VIRUS-L Digest   Tuesday, 4 Oct 1994   Volume 7 : Issue 80

Today's Topics:

Re: Netcom distributing viruses
viruses and the average folk
_need_ to trigger virus checker
Stealth Virus
ANSI Bomb?
Netcom and viruses: letters
Re: Netcom distributing viruses
Network Security Observations
Re: MBR Virus and OS/2 with HPFS (OS/2)
Re: Anyone heard of a virus for a SCO XENIX system? (UNIX)
Re: Help, unknown virus. (PC)
Re: Can a virus change CMOS settings??? (PC)
Possible virus please help - URGENT (PC)
Re: VIRUSCAN 2.x gripes & grumbles (PC)
Re: Gingerbread Man Virus (PC)
Re: Can a virus change CMOS settings??? (PC)
Jumper.B or 2KB virus (PC)
Re: Viruses & TSRs (PC)
Help with whisper virus! (PC)
help anti thunderbyte (PC)
Re: Integrity Checker? (PC)
KMIT virus? (PC)
Re; F-Prot scans UMBs ??? (PC)
Re; [Info-Needed] Junkie Virus (PC)
Re; Need Help With Trident Virus (PC)
Re; What is known about a virus called int (PC)
Re; Form virus (PC)
Re; Info on Bobo Virus (PC)
VCL?? (PC)
new virus? (PC)
Quantum hardcard (PC)
EXE infection: How is it possible? (PC)
Whisper Virus (PC)
Re; No_init virus info (PC)
Info on WHISPER Virus (PC)
Re: Integrity Checker? (PC)
Re: How can I remove a version of NATAS? (PC)
Re: MCafee, MSAV, and FORM? (PC)
GenB Virus - Need Help! (PC)
Rosenthal Virus Simulator (PC)
How to remove FORM from PC bootsector? (PC)
Goldbug Virus (PC)
Re: Form virus (PC)
Opinions on Intel LanProtect Antivirus (PC)
F-PROT 2.14 is out (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 13 Sep 94 04:45:59 -0400
From: bradleym@netcom.com (Bradley)
Subject: Re: Netcom distributing viruses

Terry Reeves (treeves@magnus.acs.ohio-state.edu) wrote:
> ygoland@hollywood.cinenet.net (Yaron Y. Goland) wrote:
> > That netcom allows its users to distribute viral code and related
> > information when clearly marked as such is required as a basic
> > characteristic of freedom as defined in the United States of America.
> >
> I for one would be happy to see the deliberate distribution of viruses
> & virus code - even between consenting adults, made a federal crime.

A lot of people would be happy to see a lot of things made illegal. Fortunately I can't see code being made illegal. And remember, when code is outlawed, only outlaws will code.

> Some are designed to protect children. As a US citizen and a citizen
> of the state of Ohio, I am not allowed to give or sell alcohol to minors.
> An adult cannot have sex with a minor.

But this is a poor analogy. If applied to viruses would be similar to me infecting your computer. I consider making virus code, or even live viruses, available similar to showing a minor how alcohol is made, or what sex is. It's called education, and last I heard it's still legal to learn things.

> It is a crime to let a virus loose on someone else's computer.
> It is not
> a far step, nor is it a break with the existing philosophy of our laws, to
> make it illegal to distribute the virus randomly to others - since a
> reasonable person knows that some of those others will let it loose.

If the text that makes up virus source code were made illegal, then it would also not be such a far stretch to say that telling someone to type "format c: /u" would be illegal as well. And how do you propose to make it "illegal to distribute the virus randomly to others"? Are you going to be the one to decide who the proper person is? Will we all have to register our copies of format.com as a dangerous weapon along with the DOS manual that tells us how to wipe a HD with it?

I do agree that some people should not have access to viruses. These are people that have nothing better to do than try to damage others' computers. But I don't think that the flow of any information should be stopped because of a few people.

Bradley

--
bradleym@netcom.com   finger for PGP public key   Hayward, CA

------------------------------

Date: Wed, 14 Sep 94 09:54:50 -0400
From: TCLdutch@aol.com
Subject: viruses and the average folk

I am submitting this for consideration for comp.virus. Thanks..

I'm looking for some guidance for a newspaper story about computer viruses. I am a reporter for The Post-Standard newspaper in Syracuse, NY, and am researching virus matters. I know from browsing this list you all deal with - what seems to me - to be technical and complex. But what I'm hoping to do is find someone out there who can help explain these matters to people who just bought a pc or are thinking about it. I know there's a lot of misunderstanding about viruses among the media and the general populace. Anyway, if you can help please e-mail me or give me a call, collect.

Thanks for sharing your space.
Todd Lighty          Voice: (315) 470-2195
The Post-Standard    Fax: (315) 470-3981
PO Box 4818          E-Mail: TCLdutch@aol.com
Syracuse, NY 13221

------------------------------

Date: Wed, 14 Sep 94 13:33:32 -0400
From: elyja@kocrsv01.delcoelect.com (Jeff Ely)
Subject: _need_ to trigger virus checker

I don't want to throw a shovel of coal on a fire - but I don't want to see this question lost. I believe there is a real need to be able to trigger virus checkers.

I have followed the discussion (with a huge hole in dates between 8/25 and 9/12!? Was my news feed broken, or was the info "aggregated"?) about simulators, etc. and have seen the issues hotly debated. So let me first make a couple of very clear statements so this post isn't misread:

#1. I do _not_ want to test the ability of a PROPERLY CONFIGURED virus checker to find the most viruses. I depend on test results from specialists for that info.

#2. I do not want any real or live virus, even if it's intended to be _harmless_.

So let me give a brief background on this question - so you'll know where I'm coming from.

Our company was looking at anti-virus products to use on our computers. We didn't look at any that weren't deemed to be highly effective by outside test results. Our purpose was to judge the "live-ability" of the product. e.g. - can we live with a wait of several minutes on every reboot as required by some SLOW products! Such a product won't be running very long on many of our computers ('cause the users will rem them out)! Other questions are: can we actually run any resident checking. I've had many bad experiences in the past that said resident protection just had too many problems (compatibility w other apps, etc.)

So we did our eval, made some observations, etc. But we never could see how gracefully the programs handled reporting a suspected problem (esp with resident checking). And again, this is an area where we've had problems in the past.
So we asked the vendor of the top contender if they could give us something that could trigger their product. We very specifically stated that we did not want a REAL virus. They said "nope". And this is really where such items need to come from; not a third party.

Eventually, someone in our organization contributed a floppy disk that tested positive for FORM virus. So that let us (reluctantly) see what happens when the resident checker checks a floppy and reports a problem through to Windows.

Someone mentioned that the product documentation is the right place to find out what happens when the detector is triggered. I'd quote, but the 8/25 postings have expired from my news server and there's this firewall in the way... Anyway, we all know that product documentation is often sparse and often wrong. Or the product just may not work as intended on your setup! I've spent lots of time (in the not-so-distant past) chasing "lockups" that just turned out to be resident protection that didn't report as advertised and was experiencing a false alarm.

In this present evaluation, the product documentation mentioned how to set up custom messages - but I can't even determine what the standard message is if they don't tell me (and they didn't) and I can't trigger the thing! And there are lots of options about when to check what items. I'd also like our setup people to have something (totally safe) that they can run to verify that they've properly installed and configured a setup. That means they'd need something to check each desired "mode" that can be configured (e.g. check during copy, check floppy boot sectors, etc.) There's nothing (well, almost nothing) more frightening to me than the false sense of security that can be caused by an improperly configured (or mis-understood) anti-virus product.

And what really happens with the various different reporting options (freeze vs. std report vs. quiet or whatever applies to the specific product)?
And what does it really mean when it claims to check "packed" files? And does the resident protection check before execute or only on copy? The docs are unclear. I have reason to believe that I've been misinterpreting those sparse statements in the documentation!

Re the Rosenthal simulator - all the arguments taken into consideration, I thought that it might indeed be adequate for my purpose, so I gave it a try (no "viral" supplements, mind you). Several attempts failed to produce a boot sector virus that our leading contender would detect. Remember - we depended on other testing to assure ourselves that the product was effective at finding viruses, so that didn't shake our confidence in the anti-virus product. Several hundred "simulated infected" com and exe files produced a lot of alarms on the most secure scanning modes, but not any on the fast mode. And since the fast mode is the one used in the resident protection, I still didn't have the ability to trigger the resident protection (aside from the truly infected floppy I mentioned previously). This does indeed raise the question in my mind of how much less effective the "fast" mode is on real viruses. So the Rosenthal simulator doesn't seem to do it for my specific need.

So that's my case for needing a trigger for anti-virus products - and as I said, the ideal place for that to come from would be the writer of the anti-virus package. But if they don't provide it, that kind of leaves me in the cold.

So - is there any help for me? If not, I'd at least hope that some anti-virus product makers would recognize this need (I understand that some of them do provide something like this).

Jeff Ely

------------------------------

Date: Sun, 04 Sep 94 14:33:04 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Stealth Virus

Hello All!

What's a stealth virus? Does it use (new) techniques that should not be detected by AV-products?
Greetz, Rinse

--- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Sun, 04 Sep 94 14:18:02 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: ANSI Bomb?

Hello All!

10 Aug 94 18:14, Iolo Davidson wrote to All:

>> I was wondering if anyone knew of a virus scanner/cleaner that
>> can clean something called an "ANSI bomb"?

Could someone tell me what an ansi bomb is?

Thanks in advance..

Greetz, Rinse

--- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Thu, 15 Sep 94 11:40:22 -0400
From: tomb@bedford.progress.COM (Tom Barringer)
Subject: Netcom and viruses: letters

I sent a letter to postmaster@netcom.com (which I asked the postmaster to forward to the president of the company) expressing my displeasure with the policy I read here. Here is the response I received. (Unfortunately, I do not have a copy of the original letter, but the response quotes relevant passages. Headers & other trivia edited. Following netcom's .sig is my response.

>From support@netcom.com Wed Sep 14 18:33:30 1994
To: tomb@bedford.progress.COM (Tom Barringer)
Date: Wed, 14 Sep 1994 14:13:00 -0700 (PDT)
In-Reply-To: <9409131354.AA20257@aegina.bedford.progress.COM> from "Tom Barringer" at Sep 13, 94 09:54:10 am

Tom Barringer writes:
> To: postmaster@netcom.com
> Subject: comp.virus #1903 - Re: Netcom distributing viruses
> Sender: netmail
>
> Postmaster: Please forward this to the president of your company.
> Thank you.

Our company management has directed me to answer this question in NETCOM's behalf.

> To the President and policy-making members of Netcom:
>
> On the comp.virus newsgroup, Fridrik Skulason wrote:
>
> )Netcom's policy on making viruses available via FTP is:
> )
> ) >Viruses and information relating to viruses are not, at this time,
> ) >controlled code.
> ) >We allow users to make available via anonymous FTP any
> ) >and all data as long as it is legal, which viruses, viral source code, and
> ) >newsletters published by virus groups are. It is not placed there by
> ) >Netcom, and its distribution is not necessarily endorsed by Netcom.
>
> Is this correct?

Yes.

> If so, this is one of the most irresponsible positions
> I have seen a service company take in a long time. Does it mean anything
> to you that you are the only service to take this position?

We doubt the validity of that statement, but if it is true, it is indeed quite shocking. We would expect more ISP's to support the free and legal rights of their customers.

> Or, how about
> that by making viruses available to anyone, you are singlehandedly going to
> give source code to people -- kids, mostly -- who are then going to
> intentionally try to infect their friends, and any other sites they can,
> with these viruses? Worse, you are providing virus code which can be
> slightly tweaked to bypass existing virus scanners and become able to
> infect even reasonably well protected sites?

We are doing no such things. We are merely providing a service. If you feel that user is doing something illegal with that service, you should talk to that user and consult a lawyer of your own. We do not see the aforementioned user violating the law or our user agreement.

If NETCOM were truly out to promote viruses, then I doubt we would provide Internet connectivity to the many anti-virus software companies that we do, such as Mcafee Associates and Microsoft.

--
Bruce Sterling Woodcock
Systems Administrator / Systems Analyst
Technical Support Staff
NETCOM On-line Communication Services
Network Operations Center
support@netcom.com

My response, to be mailed today:

> We doubt the validity of that statement, but if it is true, it is indeed
> quite shocking. We would expect more ISP's to support the free and legal
> rights of their customers.
It is possible that you are correct, of course; I haven't called every service provider in the world. But I know of no other organization that permits viruses and virus code to be publicly downloaded.

I also stipulate that it is not illegal. I don't, in fact, believe that I questioned the legality of your stance in my first message; I said it was "irresponsible." See again the following:

> > Or, how about
> > that by making viruses available to anyone, you are singlehandedly going to
> > give source code to people -- kids, mostly -- who are then going to
> > intentionally try to infect their friends, and any other sites they can,
> > with these viruses? Worse, you are providing virus code which can be
> > slightly tweaked to bypass existing virus scanners and become able to
> > infect even reasonably well protected sites?
>
> We are doing no such things. We are merely providing a service. If you
> feel that user is doing something illegal with that service, you should
> talk to that user and consult a lawyer of your own. We do not see the
> aforementioned user violating the law or our user agreement.

I am sorry; whether or not this is your intent, you _are_ doing this. Whatever your intent is -- and what it is is not clear to me -- you are also simultaneously providing the ability to abuse that service by making it available to the general public. You are doing the equivalent of handing out guns in your front yard to anyone who asks. While there are legitimate reasons to have, or give out, such weapons (guns or viruses) to some people, there are equally good reasons to not do the same for all comers.

As for prosecuting users of your service, I'm sorry again, but I find that argument fatuous.
While it is true that it is your user who violates the law rather than you, you know as well as I do that there is no possible way to determine whether a virus attack -- any virus attack from now until the end of the Intel chipset, which is based on code related to that in your archive -- came or did not come from copies of what you provided the attackers.

> If NETCOM were truly out to promote viruses, then I doubt we would
> provide Internet connectivity to the many anti-virus software companies
> that we do, such as Mcafee Associates and Microsoft.

I am not suggesting that your policy is to promote viruses. (I am intrigued, by the way, that you call Microsoft an "anti-virus software company." You may not be aware that they purchased MSAV -- hardly their mainstay product -- from a third party and relabelled it.) I am saying that, whatever your policy is, at least one side-effect of that policy is to promote viruses.

Does Netcom's response remind anyone of a sleazy supermarket tabloid?

--
Tom Barringer      : Progress Software Corp. : The Tall Conspiracy is looking
QA Development     : 14 Oak Park             : for members. Please see the
tomb@progress.com  : Bedford, MA 01730       : recruitment flyer posted on
GEnie: T.Barringer : #include                : the top of your refrigerator.
HREF="ftp://ftp.progress.com/tomb/tomb.html"

------------------------------

Date: Thu, 15 Sep 94 19:12:28 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Netcom distributing viruses

Ian Douglas wrote:
>> Their policy seems perfectly reasonable and legitimate to me.
>
>You left out 'irresponsible'....
>
>I don't care if they allow someone like Vess or Frisk to DL viruses. I DO
>care when they allow all and sundry to do so, because that increases the
>potential risk to MY computer and those of people I care about.
To the best of my knowledge, there is only one company which has an antivirus product that has done all of the following:

1) Offered $ for viruses (which is essentially the same as buying a CD with them)
2) Participated in the distribution of viruses. (Virus 101?)
3) Incites fear into the public so their product sells.

This is the only company which would probably be interested in some kind of service like this; surely Frisk wouldn't partake in it directly, and despite Vesslin's attitude, I would be surprised if he did.

So, you should care quite a bit if people like Vess or Frisk start to DL viruses --> Then they're almost as bad, if not worse, than the virus public.

I suppose I left myself open for the "which company is that?" question. Do some research on Virus 101 and figure it out.

>We have a problem here atm with kids messing around with VCL, and also
>hacking old viruses, which they UL to bulletin boards. It is a problem which
>we do not need.

So, by all means, if they are able to put them up for download for the people who *you* trust, right? I think a worse problem would be those same people you "trust" taking advantage of the services offered by the people they are trying to prevent from spreading viruses.

--
--> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu datadec@wintermute.ucr.edu

------------------------------

Date: Tue, 27 Sep 94 04:41:35 -0400
From: nso@delphi.com
Subject: Network Security Observations

Announcement

November 1994 NETWORK SECURITY OBSERVATIONS will be out with its inaugural issue.

NETWORK SECURITY OBSERVATIONS is expected to be the leading international journal on computer network security for the science, research and professional community.
Every annual volume contains five issues, each offering ample space for vigorously reviewed academic and research papers of significant and lasting importance, and a wealth of other network security information, including security patches and other technical information supplied by manufacturers, related governmental documents (international), discussions about ethics and privacy aspects, the Clipper chip and other cryptologic issues, viruses, privacy enhanced mail, protocols, harmonization of computer security evaluation criteria, information security management, access management, transborder data flow, edi security, risk analysis, trusted systems, mission critical applications, integrity issues, computer abuse and computer crime, etc. etc.

If and when appropriate reports of major international conferences, congresses and seminars will be included, as well as information made available by governments, agencies, and international and supra national organizations.

Network Security Observations is published in the English language, and distributed Worldwide. The publication does NOT feature commercial announcements. National and international organizers of dedicated conferences, etc. can offer calls for papers and invitations to participate. Relevant posting from other publishers announcing new relevant books, etc are welcomed as well.

NETWORK SECURITY OBSERVATIONS provides the in depth and detailed look that is essential for the network system operator, network system administrator, edp auditor, legal counsel, computer science researcher, network security manager, product developer, forensic data expert, legislator, public prosecutor, etc., including the wide range of specialists in the intelligence community, the investigative branches and the military, the financial services industry and the banking community, the public services, the telecom industry and the computer industry itself.
Subscription applications by email or fax before November 1, 1994 are entitled to a special rebated subscription rate. Special academic/educational discounts, and rebates for governmental personnel, and other special groups, are available upon request.

Network Security Observations is a not-for-profit journal, and therefore we are sorry to reject requests for trial orders.

For further information please contact:

by email> NSO@delphi.com
Or by fax> +1 202 429 9574

Or alternatively you can write to:

Network Security Observations
Suite 400
1825 I Street, NW
Washington DC, 20006
United States

===========================================================
Please cross post on Internet/Bitnet list services and Usenet news boards.
===========================================================

------------------------------

Date: Wed, 14 Sep 94 04:48:48 -0400
From: koenen@cipserv1.physik.uni-ulm.de (JOACHIM KOENEN)
Subject: Re: MBR Virus and OS/2 with HPFS (OS/2)

tnmanego@rrws1.wiwi.uni-regensburg.de (Thorsten Manegold) writes:
>From: tnmanego@rrws1.wiwi.uni-regensburg.de (Thorsten Manegold)
>Subject: MBR Virus and OS/2 with HPFS (OS/2)
>Date: 12 Sep 1994 13:50:19 -0000

>Hi all!

>I'd like to know what a Boot Sector/MBR Virus (like PARITY-B) can do
>under OS/2 especially if the HD is formatted with HPFS. Does it get
>activated when OS/2 starts via the Boot Manager? If so can it do
>damage to an HPFS Partition? Can OS/2 run with a Boot Virus active in
>Memory? Can it spread further under OS/2? And finally how would one
>go about removing the virus?

If it attacks the partition table, it acts like under pure DOS, because partition tables are not very OS specific. If it attacks the boot partition (bootmanager) it's very likely that it doesn't know anything about bootmanager and therefore destroys it by moving and copying sectors.
It can be recreated with fdisk /BM /create (I'm not sure, maybe it was format and the parameters are different but refer to the manual or the command reference). In no case a DOS MBR/Virus can become active under OS/2. If you have OS/2 on a primary partition booting without BM the virus will destroy the bootsector(s). I do not have a solution for this, but maybe chkdsk will do some work.

Bye
Jo

+-----------------------------------------------------------------------+
| Joachim A. Koenen; Universitaet Ulm; Abt. Experimentelle Physik       |
| Albert-Einstein-Allee 11; D-89069 Ulm; Germany Tel: ++49 731 502-3022 |
| E-mail: Joachim.Koenen@Physik.Uni-Ulm.De                              |
+-----------------------------------------------------------------------+

------------------------------

Date: Thu, 15 Sep 94 04:13:20 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Anyone heard of a virus for a SCO XENIX system? (UNIX)

Hello Mr. Zanagar,

I'm assuming you mean SCO XENIX running on an Intel 80x86-based computer, correct (I'm not aware of any other versions, but....)?

Any type of master boot record or boot sector virus would infect the hard disk regardless of the operating system installed on it. Boot viruses are operating system independent and rely on the computer hardware's ability to load an operating system to be executed. This occurs regardless of what operating system is currently installed.

What sort of damage will you see? Well, all boot viruses I have heard of seem to be written with DOS FAT formatted hard disks in mind. The results of a boot virus on a different file system (OS/2's HPFS, Windows NTFS, UNIX, and so forth) can vary from no noticeable problems, to the PC booting normally once before crashing, to no longer being able to boot at all.

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/

ertan@ponder.csci.unt.edu (Ertan Zanagar) writes:
> Does anyone know if there is a virus out there that would
>in any way effect a SCO XENIX system? Any help is much appreciated.
>
> _______________________________________
> ________| Ertan Zanagar ezanagar@gab.unt.edu |_______
> \ | Lab. for Advanced Software Technology | /
> \ | University of North Texas | /
> / |_______________________________________| \
> /__________) (_________\
>

--
- - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor | FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Tue, 13 Sep 94 02:47:07 -0400
From: at796@freenet.carleton.ca (Ajay Kapal)
Subject: Re: Help, unknown virus. (PC)

In a previous article, cs911035@ariel.cs.yorku.ca (CHRISTOPHER M. ACKNEY) says:

>Hi there, I'm new to this group, so I don't know the ins and outs of viruses.
>However, a friend of mine seems to have gotten himself into a wee bit of
>trouble.
>
>It seems that after a certain amount of time on his computer, the characters
>on the screen begin flashing in different colours. It may be a video problem,
>but then shouldn't it occur when he turns his computer on. Also, the
>background remains stable.
>Besides this, his computer speed drops noticeably.
>He's used Mcafee scan117, but to no avail.
>Can anyone offer any help

DOH! i have the exact same virus...just sprouted up today...(er...make that yesterday...) i tried to use scan117, f-prot213a, and Thunderbyte 6.22. none of them caught it. f-prot doesn't even think a virus is in mem...perhaps the virus resides in EMS/XMS. I know that if i bypass my config.sys and autoexec. files, the virus doesn't show up (ie, perhaps cause i don't load up the memory manager..)
Or of course, it could just be an infected file in autoexec and/or config.sys

ps...the virus doesn't work under os/2 (as far as i can see...ive been using os2/2.1 for quite a while and it hasn't showed up yet.. Windoze 3.1 slows to a crawl tho (or is that normal :^))

HELP!

------------------------------

Date: Tue, 13 Sep 94 05:00:27 -0400
From: hollow@brahma.trl.OZ.AU (John Hollow)
Subject: Re: Can a virus change CMOS settings??? (PC)

interaccess!grouch@uunet.uu.net (Ray Moran) writes:

>I am having a problem with several PCs where the CMOS settings are
>seemingly randomly changing. Could a virus be causing this??
>Any information would be greatly appreciated.

Yes a virus can change CMOS settings. If you can change CMOS from the keyboard, then obviously the change goes via the CPU, so a virus can change CMOS settings.

Earlier this year, we had a virus (well, strictly speaking a trojan in FORMAT.COM, but the same principles apply), and it rewrote CMOS with a copy of part of the hard-disk boot sector. So yes, a virus CAN change CMOS. Thus, you may have a virus problem. Then again, it might be something different.

--John Hollow, Telecom Research Labs, PO Box 249, Clayton, Australia 3168
j.hollow@trl.oz.au FAX : +613 253-6473 (03)253-6473
X400: g=john s=hollow ou=trl o=telecom prmd=telecom006 admd=telememo c=au

------------------------------

Date: Tue, 13 Sep 94 05:42:56 -0400
From: seanl@harlequin.co.uk (Sean Lange)
Subject: Possible virus please help - URGENT (PC)

Hi

A friend has noticed strange behaviour on his machine. Whenever starting some graphics applications he gets 'SW' in big letters on the screen, then the application runs and appears to be fine.

Does anyone know if this is a virus and if so how to get rid of it.

Any help gratefully appreciated ASAP if it is a virus he'd like to get it sorted before it causes any damage.
Thanks

- sean

------------------------------

Date: Tue, 13 Sep 94 06:07:10 -0400
From: hansjc@xs4all.nl (Hans Schotel)
Subject: Re: VIRUSCAN 2.x gripes & grumbles (PC)

kellogg@netcom.com (Lucas) wrote:

>> Okay, here's what is known, and what is being done:
>> 3) The workaround for QEMM 7.0x is to load VShield after all of
>> the QEMM commands have been executed in the Autoexec.bat.

Sorry, doesn't work. I have been doing this from the first testversion I received, and I keep getting problems when loading VShield "plain". The only way I can use it without problems is with the option " /noems ", and that costs me about 43 Kb of conventional memory (only 6 Kb is loaded into XMS). I have reported this to the Dutch McAfee representative, who will send it on to the USA. It is a longstanding problem with the 2.x.x. version, but hopefully it will be fixed as yet. This problem never occurred on my system with the 1.xx versions.

Greetings,
Hans Schotel

------------------------------

Date: Tue, 13 Sep 94 08:14:04 -0400
From: pein@informatik.tu-muenchen.de (Ruediger Pein)
Subject: Re: Gingerbread Man Virus (PC)

oas@po.CWRU.Edu (Omar A. Syed) writes:
|> Hello
|>
|> This is my first time reading/contributing to this group.
|> I've come here today, to ask for your help. Just a few days ago,
|> I was struck with the Gingerbread Man Virus. I FTP'ed a file,
|> and it had three files contained in the .ZIP. They were:
|>
|> GINGER.VIR
|> GINGER.COM
|> GINGER.EXE
|>
|> I didn't know what they were at the time that I executed the
|> executable file. After running the executables, I read the
|> GINGER.VIR. It has all the information on the Gingerbread Man

You shouldn't download files from a VIRUS BBS and try them without knowing about what you do !!! Even if it wasn't a virus BBS (where did you find it then ???), you should read all the DOCs to see what you're starting (also could have been a quick format program without security features...).
So if anyone got infected because of this, it's your fault ! Pay more
attention next time when you entrust unknown programs to your computer,
otherwise you will be guilty for spreading viruses around.

- --
Ruediger Pein (pein@informatik.tu-muenchen.de)
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!

------------------------------

Date: Tue, 13 Sep 94 08:18:07 -0400
From: pein@informatik.tu-muenchen.de (Ruediger Pein)
Subject: Re: Can a virus change CMOS settings??? (PC)

interaccess!grouch@uunet.uu.net (Ray Moran) writes:

|> I am having a problem with several PCs where the CMOS settings are
|> seemingly randomly changing. Could a virus be causing this??
|>
|> Any information would be greatly appreciated.

Of course software can change the CMOS, and indeed some viruses do so.
I only remember the SVC virus by name, but there are many others, too.
That's the reason why you can store the CMOS into a file with most AV
programs. To see if you really got a virus, look out for other symptoms
like file length increase etc.

Much luck !

- --
Ruediger Pein (pein@informatik.tu-muenchen.de)
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!

------------------------------

Date: Tue, 13 Sep 94 08:43:11 -0400
From: C.J.Sparke@bham.ac.uk (Carole Sparke)
Subject: Jumper.B or 2KB virus (PC)

Has anyone come across information on a virus identified as Jumper.B by
the F-PROT software or 2KB by the McAfee SCAN software? I'd be
interested to know what it does (retrospectively now that we have
cleared up the infection and have a copy isolated!). A pointer to an
FTP-able information file would be fine if the answer's a long and
complicated one.

Thanks in advance,

Carole Sparke
Email C.J.Sparke@bham.ac.uk

------------------------------

Date: Tue, 13 Sep 94 13:36:46 -0400
From: buster@klaine.pp.fi (Kari Laine)
Subject: Re: Viruses & TSRs (PC)

virusbtn@vax.oxford.ac.uk writes:

>I would tend to agree with this.
I mean, who *doesn't* know how to unhook the
>MSAV TSR. Even if you armour your code, the virus writer gets as long as
>he likes to break it. The other thing to remember with TSR virus protection
>is that many of the virus-specific ones do not have a very good detection
>ratio (see Virus Bulletin test in September 1993 edition)... especially on
>the extreme polymorphics.

When discussing how a virus can defeat a TSR there is one important
thing to remember. How could a virus defeat the TSR with tunneling or
whatever if the TSR is able to find this virus? This is because obviously
the virus does not get a chance to run. If the virus is one unknown to
the TSR, the virus doesn't have to bother thinking how to defeat the TSR.

>Indeed, it would seem that much of the effort is
>concentrated on what is in the wild.

Well this is the same kind of comment which is often used to downplay
the role of memory resident scanners. The answer is there are BIG
differences in these memory resident products and I see it as quite
unprofessional to make the above kind of generalisations.

For example with Vi-Spy there is NO difference in what the scanner and
TSR find. Of course the price there is the memory requirement which if I
remember right is somewhere around 20-30k. These comments are based on
what I have read from other sources. I haven't been able to test the
product.

VirusGuard which is the TSR scanner part of the Solly's Toolkit finds
about >95% of the viruses which are found by the scanner FindViru. And
it probably will get much closer to the 100% still. The problem is with
the most polymorphic ones.

>I would be interested to know how many
>TSR scanners get Pathogen or Queeg. The problem here is one of overhead (both
>memory and performance). Just make your code polymorphic enough, and you will
>defeat the TSR.

Why pick just those two as an example? Hmmm obviously some testing is
needed.

Best Regards
Kari Laine, LAN Vision Oy, Agent for the Toolkit in Finland.
buster@klaine.pp.fi

------------------------------

Date: Tue, 13 Sep 94 19:52:12 -0400
From: ccthomp@ruby.indstate.edu (Jason Thompson)
Subject: Help with whisper virus! (PC)

Does anyone know anything about the Whisper Virus. Very Urgent!!!

------------------------------

Date: Wed, 14 Sep 94 03:26:35 -0400
From: ig891959@teak.canberra.edu.au (K. Chan)
Subject: help anti thunderbyte (PC)

My PC has been infected by the new '94 virus named 'anti thunderbyte';
it cannot be detected and cleaned with the latest version of McAfee's
scanv117 and clean117. Can anyone tell me whether any commercial
antivirus tools are able to clean it up? All the pathed executable files
have been infected. Please send me an email, or reply on this newsgroup.

Many Thanks.

------------------------------

Date: Wed, 14 Sep 94 08:42:36 -0400
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: Integrity Checker? (PC)

Jeffrey Rice - Pomona College, California. wrote:

> I noticed a few posts ago a bit on how NAV's inoculation isn't as
>secure as it could be. (I think it was Vesselin....) Anyway, that is about
>the only part of NAV I do rely on. I know some other products have checksumming
>(AVP,McAFee, TBAV), but these don't check as the file is executed. Or am I
>mistaken on that? Does anyone know of a good product that has checksumming,
>whether or not it scans on access?
>

F-Prot and TBAV at least do a sanity-check on their own programs, and
(as I use this one most of the time) TBAV checks every file that gets
either executed, or moved/copied. You can decide on your own that
'harddisk' executables are to be trusted, but extracting files from an
archive-file (.arj zip or whatever) that you copied to your harddisk
makes this rather dangerous practice... so I configured it to check
*every* file that wants something (copies/moved/executed/remain
tsr/direct disk/mem access, etc.)

I don't know for the other products mentioned. I think Vesselin had a
very good opinion on AVP's integrity checker.
And you can also try Integrity Master, but never trust a single package.
Always try to use two scanners (I recommend any of AVP, F-Prot and TBAV)
and an integrity checker..

Piet de Bondt bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Wed, 14 Sep 94 08:46:50 -0400
From: jaoneil@crsgi1.erenj.com (Jill O'Neil)
Subject: KMIT virus? (PC)

We have had a recent virus incident that has been identified by McAfee
as the KMIT virus. I have looked through recent virus-l digests and do
not see any information about this one. The only reference I found was
in the July '94 WildList.

Can anyone provide information about what this virus does and how to get
rid of it?

ADVthanksANCE.

Jill A. O'Neil

------------------------------

Date: Wed, 14 Sep 94 01:28:45 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; F-Prot scans UMBs ??? (PC)

trebor@test1.stack.urc.tue.nl (tREBOr) writes:

> I was wondering if F-Prot scans UMBs (A000-FFFF-segments, tech. speaking) as
> well. If it does: are there any viruses who utilize it

Yes. For example Gold-Bug - Spawning Color Video Resident and Extended
HMA Memory Resident Boot-Sector and Master-Sector Infector. Once DOS
moves into the HMA, then GOLD-BUG moves into the HMA at address
FFFF:FB00 to FFFF:FFFF.

- -- OK

------------------------------

Date: Wed, 14 Sep 94 00:04:53 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; [Info-Needed] Junkie Virus (PC)

ecsclfe@lux.latrobe.edu.au (ENRIQUEZ Luke) writes:

> I came across the Junkie virus recently. TB 6.23 identified it
> as Junky in some files and as an unknown virus in others. It appeared
> to do something with INT 1C because qemm failed in stealth mode (ie
> It couldn't find the rom handler for INT 1C). Does the virus actually
> do something with INT 1C?

Uses simple anti-debugging tricks... (MC-2885).
Virus can repair itself if it finds that an Anti-Virus tried to disable
it in memory.

- -- OK

------------------------------

Date: Wed, 14 Sep 94 01:47:06 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; Need Help With Trident Virus (PC)

mhwoo@ucdavis.edu (I Wouldn't Normally Do This Kind of Thing.....) writes:

> My computer has been infected by the [TridenT] virus. After I
> deleted all the infected files, I used the scan116 to scan my harddisk
> and no virus was found, but later, I find it again after 1 or 2 days.

Possibly it is "TridenT-3010". It infects COM and EXE, resident. Also it
may corrupt these files. Try AIDSTEST (Lozinski, Russia).

Good luck !

- -- OK

------------------------------

Date: Wed, 14 Sep 94 01:37:02 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; What is known about a virus called int (PC)

lev@slced1.Nswses.Navy.Mil (Lloyd E Vancil) writes:

> A friend has been attacked by a virus identified
> as int. His virus checker is not the most recent
> and claims not to be able to remove this boot sector
> virus...

Possibly it is the "Int10". These are not dangerous memory resident boot
viruses. They hook INT 10h, 13h and 1Ch.
Int 10h is used for INT 13h interception, INT 1Ch - for trigger routine, INT 13h
- - for infection. They hit MBR of hard drive and boot-sectors of
floppy-disks. The viruses encrypt original sector before saving it.
Sometimes they call some video effect.

I hope this boot sector virus can be removed with a "generic" method.

- -- OK

------------------------------

Date: Wed, 14 Sep 94 01:49:10 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; Form virus (PC)

bryon@netcom.com (Bryon M. Elliott) writes:

> Well, I just recently enjoyed the privilege of wiping the Form virus
> off of my computer. But now that I've stopped that little viral
> infection, I'm wondering what exactly it was that I squashed. Can
> anyone out there fill me in on the detail of Form?

Form
----
This is a very dangerous virus.
It hits Boot-sector of floppy disks during an access to them and
Boot-sector of the hard disk on a reboot from an infected floppy disk.
The virus acts only on the 24th of every month. It processes a dummy
cycle while pressing on the keys. If you work with a hard disk, the data
can be lost. The virus hooks INT 9 and INT 13h. It contains the text
"The FORM-Virus sends greetings to everyone who's reading this text.FORM
doesn't destroy data! Don't panic! Fuckings go to Corinne."

- -- OK

------------------------------

Date: Wed, 14 Sep 94 00:58:27 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; Info on Bobo Virus (PC)

fisherd@cfs.purdue.edu (David Fisher ) writes:

> I recently discovered a virus which was identified as "Bobo". It
> apparently corrupts command.com and may randomly format the infected hard
> drive. Does anyone have further info?

Maybe it is "Bob-718"?

Bob-718
-------
This is a very dangerous not memory resident virus which scans the
subdirectory tree and writes itself into the .COM-files beginnings. This
virus contains the text strings "*.COM", "COMMAND.COM". In 1993 this
virus will overwrite the files by a small program which types: "Program
terminated normally".

Good luck !

- -- OK

------------------------------

Date: Wed, 14 Sep 94 15:03:41 -0400
From: theoj00@DMI.USherb.CA (JEAN-FRANCOIS THEORET)
Subject: VCL?? (PC)

Does anyone know where the VCL (Virus Creation Library) can be found?
Should we really be alarmed about the emergence of such products?

Jean-Francois Theoret (theoj00@dmi.usherb.ca)

------------------------------

Date: Wed, 14 Sep 94 15:35:58 -0400
From: at796@freenet.carleton.ca (Ajay Kapal)
Subject: new virus? (PC)

argh....this virus is driving me crazy! after a short period of time
under dos, any characters on the screen start to pulsate with colours...
and it slows down the system by quite a bit....i've tried fprot2.13a,
thunderbyte 6.22, and clean/scan117....no help. Can anyone help?

thanks.
- -- z

------------------------------

Date: Wed, 14 Sep 94 18:03:47 -0400
From: yyjdavis@sol.UVic.CA (John Davis)
Subject: Quantum hardcard (PC)

When I restore a pc from backup, I routinely do low level and high level
formats of the hard disks first.

Recently, we added some storage devices called "Quantum hardcards" to
some of the machines. They come with their own configuration programs,
but use the format command from the appropriate version of DOS. They
appear, for most purposes, like additional hard disks, but it's actually
a different technology.

Does anyone know what potential there is for a virus hiding in this sort
of device, and whether there is something akin to a "low level format"
which could be used in addition to the basic setup program?

- ------------------------------------
John N. Davis

------------------------------

Date: Wed, 14 Sep 94 22:52:24 -0400
From: diegom@pts.mot.com (Diego Montanez)
Subject: .EXE infection: How is it possible? (PC)

Hello, I have a question: how does a virus manage to attach itself to an
executable file (.COM, .EXE) and still the executable can be run (of
course, after the viral code has been executed)?

DiEgO

- --
+----------------------------------------+
| Diego A. Montanez - diegom@pts.mot.com |
| Phone: (809) 855-2000 Ext. 2520        |
+----------------------------------------+

------------------------------

Date: Wed, 14 Sep 94 22:58:25 -0400
From: ctthomp@indsvax1.indstate.edu
Subject: Whisper Virus (PC)

Hello. I am Jason Thompson and I am a student supervisor consultant here
at Indiana State University. We are wondering if anyone has information
about the Whisper virus. If so please e-mail me any information.

Thanks for any info...

------------------------------

Date: Thu, 15 Sep 94 00:13:22 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Re; No_init virus info (PC)

brett_miller@ccm.hf.intel.com (Brett Miller - N7OLQ) writes:

> I am looking for information on the no_init virus.
I have checked many
> different sources and can not find any mention of this virus.

*** SCAN ***

A Infects Fixed Disk Partition Table-A-------------------+
9 Infects Fixed Disk Boot Sector-----9-----------------+ |
8 Infects Floppy Diskette Boot-------8---------------+ | |
7 Infects Overlay Files--------------7-------------+ | | |
6 Infects EXE Files------------------6-----------+ | | | |
5 Infects COM files------------------5---------+ | | | | |
4 Infects COMMAND.COM----------------4-------+ | | | | | |
3 Virus Installs Self in Memory------3-----+ | | | | | | |
2 Virus Uses Self-Encryption---------2---+ | | | | | | | |
1 Virus Uses STEALTH Techniques------1-+ | | | | | | | | |
                                       | | | | | | | | | |   Increase in
                                       | | | | | | | | | |   Infected
                                       | | | | | | | | | |   Program's
                                       | | | | | | | | | |   Size
                                       1 2 3 4 5 6 7 8 9 A   |
                                       | | | | | | | | | |   |
Virus           Disinfector            V V V V V V V V V V   V     Damage
No-Int [Stoned] Clean-Up               . . x . . . . x . x  N/A    O

*** MSAV ***

This boot virus is 512 bytes long. It infects boot sectors of diskettes
and the partition table of hard disks. It remains resident in memory.
Side effects include damaged file linkage, changes to system run time
operation and changes to the boot sector.

- -- OK

------------------------------

Date: Thu, 15 Sep 94 03:19:09 -0400
From: rsymons@werple.apana.org.au (Ross Symons)
Subject: Info on WHISPER Virus (PC)

Hi,

Just been infected with the whisper virus and need info regarding damage
caused and removal,

Thanx, Ross.

------------------------------

Date: Thu, 15 Sep 94 03:57:51 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Integrity Checker? (PC)

Hello Mr. Rice,

VirusScan (our virus scanner) can add, check, or remove CRC's when run.
VShield (our memory-resident virus protection program) can check the
CRC's when a file is executed.

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/

"Jeffrey Rice - Pomona College, California."
writes:

> I noticed a few posts ago a bit on how NAV's inoculation isn't as
>secure as it could be. (I think it was Vesselin....) Anyway, that is about the
>only part of NAV I do rely on. I know some other products have checksumming
>(AVP,McAFee, TBAV), but these don't check as the file is executed. Or am I
>mistaken on that? Does anyone know of a good product that has checksumming,
>whether or not it scans on access?
>
>/-----------------------------------------------------------------------------\
>| Jeffrey Rice          | "The man who ...is not moved by concord of sweet    |
>| Pomona College        | sounds is fit for treasons, stratagems, and         |
>| Claremont, California | spoils. Let no such man be trusted." -WS            |
>\-----------------------------------------------------------------------------/
>

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California  | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 15 Sep 94 03:59:30 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: How can I remove a version of NATAS? (PC)

Hello Mr. Ramos,

The beta test version of VirusScan 2.1.1 should remove the Natas virus
for you. It is available by anonymous ftp to
mcafee.com://pub/beta/scnb211e.zip.

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/

al161926@academ01.mty.itesm.mx (Jesus Barrera Ramos) writes:

>Hi all
>
>I have a real problem, Natas is invading my school ITESM Campus Monterrey,
>and I've not been able to remove it from my computer, I tried SCAN and
>F-PROT 2.13 and both detect it but can't remove it. Does anybody know
>some program to remove this virus from my computer?.
If you can help me
>I'll thank you very much. Thanks in advance.
>
>Jesus
>al161926@academ01.mty.itesm.mx
>

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California  | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 15 Sep 94 04:02:45 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: MCafee, MSAV, and FORM? (PC)

Hello Mr. Eskilsson,

The special release of VirusScan to detect and clean the KAOS virus only
detects and removes one virus. The latest version of VirusScan, Version
2.1.1, is in beta-test and available as
mcafee.com://pub/beta/scnb211e.zip.

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/

xandy@hamlet.telelogic.se (Andy Eskilsson (Flognat)) writes:

>Does mcafee's scan detect the form virus?
>
>MSAV reported the existence of the FORM virus on one of the laptops I
>am maintaining. Null problemo I thought, and brought out my virus
>killer, emergency disk (write protected disk, containing mcafee's scan
>(2.1.12? with the kaos extension) with virus description file dated
>07/28-84).
>
>Booted the computer on the emergency disk, did a scan c:, mcafee
>reported *no* viruses. run msav /c, msav detected and cleared the FORM
>virus.
>
>If I ran msav /c after booting from infected(?) harddisk, it hung when
>it tried to scan.
>
>The reason to why we started scanning for the virus were that MS
>Windows (WfWg 3.11) at startup complained over a bad driver/virus
>infection/diskcache.
>
>Any hints why scan didn't detect the FORM virus ?
>
> /andy
>

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.
| Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California  | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Tue, 06 Sep 94 09:46:00 +0200
From: Paul_Browning@f110.n111.z9.virnet.bad.se (Paul Browning)
Subject: GenB Virus - Need Help! (PC)

TO: spdaley@undergrad.math.uwaterloo.ca

> McAfee 2.01 GenB at 960k

There should be a clean program with mcafee - find out how to use mcafee
to clean the virus and you should be able to erase it.

- --- FMail/386 0.98a
 * Origin: Ultimate BBS - Vancouver, BC, Canada - (604) 224-1657 (9:111/110)

------------------------------

Date: Sun, 04 Sep 94 14:28:03 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Rosenthal Virus Simulator (PC)

Hello Vesselin!

10 Aug 94 14:14, Vesselin Bontchev wrote to All:

 VB> Rubbish. This is a LIE! The "actual Dark Avenger mutation engine" has
 VB> _*NOT*_ "been made safe and benign" at all, BECAUSE IT HAS NOT BEEN
 VB> MODIFIED IN ANY WAY! I have a copy of your viruses and have checked.

What do the two viruses do? I mean, they mutate.. but do they infect
files? 'Destroy' files??

Greetz from holland!

Rinse

- --- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Sun, 04 Sep 94 14:16:01 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: How to remove FORM from PC bootsector? (PC)

Hello Klaus!

10 Aug 94 14:17, Klaus Breuer wrote to All:

 KB> Any ideas? I must admit to having very little experience in
 KB> such things.

Boot on a dos-disk. Use the doscommand Sys c: That should do the trick..
Greetz from holland,

Rinse

- --- FMail 0.96b
 * Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Fri, 09 Sep 94 16:55:01 +0200
From: Jeroen_Thijs@f6.n313.z9.virnet.bad.se (Jeroen Thijs)
Subject: Goldbug Virus (PC)

Hi Mikko!

I think I've become a victim of the Goldbug Virus you mentioned in Virus
Digest volume 7 Issue 73. Since I haven't got Internet Access, I can't
write you an e-mail, but could you give me any help on how to remove it
from my system.

Thanks in Advance,

Jeroen

 * Origin: -=[ Quest For Data BBS +31-40-854657 ]=- (9:313/6)

------------------------------

Date: Thu, 15 Sep 94 09:49:29 -0400
From: prvalko@vela.acs.oakland.edu (prvalko)
Subject: Re: Form virus (PC)

Bryon M. Elliott (bryon@netcom.com) wrote:

: Well, I just recently enjoyed the privilege of wiping the Form virus
: off of my computer. But now that I've stopped that little viral

Hi! Same thing here. Just found it this morning. Not sure where it came
from either! Any of you net.virus.fans know what it does?

paul

------------------------------

Date: Thu, 15 Sep 94 11:36:15 -0400
From: grettir@keflavik.wordperfect.com (Grettir Asmundarson)
Subject: Opinions on Intel LanProtect Antivirus (PC)

Does anyone have any opinions about Intel's LanProtect Antivirus?

There is a push to make LanProtect the anti-virus standard at my place
of work. I'm not familiar with Intel's product. I am familiar with most
other virus protection software packages, and would love to see us go
with Net-Prot and F-Prot Professional, but I need some ammunition before
I start bucking the system.

What virus detection engine does LanProtect use? From the name I gather
that it has a server component, but is there a workstation component as
well? Is it a hog when it comes to server resources? How is its
detection/disinfection rate? Anyone have experience, either negative or
positive, with it?
Thanks in advance,

Grettir

------------------------------

Date: Thu, 15 Sep 94 12:50:22 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.14 is out (PC)

Version 2.14 is now available. It should be available on
OAK.OAKLAND.EDU and its mirrors by the time you read this, but if you do
not have FTP access you can have an uuencoded copy e-mailed to you by
sending e-mail to f-prot@complex.is.

Major changes in this version:

We have added a new scanning "engine", which does not use search strings
like the earlier one. Currently less than 200 viruses are being detected
with the new engine, but all new viruses are added to it. The old engine
still handles the remaining 4300 viruses, but we are converting them
over to the new one and when finished, users of F-PROT can expect a
significant speed increase, as well as a significant reduction in memory
requirements.

The "Quick Scan" option has been removed, as it was not significantly
faster than the regular scan. This also reduced the size of the program
by 20 KB and reduced the memory requirements even more.

We also added detection of around 250 new viruses, bringing the total to
4460 different ones that are recognized.

- -frisk

Fridrik Skulason    Frisk Software International    phone: +354-1-617273
Author of F-PROT    E-mail: frisk@complex.is        fax:   +354-1-617274

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 80]
*****************************************