VIRUS-L Digest   Friday, 1 Jul 1994    Volume 7 : Issue 47

Today's Topics:

Searching for Documents on Virus Ethical Issues
Types of viruses???
Re: danger from used disks?
Re: danger from used disks?
Re: danger from used disks?
Re: Good viruses/Bad viruses
380A: U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)
Re: Dr Solomon's on the move! (PC)
Boot sector virus ? (PC)
Virus found, Please help! (PC)
Cansu virus...Please Help/RISC-Aix virus Scan (PC)
Matura (PC)
SMEG Junkie (PC)
Budo Virus (PC)
Help! (PC)
Testing Anti-Virus TSRs (PC)
unknown virus (PC)
STACK virus (PC)
Chill Touch and Junkie Viruses (PC)
New virus was found. (PC)
NATAS Virus? (PC)
Stoned.Manitoba (PC)
Re: info on 2 viruses (PC)
Re: "New" Virus found? (PC)
Cure for SVC.2936 & Three_Tunes viruses (PC)
Need help on "stoned" virus (PC)
Re: Joshi virus - False alarm? (PC)
Re: Virus in Norton Commander 4.0! (PC)
The AntiCMOS virus (PC)
Junkie virus (PC)
McAfee VirusScan V2.0.2 uploaded to SimTel (PC)
F-PROT 2.12C released (PC)
fp-212c.zip - Version 2.12c of the F-PROT anti-virus package
Updated VDS 3.0m on Oak (PC)
McAfee files available on risc.ua.edu (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 13 Jun 94 02:19:02 -0400
From: JUAN CARLOS PEREZ
Subject: Searching for Documents on Virus Ethical Issues

Hello all,

I have to do an oral presentation for a class about a computer related ethical issue and chose "Viruses" as my topic. Someone mentioned to me that there was an outstanding Bulgarian article posted a while back concerning Virus Ethics. I would appreciate a repost of this article (or where I can find it) and possibly any other articles relating to the ethical issues concerning viruses. The presentation is for June 28.

Thank you so much! :)

------------------------------

Date: Fri, 17 Jun 94 16:19:43 -0400
From: mlwinkelman@dow.com (Mike Winkelman)
Subject: Types of viruses???

Hello,

I was wondering if there is a FAQ for this group and where it might be? Also, could someone explain in short sentences and layman's dialog the major methodologies by which viruses infect computers? I'm particularly interested to find out if there are any viruses that infect things like word processing files or other nonexecutable files that get transported from work to home and vice versa. Just what are the problems with doing that?? I do not intend to floppy transport any executables. Any advice? Help?? Experiences??

Regards,
Mike Winkelman
mlwinkelman@dow.com

------------------------------

Date: Thu, 23 Jun 94 17:12:35 -0400
From: tracker@netcom.com (Craig)
Subject: Re: danger from used disks?

Nathan Schechtman (nschechtman@pppl.gov) wrote:
: I just bought several hundred used disks from someone on the internet.
: I'd like to guarantee that they're safe. Any suggestions out there?
: Will reformatting them remove all viruses?
: Thanks
: Nathan Schechtman                 email: nschechtman@pppl.gov
: Princeton Plasma Physics Lab      phone: 609-243-3465
: Princeton, NJ 08543
:

If you use Norton's Wipedisk that'll definitely remove anything on them.
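[Ed. note added to this page: the replies in this thread turn on which sectors a given clean-up step actually rewrites, which is the difference between a "wipe everything" tool, a format, and a rewrite of the master boot record. The following is an added example from the page editor, not code from any poster and not a model of any particular FORMAT or FDISK version. It builds a constructed disk image with marker bytes standing in for viral code in the master boot record and in the partition boot sector, then applies simplified versions of a "safe" format (FAT and root directory only), an unconditional format (every sector of the partition, including its boot sector), an FDISK /MBR-style rewrite of the 446 bytes of MBR boot code, and a full wipe. The partition-table layout (16-byte entries at offset 0x1BE, starting LBA at entry offset 8, 0x55AA signature) is the real MBR format; the sector counts, the marker strings and the placeholder boot code are made up for the example.]

```python
"""Model of a DOS-era disk image showing which clean-up reaches which sector.

Constructed example for this digest page, not code from any poster.
Layout (512-byte sectors, one primary partition, DOS-style geometry):
  LBA 0             master boot record: 446 bytes boot code,
                    64-byte partition table at 0x1BE, 0x55AA signature
  LBA PART_START    partition boot sector (what DOS calls "the boot sector")
  LBA PART_START+1  FAT
  LBA PART_START+2  root directory
  LBA PART_START+3  first data sector
"""
import struct

SECTOR = 512
PART_START = 63      # classic first-partition start; rest of track 0 is unused
PART_SECTORS = 8     # tiny partition, enough for the model
TOTAL_SECTORS = PART_START + PART_SECTORS

# Constructed markers standing in for viral code in the two system areas.
MBR_VIRUS = b"MODEL-MBR-VIRUS"
BOOT_VIRUS = b"MODEL-BOOT-VIRUS"


def write_sector(img: bytearray, lba: int, data: bytes) -> None:
    assert len(data) <= SECTOR
    img[lba * SECTOR:(lba + 1) * SECTOR] = data.ljust(SECTOR, b"\0")


def read_sector(img: bytearray, lba: int) -> bytes:
    return bytes(img[lba * SECTOR:(lba + 1) * SECTOR])


def make_mbr(boot_code: bytes) -> bytes:
    """Boot code + one partition-table entry (LBA start at entry offset 8) + signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\x01\x01\x00", PART_START, PART_SECTORS)
    return boot_code.ljust(446, b"\0") + entry + b"\0" * 48 + b"\x55\xAA"


def partition_start(img: bytearray) -> int:
    """Read the first partition's starting LBA from the MBR partition table."""
    mbr = read_sector(img, 0)
    assert mbr[510:512] == b"\x55\xAA", "no valid MBR"
    return struct.unpack_from("<I", mbr, 0x1BE + 8)[0]


def infected_disk() -> bytearray:
    """Disk carrying both an MBR infector and a partition boot-sector infector."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    write_sector(img, 0, make_mbr(MBR_VIRUS))
    start = partition_start(img)
    write_sector(img, start, BOOT_VIRUS.ljust(510, b"\0") + b"\x55\xAA")
    write_sector(img, start + 1, b"\xF8\xFF\xFF")   # FAT with media byte
    write_sector(img, start + 2, b"OLDFILE TXT")    # one root-directory entry
    write_sector(img, start + 3, b"user data")
    return img


def quick_format(img: bytearray) -> None:
    """'Safe' format: rewrite only FAT and root directory (boot sector kept)."""
    start = partition_start(img)
    write_sector(img, start + 1, b"\xF8\xFF\xFF")
    write_sector(img, start + 2, b"")


def unconditional_format(img: bytearray) -> None:
    """FORMAT /U style: fresh boot sector, every partition sector rewritten.
    The MBR lies outside the partition and is not touched."""
    start = partition_start(img)
    fresh_boot = b"\xEB\x3C\x90MSDOS5.0".ljust(510, b"\0") + b"\x55\xAA"
    write_sector(img, start, fresh_boot)
    for lba in range(start + 1, start + PART_SECTORS):
        write_sector(img, lba, b"")
    quick_format(img)


def fdisk_mbr(img: bytearray) -> None:
    """FDISK /MBR style: replace the 446 bytes of boot code, keep the table."""
    mbr = bytearray(read_sector(img, 0))
    mbr[0:446] = b"\xFA\x33\xC0".ljust(446, b"\0")   # placeholder clean boot code
    write_sector(img, 0, bytes(mbr))


def wipe(img: bytearray) -> None:
    """Overwrite every sector; the partition table goes too."""
    img[:] = bytes(len(img))


def infections(img: bytearray) -> set:
    """Which system areas still carry the marker bytes."""
    found = set()
    if MBR_VIRUS in read_sector(img, 0):
        found.add("mbr")
    try:
        start = partition_start(img)
    except AssertionError:
        return found
    if BOOT_VIRUS in read_sector(img, start):
        found.add("boot")
    return found


if __name__ == "__main__":
    disk = infected_disk()
    for step in (quick_format, unconditional_format, fdisk_mbr):
        step(disk)
        print(f"after {step.__name__:21s}: {sorted(infections(disk))}")
```

Run as a script it shows both markers surviving the safe format, the boot-sector marker gone but the MBR marker still present after the unconditional format, and only the /MBR step clearing the MBR. wipe() clears both, but it also destroys the partition table, which is why overwriting every sector is the right answer for a pile of second-hand floppies and the wrong one for a hard disk you still want to boot from.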
------------------------------

Date: Thu, 23 Jun 94 18:04:09 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: danger from used disks?

Nathan Schechtman (nschechtman@pppl.gov) writes:

> I just bought several hundred used disks from someone on the internet.
> I'd like to guarantee that they're safe. Any suggestions out there?
> Will reformatting them remove all viruses?

It depends on what kind of disks they are and what you understand by "formatting" them.

If they are floppy disks, then formatting them will almost certainly remove any viruses. Just beware of some "safe formatting" programs, that do not do a destructive format but only zero out a few important areas (like FAT, root directory, etc.). If you use one of them, it will be possible to "unformat" the floppy, thus recovering any previously present virus. The latest versions of DOS (5.0 and above) do "safe formatting" by default, unless you supply the /U switch to the FORMAT command.

If they are hard disks, things are getting trickier. The DOS command FORMAT will remove any boot sector virus, will remove (recoverably) any file virus, but will not touch any master boot sector virus. To remove the latter, you'll need to run the program FDISK from DOS 5.0 or above with the option /MBR.

Of course, I am assuming that you want the disks formatted for DOS. If this is not the case, the solution might be completely different.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Thu, 23 Jun 94 18:06:50 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: danger from used disks?

Nathan Schechtman wrote:
)I just bought several hundred used disks from someone on the internet.
)I'd like to guarantee that they're safe. Any suggestions out there?
)Will reformatting them remove all viruses?
)
)Thanks

Not if the machine you format them with has a virus on it. Wiping the floppies with a strong magnet (look at the refrigerator for a source) is guaranteed to remove all viruses. Formatting may install one, though.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 23 Jun 94 19:40:12 -0400
From: Dennis.Clouse@ucop.edu (Dennis Clouse)
Subject: Re: Good viruses/Bad viruses

Item from S.F. Chronicle 6/11/94:

>>Shooting Victim Pulled Fake Gun, Police Say<<
A man shot by an undercover officer during a Tenderloin narcotics investigation had pulled a realistic replica of a .45-caliber pistol on another officer, police said yesterday. (remainder deleted).

Note the response here was a) immediate, and b) absolute. Would anyone suggest that the correct response would be to wait until the trigger had been pulled a few times to establish whether or not *this* pistol has or has not caused harm (at least to date)? Would anyone suggest that the correct response would be to wait until the pistol could be disassembled and analysed to determine if it *could* cause harm?

I feel the appropriate response to any viral computer system intrusion should be a) immediate, and b) absolute. Security professionals are not in a position to wait and assess damage prior to response: they must respond to the *perceived threat*. Whether a viral threat turns out to be 'Real' during the post-mortem of the virus is immaterial ... the important thing is that the *perceived threat* to the system has been negated.

We consider mosquitoes a threat because they *may* carry diseases. We eradicate them, without considering the guilt or innocence of *individual* mosquitoes.
Frankly, were someone to suggest that they had bred a 'beneficial' mosquito, and we should amend our mosquito abatement methods to identify and allow for that single, exceptional, allegedly benign creature, I would question his/her motives (if not sanity). Ditto the alleged 'beneficial' or 'nondestructive' computer virus.

To paraphrase one of Rob Slade's .sig lines (Rob? Where are you?):

> _Kill them all and let the apologists sort them out_ <

(Works for me!)

Dennis

* Dennis.Clouse@UCOP.EDU   Office of the President, University of California *
  "my neighbor just gave me a GenB pistol ... is it dangerous?"

------------------------------

Date: Mon, 13 Jun 94 19:59:10 -0400
From: qna@cac.washington.edu ("David Wall c/o QnA")
Subject: 380A: U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)

On Mon Jun 13 16:53:05 PDT 1994, David Wall wrote:
> On Sat Jun 11 13:18:08 PDT 1994, Mike Ramey wrote:
> > CAC/HELP:
> > Do we have a local (uwash.) or regional (pnw.) newsgroup for virus info?
> > I suggest it may be worth creating one -- preferably 'pnw.' because if
> > there is a virus in Portland, it may be in Seattle next week. Also note
> > that VIRUS-L and comp.virus messages are posted only about once a week.
> > While we certainly don't want to disseminate false reports, we also need
> > to alert each other to real virus outbreaks. Your comments please.
>
> Mike,
>
> C&C maintains reasonably current PC and Mac virus utilities on the ftp.cac
> host. We also publish a very basic document about the virus problem. We
> recognize that this is an area of serious concern. At this time we do not
> have plans to take any additional action, but we wouldn't be opposed to
> people starting a new newsgroup. A local, UW, group would be easily set
> up. One with wider circulation would require the Usenet new group process.

- --
David Wall (QnA Router)
router@ren.cac.washington.edu

------------------------------

Date: Mon, 13 Jun 94 21:01:15 -0400
From: "R. Wallace Hale"
Subject: Re: Dr Solomon's on the move! (PC)

>S&S International, developers of Dr Solomon's Anti-Virus Toolkit,
>are moving to new, larger premises.

Used versions 4.xx, but missed the 5.xx series completely. Recently put 6.51 through the mill and was impressed. Installation is fast, simple, and flexible, and the optional Toolkit interface certainly makes usage easy, even for a tyro. Going head-to-head with F-PROT 2.12, it's nearly impossible for me to pick a winner. However, since I value both products primarily for their scanner functions, and strongly advocate the use of at least two quality scanners, that presents no problem. :)

Lest anyone get an incorrect impression, I am not attempting to present a critical review of Toolkit. I'm not in the business of formally testing AV products, nor am I on the payroll of any AV product vendor. I've regarded Toolkit as one of the best AV products available and wonder why there is so little mention of it here, other than in Vesselin's posts. Perhaps Toolkit users have no problems to discuss?

R. Wallace Hale          "You can observe a lot just by
halew@nbnet.nb.ca         watching."
BBS (506) 325-9002               - Lawrence Berra

------------------------------

Date: Tue, 14 Jun 94 03:35:57 -0400
From: berek@xmission.com (Berek Halfhand)
Subject: Boot sector virus ? (PC)

Does anyone know of a boot-sector virus called Leonart2 or Lennart2 or something like that? It's been going around the college recently and supposedly few virus checkers find the thing...

I would like to know the following, if possible:

1. Analysis
2. What detects it
3. What cures it
4. Where can I find the cure
5. Has anyone had problems with this particular virus before, and the previous version (I assume)

Any responses are welcome, as are e-mail replies...

berek@xmission.com

------------------------------

Date: Tue, 14 Jun 94 10:33:20 -0400
From: CL-28951@cphkvx.cphk.hk
Subject: Virus found, Please help! (PC)

My friend's company has a Novell network computer system.
He told me that when he DIRs the executable files (EXE files), the file size was increased. He used the McAfee SCN-201 to scan the hard disk, but it does not show a virus was detected.

Does anybody know what kind of virus it is? How can this virus be removed?

Please advise! Thanks

Philip Tong
My Email Address: cl-28951@cphkvx.cphk.hk

------------------------------

Date: Tue, 14 Jun 94 20:47:04 -0400
From: vmgerman@rodan.syr.edu (Victor M. Germani)
Subject: Cansu virus...Please Help/RISC-Aix virus Scan (PC)

I have recently been on-site installing software and I have found a disk infected with the CANSU (??) virus. What is this virus? What does it do? What kind of virus is this? I need as much info on this virus as I can get. There is a possibility that we have infected several sites. I also found that the MSAV and Norton cannot find this virus. The virus was found using a customer's virus program called Inoculan (I think). Are there any other programs that can detect this virus?

This virus was found on a DOS disk; however, the file came off of a RISC/AIX server. Can this affect the server/UNIX environment and also the network?

I need help! Any and all responses will be greatly appreciated. Please E-mail me directly at: vmgerman@rodan.syr.edu

Thanks in advance

------------------------------

Date: Wed, 15 Jun 94 16:00:21 -0400
From: moodley@beastie.cs.und.ac.za (Sugan Moodley)
Subject: Matura (PC)

Help! I got the Matura92 virus.... Actually the entire Durban campus of Natal got it (South Africa). Is there a doctor in the house? What's the prognosis....?

Thanx in advance....

------------------------------

Date: Wed, 15 Jun 94 16:01:26 -0400
From: lev@slced1.Nswses.Navy.Mil (Lloyd E Vancil)
Subject: SMEG Junkie (PC)

A report in DoD news this AM, quoted below, speaks of Smeg and Junkie spreading. I cannot find reference to either in VSUM. Can someone out there enlighten me please. What are these? Is the report below accurate? What can I use to find and kill them?
McAfee?

Article follows

>From DOD news Paperboy@Tecnet1.jcte.jcs.mil june 15 94 :

``JUNKIE'' COMPUTER VIRUS SPREADING

ANN ARBOR, Mich., June 14 -- A new breed of computer virus that outsmarts anti-virus software has cropped up nationwide and as far away as London's financial district since its discovery in Ann Arbor, experts said Tuesday.

The virus known as "Junkie" and its relative "Smeg" are part of a technological breakthrough by the underground hackers who create viruses for the thrill of infecting computers and destroying data.

Junkie was discovered last month after an Ann Arbor man bought a new computer for his son. The virus shut down the computer and went undetected until local computer consultant Jim Shaeffer found it using a special program.

Shaeffer reported the virus to Frank Horowitz, a specialist in anti-virus software in Brier, Wash.

"This is the first time we've seen this," Horowitz told United Press International. "And there're going to be many others like this."

After computer users were electronically told about the discovery, Horowitz said, the Smeg virus was found in computers used by London financial services firms.

It's unclear how many computers have been infected by the new viruses, which Horowitz said are far more dangerous than the well-publicized "Michelangelo" virus, which was designed to shut down computers on Michelangelo's birthday several years ago.

Horowitz said he's received reports from across the country about the new virus. But he said it's impossible to tell how far it's spread.

By breaking Junkie's code, Horowitz said, he could tell the virus was created in 1994. The code also contained the virus name, a standard procedure for hackers who want to know when their creation gets publicity.

Junkie is unique because, unlike other viruses, it can attack a floppy disk, a computer's boot sector, or its executable files. Other viruses only attack one of those three crucial areas of a computer.
It's also dangerous because Horowitz said standard, scanner-type anti-virus software can't find Junkie. The virus is "polymorphic," meaning its characteristics are always changing to avoid detection.

Horowitz compared the relationship between the new virus and anti-virus software to updated police radar devices that go unseen by civilian radar detectors.

Also disturbing is that Junkie was found in a new computer. Horowitz said the computer might have been infected at the computer factory.

The discovery indicates that viruses are entering a new phase of destruction, Horowitz said.

"Viruses are continuing to be developed with a lot of expertise," Horowitz said. "There're definitely a growing number of viruses out there with new technology, and we're beginning to see the distribution of those viruses more quickly."

=====

------------------------------

Date: Wed, 15 Jun 94 15:59:23 -0400
From: Dana Antkowiak
Subject: Budo Virus (PC)

Has anyone else been infected with the Budo (B2) virus? If you have and have successfully cleaned it, please e-mail me back on which program you used to clean it off of your machine. Or if anyone has any ideas or suggestions that would be helpful, they will be appreciated.

Thanks:=}

------------------------------

Date: Thu, 16 Jun 94 17:39:50 -0400
From: craig%enterprise@uunet.UU.NET (Craig S. Maloney)
Subject: Help! (PC)

I need help in getting rid of a virus. It is the Newbug variety of the GENB [Generic Boot Sector] virus. It will not "Clean" from a hard disk. I have used McAfee Clean ver. 115 to remove Genb from floppy drives, but I have had no luck with hard disks. Anyone have any ideas?
Craig
- --
- ------------------------------------------=----------------------------------
Craig Maloney                            | Engineering Computer Center
Supervisor                               | Wayne State University
PC/Mac Systems, College of Engineering   | 5050 Anthony Wayne Drive
Internet: craig@enterprise.eng.wayne.edu | Detroit, MI 48202
Fax : 313-577-5969                       |
- ------------------------------------------=----------------------------------

------------------------------

Date: Fri, 17 Jun 94 07:42:29 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Testing Anti-Virus TSRs (PC)

I am writing utilities for automating the testing of DOS anti-virus TSRs, the idea being to find out which file viruses a TSR can detect/intercept without having to clean up an infected computer every time one is missed.

I have been able to perform sensible tests on the TSR components of the following products:

Norton
Smartscan
Central Point
McAfee
Dr. Solomon's

However, I have had anomalous results with TSRs from the following products:

Thunderbyte
IBM
Virex
Untouchable
Cybec

I would like to correspond with the authors of the software concerned, with a view to getting some details about the way their programs work. As the author of one of these products, (VirusGuard in Dr. Solomon's Anti-Virus Toolkit) I understand the desire to keep such details from the competition, defined as both competing AV vendors and the virus writers. I do not therefore intend to discuss the matter in a public forum, nor press for details that authors are unwilling to reveal.

I am no longer employed by any anti-virus software publisher and am now writing and programming free lance. I invite anyone with technical information on the products which are giving me trouble to correspond with a view to making the testing of their product easier and safer. I hope that they (you?) will feel that it is in their own interests to do so.

- --
Iolo Davidson

"I am the Cat," said the Cat, "who walks by himself, and all places are alike to me."
                                                                  - Kipling

------------------------------

Date: Fri, 17 Jun 94 12:13:07 -0400
From: beichelb@topgun.idbsu.edu (Ben Eichelberger)
Subject: unknown virus (PC)

We have experienced an unknown virus on our University Campus. The latest version of McAfee Virus Detection software, 114, did not find anything. However, these are the symptoms:

Many lost clusters taking up hard disk space. On one machine it ate up over 140MB of disk space leaving less than a MB of room to work in. Other machines had 30MB, 50MB and 70MB of lost clusters in one file. Some diskettes have also had lost clusters eating up remaining room on the diskette. Two of the diskettes were unrecoverable and data was lost.

We were able to fix the lost clusters with DOS chkdsk /f. Our major concern now is how to remove an unknown virus from these machines. Any help or suggestions would be greatly appreciated.

------------------------------

Date: Fri, 17 Jun 94 15:04:08 -0400
From: peterj@netcom.com (Peter Jennings)
Subject: STACK virus (PC)

In a routine scan of my system using McAfee's SCAN 1.15B obtained yesterday from a SimTel site, the STACK virus was reported in 6 files recently installed with Xerox Ventura PicturePro. The files were DLLs and executable overlays (filters).

However, the documentation accompanying both SCAN and CLEAN makes no reference to the STACK virus. I attempted to use the SCAN /AF followed by the CLEAN /GRF options to remove the viruses, but got a message that the file generated by SCAN was "damaged". I attempted to use the SCAN /AG command as described in the CLEAN documentation as a prelude to running CLEAN /GENERIC, but /AG seems to be unrecognized as an argument by this copy of SCAN. It seems to only be part of version 1.5.

Does anyone have any knowledge of the STACK virus and how I might go about removing it, or if this product gives a false indication with SCAN. The virus is present on both the 3.5 and 5.25 inch disks in the package.
Apparently Xerox has sold Ventura to Corel, but Corel claims that they support Ventura Publisher, but not Ventura PicturePro, so I am having trouble finding the right Customer Support number to call for help.

Any help would be appreciated.

Peter
- --
- --
peterj@netcom.com
|==================================================================|
| Netsurfers using DOS should finger peterj@netcom.com to learn    |
| about MagicKey, the pop up Internet Help window with autotyping. |
| Over 300 Internet resources available at the touch of a key.     |
|==================================================================|

------------------------------

Date: Fri, 17 Jun 94 20:50:13 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Chill Touch and Junkie Viruses (PC)

The following viruses arrived too late to be placed into Version 116, however, enclosed are descriptions and external strings to detect them with VIRUSCAN (and possibly other antivirus programs, as well).

To use the external strings, create a text file with one string per line and save it with a name like VIRUS.TXT. Then run VIRUSCAN by typing:

SCAN C: /EXT VIRUS.TXT

You can replace "C:" with any drive letter or letters (each separated by a space). To check all local hard disk drives, replace "C:" with the "/ADL" switch. To check all network disk drives, replace "C:" with the "/ADN" switch.

NOTE: These strings are for VIRUSCAN Version 11X only, not the new Version 2.x series.

Chill Touch

Description: The Chill Touch virus is a memory-resident .COM file infector. When run, the virus installs itself in memory as a terminate-and-stay resident program and infects COMMAND.COM.

Infection Method: Once in memory, the virus watches for the running, copying, and opening of .COM files and infects on these accesses, increasing the size of infected files by 544 bytes.

Messages: The virus contains the message "Chill Touch . You can't touch these phantoms", however, the message is not visible within the virus code due to a simple XOR loop used to cipher the virus code.

Detection: The virus can be detected by VIRUSCAN's /EXT switch with the following string:

"C7 09 8B F7 AC 34 ? AA E2" Chill Touch

Infected files can be deleted with the DOS DEL command or VIRUSCAN's /D switch. VIRUSCAN's validation and recovery codes option will also detect and remove this virus.

Other: We have received two reports of this virus from the United States and one report of the virus from Europe to date.

Junkie

Description: The Junkie virus is a memory-resident multipartite (file and system area) infector. The virus infects .COM files greater than 4,096 bytes and the master boot record of hard disks.

Infection Method: Once a virus-infected program is run, the virus installs itself in memory as a terminate-and-stay-resident program. On the system area of the hard disk, the virus copies two 512-byte sectors of code into the first track of the hard disk. The virus then modifies the existing master boot record of the hard disk to read the extra sectors and execute them upon boot-up.

For files, the virus monitors the system for attempts to run and open them. When a file is run or opened, the virus checks it for a .COM extension on the file. The virus modifies the beginning instructions of the file to point to the end of the file, and adds approximately 1,024 bytes of virus code to the end of the file. The next time the file is run, the virus code will then be executed before returning control to the host program.

Messages: The virus contains the text "Dr White - Sweden 1994 Junkie Virus - Written in Malmo..._", however, this message is not visible within the virus code due to a simple XOR loop used to cipher the virus code.

Detection: The Junkie virus can be detected by VIRUSCAN's /EXT switch with the following string:

"26 81 34 ? ? 46 46 E2 F7" Junkie Virus

Infected files can be deleted with the DOS DEL command or VIRUSCAN's /D switch. VIRUSCAN's validation and recovery codes option will also detect and remove this virus.

Other: We have had one report of this virus on one PC from Stockholm, Sweden. While there have been multiple reports of this virus from the Great Lakes region of the United States, it appears that these are not reports OF the virus but reports ABOUT the virus from the U.S. distributor of a Scandinavian antivirus program. We have had no other infection reports of this virus from any of our 150+ offices in 50+ countries around the world.

Aryeh Goretsky
Technical Support
- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor | FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Sat, 18 Jun 94 12:32:25 -0400
From: s9410544@yallara.cs.rmit.OZ.AU (Hoang Anh Nguyen)
Subject: New virus was found. (PC)

I have discovered a new virus with the name NGVC. This virus is very small in size and only destroys the FAT. Probably this virus comes from Vietnam.

------------------------------

Date: 15 Jun 94 22:23:50 +0000
From: garcia@bkfsu1.sedalia.sinet.slb.com (Geoframe User)
Subject: NATAS Virus? (PC)

I notice an "emergency copy" of the new Scan 2, specifically aimed at the "NATAS" virus. After downloading it from the McAfee ftp site, I'm still no wiser than before about this virus, but I assume if McAfee saw fit to release a special version, it must be fairly serious. Anybody have any information?

Oh, for what it's worth, this special version seems to hang up on me while doing an "internal scan" of one of my Central Point Backup files.
No error message, it just stops. Anyone else have any problems with it?

Steve Garcia
garcia@bakersfield.geoquest.slb.com

------------------------------

Date: Mon, 20 Jun 94 10:50:00 -0400
From: janzen@atbms.ncs.dnd.ca (R. Janzen)
Subject: Stoned.Manitoba (PC)

We have been hit by the virus which F-PROT identifies as Stoned.Manitoba. It seems to be removed normally by F-PROT, and all of the floppy disks have been scanned. However, the virus seems to be popping up at several other locations (around the original infection).

As I understand BSVs, the only way that it could be spread is by booting off of an infected disk (or having an infected data disk in the boot drive at boot-time). To me this means one of two things: either Stoned.Manitoba is not a BSV, or not all floppy disks have been scanned. I'm currently scanning *every* floppy disk anywhere near the area, and not trusting the users at all.

Can anyone verify for me whether Stoned.Manitoba is only a BSV? And am I correct on how it could be spread?

Thanks
Rob Janzen
janzen@atbms.achq.dnd.ca

------------------------------

Date: Thu, 23 Jun 94 11:54:33 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: info on 2 viruses (PC)

sa1737976@v9001.ntu.ac.sg writes:

>and where can i get a copy of f-prot ? seems like quite a lot of ppl r talking
>abt it and using it. i can accept uuencoded stuff :). thanx !!

It is available on most major FTP sites, but you can always get a copy of the latest version (currently 2.12c) by uuencoded e-mail, by sending any mail message to f-prot@complex.is

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Thu, 23 Jun 94 11:56:32 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: "New" Virus found? (PC)

bullingt@sfu.ca (Keith Gordon Bullington) writes:

>I've come across a .COM infecting virus that fails to be caught by
>SCAN v2.01, TBScan or F-Prot 2.12.
The virus in question (Junkie) can be detected and removed with F-PROT 2.12c.

- -frisk

------------------------------

Date: Thu, 23 Jun 94 22:14:25 -0400
From: "Fabio Esquivel C."
Subject: Cure for SVC.2936 & Three_Tunes viruses (PC)

Are those viruses really hard to disinfect? There are several PCs infected here in different enterprises and friends' homes, with both viruses, and still McAfee's product (version 115B) and Fridrik's F-Prot (version 2.12c) are unable to disinfect them, though they are relatively old viruses.

I remember that Dark Avenger was disinfectable by undoing the changes made to the executable's header and wiping off the virus code from the end of the executable file. I think that SVC.2936 (Scan's June1530) and the Three_Tunes viruses infect executable files in the same manner as Dark Avenger does.

Then why is it not possible to undo the changes to the exec's header and leave the files as closely as they were before infection?

By now, my friends and the enterprises attacked are just replacing the files from backups or reinstallations...

  \___/
  (O o)
- ----------------------------------oOo-U-oOo--------------------------------- --
Fabio Esquivel - University of Costa Rica    | C:\GAMES>a:install
fesquive@cariari.ucr.ac.cr (163.178.101.5)   | Blood_Drinker virus found!
fesquive@bribri.ci.ucr.ac.cr (163.178.101.8) | Apply, Kill, Panic?
  _                         "Up the Irons!" - 8¬)
- ----------------------------------------------------------------------------- ---
 __|||__
(__/^\__)

------------------------------

Date: Fri, 24 Jun 94 02:47:57 +0000
From: phle@undergrad.math.uwaterloo.ca (Phat H. Le)
Subject: Need help on "stoned" virus (PC)

Please forgive me if this is one of those FAQ. The problem is that my PC is infected with the so called "stoned" virus. This virus infects the boot sector and from the info I've got from MSAV indicates that this virus is harmless yet irritating.

Anyway, I tried F-PROT and it told me to reboot the PC with a virgin boot disk and rerun the antivirus software. I did just that but when I rebooted the PC with a cleaned boot diskette, I couldn't see the C drive. So the way I got rid of the virus was to reboot the PC from the harddrive and back up all the files onto a server, then did a low level format to the C drive. This is what you might call a "brute force" method and it worked fine.

However, my question is - is there another way to remove this stoned virus or is there any antiviral software out there that can get rid of it other than the "brute force" method?

Any help on this will be greatly appreciated,
PhLe
- --
+----------------------------------------------------------------------------+
| Phat H. Le                |                                                |
| phle@napier.uwaterloo.ca  | "I'LL BE BACK!" - Arnold Schwarzenegger        |
+----------------------------------------------------------------------------+

------------------------------

Date: Fri, 24 Jun 94 03:41:21 -0400
From: Henrik Stroem
Subject: Re: Joshi virus - False alarm? (PC)

> From: gbesko@bldgeduc.lan1.umanitoba.ca (Geoff Besko)
> Date: Thu, 23 Jun 1994 10:37:28 EDT

> When I scan a machine on my network with the Microsoft Anti-Virus utility,
> that came with MS-DOS 6.1, it says that the machine has the Joshi virus.

Really? I didn't know an MS-DOS v6.1 was ever released. Microsoft jumped from v6.0 directly to 6.20, then later to 6.21 and 6.22 (current). PC-DOS on the other hand released v6.1, and jumped up to 6.3 (current). But I don't think you mean PC-DOS 6.1 because it comes with IBM Anti-Virus, and not MSAV.

> However, when I check the same machine with the newest (v2.12) of F-Prot it
> doesn't register any viruses at all.

F-Prot should be able to detect Joshi, so it is probably a false alarm, or a new variant of Joshi (not likely).

> Has anyone heard about problems with the reliability of the MS Antivirus
> program?
> I will probably try another program to see if it finds anything but
> I was wondering if anyone has had any similar experiences? Any help would be
> much appreciated!

There has been much noise about MS Anti-Virus, but I've never heard about a Joshi false positive from it before, so this might be something else. Maybe you have a floppy that is infected, and which was in use at the time you detected the virus?

You might want to check out FIXUTIL6.ZIP, containing some nice tools that should be able to tell you whether you are infected or not.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 24 Jun 94 03:46:31 -0400
From: Henrik Stroem
Subject: Re: Virus in Norton Commander 4.0! (PC)

> From: gorbiel@student.uci.agh.edu.pl (Andrzej Gorbiel)
> Subject: Virus in Norton Commander 4.0! (PC)
> Date: Thu, 23 Jun 1994 10:37:28 EDT

> BTW if you find which bit of NC.INI is critical (i.e. causes this
> effect) do not hesitate to inform me (by e-mail). Or write a virus
> that changes that bit and call it Symantec!

Another solution would be to upgrade to NC v4.5, and chances are that this problem might have been fixed.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 24 Jun 94 04:32:46 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: The AntiCMOS virus (PC)

In the last two weeks, I have noticed a dramatic increase in the number of reported AntiCMOS infections. My guess is that the virus got "lucky", and is being distributed in some package, preinstalled on machines from some manufacturer, or on pre-formatted floppy disks from some producer.

I am looking for any information that might explain this sudden increase.
- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Wed, 15 Jun 94 15:58:10 -0400
From: Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
Subject: Junkie virus (PC)

Does anyone have any specific information on the "Junkie" virus? I got the following fax yesterday from someone. Do any other scanners detect and/or clean this? I don't buy their solution for cleaning it. From what I've been hearing, it's a pretty nasty little bug.

***Begin included article ****

Another Super-Virus Discovered 06/02/94

BRIER, WASHINGTON, U.S.A., 1994 JUN 2 (NB) -- A super-virus that can create havoc on your computer system has been accidentally discovered while a sales representative was demonstrating an anti-virus program to a customer. Called "Junkie," the virus was discovered in Ann Arbor, Michigan, while a Reflex Inc. rep was demonstrating the merits of that company's Disknet anti-virus software.

"Junkie" reportedly has software engineers concerned for several reasons: It is encrypted, making it difficult to be spotted; it is polymorphic, meaning it changes each time it replicates; and it infects both the drive's boot sector and executable files on the Reflex engineers are studying the characteristics of "Junkie" in an effort to see what other effects it may have on a computer.

The source of the virus is still uncertain, but it was discovered on pre-installed, shrink-wrapped software. The PC manufacturer that pre-installed the software was not identified, but Reflex spokesperson Bob Reed told Newsbytes that it appears that was not the source of the infection. "The system was installed for a month before it ("Junkie") showed up," said Reed.

Reflex engineers say "Junkie" is spread by infecting the boot sector, the portion of the hard disk that contains the startup instructions for a computer.
It can reportedly also infect the boot sector of a floppy drive and even make an anti-viral program a carrier. "Junkie can make anti-virus toolkits spread viruses. Scanners open files to search for viruses, in turn opening the door for Junkie to use the scanner itself as a means of spreading the virus," according Reed said the Ann Arbor incident is the only time so far "Junkie" is known to have surfaced. He said there are no visible warnings of the virus. He stresses the need for having a current backup of your computer data. "The only known cure is re-formatting the hard disk," says Reed. That gets rid of "Junkie." Users are cautioned not to make a backup copy of the drive that is suspect, since the backup will also be contaminated.

Most anti-virus programs scan for known viruses, but cannot always detect a new and different problem such as "Junkie." That makes it necessary to continually update anti-virus programs, with a resultant added cost in time and money to make sure your computer system is virus-free.

(Jim Mallory/19940602/Press contact: Lucy Stokstad, Reed, Revell-Pechar, 206-4624777; Reader contact: Reflex Inc., 800-673-3539)

***End included article

------------------------------

Date: Wed, 15 Jun 94 02:48:05 -0400
From: lucas@mcafee.com (Kelly Lucas)
Subject: McAfee VirusScan V2.0.2 uploaded to SimTel (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
scn-202.zip  VirusScan V2.0.2 scans/cleans for viruses
vsh-202.zip  VShield V2.0.2 virus prevention TSR

WHAT'S NEW

VirusScan Version 2.0.2 contains the following changes from 2.0.1:

VirusScan .DAT files

o A false alarm of the TELECOM (alias: Antitelefonica) virus in memory on Toshiba T-4500 notebook computers has been fixed.

o CLEAN.DAT now includes removers for over 1,250 viruses, including the 5Volt, Lycee.0930, ParVir1, and most boot viruses.
o All false alarms reported to the VirusScan Development Team have been fixed.

VirusScan for DOS

o The /NOBREAK switch has been added. This switch will prevent a scan from being stopped by pressing the Ctrl-C or Ctrl-Brk keys.

o VirusScan now makes use of Expanded Memory (EMS) available using the LIM-EMS 4.0 specification. This can reduce VirusScan's Conventional Memory (Base 640Kb) requirements by up to 60%.

o Conventional memory requirements have been reduced from 340kb to 300Kb.

o VirusScan's scanning speed has been improved by approximately 12%.

VShield

o False reports of viruses in memory on older PCs have been fixed.

o A problem launching DOS programs under Windows has been fixed.

For instructions on using the programs, please refer to the VirusScan documentation. For Validate values, please refer to the PACKING.LST enclosed inside each .ZIP file.

Regards,

Kelly Lucas
Technical Support
- - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: lucas@mcafee.COM
2710 Walsh Ave, Suite 200 | FAX (408) 970-9727   | IP# 192.187.128.1
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | America Online: McAfee

------------------------------

Date: Thu, 16 Jun 94 10:21:29 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.12C released (PC)

Version 2.12c is a minor update ... it adds detection and disinfection of a fairly large number of viruses, but the primary reason it is released is that some of those viruses are "in the wild".

Among the viruses we added detection/disinfection of are:

Chill (in the wild in USA)
Junkie (in the wild in several countries)
Natas (in the wild in Mexico and USA)
SMEG.Pathogen and SMEG.Queeg (in the wild in the UK)

I just uploaded 2.12c to oak.oakland.edu....it should be available for download soon, but it can also be obtained by sending e-mail to our mail server:

f-prot@complex.is

It will attempt to e-mail a uuencoded copy back to you.
- -frisk

------------------------------

Date: Fri, 17 Jun 94 09:58:04 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: fp-212c.zip - Version 2.12c of the F-PROT anti-virus package

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
fp-212c.zip  Version 2.12c of the F-PROT anti-virus package

Version 2.12c is a minor update... it adds detection and disinfection of a fairly large number of viruses, but the primary reason it is released is that some of those viruses are "in the wild".

Among the viruses we added detection/disinfection of are:

Chill (in the wild in USA)
Junkie (in the wild in several countries)
Natas (in the wild in Mexico and USA)
SMEG.Pathogen and SMEG.Queeg (in the wild in the UK)

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date: Fri, 17 Jun 94 17:22:43 -0400
From: tyetiser@umbc.edu (Mr. Tarkan Yetiser)
Subject: Updated VDS 3.0m on Oak (PC)

Hello everyone,

The new VDS (Virus Detection System) 3.0m Shareware Edition is available on Simtel-20 and some of its mirrors; the file name is VDS30M.ZIP. This release of the package is intended to allow potential customers to evaluate the suitability of the product to their needs. It is a fully functional copy that lacks a few features of the Pro version (see the docs for details).

VDS 3.0m includes a fast virus scanner, a robust integrity checker with anti-stealth capability, a generic virus remover, external signature support, emergency diskette preparation, a very versatile decoy launcher, a low-level disk recovery tool, readable documentation, excellent Netware support (not just compatible), automatic and semi-automatic installation (with de-install feature), and an object-oriented (seriously) user interface.
VDS 3.0 emphasizes integrity checking, but also provides known virus scanning. Its catalog-based integrity database supports both DOS drives and Novell volumes. The newly-added installation program simplifies protecting workstations by offering complete electronic distribution and configuration options. Once in place, VDS can perform periodic (user-definable) integrity checks and scans without further user intervention.

System requirements:

IBM PC compatible computer
Hard disk (for integrity checker) with 1024K free space
384K of memory available
Optional 192K extended memory for large catalogs
MS/PC-DOS 3.0 or later

If you are looking for a comprehensive and up-to-date anti-virus package, we invite you to try VDS. It's only an FTP away! Let us know what you think.

Regards,

Tarkan Yetiser
tyetiser@gl.umbc.edu
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.

------------------------------

Date: Mon, 20 Jun 94 14:32:44 -0400
From: James Ford
Subject: McAfee files available on risc.ua.edu (PC)

Mirrored 02
Mirrored from: ftp.mcafee.com:/pub/antivirus
Mirrored to: risc.ua.edu:/pub/ibm-antivirus/Mirrors/mcafee/antivirus) @ Mon Jun 20 12:26:55 CDT 1994
- ------------------------------
Got 00-Index 2124
Got clean116.zip 276384
Got ocln116.zip 289502
Got oscan116.zip 256697
Got scanv116.zip 255499
Got virdt116.zip 76232
Got vshld116.zip 146472
Got wscan116.zip 310518
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/wscn115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/vsh115.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/scn115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/oscn115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/ocln115b.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/cln115b.zip
- ----------
James Ford - Seebeck Computer Center      jford@seebeck.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)   (205) 348-3968   (205) 348-3993 (fax)

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 47]
*****************************************
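Two posts in this issue describe the same defensive idea from different ends: Fabio Esquivel asks why a disinfector cannot simply undo the changes to an EXE's header and cut the virus code off the end of the file, and the VDS announcement describes a catalog-based integrity checker with a generic virus remover. A catalog is what makes the generic version of Fabio's approach possible: if the original header and length were recorded while the file was clean, an append-style change can be reversed without knowing anything about the particular virus. The example below is added here and is not code from the digest, from VDS or from any poster; the catalog format (SHA-256 of the whole file, original length, raw 28-byte MZ header), the toy EXE builder and the `constructed_tampered_copy` helper that fabricates a modified sample are all assumptions made for this illustration.

```python
"""Catalog-based integrity check with a generic undo of an appending change.

Added example, not VDS or poster code. Assumed catalog layout per file:
SHA-256 of the whole file, its length, and its raw 28-byte DOS MZ header.
"""
import hashlib
import struct

# The 28-byte DOS MZ header is fourteen little-endian 16-bit words.
MZ_FMT = "<14H"
MZ_SIZE = struct.calcsize(MZ_FMT)  # 28
MZ_MAGIC = 0x5A4D                  # "MZ"
HEADER_PARAS = 2                   # toy header occupies 32 bytes = 2 paragraphs


def make_constructed_exe(body: bytes) -> bytes:
    """Build a minimal DOS EXE image. Constructed test data, not a real program."""
    size = HEADER_PARAS * 16 + len(body)
    header = struct.pack(
        MZ_FMT,
        MZ_MAGIC,             # e_magic
        size % 512,           # e_cblp: bytes used in the last 512-byte page
        (size + 511) // 512,  # e_cp: number of pages in the file
        0,                    # e_crlc: no relocation entries
        HEADER_PARAS,         # e_cparhdr: header size in paragraphs
        0, 0xFFFF,            # e_minalloc, e_maxalloc
        0, 0x0100,            # e_ss, e_sp
        0,                    # e_csum (unused)
        0, 0,                 # e_ip, e_cs: entry point at start of load image
        MZ_SIZE, 0,           # e_lfarlc, e_ovno
    )
    return header.ljust(HEADER_PARAS * 16, b"\0") + body


def catalog_entry(data: bytes) -> dict:
    """What the catalog keeps per file: enough both to detect and to undo."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "length": len(data),
        "header": data[:MZ_SIZE],
    }


def check(entry: dict, data: bytes) -> dict:
    """Compare a file with its catalog entry and report what differs."""
    return {
        "modified": hashlib.sha256(data).hexdigest() != entry["sha256"],
        "header_changed": data[:MZ_SIZE] != entry["header"],
        "length_delta": len(data) - entry["length"],
    }


def generic_restore(entry: dict, data: bytes):
    """Undo an append-style change: put back the cataloged header and truncate
    to the cataloged length. Returns (restored_bytes, reason); restored_bytes
    is None when the change is not a pure append, because then the original
    bytes are no longer all present and truncation would produce a bad file."""
    if len(data) < entry["length"]:
        return None, "file is shorter than cataloged; nothing to truncate"
    candidate = entry["header"] + data[MZ_SIZE:entry["length"]]
    if hashlib.sha256(candidate).hexdigest() != entry["sha256"]:
        return None, "body between header and old end also changed; restore from backup"
    removed = len(data) - entry["length"]
    return candidate, "restored header and truncated %d appended bytes" % removed


def constructed_tampered_copy(original: bytes, appended: bytes) -> bytes:
    """Constructed test data only: reproduces the file-level symptoms Fabio's
    post describes (size and entry fields rewritten, extra bytes at the end)."""
    fields = list(struct.unpack(MZ_FMT, original[:MZ_SIZE]))
    new_size = len(original) + len(appended)
    fields[1] = new_size % 512                 # e_cblp
    fields[2] = (new_size + 511) // 512        # e_cp
    fields[10], fields[11] = 0x0003, 0x0002    # e_ip, e_cs: arbitrary new entry
    return struct.pack(MZ_FMT, *fields) + original[MZ_SIZE:] + appended


if __name__ == "__main__":
    exe = make_constructed_exe(b"\xb8\x00\x4c\xcd\x21")  # mov ax,4C00h / int 21h
    entry = catalog_entry(exe)          # taken while the file is known clean
    bad = constructed_tampered_copy(exe, b"\0" * 300)
    print(check(entry, bad))
    restored, why = generic_restore(entry, bad)
    print(why, "; identical to original:", restored == exe)
```

The catalog has to be built from a known-clean system, and, as several posts in this issue advise, checked after booting from a clean diskette so that a stealth virus cannot hand the checker the original bytes it hides behind. The hash comparison in `generic_restore` is the part that matters in practice: the header-plus-truncate recipe is only correct when the infection is a pure append, and when the check fails the honest answer is the one Fabio's friends are already using, restore from backup.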