VIRUS-L Digest   Thursday, 8 Dec 1994   Volume 7 : Issue 98

Today's Topics:

"Good times" is a HOAX!
Need basic virus information
Re: any virus WWW sites?
I.C.A.R.O. goes on the Web
Virus List via Gopher or WWW?
How do you get rid of Pinworm?
Re: Mainframe Viruses? (IBM VM/CMS/etc)
Virus-stealth? (UNIX)
Re: MtE virus (PC)
Re: GenB virus alert (PC)
Re: NAV 3.0 updates ? (PC)
Re: contracting monkey/boot sector virus (PC)
Re: Telecom virus (PC)
Re: NCSA hasn't heard of Viking virus (PC)
Possible Virus Problem (PC)
F-prot and diskless workstations (PC)
Need info: Trident Virus (PC)
F-Prot (PC)
Of what value is McAfee Netshld (PC)
re:Vacsina v 5 ?!? Info wanted!!! (PC)
Re: master boot record viruses (PC)
Re: Monkey Virus is on our backs... (PC)
Re: Exebug apparently surviving boot (PC)
F-PROT's Virstop.. How effective is it? (PC)
McAfee VirusScan 2.1.* (PC)
The Antivirus Practice La (PC)
InVircible Problems, Security Scares!!!!!
Re: Stealth* What is it? Virus DB? (PC)
Ahhhhh! McAfee killed my files! (PC)
Re: Signalit PT virus maybe ? (PC)
Re: HELP: Form virus attacks Windows NT NTFS boot sector. (PC)
Re: Help! Filler, GenB, GenP viruses (PC)
Re: Differences between McAfee products? (PC)
Re: A non-viral cause of Windows being slow (PC)
Re: Any1 who have info of the junkie virus (PC)
386Spar.par Virus? (PC)
comp.os.ms-windows.setup (PC)
Re: Thunderbyte anti-virus announcement messages (PC)
Re: Virus Found in MSAV.EXE (PC)
Re: Virus MTE-Encrypted (PC)
Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC)
NYB (PC)
A SETUP funny on boot : virus or what? (PC)
Re: master boot record viruses (PC)
Re: GenB virus - Need Help (PC)
Rostov virus (PC)
new virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart.  Discussions are not limited to any one hardware/software platform - diversity is welcomed.  Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)  Please sign submissions with your real name; anonymous postings will not be accepted.  Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.  A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.  Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL.  All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 07 Dec 94 14:11:29 -0500
From: "Kenneth R. van Wyk"
Subject: "Good times" is a HOAX!

In the past few days, VIRUS-L/comp.virus has become inundated with (mostly identical) submissions regarding a reported virus on America On Line called "Good Times".  This report has been determined (by several FIRST teams, etc.) to be a hoax started by a user at a university.  Because of this, I will not be posting any of the submissions on this "virus".

Cheers,

Ken van Wyk
VIRUS-L/comp.virus moderator

------------------------------

Date: Tue, 22 Nov 94 23:16:48 -0500
From: prosys@Cybernetics.NET (Gary S. Hutchins)
Subject: Need basic virus information

I am doing some research about computer viruses.  Can someone please answer the following questions for me:

Where can I get a list of all known viruses (name, description, possible damage, etc.)?

Where can I get a list of all occurrences of the accidental release of viruses by commercial companies?

Have there been any lawsuits because of the accidental release of viruses by commercial companies or individuals?

What are the top 10 virus detection programs on the market today?

Thank you for your responses.

------------------------------

Date: Wed, 23 Nov 94 04:22:12 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: any virus WWW sites?
Hello,

Two web servers that come to mind are www.mcafee.com and www.symantec.com.  I believe that Data Fellows has a web server, too.  Also, I believe there may be some virus information available from IBM's web server.

Regards,

Aryeh Goretsky
Technical Support

"Jim Powlesland" writes:
>The subject heading says it all.  Are there any virus World Wide
>Web sites?  And if so, what are the addresses?

--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, Suite 200 | FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Wed, 23 Nov 94 12:44:51 -0500
From: Luca.Sambucci@IWI.unisg.ch
Subject: I.C.A.R.O. goes on the Web

The I.C.A.R.O. goes on the Web!

I'm pleased to announce the Italian Computer Antivirus Research Organization's World Wide Web site at the following address:

http://www-iwi.unisg.ch/~sambucci/icaro.index.html

Here you'll find information related to the antivirus research, programs, texts, all the ICARO files (tests, reports, etc.), as well as links to the major AntiVirus-related sites on the Internet.

Best Regards,
Luca Sambucci

Luca Sambucci                     luca.sambucci@ntgate.unisg.ch
Italian Computer Antivirus Research Organization
Iterum rudit leo

------------------------------

Date: Thu, 24 Nov 94 23:04:51 -0500
From: dave@io.org (David E. Beaupre)
Subject: Virus List via Gopher or WWW?
Hi,

I was wondering if anyone has started or is maintaining an extensive list of viruses which describes:

Virus Name, Virus Type, Files Affected, Method of Prevention, What the Virus does

Does anyone know of such a document which might be available from a gopher or WWW server?  Any information would be appreciated.

Thanks,
Dave

[Moderator's note: Seems to be a recurring theme here... :-)]

=============================================================================
David E. Beaupre                                          dave@io.org
Mgr, Computer Services - QUEUE Systems - (905) 940-8132   dave@queue.pci.on.ca

------------------------------

Date: Thu, 24 Nov 94 11:15:30 -0500
From: Joseph Volence
Subject: How do you get rid of Pinworm?

How do you get rid of the Pinworm virus?

------------------------------

Date: Tue, 22 Nov 94 16:57:44 -0500
From: adamsp@umbsky.cc.umb.edu (Peter C.S. Adams)
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)

MVillegas wrote:
>Has anyone heard of an IBM mainframe virus?  Do or have they
>existed?

According to Vesselin Vladimirov Bontchev:

> HP-48: Haven't seen any, but have heard of at least 3.

> UNIX: At least 5.  Three I have here, one used in Dr. Cohen's experiments, and one compiled virus (not a sh script) described in Tom Duff's paper.  Also, a few versions of the infectious sh script described in the other paper in the same volume.

> Are there any Vax viruses, and if not, why not?

I am not aware of any true VAX/VMS virus and know of only one worm, written in DCL.  Why?  Probably because VMS is not so widespread and again, low-level information about it is known by few people, who are motivated to apply their knowledge for productive (and well paid) things; not for virus writing.  On the other side, most Unix viruses will run happily under Ultrix.

------------------------------

Date: Wed, 23 Nov 94 12:57:23 -0500
From: jonmillr@csn.net (Jon Miller)
Subject: Virus-stealth? (UNIX)

We appear to have a STEALTH virus on a Unix based Altos computer.
Does anyone have experience with STEALTH on UNIX?  How can we get software to deal with it?  Please e-mail me at jonmillr@teal.csn.org.  Thanks.

[Moderator's note: Although I've seen a lot of stealth-like (but NON-REPLICATING!) malicious code on UNIX systems, I haven't seen any such viruses; it would probably help if you'd list out the symptoms and such that you're seeing.]

------------------------------

Date: Mon, 21 Nov 94 11:07:11 -0500
From: Otto Stolz
Subject: Re: MtE virus (PC)

charlesb@bedford.progress.COM (Charley Boudreau) writes:
> Can anyone give me any info on the MtE virus.  I was infected with it

On Sat, 05 Nov 94 12:14:23 -0500 said:
> How could you get infected by the MTE ??  Every AV product
> out there (TSR) sees it ??

Beware:

- Every AV product out there does NOT see it.

- TSRs have a hard time to detect polymorphic viruses.  E.g., the documentation for VIRSTOP (i.e. the TSR part of the F-Prot package) says, verbatim:

> IMPORTANT! ... VIRSTOP does not detect the same number of viruses as
> F-PROT.  In particular, VIRSTOP does not detect most polymorphic
> viruses.  It is therefore recommended that VIRSTOP only be used as
> one component of the virus protection - do not rely on it alone.

Best wishes,
Otto Stolz

>>>>> Please use only the address given above, as all Bitnet addresses
>>>>> at DKNKURZ1 will expire by end of 1994, and all Internet addresses
>>>>> at Nyx.Uni-Konstanz.de will do so some time in 1995.

------------------------------

Date: Mon, 21 Nov 94 16:26:31 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: GenB virus alert (PC)

Michel Carbon writes:
>I have a virus: GenB.
>I have detected it with scan117, on a floppy disk.
>How can I eradicate it, on my floppy disk?
>If there is a cleaner for that, where can I have it?

GenB by McAfee means it's sure you have a virus in the boot sector.  But it doesn't know what it is.
So, neither can anyone else till they see your sample or you get a scanner that does know exactly which virus you have.

If you follow these steps, you can have something to send to AV people to help you determine what you have:

Stick the diskette in A: and, using DEBUG:

    -l 100 0 0 1
    -n virus.boo
    -r cx
    :200
    -w
    -q

If you must put the diskette in B:, then the first instruction is

    l 100 1 0 1

When you do that, if you feel like sending me a copy, contact me and I'll give you some procedures.

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Mon, 21 Nov 94 16:30:59 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: NAV 3.0 updates ? (PC)

Don Olson writes:
>I recently quit C$ and am a newbie on the internet.
>I still need to get NAV3.0 updates from Symantec, but nobody from Symantec
>seemed interested in responding to my requests on C$ for an internet site
>where they could be had.
>I would rather ftp than deal with their stupid BBS, since it usually only
>connects at 2400 baud lately and the toll call is a killer.
>Is there a site that carries them thar updates??

You must realize that you don't get much response asking for free what is being sold...  But they should be available on Symantec's WWW site: http://www.symantec.com

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Mon, 21 Nov 94 16:37:10 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: contracting monkey/boot sector virus (PC)

Keenan Brock writes:
>How exactly do you catch a virus like monkey?  I always boot from my
>harddrive.  I don't see when code from the infected disk is run.

By booting off an infected floppy disk.  That's the only way.

>A dir command executes code on my hard drive.  When is code in the
>virus run?

If all you have done is to DIR a diskette and your scanner says you have Monkey in memory, you have a ghost positive.  We at NAV would argue that this is bad.  But on the other hand, you will be scared by it to make you start looking around.
>pointers to sources of information would be helpful as well.

NAV Technical Support has a fax-back on Monkey available.  If you are a NAV customer, you may request it through 503-465-8450.

Jimmy
Norton AntiVirus Research

------------------------------

Date: Mon, 21 Nov 94 16:45:10 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: Telecom virus (PC)

The Packetman writes:
>My friend is currently wrestling with the Telecom virus (maybe).  While
>formatting his hard drive, the computer tells him that there is a
>possible virus.  After continuing with the format, we ran f-prot and
>it returned saying that the telecom virus was present in memory.  We
>then performed a clean boot and ran f-prot again.  This time f-prot
>said the computer was clean.  Just to make sure he tried to format the
>drive again, but the same virus message appeared.  We have gone
>through the cycle of running f-prot and numerous other anti-virus
>programs but the virus hasn't shown up except for the first time,
>although the "possible VIRUS" message always appears when he tries to
>format the drive.  Could anyone who has any ideas or knowledge about
>the Telecom virus please help us.  Thanks.

You probably have a behaviour blocker installed.  It is warning you about your attempt to write to your boot sectors, which in normal circumstances you would not do.  But in your case, the process of formatting a disk/ette does.

If you booted clean, have scanned clean, and are formatting, and the TSR is warning about writing to a boot sector, you are probably clean.

NAVTSR has this capability.  For such programs as FORMAT, you are advised to put it into your exclusions list because FORMAT has to write to the boot sector.  (Or set your TSR to "prompt" so you can be made aware of what it's doing and override the conditions because you know what you're doing.)
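[Editor's added example, not code from Jimmy Kuo, Symantec, or any other poster in this digest.  It illustrates two threads above: the GenB reply, where DEBUG's "l 100 0 0 1" / "w" sequence dumps a diskette's first sector to virus.boo for submission to an AV vendor, and the Telecom reply, where a behaviour blocker fires on any boot-sector write, FORMAT included.  The Python below parses such a 512-byte dump: it checks the 0x55AA boot signature, reads the OEM label and BPB geometry, computes a SHA-256 fingerprint to send along with a sample, and compares a sector against a known-clean baseline hash.  That baseline comparison is the generic check behind a "virus in the boot sector, identity unknown" verdict; it goes beyond the posts in showing that a sector whose code area was altered passes every structural test and is caught only by the hash, and that a legitimately reformatted diskette trips the same check, which is why FORMAT belongs on an exclusion list.  The BPB layout is the standard DOS 3.31 one; every sample sector and the "tampered" opcode bytes are constructed here, not taken from any real dump.]

```python
"""Parse and fingerprint a 512-byte floppy boot-sector dump.

Added example; not code from any poster in this digest. It assumes a raw
first-sector dump such as DEBUG's "l 100 0 0 1" / "w" produces (virus.boo).
All sample sectors below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a bootable sector
BPB_FORMAT = "<HBHBHHBHHHII"      # DOS 3.31 BIOS Parameter Block, at offset 11


def build_sample_sector(oem: bytes = b"MSDOS5.0") -> bytes:
    """Construct a plausible, clean 1.44 MB floppy boot sector (constructed data)."""
    bpb = struct.pack(
        BPB_FORMAT,
        512,    # bytes per sector
        1,      # sectors per cluster
        1,      # reserved sectors
        2,      # number of FATs
        224,    # root directory entries
        2880,   # total sectors (16-bit field)
        0xF0,   # media descriptor: 3.5" 1.44 MB
        9,      # sectors per FAT
        18,     # sectors per track
        2,      # heads
        0,      # hidden sectors
        0,      # total sectors (32-bit field, unused here)
    )
    head = b"\xeb\x3c\x90" + oem.ljust(8, b" ") + bpb   # JMP SHORT + NOP, OEM, BPB
    return head.ljust(SECTOR_SIZE - 2, b"\x00") + BOOT_SIGNATURE


def tamper_boot_code(sector: bytes) -> bytes:
    """Constructed 'infected' variant: BPB untouched, only the code area changed,
    which is how a boot infector that preserves the BPB looks to a parser."""
    patch = b"\xfa\x33\xc0\x8e\xd0"   # arbitrary constructed opcode bytes
    return sector[:0x3E] + patch + sector[0x3E + len(patch):]


def parse_boot_sector(sector: bytes) -> dict:
    """Extract the fields an analyst wants to see before passing a sample on."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    f = struct.unpack_from(BPB_FORMAT, sector, 11)
    return {
        "jump": sector[0:3].hex(),
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": f[0],
        "sectors_per_cluster": f[1],
        "reserved_sectors": f[2],
        "fat_count": f[3],
        "root_entries": f[4],
        "total_sectors": f[5] or f[11],
        "media_descriptor": f[6],
        "sectors_per_fat": f[7],
        "sectors_per_track": f[8],
        "heads": f[9],
        "has_boot_signature": sector[-2:] == BOOT_SIGNATURE,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def sanity_flags(info: dict) -> list:
    """Structural checks; an infector that keeps the BPB intact passes all of them."""
    flags = []
    if not info["has_boot_signature"]:
        flags.append("missing 55AA boot signature")
    if info["jump"][:2] not in ("eb", "e9"):
        flags.append("first byte is not a JMP")
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        flags.append("implausible bytes-per-sector")
    if info["media_descriptor"] < 0xF0:
        flags.append("implausible media descriptor")
    if info["fat_count"] not in (1, 2):
        flags.append("implausible FAT count")
    return flags


def differs_from_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """Generic change detection against a hash taken from a known-clean sector."""
    return hashlib.sha256(sector).hexdigest() != baseline_sha256


if __name__ == "__main__":
    clean = build_sample_sector()
    baseline = parse_boot_sector(clean)["sha256"]
    cases = (("clean", clean),
             ("tampered code area", tamper_boot_code(clean)),
             ("reformatted (new OEM)", build_sample_sector(b"IBM  3.3")))
    for label, sec in cases:
        info = parse_boot_sector(sec)
        print(f"{label}: OEM={info['oem_name']!r} sectors={info['total_sectors']} "
              f"flags={sanity_flags(info) or 'none'} "
              f"changed_vs_baseline={differs_from_baseline(sec, baseline)}")
```

Run against a real virus.boo by replacing the constructed sector with open("virus.boo", "rb").read(); the SHA-256 and the parsed fields are what an AV researcher can use to match the sample, while the baseline comparison only says that the sector changed, not what changed it.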
Jimmy
Norton AntiVirus Research

------------------------------

Date: Mon, 21 Nov 94 17:33:58 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: NCSA hasn't heard of Viking virus (PC)

Richard Bondi writes:
>The Subject is overly provocative.  I read a bit about NCSA, and they told me
>stuff about ANTICMOS that McAfee didn't tell me, so I assumed what I had read
>was true: that they have a database of all viruses and are used as a central
>resource by all virus fighters.
>If they've not heard of Viking, it can't be true.  Is it true of anyone, and if
>so, of whom?

No one has a collection of all known viruses.  If anyone claims so, there's probably a misunderstanding since it is so ludicrous that anyone might think that they did.

Jimmy
Norton AntiVirus Research

------------------------------

Date: Mon, 21 Nov 94 17:43:42 -0500
From: templeto@toadflax.cs.ucdavis.edu (Scot P. Templeton)
Subject: Possible Virus Problem (PC)

Perhaps someone can help my father with a possible virus at work.  I have included his email to me (slightly modified), which indicates his problem and symptoms.

--------------------------- INCLUDED MESSAGE ---------------------------

Here are the symptoms of suspicious occurrences which are suspected to be caused by a virus.

First occurrence, computer did a spontaneous reset and would not function properly due to all files in root directory being erased except the 3 DOS files [msdos.sys, io.sys, and command.com].  Root directory files were restored using "undelete".

Approximately 2 weeks later the operator of the same computer noticed a message while in windows "** DELETING **" (not sure if upper or lower case or exact word or spacing) [message popped up in a window, I believe].  The same set of files were erased and subsequently recovered.

The above computer runs DOS 6.22 and Windows most of the time.
Approximately 2 to 3 weeks later another computer with DOS 5.0 and not used for Windows, would not boot due to all files in root directory being erased including Command.Com (not the 2 DOS SYS files).  Again all files were restored using "undelete" (to ensure destruction of any virus I deleted the partition, reestablished it, and reformatted it with DOS 6.22).

Both computers have been checked with SCAN, CPAV, and MSAV with no virus detected.

If you hear of any virus that deletes C:\ root directory files please let me know all there is to know about it, especially how to detect it and how to kill it.

------------------------ INCLUDED MESSAGE (END) ------------------------

I will be giving him f-prot, thunderbyte, and scan 212 this weekend (Thanksgiving).  Since this occurred on two different machines by two different users, we do not believe the problem is user/software error.

Any and all help will be gratefully received.

Scot

--
University of California, Davis
Department of Computer Science, Graduate Studies
templeto@cs.ucdavis.edu

------------------------------

Date: Tue, 22 Nov 94 05:21:37 -0500
From: ccbb@kudu.ru.ac.za (Mr BT Bonnevie)
Subject: F-prot and diskless workstations (PC)

Hi

I would like to use VirStop (the TSR virus shield that comes with F-Prot) on our diskless workstations.  I have created a bootimage that loads Virstop just before loading the netx Netware shell and this works.  When you log onto the Novell server, however, Virstop continuously looks for a floppy disk in the a: drive and this significantly reduces the performance of the workstation.

Does anybody know of a way of solving this problem?
Thanking you in advance,

Bo

--
Bo Bonnevie                                     e-mail: ccbb@kudu.ru.ac.za
Computer Services, Rhodes University, Grahamstown, 6140, South Africa
=====================================================================

------------------------------

Date: Tue, 22 Nov 94 08:53:55 -0500
From: aswNS@hamp.hampshire.edu (Albert S Woodhull)
Subject: Need info: Trident Virus (PC)

I need information on the Trident virus.  While on a consultation visit to the National University of Nicaragua I found my colleagues there had a serious problem with it.  Their virus detection software may have been too old.  CPAV and MSAV did not detect Trident.  We could detect Trident with McAfee 115 or 117 which I had with me.

The virus is very hard to clean.  It seems to infect both .com and .exe files.  When active it hides changes in file sizes that it has caused, and it may be able to hide in the boot sector.  We had the impression that McAfee SCAN did not always detect it, so it may have alternate forms.

(I tried to post a similar query to this about a week ago, but it never made it.)

Albert S. Woodhull, Hampshire College, Amherst, MA
awoodhull@hamp.hampshire.edu

------------------------------

Date: Tue, 22 Nov 94 11:49:14 -0500
From: C.Booth-94@student.lut.ac.uk (C.Booth-94)
Subject: F-Prot (PC)

Is F-Prot still available to home users for one pound?  I had a cover disk version a while back; I thought it was very good.  Is it available from an FTP site or can you register online?

------------------------------

Date: Tue, 22 Nov 94 12:00:58 -0500
From: kloeppej@ccmail.orst.edu (John Kloepper)
Subject: Of what value is McAfee Netshld (PC)

We've recently run through an evaluation period using the McAfee Netshield NLM on one of our file servers.  Maybe I didn't have it correctly configured, so I'm willing to cut it a break, but I can't see how it works.

More Info: In our office we have a couple of programmers who are constantly tweaking and updating pieces of code.
When they recompile their programs and then load their files up to the server, the NLM would grab them and send a message that a virus was detected.  However when I would view the log file all that is reported was that the suspect file was moved to its infected subdirectory.  There was no mention of what type of virus was suspected of operating.

I suspect in our case all the program was doing is a CRC comparison check and then throwing the changed file into the infected area.  In which case the moved file wasn't virus contaminated at all.

Has any one been able to get more bang for their buck using Netshield to scan servers for viruses, or is there something else we should be considering?

------------------------------

Date: Tue, 22 Nov 94 12:01:55 -0500
From: David Hanson
Subject: re:Vacsina v 5 ?!? Info wanted!!! (PC)

>Gustaaf Vocking writes:
>Today we encountered the Vacsina virus (v5) on our WAN...
>All in all it has temporarily infected over 2000 PC's I guess,
>since it clung to MAP.EXE in the SYS:PUBLIC directory of over
>20 Novell Fileservers...

Does this virus bypass Novell file rights?  If not, then let this be a lesson to make all public executables read-only.

Dave Hanson
afrc-mis@augsburg-emh1.army.mil

------------------------------

Date: Tue, 22 Nov 94 12:32:43 -0500
From: mkmurry@omnifest.uwm.edu (Mary Kay Murry)
Subject: Re: master boot record viruses (PC)

I work for a school district, and we also have had the MONKEY virus appear on both our PCs and our file servers.  We have successfully gotten rid of it.  We have used 3 different things: Norton Anti Virus latest version (3.0), F-PROT, and sometimes, with correcting the boot partition, we have used Norton's Disk Doctor to correct the problem.  Be sure to boot from an uninfected floppy disk first.

Hope you have success.

Mary Kay Murry

------------------------------

Date: Tue, 22 Nov 94 14:29:43 -0500
From: hiwire@technet.sg (Lim Beng Cheng)
Subject: Re: Monkey Virus is on our backs...
(PC)

Bruce Burrell (bpb@stimpy.us.itd.umich.edu) wrote:
: Lim Beng Cheng (hiwire@solomon.technet.sg) wrote:
:
: : However, I have written a program called FRONTLINE.  It is specifically
: : designed to detect and remove boot virus of any kind, including stealth
: : and polymorphic boot viruses - past, present and future.
:                                                  ^^^^^^^^^^
: I have a lot of problems with claims like this....
:
: : There is no need to update FRONTLINE because it is a generic virus
: : detector.  Just install into your hard disk and you can totally forget
: : about the threat of boot viruses.  The moment you switch on your PC and
: : boot up from the hard disk, if there is a boot virus, it will be detected
: : and removed automatically.  The user just has to type Y in response to
: : "Remove suspected boot virus (Y/N)?".
:
: "Removing the boot sector virus" is not the same thing as "fixing the
: problem".
:
: : FRONTLINE is the most reliable software solution to your boot viruses
: : problem - don't even need a system disk to recover from an infection.
: : Moreover, it saves your investment in your existing anti-virus software.
: : FRONTLINE complements your anti-virus software.
:
: Suppose FRONTLINE encounters a piece of boot code (virus or otherwise)
: which uses at least some of its 512 bytes to encrypt and decrypt other
: areas of the disk.  If the code is overwritten with generic boot sector
: code, any encrypted sectors may be forever lost.  If those sectors happen
: to be critical (FAT, root dir, or just important data), overwriting could
: be disastrous.  Can FRONTLINE, therefore, figure out all possible future
: boot sector infectors and guarantee that if the boot sector is fixed, all
: side effects are removed as well?  Until it is (and that's a highly
: non-trivial exercise), I'll stick to products which are updated
: periodically to handle all past and present infections.
: I prefer to wait
: for an upgrade which I know will work than to risk using a product which
: claims today to handle "all future infections".

I fully agree that the future cannot be told, but an anti-virus solution which does not depend on virus specific signatures will last longer and be able to detect and remove more of the future viruses.

Supposing you have 10 PCs in your office, and not all of them will get infected at the same time.  When you accidentally leave an infected diskette in drive A: then power up, that hard disk will get infected, but when you reboot from the hard disk, FRONTLINE will detect the presence of the virus and remove it immediately.  With prompt action, you get only 1 PC infected.  Without FRONTLINE, and if the virus progressively corrupts one sector or track on each boot up, as an example, you will end up with a massively corrupted hard disk within a week.  You can't wait for the next upgrade which may be months later.  With FRONTLINE, you stop it at the first instant on boot up.

There is no 100% foolproof solution as far as PCs are concerned.  Proper procedures, guidelines, early detection and prompt action all help to minimize and contain the damage.

Finally, I would like to thank Bruce for his concern, which is valid.  However, every bit of effort puts you closer to a more secure environment :)

--
Lim Beng Cheng                        Know the viruses
Hiwire Computer & Security Pte Ltd    Know the anti-viruses
hiwire@technet.sg                     Know none of them and your system will soon perish

------------------------------

Date: Tue, 22 Nov 94 15:06:00 -0500
From: hiwire@technet.sg (Lim Beng Cheng)
Subject: Re: Exebug apparently surviving boot (PC)

Jackson Harvey (jch9@po.cwru.edu) wrote:
: >But Exebug can spoof a cold boot.  It forces the computer to
: >start booting from the hard disk even though you think it is
: >booting from the floppy.
: >Once it has loaded and run the
: >partition sector (MBR), getting the virus into memory and active,
: >then it continues the boot from the floppy so you are none the
: >wiser.  For this reason, anti-virus scanners have to be able to
: >detect Exebug in memory.
:
: Excuse my ignorance, but how is this accomplished (possible)?  If a computer
: is set to boot from floppy, and then from hard disk if a floppy is not
: available, how does the virus 'gain control'?
:
: Thanks,
: Jackson Harvey

It is possible under 2 special conditions.

The first condition is when the boot virus on execution makes itself resident in memory, then tries to read the floppy drive for the boot sector, thereby creating the effect of booting up from a floppy when in fact the virus is already in memory.  Of course, with a floppy diskette in the drive A:, you will argue that it must boot from A: if you cold boot (switch off then on).

Now the second condition.  That PC must have been set with the boot sequence as C: first then A:.  Now the question is how can a PC get infected when the boot sequence is C: then A:.  Three possibilities (not necessarily related to EXEBUG).  First, the PC was in the sequence A: then C: and got infected, then the sequence was changed by the user himself.
Second, the PC was in the sequence A: then C: and when infected, the virus changes the CMOS setup to sequence C: then A:.  Thirdly, the boot virus is carried by a parasitic virus (multipartite virus) and the hard disk can get infected by the boot virus even when the sequence is C: then A:.

FRONTLINE, when installed prior to the infection, can detect and remove such viruses on boot up from the hard disk.

--
Lim Beng Cheng                        Know the viruses
Hiwire Computer & Security Pte Ltd    Know the anti-viruses
hiwire@technet.sg                     Know none of them and your system will soon perish

------------------------------

Date: Tue, 22 Nov 94 15:10:32 -0500
From: dasdwl@uwoadmin.uwo.ca (David W. Loveless)
Subject: F-PROT's Virstop.. How effective is it? (PC)

Does F-PROT's virstop function effectively under Windows after it's loaded as a TSR in the autoexec.bat file?  I've personally been using F-PROT more as an off-line scanner of new files rather than as an on-line detector of viruses.

Thanks for your help.

------------------------------

Date: Tue, 22 Nov 94 16:48:03 -0500
From: THE GAR
Subject: McAfee VirusScan 2.1.* (PC)

I got my "Winter Newsletter" from McAfee the other day with my VirusScan 2.1.2 (and Vshield).  I wonder how it is being received at other sites?

Here, we were told by McAfee that the terrible problems we were having with WordPerfect for Windows 6.0 when we had their software loaded were resolved by the 2.1 version.  And indeed they are.  But their newsletter says: "VirusScan 2.1 has had major improvements in its ability to remove viruses from files and boot sectors." yet we find that to be bogus.

Indeed, we have been unable to remove the virus which is reported as "Stealth-C" by Scan with 2.1.2 ... tech support at McAfee first told us to get 2.1.3, which we did, and are now telling us to use 117 (the "old" "Clean.exe" from McAfee), because SCAN 2.1.X is UNABLE TO REMOVE BOOT SECTOR VIRUSES!

So we find ourselves in a tough spot.
We have a site license for McAfee products, and don't want to buy another (at least until our current contract runs out), and yet to give my users a product that will both run on their machine and allow them to remove the viruses they may encounter, we have to go back to a version that has ANTIQUE signature strings with which to search!

Suggestions from any loyal McAfee fans would be appreciated.

Later
Gary Warner
Supervisor, Computer Networking and Repair
Samford University Computer Services
II TIMOTHY 2:15

------------------------------

Date: Tue, 22 Nov 94 18:06:56 -0500
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: The Antivirus Practice La (PC)

Zvi Netiv To ALL about The Antivirus Practice La on 11-15-94

ZN> AV Lab uses some real but emasculated viruses, such as Stoned and
ZN> Monkey.  They have been tamed to assure they cannot escape in the wil
ZN> yet they will let you explore how such viruses work, what are their
ZN> symptoms and how to remove them safely.  These specific viruses, and

Zvi:

This may be all well and good, but what is to keep hackers from modifying the defanged viruses, or adding real live viruses to the archive, and distributing this modified archive to other BBSs?

Bill

For PGP key.  Send E-Mail to bill.lambdin@pcohio.com

---
 * CMPQwk 1.4 #1255 * PREDATOR 3 R C B80057E82A0180FEC8737780C6C88916

---------------------------------------------------------------
PC-Ohio PCBoard                PO Box 21411
The Best BBS in America        South Euclid OH 44121
DATA: 216-381-3320             pcohio.com
FAX: 216-291-2685
---------------------------------------------------------------

------------------------------

Date: Tue, 22 Nov 94 18:14:50 -0500
From: whudace@bgsuvax.bgsu.edu (Bill Hudacek)
Subject: InVircible Problems, Security Scares!!!!!
(PC)

To all who have reason to be concerned (and that's anyone who has a copy of InVircible):

The "InVircible Soap Opera" continues.  At this point, the representative of FuturSoft Corporation has not responded to [my] latest questions.  Enclosed please find a digest of relevant message contents.

History:

1. I noticed mention of InVircible in comp.virus, and went out & found it.

2. I took it home & tried it, & loved it.  I called the vendor; I bought the software (no credit cards involved, just my address & "pay when you get it").

3. Package shows up 3 days later; I had problems installing, made two calls to Support; ended up getting authorization key over the phone --- seems that with SMARTDRV *write-enabled* on a floppy, the install can't work :)  They were supposed to send another disk; I haven't seen it.  (to be fair, I haven't asked them about it either!)

4. I noticed "Mr. G's" post (enclosed below), which mentioned some rather undesirable behaviors when he ran IVINIT at system startup --- with ThunderByte utilities already running.  I sent mail to the vendor, adding my own concerned voice...

5. The vendor's response is included herein.  (Essentially, "No way it's our software.")

6. I went out myself, and got the latest copy of ThunderByte (6.26).  I saw many of the same symptoms that night, that Mr. G. had reported.  Details are below, but here's a synopsis:

   a) ATTEMPTED: COMMAND.COM renamed to 'g .COM'
      * no matter how I answered ThunderByte's prompt, the system hung.

   b) I removed TBFILE from startup files, & (ostensibly) got past the command.com manipulations (this is getting scary, isn't it?).

   c) ATTEMPTED: creation and invocation of between 3 and 5 .COM files with names like 'GUH7487H.COM'...  ThunderByte's TBCHECK, which monitors executed programs (checked against data base of files...) detected every one of these attempts.

7. I sent mail to Mr. G.
and Jeff Murphy (of FuturSoft), letting them know that I'd duplicated the a) environment and b) the symptoms observed (by Mr. G.). This message was the last sent to/from FuturSoft. Perhaps, here, in a public forum, more pressure can be brought to bear. QUESTIONS: 1) Can anyone else verify or obviate the two test situations?? 2) I've tried MacAfee (latest version, whatever that is), and something called 'fixutils' which was locally recommended), and NEITHER of them let out so much as a peep when IVINIT was 'doing its thing'. Anyone out there that can try other packages (either ThunderByte, or any other)???????? It's this way: the more of us who verify and repeat these circumstances, the better the odds of getting satisfaction. BTW, I really _do_ hope this can be worked out. This is a 'sexy' package, aside from its *invasion* of your most private parts :^) Please feel free to respond to the group. If anyone hears from FuturSoft, please let the group know! Relevant passages of past messages follow. Line 218-236 of this file show FuturSoft's reaction to Mr. G.'s discovery. Regards, and Happy Thanksgiving to all. William G. Hudacek Internet: whudace@dad.bgsu.edu University Computer Services Bowling Green State University ======================================================================== >From: Zeppelin@ix.netcom.com (Mr. G) >Newsgroups: comp.virus >Subject: Re: The InVircivle Anti-Virus Expert System v6.01 (PC) >Date: 15 Nov 1994 17:41:42 -0000 >Distribution: world rc.casas@ix.netcom.com (Robert Casas) writes: >frankj@tv.tv.TEK.COM (Frank Jazowick) writes: > >> I just have heard about the 'new' anti-virus program called >>The InVircivle Anti-Virus Expert System v6.01... >> >> It just came out of Israel and is being used by Australia and >>New Zealand. >> >> So as anyone heard of this program and how good it is as >>compared to well-known shareware and commerical anti-virus >>programs????? > >> >F-PROT is a very good scanner. So, too, are TBAV and AVP. 
However, >InVircible is not really an AV product designed around the concept of >"scanning" to detect viruses so that you can remove them. This is >probably one of the most difficult ideas that people familiar with >traditional AV tools - such as F-PROT, TBAV, and AVP - will have to >deal with to understand and accept InVircible. > >InVircible does have a virus scanner (IVSCAN) but it is designed to >detect common viruses. Also, it does not work with "signatures" or >"heuristics" in the way most "scanners" do. In any case, IVSCAN is not >the most interesting or powerful feature of InVircible. I have been using IV for about a week, and was pleased with its graphical approach as well as its speed. I used the IVINIT, IVB, IVSCAN at boot up, and felt secure. Well, being a little paranoid, I kept my Registered TBAV,TBMEM active as my only TSR. No PROBLEMs, yet. So this week, after having to rebuild a friends HD after a Whisper attach, I decided to add TBcheck and TBfile to my active TSR's. Here is where it got sticky. Upon bootup, after TBMEM/TBCHECK/TBFILE were active , IVINIT sent a flag to TBAV. Several in fact. Then IVB started sending flags (warnings) to TBAV, and TBAV told me that IVB was trying to rename Command.com to @!$&.com (this is no shit), and would I like to stop it. The first time I said no, and IV went on to remane 6 different files from DOS and set them in my root directory. When all the TBAV/IV flags stopped, my system hung telling me that it could not find a command interperter. I booted from my Norton Utilities Rescue Disk (not the one IV made), and did a SYS c: to restore my missing Command.com. I then went to Norton Commander and viewed the Drive. I found that the 6 files were 6 bytes long, and named like that of a "Stoned Marked," file. I deleted them, and restored the renamed files with my 6.22 setup disks. I have removed IV from my autoexec.bat, but not from the HD, YET. 
I plan on trying the IVSCAN a little later, after I get a response from this post from the author. ======================================================================== >From Zeppelin@ix.netcom.com Tue Nov 22 17:11:32 1994 Date: Tue, 15 Nov 1994 20:17:45 -0800 From: "Mr. G" To: Bill Hudacek Subject: Re: The InVircivle Anti-Virus Expert System v6.01 (PC) You wrote: > >In comp.virus you write: > >< clip... > > >>a little paranoid, I kept my Registered TBAV,TBMEM active as >>my only TSR. No PROBLEMs, yet. So this week, after having to >>rebuild a friends HD after a Whisper attach, I decided to >>add TBcheck and TBfile to my active TSR's. Here is where it > Bill' What I have since found out is this; If you start VI prior to TBAV/F-PROT, ect, it sends no woarnings. B U T !!! If you try to run IV after TBAV's shit is memory, bells and alarms go NUTS!!! Same shit starts, and command.com is gone again, plus you have about 10 6 byte files ?????? ummmmmmmmmmm -Zep- - ---------- Forwarded message ---------- Date: Wed, 16 Nov 1994 12:32:04 From: "Jeffrey K. Murphy" To: whudace@dad.bgsu.edu Subject: Re: *** The InVircivle Anti-... Hi William, >I'd like to add my own request for information to that of the >author of the included news posting. > >I can be reached through this email address; or, if you wish, you may >reply to comp.virus (where this post originally appeared), and I will see >it there. > >Thank you, Your welcome! >rebuild a friends HD after a Whisper attach, I decided to >add TBcheck and TBfile to my active TSR's. Here is where it >got sticky. Upon bootup, after TBMEM/TBCHECK/TBFILE were active >, IVINIT sent a flag to TBAV. Several in fact. Then IVB started >sending flags (warnings) to TBAV, and TBAV told me that IVB was >file. I deleted them, and restored the renamed files with my >6.22 setup disks. I tried the same exercise under identical conditions as described above. At no time did IVB (or any other InVircible component) try and rename any files. 
InVircible has no internal facilities to automatically rename files during any process. The ONLY TIME InVircible will rename a file is through the IVX module and then ONLY AT THE USERS REQUEST. InVircible has NO TSR's that will manipulate memory or other processes during operation. It was purposly designed this way. I have since tried different memory managers and other methods to duplicate the results and have not had any difficulties, nor have we EVER received and compliants on the effectivness or operation of InVircible. Should you have any other questions or concerns please contact us at 1-800-NOVIRUS (668-4787) and we'll be happy to assist you. Jeff Murphy FuturSoft Corporation InVircible North American Distributions and Support ======================================================================== >From whudace@chip.bgsu.edu Tue Nov 22 17:11:49 1994 Date: Thu, 17 Nov 1994 10:38:31 -0500 (EST) From: William Hudacek To: "Jeffrey K. Murphy" Cc: "Mr. G" Bcc: Jim Hoy , Kent Strickland Subject: Re: InVircible I thought you would both like to know that I obtained a copy of ThunderByte (version 6.26, from risc.ua.edu. I installed the full suite of memory-resident tools, whilst leaving IVINIT in the autoexec file, but set to run after TBFILE. When I rebooted, I received a message (as soon as IVINIT started up), that was trying to rename command.com to .com (three times, this message had a null file name, three other times, it was 'g '.com). No matter my answer (cancel: Y/N), the box hung...but did not necessarily require a hard reset. The key buffer would not fill up; CTRL-BREAK caused a strange, two-tone beep; and, once, after pounding on various keys for some length of time, I *did* have to do a hard reset. This done, I removed TBFILE, and, (though the command.com mods now proceeded[???]), I received messages from TBCHECK that it 'did not find the checksum information for . Cancel execution? Y/N'...! The file names given were, variously, I8YVCYG7.com (twice!!!??) 
CEQ87EN6.com I believe this proves (beyond any _reasonable_ doubt) that it's not a problem which is isolated to "Zeppelin's" computer. This means it's in the software. I believe the ball is in your court now, Jeff. Waiting is, William G. Hudacek Internet: whudace@dad.bgsu.edu University Computer Services Bowling Green State University ======================================================================== ======================================================================== >Date: Wed, 16 Nov 1994 12:32:04 >From: "Jeffrey K. Murphy" >To: whudace@dad.bgsu.edu >Subject: Re: *** The InVircivle Anti-... > < clipped> > >I tried the same exercise under identical conditions as described >above. At no time did IVB (or any other InVircible component) try >and rename any files. InVircible has no internal facilities to >automatically rename files during any process. The ONLY TIME >InVircible will rename a file is through the IVX module and then >ONLY AT THE USERS REQUEST. > >InVircible has NO TSR's that will manipulate memory or other >processes during operation. It was purposly designed this way. > >I have since tried different memory managers and other methods to >duplicate the results and have not had any difficulties, nor have >we EVER received and compliants on the effectivness or operation >of InVircible. > >Should you have any other questions or concerns please contact us >at 1-800-NOVIRUS (668-4787) and we'll be happy to assist you. > >Jeff Murphy >FuturSoft Corporation >InVircible North American Distributions and Support > Jeff: This is Zeppelin. I am using a registered copy of TBAV and I am using the TBCHECK3.exe, TBMEN3.exe and TBFILE.exe. I can tell you for a fact that this happenes !!! Since my copy of TBAV registered is UPPER level(ie: processor addressable, and there is a difference)) it just goes nuts. I am afraid to run IV execpt at boot up. If you load all TBAV (ALL) prior to IV, you should/will get all the bells you like. 
You can say what you want, but understand that I like you product, and will continue to use it at boot up instead of the TBAV boot check, but there are real problems. If you e-mail Zeppelin at ALT.COMP.VIRUS I will return you mail with a call ! Otherwise, your just blowing smoke my friend. I know what I know. -Zep- ======================================================================== - -- William G. Hudacek Internet: whudace@dad.bgsu.edu University Computer Services Bowling Green State University ------------------------------ Date: Tue, 22 Nov 94 20:34:07 -0500 From: Michael Jackson Subject: Re: Stealth* What is it? Virus DB? (PC) Bryan M. Becker writes: >My company is having a problem with the Stealth* virus. I check the latest >VSUM (408) and it isn't included. What kind of virus is it? And are >there programs that have a virus DB on them like VSUM? Bryan, I think you're refering to the Stealth Boot Sector virus, or a stealth type virus. I give a run down on each one. The stea Stealth Boot Sector Virus does as its name implies, hide in the boot sector of the disk. This virus will infect both floppy disks and hard drives. If it is on a floppy disk it will go 'active' when the computer first reads the boot sector to determine the type of disk you installed (double-density or high-density). It doesn't matter if the disk is a program disk or a data disk. Once active it will write itself onto the hard drive boot sector. Most anti-virus programs will find the Stealth Boot Sector virus and clean it, however most people neglect to check *ALL* disks in the office to see if there This is very important, I've found as many as six other floppies infected, and each one of them had the potential to re-infect the hard drive. a Stealth type virus is a catagory of viruses that use programming methods such as hooking processor interrupts to hide its presence from simple detection methods such as the DOS commands DIR, CHKDSK, and MEM. Hope this helps. 
Mike Jackson
mrjackson@delphi.com

------------------------------

Date: Tue, 22 Nov 94 21:55:57 -0500
From: penguin@netcom.com (XENOPHOBE)
Subject: Ahhhhh! McAfee killed my files! (PC)

I'm using McAfee's [I don't know how it's spelled] 2.1.1:

I ran SCAN.EXE with the /av option to add AV verification to executable files. Unfortunately, I can't run many Windoze programs because the files fail the verification test because they are 98 bytes larger. I tried running:

SCAN /rv c:

It just scanned, but DIDN'T remove the AV. I ran this at least 3 times! Help me, I need to run those programs!

--
Don't expect me to cry for all the reasons we have to die.   : Pasadena, California
                                                              : Canter & Siegel got a Green Card

------------------------------

Date: Wed, 23 Nov 94 02:33:25 -0500
From: zaphod@dorsai.dorsai.org (Eugene Accado)
Subject: Re: Signalit PT virus maybe ? (PC)

Gary Novay (gn0j+@andrew.cmu.edu) wrote:
: Hello,
: I recently purchased a Quantex Pentium 90 multimedia system.
: It consists of 16 meg of RAM, 730 meg WD E-IDE drive,
: a sound card and speakers.
: fax/modem
: Colorado 250 tape backup, 5 1/4" and 3 1/2" floppies
: Double speed Sony CD-ROM
: DOS V.6.2 and Windows for Workgroups and lots of Windows software
: VSAFE is part of my autoexec.bat file
: I tested the machine and its vast selection of pre-installed software
: for 2 days, with no problems.
: My son used the A: drive to access a WordPerfect document from within
: Windows that he brought from school. The next time the computer was booted
: VSAFE detected a virus and suggested running MSAV to clean up the problem.
: Upon running MSAV, from the DOS prompt, an error message is generated
: that says
: Disk Error: Cause: Disk is write protected. If a virus is present, called
: "Signalit PT", how do I eradicate it?
: I don't understand how the hard drive can be write protected. I can
: copy files from directory to directory with no problem.
: Is there something strange about having a drive > 528 meg?
I can't tell you whether or not you really have a virus or if MSAV is giving you a false positive (false alarm). However, I learned today that MSAV does not run properly on drives over a certain size. It is either 520 or 540 megs, which is less than what you have. I don't know all the effects it will have on a hard drive, but it will mark everything above the maximum size as physically damaged areas. I know my information is sketchy. Hopefully someone has more info.

To me this is a really SERIOUS BUG in Microsoft software. What could be worse than software that is supposed to help correct a problem causing an even worse problem of its own?

Eugene Accardo

------------------------------

Date: Wed, 23 Nov 94 04:37:56 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: HELP: Form virus attacks Windows NT NTFS boot sector. (PC)

tito@ciunix.uc.pt (Paulo Jorge Pimenta Marques) writes:

[...short description of FORM virus deleted...]

>Under Windows NT, however, its effects are disastrous. I don't think the form
>virus could attack from within Windows NT itself, since the system is so
>robust, not allowing programs to mess up with the system. If, however, you
>boot up a PC with an infected floppy disk, the form virus attacks every
>partition it finds, not caring whether it is FAT, HPFS or NTFS.

[...more about FORM on Windows NT deleted...]

To remove the virus, try booting the infected hard disk from a clean copy of DOS (IBM, MS, Novell) and then try running your antivirus program. I've had luck with users doing this with VirusScan on Windows NT systems with FAT and NTFS volumes.

Regards,

Aryeh Goretsky
Technical Support
--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, Suite 200 | FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Wed, 23 Nov 94 04:43:15 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Help! Filler, GenB, GenP viruses (PC)

Hello,

While I usually respond to questions or comments about VirusScan in email directly to the poster, I thought I would reply in comp.virus since your question may be one that other users have.

Most likely the report of the Filler virus in memory was a false report due to the presence of other anti-virus software in memory which might be conflicting with VirusScan. As for the Generic MBR [GenP] and Generic Boot [GenB] reports, can you try running a later version of VirusScan (Version 2.1.3 (213) is the current release) and see if it is able to offer a more precise identification of which virus is present?

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/

achwong@hkusub.hku.hk (Albert C. H. Wong) writes:

>I really do not have any idea on how to remove Filler/GenB/GenP viruses
>from my PC. It is a mysterious matter. When I had just started my PC, I used
>VirusScan v117 to scan for viruses and there was no discovery. However,
>when checking for viruses the second time using VirusScan v117 again,
>the viruses came out. Then, all I could do was to reboot my PC with a
>clean VirusScan floppy disk. However, there was still no discovery even
>though I checked it several times. The viruses could only be detected again
>after I ran some programs from my fixed drives. But I was unable to
>clean them. Then, I used a newer version of VirusScan (v212) for virus
>checking. But nothing can be detected anymore. They cannot be detected
>by using Thunderbyte Anti-virus utilities either.
>
>Could anyone give me advice on this? Especially on how to clean the
>viruses? Otherwise, I have to format my hard disks, which I extremely do
>not want to do.
>
>Any comments will be greatly appreciated.
>
>--
> Albert Wong
> Mobile and Radio Communication R & D Group
> University of Hong Kong
> achwong@hkueee.hku.hk
> achwong@hkusub.hku.hk

--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, Suite 200 | FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Wed, 23 Nov 94 04:56:21 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Differences between McAfee products? (PC)

Hello,

[Since the answer is (I'm sure) of interest to people other than the poster I am replying through comp.virus rather than email. AG]

Version 2.x is McAfee's major revision of anti-virus software, and the two basic differences between it and the older Version 11x series are that it is faster than the older version and requires less memory to run. Other changes are more precise identification of viruses, automatic loading of the TSR into memory above 640Kb, and integrated scanning and cleaning for viruses.

Regards,

Aryeh Goretsky
Technical Support

/IN REPLY TO/

etate@mcl.bdm.com (C. Emory Tate) writes:

>Could someone please enlighten me as to the difference between
>McAfee's VirusScan 117 products and their 2.1.0e products?

--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, Suite 200 | FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Wed, 23 Nov 94 04:57:18 -0500
From: schirk@sbox.tu-graz.ac.at (Christian Schirk)
Subject: Re: A non-viral cause of Windows being slow (PC)

ANTHONY APPLEYARD (A.APPLEYARD@fs1.mt.umist.ac.uk) wrote:
> When Windows runs, it swops matter between RAM and a big hidden system file
> called (in my PC) C:\386SPART.PAR, which in my PC is 20,135,936 bytes long,
> but I have seen them over 60,000,000 bytes long. This should be consecutive,
> because of the way Windows accesses it. But, if you are installing or
> re-installing Windows and it can't find that much consecutive free disk space,
> it must set up C:\386SPART.PAR fragmented, and having to use a fragmented swop
> file makes Windows S----L----O----W as in `snail', and not a virus need be
> within a mile of the place. So, when (re)installing Windows, first:-
> (1) Delete any old C:\386SPART.PAR that may be in the PC.
> (2) Run the defragmenter in full "configure" mode.
> Note that the defragmenter won't defragment C:\386SPART.PAR, because it is
> marked as "not to be moved", because Windows accesses it by the absolute disk
> addresses of its various parts.

If you want to install a bigger permanent swop file, you have to edit the file SYSTEM.INI in the Windows directory.
Insert under [386Enh] the line:

PageOverCommit=5 (or bigger)

To get faster access to the swop file, insert the line:

PageBuffers=32

--
Christian Schirk alias schirk@sbox.tu-graz.ac.at

------------------------------

Date: Wed, 23 Nov 94 10:48:31 -0500
From: ok3@irz301.inf.tu-dresden.de (Olaf Krusche)
Subject: Re: Any1 who have info of the junkie virus (PC)

pi92ae@yngve.pt.hk-r.se (Andy Eskilsson (Flognat)) writes:

>We have just discovered the Junkie virus here at school, but we have
>no info about it. Are there any1 out there with some more knowledge
>that they would like to share?
>
>What virus killers/detectors do you recommend to get rid of the virus?

Try the latest F-Prot version...

--
Olaf Krusche, e-mail: ok3@irz.inf.tu-dresden.de
'It's simple. Change the graviton constant of the Universe.' ST-TNG: Q in 'Deja Q'

------------------------------

Date: Wed, 23 Nov 94 11:23:02 -0500
From: smoore@mail2.sas.upenn.edu (Sean David Moore)
Subject: 386Spar.par Virus? (PC)

I was wondering if I have a virus on my computer. I get this huge file >12MB that appears called 386Spar.par... its modification dates don't even coincide with when the computer was on. If I take a look at it, there is Boomerang... and a copyright, then a lot of crap with intermittent Windows response codes. What's going ON!?!?

Sean
--
Sean Moore
VAMC Philadelphia, Medical College of Pennsylvania, and the University of Pennsylvania...

------------------------------

Date: Wed, 23 Nov 94 11:24:50 -0500
From: jdw@cs.wustl.edu (j d wilson)
Subject: comp.os.ms-windows.setup (PC)

One of our users had found that his system was giving him an error with 32-bit disk access under WFWG v3.11. I had posted a message about this problem to the comp.os.ms-windows.setup group, and found one user there had three systems with this same problem. So we suspected a virus, and went to purchase the latest virus software. Well, we found one.

We think the virus came from one of his son's PCs at St. Louis University. NOT CONFIRMED. Several other students used his system, and it is uncertain where it could have come from. We suspect American Heritage Dictionary from Softkey Intl, some shareware from Sierra (Leisure Suit Larry?). In any case, we found that PCscan V2.6 (check it pro) found virus Azusa* in memory. SCAN 9.24 V113 by McAfee Assoc found NewBug, both GenB and GenP, on two different passes. We suspect it is the same virus. The user has fixed his disk drive and now he has the 32-bit disk access working once again.

I hope this posting helps someone else, and thanks to kevinm@cais.cais.com and B. E. Johnson for their input and replies. This virus may be new or an old one, I don't know, but we just now have found it.

john d wilson
TRIFID Corp
St. Louis, MO
314-991-3095
jdw@cs.wustl.edu

------------------------------

Date: Wed, 23 Nov 94 15:00:25 -0500
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: Thunderbyte anti-virus announcement messages (PC)

>: I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
>: (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
>: and its mirrors):
>
>: SimTel/msdos/virus/
>: tbav625.zip    Thunderbyte anti-virus pgm (complete) v6.25
>: tbavx625.zip   TBAV anti-virus - processor optimized versions
>
>I saw version 6.26 instead of 6.25. What happened to 6.25?
>

To clear this up once and for all: this announcement was *not* posted by me, but by Keith Petersen, maintainer of SimTel. All software that is uploaded to that site has an accompanying upload message, which is posted to (mostly) comp.archives.msdos.announce. For anti-virus software he also posts my mail to comp.virus, but because this is a moderated forum, with a moderator who should have 6 hands and three brains and 12 legs because of all the jobs he has to do, the messages are always (a few) days delayed. That's why I've stopped posting upload messages to this forum, because in other ways people can get to know about uploads.

TBAV v6.25 had a bug which was corrected shortly after the release, making the version v6.26... So far the explanation.

To be added to the TBAV new releases list, send me a mail. Thank you.

Piet de Bondt
bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date: Wed, 23 Nov 94 15:31:04 -0500
From: fpaterek@uceng.uc.EDU (Harald Paterek)
Subject: Re: Virus Found in MSAV.EXE (PC)

Talking about MSAV, does anybody know where I can find updated signature files for this program?

Harald
--
F. Harald Paterek   fpaterek@uceng.uc.edu
Call Congress today and oppose speed limits on the information

------------------------------

Date: Wed, 23 Nov 94 21:29:07 -0500
From: bobby mack
Subject: Re: Virus MTE-Encrypted (PC)

Before you start formatting your hard drive, make sure it isn't a false positive. I had an MtE alert on my PC and my Norton Anti-Virus 2.1 told me it couldn't clean any of it up. Needless to say, I freaked out and called Symantec. However, they told me that NAV 2.1 was generating false positives for MtE. Better make sure you don't have a false positive.

best,
bobby m

------------------------------

Date: Wed, 23 Nov 94 23:09:37 -0500
From: frederick870@delphi.com
Subject: Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC)

Lim Beng Cheng writes:

>Try FRONTLINE. When installed in your hard disk, it can detect and
>remove all boot viruses - past, present and future, including stealth ones
>and that Monkey virus. Since it is generic, no update is necessary.
>FRONTLINE has been carefully designed and thought out. It is the most
>reliable defence against boot viruses.
>Moreover, it is designed to
>complement your existing anti-virus software, thus saving your
>investment. It reliably detects and removes all boot viruses, even those
>missed by the anti-virus software. No false alarm!
>
>For more info, just email me. Thank you.

I would appreciate any information you have on Frontline. Many thanks in advance.

Fred Woodbridge

------------------------------

Date: Thu, 24 Nov 94 01:26:53 -0500
From: s935476@acs.csc.cuhk.hk (TSE CHI ON ANDREW)
Subject: NYB (PC)

Hello all!

Does anyone know the virus named NYB? It's a very new virus. Even the newest SCAN 2.1.3 still cannot kill that virus! So, does anybody know whether there's a cleaner for that virus NYB?

Thanks.

------------------------------

Date: Thu, 24 Nov 94 03:24:47 -0500
From: ANTHONY APPLEYARD
Subject: A SETUP funny on boot : virus or what? (PC)

I am in charge of 16 public PCs. 10 of them are PCSX 386s which are now a few years old. Some of them have developed a persistent, intermittent, slowly spreading malady. SCAN and VET show no virus now (but we have had Jumper alias _2kb in the past).

As an example, our PC #15 just now on cold boot displayed "512K Base memory, 03072K Extended. / Invalid configuration information - please run SETUP program / Strike the F1 key to continue, F2 to run the setup utility". I pressed F2, and its screen cleared, and displayed in blue: "Errors have been found during the power on self test in your computer. The errors were: / Incorrect configuration information in CMOS / Memory size in CMOS invalid / SETUP will attempt to correct these / errors through auto-configuration. / Hit any key to continue:". I then pressed RET. It gave the SETUP screen, blue on black, including "512K base memory, 3072K extended memory". I pressed F10 for "continue", and it booted.

The correct memory size for these PCs is 640K base memory, 5380 (or thereabouts) K extended memory. Sometimes in this error condition it finds those memory sizes OK, sometimes it finds 512K base memory and no extended memory. Any idea what is wrong? The other man in charge of this room can't find anything wrong, although he is accustomed to seeing the insides of PCs.

------------------------------

Date: Thu, 24 Nov 94 07:53:48 -0500
From: Jeff
Subject: Re: master boot record viruses (PC)

Good Morning,

At my place of work we just went through a virus called Parity Boot. What seems to happen with these boot record viruses is that they move to memory, then you do your low level format. When you are done and turn the machine off, the virus moves back to the hard drive. What I wound up doing is making a bootable disk from a "clean machine"; then, instead of accessing the hard drive, we purchased Norton Anti-Virus and ran it from the floppy drive, never accessing the hard drive right away. This prevents the virus from getting back up into memory. Norton scanned the drive, found the virus and killed it. We then began to do a load from the tape backup, but you can not reload any of the boot records from tape or you're infected again! All of our tape data was OK, as in your case.

By the way, Norton also has a subscription service that will mail you a quarterly update on new viruses. After what we have been through it is well worth the fee.

You can e-mail me at JEFFLUTTS@DELPHI.COM

good luck
jeff

------------------------------

Date: Thu, 24 Nov 94 08:00:49 -0500
From: Jeff
Subject: Re: GenB virus - Need Help (PC)

We just went through the same thing with a GenB virus, and every time we accessed the hard drive we had the virus again. Try the following:

1. Make your bootable disk on a clean machine.
2. Re-boot the infected machine and do not access the hard drive.
3. Run an anti-virus program from the floppy drive and let it access the hard drive, not you. We used Norton Anti-Virus.
4. With these GenB viruses, each time we accessed the hard drive it moved to memory and you have it again, even with a low level format. When you reboot, the virus moves from memory back to the hard drive, and we could not get it out.

The above finally worked by letting the anti-virus activate the hard drive.

------------------------------

Date: Thu, 24 Nov 94 10:19:30 -0500
From: wfg1001@hermes.cam.ac.uk (W.F. Grainger)
Subject: Rostov virus (PC)

Well, does anyone know ANYTHING at all about this virus? It's appeared once or twice with Dr Solomon's, but then it can't find it on the disk. I go "Whaaaat?" Please help!

Will Grainger

------------------------------

Date: Thu, 24 Nov 94 12:23:52 -0500
From: isaaclee@aol.com (Isaaclee)
Subject: new virus? (PC)

I found what may be a new virus and would appreciate help! The virus is undetectable by NAV 3.0, McAfee, and MSAV. It is detectable by the following test: in config.sys add himem.sys and emm386.exe devices; load smartdrv.exe and attempt to write to the hard drive. If you get emm386.exe exception error 00, the virus has found a home in your PC. The only way I could clear it out was to destroy the partition table, cold boot with a clean, copy protected DOS disk, fdisk, format, etc. and then restore data from a tape, not from floppies. Any thoughts, ideas or suggestions are welcome!... IsaacLee@aol.com, aka Lee Isaacson

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 98]
*****************************************
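Added note for this issue (not part of the digest). Two threads above, Mike Jackson's explanation of boot-sector viruses and stealth (hooked interrupts hiding the infection from DIR, CHKDSK and MEM) and Jeff's two replies on Parity Boot and GenB (boot from a clean floppy, do not touch the hard drive, let the scanner read it), come down to one check a practitioner can automate: after a cold boot from a clean, write-protected floppy, read each disk's boot sector raw and compare its code area with a baseline taken while the machine was known clean. The checker below is an example written for this page, not code from the digest or from any product named in it. The sector images, the single partition entry and the boot-code bytes are constructed for the demonstration and are not a real boot loader. It hashes only the 446-byte code area of a master boot record, because most MBR infectors overwrite the code and keep the partition table so the disk still boots; it also parses the table so a reader can confirm the table itself is untouched. The one assumption that matters is the clean boot: a stealth virus that has hooked INT 13h hands back the original sector to whoever reads it, so a sector read through an infected system passes this check.

```python
# Added example (not from the digest): a boot-sector/MBR integrity checker of
# the kind one would run after a CLEAN boot from a write-protected floppy.
# Every sector image below is constructed here for the demonstration.
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = 446            # bytes 0..445 hold the boot code
PART_TABLE = 446           # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"     # bytes 510..511
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(sector):
    """Return the non-empty partition entries of an MBR as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE + 16 * i)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba": lba, "sectors": count})
    return entries


def code_hash(sector):
    """SHA-256 of the code area only; a legitimately edited partition
    table must not raise an alarm, a rewritten boot loader must."""
    return hashlib.sha256(sector[:CODE_AREA]).hexdigest()


def check_sector(sector, baseline_hash):
    """Return a list of findings; an empty list means the sector matches.
    Only meaningful if `sector` was read after a clean boot: a stealth
    virus hooking INT 13h returns the original sector to this code."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("unexpected sector length")
        return findings
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 55AA boot signature")
    if code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    return findings


def scan_disks(disks, baseline_hash):
    """Check every disk image handed in (hard disk AND every floppy in the
    office), since any one infected floppy can re-infect the hard drive."""
    return {name: check_sector(sec, baseline_hash) for name, sec in disks.items()}


def make_mbr(code, entries):
    """Build a constructed 512-byte MBR image for the demonstration."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed boot code: distinct byte patterns, not real loaders.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (CODE_AREA - 8)
INFECTED_CODE = b"\xea\x05\x00\xc0\x07" + b"\x90" * (CODE_AREA - 5)
PARTITIONS = [(True, 0x06, 63, 1_000_000)]   # one bootable FAT16 partition

CLEAN_MBR = make_mbr(CLEAN_CODE, PARTITIONS)
INFECTED_MBR = make_mbr(INFECTED_CODE, PARTITIONS)   # same table, new code
BASELINE = code_hash(CLEAN_MBR)                      # recorded while clean


if __name__ == "__main__":
    disks = {"hard disk": CLEAN_MBR, "floppy A": INFECTED_MBR}
    for name, findings in scan_disks(disks, BASELINE).items():
        print(f"{name}: {findings or 'OK'}")
```

The baseline has to be retaken after anything that legitimately rewrites the boot code (SYS, FDISK /MBR, a new operating system), otherwise the next run reports a change that is not an infection. On a floppy there is no partition table; the same signature and hash checks still apply, with the hash ideally covering all 510 bytes before the signature rather than the first 446.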