus and they had just added it to their signature file on Jan 14. He downloaded it and was able to recover from it all in a couple of hours.
Meanwhile I am still in big trouble dealing with both Central Point and IBM and my system is still sick. IBM says to call back tomorrow, plus I am dealing with Central Point via their BBS and have heard nothing back yet.

There are only 2 sources where this virus could have come from: my installation of Central Point V2 for Windows or the IBM Antivirus update. I purchased CP Tools from them directly and received the IBM diskette in the mail from my paid subscription. I have no bootleg software or freeware on my system.

Fred Houlihan - 814-238-4123, Fax: 814-238-1604, Compuserve:73532,2110

------------------------------

Date: Sun, 13 Mar 94 16:31:03 +0200
From: Rob_Vlaardingerbroek@f4.n9931.z9.virnet.bad.se (Rob Vlaardingerbroek)
Subject: Mich Birthday... (PC)

Hello Nemrod,

> It seems that the 4th birthday of Michelangelo was
> not a big thing to the
> media this year but seems that this virus is not yet
> dead.

Well as it was a Sunday, we only got 4 reports in from Holland and Belgium.

> Seems that old viruses are not yet dead and we should
> still keep our eyes
> opened and USE our anti-viruses regularly.

Well, as they are not really alive, they can't die. Wordperfect 4.0 is also still working :-) And I even run software made in 1988 up here, it will not die either, but can be deleted of course.

I am amazed though to see the number of infections in Israel, but then it is a working day also up there. Nice info, thanks....

Groetjes,

Rob Vlaardingerbroek

--- GEcho 1.01+
 * Origin: Virus Research Centre Holland (9:9931/4)

------------------------------

Date: Thu, 24 Mar 94 09:20:41 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: A false alarm report (PC)

I just checked a file named DELAY.EXE, in a file named imagepro.zip, which is available on most major FTP archive sites. This was because according to a report I received, an anti-virus program (VirHunt 4.0c) reports a NMAN virus in that file. This is incorrect - the file is NOT infected.
I do not know what program this VirHunt is, or if this has been fixed, but if not, then the producers should fix it right away....

-frisk

------------------------------

Date: Thu, 24 Mar 94 09:27:43 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Michelangelo survey (PC)

The results of my totally unscientific Michelangelo survey were as follows:

I got 19 useful replies, reporting activation on 1-20 machines, for a total of 59 machines. Most of the replies came from the US....only 3 (one machine each) came from elsewhere (India, South Africa, Germany).

This doesn't really mean anything - but probably we will see a lot more activity on March 6th next year, which does not fall on a weekend, like this year.

-frisk

------------------------------

Date: Thu, 24 Mar 94 11:05:47 -0500
From: jbakan@opal.tufts.edu
Subject: Help with V-Sign? (PC)

Can anyone help me figure out the following:

A 486DX2-66 began to show some memory problems with loading tsr's and drivers high. At first it appeared that programs loaded high were somehow migrating to conventional memory after running Windows apps. Then, at boot, most programs were failing to load high (a couple did, however). A scan with F-Prot version 211 showed the presence of V-Sign (in the MBR I think). It was subsequently removed with F-Prot. The inability to load high, however continues, even if booted from a clean floppy. Again, this is not a total failure to load high, a couple of small apps do load high, but most only load in conventional memory. The machine scans as clean with F-Prot and Viruscan.

What does V-Sign do? How is it propagated? Are the continuing memory problems due to V-Sign, or do I have another (possibly hardware) problem?

Any advice would be appreciated.

Joe Bakan
jbakan@opal.tufts.edu

------------------------------

Date: Thu, 24 Mar 94 13:16:45 -0500
From: umdougl6@cc.umanitoba.ca (Bruce Andrew Carl Douglas)
Subject: Help! Monkey (PC)

Hello.
My Father brought home 4 infected floppies from his school. I was using McAfee's VSHIELD (v108) and it detected it. McAfee SCAN 9.19 v108 later identified it as the Monkey virus located in the boot sector of his floppies. MSAV (bundled with MS-Dos 6.2) also reported the monkey virus. However, neither of the cleaning programs with these two packages worked.

I used the FDISK /MBR command on one of the floppies, and I was given the message PACKED FILE CORRUPT. After that, I switched to the C:\ drive and rescanned the floppy. It was reported clean.

Now, here's the problem...according to MS-Dos, the floppy is unformatted. I ran Norton Utilities Disk Tools, and put the new format information on the disk, but again it didn't work. Is this typical of the monkey virus? Is there a way to retrieve the files on the floppy?

Many TIA,

ps. any other info on the Monkey virus would be appreciated as well.

umdougl6@cc.umanitoba.ca

------------------------------

Date: Thu, 24 Mar 94 15:03:28 -0500
From: keith.watson@stucen.gatech.edu
Subject: Re: Removing the Form Virus (PC)

>Date: Wed, 16 Mar 94 09:45:49 -0500
>From: Steve Bonds (007)
>Subject: Removing the Form Virus (PC)
>
---- stuff deleted
>*Preventing the previously infected computer from booting from a floppy*
>
> Most newer BIOSes have an option to boot only from the hard disk. If you
> do not have such a BIOS, I strongly suggest that you upgrade.
---- stuff deleted
>
>Good luck!
>
> -- Steve Bonds
>
>------------------------------

This method does not work if you are using a SCSI controller, or for any other type of controller that has its own built-in BIOS. How can you tell? Do your controller installation instructions tell you to set your system CMOS to no hard drives installed? If this is the case the "Boot from C: then A:" in CMOS will not work as the system thinks it has no hard drive. The controller's BIOS isn't accessed until after the test for an attached hard drive by the system BIOS.
Such a bummer too:( All our machines have SCSI drives. If anyone knows of a solution, please let me know.

Keith R. Watson
Systems Administrator
S.C./Auxiliary Enterprises
Georgia Institute of Technology, Atlanta Georgia, 30332-0453
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet: keith.watson@stucen.gatech.edu
Phone: 404-894-2523
GIST: 222-2523

------------------------------

Date: Thu, 24 Mar 94 20:27:56 +0000
From: amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Re: Michelangelo (PC)

There were two posters asking about Michelangelo in the latest virus-l ...

William D Sands, , writes:
>
> ... A friend of mine had his harddrive infected
> with the Michelangelo virus last week. I have plenty of
> software with which to disinfect his harddrive and floppy
> discs, but my question is: Is there any way to recover any of
> the data which was present on the harddrive, or is the only
> alternative to reformat the harddisk ...

If Michelangelo has activated, (ie booting the PC on 6 March), then it will overwrite most of your data. Recovery may be possible, but expensive, ask OnTrack, (they usually have an advert in Byte). If you decide not to recover the data this way you should use Fdisk and then Format to prepare your hard drive, and reinstall, (your DOS user guide should explain this). Some people use software such as Disk Manager to partition their hard drives, in which case refer to your documentation.

If the PC is infected but not damaged you can use an antivirus program to 'disinfect' without damaging your data, (unless the antivirus s/w is faulty).

Hope this helps,

--
Anthony Naggs                              Paper mail:
Hat 1: Software/Electronics Engineer       PO Box 1080, Peacehaven,
Hat 2: Computer Anti-Virus Researcher      East Sussex BN10 8PZ
PGP: public key available from keyservers  Great Britain
Email: amn@ubik.demon.co.uk                Phone: +44 273 589701

------------------------------

Date: Mon, 21 Mar 94 09:25:04 -0500
From: tyetiser@gl.umbc.edu (Mr. Tarkan Yetiser)
Subject: vds30j.zip - Anti-virus w/integrity checker, scanner & more (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

pub/msdos/virus/
vds30j.zip      Anti-virus w/integrity checker, scanner & more

VDS 3.0j is a comprehensive anti-virus package with a robust integrity checker, a fast scanner, a generic cleaner, a decoy launcher, and much more. It has excellent Netware support (not just compatibility), easy installation (and de-installation), readable documentation, and an object-oriented user interface. This is the ShareWare edition of the military-grade Pro release.

vds30j.zip has replaced vds30g.zip.

Uploaded by the author.

Tarkan Yetiser
VDS Advanced Research Group
tyetiser@umbc8.umbc.edu

------------------------------

Date: Wed, 23 Mar 94 18:00:07 -0500
From: aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VIRUSCAN V113 uploaded to SimTel Software Repository (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

pub/msdos/virus/
clean113.zip    CLEAN-UP 9.24V113 virus remover for PC's/LAN's
scanv113.zip    VIRUSCAN 9.24V113 scans PC's/LAN's for viruses
virdt113.zip    NETSHIELD VIR.DAT V113 virus signature update
vshld113.zip    VSHIELD 5.57V113 virus prevention TSR for PC's
wscan113.zip    WSCAN V113 Windows version of VIRUSCAN

This release of the VIRUSCAN series adds detection of 13 new viruses and 15 variants of existing viruses, bringing the total number of known viruses to 1,890, or counting variants, 2,847. Also fixed in this release is the DiskWasher [GenB] false alarm on some PC's with certain versions of Phoenix Technologies' ROM-BIOS (which are OEM'ed in Europe by Siemens and Olivetti, apparently). CLEAN-UP adds removers for the Arusiek and Tamper viruses.
VALIDATE VALUES

CLEAN FOR OS/2 V113    (OS2CLEAN.EXE) S:333,104 D:03-17-94 M1: 8F29 M2: 1B9E
CLEAN-UP 9.24V113      (CLEAN.EXE)    S:196,853 D:03-17-94 M1: FA39 M2: 005F
NETSHIELD V113         (VIR.DAT)      S:71,441  D:03-14-94 M1: FF42 M2: 1818
SCAN FOR OS/2 9.24V113 (OS2SCAN.EXE)  S:241,568 D:03-17-94 M1: C742 M2: 1F90
SCAN FOR WINDOWS V113  (WINSTALL.EXE) S:19,606  D:03-17-94 M1: 1B41 M2: 15C2
SCAN FOR WINDOWS V113  (WSCAN113.EXE) S:76,868  D:03-17-94 M1: CCBE M2: 0EF5
VIRUSCAN SCAN 9.24V113 (SCAN.EXE)     S:164,046 D:03-17-94 M1: F23D M2: 041F
VSHIELD 5.58V113       (VSHIELD.EXE)  S:52,749  D:03-17-94 M1: 89D7 M2: 1479

Regards,

Aryeh Goretsky
Technical Support

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, Suite 200 | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | America Online: McAfee

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 21]
*****************************************
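
An added example, not part of the digest and not any poster's code, illustrating the trade-off described in Fridrik Skulason's "Re: Intelligent detection" reply: a generic search string, a variant-specific one, and the false-positive check against clean files. All byte strings are constructed ASCII stand-ins for program code, and the function names and the 12-byte string length are assumptions of this example.

```python
"""Search-string selection: generic vs. specific, with a false-positive check.

All byte strings are constructed ASCII stand-ins for program code; none are
real virus bytes. Names and the 12-byte length are choices of this example.
"""

# Constructed building blocks.
LIB = b"LIBC-RUNTIME-INIT"       # common idiom, also found in clean programs
CORE = b"CORE-ROUTINE-XYZ-0001"  # code that stays constant across variants

VARIANT_A = b"ALPHA-DECRYPTOR:" + LIB + CORE
VARIANT_B = b"BRAVO-UNPACKER;;" + CORE + LIB       # same parts, reordered
VARIANT_C = b"CHARLIE-LOADER##" + CORE + b"-TAIL"  # unseen at extraction time

# Constructed known-clean corpus used for the false-positive check.
CLEAN = [
    b"MZ" + b"APP-STARTUP-" + LIB + b"-MAIN-LOOP",
    b"README: nothing executable here",
]


def windows(data, n):
    """Yield (offset, window) for every n-byte window in data."""
    for off in range(len(data) - n + 1):
        yield off, data[off:off + n]


def hits(sig, files):
    """Number of files that contain sig."""
    return sum(sig in f for f in files)


def pick(target, others, clean, n=12, generic=True, check_clean=True):
    """Return (offset, string) for the first n-byte window of target that
    fits the requested policy, or None if no window does.

    generic=True  -> string must occur in every other known variant
    generic=False -> string must occur in no other known variant
    check_clean   -> string must not occur in any known-clean file
    """
    want = len(others) if generic else 0
    for off, win in windows(target, n):
        if hits(win, others) != want:
            continue
        if check_clean and hits(win, clean):
            continue  # would raise a false alarm on a clean file
        return off, win
    return None


def report(sig):
    """(variants detected out of A, B, C; clean files falsely flagged)."""
    return hits(sig, [VARIANT_A, VARIANT_B, VARIANT_C]), hits(sig, CLEAN)


if __name__ == "__main__":
    cases = {
        "naive generic (no clean check)":
            pick(VARIANT_A, [VARIANT_B], CLEAN, check_clean=False),
        "generic": pick(VARIANT_A, [VARIANT_B], CLEAN),
        "specific": pick(VARIANT_A, [VARIANT_B], CLEAN, generic=False),
    }
    for name, (off, sig) in cases.items():
        detected, false_alarms = report(sig)
        print(f"{name:32} offset={off:2} {sig!r} "
              f"variants={detected}/3 false_alarms={false_alarms}")
```

The clean-file check is only as good as the corpus it is run against, so a string that passes here can still false-alarm on a file the corpus lacks.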