VIRUS-L Digest   Friday, 28 Oct 1994   Volume 7 : Issue 89

Today's Topics:

Re: How does one become a "respectable" researcher?
Re: How does one become a "respectable" researcher?
Re: Common Virus Sources
Re: Common Virus Sources
Amiga viruses...Ack (Amiga)
Internet worm/ viruses in SCO UNIX (UNIX)
Re: Unix viruses and Internet worm (UNIX)
How do you like F-Prot compared to other antivirus software? (PC)
DOOM II (PC)
central point soft : update? (PC)
Re: F-Prot under windows (PC)
What do Stealth_C and Form_A do ? (PC)
McAfee = Devo (PC)
Monkey B (PC)
Re: Is this virus/trojan? (PC)
Boot sector virus won't die (PC)
Alphastriker?!!? - HELP (PC)
Re: Help needed with PINWORM (PC)
The truth about the CD-ROM (PC)
KOH is not destructive (PC)
MtE virus (PC)
Virus: Leandro and Kelly! GV-MG-BRAZIL
Unknown Virus in Brazil (PC)
Re: How to Remove a swiss virus from the partition table? (PC)
Is this a known virus symptom (PC)
Floppy copy errors? (PC)
HELP - what is this virus? (PC)
Re: Exebug (PC)
HELP restoring boot sector... (PC)
Help...Monkey B (PC)
Help: Remove 437 Boot Virus (PC)
Re: Anti-CMOS Virus Infection - HELP! (PC)
Re: How do boot sector viruses spread from X to X? (PC)
Michelangelo virus (PC)
NYB [Gen B] virus detected. (PC)
Re: NATAS information wanted (PC)
Leandro and Kelly BRASIL virus (PC)
PVT RPLY ONLY --> Re: Boot Sector Reading (PC)
Any info about NATAS? (PC)
Re: _need_ to trigger virus checker (PC)
Re: F-Prot under windows (PC)
Need info: VCL-DIAT virus (PC)
Date stamps changed by 8 months. (PC)
tbav625/tbavx625 - Thunderbyte anti-virus v6.25 (Complete/Optimized) (PC)
scn-212e/vsh-212e/wsc-212e - McAfee VirusScan/VShield V2.1.2 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)

Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 20 Oct 94 11:53:44 -0400
From: user039@edvzbb2.ben-fh.tuwien.ac.at (Gerald Pfeifer)
Subject: Re: How does one become a "respectable" researcher?

frisk@complex.is (Fridrik Skulason) wrote:
>If anybody is interested, I could produce a list of subjects that anybody could
>write a paper on, with a good chance of getting it accepted at one of the
>virus-related conferences....making the author much more likely to be
>accepted by the anti-virus community.

Yes please! (Consider this me being interested.)

Gerald Pfeifer

------------------------------

Date: Thu, 20 Oct 94 15:41:10 -0400
From: ames@bcstec.ca.boeing.com (Wes Ames)
Subject: Re: How does one become a "respectable" researcher?

I have followed this thread with some interest, and I wanted to interject some thoughts that reflect a large corporate bias :-).

One thing that concerns me is the desire for many casual users to become "Virus Researchers". Ours is a company with many very capable computer users and programmers, so the community is quite computer familiar. Some express a desire to learn about computer viruses that is valuable to the company, in that they help others and their organizations in avoiding (or greatly reducing) the virus exposure.
To encourage this I teach a Virus class that discusses the basics of virus technology, and the specifics of company policy and our anti-virus software. The objective is to channel casual interest in a productive direction.

We use a pre-configured version of a major anti-virus package that we site license. The configuration control is necessary for support (it reduces the variation and we can minimize the problems we have previously seen from problem configurations), as well as giving us a standard anti-virus environment, should we encounter a previously unseen virus.

I am responsible for our anti-virus policies and procedures as well as technical support of our technicians who handle end user problems. I receive requests for viruses for test purposes, and that was undesirable for many of the reasons mentioned earlier in this thread. Instead, I built a very specific test disk that will generate 2 false positives, and offered training for technicians. Those who have a sincere interest in working the project are invited to participate in the team activities and meetings where we work out the details for our multi-company implementation.

In Frisk's last memo he wrote:

"Having a large virus collection is neither sufficient nor required to be considered a virus researcher"

I hope this suggestion is well received by the academic community. All the indications I see in a large corporate environment require our virus team to be aware of business computing requirements, have a central tech support staff that can accurately assess the threat from the actual "wild" viruses, and quickly understand the threat from new viruses. This is necessary to effectively apply corporate resources to control the problem with minimum impact to users and budget. We accomplish the above with many different tools and skills, and collecting viruses is only a very small part of the effort.
Wes Ames
Boeing Anti-Virus Program Manager
ames@bcstec.ca.boeing.com

------------------------------

Date: Fri, 21 Oct 94 15:09:15 -0400
From: kief@utk.edu (Kief Morris)
Subject: Re: Common Virus Sources

drmaier@wam.umd.edu (Louis Maier) says:
>I'm trying to find out what the most common sources of
>infection are for typical PC based users/organizations (i.e.
>BBS's, shrink-wrapped products, internet, network
>technicians updating/diagnosing machine with infected
>disks,etc.)

I ran a BBS for two years and never once ran into an infected file. I've worked in microcomputer support for a University for two months and have had dozens of cases of users with infected floppies. Two viruses in particular are being spread through PC's shared in computer labs on campus, and users swapping disks. Once they start floating around the campus it appears they'll never be gone for good.

My experience with virii is limited, but so far every virus I've come across spreads by floppies - boot sector viruses. These are hard to spread online. Executable file viruses don't seem as common to me.

Kief

------------------------------

Date: Sat, 22 Oct 94 15:18:25 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Common Virus Sources

Louis Maier wrote:
>I'm trying to find out what the most common sources of
>infection are for typical PC based users/organizations (i.e.
>BBS's, shrink-wrapped products, internet, network
>technicians updating/diagnosing machine with infected
>disks,etc.)

I would probably say that it comes from people simply not having enough knowledge of anti-virus products, or using them improperly while exchanging software from work/home/friends. Most prolific infections are boot sector/master boot record infectors (or multipartite ones.)

>In particular, people in the organization I work for
>want to know how "safe" internet is. If anyone knows
>how safe internet is vs.
>shrink wrapped sources,
>this would be especially helpful since shrink wrapped
>sources are the most common here. However, even
>information as vague as "Internet has had many/few virus
>carrying PC executables this year" would be helpful.

Well, I would have to say that I have heard of many more viruses leaking out in commercial shrink wrapped products than I have over the internet. However, I would also say that the infections I have heard of over the Internet have created quite a bit more of a ruckus than the shrink wrapped ones. Quick example there would be KAOS4 from just a few months ago.

There are also service providers who don't particularly care what people make available. I have only seen it on netcom, but I wouldn't be surprised if others took the same stand. Netcom has made it clear that they don't care if their users want to make viruses and the like available for anonymous ftp to the rest of the world.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *
* * * T H I E V E S   S U C K * * *

------------------------------

Date: Sun, 23 Oct 94 23:30:34 -0400
From: ar314@freenet.carleton.ca (Eric Benoit)
Subject: Amiga viruses...Ack (Amiga)

Yeesh, I've had my amiga for about 5 months...and when I first got it, my WB EXTRA's disk was infected by the SCA (AKA Amiga Virus) virus..goes something like this when you reboot:

Blah Blah (I forget)
Your Amiga...Is Alive

That was it... Ok, I've also had the CCCP virus didn't do a THING! The ByteBandit too, didn't do a thing... On my 486sx-25..Heck, I've had 0 viruses, 1 ANSI Bomb! Yeesh! BTW IBM AnsiBombs DO work on Amiga's too, but since Amiga's use DELETE and not DEL, doesn't usually do anything :)

Anyone ever hear of the BYAFA virus?

Cya

- --
: Little Willy feeling bright,        ar314@freenet.carleton.ca
: Bought a stick of dynamite.
: Curiosity seldom pays,              eric.benoit@f539.n163.z1.fidonet.org
: It rained Willy for seven days!     ebenoit@ocean.pinetree.org
RO=Read Only  R/W=Read and Write

------------------------------

Date: Thu, 20 Oct 94 17:07:24 +0100
From: Mohammed Ali
Subject: Internet worm/ viruses in SCO UNIX (UNIX)

dear sir/madam

I would like to have any information on Internet Worm, is it a UNIX virus......how does it work?.......etc.

Are there any viruses under SCO UNIX, and how many?

regards

------------------------------

Date: Sat, 22 Oct 94 15:23:17 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Unix viruses and Internet worm (UNIX)

Mohammed Ali wrote:
>dear reader, i am a newcomer in unix world and internet, i will be grateful
>if you could provide for me any general information about viruses in UNIX.
>What is internet worm? are there FAQ?

Yes, there is a FAQ which is available for anonymous ftp from cs.ucr.edu, /pub/virus-l/FAQ.virus-l

The FAQ is currently in the process of being re-written.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *
* * * T H I E V E S   S U C K * * *

------------------------------

Date: Thu, 20 Oct 94 08:27:03 -0400
From: Phil_Lewis@mindlink.bc.ca (Phil Lewis)
Subject: How do you like F-Prot compared to other antivirus software? (PC)

I'd appreciate people's opinions about F-Prot compared to other anti-virus software. I have a friend who swears by it. What do you think? I've used Norton Anti-virus with monthly updates. F-Prot, too, has regular updates.
- --
==============================================================================
Phil Lewis     Abbotsford, British Columbia, Canada     Phil_Lewis@Mindlink.bc.ca
==============================================================================

------------------------------

Date: Thu, 20 Oct 94 10:57:41 -0400
From: Bert.Martin@UAlberta.CA (Bert Martin)
Subject: DOOM II (PC)

I have a 486 with 46 corrupt files, mostly WINDOWS files. Many more must be corrupt as the system hangs on most DOS commands. F-PROT 2.14 detected nothing (except the corrupt files) from a clean boot. VIRUSCAN 9.24 v116 found nothing. CPAV hung on a file with sector not found. DOOM II was found on this machine. Could this be just a coincidence? Has anyone found an actual virus directly related to DOOM II or if DOOM II is the culprit, is it simply a BAD program?

Please respond to me directly or this forum. Flames welcome, just include some FACTS to help me out. ;)

Thank You for all responses.

====================================================
Bert Martin                  # BOOT HUMOR:           #
University of Alberta        #   keyboard error      #
(403)-492-5356               #   Press F1 to RESUME  #
Plow the Powder!
=====================================================

------------------------------

Date: Thu, 20 Oct 94 12:48:02 -0400
From: jmh@info.polymtl.ca (Jean-Marc Heneman)
Subject: central point soft : update? (PC)

Sorry, I suppose it's a faq! I'm new in dealing with viruses: I have central point software for windows v1.5 on my machine. I have some reason to suspect that I have viruses on my machine: change of size of files. Where can I get a list of new viruses? I suppose I can have a free update for this list and better: I suppose I can ftp it from a [safe] anonymous ftp?
- --
jmh
jean-marc heneman = jmh@info.polymtl.ca
I prefer ASCII mail for now, but you can send me NextMail for attachment

------------------------------

Date: Thu, 20 Oct 94 14:30:00 -0400
From: fw100@fim.uni-erlangen.de (Christof Tebbe)
Subject: Re: F-Prot under windows (PC)

In a previous article, jrice@pluto.pomona.claremont.edu (Jeffrey Rice) says:
> Can anyone tell me what Virstop's virus-detection message looks like
>under Windows? I haven't been running Windows much, and the only times
>Virstop has caught viruses I've been in DOS. Any info would be appreciated.

I have installed Virstop with the /boot /copy /warm /freeze options. Some weeks ago, I tried to access a floppy from within the Windows Filemanager, which was infected by a boot sector virus called B1, as I found out later. I got no message or something on the screen, but there were two or three short beeps at a somehow low frequency, the mouse cursor turned to red color (I have never seen a red mouse cursor before) and the computer stopped doing anything, probably due to the freeze option.

I think, too, that Frisk should improve the documentation on this item.

Ciao, Christof

- --
- -----------------------------------------------------------------
rz94-004@wsrz1.wiso.uni-erlangen.de        Christof Tebbe, Germany
- -----------------------------------------------------------------

------------------------------

Date: Thu, 20 Oct 94 14:52:53 -0400
From: scary@ix.netcom.com (Steve Cary)
Subject: What do Stealth_C and Form_A do ? (PC)

I have run into several PC's with Stealth_C and Form_A viruses (usually together) lately, and am having a hard time eradicating them. If not eradicated, what do they do? Is there a reference anywhere about this subject?

Thanks.

Steve Cary

- --
Steve Cary   scary@ix.netcom.com

------------------------------

Date: Thu, 20 Oct 94 16:56:08 -0400
From: santra@netcom.com (Sandy Santra)
Subject: McAfee = Devo (PC)

I think McAfee is going backwards, as in "deevolution."
I have a very recent version of their virus-checking software, v. 2.1.1, and it will only clean certain versions of Michelangelo. That's alright by me, but what's strange is that an *older* version of their software--to wit, 9.27--*will* clean these same strains of Michelangelo. That's right: the OLD version works better than the NEW.

Today I finally got someone at technical support to admit the glitch and discuss the issue. He said he wasn't happy with the design department at McAfee, and could lose his job talking about this, but felt it important that I know what was going on.

Apparently some very lethal (and terrifying) viruses have been developed in the last few years. McAfee has concentrated on creating software to combat these viruses. The software takes up so much space that they decided to pull out some of the cleaning sections of the program (the ones which worked on certain strains of "less significant" viruses like Michelangelo). Hence, their latest software will NOT clean all Michelangelo strains, although some of the OLDER versions of clean.exe WILL.

I guess they don't consider Michelangelo very important, since it only does damage on one day of the year. But it does some serious damage if it gets activated on that day: it wipes the hard drive!

McAfee, it seems to me, is going downhill. I think the software doesn't have as much integrity as it used to. I cannot in good conscience recommend that my company renew its license next year.

- --
"In an upstairs room, a modem made a connection."  --Lincoln Spector
__________________|_____________________________|__________________________
sandy santra      santra@netcom.com             el cerrito, california

------------------------------

Date: Thu, 20 Oct 94 19:18:19 -0400
From: computergy@aol.com (Computergy)
Subject: Monkey B (PC)

I recently had a client get the Monkey B. I would like to know what kind of damage this virus can do? We had a bunch of zero length files that appeared at the same time as the virus.
Is this a Monkey B attribute?

Thank you in Advance

Greg (computergy @ aol.com)

------------------------------

From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Re: Is this virus/trojan? (PC)

It is likely that you are infected by a stealth virus whose signature is still unknown to the anti-virus software. Boot from a clean system diskette and check the file size of some programs in the harddisk. In most cases, you should be able to see that the file sizes are different from booting from diskette and hard disk. This is stealth.

Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Thu, 20 Oct 94 22:13:50 -0400
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Boot sector virus won't die (PC)

I believe your problem could be that you did not boot up from a clean disk. The correct procedure is to boot from a clean system disk with the same DOS version (write-protect your diskette). Then type

A> SYS C:

Of course you need the SYS.EXE in your diskette and this is for boot viruses infecting the boot record of hard disks and not the partition record.

May I suggest that once your system is free from virus, you should try out FRONTLINE. FRONTLINE when installed into the hard disk will give your hard disk the first line of defence against boot viruses - past, present and future. If you need more information, please email me.

Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Fri, 21 Oct 94 10:52:31 -0400
From: mt0001%albnyvms.BITNET@uacsc2.albany.edu
Subject: Alphastriker?!!? - HELP (PC)

Hi - I recently ran the latest version of F-prot and it detected Alphastriker. I then chose the "automatic disinfect" option, and the program did its thing. The hard drive is now virus-free, but there are problems! Windows won't start, and emm386 is reporting some sort of error, and then halting the system.
I know that many key files were infected (command.com, win.com, etc.); could they be permanently damaged? Where do I start with repairing my system?! Any help is really appreciated !! (on the virus, or what to do now)

Thanks a lot - pls. post response OR email me.

take care
M.

------------------------------

Date: Fri, 21 Oct 94 12:19:30 -0400
From: m.brown@imperial.ac.uk (Mr M.J. Brown)
Subject: Re: Help needed with PINWORM (PC)

Zvi Netiv writes:
> -=> Quoting Jay Fuller to All <=-
>
> JF> I've had a caller report to me on my system he is infected with
> JF> pinworm ,and he is really anxious to get a clean for it. is there a
> JF> clean out anywhere which will totally get rid of Pinworm?

[cut for brevity]

> Pinworm is in the wild for already 6 to 8 months and although samples
> were sent to most leading AV developers, there is not one signature
> scanner that I know of at this moment that detects it in files.

Sweep from Sophos definitely does detect it -- I know, because I added it. It's been there for at least three months.

> A few instruction to get it right at the first shot: As Pinworm is
> heavily encrypted and polymorphic

Rubbish. Pinworm is pretty pathetic as polymorphic viruses go -- it exhibits little variation in the code it generates, and it's very easy to detect.

- -Matt

------------------------------

Date: Fri, 21 Oct 94 13:16:20 -0400
From: "AMERICAN EAGLE PUBLICATION INC." <0005847161@mcimail.com>
Subject: The truth about the CD-ROM (PC)

Iolo Davidson writes:
>dnikuya@netcom.com "dave nikuya" writes:
>> For example, Vesselin's statement regarding Ludwig's CD-ROM:
>> "most respectable anti-virus researchers refuse to even take a
>> look at it." Well, I bought it, and I also subscribe to his
>> newsletter. Yes! I admit it!
>
>This would put you in a somewhat questionable ethical position
>if you were an anti-virus software producer, with major
>corporations amongst your clients.
QUITE a number of A-V researchers who regularly voice their opinions in Virus-L and who are considered the very best in the field have bought our CD-ROM of viruses. Yes, some even trusted us enough to send their credit card numbers. IF I were to name them, some people reading this column would be shocked. However, I will not. Our company policy forbids the release of customers' names.

Of course they have no qualms about buying a CD to improve their product. They would be fools to try to ignore such a fine collection of viruses, which will save them so much time and effort. In fact, I'd say that an anti-virus company that's so backward that they'd actually wait for their clients to be hit and send them a copy of a virus before they included it in their protection scheme really deserves to go out of business. Being pro-active is not a moral disgrace. Not for Dave Nikuya, not for any other a-v developer.

>Most such responsible people consider it wrong to help create a
>market in viruses or contribute to any financial or other incentive
>for their writing and distribution.

If I were a customer, I'd demand my A-V pay attention. However you can probably leave that to several magazine publishers who've bought the CD for testing when they review products.

If you, by censorship, make the CD into something that only virus writers or lawbreakers can get, then it will probably encourage virus writing, yes. If you would work with me to get it into the hands of people who legitimately need it, I suspect it would help to solve problems instead of creating them. Just like a gun. Give it to good cops or good citizens and it helps. Give it to bad cops, or to criminals, and it hurts.

Let's stop the rhetoric about creating incentive to write viruses, though. I mean, let's face it: Writing a good anti-virus program, or achieving commercial success with your anti-virus program is an incentive to write viruses. This is a well-known fact.
For example Thunderbyte is often a target of virus writers. Why? Well, it's a half-way decent product. Likewise, McAfee's SCAN and Central Point's CPAV are often targets because they are successful. So why don't A-V developers write lousy products and shun commercial success? Next time PC Mag offers you Editor's Choice, threaten to sue! Why not?

The answer is, of course, simple: The A-V people really believe that by creating good products they're helping to solve the virus problem--and they are. If they are targets of virus writers, it's not really their fault.

Now, I really believe that an open exchange of information contributes to the solution of the problem, so I am trying to make that information freely available. A-V's will argue themselves blue about that, but in the end, it's all wind. I am seeing plenty of positive results, and I believe I will continue to. If my work is attacked, perverted or misused, though, it's really hard for me to see it as being somehow my fault, any more than it is Thunderbyte's fault that it will trash the computer when you try to disinfect a Jackal infection.

- ----------------------------------------------------------------------------
Mark Ludwig (602)888-4957   American Eagle Publications, Inc.   ameagle@mcimail.com
P.O. Box 41401 Tucson, AZ 85717
- ----------------------------------------------------------------------------

------------------------------

Date: Fri, 21 Oct 94 13:17:11 -0400
From: "AMERICAN EAGLE PUBLICATION INC." <0005847161@mcimail.com>
Subject: KOH is not destructive (PC)

Ian Douglas responds to a question about KOH:
>> one does have to invite KOH to install itself. to get it to set itself up
>> on your hard drive, you have to first install it on a floppy disk and then
>> boot using that floppy. it then asks you if you want it to install. its
>> pretty hard to do this by accident.
>
>I said No. It installed anyway. Then it trashed a floppy without asking
>permission. Not nice..

Ian, what you had must not be KOH.
Obviously we cannot control what is not shipped out of our office, and whatever you got, it didn't come from us. If you think it was a virgin copy of KOH, perhaps you could describe how the following code will install if you say "No"?

    INFECT_HARD:
            call    CLEAR_SCREEN            ;clear video display
            mov     si,OFFSET HARD_ASK      ;ask if we should infect HD
            call    ASK                     ;Z flag set only if user typed Y
            jz      IH00                    ;ok to migrate
            jmp     IHDR                    ;exit migration routine
    IH00:
            (Migrate to hard disk here)
            .
            .
            .

    ;***************************************************************************
    ;Ask the question in DS:SI and return Z if answer is Y, else return NZ.
    ASK:    push    ax                      ;preserve registers
            call    DISP_STRING             ;display string at ds:si
    ASKGET: mov     ah,0                    ;get a response
            int     16H                     ;BIOS keyboard: wait for key, AL=ASCII
            and     al,0DFH                 ;make upper case
            push    ax                      ;keep the keystroke while echoing it
            mov     ah,0EH
            int     10H                     ;display response (BIOS teletype output)
            mov     ax,0E0DH
            int     10H                     ;and cr/lf
            mov     ax,0E0AH
            int     10H
            pop     ax                      ;restore the keystroke
            cmp     al,'Y'                  ;set flag
            pop     ax                      ;restore caller's ax; flags survive
    ASKR:   ret

This is what KOH uses to ask. And you can buy the source to check it out if you don't believe me. (By the way, the latest version is 1.02.)

If anyone really does have a problem with KOH, please call, write, or e-mail and we'll get the problem resolved. Posting a problem to a public forum without ever trying to get it resolved with the vendor is malicious. Secondly, please don't spread lies and disinformation unless you're prepared to have the same done to you.

The bottom line is this: KOH is a SUPPORTED freeware product. If you have any problems installing it, etc., you can call our office 8-5 Arizona time, and we'll get to the bottom of it. Read the manual and follow the instructions and you shouldn't have any trouble. If you do, we are eager to resolve the problem just like any other software vendor (uh, I guess that's not saying much: MORE than most software vendors).

- ----------------------------------------------------------------------------
Mark Ludwig (602)888-4957   American Eagle Publications, Inc.   ameagle@mcimail.com   P.O.
Box 41401 Tucson, AZ 85717
- ----------------------------------------------------------------------------

------------------------------

Date: Fri, 21 Oct 94 13:38:06 -0400
From: charlesb@bedford.progress.COM (Charley Boudreau)
Subject: MtE virus (PC)

Can anyone give me any info on the MtE virus. I was infected with it yesterday. InocuLAN cleaned it up nicely, but I'd like to know what damage it was trying to do and any technical info on it.

------------------------------

Date: Fri, 21 Oct 94 13:43:38 -0400
From: kahall@halcyon.com (Kevin Hall)
Subject: Virus: Leandro and Kelly! GV-MG-BRAZIL <--Detect/Kill???? (PC)

We have refound a virus that we are trying to get rid of. The virus appears to remain dormant until some date and then upon bootup displays:

Leandro and Kelly! GV-MG-BRAZIL
You have this virus since 11-08-94

The date changes. So far I have not found a virus detect program that detects or cleans this virus. I am pretty sure it lives in the master boot block.

Detection means currently employed: Place a blank write protected floppy in drive, chkdsk the floppy and note the values displayed. Unwrite protect the floppy and re-chkdsk the floppy. If infected, 1024 bytes of bad sectors will show up.

The only methods I have found to remove the virus is to clean boot off a floppy and use fdisk /mbr to re-write the master boot block.

Any thoughts please let me know.

Kevin Hall

------------------------------

Date: Fri, 21 Oct 94 14:15:14 -0400
From: jawiendl@ciagri.usp.br (Jorge A. Wiendl)
Subject: Unknown Virus in Brazil (PC)

I need help about a new virus that I found here in Brazil. It only displays: Leandro e Kelly NC Brasil, the computer stops. Does anybody know anything about it? I think it is a partition table virus, but I can't destroy it with scan/clean.

Thanks.

------------------------------

Date: Fri, 21 Oct 94 14:24:29 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: How to Remove a swiss virus from the partition table?
(PC)

Kevin Marcus (datadec@corsa.ucr.edu) wrote:
> Do you know the exact name of the virus? The only "Swiss.xxxx" viruses
> I have seen were very small, I seem to remember a Swiss.143. For sure,
> this was not a boot sector infector.

If memory serves, Scan will report ExeBug as Swiss Boot... Can be fixed by moving 0,0,17 to 0,0,1, after a clean boot of course. Check CMOS first..

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas                    InterNet: iandoug@cybernet.za
P.O. Box 484                   FidoNet:  5:7102/119
7532 Sanlamhof                 TopNet:   225:2048/1
South Africa                   PGP key available.
"Lead, Follow, or get out of the way."  (Ted Turner, CNN)
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 21 Oct 94 15:07:27 -0400
From: B.lang@inria.fr (Bernard Lang)
Subject: Is this a known virus symptom (PC)

Is this a symptom of viral attack... any other suggestion? (or simply a buggy benchmark program).

My PC (386) had 3 partitions: C D E (+ other for Linux and OS/2)
  C primary partition on master disk
  D, E logical partitions on ANOTHER slave DISK

I was working in partition E, and from DOS-shell I run the PC-Magazine Labs Benchmark release 6.0 to test memory and measure disk access-time. Then I quit the bench program, back to DOS-shell. Then with shift-F9 I went back to the DOS prompt. I typed win to run windows and it displayed the windows logo then said that the file for kernel 386 was not found. I retried, typing win, and this time it just said that the command does not exist.

Then I looked for what was wrong:

Partition C: all directories have disappeared, except \TEMP and \DOS. File C:\AUTOEXEC.BAT has been moved to root in partition D:\ (and also AUTOEXEC.BAK). Other files have disappeared from C:\ (mostly AUTOEXEC.*), but some stayed (including C:\CONFIG.SYS). Files UNDELETE.* and UNFORMAT.* appeared in C:\ and E:\, where they were not before.
Partition D: apparently OK

Partition E: all subdirectories destroyed, and new files have appeared at root level.

Help will be greatly appreciated. Please e-mail too if possible, since I will be without news access for a few days.

Thank you.

- --
Bernard Lang                        Voice +33 (1) 3963 5644
B.Lang@inria.fr                     Fax   +33 (1) 3963 5330

------------------------------

Date: Fri, 21 Oct 94 16:51:48 -0400
From: jmiller@elvis.umd.umich.edu (john miller)
Subject: Floppy copy errors? (PC)

I have a recurring problem in which errors appear when I copy files to a floppy disk. I can temporarily cure the problem by booting from a floppy and using sys to install the boot files but the problem invariably returns after a few hours or days. Scanning the hard drive with scan.exe does not identify any problems. Also, the problem has not propagated to other machines that I use. Does anyone have any ideas as to what might be causing the problem? I suspect that there is a trojan present but know of no easy way to identify the offending program.

Thanks in advance for any help

John Miller

------------------------------

Date: Fri, 21 Oct 94 20:26:19 -0400
From: rwalters@bu.edu (Ronald Walters)
Subject: HELP - what is this virus? (PC)

First, here are the symptoms:

1). On boot-up, my mouse driver will not load up - even though it has worked hundreds of times before. This appears to be random. However, most of the time I get a message saying, "Driver not found". When it does load, I get a "jumping" mouse effect. The pointer will disappear and reappear when I move it.

2). When I enter text, a random sequence of events will take place. Either,
    a). The letter appears on the screen with no trouble.
    or b). The PC speaker emits a "beep" and no letter appears
    or c). "beep" The previous letter typed will be erased.
    or d). "beep" Multiple instances of the letter will appear.
    or e). "beep" Shift lock is activated.

3). As far as I can tell, nothing else is affected.
I have run vsafe, mwav, and msav with no result (granted these are limited, but they're all I have at present). I have even selectively reinstalled programs which may have been affected (DOS and Windows, for example).

So, my questions are:
1. Is this a virus? If not, what the heck is going on?
2. Where can I get a good virus detector/cleaner? (ftp preferred)
3. If this is a virus, how do I get rid of it? And what program will do it?

PLEASE, respond by e-mail.

Thanks in advance,
- --
R WALTERS
RWALTERS@ACS.BU.EDU

------------------------------

Date: Fri, 21 Oct 94 22:54:34 -0400
From: Zeppelin@ix.netcom.com (Mr. G)
Subject: Re: Exebug (PC)

mshmis@world.std.com (MSH MIS) writes:
>I have recently found Exebug on a number of computers and it seems
>difficult to eliminate.
>
>Yesterday I booted from a clean write protected boot diskette which
>contains McAfee's latest anti-virus software. The message on the screen
>said that traces of Exebug were found in memory.
>
>How could this be?
>
>Please e-mail me at GFrick@msh.org if you have any experience with Exebug
>or solutions to my Exebug problems.

Call Sharalee Buzzell at Norton AntiVirus Research, Santa Monica. She will send you a disk to remove the Exebug. Otherwise try the newest Norton AV software. I can tell you this: this is the only virus I would trust Norton with.

-Zep-

------------------------------

Date: Sat, 22 Oct 94 01:49:20 -0400
From: bo@leland.Stanford.EDU (Bo Peng)
Subject: HELP restoring boot sector... (PC)

Hi all,

Maybe this is not exactly the right group, but I suspect the incident was caused by a virus and, hopefully, some anti-virus experts would be able to help me out.

A PC in my work unit failed. It rebooted itself in the middle of operation -- no message, no apparent cause, just a click. Then it got stuck when booting, saying "cannot find boot sector on hard disk." I went in from floppy and found that even the partition table was wiped clean.
So I used fdisk to recreate the primary partition as before, and tried to look at the disk contents using ProView (McAfee). The "master boot sector" looked fine, but no "boot sector" -- I didn't want to reformat the disk, risking the chance to salvage files back. All the FATs are still there. ProView was able to search through the entire disk.

So, it looks more like a virus attack than a physical crash. And all it takes for returning the disk to its original condition seems to be somehow restoring the boot sector to its original state. Then I could scan for traces of virus or physical damage. Could someone please tell me if there's any way to accomplish that?

Unfortunately, the lady using the machine doesn't have any backups nor "emergency rescue disk" type stuff. She's left out cold. Any help would be very much appreciated.

Please note that this is not my "normal" account. Please direct your reply to bo@saavik.cem.msu.edu.

Bo

------------------------------

Date: Sat, 22 Oct 94 03:43:10 -0400
From: computergy@aol.com (Computergy)
Subject: Help...Monkey B (PC)

I am looking for a description of the Monkey B. I would like to know what kind of damage it can do and how fast it spreads.

Thank you in advance
Greg (computergy @ aol.com)

------------------------------

Date: Sat, 22 Oct 94 06:44:17 -0400
From: ryoungdj@cc.curtin.edu.au
Subject: Help: Remove 437 Boot Virus (PC)

Help...

One of our PCs has gone down with a boot virus that McAfee Scan 2.0.0 detects as the 437 virus. Using the clean boot option did not work. We have also tried FDISK /MBR without any success. The last time we suffered this problem I had to trash the whole disk and rebuild it.

Is there a solution?? Please EMAIL if you have a solution.

Thanks in advance.
- --------------------------------------------------------------------------
Steve Young                                    ryoungdj@cc.curtin.edu.au
- --------------------------------------------------------------------------

------------------------------

Date: Sat, 22 Oct 94 14:08:09 -0400
From: paul@fuzzy.dialup.access.net (Paul)
Subject: Re: Anti-CMOS Virus Infection - HELP! (PC)

Simon Cheung (Simon_Cheung@kcbbs.gen.nz) wrote:
: Using the latest version of scan V.2.1.1., one of my computers was found
: to be infected with the "Anti CMOS" virus. Previously, version 117 of
: scan identified the problem as a generic MBR virus.
:
: As a remover was not as yet available with V.2.1.1. of scan, does anyone
: know of what solutions I have, as I'd like to regain the use of the
: computer.

I have the same problem so would really appreciate any information. Even reformatted the hard drive from "clean" floppy disks, and when the PC is booted from the hard drive - the virus is still there!

HELP Please!

Paul

------------------------------

Date: Sat, 22 Oct 94 15:30:43 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: How do boot sector viruses spread from X to X? (PC)

Brian D Stark wrote:
> I've often been interested in how a virus from an infected boot
>sector of a disk, transfers to a harddrive. A long lasting rumor is that
>just by typing 'dir', the virus will be transferred. I have played with
>several boot sector viruses and they have never transferred using this
>method. (This message is not intended to start a flame war over the
>'dir' command) I can only take guesses at what happens. My best guess is
>that when you copy a file from the disk to the harddrive, the virus
>hooks onto this process and loads into the computer's memory. From
>there it is eventually copied to the boot sector of the harddrive.
>
> Can someone please fill me in on how boot sector viruses are
>transferred? Please be as technical as you want to be.
I'm going to skip the issue of multipartite infectors, which are sometimes similar to this, as well as skipping the issue of droppers and trojan horses.

Okay. Let's say that I have floppy disk drive A:, floppy drive B:, and hard disk C:. Let's further say that the entire system is clean. Now, let's say that I have an infected disk that I place into drive A:. When I boot the system up, the floppy disk boot sector (on most BIOSes; newer BIOSes allow individuals to boot from drive C: instead of A:) is loaded -- the infected one. The virus goes resident.

Occasionally, the virus immediately attempts to infect the first physical hard drive. Nonetheless, the virus could also hook any merry vectors (usually int 13) and check for disk reads/writes. On a disk read/write, the virus can check to see if the volume being accessed is infected, and infect it if it wasn't. In this manner, a dir could spread an infection.

If the virus had not been in memory, then "dir" of an infected disk would *NOT* activate the virus at all. The boot sector is accessed only for the BPB on the floppy, which tells the computer about the geometry of the disk. This is used as data, not executable code, and is why some virus scanners might report that a virus is in memory after accessing an infected disk.
- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *
* * * T H I E V E S   S U C K * * *

------------------------------

Date: Sat, 22 Oct 94 19:21:45 -0400
From: MoonLady@ix.netcom.com (Diana St Martin)
Subject: Micheal Angelo virus (PC)

Does anyone remember what the Michael Angelo virus did and what its trigger was? I just got infected by it and would appreciate the information.

Many Thanks!
Diana

------------------------------

Date: Sat, 22 Oct 94 23:49:39 -0400
From: dstaley@dorsai.dorsai.org (Dennis Staley)
Subject: NYB [Gen B] virus detected.
(PC)

Another division of my organization contacted me to say they thought they had a virus on about 25 stand-alone PCs. I furnished them with McAfee Scan v.117 and it detected the NYB [Gen B] virus resident in memory. I understand that the clean-up program is supposed to repair this, but they are asking what data they will lose in the process. According to documents supplied by McAfee, the virus installs itself in memory and infects floppy and fixed disk boot sectors. Are there other things we should take into account?

Any help would be appreciated.

Dennis Staley
Network Administrator
Legal Aid Society, CDD
dstaley@dorsai.dorsai.org
- --
- ---------------------------------------------------------------------------
Dennis J. Staley              | dstaley@dorsai.dorsai.org
Network Administrator         | 72430.2107@compuserve.com
Legal Aid Society of New York | ff679@cleveland.freenet.edu

------------------------------

Date: Sat, 22 Oct 94 23:49:36 -0400
From: "Nuke."
Subject: Re: NATAS information wanted (PC)

I don't know that it's dangerous, but it's Satan spelled backwards. That doesn't SOUND like a safe virus...

------------------------------

Date: Sun, 23 Oct 94 13:34:06 -0400
From: dtschile@huelen.reuna.cl (Bernardo Rosenzweig)
Subject: Leandro and Kelly BRASIL virus (PC)

I found a new virus called BRASIL, with a message at startup "Leandro and Kelly". If somebody knows something about this strange virus please let me know. Until now I did not find ANY antivirus for it, neither scan 117, f-prot 1.13, vprotect (INTEL), nor Dr. Solomon. Please, I need urgently an immunization!!!!!!

Thanks a lot.

Best Regards
Bernardo Rosenzweig A.
Electrical Engineer
Chile, South America
E-Mail : dtschile@huelen.reuna.cl

------------------------------

Date: Sun, 23 Oct 94 23:14:58 -0400
From: ar314@freenet.carleton.ca (Eric Benoit)
Subject: PVT RPLY ONLY --> Re: Boot Sector Reading (PC)

If anyone can mail me a UUENCODED utility to give me a hex dump of the FAT table or boot sector... That'd be great!

Thanks!
- --
: Little Willy feeling bright,      ar314@freenet.carleton.ca
: Bought a stick of dynamite.       eric.benoit@f539.n163.z1.fidonet.org
: Curiosity seldom pays,            ebenoit@ocean.pinetree.org
: It rained Willy for seven days!   RO=Read Only  R/W=Read and Write

------------------------------

Date: Mon, 24 Oct 94 08:31:15 -0400
From: mmeijer@cc.ruu.nl (Maarten Meijer)
Subject: Any info about NATAS? (PC)

Could anyone please give us information about the Natas virus? Recently we discovered several computers being infected with this virus. McAfee v117 and 2.1.0 could not detect it, but F-Prot 2.13(+) did, and could even remove it. The newest McAfee (2.1.1) works too.

Anyway, it's a highly infectious virus: once loaded in memory, it infects floppy boot sectors (putting virus code at the end of the disk and decreasing the disk's size), the hard disk MBR (putting the virus code between the MBR and the first partition), and .COM and .EXE programs when executed (appending polymorphic virus code at the end of the file).

Can anyone tell us if Natas does something else besides reproducing itself?

Any answers greatly appreciated!
- --
Maarten Meijer (mmeijer@cc.ruu.nl)
ACCU -- Academic Computing Centre Utrecht University -- Budapestlaan 8, P.O.Box 80011, 3508 TA Utrecht, Netherlands.
phone (31)30531660 / fax (31)30531633

------------------------------

Date: Mon, 24 Oct 94 09:57:25 -0400
From: elyja@kocrsv01.delcoelect.com (Jeff Ely)
Subject: Re: _need_ to trigger virus checker (PC)

Iolo Davidson says:
>
> elyja@kocrsv01.delcoelect.com "Jeff Ely" writes:
>
>> So that's my case for needing a trigger for anti-virus products -
>> and as I said, the ideal place for that to come from would be the
>> writer of the anti-virus package. But if they don't provide it,
>> that kind of leaves me in the cold. So - is there any help for
>> me? If not, I'd at least hope that some anti-virus product
>> makers would recognize this need (I understand that some of them
>> do provide something like this).
>
>Yes. Dr. Solomon's comes with information about how to make
>"installation test" materials in both file and disk form. These
>will cause the scanner and resident scanner to issue a report of
>a "test" being found, thereby allowing you to test reporting
>facilities.
>
>The test materials are not actually provided on disk, because
>they can cause confusion when people are not expecting them.
>Since you must make them yourself (with an editor) you only get
>the "test" report when you are expecting it.

And that's fine. I have no problem "building" the test per instructions. Hats off to Dr. Solomon.

>I believe FProt has a similar facility.

To the best of my knowledge, it does not. It does have a program called f-test.com that reports that virstop is installed and active. But that is not really adequate for my needs. It doesn't show me that an alert can be communicated properly through to Windows (like if I blew running NOVCAST). And it doesn't help me see that I've set the right switches so that it does what I want. I want to see that I really did re-hook and virstop is watching network transfers. I want to see that it really is properly configured to check a floppy's boot sector.
I want to see the alert message - what it looks like and what the standard message says (these items are not necessarily covered in manuals!) And I also want something that will trigger a non-resident scan that I may run in my autoexec.

J. Ely

------------------------------

Date: Mon, 24 Oct 94 10:18:21 -0400
From: elyja@kocrsv01.delcoelect.com (Jeff Ely)
Subject: Re: F-Prot under windows (PC)

Jeffrey Rice says:
>
> Can anyone tell me what Virstop's virus-detection message looks like
>under Windows? I haven't been running Windows much, and the only times
>Virstop has caught viruses I've been in DOS. Any info would be appreciated.
>

It (I'm using F-PROT Professional) comes up with a dialogue box, title "virstop", two bug icons, "ALERT!", then some text like "Your floppy disk contains a boot sector virus! Please run F-PROT Professional to disinfect it." And it has an OK button. That's assuming you've correctly run Novcast, etc.

Do you also wish you had a way to trigger an alert intentionally?

Jeff Ely

------------------------------

Date: Mon, 24 Oct 94 12:33:04 -0400
From: bsvend@aol.com (BSvend)
Subject: Need info: VCL-DIAT virus (PC)

Recently received a copy of McAfee Scan for Windows 2.1.1 evaluation copy. Scan detected VCL-DIAT on my computer. Also ran McAfee Scan for DOS 115 and 2.1.0 evaluation copy and Microsoft Anti-Virus. None of these reported a virus. I deleted the files that were reported infected and have experienced no problems. I would like some info on this virus such as a history and an explanation of how it functions.

------------------------------

Date: Mon, 24 Oct 94 13:28:21 -0400
From: sean.doherty@channel1.com (Sean Doherty)
Subject: Date stamps changed by 8 months. (PC)

On 10/20/94 I installed the latest version of McAfee's VirusScan software. I have off and on used VirusScan in the past and have never had anything but success. During the early morning hours on 10/21/94 we ran a scan on our 3.5GB Novell NetWare v3.11 network.
The command line I used was "SCAN F: G: /PLAD" to "Preserve the Last Access Date". To my horror, we found on 10/21/94 that many (but not all) files ending with EXE, COM, SYS, DLL, BIN and OVL extensions had their dates changed by 8 months. This was discovered when files began appearing with date stamps containing the month "0"!

There was no way to determine which files had been changed and which had not without comparing the date of every single file on the network. Using NDIR.EXE and FIND.EXE we created a list of every file on the network (including their creation dates) and searched this list for " 0-" (representing the month of zero), which we *KNOW* is wrong. From this list we were able to get a sample of the affected files and determined that only the EXE, COM, SYS, DLL, BIN and OVL files were affected. Files with these extensions were the only files scanned on our network (I hope) by the McAfee software.

I used BINDFIX.EXE to repair our network binderies and VREPAIR to repair any FAT errors we may have had, but found no problems. I then began restoring all files (with the above listed extensions) from the backup we had done just minutes before the McAfee scan. These files all had the correct dates. While waiting for the restore to complete I scanned all workstations on our network with McAfee, Norton AV and Microsoft AV. I found no viruses. I then began searching the EMAIL areas (such as this one) for similar problems/symptoms and found none. Since 10/21/94 we have not used the McAfee software and have had no recurrences.

Does anyone have any idea what happened? All I can think of is perhaps the "/PLAD" parameter screwed up the dates. I would like to continue using the McAfee software and hope someone has a solution/explanation for this problem.

Appreciation to all readers of this message ...
:( Sean

------------------------------

Date: Sat, 22 Oct 94 15:08:40 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: tbav625/tbavx625 - Thunderbyte anti-virus v6.25 (Complete/Optimized) (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
tbav625.zip    Thunderbyte anti-virus pgm (complete) v6.25
tbavx625.zip   TBAV anti-virus - processor optimized versions

The Thunderbyte Anti-Virus utilities are ShareWare. There are four security modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are programmed in assembler and are therefore very fast! TbScan is a signature, heuristic and CRC scanner. It detects known, unknown and future viruses. TbScanX is the resident version of TbScan. TbClean is the first heuristic cleaner in the world. Even a file infected with an unknown virus can be cleaned. TbMon consists of three resident programs (TbMem, TbFile, TbDisk) which monitor your system against unknown viruses. From version 6.22 a complete Windows version is available. Note that for Windows you need both the Windows and the DOS files!

Replaces:
SimTel/msdos/virus/
tbav624.zip and older
tbavx624.zip and older

TBAV is uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl (in dir /pub/msdos/virus/tbav) and from there distributed to SimTel, garbo.uwasa.fi, nic.funet.fi and ftp.sunet.se, and from there to their mirror sites.
Greetings,
Piet de Bondt   bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Sat, 22 Oct 94 15:10:19 -0400
From: aryeh@mcafee.com (McAfee Associates)
Subject: scn-212e/vsh-212e/wsc-212e - McAfee VirusScan/VShield V2.1.2 (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
dat-212.zip    McAfee's virus signature data file Version 212
scn-212e.zip   McAfee's VirusScan: Scans/cleans viruses
vsh-212e.zip   McAfee's VShield: Anti-virus TSR
wsc-212e.zip   VirusScan for MS-Windows: Scans/cleans viruses

replaces: scn-211e.zip, vsh-211e.zip, wsc-211e.zip

WHAT'S NEW

The .ZIP files for VirusScan and VShield contain only new data files to detect and remove new viruses. The programs have not changed. If you have previously downloaded ???-211E.ZIP, the only file you need to download is DAT-212.ZIP. You can then unpack the new .DAT files and copy them over your old ones.

For Validate information, please refer to the PACKING.LST file inside each program's .ZIP file.

Regards,

Aryeh Goretsky
Professional Services Group
McAfee Associates, Inc.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, Suite 200| FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | America Online: McAfee

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 89]
*****************************************
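The boot-sector infection chain Kevin Marcus lays out in this issue (the virus is resident only after the machine has been booted from an infected floppy; its INT 13h hook then infects whatever volume is touched; a DIR on a clean machine only reads the BPB as data), together with Maarten Meijer's note that Natas stashes its floppy code at the end of the disk and lowers the disk size in the BPB, and the "copy the saved sector back over sector 1" repair Ian Douglas mentions, as an added Python model. This is not code from the digest or from any product named in it. The marker bytes, drive letters, disk layouts and scenario functions are constructed for the illustration; the toy infector merely copies the original boot sector to the last sector and lowers total_sectors by one, it is not any real virus, and a real cleaner has to know where the specific virus hid the original (the post gives 0,0,17 for ExeBug) rather than reading it out of the BPB as done here.

```python
import struct

# Added illustration, not code from the digest. The "virus" is a four-byte marker
# plus a relocated boot sector; disk images, drive letters and scenarios are constructed.
SECTOR = 512
MARKER, MARKER_OFF = b"VIRS", 0x3E     # constructed marker written just past the BPB
BPB_OFF, BPB_FMT = 11, "<HBHBHHBHHHII"  # DOS 3.31+ BPB fields in on-disk order
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors", "media",
              "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors_32")

def make_boot_sector(total=2880, spt=18, heads=2):
    """A plausible floppy boot sector: JMP, OEM name, BPB, 55AA signature."""
    bs = bytearray(SECTOR)
    bs[0:3], bs[3:11] = b"\xEB\x3C\x90", b"MSDOS5.0"
    struct.pack_into(BPB_FMT, bs, BPB_OFF, SECTOR, 1, 1, 2, 224, total,
                     0xF0, 9, spt, heads, 0, 0)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def parse_bpb(boot):
    """DOS reads these fields as data to learn the geometry; nothing is executed."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, boot, BPB_OFF)))

def is_infected(boot):
    return boot[MARKER_OFF:MARKER_OFF + 4] == MARKER

def floppy_looks_shrunk(boot, tracks=80):
    """True when the BPB claims fewer sectors than its own geometry fields imply."""
    b = parse_bpb(boot)
    return b["total_sectors"] < b["sectors_per_track"] * b["heads"] * tracks

class Machine:
    """Clean BIOS and DOS; volumes are {sector: bytes}, unread sectors are blank."""
    def __init__(self, **volumes):
        self.volumes = {k: {0: v} for k, v in volumes.items()}
        self.resident, self.events = False, []

    def int13_read(self, vol, n):
        if self.resident:                # the resident virus sees every INT 13h call first
            self._hook(vol)
        return self.volumes[vol].get(n, bytes(SECTOR))

    def _hook(self, vol):
        v = self.volumes[vol]
        boot = v[0]
        if is_infected(boot):
            return
        stash = parse_bpb(boot)["total_sectors"] - 1     # last sector of the disk
        v[stash] = boot                                  # original goes to the end
        new = bytearray(boot)
        struct.pack_into("<H", new, BPB_OFF + 8, stash)  # DOS now sees one sector less
        new[MARKER_OFF:MARKER_OFF + 4] = MARKER
        v[0] = bytes(new)
        self.events.append("infected " + vol)

    def boot_from(self, vol):
        boot = self.int13_read(vol, 0)   # BIOS loads sector 0 and jumps into it
        if is_infected(boot):
            self.resident = True
            if "C" in self.volumes:      # many infectors hit the first hard disk at once
                self._hook("C")

    def dir(self, vol):
        """DIR's disk traffic: boot sector for the BPB, then the root directory."""
        bpb = parse_bpb(self.int13_read(vol, 0))
        self.int13_read(vol, bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"])
        return bpb

def disinfect(volume):
    """Copy the stashed original back over sector 0 (the 'move sector X back to 1' fix)."""
    boot = volume[0]
    if not is_infected(boot):
        return False
    volume[0] = volume[parse_bpb(boot)["total_sectors"]]
    return True

def infected_floppy():
    """A carrier floppy, produced by letting the hook run once on a clean image."""
    carrier = Machine(A=make_boot_sector())
    carrier.resident = True
    carrier.int13_read("A", 0)
    return carrier.volumes["A"]

def scenario_dir_only():
    """DIR of the carrier on a clean machine: the BPB is read as data, nothing spreads."""
    m = Machine(C=make_boot_sector(total=20480, spt=32, heads=8))
    m.volumes["A"] = infected_floppy()
    m.dir("A")
    return m.resident, is_infected(m.volumes["C"][0])

def scenario_boot_then_dir():
    """Boot from the carrier: virus goes resident, infects C:, then a DIR of B: infects B:."""
    m = Machine(B=make_boot_sector(), C=make_boot_sector(total=20480, spt=32, heads=8))
    m.volumes["A"] = infected_floppy()
    m.boot_from("A")
    m.dir("B")
    b = m.volumes["B"][0]
    return m.events, is_infected(b), floppy_looks_shrunk(b)
```

scenario_dir_only() returns (False, False): reading the infected floppy's BPB on a clean machine neither makes the virus resident nor touches C:. scenario_boot_then_dir() returns (["infected C", "infected B"], True, True): once booted from the carrier the hook infects C: immediately and B: on the first DIR, and floppy_looks_shrunk catches the lowered sector count in the same way a scanner can flag a floppy whose BPB disagrees with its geometry. disinfect() on the carrier image restores the clean sector and returns False on a second call, which is the check to run after any "copy the sector back" repair.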