VIRUS-L Digest   Monday, 27 Jun 1994    Volume 7 : Issue 45

Today's Topics:

Re: Stealth and Self-encryption
Re: Nomenclature
Virus in GIF
Re: Good viruses/Bad viruses
Re: ARJ-, ZIP-viruses ?
Re: Bad and good viruses...
Re: The truth about good viruses
Re: The truth about good viruses
Good Virus?, here's a potential ironic example.
Re: The truth about good viruses
Re: Disabled viruses?
Re: Good virus ?
Re: Stop the madness! :-)
Killed the Monkey Virus (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Scan V115 (PC)
Re: MtE Virus info wanted (PC)
Re: FLIP and CANSU (V-SIGN) viruses (PC)
Re: dir/reg (PC)
Re: HELP: How add code into .EXE ? (PC)
Junkie virus (PC)
HELP!!!!! (PC)
New AV software (PC)
Little Fishies? (pc)
Re. Swiss virus (PC)
Re: Server-Downing Viri (PC)
Re: VIRSTOP 2.12 Freezes PC (PC)
Re: FYI: New PC Virus alert (PC)
Telecom Virus (PC)
Safe ANSI driver - where ? (PC)
Re: Jack The Ripper (PC)
Re: Server-Downing Viri (PC)
Monkey Virus Attack (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 23 Jun 94 10:14:06 -0400
From: robertk@stack.urc.tue.nl (Robert Klep)
Subject: Re: Stealth and Self-encryption

Chris Sexton (itxcs@upsyc.psychology.nottingham.ac.uk) wrote:
: Hi,
: This may be an ignorant question, but can anyone please explain
: the difference between stealth techniques and self-encryption?
: Is either one something to do with making a DIR command (for
: example) not include the extra size due to the virus?

Yeah....that's stealth........it means that the virus will do its best not to be detected. There are several techniques that are used for this: not showing extra size, circumventing AV-software with on-the-fly disinfection, and much more.........

: What does either method involve?

Self-encryption is a method to hide the actual virus-code in an infected file. When it's used with a variable encryption-key, (almost) every copy of the virus will be different....this is done to prevent AV-software to 'lock on to' scanstrings, which can be used to identify a virus.

: Thanks in advance,
: Chris

robertk

: ==========================.===========================================.
: | Chris Sexton | * * * * |
: | ICL Institute of I.T. | * ^___^ |
: | Nottingham University |_______________mm_(_o o_)_mm_______________|
: | University Park |___l___l___l___l___l___l___l___l___l___l___|
: | Nottingham, NG7 2RG. |_l___l___l___l___l___l___l___l___l___l___l_|
: - --------------------------.-------------------------------------------.
: | csx@cs.nott.ac.uk | "I'd rather have a full bottle in front |
: | itxcs@psyc.nott.ac.uk | of me than a full frontal labotomy." |
: ==========================.===========================================.

------------------------------

Date: Thu, 23 Jun 94 10:14:58 -0400
From: dwd@umr.edu (Dan DeNise)
Subject: Re: Nomenclature

Fredrick B.
Cohen (fc@Jupiter.SAIC.Com) wrote:
> How about this for a way to differentiate different types of viruses:
>
> Benign viruses
> Malignant viruses

How about Wild vs. Domesticated? Captures the sense that wild viruses are found 'in the wild' while domestic ones stay where you corral them and, under normal circumstances, don't gore their owners.

- --
Daniel DeNise dwd@umr.edu 1.314.341.4841
Computer Center
University of Missouri-Rolla
Missouri's Technological University

------------------------------

Date: Thu, 23 Jun 94 10:15:12 -0400
From: an24237k@aol.com (AN24237K)
Subject: Virus in GIF

This is probably a simple question, but is it possible to embed a virus into a GIF file?

------------------------------

Date: Thu, 23 Jun 94 10:06:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good viruses/Bad viruses

Adam Jenkins (Adam.Jenkins@dbce.csiro.au) writes:

> >Agreed. What I (and several others; the original term has been
> >proposed by Dr. Alan Solomon) call "real viruses" is not an
> >exact definition, it is not a scientific term at all, and can't
> >be found in any serious scientific paper about computer viruses.
> >In short, it's useless from the scientific point of view.

> Who cares what you call "real viruses"?

Well, both me and Dr. Solomon are considered authorities in the computer virus field, so I guess some people do care how we are calling those things. Whether *you* care about it, or whether you recognize our authority in this field is a completely different subject, which, I am afraid is rather irrelevant. Of course, you are entitled to your opinions - ain't freedom of speech wonderful?

> Since when were you an
> authority on the English language?

First, the term was initially coined by Dr. Alan Solomon from the UK, who happens to speak British English.
Second, I've heard that the American and the Australian dialects sometimes differ so much from it, that the respective people sometimes do not understand each other - maybe this is your case. Third, my English is certainly better than your Bulgarian. Fourth, I was speaking as an authority on computer viruses and not as an authority on the English language. Enough?

> A real virus as defined by a
> dictionary is an organism that is able to reproduce.

OK, let's make it "real computer virus" then.

> >Fact is that for most people the term "computer viruses" means
> >those nasty little programs that invade their computers without
> >authorisation, that often destroy data, and that always waste a
> >lot of time and efforts.

> Hmmmm these views aren't necessarily an accident, it is in both
> the media and the anti-virus industry's interests to promote
> these views.

Those views certainly aren't an accident - they reflect the real losses of time, efforts and money that the real people have suffered from real viruses. The claim that such a view is in the interests of the anti-virus industry is certainly interesting - maybe you can supply some evidence to back it up? Why exactly is it in the interests of the anti-virus industry to consider computer viruses as the kind of programs described above? Methinks, the interests of the anti-virus industry is to sell anti-virus products and services. For this purposes, it is sufficient that the potential customers (a) know that there are computer viruses, (b) know that they are widespread, (c) know that some of them cause damage, and (d) want to get rid of them. How does the claim that *all* viruses are bad help the anti-virus industry? Will the benefits diminish if it is admitted that beneficial viruses are possible? Why? Just asking...

> And viruses like KOH do not waste time or effort;

This is the third time I read about the dreaded KOH virus in this issue and I am getting really bored by it. No, KOH is NOT a beneficial virus.
Yes, KOH can (and does) cause damage.

> >You can't hope to change those people's view, so let's try to at

> Why not?

Because it's hopeless. :-) Most people who have tried have witnessed it.

> It's a misconception, let's correct it, it is unethical
> to let anti virus vendors sell millions of copies of their
> software on the basis of people's ill founded fears.

Oh! Is it? "Ill founded fears"? Do you know how often I am getting calls to help about a virus-related problem? About 2-3 times per day. And I am even not working on a virus help line. All this is without counting the countless times I have answered virus-related questions here and have helped people to recover from a virus attack. I guess, all those are "ill founded fears"... I wish that there were a way to gather all the loudmouths like you and to force them to do our job - maybe then you will finally learn how "profitable" our profession is, and how "ill founded" those fears are... Wishful thinking... Loudmouths never do real work, by definition.

> >New York Times article entitled "Bank Loses $10 Million Due to
> >Computer Viruses. Are We All Doomed?". :-)

> Perhaps it should read "Bank Loses $10 Million Due to Negligence
> in their Computer Security".

Except that it doesn't sell that well.

> >fact that the media has twisted the noble word "hacker" to mean
> >"a twit with no life who enjoys breaking into other people's
> >computers".

> Hmmm I've seen this argument before. The way I see it, the
> confusion arises because in the early days of computing, hacking
> meant using things that weren't known, and this often meant
> breaking into systems etc. In those days it seems people had
> better perspective, and realised that hacking to get more
> computer time or for the challenge was more a misdemeanour than a
> federal offence.
Too bad, it seems that some people have lost this perspective now and are doing it "for fun", "to be cool", and so on, often without even bothering to understand *what* they are doing and *why* the list of system bugs they have snatched from a fellow cracker works, let alone how to fix them. Lots of loss of perspective, as it seems...

> I still don't understand why a 14 year old
> breaking into a bulletin board system is investigated by the same
> law enforcement agencies that investigate drug cartels and
> matters of national security. The blame should be as much on the
> administrators not the hackers.

That's certainly an interesting point of view. I suggest that the next time somebody breaks into your house, you tell the police to arrest you, because it's your fault that you have not put a better lock on the door.

> >Well, maybe that the ticket! Since the term "computer virus" is
> >already loaded with negative sense in the view of the public opinion,
> >maybe you should use a different term when you are talking about
> >"useful replicating programs".

> You keep saying this.

Because (a) it is true, (b) it works, and (c) several companies are already doing this.

> But to do this would continue the deceit
> and why should the general public be kept in the dark just
> because they are already in the dark?

You think it would be much better to confuse them by telling them that computer viruses can be beneficial, without explaining them that you mean something completely different under the term "virus"?

> >You will discover that most of them understand a computer virus
> >as "something that came when I didn't want it".

> Or "something that came when I was leeching several megs of
> software that I didn't pay for". There seems a much higher
> incidence of viruses transmitted in pirated software than in
> original copies, who are we protecting here?

Is there? Evidence, please.
My own statistics show that the most widespread viruses have been distributed in some perfectly legal way. The preferred ones are: a boot sector virus on pre-formatted diskettes; a virus on the cover diskette of a computer magazine; a virus in a popular commercial package; (and only from time to time) in a shareware package. The claim that viruses are spread mostly by pirated programs is a completely unfounded myth.

There is something else which is true however. In countries where the software piracy is widely practiced, the esteem for intellectual property is very low, the programmers are less motivated to create useful code, and more people write viruses. Bulgaria and Russia are two excellent examples. (The widespread virus writing in the USA is caused by different factors.)

> >Dr. Cohen, I am sorry to disappoint you, but relatively very few
> >people have read the paper you are talking about. It's too
> >technical for most. Most people prefer their morning newspaper
> >as a source of information.

> He mentioned it as a reference; and I would think it a much more
> valid reference than a morning newspaper.

It's certainly a better scientific reference. And just as certainly most people will prefer to read the morning newspaper instead.

> I shudder to think at
> what people would think if they believed everything that was
> found in the newspapers.

But people do believe all the nonsense that is in the newspapers - at least most of them do so. Welcome to the real world.

[CARO]

> Perhaps not money, but it is in the groups common interest that
> all viruses be regarded as dangerous and unwanted.

Is it? Why? I can't follow you here. Please, elaborate.

> I think this
> is why people like yourself keep sniping at the virus researchers
> that are looking at things with a more realistic perspective and
> are not as closely affiliated with groups that profit from public
> fear.

So, what is exactly my interest in this?
Perhaps you think that I am a masochist (sp?), enjoying working 14 hours per day on a half-time job, ruining my health, and replying to stupid questions?

Oh, yes, the "virus researchers". Who are they? I don't know any self-respecting scientific researcher, besides Dr. Cohen, who claims that computer viruses can be beneficial. And my only gripe with Dr. Cohen is that he should take more care to explain (with simple words) that what he is talking about is something completely different from what most people understand under the term "computer virus". I'm not even arguing whose understanding is more correct and am ready to admit that he is right and everybody else is wrong. I only want him to emphasize that he is talking about something *different* - in order not to give an excuse to the crowd of malicious "real" virus writers to condone their acts.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 23 Jun 94 10:16:55 -0400
From: pike@UTKVX.UTCC.UTK.EDU (HANK PIKE)
Subject: Re: ARJ-, ZIP-viruses ?

Kazatski Oleg Nikolaevitch writes...
>
> Are there scanner which scan viruses in incompressed,
>self-extracting programs and .ARJ (.ZIP) files ? What is his name ?
>Are there viruses which really infect .ARJ and .ZIP files ?

Norton Antivirus 3.0 (NAV) has an option to scan within compressed files. F-prot can scan all files so I assume it scans in compressed files too. Anyone know for sure? Frisk?

------------------------------

Date: Thu, 23 Jun 94 10:17:59 -0400
From: bradleym@netcom.com (Bradley)
Subject: Re: Bad and good viruses...

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) wrote:
> 12 May bradleym@netcom.com (Bradley) wrote:
> > How about KOH?
> > Also the Potassium Hydroxide virus. It will encrypt your
> > HD for you using the IDEA algorithm.

> Tell me please about Potassium Hydroxide virus.

It's a virus that does what I said. It includes an uninstall option for the hard drive. If you want to know more, I have the full KOH document in my little personal FTP site:

ftp.netcom.com:/pub/bradleym

Just read the KOH.readme to find the KOH directory, and DON'T take the actual program out of the U.S. because it's export controlled.

Next time you quote, please be more careful. I didn't say the following things.

> > A virus by nature is what? Its intention is to produce copies
> > of itself and attach these copies to your programs (without you
> > knowing) and either display a message, play a tune, fill up your
> > disk, destroy data etc... How can this be good? NOT POSSIBLE!!!

> I am agree. There are not good and harmless viruses. Also boot
> viruses modify my boot sector without my wishes.

Prove it. I only have to name one Good Virus (tm) to prove you wrong, and I have. But I think many people would admit that it's preferable to not have the majority of the viruses on their computer.

> > Any program that functions to work without the owners approval is
> > harmful.

> YES, and once more YES !

But most programs DO. That's what programs are for. I can't think of a single install program that actually included a list of what it was going to do.

Bradley
- --
bradleym@netcom.com
finger for PGP public key
Hayward, CA

------------------------------

Date: Tue, 07 Jun 94 16:49:21 -0400
From: 39534@brahms.udel.edu (Scott Ste Beardsley)
Subject: Re: The truth about good viruses

UCC DASD Administration wrote:
>>Date: Wed, 11 May 94 01:06:17 -0400
>>From: pjc@as03.bull.oz.au (Paul Carapetis)
>>Subject: Re: The truth about good viruses
>>
>>I have yet to be convinced that _any_ virus can be _known_ to be
>>benevolent.
>>

I am yet to be convinced that any software can be known to be benevolent.
Anything you can do to ensure the validity of software can be used on virii. Crypto signatures, checksums, trusted suppliers etc...

>>No matter how talented a programmer wrote it, no matter how honourable its
>>design intentions, no matter how well it worked when it was first released,
>>how can the integrity of said virus be confirmed by the time it infects
>>your (or my) machine? Wouldn't a known "benevolent" virus be the perfect
>>target for one of the twisted minds that create the "malicious" variety? I
>>can just see it...

Gee don't they already do that to regular software? It's called Trojan Horses. What can be used to ensure that the shareware or software you have gotten is of the same integrity as it is advertised or as you perceive it to be?

>>
>>No thank you very much! I want full control over everything that is run on
>>my system, and a virus must already be running in order to ask permission
>>to infect, so how can I be sure it has not already taken any action?

Then I'm afraid you'll have to write all your own software and OS. OR you could run an OS that allows access to all sourcecode like Linux. Otherwise you really don't know what's going on now do ya? An installation program must already be running to ask if you wish to install that new graphics program you bought, how do you know it hasn't done something already?

>
>I think this illustrates quite nicely the whole problem with beneficial
>viruses. That being the lack of a trusted path. When I buy a software
>package, or down load a shareware program, or buy a Rolex watch from the
>trenchcoat of a gentlemen on the streets of Manhattan, I am depending on a
>certain avenue through which this product came. How reliable is that
>path? It's one thing to talk about self replicating code in the ivory
>confines of a researcher's tower. And I don't doubt the veracity of those
>claims. But once you pass those doors and come out into the gene pool,
>you lose that element of verifiability.
>An unknown program running on my
>computer is suspect, even if it says, Hi! I'm from the Government/Virus
>Research Department/Mensa club, and I'm here to help you..... As the
>saying goes, How do you know where it's been?

Once again the same can be said for any software which you don't compile yourself or have full access to the source code, and that you are skilled enough to understand. You CAN use crypto signatures, and other things to verify its integrity, but the same thing could be done to virii.

>
>I don't think the most important question is whether beneficial viruses
>exist. But how could you tell if you had the real thing?

The same way that you can tell if the OS you're running is beneficial, and if it's windows, then we know you've been had already 8)

------------------------------

Date: Tue, 07 Jun 94 18:53:57 -0400
From: hiscrp@leonis.nus.sg (C R Pennell)
Subject: Re: The truth about good viruses

At the risk of starting this all over again, would someone PLEASE tell me what are the supposed benefits of a "good" virus? What are they supposed to do? Why are they supposed to be better than allowing me to go out and buy/download something that I specifically asked for?

I've been looking for this info in the argument, but it's been a bit like coming in after the film has started. Only this one appears to have no plot at all.

Richard Pennell
History national Uni of Singapore
My opinions not NUS's

------------------------------

Date: Tue, 07 Jun 94 23:51:19 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Good Virus?, here's a potential ironic example.

I've seen a few messages about the potential good virus. Here's a potential example that I throw out for analysis/opinion. Ironically it's the VIR.DAT file of NetShield.

Background: NetShield is McAfee's anti-virus NLM for Novell servers. The encrypted database of viruses that the NetShield NLM uses when it scans for viruses is the VIR.DAT file.
When new virus strings are found, they are added and a new, updated VIR.DAT file is created and distributed. (The latest VIR.DAT file is zipped up in McAfee's filename: VIRDT115.ZIP.)

Scenario: In a multiple server environment with NetShield running on each server, NetShield can be configured with "Cross Server Updating Enabled". With cross server updating enabled, if the VIR.DAT file on the one server is updated (by copying a new VIR.DAT file over the older file), VIR.DAT will then proceed to copy itself to all the other servers and automatically update the virus database on each server.

One can certainly argue that VIR.DAT is a "good virus" because it reproduces itself across the network to other servers without intervention. It, of course, needs the environment of having cross server updating enabled plus NetShield on each server, etc. In actuality, it is the NetShield NLM that is facilitating the reproduction of VIR.DAT so perhaps this is an ironic variation and an arguable example of a good virus!

The argument seems to reduce to what degree can the environment itself contribute to the reproductive behavior. Each "virus" (good or bad) needs a certain environment to reproduce. VIR.DAT needs NETSHLD.NLM and cross server updating enabled. A "bad" virus might need command.com or the hidden files or ?

The next step in this direction would be the argument that programs that do "software distribution" across a network are in fact facilitators of good viruses.

The bottom line of my analysis of these examples is that it shows the ridiculousness of trying to talk about good viruses. IMHO, there is no good virus because for all practical purposes, a virus is a bad thing by definition. Using the definition that "something nice that replicates is a good 'virus'" is an oxymoron (sp?) as far as I'm concerned.
Best regards,
Norman Hirsch

------------------------------

Date: Wed, 08 Jun 94 03:33:53 -0400
From: computergy@aol.com (Computergy)
Subject: Re: The truth about good viruses

UCCDASD Administration writes:

I have concerns about a 'good' virus. As anyone who uses computer software on a regular basis even the best program can have errors and glitches. A 'good' virus no matter how well written is bound to have some conflict with other software or equipment that causes it to do a bad thing. Since there are millions of combinations of computers and software there is always going to be a chance that the virus will do something wrong.

Computergy @ Aol.com
All knowledge is power. --Emerson

------------------------------

Date: Wed, 08 Jun 94 04:17:31 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Disabled viruses?

dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes:

>res@bfs.uwm.edu (Ralph Stockhausen) writes:
>>I would like to check out the functioning of my anti-virus setup. Are there
>>any "disabled" viruses available that my program could detect, but would be
>>safe have on a test floppy?
>>Thanks,
>>Ralph

>Doren Rosenthal has one, but I forgot her full email address

Well, as I have said several times before...the programs created by the virus simulator are not viruses, so anti-virus programs should *not* detect them at all. Some scanners may or may not detect them, but detection (or failure to detect) says nothing about the ability of the scanner to detect the actual viruses.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Wed, 08 Jun 94 08:07:11 -0400
From: "The Radio Gnome"
Subject: Re: Good virus ?

Hi,

Another thought on the operation of a 'good' virus. Wouldn't such a program use the same sort of mechanisms to spread as bad viruses? If so, then all the existing anti-virus TSRs would stop it in its tracks.
If it found a way around F-PROT for example, then some cybervandal would inevitably reverse engineer it and attach a harmful payload, thus making the 'good' virus an unwitting 'partner' in creating the next generation of harmful virus technology. Short term benefits with long term negative complications. Starting to sound like nuclear power? :-)

Re: compression... not all EXEs (fewer and fewer with Windows and more advanced OSs) are compressible, even though they might 'look' so. Even PKlite stumbles on some. Take the following scenario:

"Hello, I am the Space Saver(c), should I compress your programs?
(125 programs to compress, 9.2Mb of disk would be saved) (y/n) Y
.compressing... DONE!
IPX
NETX
(oops! this program uses self modifying code or some other trick)
workstation hangs, NIC generates a packet storm, file server ABENDS running NCP...

Congratulations, the 'good' virus just kicked 100+ students off of the lab net, luckily the routers stopped the storm from spreading to the campus backbone.

The real issue here is control. When the user or administrator has control away from them, the problems start.

BTW, how is a program like WSUPDATE (Novell Netware) classified? I just posted a note on the Novell list about using it to control DOOM and other nuisance net games.

- --------------------------------------------------------------------------
Politics is not the art of persuasion, its the science of selfishness
Andy Wing - Temple University Computer Services

------------------------------

Date: Thu, 09 Jun 94 07:08:33 -0400
From: "Fredrick B. Cohen"
Subject: Re: Stop the madness! :-)

"Brian H. Seborg" writes:

> Yes it's time again to fire another salvo over the bow of the good
> ship Malarkey! I challenged Fred Cohen to provide us with
> documentation on "good viruses" and he referred us to his book (this
> from someone who had just maligned anti-virus software authors as
> stoking the flames of public fear just to make a buck!
> By the way,
> Fred has his own anti-virus package on the market, but I would never
> suggest that he was trying to get people to write "good" viruses so
> there would be a greater need for his package! :-)).

Several inaccuracies here.

1 - I do not have an antivirus package on the market - it was licensed long ago to a Danish firm - SR

2 - There is a big difference between making a buck by scaring people needlessly and paying for the costs of doing research by publishing results through a reputable publisher. You seem to have no objection to paying for many less reputable researchers via your tax dollars.

> As Ross
> Greenberg so aptly pointed out, I'm sure Fred could enlighten us in a
> paragraph so we wouldn't have to wait to buy his book for an answer!

As Vesselin Bontchev so aptly pointed out, it often takes more than a paragraph to understand the issues of how life works. You don't have to wait to buy my book, it has been out for some time. I will, however try to help enlighten you by responding to your questions in a form that will encourage you to take the time and effort to get the whole story by reading my books.

> Also, Fred seems to be making a claim that if a virus asks your
> permission to spread that it is okay! This is idiotic! First,
> consider this, for the virus to ask your permission to spread, it has
> to be running on your PC without your permission! Vesselin, I can't
> believe that you bought off on this lame distinction! :-)

I don't think I ever said that, and I do not think it is idiotic. Naturally, people who are context bound such as you seem to be may not see some of the other ways that permission can work. I hope you will decide to read my book to learn about different ways of thinking about the issue.

> Another point, Fred, have you ever heard of version control? How
> about change control? How would you affect these via a virus?

Yes indeed, I have.
In fact, if you would have read my books on the subject, you would probably find that I know quite a bit about these issues and have investigated them in some depth. Unfortunately, I cannot detail all of the issues of change control in such a small space, but if you read my books, you will hopefully come to understand just how these issues can be addressed and how most current change control systems miss the mark.

> Here's
> a scenario, I send out a "good" virus (Ha, ha, ha, sorry, I can't keep
> myself from laughing!) throughout my corporation.

It must be very enjoyable to laugh while slandering ideas you have not yet taken the time to investigate, but I think that you would make a much better case and sway more people to your point of view if you would think more and abuse less.

> This is the
> infamous compression virus (hee, hee, sorry!) that will compress any
> executable file it encounters. First, though, to be a "good" virus it
> asks permission to infect the system ("Hi, I am Fred Cohen's
> compression virus, I am very nice and will help you save disk space,
> is it okay for me to infect your computer?").

I did not write the infamous compression virus, I wrote some of the famous ones that preceded some of the commercial products that are widely used to reduce disk usage and increase performance. My viruses do not get their authorization to spread in such a way. If you would take the time to read my works, you would probably already know that, but people who laugh at new ideas without bothering to investigate them often encounter this problem.

> Of course unless every
> user in the corporation is computer literate they will probably reboot
> the computer at this point, but, humor me and I'll continue.

I don't understand why computer challenged people would reboot their computers if this message appeared or what that has to do with the issue of benevolent viruses.
> Assuming
> the user allows the virus to infect (will it ask this same question
> everytime it attempts to infect another file?

Perhaps I am giving you too much credit, but I bet that if you spend some time thinking before typing, you could come up with a better way.

> Man, would this be
> boring or what?) it will then ask, "Hey, this file is not compressed,
> would you like me to compress it?" (would it ask this every time it
> encountered a non-compressed executable, or would it be able to flip a
> bit to store the fact that the question had already been asked and
> answered in the negative? What if the next time I DID want it to
> compress the file? Would the virus just neglect to ask me so that I
> would not get any benefit from it?). Also, I can see the user saying,
> "Damn, how do I turn this stupid thing off!" after about the 10th time
> the virus asks permission to do something!

I have a similar problem with lots of poorly designed programs that ask stupid questions and don't adapt well to me, but that has nothing to do with being a virus, only with the limits of the program's ergonomics. Perhaps if you took some time to look into this subject, you could contribute to writing better programs.

>
> One more issue, how will you make sure the virus gets control in
> memory? Will it infect command.com or one of the system areas so that
> it makes sure to get control every-time? If this is the case, then
> how many different "good" viruses can use this same paradigm before
> you run out of space in command.com (I guess we could change it to
> command.exe and then load it up with different special purpose viruses
> and make it an even greater lumbering behemoth than it is now!)

Actually, you should read my books and find out about other ways viruses can work. There isn't enough room here to detail all of them.

>
> Now, let's say you want to upgrade this virus. How are going to
> enforce version control?
> In other words, you have a faster, better
> compression algorithm, and you update the virus and now you want to
> make sure it is in place throughout the corporation, how do you affect
> this change? How do you even know the first version even made it to
> all PCs? One more thing, not all PCs are network connected, how do
> you get the virus and the upgrades to the laptops (this is a tough
> enough issue for legitimate software)?

You know, you are starting to make me feel as if I am very smart because solving these problems wasn't that hard for me to do. But maybe it's you that are not thinking hard enough. Try this. For each question you have written, think until you find a good way to solve the problem. This will probably take a few years if you continue to ask questions. Then, write down all of the issues and the ways to resolve them, and publish them in a book. Then listen to people like you claim that you are an idiot. I will, of course, help defend you.

>
> Finally, how do you ensure that the virus does not leave your
> corporate environment for parts unknown? (other people's PCs?) Even
> if you had a method of doing this, how much would it cost and how big
> would the virus be at this point? What if it did get out? It would
> seem that you'd be legally liable for any damage it did, or trespass
> at the least. But, I digress... Suffice it to say that the concept
> of a "good" virus all sounds good theoretically, but when you give it
> a "reality-check" the notion of "good" viruses beyond the confines of
> a laboratory environment shows itself to be the ludicrous idea it is.
> Maybe I've been spending too much time in the real world! :-) I guess
> I'll just have to buy Fred's book! :-)

From your electronic mailing address, I had guessed you worked for the FDIC, an agency of the US government. Most people would not consider that the "real world".
But as a reality check, I have been working most of my time for a wide variety of corporations of all sizes, government agencies, and community organizations for most of the last ten years. There have been benevolent viruses operating in commercial applications since 1985, and none of them have ever caused any of the problems you claim to be unavoidable. I guess you will just have to buy a copy of my books!

>
> "..castles made of sand slip into the sea eventually..."
>
> -Jimi Hendrix

Here here!

UCC DASD Administration writes under an anonymous ID (no human name on this account)

> ...
> I think this illustrates quite nicely the whole problem with beneficial
> viruses. That being the lack of a trusted path. When I buy a software
> package, or down load a shareware program, or buy a Rolex watch from the
> trenchcoat of a gentleman on the streets of Manhattan, I am depending on a
> certain avenue through which this product came. How reliable is that
> path? It's one thing to talk about self replicating code in the ivory
> confines of a researcher's tower. And I don't doubt the veracity of those
> claims. But once you pass those doors and come out into the gene pool,
> you lose that element of verifiability. An unknown program running on my
> computer is suspect, even if it says, Hi! I'm from the Government/Virus
> Research Department/Mensa club, and I'm here to help you..... As the
> saying goes, How do you know where it's been?

A very interesting and valid point to be addressed. And it has been addressed in my books. But without even referring to them, I don't understand what the issue of a trusted path has to do with viruses and does not apply to any other program. Obviously, if you purchase a benevolent virus from a guy in a trench coat who is selling fake Rolex watches, or if you take a gift virus from the NSA, you are asking for trouble. But the same is true regardless of whether it is a virus or any other software.
>
> If some people came to your house and said, You just go away for a few days.
> We're going to clean your house for you, fix the roof and install a Jacuzzi
> in the master bedroom. Trust us. We're Nice People. Maybe they're telling
> the truth. But if they have no credentials, references or licenses, how
> would you know? Would you hand over the keys to your house?

But of course, in the computing environment, we do this far too much. We commonly allow programs to operate for millions of instructions without checking on them. This mail is being sent through hundreds of computers over which we have no control, and yet we choose to trust them. I agree strongly that we need better integrity controls for all information technology, but again, I don't understand what this has to do with viruses as opposed to all software.

>
> I don't think the most important question is whether beneficial viruses
> exist. But how could you tell if you had the real thing?
>

Here here! We need to only buy computer viruses from legitimate sources. I agree that the same standards should be applied to the purchase of benevolent viruses as any other program.

FC

------------------------------

Date: Thu, 23 Jun 94 10:12:35 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Killed the Monkey Virus (PC)

I would like to share an experience with the "Monkey" computer virus on June 3, 1994. A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him to recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my Anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission.
Of course, I said STOP.. The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks. When I attempted to boot his machine from a clean floppy, the hard disk drive was not visible or identifiable (Drive not found). After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes. I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week. All the customer machines had an anti-viral package from Central Point or other vendors but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections. The encrypted "Monkey" virus file stores itself in the boot sector only, therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT) which will delete the boot sector, find the original file and restore the machine. Also, the floppy disk boot sectors were rebuilt using NDD to prevent re-infection.
Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present. Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt. The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

--
TC Molloy
molloyt@iia.org

------------------------------

Date: Thu, 23 Jun 94 10:13:50 -0400
From: dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

frisk@complex.is (Fridrik Skulason) writes:

]heilfort@ap01.physik.uni-greifswald.de (Matthias Heilfort) writes:
]
]]I have uploaded to the SimTel Software Repository (available by anonymous
]]ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):
]
]]SimTel/msdos/virus/
]]vbait12.zip Simple virus bait, detects COM infecting virus
]
]"Detects COM infecting viruses"...hmm... Is it able to detect infection
]by stealth viruses ? If not, I would say a redesign was required.
]
]-frisk
]

Speak plainly (as I installed this virus bait). Is it
worthless? (i.e. just takes up disk space)
harmful? (i.e. gives a sense of False security)
helpful? (i.e. works as advertised)
?-)
rmd@med.pitt.edu
--
:-) rmd@med.pitt.edu

------------------------------

Date: Thu, 23 Jun 94 10:14:34 -0400
From: auyanged@jhunix.hcf.jhu.edu (Edward D. Auyang)
Subject: Scan V115 (PC)

I have McAfee's Scan v115...upon entering the command, the hard drive is accessed for a second or so before the memory check...anyone know what it's doing? Also, has anyone had VShield successfully intercept a virus? Please mail me rather than post.

TIA
Ed

------------------------------

Date: Thu, 23 Jun 94 10:17:09 -0400
From: pike@UTKVX.UTCC.UTK.EDU (HANK PIKE)
Subject: Re: MtE Virus info wanted (PC)

"Jeff E. Lewis" writes...
>I would appreciate information on "MtE" which I "found" on my
>machine with Norton Antivirus 2.1. This was NOT indicated by
>
>cpav (1991?)
>microsoft anti-virus (1993)
>mcafee scan 106
>mcafee scan 108
>
>but there was no doubt that something was present since scandisk
>recovered 90 mb of hard disk space 11 days after I started using
>the indicated infected program.
>Thanks,
>Jeff E. Lewis
>

Jeff,

If you want a great antivirus program, try F-prot, it is available free to private users and it is by far the best AV program I have found. Stay away from McAfee, it is no good from what I have seen. It could not clean up the MONKEY virus and F-prot got it right away.

hp

------------------------------

Date: Thu, 23 Jun 94 10:17:25 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: FLIP and CANSU (V-SIGN) viruses (PC)

itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton) writes:

>From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
>Subject: FLIP and CANSU (V-SIGN) viruses (PC)
>Date: Tue, 21 Jun 1994 10:23:12 EDT
>Hi All,
>After having a recent _nightmare_ with my PC (work deadlines
>and a virus attack) I found *TWO* of the critters on my machine.
>These were the FLIP virus and CANSU (or V-SIGN).
>When one of them acted, it savaged my partition table and FAT,
>meaning I couldn't access any files. If it wasn't for Norton
>Utilities and Mcafee I'd be up the Khybosh without a paddle.
>NU completely rebuilt my FATs and Partition table, and saved
>the day. I thought it was a general hardware failure of the
>hard drive, not a virus.
>My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't
>work out which of these viruses actually did the damage. I've
>got a feeling it was FLIP, as CANSU seems a pretty harmless
>beast (wiping system files is harmless compared to major
>h/d failure ;-) ).
>Anyway, I'd appreciate any suggestions as to which one caused
>me so much hassle, and also any other stories of run-ins with
>either of these babies.
It is hard to say exactly what has happened without seeing the disk but I think what has happened:

1. Virus caused damage to your partition sector.
2. Norton finished the work :-(

Now you need an expert who could have a look at your hard disk. But because of 2. it might be gone.

Kari Laine

------------------------------

Date: Thu, 23 Jun 94 10:18:09 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: dir/reg (PC)

>We received a demo diskette from Network Computing Inc. for a program called
>LAN Page. It was version 1.0.5. When it arrived, it was taken out of the
>package, write protected, and inserted in a workstation protected by VIRSTOP
>2.12. The intercept immediately reported a FORM infection in the boot sector.
>F-Prot 2.12 was able to remove the virus and everything seems to be fine.
>We called the company's tech support line and reported it. They said that it
>isn't the current shipping version, but they will check out the duplicator
>stations to be safe.

Hi Diane,

could you confirm that was there really a Form on the diskettes sent out by this company? Have they confirmed or who else did?

Regards
Kari Laine

------------------------------

Date: Thu, 23 Jun 94 10:19:10 -0400
From: simoaro@freenet.hut.fi (Simo Aro)
Subject: Re: HELP: How add code into .EXE ? (PC)

In the previous article, cogni@actcom.co.il (Michael Cale') says:

>May be someone can help me - send any working code or write what are ALL
>needed procedures to add code into .EXE correctly.
>P.S. DON'T WORRY - I DON'T TRY WRITE VIRUS.

Even if You are NOT coding a virus, have a look at some EXE-infecting virus source. And try to find 40HEX-virus magazines, there was a good article about EXE-infectors (in issue #8 or #9).. When You know a lot about EXE-infectors, it should be a lot easier to write such a program You were about to do.

------------------------------

Date: Thu, 23 Jun 94 10:19:24 -0400
From: rbhessing@amoco.com (Bart Hessing)
Subject: Junkie virus (PC)

I recently read something about a new, advanced virus called "Junkie", but don't have any details about it. Can anyone enlighten? Thanks.

------------------------------

Date: Tue, 07 Jun 94 19:49:52 -0400
From: c007@Lehigh.EDU (ERIC A. MEEKER)
Subject: HELP!!!!! (PC)

I'm pretty sure I have a virus on my computer but I have no idea what it is or how to get rid of it. I've been trying a few virus scanners, etc. and have no luck. The only thing I noticed is that the virus is adding (usually) 959 bytes to most executable files. I have a program called vsafe that tells me what is being changed, but it does nothing to remove it. If ANYONE can help me, please write to the Internet address below. Thanx in advance!!!

Eric Meeker
Internet address: c007@ns1.cc.lehigh.edu

------------------------------

Date: Wed, 08 Jun 94 02:36:25 -0400
From: tluten@delphi.com
Subject: New AV software (PC)

Greetings, wizards!

I'm new to the net, and came because I thought I'd find a collection of virus experts here. I think I have. My purpose is to seek advice. I may have an opportunity to do some work with a start-up that proposes to market a new AV product. My problem is that I have a sense the AV market is pretty well served already. Three years ago, it seems that I was reading about computer viruses every other day. I know that when Michelangelo was about to go off, we bought Norton AV, Flushot, got a copy of SCAN, and worried a lot. Not so much now. I read that Windows files are basically uninfectable. Does the rise of Windows spell the end of virus concerns? Do concerns over viruses spell the end of DOS? So, if we posit a new AV product with essentially a 100% hit rate, very fast integrity checker, heuristics, etc., etc., in short a betterfasternotcheapersmarter product, does anyone care? Does the world want/need a new AV product?
And by the way, what does it take in an AV company to be a top three player? All responses welcome! And thanks for your time.

Tom Luten

------------------------------

Date: Wed, 08 Jun 94 03:39:46 -0400
From: computergy@aol.com (Computergy)
Subject: Little Fishies? (pc)

About a year ago I had to do a search and destroy mission on a client's machine. I knew there was a virus lurking but only one program out of four I used would detect and clean it. I believe it infected the partition table on the hard drive. It would replicate onto every floppy disk placed in a drive. (took hours to track down all floppies that had been in the machine.) When active it would slow the machine to a crawl, then lock it up, and display the words 'Save the Little Fishies'. I have never read anything about a virus of this sort. For personal interest, does anyone have an idea?

Thanks
Computergy@aol.com
All knowledge is power.--Emerson

------------------------------

Date: Wed, 08 Jun 94 03:47:18 -0400
From: riordan@tmxmelb.mhs.oz.au (Jakub Kaminski)
Subject: Re. Swiss virus (PC)

Gerard Ineichen writes:

>A student has found a "swiss virus" that infects the boot record. It seems
>to be a new variant of the virus. Mac Afee scan 114 lists it but i haven't
>found more info.
>
>Be careful : it isn't the swiss phoenix nor the Swiss 143.

Gerard,

Probably you've found the Swiss Boot virus (Swiss Army or Armee). It is DOS Boot Sector virus. It infects floppies (as far as I know it doesn't affect 1.44M diskettes) and Dos Boot Sector of the active partition on a hard disk. It is 3 sectors long. When it infects a hard disk it hides the original DBS and its two sectors inside last three sectors of drive C:. When it infects a floppy it hides the original DBS and rest of itself in two first unused clusters and marks those clusters in the File Allocation Table as: "". When you boot off the infected floppy virus infects the hard disk.
After booting from infected hard disk it gets memory resident (catches int13). It infects diskette if detects int13, ah=2, ch=0 (read cylinder 0). It's not a stealth virus so you can clean infected hard disk even if Swiss Boot is active in memory but of course it's always safe to boot off the system disk first. On the 7th of February it displays the message and overwrites all sectors!!! The message is encrypted in the last sector: "Schaft die Schweizer Armee ab !". I think there is a variant that triggers on the 2nd of February but it's so easy to produce plenty of them :-/

Regards,
Jakub Kaminski

riordan.cybec@tmxmelb.mhs.oz.au (Jakub Kaminski)
CYBEC Pty Ltd.                            Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA    Fax: +613 521 0727

------------------------------

Date: Wed, 08 Jun 94 04:31:52 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Server-Downing Viri (PC)

U56513@uicvm.uic.edu (Christopher Aedo) writes:

>One of the books on NetWare listed a few viruses that were common
>threats to NetWare. These viruses are:

There is absolutely nothing netware-specific about the viruses...they are just fairly common file viruses....that's all.

>According to the publication, these viruses will move from an
>infected workstation, onto the server.

Most file viruses will do so (boot sector viruses will not). However, in many cases the viruses can be stopped easily by simply making shared directories read-only, and by making the shared programs "execute-only".

There are a few viruses that are Netware-specific, attempt to use loopholes in some particular versions of Netware, but they are not among those you listed.

-frisk

------------------------------

Date: Wed, 08 Jun 94 04:39:14 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: VIRSTOP 2.12 Freezes PC (PC)

gus@jomega.eglin.af.mil (Eric P. Augustus) writes:

>I don't recall the exact reasons why virstop hangs with 386max, but if
>you use the '/notrace' command line parameter it'll work okay.

right.
The exact reason....uh, well...Virstop uses some "dirty tricks", and 386max does too....and those tricks are mutually incompatible.

The /Notrace also fixes a few other incompatibility problems - it makes Virstop work on old Cyrix 486SLCs (which are not 100% Intel compatible), as well as on machines with old DR DOS 3.x

-frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: 08 Jun 94 09:41:17 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: FYI: New PC Virus alert (PC)

As far as I know (Chinon have yet to send me a sample) this is a Trojan, not a virus. The description seems to have varied somewhat from the original press release. I may be wrong.

Richard Ford
Editor, Virus Bulletin

------------------------------

Date: Wed, 08 Jun 94 05:10:50 -0400
From: watson (John Watson)
Subject: Telecom Virus (PC)

Can anyone e-mail me information about the Telecom virus.

Thanks
John

------------------------------

Date: Wed, 08 Jun 94 14:04:15 -0400
From: mramey@u.washington.edu (Mike Ramey)
Subject: Safe ANSI driver - where ? (PC)

Can anyone tell me where to get a shareware -safe- ANSI driver? Some of the programs used in our computer lab require ANSI.SYS. PKSFANSI is -not- included in the shareware version of PKZIP.

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Richard M Dasheiff M.d. (dasheiff+@pitt.edu) writes:
>> I just read an article by Brett Glass in the May 2, 1994 INFOWORLD about
>> ANSI bombs. It's a sequence of characters imbedded in a text file which can
>> be interpreted by ansi.sys to do something unexpected, like redefining
>> the keyboard to replace the enter key with deltree c:\*.* /y
>> He spoke of a defense against it with a program by PKware called PKSFANSI
>> Is that s/w, and if so, what ftp site?

>2) Run an ANSI driver that does not allow, or can be configured not to
>allow, keyboard reprogramming.
>NNANSI and ZANSI are two examples of such.

------------------------------

Date: Wed, 08 Jun 94 15:02:01 -0400
From: id@mist.demon.co.uk (Iolo Davidson)
Subject: Re: Jack The Ripper (PC)

ineichen@cui.unige.ch "INEICHEN Gerard(centre EAO" writes:

> We have found a "Jack The Ripper" virus in more than one school in Geneva.
> Does anybody have more information about this virus ?

Off the top of my head, it is a fairly new boot sector virus that has a disk wipe payload. If your anti-virus can recognise it, it should be able to get rid of it too.

--
Iolo Davidson - "My boss made me say it. He dares you to sue."

------------------------------

Date: Wed, 08 Jun 94 15:02:15 -0400
From: id@mist.demon.co.uk (Iolo Davidson)
Subject: Re: Server-Downing Viri (PC)

U56513@uicvm.uic.edu " Christopher Aedo" writes:

> One of the books on NetWare listed a few viruses that were common
> threats to NetWare. These viruses are:
> Cascade.1701
> Cascade.1704
> Frodo
> Green Caterpillar.1
> Jerusalem.Standard
> Yankee Doodle 2885
>
> According to the publication, these viruses will move from an
> infected workstation, onto the server.

Almost any file virus will infect dos programs stored on the file server.

> We are also trying to evaluate virus protection. We are
> running Norton AntiVirus on the server right now, so this would
> be a good test to see if it is able to detect and stop these
> viruses before anything major happens.
>
> The environment is secure and controlled, so we are going to
> try to infect the server with these viruses.
>
> What I would like is either the source code, or maybe an
> infected file UUencoded, or somewhere where I can get these
> viruses.

I do not believe that any reputable company will be willing to supply live viruses for such a purpose. They would make themselves liable to possible legal action and certain moral censure.

> Also, which anti virus package is the best one out there these
> days?

Dr. Solomon's Anti-Virus Toolkit for Netware is the best.
F-prot's netware product would be a contender if it was as good as the standalone F-Prot, but I have seen a review which says its detection abilities are inferior.

(disclaimer: I helped write Dr. Solomon's, but am no longer employed by this company.)

--
Iolo Davidson - "My boss made me say it. She dares you to sue."

------------------------------

Date: Wed, 08 Jun 94 16:03:50 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Monkey Virus Attack (PC)

I had a little excitement yesterday. An accounts customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his Compaq notebook. He wanted to know if I could help him to recover his critical data. I put the disk in my AST notebook and typed 'dir'. Immediately, the bells and whistles from my Anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP..... The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks. When I attempted to boot his machine from floppy, the hard drive was not visible or identifiable (drive not found). After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes.
I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week. All the customer machines had an anti-viral package from Central Point or other vendors but they were not up-to-date on the latest virus definitions. The encrypted "Monkey" virus file stores itself in the boot sector only, therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT) which will delete the boot sector, find the original boot sector file and restore the machine. Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present. Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt. The LAN administrator is in the process of updating or upgrading the anti-viral software.

--
TC Molloy
EDS
5400 Legacy Drive C4-1D-33
Plano, Texas 75024
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 45]
*****************************************
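The keyboard reprogramming discussed in the "Safe ANSI driver" message above relies on the ANSI.SYS sequence `ESC[code;string;...p`. The following Python scanner is an added example, not part of the digest or of any product named in it: it finds and strips such sequences from text before display while leaving colour and cursor sequences alone. All function names and the sample bytes are constructed for illustration, and accepting single quotes or a quoted key character is an assumption about driver behaviour.

```python
"""Scan a byte stream for ANSI.SYS key reassignments: ESC [ code ; string ; ... p"""
from dataclasses import dataclass


@dataclass
class Reassignment:
    offset: int         # offset of the ESC that starts the sequence
    end: int            # offset just past the final 'p'
    key: tuple          # (13,) is Enter; extended keys are (0, nn), e.g. (0, 59) for F1
    replacement: bytes  # what the key would type after the reassignment


def _parse_csi(data, start):
    """Parse the ESC[ sequence at `start`; return (params, final_byte, end) or None."""
    i, params = start + 2, []
    while i < len(data):
        c = data[i]
        if c in (0x22, 0x27):                 # quoted string; may contain ';' or 'p'
            close = data.find(bytes([c]), i + 1)
            if close == -1:
                return None                   # unterminated string: not a sequence
            params.append(data[i + 1:close])
            i = close + 1
        elif 0x30 <= c <= 0x39:               # decimal parameter
            j = i
            while j < len(data) and 0x30 <= data[j] <= 0x39:
                j += 1
            params.append(int(data[i:j]))
            i = j
        elif c in b";=?":                     # separator or private-mode marker
            i += 1
        elif 0x40 <= c <= 0x7E:               # final byte selects the command
            return params, c, i + 1
        else:
            return None
    return None


def find_reassignments(data):
    """Return every key reassignment in `data`; colour and cursor sequences are ignored."""
    found, i = [], 0
    while (i := data.find(b"\x1b[", i)) != -1:
        parsed = _parse_csi(data, i)
        if parsed is None:
            i += 2
            continue
        params, final, end = parsed
        if final == ord("p") and len(params) >= 2 and params[0] != b"":
            first = params[0]
            if isinstance(first, bytes):      # key given as a quoted character (assumed form)
                key, rest = (first[0],), [first[1:]] + params[1:]
            elif first == 0 and len(params) >= 3 and isinstance(params[1], int):
                key, rest = (0, params[1]), params[2:]
            else:
                key, rest = (first,), params[1:]
            repl = b"".join(p if isinstance(p, bytes) else bytes([p & 0xFF]) for p in rest)
            found.append(Reassignment(i, end, key, repl))
        i = end
    return found


def strip_reassignments(data):
    """Remove only the key-reassignment sequences, as a display filter would."""
    out, pos = [], 0
    for r in find_reassignments(data):
        out.append(data[pos:r.offset])
        pos = r.end
    out.append(data[pos:])
    return b"".join(out)


# Constructed sample: a coloured banner, two key reassignments with a harmless
# replacement string, then a clear-screen sequence and ordinary text.
SAMPLE = (
    b"\x1b[1;33mWelcome to the BBS file list\x1b[0m\r\n"
    b'\x1b[13;"echo key was remapped";13p'
    b'\x1b[0;59;"dir";13p'
    b"\x1b[2J plain text with a p in it\r\n"
)

if __name__ == "__main__":
    for hit in find_reassignments(SAMPLE):
        print(f"offset {hit.offset}: key {hit.key} -> {hit.replacement!r}")
```

The parser walks quoted strings explicitly because the replacement text can itself contain `p` or `;`, which a simple pattern ending at the first `p` would cut short.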