VIRUS-L Digest   Wednesday, 21 Dec 1994    Volume 7 : Issue 102

Today's Topics:

POSSIBLE TROJAN ALERT - Software Vault Gold Collection CD-ROM (PC)
Re: Virus List via Gopher or WWW?
Re: Research assistance request
Re: Need basic virus information
Virus CD-ROM
Re: Need basic virus information
sep.14, 1996! READ!!
OS/2 Virus'? (OS/2)
Serial Port Virus ??? (PC)
Virus Help Requested (PC)
Re: MSAV / F-Prot comparison (PC)
parity check virus - activated on perl harbor day?? (PC)
Re: Removing boot sector virus from B: (CANSU/V-sign) (PC)
Re: McAfee VirusScan 2.1.* (PC)
Re: How do you get rid of Pinworm? (PC)
AntiCMOS B (PC)
"form" virus, how to get rid of it (PC)
TH TH virus? (PC)
Re: 386Spar.par Virus? (PC)
F-Prot PRO vs. Shareware (PC)
Re: Network Antivirus NLM's / need advise (PC)
Re: Can a virus spread like this? (PC)
Re: Am I Stoned Again? (PC)
Re: Rostov virus (PC)
Question re: Form Virus (PC)
Re: new virus? (PC)
Exebug apparently surviving boot (PC)
New Bug (PC)
PC SAFE H/W AV product? (PC)
Re: A SETUP funny on boot : virus or what? (PC)
Re: One Half Virus (PC)
Natas Virus (PC)
Tai-Pan (PC)
Re: NAV 3.0 updates ? (PC)
Re: Virus-Made Directories (PC)
Re: Best form of Virus Protection? (PC)
Re: MSAV / F-Prot comparison (PC)
Re: F-Prot (PC)
HAPPY Virus? (PC)
Re: Anti CMOS virus - help! (PC)
Stealth C virus (PC)
B variant of jumper virus (PC)
Tell me how to find and remove this virus (PC)
Re: Need info: Trident Virus (PC)
NOVI antivirus software good? (PC)
More memory scanning (was: Help! Filler...) (PC)
Just how safe is VSAFE? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 20 Dec 94 14:08:23 -0500
From:    HRRWood@aol.com
Subject: POSSIBLE TROJAN ALERT - Software Vault Gold Collection CD-ROM (PC)

[Moderator's note: With all of the recent Internet hoax messages floating around (e.g., "Good Times", "xxx-l", "Microsoft buying the Catholic church"), I was hesitant to accept this posting at face value; it is early in the morning, and I don't have any independent verification on this message, so I would consider it prudent for anyone reading this to verify with the CD vendor before taking action.]

The following message was taken off of the WildNet Virus conference 19 December 1994:

- ------------------------------------------------------------------------
Date: 12-16-94                  Msg # 98
To:   ALL                       Conf: (125) Virus'-WN
From: ROBERT KEMPER             Stat: Public
Subj: WARNING WARNING WARNING   Read: Yes
- ------------------------------------------------------------------------

I discovered a Trojan on the Software Vault Gold Collection CD. Under the utilities section is a supposedly shareware virus scanner that will damage any disk you attempt to scan. The file name is SCCL100.zip. DO NOT ATTEMPT TO RUN THIS PROGRAM! I have notified American Databankers Corp and they have confirmed that this program is designed to damage disks and will be removed from future CD's.

Copyright 1994 Robert L. Kemper Jr.

- --- ~ TNet 3.60 w WILDNET: The Right Note!
- MUSIC ORIENTED BBS - 502-452-1453

///////////////////////////////////////////////////////////////////////////

Thanks Robert, great catch!! The staff at The Scanner went into action and went looking. We found this program on 8 CDs total in our area and made the proper notifications to the sysops. Here are the CDs and the areas the program was found in:

CD Title                   Area
- --------------------------------------------------------------------------
Shareware Vault Gold       Virus Detection and Prevention
Shareware Studio #4        Virus
Tech Arsenal               Anti-Virus Utilities
Cream of the Crop II       Virus Prevention
Hobbes OS/2                MAC File Viewers
Best of Bizzness '94       Virus Utilities
Best of Shareware '94      MAC File Viewers
Night Owl #9               Virus

The file is 709180 bytes with a file date of 05-26-93. This program claims to be a *virus scanner*. The program will start out asking you what drive you want to scan. Upon entering a drive letter you are immediately taken to a screen where the alleged scanning is taking place. The unsuspecting victim will observe a Scanning box and a Status box on the screen. As the Scanning box fills (showing the percentage of the disk that is scanned) the status box shows the message: "Scanning Memory ...." Once the Scanning box reaches 100%, the status box then reports "Memory appears to be clean ....". Now the program performs the alleged disk check. The Scanning box once again will display the percentage of the disk being scanned and the status box displays the following message: "Now performing check on disk.... Please Wait ...." Now the fun begins. The Scanning box will go the screen's width several times and then stop. The Status box displays the following message: "Uh Oh....Virus Detected...." Upon hitting the return button this message comes up: "Trying to gain control of vital areas...." After a few seconds the final message comes up as: "Cannot destroy virus !!!!" The system is waiting for a RETURN from the user.
The light on the A: drive goes on and the damage is now in progress. After the drive stops, the system is locked up. The system needs to be rebooted again. After rebooting, the unsuspecting user then looks at the disk in the A: drive to see if the "virus" has been removed, only to find the disk deleted and unformatted.

That, folks, is a TROJAN. A program that claims to do something, but in reality does something else unbeknownst to the user.

//////////////////////////////////////////////////////////

I am planning on putting this out in the next SCANNER. If you feel it is something that needs to get out before then, feel free to edit it any way you see fit and use it for the Virus-L or VLERT.

------------------------------

Date:    Thu, 08 Dec 94 13:55:48 -0500
From:    Mikko Hypponen
Subject: Re: Virus List via Gopher or WWW?

dave@io.org (David E. Beaupre) wrote:

> I was wondering if anyone has started or is maintaining an extensive
> list of virus which describe:
>
> Virus Name, Virus Type, Files Affected, Method of Prevention, What the Virus
> does
>
> Does anyone know of such a document which might be available from a
> gopher or WWW server.

Take a look at our popular virus description service available at www.datafellows.fi. We also have links to other virus information sites in the web. The full URL to this service is 'http://www.datafellows.fi/vir-desc.html'.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date:    Sat, 10 Dec 94 22:18:02 -0500
From:    Michael Jackson
Subject: Re: Research assistance request

JENNELYN J FAJARDO writes:

>Hi everybody! I'm doing a research about computer viruses...
>How serious is it and what damages can result from it?

That is a very general question, and it would take quite a bit of space to answer it.
Start by looking in the document files for both the F-Prot and TBAV anti-viral programs. Both of them give a good discussion of what types of viruses there are and the damage they can do.

-Mike
mrjackson@delphi.com

------------------------------

Date:    Sat, 10 Dec 94 22:43:31 -0500
From:    Michael Jackson
Subject: Re: Need basic virus information

Gary S. Hutchins writes:

>Where can I get a list of all known viruses (name, description, possible
>damage, etc.)?

Big question, known to whom? Best place to start is Patricia Hoffman's program VSUM. Also, most of the anti-virus programs have a database section which provides information on viruses.

>Where can I get a list of all occurrences of the accidental release of
>viruses by commercial companies?
>
>Have there been any lawsuits because of the accidental release of viruses by
>commercial companies or individuals?

There have been occurrences, but since I don't have exact details, I'll leave this alone. I haven't heard of lawsuits because of this.

>What are the top 10 virus detection programs on the market today?

This depends on who you're talking with. I haven't seen a comprehensive list yet that wasn't challenged by one group or another.

-Mike
mrjackson@delphi.com

------------------------------

Date:    Tue, 20 Dec 94 11:58:02 -0500
From:    ac87@ns.cityscape.co.uk (ac87)
Subject: Virus CD-ROM

I've just received the latest Dr Solomon's Anti-Virus Toolkit, with which came a newsletter. In this newsletter it mentioned that in the US a CD-ROM is available with 4000 viruses, and includes writing tools etc. As a software developer I would be interested in obtaining it, not to make viruses (the company I work for has been on the receiving end and they caused havoc), but to look at for protecting software, polymorphic programs etc.

One thing I need to know: how does the UK stand on the matter? Am I allowed to have the CD as long as I don't release any? If it is OK to own it, how do I get hold of it, and how much?
DB

[Moderator's note: Follow-ups via e-mail, please.]

------------------------------

Date:    Sat, 10 Dec 94 05:12:32 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Need basic virus information

prosys@Cybernetics.NET (Gary S. Hutchins) writes:

>Where can I get a list of all known viruses (name, description, possible
>damage, etc.)?

You cannot. That is, there is no single list that lists *all* viruses (currently above 5500 DOS viruses). There are lists that list the majority of them, there are sources of descriptions, often incomplete or inaccurate... combining the lists is not an easy task.

>Where can I get a list of all occurrences of the accidental release of
>viruses by commercial companies?

You cannot. Some of the more interesting ones have been kept secret... known only to the company and a single AV vendor that helped them clean up the mess.

>Have there been any lawsuits because of the accidental release of viruses by
>commercial companies or individuals?

Not *yet*, as far as I know.

>What are the top 10 virus detection programs on the market today?

Depends entirely on what you mean by "top 10". Market share? Detection rate? Accuracy? Disinfection ability? Detection of "new" viruses?

- -frisk

Fridrik Skulason      Frisk Software International      phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-617274

------------------------------

Date:    Sun, 11 Dec 94 22:36:20 -0500
From:    chewy@atl1.america.net (Matt cline wall)
Subject: sep.14, 1996! READ!!

My brother received a book of binary text the other day, and he is currently having it unencrypted. The only thing they have out of it right now is the date September 14, 1996. Ga. Tech are the ones doing the work. We were wondering if there were any viruses that are supposed to go off that day, because that's what it looks like. If we find anything out, I will let you know. If anyone knows if this might be a virus, please e-mail me, address below. Thanks for any help.

Matthew D. C.
Wall
chewy@america.net

------------------------------

Date:    Tue, 20 Dec 94 11:53:24 -0500
From:    "David M. Chess"
Subject: OS/2 Virus'? (OS/2)

> From: lrgray@ix.netcom.com (Lee Gray)
> First off, are there viri out there designed specifically for OS/2? If
> so, can somebody please supply names, etc... I have done a scan through
> my latest copy of VSUM and could not find any virus reference to OS/2.

There are at least two known viruses that run under OS/2 itself, but both are only "laboratory viruses" at the moment; meaning that someone with nothing better to do (hard to imagine, eh?) wrote them up and distributed them around various K00L HACKERZ boards and such. Neither has ever been seen "in the wild" (spreading from innocent user to innocent user), and neither is very likely to be (both are non-resident infect-files-in-this-directory sorts of thing, which historically do not spread well). The names usually used for them are OS2VIR1 and JISKEFET.

> And, can OS/2 become infected by a virus? My manager claims that with
> the new memory mgmt. performed by OS/2 a virus cannot infect it.

Viruses can be written for basically any general-purpose operating system, I'm afraid. It'd certainly be somewhat more work to write a resident infect-on-execute file infector for OS/2 than it is for DOS, because memory and process management are somewhat more complex under OS/2.

As long as the system is BIOS compatible, boot viruses can spread to OS/2 machines, since when you boot from an infected diskette the virus runs long before the operating system gets control. On the other hand, I've never seen a boot virus spread *from* an OS/2 machine, since boot viruses spread by hooking the BIOS real-mode diskette-IO vector, and OS/2 never uses that.

File-infecting viruses written for DOS can sometimes function in OS/2 VDMs (Virtual DOS Machines), depending on whether or not they are "well behaved" (in the sense of using only documented or otherwise supported DOS functions).
Some viral damage routines (direct writes to the hard disk, for instance) won't work from OS/2 VDMs; others (erasing lots of files, for instance) will.

There are some good OS/2 antivirus products on the market; I recommend IBM AntiVirus/2, for instance (note that I'm not unbiased!). The IBM AntiVirus suite also includes an NLM for Netware (since someone asked).

- - -- -
David M. Chess                  | Remember: it's your pineal gland,
High Integrity Computing Lab    | but it's their antenna!
IBM Watson Research             |     -- Shieldworks

------------------------------

Date:    Thu, 08 Dec 94 08:56:26 -0500
From:    russadam@access.digex.net (Russ Adams)
Subject: Serial Port Virus ??? (PC)

Is there a virus that attacks serial ports on PCs? I'm having serial port problems after downloading communication software for a PPP connection. I've swapped modems between the computer having the problem and a computer that could not have been infected, and the modem works. I've run tests and verified that the serial port hardware is working. I've tried communication over the same phone line using the problem PC and the one that is working. The problem occurs whether running a communications program under Windows or DOS. All other programs seem to be working properly. I've run F-PROT and come up clean. The only things left are a motherboard problem, flaky hard disk, or some type of virus.

Russ Adams

- --
Russ Adams
russadam@access.digex.com

------------------------------

Date:    Thu, 08 Dec 94 11:01:27 -0600
From:    Karen Adkins
Subject: Virus Help Requested (PC)

Virus Help Requested for Meridian Community College, Meridian, Mississippi, US

On Dec. 1st a virus appeared on campus. Approximately 100 computers were infected. All of the hard drives infected would not boot. Used Norton to rebuild partition tables, FAT tables & boot sectors. Used Norton to make C drive bootable again. Ran CPAV ver 2.2 and could not find any virus. Ran F-Prot ver 2.15 and could not find any virus. In 1 computer CMOS had to be reinitialized.
Since computers have been made bootable again, hard drives have once again begun crashing. Types of computer affected include: Memorex Telex 486, CompuAdd 386SX, Gateway 2000 486, and IBM PS/2.

Any help you can provide would be greatly appreciated. Please respond in non-technical language. I am passing this message from the computer lab personnel. I am not well versed in computer technology, I just happen to have Internet access. Thanks.

------------------------------

Date:    Thu, 08 Dec 94 13:58:02 -0500
From:    karpens@iluvatar.ncssm.edu (------Simon------)
Subject: Re: MSAV / F-Prot comparison (PC)

I have some experience with this. A friend's system was infected with Stealth Boot C. They lost lots of files because they had been relying on MSAV for virus protection. On a clean boot (both), MSAV said the disk was clean; then I ran F-Prot. It found and removed the virus.

Simon

- --
*******************************************************************************
*  Simon Karpen               karpens@ncssm-server.ncssm.edu                  *
*  flames to /dev/null        Linux: choice of the GNU generation             *
*  #include                   I don't speak for NCSSM                         *
*******************************************************************************

------------------------------

Date:    Thu, 08 Dec 94 14:12:44 -0500
From:    pta00@amail.amdahl.com (Paul Adams)
Subject: parity check virus - activated on perl harbor day?? (PC)

Both a coworker and myself received a "PARITY CHECK" message on our PCs last night around 9pm. The PC required a h/w reset to come back up. Now the symptoms are: unable to format a floppy in drive A, can't boot from drive A (DOS says booting from removable media, then uses the C drive to boot). Several programs will now hang the PC (xtree, msav). I don't know how bad the damage really is - although without being able to boot off a floppy, I'm afraid this is going to be a MAJOR headache. One more thing I should mention is that we both are using Stacker 4.0 and make extensive use of software found on the internet.
Any other unfortunate souls out there (or has anyone beat this virus yet???).

Thanks for any help,
Paul - email to the above OR juts.ccc.amdahl.com!pta00

------------------------------

Date:    Thu, 08 Dec 94 16:49:04 -0500
From:    JeffRogers@ccmail.turner.com (Jeff Rogers)
Subject: Re: Removing boot sector virus from B: (CANSU/V-sign) (PC)

>> )Hi all, recently, I found a boot sector virus on a 3.5" floppy. Scan211e
>> )calls it CANSU, fp214 calls it V-sign. Neither scan211e /clean nor
>> )clean117 can remove it. :(

clean117 can remove it with CLEAN C: [CANSU]

Scan 211 won't remove Cansu, as far as I can tell...

EMAIL ADDRESS: jeff.rogers@turner.com
Roll Tide Anyway!

------------------------------

Date:    Thu, 08 Dec 94 16:56:53 -0500
From:    JeffRogers@ccmail.turner.com (Jeff Rogers)
Subject: Re: McAfee VirusScan 2.1.* (PC)

>yet we find that to be bogus. Indeed, we have been unable
>to remove the virus which is reported as "Stealth-C" by Scan
>with 2.1.2 ... tech support at McAfee first told us to get
>2.1.3, which we did, and are now telling us to use 117 (the
>"old" "Clean.exe" from McAfee), because SCAN 2.1.X is UNABLE
>TO REMOVE BOOT SECTOR VIRUSES!

I have had this same difficulty with the 2.1.x version of McAfee... we have a site license, but I have gone back to using Clean117 to clean systems.

EMAIL ADDRESS: jeff.rogers@turner.com
Roll Tide Anyway!

------------------------------

Date:    Thu, 08 Dec 94 18:34:02 -0500
From:    mmessier@emerald.tufts.edu (PapaGino)
Subject: Re: How do you get rid of Pinworm? (PC)

Joseph Volence (jvolence@delphi.com) wrote:
: How do you get rid of the Pinworm virus?

As a second note, is there a safe way to examine it? (I currently have a zipped copy.)

- --
PapaGino

I didn't know, (I didn't know that I was that far gone),
I didn't know, (I didn't know that I was that far gone)...
Pardon me Doug, is that a picture of Otis Redding, (Yeah yeah yeah),
Taken just before he di-highed, why don't you give me his hide...
                                                        -?????????
------------------------------

Date:    Thu, 08 Dec 94 18:39:21 -0500
From:    tguen@ix.netcom.com (Tom Guendelsberger)
Subject: AntiCMOS B (PC)

This little nasty has been diagnosed on several machines at work. Does anyone have information about the symptoms and behavior of this virus? (So far it seems to affect 32-bit Windows access.) Is there a FAQ that contains such info?

Thank you.

------------------------------

Date:    Thu, 08 Dec 94 19:08:29 -0500
From:    p_ravix%csc32.dnet.dec.com@nntpd2.cxo.dec.com ()
Subject: "form" virus, how to get rid of it (PC)

Hi,

I've been infected by a "form" virus (boot sector). Anybody's help to get rid of it will be greatly appreciated.

Thanks
Philippe

------------------------------

Date:    Thu, 08 Dec 94 22:52:55 -0500
From:    jnaughto@ee.ryerson.ca (JASON NAUGHTON)
Subject: TH TH virus? (PC)

Hello, I'm just looking for information about the "TH TH" virus. I have been working along on my PC for some time with no problems. I had bought a software package years ago and un-installed it some time back. I decided to reinstall it, but this time vwatch tells me that the TH TH virus is attached to a file and will not let me install. Yet I can't get the blasted thing cleaned off; nothing recognizes it when scanned. The only thing that sees it is vwatch... Could someone tell me some info on this virus so I know what I'm dealing with? If anyone else has encountered this virus, tell me what you did to get rid of it.

Cheers
Jason Naughton

PS: Please respond through e-mail, the net is noisy enough...

------------------------------

Date:    Thu, 08 Dec 94 23:49:45 -0500
From:    summer@panix.com (SummerCat)
Subject: Re: 386Spar.par Virus? (PC)

Forsooth, on 8 Dec 1994 18:21:29 -0000 did [Sean David Moore] write:
: I was wondering if I have a virus on my com.
: I get this huge file >12MB that appears called 386Spar.par...its
: modification dates don't even coincide with when the computer was on.
: If I take a look at it, there is Boomerang...and a copyright.
: then a lot of crap with intermittent Windows response codes.
: What's going ON!?!?

Sean, this is not a virus (although the Boomerang part is a mystery to me...). In Windows, you can create either a temporary or permanent "swap file" to facilitate faster operation in that environment. Temporary files are, of course, deleted when you exit Windows. The permanent swap file has the filename 386SWAP.PAR or something like that; the size is based on the amount of free disk space you have left on the hard drive. In other words, the file is okay....

[Moderator's note: No fewer than 50 responses to this question were posted to the group. I won't be posting all of them. However, if anyone has substantive follow-ups, of course, I'll post those.]

_____________________________________________________________________________
Roland R. Thomas | Internet: summer at panix dot com | MCIMail: 648-6491
Fudd's First Law of Opposition: Push something hard enough and it will fall over.

------------------------------

Date:    Tue, 20 Dec 94 10:57:59 -0500
From:    LARRY BROWN <72712.706@compuserve.com>
Subject: F-Prot PRO vs. Shareware (PC)

In reference to Julian Ilicki's question about the differences between F-Prot's Shareware & Professional versions, I am pretty sure that they use the same engine/database - the major difference is that the Pro version also includes an integrity-checking TSR and associated utilities. You also get support from a US-based company, which provides quicker response than e-mail to Iceland! No offense intended, Frisk, but e-mail to Iceland COULD be a tad faster!!

Larry Brown

------------------------------

Date:    Tue, 20 Dec 94 11:55:16 -0500
From:    "David M. Chess"
Subject: Re: Network Antivirus NLM's / need advise (PC)

IBM AntiVirus for Netware is an NLM that has (if I do say so myself) a very good detection rate, low overhead, and all like that there. The Number to Call in the U.S. is 1-800-742-2493; in other countries, contact your local IBM office.
DC

------------------------------

Date:    Tue, 20 Dec 94 11:59:02 -0500
From:    "David M. Chess"
Subject: Re: Can a virus spread like this? (PC)

> From: dhusson@novell.business.uwo.ca
> Doing a dir of an infected floppy will load the virus into memory in
> the case of the ANTIEXE and STONED.HENGE. The Viruscan software picks
> this up. If you write a file to your hard disk, the hard disk does
> become infected.

This is not correct. Doing a DIR of an infected diskette may load the virus into memory (because the virus is in the boot record, and the boot record is read into memory, and may get buffered or cached and therefore stay there for awhile), but the virus will not be *executed*, and the hard disk cannot become infected that way. If the system is clean, doing a DIR on an infected diskette and then writing a file will *not* cause the hard disk to become infected. To infect the hard disk, the virus must execute. That means, for a boot virus, booting from an infected diskette (even if the diskette isn't a system diskette, and the "Non-system disk or disk error" message appears, the virus will still have run, and may have infected the hard disk).

DC

------------------------------

Date:    Fri, 09 Dec 94 09:27:12 -0500
From:    Zvi Netiv
Subject: Re: Am I Stoned Again? (PC)

-=> Quoting Steve Leung to Zvi Netiv on Fidonet <=-

 ZN> Seems that you don't have the virus anymore, as if you had, then
 ZN> _both_ drives should have it. These are probably the remains of
 ZN> Monkey, on your second drive. Monkey becomes active only if the first
 ZN> drive mbr is infected. If I recall, your first drive is an IDE and the
 ZN> second one is a SCSI.

 SL> The thing is that my IDE is the one where F-Prot says Monkey is
 SL> hiding.

I saw someone suggested that you use ResQdisk for fixing whatever problem was left on your hard disk. The following is guidance of what to look for with ResQdisk and how to use it. These are snapshots of the mbr content, as seen by ResQdisk.
Since hi-ascii characters are not accepted in e-mail, I replaced them with "x"s.

The first is how a healthy mbr looks. It contains a tiny bootstrap program, less than 256 bytes, and the partition data - a 4 by 16 bytes block. The message at the end of the bootstrap program is typical and its presence can be used as a visual clue that all is OK. Note also two additional clues, the one at the top left corner, and at the bottom right.

-------------------------------------------------------------------
|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxxxxxxx < bootstrap program > xxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxx Invalid partition table Error loading operating syste  |
|m Missing operating system                                       |
|                                                                 |
|                            < empty >                            |
|                                                              xx |
|xxxxx < partition data blocks > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxU¬ |
└-----------------------------------------------------------------┘

The next is what you see in the mbr when it is infected with Monkey. Note that Monkey's code occupies most of the sector and it overwrites the partition data block (that's why you can't access the drive when booted from a floppy). When booted from an infected drive, then you should be able to toggle between the two views: the lower one (the virus) will show with SeeThru ON (use F9) and the upper one with SeeThru OFF.
┌-----------------------------------------------------------------┐
|δxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxxxxxxxx < Monkey virus code> xxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
|xxxxxxxx < overwritten partition data > xxxxxxxxxxxxxxxxxxxx U¬  |
└-----------------------------------------------------------------┘

If what you see in both states is the good one (top), then there is no infection at all. If OTOH you see the infected (lower) sector in both states, that means that the virus can't spoof int 13h because you have either a 32 bit access controller, or a 32 bit access driver, or that you are working from a virtual DOS machine environment - such as from enhanced mode Windows. The latter may present quite an advantage in speed in normal operation, but will interfere with the removal of Monkey.

First, exit Windows completely if in Windows. If you use some 32 bit access driver in the config.sys, then REM it out for the cleaning and reboot. If then you still can't see the clean mbr with SeeThru OFF, then you have a 32 bit access disk controller and the only way to remove Monkey will be by using XMONKEY (written by me, freeware) after booting clean from a floppy. Your drive won't be accessible at this stage, but will surface again after XMONKEY removed the virus and you reboot.

 ZN> You probably used FDISK to create new partitions on both drives as
 ZN> Monkey messed them up. While doing this, FDISK wrote a fresh

 SL> Yep. That was before anyone told me not to...

 ZN> If it bothers you, then here is a method to cure that little problem.
 ZN> Change your first IDE drive to "not installed" in the CMOS setup.
 ZN> Boot from a DOS 5+ floppy, having the FDISK program on it. See if you
 ZN> can access the SCSI drive, it should be C: now. _ONLY_ if yes, then
 ZN> run FDISK/MBR, install back the IDE drive in the CMOS and reboot.

 SL> I'll give that a try and let you know...

Zvi Netiv, InVircible          NetZ Computing Ltd. Israel
ftp.datasrv.co.il/user/netz    Fax: +972 3 5325325
===========================================================================

- -----------------------------------------------------
Subj: Re: VIRUS HELP! Junkie (PC)

-=> Quoting Chris Lee to All on Fidonet <=-

 CL> I need some help.. I ran McAfee Scan v117 over my HDD a while ago, and
 CL> found the Junkie [Junk] virus, and it had infected a few files, so I
 CL> reinstalled the infected files, and ran scan and it was all gone, but
 CL> now I realise it's back.. I only did a scan today as a friend at school
 CL> said he has it also and that he deleted the infected files and
 CL> reinstalled them, and it came back later, the McAfee docs has no info
 CL> on this virus, so I have no idea what it does.

 CL> If anyone knows what this virus does, and if it's safe to just leave
 CL> it, then please let me know.

Junkie isn't "safe" to leave there. In fact no virus is safe to be left in a machine, as it may have a payload that triggers at a later date. Junkie has no particular payload, just a few "bugs". One of them is that it corrupts EXE-structured files having a COM extension, 4DOS.COM and NDOS.COM for example. The computer will hang on booting if one of the two got infected. I don't know about IBMBIOS.COM and IBMDOS.COM, but I guess Junkie will mess these too and hang the machine.

The reason the infection is back is because CLEAN 117 didn't remove Junkie from the mbr.
Junkie has two modes of propagation, from an infected boot sector / mbr or by execution of an infected file. SCAN/CLEAN 117 does spot the infected files and deletes them, but misses the mbr infection, and once you rebooted, the Junkie infection started all over again. One way to go is to boot clean from a DOS floppy, run CLEAN and let it remove all the infected files, run FDISK/MBR and reboot. The machine should be clean now; replace the deleted files from backup.

A long range solution, if you don't like to constantly update your antivirus software, to stay clean from Junkie as well as from other viruses, is to register your copy of InVircible. Since Junkie is a common and widespread virus, IV will remove it from files (not erase, but clean the files). IV's scanner policy is not to bother about every new virus since its generic recovery can remove almost every common or new virus. Yet, this requires that you install IV on your machine _before_ it was hit, even in its Sentry mode (freeware - unregistered). IV is also gentler on your computer resources (speed, memory, memory conflicts) and applications and does not take over your machine, unlike some AV scanners and TSRs do.

Regards,

Zvi Netiv, InVircible          NetZ Computing Ltd. Israel
ftp.datasrv.co.il/user/netz    Fax: +972 3 5325325
===========================================================================

- --------------------------------------------
Subj: Re: Anti-virus Practice Lab (PC)

 ML> I tried to use the AVPL and couldn't get the stone virus to do
 ML> anything.

 ML> I know it is supposed to flash a message on the screen saying " Your
 ML> PC is stoned" or something to that effect and it doesn't.

Stoned isn't "supposed" to do anything. The message appears sometimes when you boot from an infected _non bootable_ floppy.
ML> I know it is there cause when i run TBAV and F-PROT, they both get
ML> excited and flash a message saying " Stone virus in memory and on
ML> MBR" Why couldn't you have this pc is stoned flashed on the screen??

As explained in the on-line guide, the AVPL viruses were "tamed" not to replicate from floppies, so that they cannot get in the wild. Therefore you cannot produce a diskette infected by Stoned, and consequently you can't see the message on screen while booting. Yet you can see the message easily by "infecting" with Stoned and then running ResQdisk, also in the AVPL package. You will see the (in)famous message "Your PC is now Stoned, LEGALIZE MARIJUANA!". Fair enough?

Zvi Netiv, InVircible
NetZ Computing Ltd. Israel
ftp.datasrv.co.il/user/netz
Fax: +972 3 5325325
========================================================================

- -----------------------------------------------

Subj: Zappa - new virus - follows Michelangelo (PC)

Has anybody seen the Zappa virus in action? On December 4th it trashed the first 255 cylinders of infected hard disks, after announcing "Dedicated to ZAPPA...". The sample I collected was from a government PC, _after_ the hd was gone. Unfortunately they used DoubleSpace on C:, so that it was impossible to recover anything, as the CVF header was wiped out. Had they not used disk compression, quite a lot could have been recovered by using ResQdisk, and then UNFORMAT C: /U. Worth remembering, as it works in Michelangelo's case too.

Zappa resembles Michelangelo in many aspects, including the payload. If anybody lost a disk on December 4th, the Zappa virus could be the reason. Can anybody tell what's the connection between Zappa (probably Frank Zappa) and the date of December 4th? The message isn't visible in the code, as it is encrypted. Zappa infects floppies' boot sector and the hd MBR.
Unlike Michelangelo, Zappa does not relocate the original MBR of the hd, yet it relocates floppies' boot sector the same way Mich, Stoned and many other BSIs do, i.e. to the end of the root directory sectors. Zappa does not use stealth. It is easily detected and removed by generic detection and removal. IVINIT will announce there is memory stealing at booting and then indicate the presence of a boot infector. Zappa can be removed by IVSCAN (registered only) or by ResQdisk (Sentry mode too). Fdisk/mbr will remove Zappa from the hd, once you know that there is an MBR virus. Yet it's safer to do it under the visual inspection of ResQdisk, to assure there are no hidden traps. You can remove Zappa from floppies with the registered IVSCAN, or just with Fixboot, provided as freeware with AVPL. :-)

Regards, Zvi Netiv, InVircible
Available from ftp.netcom.com/pub/an/antivir/invircible/
NetZ Computing Ltd. Israel
ftp.datasrv.co.il/user/netz
Fax: +972 3 5325325
========================================================================

- ------------------------------------------------

Subj: Re: ANTICMOS boot virus (PC)

-=> Quoting Dell Garner to All on Fidonet <=-

DG> I've had a virus identified by McAfee VirusScan and F-PROT as
DG> ANTICMOS A, but have been unable to locate any information about it.
DG> I know that it's a memory resident virus that infects the master boot
DG> record of hard disks, and the boot sector of diskettes. What I'd like
DG> to know is what its destructive nature is, if any, and what triggers
DG> its actions.

What difference does it really make what the "destructive nature" of this virus is? If I tell you that it isn't destructive, would you let it stay on your hard drive and floppies? From the drastic measures you took it seems not!
DG> I used McAfee's CLEAN to remove it from hard disks, and reformatted
DG> infected diskettes, though I imagine I probably could have just
DG> rewritten the boot sector. At home, I took the extreme measure of
DG> low-level formatting my hard drive, and formatting all infected
DG> diskettes.

Extreme measure indeed! Now suppose that the DOS floppy from which you reconfigured and rebuilt your hd at home was infected by AntiCMOS. Maybe the whole trouble of low-level formatting was in vain?

DG> Though this seems to have eradicated the virus, I'm concerned with
DG> the CMOS part of the name and its implications. Does this refer
DG> to the possibility of the virus scrambling CMOS, or does it mean
DG> that the virus transfers itself to CMOS (is this possible)?

No, it's impossible! The CMOS stores 64 data bytes, and if there is one byte misplaced there, your machine simply won't boot! AntiCMOS's code is 512 bytes long. Apart from that, the CMOS content is never "executed". BTW, DIR-2 is also called Creeping Death! What would you do in case it strikes your machine, disinfect it with napalm? :-)

A simple fdisk/mbr removes AntiCMOS from the hard drive, and you could clean all your floppies with FIXBOOT, without formatting a single floppy or losing their content. Relax Dell, boot viruses do not infect unless _actually booting_ from an infected floppy or hard drive.

Zvi Netiv, InVircible
NetZ Computing Ltd. Israel
ftp.datasrv.co.il/user/netz
Fax: +972 3 5325325
========================================================================

- --------------------------------------------

Subj: Re: A Fake Virus? (PC)

-=> Quoting Doug Muth to Zvi Netiv on Fidonet <=-

> The file has no virus, it contains plain bitmap data. Furthermore, the
> file does not even have an executable structure!
> You can prove it to yourself by renaming the file to an executable
> extension name and running it. Nothing will happen, it will just hang
> the computer.

DM> In my case, TBAV 6.26 said that the file had Satan Bug, but set
DM> off no heuristic alarms. Scan and F-Prot didn't catch it. And like
DM> Zvi said, the file wasn't executable...

> I wonder for what purpose would one scan non-executable files for
> viruses?

DM> Well, I do it just to be safe. I have yet to encounter a
DM> non-executable file that scans as a virus but was a false alarm.
DM> Remember, a trojan archive could contain one or more viruses named with
DM> non-executable extensions, and rename them to executable extensions and
DM> run them when the trojan program is run...

It's entirely up to you to decide what safety margins you want. Yet for the benefit of others, let me say that scanning non-executable files does not make any sense from a cost/effectiveness standpoint. You have just proven to yourself that the chances of detecting a false positive are incomparably higher than of finding a real virus (or trojan) this way. From my little experience in viruses I can say that one in a million is still too high a probability that you'll find anything other than a false positive when scanning non-executable files.

Another point that may interest you: it's very simple to discriminate files that have executable structure from files that haven't. There are at least two scanners that I know of, besides IV's, that can do that: Findviru from Dr. Solomon's AVTK and AVP from KAMI. The latter has a nice shareware version. Both are superior in detection probability as well as in their negligible susceptibility to false positives.

Regards, Zvi Netiv, InVircible
NetZ Computing Ltd.
Israel
ftp.datasrv.co.il/user/netz
Fax: +972 3 5325325
========================================================================

- ------------------------------------------

Subj: Re: InVircible/AVPL

-=> Quoting Arjan Van Der Werf to Zvi Netiv on Fidonet <=-

AVDW> Invircible is now available in The Netherlands, the latest version was
AVDW> hatched through the anti4us file area so both Peter and i have received
AVDW> a copy. Let's hope that AVPL will also be hatched through the same area
AVDW> because i'm very interested in that piece of code. :-)

AVDW> That's great, but i hope it does work together with the resident TBAV
AVDW> utilities because when i executed an IV executable TBAV would give me a
AVDW> warning that a file was renamed and then Qemm would give an #13 error
AVDW> and the whole system would crash. :-( I tried to run the IV executables
AVDW> again after i had booted and pressed F5 and everything worked, but why
AVDW> does IV conflict with TBAV? I know what your opinion is about virus
AVDW> scanners and products like F-prot and TBAV (which i use both) but i was
AVDW> a little disappointed when i couldn't get IV to work when the TBAV
AVDW> utilities were loaded. :-(

Here is a quote from the "Troubleshooting" topic in InVircible's on-line guide:

"Many cases were reported in which users have caused themselves a lot of trouble by loading unnecessary drivers and TSRs. Following is a sample list of such instances: [ ... ] The Thunderbyte anti virus TSRs are hostile to InVircible. If you use one then don't use the other. They simply don't coexist."

As IV doesn't cause Qemm exception #13 by itself, but only in the presence of TBAV TSRs, you should address the question to Frans Veldman. IV does not have any TSR component and it doesn't constantly monitor anything.
When you execute an IV program it performs its predefined task and that's it. I reject the idea that a piece of software, sophisticated as it may be, will judge what is legitimate and what is not! Any instruction that a machine was designed to execute is legitimate by definition. IV runs perfectly well, and does successfully what it is supposed to do in any environment, except in the presence of the specific TBAV TSRs. Since IV isn't a virus, you may say that the TB TSR alerts on a false positive, at least in this case. In fact, TB's aggressiveness to IV can have quite unpleasant results.

IV isn't the only software that TBAV is hostile to. The same happens with the IMMUNE module from BRM's V-Analyst/Untouchable. They have used a similar baiting technique to IV's since late '92. :-)

I suppose this answers your question.

Regards, Zvi Netiv, InVircible
NetZ Computing Ltd. Israel
ftp.datasrv.co.il/user/netz
Fax: +972 3 5325325
========================================================================

- ---------------------------------------------

------------------------------

Date: Fri, 09 Dec 94 10:24:03 -0500
From: gcluley@sands.co.uk
Subject: Re: Rostov virus (PC)

wfg1001@hermes.cam.ac.uk (W.F. Grainger) writes:

>Well, does anyone know ANYTHING at all about this virus? It's appeared
>once or twice with Dr Solomon's, but then it can't find it on the disk. I
>go "Whaaaat?"
>Please help!
>
>Will Grainger

Will,

We'll probably need some more information before we can diagnose what is happening. For example, what version of Dr Solomon's Anti-Virus Toolkit are you using? Which program is reporting the virus (FindVirus or VirusGuard)? Where is the virus appearing (in files or in memory)? What programs/operating systems do you have installed?
etc etc etc.

Rostov is, if I recall correctly, a Trojan and thus unlikely to be seen much in the wild.

It would probably be a good idea for you to contact our technical support department. They can be contacted via email at support@sands.co.uk, or by telephone on the number below. Our technical support department will probably be able to get to the heart of your problem in no time.

Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]
Product Specialist, S&S International PLC, Alton House,
Dr Solomon's Anti-Virus Toolkit, Gatehouse Way, Aylesbury, Bucks, UK
S&S International PLC +44 (0)1296 318700

------------------------------

Date: Fri, 09 Dec 94 11:45:51 -0500
From: ivi@netcom.com (Internet Videos)
Subject: Question re: Form Virus (PC)

We are interested in any information that can be provided regarding this virus. Origin, effects, disinfectant options, etc. We have encountered this in distribution copies of commercial software. Please send email to the address below or call 1-800-LOOK-IVI.

Thanks

- --
Peter Vos
Internet Videos, Inc.
ivi@netcom.com
301-897-DATA
Turning Novices Into Navigators (TM)

------------------------------

Date: Fri, 09 Dec 94 13:59:17 -0500
From: dwarf@step.polymtl.ca (Patrice Chiniara)
Subject: Re: new virus? (PC)

Isaaclee (isaaclee@aol.com) wrote:
: i found what may be a new virus and would appreciate help! the virus is
: undetectable by nav 3.0, macafee, and msav. it is detectable by the
: following test: in config.sys add himem.sys and emm386.exe devices; load
: smartdrv.exe and attempt to write to the hard drive. if you get
: emm386.exe exception error 00, the virus has found a home in your pc.
: the only way i could clear it out was to destroy the partition table, cold
: boot with a clean, copy protected dos disk, fdisk, format, etc. and then
: restore data from a tape, not from floppies. any thoughts, ideas or
: suggestions are welcome!...IsaacLee@aol.com, aka Lee Isaacson

Ouch... I think you should have contacted some technical support (i.e. McAfee or Norton) before repartitioning your hard drive. McAfee already helped me get rid of a few viruses. Their technical support is excellent. Usually, they answer your mail within 24 hours...

Try e-mailing McAfee's technical support at support@mcafee.com

*************************************
Patrice Chiniara
dwarf@step.polymtl.ca
http://step.polymtl.ca
Directeur du projet STEP (1994-1995)
ECOLE POLYTECHNIQUE DE MONTREAL
*************************************

------------------------------

Date: Fri, 09 Dec 94 14:23:45 -0500
From: Iolo Davidson
Subject: Exebug apparently surviving boot (PC)

hiwire@technet.sg "Lim Beng Cheng" writes:

> Jackson Harvey (jch9@po.cwru.edu) wrote:

No he didn't. The following text was written by me.

> : >But Exebug can spoof a cold boot. It forces the computer to
> : >start booting from the hard disk even though you think it is
> : >booting from the floppy. Once it has loaded and run the
> : >partition sector (MBR), getting the virus into memory and active,
> : >then it continues the boot from the floppy so you are none the
> : >wiser. For this reason, anti-virus scanners have to be able to
> : >detect Exebug in memory.

This part was written by Jackson Harvey.

> : Excuse my ignorance, but how is this accomplished (possible)? If a computer
> : is set to boot from floppy, and then from hard disk if a floppy is not
> : available, how does the virus 'gain control'?

And this by Lim Beng Cheng.

> It is possible under 2 special conditions.
> The first condition is when the boot virus on execution, makes itself
> resident in memory then tries to read the floppy drive for the boot sector
> thereby creating the effect of booting up from a floppy when in fact the
> virus is already in memory. Of course, with a floppy diskette in the
> drive A:, you will argue that it must boot from A: if you cold boot
> (switch off then on).

I don't follow the above entirely, but as far as I can tell, it is nothing to do with Exebug's spoofing method.

> Now the second condition. That PC must have been set with the boot
> sequence as C: first then A:.

Not necessary for the Exebug spoofing.

> Now the question is how can a PC get infected when the boot sequence is C:
> then A:. Three possibilities (not necessarily related to EXEBUG). First, the
> PC was in the sequence A: then C: and got infected, then the sequence was
> changed by the user himself. Second, the PC was in the sequence A: then
> C: and when infected, the virus changes the CMOS setup to sequence C: then
> A:. Thirdly, the boot virus is carried by a parasitic virus
> (multi-partite virus) and the hard disk can get infected by the boot
> virus even when the sequence is C: then A:.

Nothing to do with the Exebug spoofing. Exebug can make some computers start booting from the hard drive even when they are set to boot from the floppy. It does this by fiddling with the CMOS, further details deliberately withheld.

- --
A GIRL BUT NOT SHOULD HOLD ON WHEN HE'S DRIVING TO HER YOUTH
Burma Shave

------------------------------

Date: Fri, 09 Dec 94 15:18:14 -0500
From: Michael Chow
Subject: New Bug (PC)

I am looking for information on a virus called New Bug, or it could be called NewBug. I think there might be a cross posting about it being a variant of GenB or something like that. I think that is the name that NAV detected it as.
I don't know the specifics of this virus, but the current rumor is that this is a boot sector virus, and that a month after infection time it will destroy the data on the hard drive.

Any clues? Please e-mail me.

Thanks in advance
Mic

------------------------------

Date: Fri, 09 Dec 94 20:55:32 +0000
From: paulh@crash.cts.com (Paul Hemond)
Subject: PC SAFE H/W AV product? (PC)

My company has received information about a product called PC SAFE which says it is a hardware based anti-virus solution from a company called Texan Enterprises. The literature states that it is a physical board installed in the system with an ISA interface. Anyone have any info regarding the protection ability of this product?

------------------------------

Date: Fri, 09 Dec 94 18:26:34 -0500
From: garcia@bkfsu1.sedalia.sinet.slb.com (Geoframe User)
Subject: Re: A SETUP funny on boot : virus or what? (PC)

ANTHONY APPLEYARD (A.APPLEYARD@fs1.mt.umist.ac.uk) wrote:
: I am in charge of 16 public PC's. 10 of them are PCSX 386's which are now a
: few years old. Some of them have developed a persistent intermittent slowly
                                           ^^^^^^^^^^^^^
: displayed in blue: "Errors have been found during the power on self test in
: your computer. The errors were: / Incorrect configuration information in
: CMOS / Memory size in CMOS invalid / SETUP will attempt to correct these /
: errors through auto-configuration. / Hit any key to continue:". I then

Ummm. How long has it been since you replaced the CMOS batteries ;-) Optimists claim the batteries will last 5 years.

- --
Steve Garcia
garcia@bakersfield.geoquest.slb.com

------------------------------

Date: Fri, 09 Dec 94 21:20:32 -0500
From: rmallett@boris.ccs.carleton.ca (Rick Mallett)
Subject: Re: One Half Virus (PC)

Does anyone know how to get rid of the `One Half' virus? Any help and/or information would be greatly appreciated.
- --
- ----------------------------------------------------------------------
Rick Mallett
Carleton University
Email address: rmallett@ccs.carleton.ca
- ----------------------------------------------------------------------

------------------------------

Date: Fri, 09 Dec 94 21:22:29 -0500
From: umfauche@cc.UManitoba.CA (Ryan Ulric Faucher)
Subject: Natas Virus (PC)

I have recently come across the Natas 4744/4746 variations on my PC. So far I have been able to remove it, except from boot sectors on my floppy disks. I am currently using F-Prot 2.15 and Microsoft virus scanners. Microsoft does not recognize anything and F-Prot returns a message that it does not know how to remove the virus. Through writing new code I have been able to repair most disks. This is the good news.

Unfortunately I have also come across what F-Prot calls a variation of the Natas virus. The program is unable to remove this virus. This is not a boot sector virus. In total I have removed 1 virus from the MBR of my hard drive, 7 rewrites of floppy boot sectors, and 56 copies from other files (must scan all files or you will miss some copies). Currently the virus has been removed except from files infected with this variation. The virus has currently disabled my MSOFFICE package.

If anyone can offer advice on removing this variation, or what I should do with it, please contact me at: umfauche@cc.umanitoba.ca

Any response would be appreciated!

Ryan Faucher.

------------------------------

Date: Fri, 09 Dec 94 21:46:24 -0500
From: trevose@sas.ab.ca (Bob Vander Steen - Trevose Consultants Ltd.)
Subject: Tai-Pan (PC)

I just scanned my drive for viruses with F-Prot and obtained the message 'New or Modified version of Tai-Pan found' on almost all EXEs on two of my three drives. Does anyone know how I would be able to clean this?

Thanks

- --
Bob Vander Steen
Trevose Consultants Ltd.
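Two posts above touch on repairing floppy boot sectors by hand: Ryan Faucher's Natas post (rewriting floppy boot sectors with his own code) and Zvi Netiv's Zappa post, which notes that Stoned, Michelangelo and many other boot-sector infectors park the original boot sector "at the end of the root directory sectors". The following is an added example written for this digest, not code from any poster or product named here. It decodes the BIOS Parameter Block of a 512-byte sector, applies a structural sanity check, and then uses the BPB of a known-good geometry to search the root-directory sectors for a sector that is itself shaped like a boot sector. All function names, the 1.44 MB geometry table, and the two sample images are constructed for the illustration; the search covers the whole root-directory range rather than any one virus's slot, which is a deliberate generalisation of what the Zappa post describes. One caveat the code makes explicit: an infector that copies the victim's BPB into its own sector passes the structural check, so the check is a filter for repair work, not a detector.

```python
"""Structural sanity checks on DOS floppy boot sectors, plus a search for an
original boot sector parked in the root-directory area (added example)."""
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHH"   # ten BPB fields, offsets 11..27 of the sector
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
              "root_entries", "total_sectors", "media", "sectors_per_fat",
              "sectors_per_track", "heads")


def parse_bpb(sector):
    """Decode the BIOS Parameter Block that starts at offset 11."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, 11)))


def boot_sector_problems(sector):
    """Structural complaints about a sector; an empty list means it is shaped
    like a DOS boot sector. NOT a virus detector: an infector that carries the
    victim's BPB over passes this check unchanged."""
    problems = []
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a short/near JMP")
    if sector[-2:] != b"\x55\xAA":
        problems.append("missing 55AA signature")
    b = parse_bpb(sector)
    if b["bytes_per_sector"] != 512:
        problems.append("bytes/sector != 512")
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors/cluster not a power of two")
    if b["reserved"] < 1:
        problems.append("reserved sectors < 1")
    if b["fats"] not in (1, 2):
        problems.append("FAT count not 1 or 2")
    if b["root_entries"] == 0 or b["sectors_per_fat"] == 0:
        problems.append("empty root directory or FAT")
    if b["media"] < 0xF0:
        problems.append("media descriptor below F0h")
    if b["sectors_per_track"] == 0 or b["heads"] == 0:
        problems.append("zero geometry")
    return problems


def root_dir_range(bpb):
    """Logical sector range [first, end) occupied by the root directory."""
    first = bpb["reserved"] + bpb["fats"] * bpb["sectors_per_fat"]
    count = (bpb["root_entries"] * 32 + bpb["bytes_per_sector"] - 1) // bpb["bytes_per_sector"]
    return first, first + count


def find_parked_boot_sectors(image, bpb):
    """Root-directory sectors that are themselves shaped like a boot sector.
    Directory sectors hold 32-byte entries, never a JMP/BPB/55AA layout, so a
    hit is a strong hint that an infector parked the original there. The whole
    range is scanned; no virus-specific slot is assumed (constructed rule)."""
    first, end = root_dir_range(bpb)
    hits = []
    for n in range(first, end):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if len(s) == SECTOR and not boot_sector_problems(s):
            hits.append(n)
    return hits


# --- constructed sample data (not taken from any real disk) -----------------
GEOMETRY_1440K = (512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)


def make_clean_boot_sector():
    """A plausible 1.44 MB FAT12 boot sector with stand-in boot code."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x3C\x90"
    s[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FMT, s, 11, *GEOMETRY_1440K)
    s[62:80] = b"(constructed code)"
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def make_infected_image(preserve_bpb):
    """2880-sector image: a stub infector in sector 0, the original boot sector
    parked in the last root-directory sector. With preserve_bpb the stub keeps
    the victim's BPB, as some infectors do; otherwise it overwrites it."""
    clean = make_clean_boot_sector()
    bpb = parse_bpb(clean)
    image = bytearray(SECTOR * bpb["total_sectors"])
    virus = bytearray(b"\xEB\x3C\x90" + b"\x90" * (SECTOR - 3))
    if preserve_bpb:
        virus[11:28] = clean[11:28]
    virus[62:77] = b"(virus stub)   "
    virus[510:512] = b"\x55\xAA"
    first, end = root_dir_range(bpb)
    image[0:SECTOR] = virus
    image[(end - 1) * SECTOR:end * SECTOR] = clean
    return bytes(image), bpb


if __name__ == "__main__":
    for keep in (True, False):
        img, geo = make_infected_image(preserve_bpb=keep)
        print("BPB kept" if keep else "BPB trashed",
              "sector 0 problems:", boot_sector_problems(img[:SECTOR]),
              "parked original at:", find_parked_boot_sectors(img, geo))
```

On a real disk the BPB passed to find_parked_boot_sectors should come from the known format of the medium (or a good sector of the same type), not from sector 0 of the suspect disk, since an infector that trashed the BPB would make the computed root-directory range meaningless. Whether a found sector really is the original still needs a look at its code and OEM string before copying it back, and a virus that carries the BPB over, as the preserve_bpb case shows, leaves sector 0 structurally clean.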
------------------------------

Date: Fri, 09 Dec 94 23:24:27 -0500
From: Michael Jackson
Subject: Re: NAV 3.0 updates ? (PC)

Jimmy Kuo writes:
>>Is there a site that carries them thar updates??
>
>You must realize that you don't get much response asking for free what is
>being sold...

I believe he's requesting the signature updates. I've routinely called Symantec's BBS for the signature updates with no problem.

-Mike
mrjackson@delphi.com

------------------------------

Date: Fri, 09 Dec 94 23:24:30 -0500
From: Michael Jackson
Subject: Re: Virus-Made Directories (PC)

Eug Kogan writes:
>The virus I just had made about 75 directories with strange ascii
>characters in their names. Is there any way I can delete them? I've
>tried dos, windows file manager, and a few other such programs, none were
>able to access these dirs.

I would recommend PC Tools' Directory Maintenance program. It has so far done an excellent job of deleting unwanted directories even if there are files in them.

-Mike
mrjackson@delphi.com

------------------------------

Date: Fri, 09 Dec 94 23:48:11 -0500
From: Michael Jackson
Subject: Re: Best form of Virus Protection? (PC)

Tom Neumann writes:
> A-for downloading and decompressing files use a shell such as
> shez or winzip with mcafees scan 1.17, always use the shell
> to scan the file immediately after download.

I would recommend using F-Prot or TBAV instead of VScan. Better detection results on "unknown" viruses.

> This regimen should keep you safe, one more step might be to run
> Fprot's TSR at boot-up but I have encountered many problems with
> various anti-virus tsr's.

I've used TBAV's TSR with no problems at all. The multitude of areas that can be selectively checked is good.

-Mike
mrjackson@delphi.com

------------------------------

Date: Fri, 09 Dec 94 23:48:14 -0500
From: Michael Jackson
Subject: Re: MSAV / F-Prot comparison (PC)

Elizabeth Barclay writes:
>Does anyone have any information comparing the
>performance of MSAV vs. F-Prot?
F-Prot is the winner, hands down. But you can verify this with Patty Hofmans (sp?) VSUM.

-Mike
mrjackson@delphi.com

------------------------------

Date: Sat, 10 Dec 94 05:16:11 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-Prot (PC)

C.Booth-94@student.lut.ac.uk (C.Booth-94) writes:

>Is F-Prot still available to home users for one pound?

It has never been one pound. The shareware version is free of charge to private users.

>version a while back I thought it was very good. Is it available from
>an FTP site or can you register online?

You can get it from major FTP sites like oak.oakland.edu (look for fp-215.zip) or by sending e-mail to f-prot@complex.is - it will automatically e-mail a uuencoded copy back.

- -frisk

------------------------------

Date: Sat, 10 Dec 94 06:13:05 -0500
From: groger@infi.net (Roger A. Grimes)
Subject: HAPPY Virus? (PC)

Although I have a pretty solid AV background, this one is new to me. One of our sister hospitals in Michigan is reporting a virus with the following signs:

Disables mouse
Puts reverse video time-stamp counter in upper-left corner of screen
Deletes *.ini, *.exe, *.com
Plays new-age music out of speaker
Pushing F11 puts a Happy message box in center of screen

Signs do not occur on all systems all of the time, except the Happy message appears on every machine when he hits F11. He has not sent me a sample yet, and he is not very AV knowledgeable. It seems that this is a pretty big virus, not meant to be very hidden. Has anyone else heard of this virus? Please respond via reply mail, too.

Thanks.

- --
- --------------------------------------------------------------------------
Roger A. Grimes "Often wrong, but never in doubt!"
"My views are my employer's views!"
- --------------------------------------------------------------------------

------------------------------

Date: Sat, 10 Dec 94 08:55:59 -0500
From: debrown@hubcap.clemson.edu (David E. Brown)
Subject: Re: Anti CMOS virus - help! (PC)

ajmor5@giaec.cc.monash.edu.au (Andrew Morrissey) writes:

>Simon_Cheung@kcbbs.gen.nz (Simon Cheung) writes:
>>Scan V.2.1.1. had found the "Anti CMOS" virus on one of my systems.
>>While Scan is able to identify the problem, it couldn't remove it as
>>yet. As far as I have learned from Scan, this infects the master boot
>>record of the system.
>>
>>Does anyone know more about what harm this virus could do, and more
>>importantly, how to remove it? I really want to hear from you.

I found it on mine yesterday. McAfee's CLEAN couldn't remove it. It would stay in an infinite search mode as "searching for original boot sector" or something like that. I had to spend the money to call CompuServe and download the latest virus definitions by Norton. However, they worked great and I was easily able to clean my infected floppies. The information on the virus said it was rare, and pretty much harmless - -- all it did was replicate. I did notice my system resources seemed to keep dropping as I worked, and I suppose this is cleared up now.

dave

------------------------------

Date: Sat, 10 Dec 94 10:44:40 -0500
From: jwall@interaccess.com (James Wall)
Subject: Stealth C virus (PC)

I'm not sure if this is the right newsgroup for this message. If it isn't, please don't bother flaming me. The newsgroup is empty on my usenet server so I can't tell.

Discovered the Stealth C virus on a floppy disk and I'm looking for a program that will clean it off. The latest McAfee scanner (the one after 1.13) will find it, but it can't clean it off. As yet, none of the computers have been found to have it, but if a disk has it, then it's easily possible. The computers all had a different virus (Form A I believe). Just trying to be prepared. Has anyone seen this virus before or a fix for it?
- -Jim

------------------------------

Date: Sat, 10 Dec 94 15:11:03 -0500
From: Martin Gutowski
Subject: B variant of jumper virus (PC)

Can anyone tell me anything about the 'B variant of the Jumper virus' that I recently detected on one of our computers? The first clue there was a virus present was when I took a disk home and Norton Anti-Virus (with Norton Desktop for Windows) caught the 'Silly BP' virus on my floppy. I then checked the computer in our lab that I was using earlier and F-Prot found the Jumper virus. (As an aside, Microsoft Anti-Virus that came with DOS 6 didn't find it.) How bad is this virus? I think I got rid of it?

Thanks for any info,
marty

Martin Gutowski
9 Ferguson Building
Penn State University
University Park, PA 16802
FAX: 814.865.3725
voice: 814.865.1132
mjg8@psuvm.psu.edu

------------------------------

Date: Sat, 10 Dec 94 20:01:55 -0500
From: pjc5@po.CWRU.Edu (Philip J. Croy)
Subject: Tell me how to find and remove this virus (PC)

For a little while now I have had a few problems that I believe are related to a virus. First of all, I get messages on boot that tell me my partition table is bad. But not every time, in fact only maybe once every twenty times I boot, and turning the computer off and then on again fixes this. Second, and most annoying, the spell checkers and some other sub-parts of Windows programs no longer work correctly. (They do not work at all in most cases.) The system seems to be getting progressively slower in operation. The hard drive is not experiencing any corruption that I can tell. No new files are appearing mysteriously. The hard drive is also not becoming more fragmented; it still tests at under 2% fragmentation. I have tried running Norton, McAfee, and invb. I now run both Norton and invb on every boot up, hoping to spot changes caused by virus activity. Nothing from any of them. Word for Windows has become almost unusable despite re-installing it several times.
Even a complete wipe, reformat, and restore of both hard drives did not seem to clean up the problem. BTW, the computers in the school's lab experience the same problems I do with Word.

Please help me, I need any advice available on how to find and remove this problem.

Phil

------------------------------

Date: Sat, 10 Dec 94 23:11:24 -0500
From: Michael Jackson
Subject: Re: Need info: Trident Virus (PC)

Albert S Woodhull writes:
>I need information on the Trident virus. While on a consultation visit
>to the National University of Nicaragua I found my colleagues there
>had a serious problem with it. Their virus detection software may have
>been too old. CPAV and MSAV did not detect Trident. We could detect
>Trident with McAfee 115 or 117 which I had with me. The virus is
>very hard to clean. It seems to infect both .com and .exe files. When
>active it hides changes in file sizes that it has caused, and it may
>be able to hide in the boot sector. We had the impression that McAfee
>SCAN did not always detect it, so it may have alternate forms.

Trident is not actually a virus, but an encryption engine that can be used to make viruses polymorphic. Hex scanners such as McAfee's have a hard time finding all the possible iterations of such a virus. Best bet would be to go with a heuristic type scanner such as F-Prot or TBAV. Both of these can be found at oak.oakland.edu.

-Mike
mrjackson@delphi.com

------------------------------

Date: Sun, 11 Dec 94 02:24:48 -0500
From: anele@AccessPt.North.Net (Anele Waters)
Subject: NOVI antivirus software good? (PC)

I have NOVI antivirus software by Certus and was wondering if it was adequate for detecting viruses now. This is a 1991 edition.

------------------------------

Date: Sun, 11 Dec 94 11:34:53 -0500
From: john@pc.xs4all.nl (Jan-Pieter Cornet)
Subject: More memory scanning (was: Help! Filler...) (PC)

"Frans Veldman" once said:
> This is an excellent example why memory scanning (Iolo Davidson watch out!)
> is a bad idea.
> What happened is that the first time you use the scanner
> you also load its signatures in memory. When you run the scanner again,
> the signatures from the first time are still floating around in memory,
> and Scan detects its own signatures.

Tss... hard to believe nobody tested scan by running it twice in succession. Very sloppy programming practices.

> Another possibility is that you
> load CPAV in memory, it also contains signatures, and these signatures
> are detected by SCAN.
>
> Once again, memory scanning causes more confusion than it solves.

It seems to me like it should be possible to only scan "active" parts of memory for viruses. I figure since TBSCAN already does a lot of disassembly on files, and also tunnels to the original INT entry points, that it should be possible to check the programs or segments that hooked some of the sensitive interrupts. This probably requires the use of specialised in-memory virus signatures, and probably also some new in-memory virus detection heuristics, but I think it's doable.

Ideas?

=====BEGIN FRACTAL-COMPRESSED SIGNATURE=====
| Jan-Pieter Cornet !PGP0XA4E77CCB/KVC=1FCBE41048A009550F68867928EB8DDF |
=====END FRACTAL-COMPRESSED SIGNATURE=====
;-) My v2.6 decompressor (out soon!) will expand this to a 72-minute MPEG movie!

------------------------------

Date: Mon, 12 Dec 94 01:30:55 -0500
From: ostcroix@aol.com (Ostcroix)
Subject: Just how safe is VSAFE? (PC)

I would like to know how effective DOS VSAFE is against viruses. Is this the best way to protect my system against viruses? I recently downloaded the latest signatures from the MSDOS BBS. Is there a better virus remover and detector than VSAFE on the market?

Thanks in advance.

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 102]
******************************************
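The memory-scanning thread above (Frans Veldman's two cases: a scanner finding the signature table left in memory by its own previous run, and a scanner finding another product's table) is easy to reproduce in miniature. The following is an added example written for this digest, not code from SCAN, CPAV, TBAV or any other product named here. It models a small address space as a byte array, loads a toy scanner image twice (a stale copy from an earlier run and the copy doing the scanning), plants one pattern that is genuinely "resident", and sweeps memory three ways: with a plaintext signature table, with the scanner's own current allocation excluded from reporting, and with the table stored XOR-masked so the literal patterns never sit in RAM. Everything here is constructed: the patterns are not real virus signatures, the addresses, key and function names are arbitrary, and "scanner image" is a 26-byte stand-in.

```python
"""Toy reproduction of a memory scanner detecting its own signature table,
and the two usual remedies (added example, not from any product discussed)."""

SIGNATURES = {                       # constructed byte patterns, not real signatures
    "Demo.A": bytes.fromhex("b8 00 13 cd 10 fa f4"),
    "Demo.B": bytes.fromhex("e8 00 00 5e 83 ee 03"),
}
KEY = 0x5A                            # arbitrary mask for the encoded table


def encode(sig, key=KEY):
    """XOR-mask a pattern so the literal bytes never appear in the image."""
    return bytes(b ^ key for b in sig)


def scanner_image(encoded):
    """What the scanner occupies once loaded: a code stub followed by its
    signature table, either verbatim or masked."""
    table = b"".join(encode(s) if encoded else s for s in SIGNATURES.values())
    return b"SCANNER-CODE" + table


def scan_memory(mem, exclude=None):
    """Naive sweep: every occurrence of every pattern, as (name, address).
    `exclude` is an optional (start, end) range the scanner refuses to report,
    i.e. its own current allocation. Comparison always uses the plain pattern,
    whichever way the table is stored."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while True:
            i = mem.find(sig, start)
            if i < 0:
                break
            if exclude is None or not (exclude[0] <= i < exclude[1]):
                hits.append((name, i))
            start = i + 1
    return hits


def build_memory(encoded, loads=(0x1000, 0x3000), virus_addr=0x8000):
    """64 KiB toy address space. Each address in `loads` gets a copy of the
    scanner image: the first stands for a previous run whose memory was freed
    but never cleared, the last for the copy running now. One pattern is
    planted at virus_addr to stand for something actually resident."""
    mem = bytearray(0x10000)
    img = scanner_image(encoded)
    for addr in loads:
        mem[addr:addr + len(img)] = img
    mem[virus_addr:virus_addr + len(SIGNATURES["Demo.A"])] = SIGNATURES["Demo.A"]
    own = (loads[-1], loads[-1] + len(img))
    return mem, own


def demo():
    """Three sweeps over the same situation; returns their hit lists."""
    results = {}
    mem, own = build_memory(encoded=False)
    results["plain"] = scan_memory(mem)                  # stale + own + real
    results["plain_excluded"] = scan_memory(mem, own)    # stale + real
    mem, own = build_memory(encoded=True)
    results["encoded"] = scan_memory(mem)                # real only
    return results


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(f"{mode:15s}", [(n, hex(a)) for n, a in hits])
```

Excluding the scanner's own allocation only removes the hits inside the copy currently running; the stale table from the earlier run is elsewhere in memory and is still reported, and so would another product's plaintext table be, which is the CPAV case in the thread. Masking the stored table removes the scanner's own contribution in both runs, but it protects only against products that mask theirs; the scanned side has to cooperate. Neither remedy addresses Jan-Pieter's point that most of what a sweep finds is not executing at all, which is why restricting the scan to code reachable from hooked interrupt vectors is the more interesting direction.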